Industry breach reports have repeatedly put the median time to discover an advanced intrusion at upwards of 200 days. How, then, does an organization obtain assurance that it has not already been breached? To answer that question we offer Compromise Assessment as a service: we capture and analyse network, endpoint and log data to detect suspicious traffic, malicious activity, compromised systems, and the possible presence of an attacker or backdoor within the corporate network.
If during the assignment we discover evidence of a significant breach, one that goes beyond garden-variety commodity malware, we undertake a more detailed analysis of the malware and its behaviour, the control gaps that allowed the breach to occur in the first instance, and the remedial actions needed to contain the breach and prevent it from recurring.
The broad approach here is as follows:
Analysis of network, endpoint, and log data
This is the first step of a compromise assessment: we monitor, capture and analyse network, endpoint and log data over a window of approximately 48 hours.
- Network Analysis
Using network behaviour analysis and packet capture tools, we monitor and capture network traffic for 48 hours. The captured data is then analysed in depth to detect suspicious traffic patterns (for example, regular outbound callbacks to a small set of external hosts) and potential intruders on the network. Note that a 48-hour capture only reveals activity that occurs during that window; implants with long sleep intervals, or compromises that are no longer active, are more likely to surface in the endpoint and log analysis below.
- Endpoint Analysis
By analysing the alerts and detections already recorded by your malware protection controls, we determine whether any of the malware seen is indicative of an advanced attack rather than opportunistic infection. We also deploy an APT monitoring solution for the duration of the exercise to carry out live analysis of any possible command-and-control (C&C) traffic from endpoints.
- Security Log Analysis
By analysing data from your existing SIEM, web proxy, IPS and other security solutions, we determine whether a pattern is emerging that may have been missed by your security monitoring team. During this analysis we also point out gaps in your security architecture and logging coverage that might have allowed a breach to go undetected.
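One concrete form that the "pattern that may have been missed" often takes in proxy logs is beaconing: a compromised host calling back to its C&C server on a fixed timer. The script below is an added example written for this page, not the assessment team's own tooling, and it runs over a small constructed sample of proxy log lines in a simplified "timestamp client destination bytes" layout (real squid, Zscaler or Blue Coat logs have different field orders, so LINE_RE would be adjusted). It groups requests by (client, destination), measures the gaps between consecutive requests, and flags pairs whose gaps are nearly constant. The thresholds (minimum six hits, coefficient of variation at most 0.15) are illustrative assumptions, not tuned values.

```python
"""Periodic-beacon detection over web proxy logs (added example).

Constructed sample data and a simple inter-arrival analysis; not the
provider's tooling. Adjust LINE_RE to match the real proxy log format.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample in a simplified "timestamp client dest_host bytes" layout.
# 10.0.5.23 -> cdn-update.example.net fires roughly every 300 s (beacon-like);
# the other flows are irregular browsing or too few requests to judge.
SAMPLE_LOG = """\
2024-03-11T10:00:00 10.0.5.23 cdn-update.example.net 412
2024-03-11T10:00:10 10.0.5.23 www.example.com 15322
2024-03-11T10:00:45 10.0.5.23 www.example.com 2210
2024-03-11T10:05:03 10.0.5.23 cdn-update.example.net 408
2024-03-11T10:07:12 10.0.5.23 www.example.com 9901
2024-03-11T10:07:20 10.0.5.23 www.example.com 1203
2024-03-11T10:09:58 10.0.5.23 cdn-update.example.net 415
2024-03-11T10:12:30 10.0.7.8 mail.example.org 8800
2024-03-11T10:15:01 10.0.5.23 cdn-update.example.net 410
2024-03-11T10:20:02 10.0.5.23 cdn-update.example.net 411
2024-03-11T10:22:05 10.0.5.23 www.example.com 3302
2024-03-11T10:24:59 10.0.5.23 cdn-update.example.net 409
2024-03-11T10:30:00 10.0.5.23 cdn-update.example.net 413
2024-03-11T10:31:40 10.0.5.23 www.example.com 5120
2024-03-11T10:35:04 10.0.5.23 cdn-update.example.net 407
2024-03-11T10:40:00 10.0.7.8 mail.example.org 7710
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<host>\S+)\s+(?P<bytes>\d+)$"
)


def parse_log(text):
    """Return a list of (timestamp, client, host, bytes) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed or header line: skip it rather than abort the run
        records.append((
            datetime.fromisoformat(m["ts"]),
            m["src"],
            m["host"],
            int(m["bytes"]),
        ))
    return records


def find_beacons(records, min_hits=6, max_jitter=0.15):
    """Flag (client, host) pairs whose inter-request gaps are nearly constant.

    Jitter is the coefficient of variation (population stdev / mean) of the
    gaps between consecutive requests; a value near 0 means a fixed timer.
    min_hits and max_jitter are illustrative thresholds (assumed, not tuned).
    """
    by_pair = defaultdict(list)
    for ts, src, host, _ in records:
        by_pair[(src, host)].append(ts)

    findings = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue  # too few observations to call the timing regular
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue  # duplicate timestamps only; nothing to measure
        jitter = statistics.pstdev(gaps) / mean_gap
        if jitter <= max_jitter:
            findings[pair] = {
                "hits": len(times),
                "period_s": round(mean_gap, 1),
                "jitter": round(jitter, 3),
            }
    return findings


if __name__ == "__main__":
    for (src, host), info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {host}: {info['hits']} hits, "
              f"period ~{info['period_s']}s, jitter {info['jitter']}")
```

On the sample data only the cdn-update.example.net flow is reported (eight hits about 300 seconds apart); the browsing to www.example.com has the same number of requests but highly irregular gaps, and the mail.example.org flow has too few requests to assess. In a real assessment the same logic is run per client over the full log retention period, which is what lets it surface a compromise that predates the 48-hour capture window.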
Identification of compromised systems
Based on the analysis of network, endpoint and security log data, we identify systems that may currently be compromised or that were compromised in the past. A more detailed analysis is then carried out of the malware involved and the specific modus operandi the attackers used to penetrate your network.
Analysis of attacker activity
As part of this assessment we also seek to determine how much data, and which data, may have been compromised. Our team will advise whether it is worth pursuing the case with local law enforcement, or whether it is better to contain the attack, determine its financial and regulatory impact, and move to close the lapses that allowed it to occur in the first place.
Report of findings
After completion of this activity we provide a detailed report of our observations, the security gaps identified, and recommendations on how they are to be addressed. These recommendations cover the technology controls at the endpoint, network, perimeter and application levels. They also address process gaps where we conclude that the attack should have been picked up by the existing security mechanisms. As mentioned earlier, we also identify, to the extent possible, the data that the organization has lost.