A compromise assessment in cybersecurity involves investigating and analyzing a suspected or confirmed incident of a cybersecurity breach.
Compromise assessments determine whether an attacker has compromised a computer system or network and, if so, the extent of the compromise. This involves examining the system or network for signs of unauthorized access or activity, analyzing system and network logs, and checking for malware or other indicators of compromise.
Is a Compromised Assessment Necessary?
It is concerning that many businesses have unknowingly been infiltrated, yet they remain unaware of the situation.
You may not be aware that your business's information is being traded on the dark web or that a sophisticated hacker group is surreptitiously gathering data from your systems. Your organization may be at heightened risk of being targeted by malware and ransomware attacks, which you may not be aware of.
Attackers often use a multi-stage approach, starting with an initial intrusion to gain access and then moving laterally through a system, and eventually using that access to steal confidential information over an extended period before selling it to another malicious party.
Therefore, a compromise assessment is essential to help identify and reduce unexpected and unknown risks in your infrastructure. It is a critical step to maintain the security of your system.
What if my company needs to carry out a Compromised Assessment?
The benefits of a compromise assessment to your business include:
- Lack of proper assessment leaves you vulnerable to potential threats and attacks you may not be aware of.
- Your online assets and information may be at risk if the proper assessment is not conducted.
- Threat actors may have more time to access and exploit your systems without proper assessment.
- Your business may be at risk of non-compliance with cybersecurity laws and facing legal consequences.
- Your current security measures may not be sufficient to protect against new threats and viruses without proper assessment.
Evaluating a compromise assessment is a crucial component of an organization's cybersecurity strategy, as it helps organizations identify and address security vulnerabilities before attackers can exploit them.
Methodology used in Compromise Assessment
A security researcher conducts a compromise assessment using non-intrusive methods to independently test certain network components and evaluate the presence of indicators of compromise (IOCs) and indicators of attack (IOAs). The assessment focus on determining if any security breaches existed on the network.
The assessment evaluates the security posture of a network by scanning the network to look for any Advanced Persistent Threats (APTs) or Advanced Volatile Threats (AVTs) that have infiltrated the network. The assessment also looks for any malicious or suspicious activities detected within the network. Additionally, the assessment can include reviews of the network architecture, security policies, and any existing security solutions used to protect the network.
During the assessment, we developed reactive and proactive indicators to test the identified systems for indicators of compromise (IOCs) and indicators of attack (IOAs). This allows testers to detect any potential security breaches or vulnerabilities.
Steps Involved in Compromise Assessment
1st Phase – Pre-Assessment Planning
The first stage of compromise assessment is pre-assessment planning. This involves preparing for the assessment process by developing a plan that outlines the assessment's scope, objectives, and approach.
During the pre-assessment planning phase, it is important to identify the systems and assets included in the assessment and any potential risks and challenges that may arise during the assessment process. The plan should also include details on the resources required for the assessment, such as personnel, tools, and equipment.
In addition to developing a plan, the pre-assessment stage may involve coordinating with relevant stakeholders, such as IT staff, security personnel, and legal or compliance teams. It may also involve obtaining the necessary approvals and permissions to conduct the assessment.
Overall, the pre-assessment planning phase aims to ensure that the assessment process is well-organized and efficient and that all necessary resources are in place to support the assessment.
2nd Phase - Discovery
The second stage of compromise assessment is discovery, which involves discovering what has been compromised and how it happened. This involves gathering information about the attack, including the type of attack, the methods used, and the extent of the compromise. It may also involve identifying any IOCs that can be used to determine the extent of the compromise and the actions that need to be taken to remediate it.
Endpoint and network profiling: It involves gathering detailed information about your IT environment, including the hardware, operating systems, applications, and network components. By having a complete profile of your environment, you can better assess the impact of a potential compromise and identify and prioritize any needed security patches or configuration changes.
During the detection phase, gathering as much information about the attack as possible is important. This will help inform subsequent phases of the compromise assessment process.
This phase often includes analyzing logs and network traffic, examining system and application configurations, and conducting interviews with stakeholders. It may also include using forensic tools and techniques to identify and analyze changes or modifications made to systems due to an attack.
Overall, the goal of the discovery phase is to get a clear understanding of the nature and extent of the compromise so that appropriate remediation measures can be put in place to mitigate the risk of future attacks.
3rd Phase – Scanning, Collection, and Analysis
The third stage of compromise assessment is scanning, collection, and analysis. This stage involves scanning the target system to detect any potential malicious activity or potential compromise, collecting data from the system to determine what kind of malicious activity or compromise occurred, and analyzing the data to determine the extent of the compromise and identify any indicators of compromise (IOCs).
The scanning portion of this stage is an important part of the assessment process because it ensures that any malicious activity or compromise has been detected and not overlooked.
The collection portion of this stage involves collecting data from the target system. This can include system logs, server logs, application logs, user data, system state information, and anything else that might be relevant to the assessment. This data is then analyzed to determine the extent of the compromise and identify any IOCs.
The analysis portion of this stage involves analyzing the data collected in the collection phase to determine the extent of the compromise and identify any IOCs. This involves reviewing the data to determine the type of malicious activity or compromise and the potential impact of the activity or compromise. Additionally, the analysis may include looking for any potential indicators of compromise, such as malicious files, network connections, or registry changes, that can help identify the attacker or the malicious activity.
Once the analysis is complete, a report is produced outlining the findings and recommendations for remediation.
4th Phase – Reporting
The reporting phase in a compromise assessment is the final step. During this phase, the assessment results are compiled into a report summarizing the findings and recommendations for addressing the compromise. The report is then typically shared with relevant stakeholders, such as IT staff, executives, and potentially law enforcement or regulatory bodies, depending on the severity and scope of the compromise. The report's purpose is to provide a clear understanding of the extent of the compromise, the steps taken to address it, and any recommendations for preventing similar incidents in the future.
Key Areas to Perform During Compromise Assessment Activity:
The following areas are priorities during the compromise assessment:
To identify potential security breaches or compromises, network traffic can be analyzed to look for abnormal patterns, such as traffic being directed to unexpected locations or custom text in PING messages. This helps to quickly detect any unusual activity on the network and allow for timely remediation.
To assess potential compromise, checking for any unauthorized transfers of files over FTP, SSH, or RDP protocols on internet-accessible servers or hosts is important. This may indicate that an attacker has gained access to the system and exfiltrating sensitive data. Monitoring this activity can help quickly identify a security breach and take appropriate action to prevent further damage.
To assess for potential compromise, capturing and analyzing packets on the network may be helpful to look for any abnormal sequences. This helps to identify any unusual activity that may indicate that an attacker has gained access to the system and is attempting to communicate with external servers or devices. By studying these packets, it may be possible to gather information about the source and nature of the attack and take appropriate action to prevent further damage.
End-Point Analysis refers to examining individual devices (such as computers, laptops, or smartphones) connected to a network. This includes checking for any unusual or malicious software installed on the device and looking for any other indicators of compromise.
Registry Enumeration: The registry is a computer's operating system database that stores essential configuration information. Enumerating the registry means analyzing it to look for any unusual or suspicious entries that may indicate that malware is present on the device.
End-point Log Analysis: Logs are records of events that happen on a device or system. End-point log analysis involves examining the logs on individual devices to look for any unusual or suspicious activity that may indicate a compromise.
End-point Forensics: End-point forensics involves thoroughly examining a device to identify any signs of a security breach. This includes analyzing the device's memory, disk, and other storage areas to look for any evidence of malware or other malicious activity or performing a malware scan on endpoints and critical servers.
Custom correlation rules: These rules identify patterns or connections between events or data that may indicate a security compromise. In compromise assessment, these rules might detect pre-compromise (before the breach has occurred) and post-compromise (after the breach has occurred) traces.
Correlating with multi-platform logs: Multi-platform logs are records of activity from devices or systems connected to a network. Correlating these logs means analyzing them together better to understand the network's overall context and behavior. By doing this, it is possible to gain situational awareness or a clear and comprehensive view of the current state of the network and any potential security threats.
Note: These are just a few examples of the types of activities that can be involved in a compromise assessment. The specific approaches and techniques will depend on the nature of the system being examined and the goals of the assessment.
Benefits of a Compromise Assessment
Some benefits of conducting a compromise assessment include the following:
- Identifying vulnerabilities: A compromise assessment can help identify vulnerabilities in an organization's system that attackers could exploit. This can help the organization take steps to fix these vulnerabilities and improve its overall security posture.
- Protecting sensitive data: A compromise assessment can help an organization protect sensitive data, such as customer or employee information, from being accessed or stolen by cybercriminals.
- Maintaining compliance: Some industries, such as healthcare and finance, have strict regulations requiring organizations to conduct compromise assessments to ensure they meet compliance requirements regularly.
- Improving incident response: A compromise assessment can help an organization develop and improve its incident response plan, which can be critical in a cyber attack.
- Building trust with customers and stakeholders: By demonstrating that an organization is taking proactive steps to protect its systems and data, a compromise assessment can help build trust with customers and stakeholders.
Types of Compromise Assessment
Several different types of compromise assessments can be performed, depending on the incident's specific circumstances and the assessment's goals. Some common types of compromise assessments include
- Network compromise assessment: This assessment focuses on evaluating the extent of a compromise within an organization's network infrastructure and identifying any vulnerabilities that may have contributed to the compromise.
- Endpoint compromise assessment: This assessment is focused on evaluating the security of individual devices within an organization's network, such as laptops, tablets, and smartphones, on identifying any potential compromise or malware infections.
- Application compromise assessment: This assessment evaluates the security of an individual application or system, looking for evidence of a compromise and identifying any vulnerabilities that may have been exploited.
- Malware compromise assessment: This assessment focuses on evaluating the presence and impact of malware on an organization's systems and identifying any vulnerabilities that may have enabled the malware to be introduced.
- Insider threat compromise assessment: This assessment focuses on evaluating the risk of compromise due to insider threats, such as employees or contractors who may have malicious intent or may inadvertently compromise the organization's systems.
Compromise Assessment vs. Vulnerability Assessment vs. Threat hunting
1x1 - Vulnerability Assessment vs. Compromise Assessment
Identifies potential vulnerabilities that attackers could exploit.
Determines whether a system or network has been hacked or otherwise compromised.
Focuses on identifying and prioritizing vulnerabilities based on their potential impact and likelihood of exploitation
Identifies any compromised systems or data / Investigates the root cause of the compromise / Identifies the extent of the compromise.
Recommends steps to remediate vulnerabilities
Recommends steps to remediate the compromise.
1x2 - Threat Hunting vs. Compromise Assessment
Proactive: Threat hunting is a proactive approach to security that goes beyond traditional monitoring activities to actively identify malicious activity.
Reactive in nature: Compromise assessments are reactive and are conducted after an incident is identified or suspected.
Long-term strategy: Threat hunting is a long-term security strategy that requires ongoing monitoring and analysis of network activity to identify malicious threats.
Limited timeframe: Compromise assessments are typically completed in a limited timeframe, allowing organizations to quickly identify the scope and impact of a breach.
It can be conducted both internally and externally.
Primarily conducted internally.
Identification of unknown threats: Threat hunting seeks to identify unknown threats that have bypassed traditional security monitoring systems.
Identification of known threats: Compromise assessments focus on identifying known threats, such as malware or malicious actors, that bypass traditional security controls.
Tools used during Compromise Assessment:
Depending on an organization's specific needs and requirements, many different tools can be used for compromise assessment. Some standard tools often used for this purpose include:
Nessus Professional: Malware scan on servers and endpoints with domain admin credentials for malware scanning.
LogParser Studio: For further analysis, security logs from selected critical systems were imported.
NetFlow Analyzer: Used for capturing Egress traffic log (from the Internet router towards the Internet). NetFlow traffic was redirected from the perimeter router to the tool configured on the Protiviti system.
FireEye IOC Finder with custom scripts/FireEye Redline: Run locally on servers to collect data required for IOC / IOA pattern matching. Collected data was provided to the research team for analysis.
Security information and event management (SIEM) systems: These tools can collect, analyze, and report security-related data from various sources, including logs, network traffic, and system events. Examples include Splunk, LogRhythm, and IBM QRadar.
Network analyzers: These tools can capture and analyze network traffic to identify patterns or anomalies that may indicate a security breach. Examples include Wireshark and tcpdump
Endpoint protection: These tools can protect individual devices from malware and other security threats by monitoring suspicious activity and taking action to prevent infections. Examples include Symantec Endpoint Protection, McAfee Endpoint Security, and Trend Micro Endpoint Security.
Forensics tools: These tools can be used to conduct a thorough system analysis to identify any signs of compromise. Examples include EnCase, FTK, and SANS SIFT.
XDRs (Extended Detection and Response): XDRs (Extended Detection and Response) are cybersecurity solutions that provide more comprehensive detection and response capabilities than traditional security solutions. They use advanced analytics and machine learning to detect and respond to threats more quickly and accurately. XDR solutions typically integrate with multiple security solutions such as endpoint protection, anti-malware, firewalls, and identity and access management solutions.
Many other tools can be used for compromise assessment, and the specific tools used will depend on the needs and resources of the organization.
A real-world example of a Compromise Assessment I encountered during my assessment provides readers with an idea of how to proceed. Many potential scenarios exist, but I've chosen to share this one for illustrative purposes.
(Category - Malware compromise assessment)
The organization recently experienced a malware attack, with the root cause remaining unidentified. To determine the root cause of the attack, the organization conducted a compromise assessment, focusing on the areas most likely to have been affected.
Here I will explain what you should do in such a case.
I did an initial analysis after verifying the attack vector for malware spread across the entire organization. I performed the below actions: -
Brief about analysis
Discussion with the IT team to understand and collect as much information as possible to build the approach plan and way forward, i.e., how to proceed with the given test case and find that XYZ organization team recognized that all their data had been encrypted and shared drive data was not accessible to end users. It was also reported that their main domain AD account was compromised first, so the machine was isolated.
Review the Domain Admin accounts to validate that no new user accounts have been added. Captured the screenshot of domain admins and Enterprise admin accounts for further analysis. We also confirmed with the IT team of XYZ organization that the accounts are legitimate user accounts.
Post that, I verified the Installation of any malicious software. It was found that at time X/XX/XXXX, Microsoft .NET framework x.x.x is being installed, with multiple CVEs associated with it. But not related to any malware or later movement attack.
Next, I observed the Time Stamp of the malware attack to identify the time of the attack. Malware spread through the shared drive at the time stamp x/x/xxxx at x:xx PM
Compared this time in the machine which got initially compromised.
Initial Compromise machine Identified as the main message about being compromised is showing in AD server only - Windows server XXXX (Affected machine IP address: x.x.x.x)
Identified the users who have access to the affected AD machine.
I reviewed the Event Viewer of the targeted machine to look for suspicious activity and found a suspicious public IP address present at the time the malware was created.
I reviewed the firewall logs to determine whether the IP address of the attacker and the IP address of the initial compromised Active Directory server had any communication established between them.
The root cause of the incident was a compromise of the AD Server, which is Windows server XXXX via an RDP session established by an external attacker.
It was observed via Event viewer that the External IP address X.X.X.X was trying to RDP the AD server – Y.Y.Y.Y. Furthermore, the analysis revealed via firewall logs that the External attacker with IP address X.X.X.X was successful in getting the RDP session due to the fact the establishment of SYN packet at the firewall log, which confirmed that the attacker had complete access to Y.Y.Y.Y through remote desktop access.
Observations and Recommendations
Observation 1: Lack of network access control: It was found that the attacker easily moved through various segments, such as from server segment to user segments, through management ports such as the remote desktop.
Recommendation: It is recommended to perform a detailed architecture review to understand the business requirements and update the network-level controls to minimize the attack vector
Observation 2: Internet access on servers. It was found that servers had direct internet access, which was the main cause of the attacker having an active reverse connection to his command and control server.
Recommendation: It is recommended to revoke internet access from the servers.
Observation 3: No malware protection at the perimeter level: It was identified that there is no malware protection at the perimeter level to identify and block attacks at the initial stage
Recommendation: It is recommended to evaluate and implement appropriate malware protection at the perimeter level.
The threat of a cyber attack resulting in a security breach is becoming more and more of a reality, and if left unnoticed, the damage could remain undetected for months or even years. To identify and rectify the damage, it’s important to conduct a compromise assessment activity.
Compromise Assessments are essential in these cases to ensure that any breach is identified and dealt with quickly. By regularly conducting this assessment, you can also ensure that your organization is prepared to respond promptly and effectively to any security or compliance issues promptly and effectively. Ultimately, a successful compromise assessment process is critical to safeguarding the security and compliance of your organization.