Compromise assessment can be a valuable tool to enhance hospital IT security alongside traditional measures such as vulnerability management or penetration testing. It can be used to detect ongoing or past attacks. Nevertheless, hospitals must be aware that only a holistic approach based on the interaction of tools and know-how can permanently raise the security maturity level.

A building block for a higher security maturity level

A higher security maturity level

Organizations typically employ traditional protection measures such as vulnerability management or penetration testing against cyberattacks; however, the attacks themselves are becoming increasingly difficult to detect. Advanced Persistent Threats (APT), for example, use their own tools with unknown signatures that an IPS (Intrusion Prevention System) or IDS (Intrusion Detection System) cannot detect.

Vulnerability management and penetration tests provide snapshots of the security of systems and their configuration. In vulnerability management, the results depend predominantly on the data sets used; in penetration testing, they depend on the expertise of the testers. Without broad expertise and quality, the root causes of attacks cannot be determined. Penetration testing is also invasive: because it can cause system failures and additional costs, it carries considerable risk.

Neither method reveals whether existing vulnerabilities have already been exploited. Zero-day vulnerabilities, i.e. vulnerabilities that are not yet known but can be exploited to cause damage, are often overlooked. Even simple configuration errors such as overly permissive authorizations fall through the cracks: Windows Active Directory often contains accounts or groups with broad permissions and weak passwords. In the worst case, the entire infrastructure can be compromised.

Traditional or preventive measures are therefore not sufficient to raise the maturity level of hospital IT security infrastructure, to detect attacks and acute threats, and to react to them. Compromise assessment can be a valuable addition here: it is designed to find traces of attacks, the so-called IOCs – Indicators of Compromise. By analyzing and assessing them, compromised systems and the underlying vulnerabilities are discovered and clear recommendations for action are derived. The causes are eliminated in the remediation phase and the desired target state is established in order to end ongoing attacks and prevent future ones. Compromise assessment is an evaluative, not a preventive discipline in hospital IT security. It looks at the entire infrastructure and provides a view into the past.

Finding the traces of current and past attacks

An attacker inevitably leaves behind forensic artifacts that can be used for evaluation. These can be, for example, log and dump files from attack tools, files with unusual obfuscated content, tools that establish persistence, or simply tools in atypical directories or specific configuration keys. They can also be unusual network connections to suspicious servers, IP addresses and ports, or log entries of interactions, logins and process starts. The number and variety of IOCs that can be detected in practice is quite daunting.

For example, the THOR APT Scanner tool from Nextron Systems GmbH alone currently contains around 18,000 IOCs in 26 different detection modules in its basic rule set. It is appreciated by threat hunters and incident responders worldwide.

Good tools and broad knowledge to detect attacks quickly

Studies show that it usually takes two to three months before an attack is even detected. The damage increases with each day that the attacker remains undetected. Using compromise assessment, the time to detect a successful attack can be reduced to a few days in the best case. Typically, attacks are detected shortly after the analysis begins, because analysis starts with the events that have the highest hit rate. The decisive figure is a number of days made up of the scan duration plus the time until the analysis starts. This period can vary greatly depending on the scan configuration, the size of the system and the number of events returned. A rough guide is one week, since the scan duration can be anywhere between a few minutes and several days and the analysis starts directly afterwards. Events are sorted by severity, starting with the most severe. However, events with a low severity level can also be indicators of an attack. It is therefore important that the analysts have a broad knowledge of the structure and functioning of the systems: the result of the analysis can only be as good as the analysts’ know-how allows. The tools and the underlying rule set of the IOC scanners point in the right direction; the indications must then be correctly interpreted and put into context.

The need for Continuous Compromise Assessment

Even though a compromise assessment scan brings clarity to ongoing and past attacks and provides deep insight – it remains a snapshot in time. Any change to a hospital’s systems can close attack vectors, but it can also create new ones. That is why continuous compromise assessment makes sense: scanning for attack traces and analyzing the results on a recurring basis. The initial scan is quite time-consuming, as millions of forensic artifacts may need to be examined, which can take several days. The follow-up scans and analysis are significantly simpler, as only the changes need to be screened.
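A minimal model of the follow-up scan described above, added here as an example and not code from the article or from any scanner product: a baseline inventory is hashed, only artifacts that are new or changed since the baseline are screened against IOC rules, and the findings are sorted by severity, most severe first. The inventories, the IOC hash and the path rules are all constructed for the example.

```python
import hashlib
import re

# Constructed sample inventories: file path -> file content (a real scanner
# would also collect registry keys, log lines, network connections, etc.).
BASELINE = {
    "C:/Windows/System32/svchost.exe": b"legit service host",
    "C:/Program Files/App/app.exe": b"application binary",
    "C:/Users/alice/Documents/report.docx": b"quarterly report",
}
FOLLOWUP = {
    "C:/Windows/System32/svchost.exe": b"legit service host",          # unchanged
    "C:/Program Files/App/app.exe": b"application binary v2",          # changed (update)
    "C:/Users/alice/Documents/report.docx": b"quarterly report",       # unchanged
    "C:/Users/alice/AppData/Local/Temp/svchost.exe": b"dropped tool",  # new, atypical directory
}

SEVERITY = {"critical": 3, "high": 2, "medium": 1, "low": 0}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed IOC rules. The hash IOC is the hash of the sample content above, not a real indicator.
IOC_HASHES = {sha256(b"dropped tool"): ("hypothetical known-bad tool hash", "critical")}
PATH_RULES = [
    (re.compile(r"/AppData/Local/Temp/[^/]+\.exe$", re.I), "executable in user temp directory", "high"),
    (re.compile(r"(?<!System32)/svchost\.exe$", re.I), "system binary name outside System32", "medium"),
]


def changed_artifacts(baseline: dict, current: dict) -> dict:
    """Return only artifacts that are new or whose hash differs from the baseline scan."""
    base_hashes = {path: sha256(content) for path, content in baseline.items()}
    return {p: c for p, c in current.items() if base_hashes.get(p) != sha256(c)}


def scan(artifacts: dict) -> list:
    """Match artifacts against IOC rules; findings come back sorted by severity, most severe first."""
    findings = []
    for path, content in artifacts.items():
        if sha256(content) in IOC_HASHES:
            name, sev = IOC_HASHES[sha256(content)]
            findings.append({"path": path, "rule": name, "severity": sev})
        for pattern, name, sev in PATH_RULES:
            if pattern.search(path):
                findings.append({"path": path, "rule": name, "severity": sev})
    return sorted(findings, key=lambda f: SEVERITY[f["severity"]], reverse=True)


if __name__ == "__main__":
    for f in scan(changed_artifacts(BASELINE, FOLLOWUP)):
        print(f"[{f['severity']}] {f['path']}: {f['rule']}")
```

Note that the legitimate update of app.exe is screened but produces no finding, while the dropped file is reported three times; the low and medium hits would still need an analyst to put them into context, as the article stresses.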

A compromise assessment scan alone does not reduce the time it takes to detect an attack. This only happens if all measures derived from previous scans are implemented and systems are rescanned at regular intervals. These measures must be prioritized, implemented in a timely manner and tracked so that the security level increases in the long term. They can include, for example, introducing centralized log management or even a SIEM, changing the domain policy and introducing authorization management. It also makes sense to replace systems that are too old or whose manufacturer has discontinued support. In this way, clinics can optimize their processes and achieve a level of security that helps them deal with or prevent new attacks more quickly.


Compromise assessment is an excellent discipline for identifying and evaluating ongoing or past attacks on clinics and taking appropriate action to prevent them in the future. It can meaningfully enhance a hospital’s IT security, but it is not sufficient on its own to increase the security maturity level. This is because compromise assessment is a passive discipline and must be performed manually. Only in combination with other tools and measures does a whole emerge that reflects the overall security level.

Christoph Lemke · Author

Senior Cyber Defense Consultant

Christoph enjoys supporting challenging IT security and information security projects and is looking for new challenges in cyber defense.

Christoph studied Computer Engineering at Beuth University of Applied Sciences in Berlin until March 2017 and joined SECUINFRA as a Cyber Defense Analyst in April 2017. Since then, he has mainly been involved in the detection, analysis and defense of cyber attacks based on SIEM solutions and in the field of digital forensics. Within various projects, Christoph has already successfully improved the detection capabilities of SIEM infrastructures. His experience in digital forensics and incident response has fed into the development of SIEM use cases for identifying even challenging attacks (so-called Advanced Persistent Threats). In his spare time, Christoph continues his education in IT security and gains practical experience in reverse engineering and pentesting. Personally, he impresses with his competent and friendly manner.