Most companies rely on proven and well-known methods for their IT security, e.g. vulnerability management or penetration tests, to arm themselves against cyber attacks. However, such attacks are becoming increasingly sophisticated and are correspondingly difficult to detect. Traditional IT security measures are therefore reaching their limits; moreover, they are merely snapshots with high costs. In addition, they cannot detect whether security vulnerabilities have actually been exploited - this requires tools such as Compromise Assessment, which uses Indicators of Compromise (IOCs) to detect traces of attacks and thus determine whether an attack has taken place.

Compromise assessment for clinics: a critical review

Building block for a higher security maturity level

In combination with the know-how of cybersecurity analysts and continuous implementation, hospitals can sustainably increase their security maturity level and avoid mere snapshots of their own security level. Compromise assessment can be a valuable tool to enhance clinics’ IT security alongside traditional measures such as vulnerability management or penetration testing. It can be used to detect ongoing or past attacks. Nevertheless, hospitals must be aware that only a holistic approach based on the interaction of tools and know-how can permanently raise the security maturity level. Organizations typically employ traditional protection measures such as vulnerability management or penetration testing against cyberattacks; however, these are becoming increasingly difficult to detect.

Advanced Persistent Threats (APT), for example, use their own tools with unknown signatures that an IPS (Intrusion Prevention System) or IDS (Intrusion Detection System) cannot detect. Vulnerability management or penetration tests provide images of the system’s security and configuration. In Vulnerability Management, the results are mainly based on the data files, and in Penetration Testing, the results are based on the expertise of the testers. Without broad expertise and quality, the causes of attacks cannot be determined. Penetration testing is also invasive. Since failures and additional costs can occur, they are associated with high risks. Neither method reveals whether existing vulnerabilities have already been exploited.

Zero-day gaps are often overlooked: Unknown vulnerabilities that can be exploited to cause damage. Even simple configuration errors such as overly generous authorization measures fall through the cracks: Windows Active Directory often contains accounts or groups with diverse authorizations and bad passwords. In an emergency, the entire infrastructure can be compromised.  Traditional or preventive measures are therefore not sufficient to raise the maturity level of the IT security infrastructure of hospitals, to detect attacks and acute threats and to react to them. Compromise assessment can be a valuable addition here: It is designed to find traces of attacks, the so-called IOCs – Indicators of Compromise.

By analyzing and assessing them, compromised systems and the underlying vulnerabilities are discovered and clear recommendations for action are derived. The causes are eliminated in the Remediation phase and the desired target state is established in order to end ongoing attacks and prevent future ones. Compromise assessment is an evaluative, not a preventive discipline in hospital IT security. It looks at the entire infrastructure and provides a view into the past.

Finding the traces of current and past attacks

An attacker inevitably leaves behind forensic artifacts that can be used for evaluation. These can be, for example, log and dump files from attack tools, files with unusual obfuscated content, persistence creation tools, or simply tools in atypical directories or specific configuration keys. It can also be unusual network connections to suspicious servers, IP addresses and ports, or log files of interactions, logins and process starts. The number and variety of IOCs that can be detected in practice is quite frightening. Good tools and broad knowledge to quickly detect attacks Studies show that it usually takes two to three months before an attack is even detected.

The damage increases with every day that the attacker remains undetected. Using Compromise Assessment, the time to detect a successful attack can be reduced to a few days in the best case. Typically, attacks are detected shortly after the analysis begins because the events with the highest hit rate are started. The decisive factor is a sum of days, which is made up of the scan duration and the start of the analysis. This period can vary greatly depending on the scan configuration, the size of the system and the number of events returned. An approximate parameter is a week, since the scan duration can be between a few minutes and several days and the analysis is started directly afterwards.
Events are sorted by severity, starting with the most severe. However, events with a low severity level can also be indicators of an attack. Therefore, it is important that the analysts have a broad knowledge of the structure and functioning of the systems: The result of the analysis can only be as good as the analysts’ know-how allows. The tools and the underlying rule set of the IOC scanners provide the right direction; the indications must then be interpreted correctly and put into context.

Need for Continuous Compromise Assessment

Even though a Compromise Assessment scan brings clarity to ongoing and past attacks and provides deep insight – it remains a snapshot in time. Any change to a hospital’s systems can fix attack vectors, but it can also create new ones. That’s why Continuous Compromise Assessment makes sense: scanning for attack traces and analysis on a recurring basis. The initial scan is quite time-consuming, as millions of forensic artifacts may need to be examined, which can take several days. The follow-up scans and analysis are significantly simpler, as only the changes need to be screened.

A Compromise Assessment Scan alone does not reduce the time it takes to detect an attack. This only happens if all measures from previous scans are implemented and systems are rescanned at regular intervals. These measures must be prioritized, implemented in a timely manner and tracked so that the security level increases in the long term. These measures can include, for example, introducing centralized log management or even SIEM, changing the domain policy and introducing authorization management. It also makes sense to replace systems if they are too old or the manufacturer has discontinued support. In this way, clinics can optimize their processes and achieve a level of security that will help deal with or prevent new attacks more quickly.


Compromise assessment is an excellent discipline for identifying and evaluating ongoing or past attacks on clinics and taking appropriate action to prevent them in the future. It can meaningfully enhance a hospital’s ITSecurity, but is not sufficient on its own to increase its security maturity level. This is because Compromise Assessment is a passive discipline and must be performed manually. Only in combination with other tools and measures does a cosmos emerge that reflects the overall security level.


Ramon Weil · Author

Founder & CEO

Ramon Weil ist Gründer und Geschäftsführer der SECUINFRA GmbH. Seit 2010 hat er SECUINFRA zu einem der führenden Unternehmen im Bereich der Erkennung, Analyse und Abwehr von Cyberangriffen in Deutschland entwickelt.

Ramon Weil ist Gründer und Geschäftsführer der SECUINFRA GmbH. Seit 2010 hat er SECUINFRA zu einem der führenden Unternehmen im Bereich der Erkennung, Analyse und Abwehr von Cyberangriffen in Deutschland entwickelt. Vor der Gründung von SECUINFRA war Ramon mehr als 20 Jahre im Bereich IT & IT-Security tätig. Unter anderem hat er bei Siemens im Security Operation Center (SOC) gearbeitet, den Back Level Support für IT-Security Produkte bei Siemens aufgebaut und weltweit IT- Security Projekte umgesetzt und geleitet. Von 2006 bis zur Gründung von SECUINFRA hat Ramon das IT-Security Geschäft für Siemens und später Nokia Siemens Networks (NSN) in der Region Asia Pacific (APAC) aufgebaut. Neben zahlreichen IT-Security Produkt-Zertifizierungen ist er seit 2006 CISSP und seit 2010 CISM.

Founder & CEO

Ramon Weil is founder and managing director of SECUINFRA GmbH. Since 2010, he has developed SECUINFRA into one of the leading companies in the field of detection, analysis and defense against cyber attacks in Germany.

Ramon Weil is founder and managing director of SECUINFRA GmbH. Since 2010, he has developed SECUINFRA into one of the leading companies in the field of detection, analysis and defense against cyber attacks in Germany. Before founding SECUINFRA, Ramon worked for more than 20 years in the field of IT & IT security. Among other things, he worked at Siemens in the Security Operation Center (SOC), established the back level support for IT security products at Siemens and implemented and managed IT security projects worldwide. From 2006 until the foundation of SECUINFRA, Ramon built up the IT Security business for Siemens and later Nokia Siemens Networks (NSN) in the Asia Pacific (APAC) region. In addition to numerous IT security product certifications, he has been a CISSP since 2006 and a CISM since 2010.
Beitrag teilen auf: