Malware, ransomware or phishing: Companies are increasingly threatened by attacks that inject malware to steal information and intellectual property. Traditional protective measures are no longer sufficient. Cyber attacks can be detected with Compromise Assessment.

Compromise Assessment: Detecting attacks before major damage occurs

Traditional protection measures

Attack attempts on companies are becoming more and more sophisticated: Advanced Persistent Threats (APT) do not use standard tools that an IPS (Intrusion Prevention System) or IDS (Intrusion Detection System) would detect, but their own tools with unknown signatures. The aim is to infiltrate the victim's infrastructure and keep backdoors open. To do this, configurations are stored in the registry or a service is installed that runs regularly. The Compromise Assessment approach offers a way to defend efficiently against this.

Traditional protection measures such as semi-automated vulnerability management or penetration tests are the IT security measures companies most frequently use against cyber attacks. They reveal possible attack vectors and show whether these can be exploited in the infrastructure and what the consequences would be: What privileges can an intruder gain, and how big are the security gaps?

Circumventing weaknesses in traditional security measures

In vulnerability management, the results depend predominantly on the quality of the asset inventory; in penetration testing, they depend on the expertise of the testers. If quality is lacking in either case, the causes of attacks cannot be determined. This is the greatest weakness of both measures. Penetration testing faces further challenges in the defined scope of systems and in the authorizations granted: These determine how far a tester may go without causing additional damage to systems, because penetration tests are invasive and interfere with the systems under test.

Since they can lead to outages and additional costs, they carry a high risk. Moreover, they only provide a snapshot of the security of the system and its configuration at the time of testing. In vulnerability management, imported CVE data is matched against the software packages used in the company to show whether vulnerabilities exist. Patch management is often tied in here: security gaps are closed with new software versions.

Discovering Unknown Security Vulnerabilities

Neither method reveals whether existing vulnerabilities have already been exploited. Attacks are often only detected when systems behave differently than usual. Another class of vulnerability that these traditional protection measures often overlook is the zero-day gap: a newly discovered, still unknown vulnerability that an attacker can exploit to cause significant damage.

Traditional measures do not detect these gaps because they only target known ones. Even simple configuration errors can be overlooked by traditional measures, but they are obvious to an attacker. These are often overly generous permission assignments: Windows Active Directory frequently contains accounts and even groups with wide-ranging permissions and weak passwords. In a real attack, these can easily be exploited and the entire infrastructure compromised.

Increase the maturity level of IT security

Best practice is to give users as few rights as possible, but this is not always done, especially in smaller companies with little IT manpower. Employees stand in for each other and need extensive rights to do so. The configurations are designed above all to keep the systems running and to allow daily work to be performed. The focus on security is missing.

If only traditional or preventive measures are used, the maturity level of the IT security infrastructure is usually insufficient to detect and respond to attacks and acute threats and thus prevent ongoing damage of any kind: System failures usually cost a lot of money and must be kept to a minimum.

Finding traces of attacks

Traditional measures can be supplemented with useful features: Compromise Assessment is specifically designed to find traces of attacks, the so-called IOCs – Indicators of Compromise. By analyzing and evaluating these indicators, compromised systems can be identified on the one hand, and on the other, the underlying vulnerabilities can be discovered and clear recommendations for action to remedy them can be derived. In the form of a remediation phase, the causes are eliminated and the desired target state is established in order to end current attacks and prevent future ones.

Compromise assessment is not a preventive discipline in IT security, but an evaluative one. It looks not only at one part, but at the entire infrastructure and also allows a view into the past. It is a resource-saving and accurate method to quickly detect attacks, which are often successful despite preventive measures, and to minimize any damage.

It has been shown that Compromise Assessment can greatly increase the security level: Studies by various companies and institutes show that it usually takes two to three months before an attack is even detected. This gives an attacker several months to reach the actual target, and the potential damage grows with every day the attacker remains undetected. With Compromise Assessment, the time to detect a successful attack can be reduced to a few days in the best case.

Tracking down attackers with forensic methods

Compromise Assessment uses forensic methods and tools to find traces of attacks: Usually an agent is deployed on the end system, which starts a scan, monitors it and transmits the results to a central system. The end system is searched with forensic thoroughness for specific traces of attacks (IOCs, Indicators of Compromise): For example, volatile and non-volatile data on the system, configurations, logins, user interactions, and software that has been installed, executed or downloaded are examined. The indicators of an attack are based on forensic artifacts that an attacker inevitably leaves behind.

In Windows alone, there are about 200 of these artifacts: traces an attacker leaves behind, such as tools in typical directories or configuration keys. They can also be unusual network connections to suspicious servers, IP addresses and ports, or log files generated during operation that record interactions, logins and process starts. All of them are used in the evaluation.

Compromise assessment enhances IT security tools

Scanning for attack traces (IOCs, Indicators of Compromise) and their analysis can also be performed on a recurring basis. The advantage is that not just a snapshot is created: new, previously unknown attack traces are continuously searched for, and an attacker is ideally detected very reliably within a short time. SecuInfra's "Continuous Compromise Assessment" service is available for this purpose, for example. Here, an initial scan including evaluation is carried out to obtain a first assessment of the general situation at the customer's site. This is usually quite time-consuming, as millions of forensic artifacts may have to be examined.

In addition, the corresponding tools need several days for the examination. Subsequently, further scans and evaluations take place at regular intervals, during which only the changes to the artifacts that betray an attacker need to be analyzed. This is much simpler and therefore much faster. Compromise Assessment is a valuable tool for enhancing IT security tooling and raising its maturity level: With Compromise Assessment, the traces of cyber attacks can be detected and, ideally, major damage can be prevented.
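The delta analysis described above (compare a new scan of persistence artifacts against the baseline and review only what changed) can be illustrated with the following Python example. It is an added example, not SecuInfra's tooling; the registry Run keys, service entries and binary paths are constructed sample data, and the two directory and name heuristics are assumptions chosen for the illustration.

```python
# Differential review of Windows persistence artifacts between two scans (constructed data).
from typing import Dict, List, Tuple

# Constructed baseline snapshot from the initial scan: artifact -> binary it launches.
BASELINE: Dict[str, str] = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive":
        r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
    "service:Spooler": r"C:\Windows\System32\spoolsv.exe",
}

# Constructed follow-up snapshot: one new Run key and one new service have appeared.
CURRENT: Dict[str, str] = {
    **BASELINE,
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater":
        r"C:\Users\Public\svchost.exe",
    "service:WinHelper": r"C:\ProgramData\helper.exe",
}

# Assumed heuristics: where a legitimately installed autostart binary is expected to live,
# and system binary names that should never launch from outside System32.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\program files")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe"}

def diff_artifacts(baseline: Dict[str, str], current: Dict[str, str]):
    """Return (added, changed, removed) artifact keys between two snapshots."""
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    changed = sorted(k for k in current if k in baseline and current[k] != baseline[k])
    return added, changed, removed

def assess(binary_path: str) -> List[str]:
    """Reasons why a persistence binary deserves analyst attention (empty if none)."""
    p = binary_path.lower()
    name = p.rsplit("\\", 1)[-1]
    reasons = []
    if not p.startswith(TRUSTED_DIRS):
        reasons.append("runs outside trusted directories")
    if name in SYSTEM_NAMES and not p.startswith(r"c:\windows\system32"):
        reasons.append(f"system binary name {name} outside System32")
    return reasons

def scan_delta(baseline, current) -> List[Tuple[str, str, List[str]]]:
    """Review only added or changed artifacts, as a recurring assessment would."""
    added, changed, _ = diff_artifacts(baseline, current)
    return [(k, current[k], assess(current[k])) for k in added + changed if assess(current[k])]

if __name__ == "__main__":
    for key, path, reasons in scan_delta(BASELINE, CURRENT):
        print(f"{key} -> {path}: {'; '.join(reasons)}")
```

Unchanged artifacts (the OneDrive Run key and the Spooler service) are never re-examined, which is what makes the recurring scans so much faster than the initial one.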

Ramon Weil · Author

Founder & CEO


Ramon Weil is founder and managing director of SECUINFRA GmbH. Since 2010, he has developed SECUINFRA into one of the leading companies in the field of detection, analysis and defense against cyber attacks in Germany. Before founding SECUINFRA, Ramon worked for more than 20 years in the field of IT & IT security. Among other things, he worked at Siemens in the Security Operation Center (SOC), established the back level support for IT security products at Siemens and implemented and managed IT security projects worldwide. From 2006 until the foundation of SECUINFRA, Ramon built up the IT Security business for Siemens and later Nokia Siemens Networks (NSN) in the Asia Pacific (APAC) region. In addition to numerous IT security product certifications, he has been a CISSP since 2006 and a CISM since 2010.