Traditional protection measures
Attacks on companies are becoming more and more sophisticated: Advanced Persistent Threats (APTs) do not rely on standard tools whose signatures an IPS (Intrusion Prevention System) or IDS (Intrusion Detection System) recognizes, but on their own tooling with unknown signatures. The aim is to infiltrate the victim's infrastructure and keep backdoors open. To do this, attackers store persistence entries in the registry or install a service that is run regularly. The Compromise Assessment approach offers an efficient way to defend against this.
Traditional protection measures such as semi-automated vulnerability management or penetration tests are the IT security measures companies most frequently use against cyber attacks. They reveal possible attack vectors and show whether these can be exploited in the infrastructure and with what consequences: which privileges an intruder can gain and how large the security gaps are.
Circumventing weaknesses in traditional security measures
In vulnerability management, the results depend predominantly on the quality of the asset inventory; in penetration testing, they depend on the expertise of the testers. If either is lacking, the weaknesses an attacker would actually use are not found. This is the greatest weakness of both measures. In penetration testing, further limits lie in the defined scope of systems and in the authorizations granted: these determine how far a tester may go without causing additional damage to systems, because penetration tests are invasive and interfere with the systems under test.
Since they can lead to outages and additional costs, they carry a high risk. Even so, they only provide a snapshot of the security of systems and configurations at the time of the test. In vulnerability management, imported CVE data matched against the software packages used in the company shows whether known vulnerabilities exist. Patch management is often tied to this process: security gaps are closed by deploying new software versions.
Discovering Unknown Security Vulnerabilities
Neither method reveals whether existing vulnerabilities have already been exploited. Attacks are often detected only when systems behave differently from usual. A class of vulnerability that these traditional protection measures also regularly miss is the zero-day: a vulnerability that has only just been discovered and for which no signature or patch exists yet, so an attacker can exploit it to cause significant damage.
Traditional measures do not detect such gaps because they only look for known ones. Even simple configuration errors can slip past traditional measures, while to an attacker they are obvious. These are often overly generous permission assignments: Windows Active Directory frequently contains accounts and even groups with far-reaching permissions and weak passwords. In a real attack, these can easily be exploited to compromise the entire infrastructure.
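A concrete check for the misconfiguration described above, as an added example that is not part of the original article or of any SecuInfra tooling: it audits an Active Directory user export for enabled members of privileged groups whose password settings make them an easy target. The user records, group DNs and the one-year password-age limit are constructed assumptions; the userAccountControl bit values are the ones Microsoft documents. In practice the same function would be fed the output of an LDAP query or Get-ADUser instead of the inline list.

```python
"""Audit a constructed Active Directory user export for over-privileged
accounts with weak password settings.

Added example; the records below are constructed to look like the fields
an LDAP query returns for user objects (sAMAccountName, memberOf,
userAccountControl, pwdLastSet).
"""
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags as documented by Microsoft
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

# Assumption: groups whose members can take over the whole directory.
# A real audit extends this with the organisation's own tier-0 groups.
PRIVILEGED_GROUPS = {
    "CN=Domain Admins,CN=Users,DC=corp,DC=example",
    "CN=Enterprise Admins,CN=Users,DC=corp,DC=example",
    "CN=Administrators,CN=Builtin,DC=corp,DC=example",
}
MAX_PASSWORD_AGE = timedelta(days=365)  # assumption: policy limit for privileged accounts

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "now" so the result is reproducible

# Constructed sample export (not real accounts)
USERS = [
    {"sAMAccountName": "jdoe",
     "memberOf": ["CN=Sales,OU=Groups,DC=corp,DC=example"],
     "userAccountControl": NORMAL_ACCOUNT,
     "pwdLastSet": NOW - timedelta(days=20)},
    {"sAMAccountName": "backup-svc",
     "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=example"],
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
     "pwdLastSet": NOW - timedelta(days=1500)},
    {"sAMAccountName": "helpdesk2",
     "memberOf": ["CN=Administrators,CN=Builtin,DC=corp,DC=example"],
     "userAccountControl": NORMAL_ACCOUNT | PASSWD_NOTREQD,
     "pwdLastSet": NOW - timedelta(days=10)},
    {"sAMAccountName": "old-admin",
     "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=example"],
     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE,
     "pwdLastSet": NOW - timedelta(days=900)},
]


def audit_privileged_accounts(users, now=NOW):
    """Return {sAMAccountName: [findings]} for enabled accounts that are
    direct members of a privileged group and have weak password settings."""
    findings = {}
    for u in users:
        uac = u["userAccountControl"]
        if uac & ACCOUNTDISABLE:
            continue  # disabled accounts cannot be used for logon
        if not PRIVILEGED_GROUPS.intersection(u["memberOf"]):
            continue  # only privileged accounts are in scope here
        issues = []
        if uac & PASSWD_NOTREQD:
            issues.append("PASSWD_NOTREQD: empty password permitted")
        if uac & DONT_EXPIRE_PASSWORD:
            issues.append("DONT_EXPIRE_PASSWORD set on a privileged account")
        age = now - u["pwdLastSet"]
        if age > MAX_PASSWORD_AGE:
            issues.append(f"password not changed for {age.days} days")
        if issues:
            findings[u["sAMAccountName"]] = issues
    return findings


if __name__ == "__main__":
    for account, issues in audit_privileged_accounts(USERS).items():
        print(account, "->", "; ".join(issues))
```

Note that this checks direct group membership only; nested groups (a "Helpdesk" group that is itself a member of Administrators) have to be expanded first, which is exactly where the "groups with far-reaching permissions" mentioned above tend to hide.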
Increase the maturity level of IT security
Best practice is to grant users as few rights as possible, but this is not always the case, especially in smaller companies with little IT staff. Employees stand in for each other and are given extensive rights to do so. The configurations are designed to keep systems running and allow daily work to be done; the focus on security is missing.
If only traditional or preventive measures are used, the maturity level of the IT security infrastructure is usually insufficient to detect and respond to attacks and acute threats, and therefore to stop damage that is already occurring. System failures usually cost a lot of money and must be kept to a minimum.
Finding traces of attacks
Traditional measures can be supplemented with a useful addition: Compromise Assessment is specifically designed to find traces of attacks, the so-called IOCs (Indicators of Compromise). Analyzing and evaluating these indicators identifies compromised systems on the one hand and, on the other, uncovers the underlying vulnerabilities, from which clear recommendations for remediation can be derived. In a remediation phase, the causes are eliminated and the desired target state is established in order to end ongoing attacks and prevent future ones.
Compromise Assessment is not a preventive discipline of IT security but a detective, evaluative one. It looks not at one part but at the entire infrastructure, and it also allows a view into the past. It is a resource-efficient and accurate method for quickly detecting attacks, which often succeed despite preventive measures, and for keeping the damage to a minimum.
Compromise Assessment has been shown to raise the security level considerably: studies by various companies and institutes report that it usually takes two to three months before an attack is detected at all. This gives an attacker several months to reach the actual target, and the potential damage grows with every day the attacker remains undetected. With Compromise Assessment, the time to detect a successful attack can in the best case be reduced to a few days.
Tracking down attackers with forensic methods
Compromise Assessment uses forensic methods and tools to find traces of attacks: usually an agent on the endpoint starts a scan, monitors it and transmits the results to a central system. The endpoint is searched with forensic thoroughness for specific traces of attacks (IOCs): for example volatile and non-volatile data on the system, configurations, logins, user interactions, or software that has been installed, executed or downloaded. The indicators of an attack are based on forensic artifacts that an attacker inevitably leaves behind.
In Windows alone there are around 200 such artifacts, attacker remnants such as tools in typical directories or configuration keys. They can also be unusual network connections to suspicious servers, IP addresses and ports, or log files generated during operation, i.e. records of interactions, logins and process starts. All of them are used in the evaluation.
Compromise assessment enhances IT security tools
Scanning for attack traces (IOCs) and their analysis can also be performed on a recurring basis. The advantage is that not just a snapshot is created: new, previously unknown attack traces are searched for continuously, and an attacker is ideally detected reliably within a short time. SecuInfra's "Continuous Compromise Assessment" service is one offering of this kind. Here an initial scan, including evaluation, establishes a first assessment of the general situation at the customer's site. This is usually quite time-consuming, since millions of forensic artifacts may have to be examined.
In addition, the tools involved need several days for the examination. Subsequently, further scans and evaluations take place at regular intervals, in which only the changes to the artifacts that give an attacker away need to be analyzed. This is much simpler and therefore much faster. Compromise Assessment is a valuable instrument for enhancing IT security tooling and raising its maturity level: with Compromise Assessment, the traces of cyber attacks can be detected and, ideally, major damage can be prevented.
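The two mechanisms described above, the artifact scan for IOCs ("Tracking down attackers with forensic methods") and the recurring scan that only evaluates what changed since the previous one, as one added example. This is not the agent or the service described on this page and not SecuInfra code; the hostnames, registry keys, service names, the C2 address (from the documentation range 203.0.113.0/24), the placeholder hash and the "unusual port" list are all constructed assumptions. A real agent would collect the same record shape (artifact type, location, value, optional hash) from the registry, the service control manager and the host's network connections.

```python
"""Scan host artifacts for Indicators of Compromise, and for a recurring
assessment evaluate only artifacts that are new or changed since the
previous scan.

Added example with constructed data; the IOC values and heuristics are
assumptions, not real indicators.
"""
import re

# Constructed IOCs. 203.0.113.45 is from a documentation address range and
# "aa"*32 is a placeholder hash; neither is a real indicator.
IOC_IPS = {"203.0.113.45"}
IOC_SHA256 = {"aa" * 32}

# Heuristic: autostart entries and services whose binary lives in a
# temporary or user-writable location, typical for dropped attacker tools.
SUSPICIOUS_PATH = re.compile(
    r"\\(Temp|Users\\Public|ProgramData)\\[^\\]+\.(exe|dll|vbs|ps1)$",
    re.IGNORECASE,
)
# Assumption: ports the environment's own services never use outbound.
UNUSUAL_PORTS = {4444, 8443, 1337}


def check_artifact(a):
    """Return the list of reasons this artifact looks like an IOC, or []."""
    hits = []
    t = a["type"]
    if t in ("registry_run", "service"):
        if SUSPICIOUS_PATH.search(a["value"]):
            hits.append(f"{t} points to executable in a temporary or user-writable location")
        if a.get("sha256") in IOC_SHA256:
            hits.append("binary hash matches IOC")
    elif t == "netconn":
        ip, port = a["value"].rsplit(":", 1)
        if ip in IOC_IPS:
            hits.append("connection to known C2 address")
        elif int(port) in UNUSUAL_PORTS:
            hits.append(f"outbound connection on unusual port {port}")
    return hits


def scan(snapshot):
    """Full scan: evaluate every artifact. Returns {artifact_id: hits}."""
    results = {}
    for a in snapshot:
        hits = check_artifact(a)
        if hits:
            results[a["id"]] = hits
    return results


def diff_scan(previous, current):
    """Recurring scan: evaluate only artifacts that are new or whose value
    changed since the previous snapshot. Returns (changed_ids, hits)."""
    prev = {a["id"]: a for a in previous}
    changed = [a for a in current if prev.get(a["id"]) != a]
    return [a["id"] for a in changed], scan(changed)


def art(host, typ, location, value, sha256=None):
    """Build one artifact record; the id is stable across scans."""
    a = {"id": f"{host}|{typ}|{location}", "type": typ, "value": value}
    if sha256:
        a["sha256"] = sha256
    return a


# Constructed first (full) scan of host01: nothing suspicious
FIRST_SCAN = [
    art("host01", "registry_run", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
        r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    art("host01", "service", "Spooler", r"C:\Windows\System32\spoolsv.exe"),
    art("host01", "netconn", "tcp:198.51.100.20:443", "198.51.100.20:443"),
]

# Constructed recurring scan one week later: one service was hijacked,
# a Run key, a service and a C2 connection are new, the rest is unchanged.
LATEST_SCAN = [
    FIRST_SCAN[0],
    art("host01", "service", "Spooler", r"C:\Windows\Temp\spoolsv.exe"),
    art("host01", "netconn", "tcp:198.51.100.20:443", "198.51.100.20:443"),
    art("host01", "registry_run", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdateSvc",
        r"C:\Users\Public\update.exe"),
    art("host01", "service", "UpdaterHelper", r"C:\Windows\Temp\svchost.exe", "aa" * 32),
    art("host01", "netconn", "tcp:203.0.113.45:443", "203.0.113.45:443"),
]


if __name__ == "__main__":
    changed, hits = diff_scan(FIRST_SCAN, LATEST_SCAN)
    print(f"{len(changed)} of {len(LATEST_SCAN)} artifacts changed since last scan")
    for artifact_id, reasons in hits.items():
        print(artifact_id, "->", "; ".join(reasons))
```

The full scan and the differential scan report the same four findings here, but the differential one only had to evaluate four records instead of six; on a real host with millions of artifacts that is the difference between days and minutes described above. The comparison is on the whole record, so a service whose image path changed is analyzed again even though its id already existed in the baseline.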