Malware, ransomware or phishing: companies are increasingly threatened by attacks that inject malware to steal information and intellectual property. Vulnerability management or penetration testing are no longer sufficient as traditional security measures, as they can only detect known threats but not attacks. This is where Compromise Assessment can be a valuable technique to increase the maturity level of IT security.

Malware, ransomware or phishing

Detect attacks before they cause major damage

Attacks on companies are becoming more and more sophisticated: Advanced Persistent Threats (APT) do not use standard tools that an IPS (Intrusion Prevention System) or IDS (Intrusion Detection System) can detect, but their own tools with unknown signatures. The aim is to infiltrate the victim’s infrastructure and keep backdoors open. To do this, configurations are stored in the registry or a service is installed that runs regularly.

Traditional protection measures such as semi-automated vulnerability management or penetration tests are the IT security controls companies most frequently use against cyber attacks. They reveal possible attack vectors, show whether these can be exploited in the infrastructure and what the consequences would be: what privileges can an intruder gain, and how severe are the vulnerabilities?

In vulnerability management, the results depend predominantly on the quality of the data inventories; in penetration testing, they depend on the expertise of the testers. If that quality is lacking, the causes of attacks cannot be determined, which is the greatest weakness of both measures. Penetration testing faces further challenges in the defined scope of systems and in the authorizations granted: these determine how far a tester may go without causing additional damage to systems. Penetration tests are invasive and intervene in systems; because they can lead to downtime and additional costs, they carry high risks. Moreover, they represent only a snapshot of the security of the systems and their configuration at the time of testing.

In vulnerability management, imported CVE data matched against the software packages used in the company shows whether vulnerabilities are present. Patch management is often tied to this process: security vulnerabilities are closed by installing new software versions.

Weaknesses of traditional security measures

Neither method shows whether existing vulnerabilities have already been exploited. Attacks are often only detected when systems behave differently than usual. A class of vulnerability that these traditional protection measures also frequently miss is the zero-day: a newly discovered, still unknown security hole that an attacker can exploit to cause significant damage. Traditional measures do not detect these gaps because they only look for known ones. Even simple configuration errors can be overlooked by traditional measures, yet they are obvious to an attacker. These are often overly generous permission assignments: Windows Active Directory often contains accounts and even groups with wide-ranging permissions and weak passwords. In an emergency, these can easily be exploited and the entire infrastructure compromised. Best practice is to grant users as few rights as possible, but especially in smaller companies with little IT manpower, this is not always the case. Employees stand in for each other and need extensive rights to do so. The configurations are designed above all to keep the systems running and to allow daily work to be done; the focus on security is missing.

If only traditional or preventive measures are used, the maturity level of the IT security infrastructure is usually insufficient to detect and respond to attacks and acute threats, and thus to prevent ongoing damage of any kind: system failures usually cost a lot of money and must be kept to a minimum.

Compromise assessment for a better security maturity level

Traditional measures can be supplemented with useful features: Compromise Assessment, for example, is specifically designed to find traces of attacks, the so-called IOCs – Indicators of Compromise. By analyzing and evaluating these indicators, compromised systems can be identified on the one hand, and on the other, the underlying vulnerabilities can be discovered and clear recommendations for action to remedy them can be derived. In the form of a remediation phase, the causes are eliminated and the desired target state is established in order to end ongoing attacks and prevent future ones.

Compromise assessment is not a preventive discipline in IT security, but an evaluative one. It looks not only at one part, but at the entire infrastructure and also allows a view into the past. It is a resource-saving and accurate method to quickly detect attacks, which are often successful despite preventive measures, and to minimize any damage. It has been shown that Compromise Assessment can greatly increase the security level: Studies by various companies and institutes show that it usually takes 2-3 months before an attack is even detected. Thus, an attacker has several months to reach his actual target. The potential damage caused increases with every day that the attacker remains undetected. With Compromise Assessment, the time to detect a successful attack can be reduced to a few days in the best case.

Tracking down attackers with forensic methods

Compromise Assessment uses forensic methods and tools to find traces of attacks: an agent is usually deployed on the end system, which starts a scan, monitors it and transmits the results to a central system. The end system is searched for specific traces of attacks (IOCs – Indicators of Compromise) with forensic thoroughness: for example, volatile and non-volatile data on a system, configurations, logins, user interactions and software that has been installed, executed or downloaded are examined. The indicators of an attack are based on forensic artifacts that an attacker inevitably leaves behind.

In Windows alone there are about 200 of these artifacts: remnants an attacker leaves behind, such as tools in typical directories or configuration keys. They can also be unusual network connections to suspicious servers, IP addresses and ports, or log files generated during operation, i.e. records of interactions, logins and process starts. All of them are used in the evaluation.

Scanning for attack traces (IOCs – Indicators of Compromise) and their analysis can also be done on a recurring basis. This has the advantage that not only a snapshot is created, but that new, previously unknown attack traces are continuously searched for and, ideally, an attacker is detected very reliably within a short time. The “Continuous Compromise Assessment” service is available for this purpose, for example. Here, an initial scan including evaluation is carried out to obtain a first assessment of the general situation at the customer’s site. This is usually quite time-consuming, as millions of forensic artifacts may have to be examined, and the corresponding tools require several days for this. Subsequently, further scans and evaluations take place on a regular basis, during which only the changes to those artifacts that give an attacker away need to be analyzed. This is much easier and therefore much faster.
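The two preceding sections describe the mechanics in prose: an agent collects forensic artifacts (persistence entries in the registry, services, network connections, files), each artifact is checked against indicators of compromise, and a recurring assessment only has to look at what changed since the baseline scan. The following Python script is an added, self-contained illustration of that workflow and is not code from SECUINFRA or from the article. The artifact format, the `Artifact` class, the IOC lists and both scan snapshots are constructed for the example; the hash, the 203.0.113.42 address (a documentation-only TEST-NET-3 range) and the file paths are placeholders, not real indicators.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Artifact:
    """One forensic artifact collected from an endpoint by a scan agent (constructed format)."""
    kind: str    # "registry_run", "service", "netconn" or "file"
    key: str     # where it was found: registry value, service name, owning process, file path
    value: str   # what was found: command line, binary path, remote endpoint, SHA-256

# Constructed indicator set for this example; none of these are real IOCs.
IOC_HASHES = {"a" * 64}                 # placeholder SHA-256 of a known-bad binary
IOC_ENDPOINTS = {"203.0.113.42:443"}    # placeholder C2 endpoint in the TEST-NET-3 range
# A persistence entry that launches something from a user-writable scratch directory is a
# classic attacker remnant and deserves a second look even when no known IOC matches.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "c:\\users\\public\\", "c:\\windows\\temp\\")


def match_artifact(art: Artifact) -> list[str]:
    """Return the reasons an artifact is suspicious; an empty list means nothing matched."""
    reasons = []
    if art.kind == "file" and art.value.lower() in IOC_HASHES:
        reasons.append("file hash matches IOC list")
    if art.kind == "netconn" and art.value in IOC_ENDPOINTS:
        reasons.append("network connection to IOC endpoint")
    if art.kind in ("registry_run", "service") and any(d in art.value.lower() for d in SUSPICIOUS_DIRS):
        reasons.append("persistence entry launches from a user-writable directory")
    return reasons


def full_review(artifacts) -> list[tuple[Artifact, list[str]]]:
    """Initial assessment: every artifact collected from the system is evaluated."""
    return [(a, match_artifact(a)) for a in artifacts if match_artifact(a)]


def diff_scans(baseline, current):
    """Artifacts that appeared since the baseline scan, and artifacts that disappeared."""
    base, cur = set(baseline), set(current)
    order = lambda a: (a.kind, a.key)
    return sorted(cur - base, key=order), sorted(base - cur, key=order)


def recurring_review(baseline, current) -> dict:
    """Recurring assessment: only the delta between two scans is evaluated."""
    added, removed = diff_scans(baseline, current)
    return {
        "reviewed": len(added) + len(removed),
        "removed": removed,
        "findings": [(a, match_artifact(a)) for a in added if match_artifact(a)],
    }


# Constructed baseline scan of a clean workstation.
SCAN_DAY0 = [
    Artifact("registry_run", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
             r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    Artifact("service", "Spooler", r"C:\Windows\System32\spoolsv.exe"),
    Artifact("netconn", "svchost.exe", "192.0.2.10:443"),
    Artifact("file", r"C:\Windows\System32\notepad.exe", "b" * 64),
]

# Constructed follow-up scan a week later: three new artifacts that together look like
# a dropped binary, a Run-key persistence entry for it, and its outbound connection.
SCAN_DAY7 = SCAN_DAY0 + [
    Artifact("registry_run", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
             r"C:\Users\alice\AppData\Local\Temp\upd.exe"),
    Artifact("netconn", "upd.exe", "203.0.113.42:443"),
    Artifact("file", r"C:\Users\alice\AppData\Local\Temp\upd.exe", "a" * 64),
]

if __name__ == "__main__":
    print("Initial assessment (day 0): %d artifacts reviewed, %d findings"
          % (len(SCAN_DAY0), len(full_review(SCAN_DAY0))))
    result = recurring_review(SCAN_DAY0, SCAN_DAY7)
    print("Recurring assessment (day 7): %d changed artifacts reviewed, %d findings"
          % (result["reviewed"], len(result["findings"])))
    for art, reasons in result["findings"]:
        print(f"  [{art.kind}] {art.key} -> {art.value}: {'; '.join(reasons)}")
```

The point of the diff step is the one the text makes: the initial scan evaluates every artifact (here only four, in practice millions), while the recurring scan evaluates just the three that changed, and all three of them surface as findings. Removed artifacts are reported too, because a persistence entry that silently disappears between scans is itself worth explaining.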

Conclusion

Compromise Assessment is a valuable tool that can be used to enhance IT security tools and increase their maturity level: With Compromise Assessment, the traces of cyber attacks can be detected and, ideally, high damage can be prevented.

Ramon Weil · Author

Founder & CEO


Ramon Weil is founder and managing director of SECUINFRA GmbH. Since 2010, he has developed SECUINFRA into one of the leading companies in the field of detection, analysis and defense against cyber attacks in Germany. Before founding SECUINFRA, Ramon worked for more than 20 years in the field of IT & IT security. Among other things, he worked at Siemens in the Security Operation Center (SOC), established the back level support for IT security products at Siemens and implemented and managed IT security projects worldwide. From 2006 until the foundation of SECUINFRA, Ramon built up the IT Security business for Siemens and later Nokia Siemens Networks (NSN) in the Asia Pacific (APAC) region. In addition to numerous IT security product certifications, he has been a CISSP since 2006 and a CISM since 2010.