Inhalt
Detecting attacks before major damage is done
Compromise Assessment can be a valuable technique to increase the maturity level of IT security.
Attack attempts on companies are becoming more and more sophisticated: Advanced Persistant Threats (APT) do not use standard tools that an IPS (Intrusion Prevention System) or IDS (Intrusion Detection System) can detect, but their own tools with unknown signatures. The aim is to infiltrate the victim’s infrastructure and keep backdoors open. To do this, configurations are stored in the registry or a service is installed that is run regularly.
Traditional protection measures such as semi-automated vulnerability management or penetration tests are IT security features frequently used in companies to combat cyber attacks. They reveal possible attack vectors, show whether they can be exploited in the infrastructure and what their consequences are: What privileges can an intruder gain and how severe are the vulnerabilities?
In the case of vulnerability management, the results are based predominantly on data inventories, and in the case of penetration testing, they are based on the expertise of the testers. If there is a lack of quality in both cases, the causes of attacks cannot be determined. This is the greatest weakness of both measures. In penetration testing, further challenges lie in the defined scope of systems and in the authorizations: These determine how far a tester may go without leaving additional damage to systems. This is because penetration tests are invasive and intervene in systems – as they can lead to downtime and additional costs, they are associated with high risks. Nevertheless, they represent only snapshots of the security of the system and configuration at the time of testing.
In Vulnerability Management, uploaded CVE data based on the software packages used in the company shows whether vulnerabilities are present. Often, patch management is also suspended here: security vulnerabilities are closed with new software versions.
Weaknesses of traditional security measures
Both methods do not show whether existing vulnerabilities have already been exploited. Attacks are often only detected when systems behave differently than usual. A vulnerability that is also often overlooked by these traditional protection measures are zero-day gaps: unknown security holes that have been newly discovered and can therefore be exploited by an attacker to cause significant damage. Traditional measures do not detect these gaps because they only target known ones. Even simple configuration errors can be overlooked by traditional measures – but they are obvious to an attacker. These are often overly generous authorization assignments: Windows Active Directory often contains accounts and even groups with diverse permissions and bad passwords. In an emergency, these can easily be exploited and the entire infrastructure compromised. Best practice is to grant users as few rights as possible, but especially in smaller companies with little manpower in IT, this is not always the case. Employees replace each other and need extensive rights to do so. The configurations are per se designed to keep the systems running and to allow daily work to be performed. The focus on security is missing.
If only traditional or preventive measures are used, the maturity level of the IT security infrastructure is usually insufficient to detect and respond to attacks and acute threats and thus prevent ongoing damage of any kind: System failures usually cost a lot of money and have to be reduced to a minimum.
Compromise assessment for a better security maturity level
Traditional measures can be supplemented with useful features: Compromise Assessment, for example, is specifically designed to find traces of attacks, the so-called IOCs – Indicators of Compromise. By analyzing and evaluating these indicators, compromised systems can be identified on the one hand, and on the other, the underlying vulnerabilities can be discovered and clear recommendations for action to remedy them can be derived. In the form of a remediation phase, the causes are eliminated and the desired target state is established in order to end ongoing attacks and prevent future ones.
Compromise assessment is not a preventive discipline in IT security, but an evaluative one. It looks not only at one part, but at the entire infrastructure and also allows a view into the past. It is a resource-saving and accurate method to quickly detect attacks, which are often successful despite preventive measures, and to minimize any damage. It has been shown that Compromise Assessment can greatly increase the security level: Studies by various companies and institutes show that it usually takes 2-3 months before an attack is even detected. Thus, an attacker has several months to reach his actual target. The potential damage caused increases with every day that the attacker remains undetected. With Compromise Assessment, the time to detect a successful attack can be reduced to a few days in the best case.
Tracking down attackers with forensic methods
Compromise Assessment uses forensic methods and tools to find traces of attacks: An agent is usually used on the end system, which starts a scan, monitors it and transmits the results to a central system. The end system is searched for specific traces of attacks (IOCs – Indicators of Compromise) with forensic thoroughness: For example, volatile and non-volatile data on a system, configurations, logins, user interactions or software that has been installed, executed or downloaded are looked at. The indicators of an attack are based on forensic artifacts that an attacker inevitably leaves behind.
In Windows alone, there are about 200 of these artifacts, attacker legacies such as tools in typical directories or configuration keys. They can also be unusual network connections to suspicious servers, IP addresses and ports, or log files generated during operation, i.e. interactions, logins and process starts. All of them are used for the evaluation.
Scanning for attack traces (IOCs – Indicators of Compromise) and analysis can also be done on a recurring basis. This has the advantage that not only a snapshot is created, but that new unknown attack traces are continuously searched for and an attacker is ideally detected very reliably within a short time. SECUINFRA GmbH, for example, offers a “Continuous Compromise Assessment” service. Here, an initial scan including evaluation is carried out in order to obtain a first assessment of the general situation at the customer’s site. This is usually quite time-consuming, as millions of forensic artifacts may have to be examined. Even the professionals from SECUINFRA need several days with their tools for this. Subsequently, further scans and evaluations take place on a regular basis, during which only the changes to the artifacts that are treacherous for an attacker need to be analyzed. This is much easier and therefore much faster.
Conclusion
Compromise Assessment is a valuable tool that can enhance IT security tools and increase their maturity level: With Compromise Assessment, the traces of cyber attacks can be detected and, ideally, high damage can be prevented.
More about Compromise Assessment