In 2022 alone, the German Federal Office for Information Security (BSI) recorded 116 million new malware variants, 15 million reports of malware infections of German systems, and a marked professionalization of cyberattacks. 40 percent of security breaches had a significant impact on business operations (BSI Report on the State of IT Security 2022). IT security experts consider this development a serious challenge for cybersecurity.
How can companies succeed in achieving and maintaining effective cybersecurity under these conditions? In this article, our author shows how Compromise Assessment can meaningfully extend traditional IT security tools to help organizations achieve robust cyber resilience.
The prerequisite for enterprise Cyber Resilience
Cyber Resilience refers to the ability of organizations to understand threat scenarios, assess them correctly and be optimally prepared for the worst case scenario. In this context, one of the most important tasks of IT security managers is to find ways to quickly identify a potential compromise, deal with it appropriately and minimize its impact. The idea that cyberattacks on organizations can always be prevented has not been realistic for some time. We know from the past that there can be no 100% security. The more digitization advances, the larger the attack surface for cybercriminals and hostile state actors becomes.
So it’s not just about preventing cyberattacks, but in particular the ability to detect them quickly and respond promptly with appropriate measures if they do occur. To enable companies to respond to attacks as quickly as possible, they should focus on proactive IT security measures as well as measures designed to detect cyberattacks.
Building and expanding these targeted measures is essential to strengthen resilience against cyberattacks. After all, operational downtime, the theft of sensitive data and the resulting high reputational damage could, in the worst case, threaten the business existence of companies.
The weaknesses of traditional protection measures: Vulnerability Management and Penetration Testing
Traditional measures such as vulnerability management or penetration tests are still frequently used in companies to increase IT security. But what can these measures actually achieve in terms of rapid attack detection and defense?
Vulnerability Management
By implementing an automated vulnerability management solution, the aim is to identify and deal with existing security vulnerabilities. For this purpose, a vulnerability management tool examines the attack surface, identifies existing IT vulnerabilities and reports them. The identified IT vulnerabilities are assigned severity levels (e.g. low, medium, high, critical). On this basis, the vulnerabilities are sent to the analyst team with corresponding recommendations for action. Vulnerability management includes not only vulnerability identification and assessment, but also successful vulnerability remediation.
Penetration Testing
A penetration test is a targeted and individually conducted IT security check. The purpose of this procedure is to identify the extent to which a company’s IT or information security is at risk from external or internal attacks and whether the IT security measures already in place provide sufficient protection.
In contrast to a vulnerability scanner, a penetration tester is able to verify a discovered vulnerability by using further tools, modules or an exploit. Moreover, the tester is not limited to a single vulnerability database: with this manual approach it is also possible to identify further vulnerabilities “behind” the exploited one.
What’s missing when using Vulnerability Management and Penetration Testing
In summary, vulnerability management helps identify vulnerabilities and penetration testing reveals whether they could be exploited. Wouldn’t it be at least as important for a company’s cyber resilience to permanently or at least periodically examine systems to determine whether vulnerabilities have already been exploited?
Or to put it another way: Wouldn’t it be extremely important to know whether systems in the company have already been compromised and are thus in the hands of attackers? This is exactly where a Compromise Assessment comes in!
The Compromise Assessment as a supplement to traditional protective measures
The measures mentioned above should be supplemented by a useful feature – the Compromise Assessment.
Compromise assessment uses forensic methods and tools: Here, an agent is used on the end system that searches for attack traces, so-called Indicators of Compromise (IoC), with forensic thoroughness and transmits the results to a central system. For example, it looks at volatile and non-volatile data on a system, configurations, logins, user interactions or software that has been installed, executed or downloaded. The Indicators of Compromise are based on forensic artifacts that an attacker inevitably leaves behind.
By analyzing and assessing these indicators, it is possible to identify compromised systems, discover the underlying vulnerabilities, and derive clear recommendations for remediation.
Compromise Assessment does not just look at a single system, but at the entire infrastructure of a company and also enables a look into the past. It is a resource-saving and accurate method to reliably detect attacks, which are often successful despite preventive measures, and to minimize any damage. It has been shown that with Compromise Assessment, the security level – and thus cyber resilience – can be greatly increased: Studies by various companies and institutes show that it usually takes several months before an attack is even detected. Thus, an attacker has several months to reach his actual target. The potential damage caused increases with every day that the attacker remains undetected. With Compromise Assessment, the time to detect a successful attack can be reduced to a few days in the best case.
Vulnerability Management, Penetration Testing and Compromise Assessment as a Trio for robust Cyber Resilience
As discussed above, vulnerability management helps identify and address vulnerabilities. Regular penetration testing conducted by experienced pentesters reveals whether these vulnerabilities can be exploited. Knowing whether vulnerabilities have already been exploited or systems in your organization have been compromised can most safely be achieved by using a Compromise Assessment.
With Continuous Compromise Assessment, you can go one step further: here, the system landscape undergoes a continuous and proactive review to achieve and maintain sustainable cyber resilience. As part of the Continuous Compromise Assessment, an initial scan including evaluation is performed at the beginning to obtain a first assessment of the overall situation. This scan is quite elaborate, as millions of forensic artifacts may need to be examined. Subsequently, further scans and evaluations take place on a regular basis, during which only the changes to artifacts since the previous scan, the changes that would betray an attacker's presence, need to be analyzed. This is significantly simpler and therefore also considerably faster.
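The baseline-and-delta approach described above, as an added illustration that is not code from the article or from any assessment product: artifacts from the initial scan are fingerprinted once, and each follow-up scan runs IoC matching only over artifacts that are new or changed. The artifact snapshots and the IoC list are constructed sample data.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed IoC set: one known-bad file hash and path fragments an analyst flagged.
IOC_HASHES = {sha256(b"constructed-dropper-bytes")}
IOC_PATH_FRAGMENTS = ("\\Temp\\svch0st", "/tmp/.x/")

def snapshot_fingerprint(artifacts: dict) -> dict:
    """Map artifact id -> content hash so later scans can cheaply find changes."""
    return {aid: sha256(content) for aid, content in artifacts.items()}

def changed_artifacts(baseline_fp: dict, current_fp: dict) -> set:
    """Only artifacts that are new or whose hash differs from the baseline."""
    return {aid for aid, h in current_fp.items() if baseline_fp.get(aid) != h}

def match_iocs(artifacts: dict, candidate_ids) -> list:
    """Run the (expensive) IoC checks only over the given candidate artifacts."""
    findings = []
    for aid in sorted(candidate_ids):
        content = artifacts[aid]
        if sha256(content) in IOC_HASHES:
            findings.append((aid, "known-bad hash"))
        elif any(f in content.decode(errors="ignore") for f in IOC_PATH_FRAGMENTS):
            findings.append((aid, "suspicious path"))
    return findings

def assess(baseline_fp: dict, artifacts: dict):
    """Follow-up scan: returns findings, number of artifacts examined, new baseline."""
    current_fp = snapshot_fingerprint(artifacts)
    candidates = changed_artifacts(baseline_fp, current_fp)
    return match_iocs(artifacts, candidates), len(candidates), current_fp

# Constructed initial scan, keyed as host:artifact-type:name.
RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"
INITIAL = {
    "host1:file:C:\\Windows\\System32\\svchost.exe": b"legit svchost bytes",
    "host1:autorun:" + RUN_KEY: b"C:\\Program Files\\Vendor\\updater.exe",
    "host2:file:/usr/bin/sshd": b"legit sshd bytes",
}
BASELINE = snapshot_fingerprint(INITIAL)   # initial scan covers every artifact

# Constructed follow-up scan: one new dropped file and one altered autorun entry.
FOLLOWUP = dict(INITIAL)
FOLLOWUP["host1:file:C:\\Users\\Public\\update.exe"] = b"constructed-dropper-bytes"
FOLLOWUP["host1:autorun:" + RUN_KEY] = b"C:\\Windows\\Temp\\svch0st.exe"
```

The initial evaluation is `match_iocs(INITIAL, INITIAL)` over all artifacts; every later run with `assess(BASELINE, FOLLOWUP)` touches only the two changed entries.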
Compromise assessment can thus be classified as an excellent supplement to existing security measures. Performed regularly (Continuous Compromise Assessment), it makes a valuable contribution to increasing cyber resilience.
Vulnerability management helps to identify vulnerabilities and a penetration test shows whether these could be exploited. But only a Compromise Assessment can reliably detect whether existing vulnerabilities have already been exploited!
With a Compromise Assessment, the traces of attackers are reliably detected and compromised systems in the company are tracked down. Cyberattacks can thus be detected and thwarted at an early stage, ideally before major damage occurs. Compromise Assessment, especially in the form of a regularly performed Continuous Compromise Assessment, is therefore a valuable tool that complements existing measures such as vulnerability management and regular penetration tests and sustainably strengthens the cyber resilience of a company.