Intelligent CISO Issue 9 - Page 34

PREDICTIVE INTELLIGENCE

can be exploited, i.e. sneaking past the inattentive security guards and going through unlocked doors into areas of the house. A compromise assessment, then, is equivalent to combing through corners of the building for evidence of intrusion or attempted intrusion, such as footprints not belonging to any house occupant, tools for further break-in left behind, or CCTV footage of intruders jumping in and out without detection.

Where is the value?

Going by the example above, it might sound tempting to dismiss the value of assessing the state of compromise of an entity, since compromise could have already occurred. However, it is important to note that the attacker may be unable to further their activities and would exercise patience, maintaining persistence within the network until the right moment presents itself. As cyberattackers now operate with different agendas and motives – political, nation-state funded or financial – and organisations deploy advanced detection solutions, cybercriminals have adapted their attacks to become increasingly evasive and persistent. According to a recent FireEye report, firms in Europe, the Middle East and Africa on average take nearly six months to detect cyberattacks. An average attacker dwell time of six months is alarming and shows that a compromise assessment at any time could potentially prevent an attacker from claiming what they are after.

Compromise assessment – best practices

Approaches to a compromise assessment will usually vary by the engagement firm and client environment; however, an assessment of this type would usually involve the deployment of advanced diagnostic listening tools with behavioural analysis and forensics capability for a period, to look for IOCs or advanced persistent threats (APTs). These IOCs could consist of malware hashes, filenames of files in wrong folders and malware execution patterns.

"Compromise assessment provides proof of the previously unidentified footprint of an attacker or of the existence of indicators of compromise."

The service differentiator

Utilising the right approach and deploying best-in-class technologies is a critical part of conducting a thorough and effective compromise assessment. However, the analysis of the data captured during the listening phase is the most critical. Organisations should engage providers that have the right human competencies for threat hunting and forensics to identify appropriate relationships between indicators and artefacts.

A systematic approach to compromise prevention

External/internal VA/PT
The first step in assessing how secure an infrastructure is comes down to performing a vulnerability assessment/penetration test on it. These should be performed by seasoned ethical hackers who do not solely rely on tools but instead follow a stringent manual methodology that provides a 360-degree view of your security controls.

Solution deployment
This requires the deployment of intelligence sources in the infrastructure under investigation, such as sensors for monitoring anomalous events in network traffic and agents on endpoints for malware and digital forensic analysis.

Forensics analysis
Incident response handling procedures, including assessment of the incident damage and digital forensics investigations, are among the top services needed in this phase.
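As an added illustration of the two file-based IOC types the article names (known-bad malware hashes and legitimate filenames sitting in the wrong folder), the following example, which is not from the article or any vendor tool, walks a constructed file tree and reports each match; the hash set, the expected-location table and the sample files are all constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed IOC set (illustrative only, not from any real threat feed).
# Known-bad content hash: SHA-256 of a constructed sample payload.
BAD_SHA256 = {hashlib.sha256(b"constructed malicious payload").hexdigest()}
# Filenames that legitimately live only in specific folders (relative to the scanned root).
EXPECTED_LOCATIONS = {
    "svchost.exe": {"Windows/System32"},
    "lsass.exe": {"Windows/System32"},
}

def sha256_of(path: Path, chunk: int = 1 << 16) -> str:
    """Hash a file in chunks so large binaries do not have to be read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def scan(root: Path) -> list[tuple[str, str]]:
    """Walk root and return (relative_path, reason) for every IOC match found."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if sha256_of(path) in BAD_SHA256:
            findings.append((rel, "known-bad hash"))
        allowed = EXPECTED_LOCATIONS.get(path.name.lower())
        if allowed is not None and path.parent.relative_to(root).as_posix() not in allowed:
            findings.append((rel, "filename outside expected folder"))
    return findings

def build_sample_tree(root: Path) -> None:
    """Constructed tree: a benign system file, a masquerading copy, and a known-bad payload."""
    (root / "Windows/System32").mkdir(parents=True)
    (root / "Users/alice/AppData/Local/Temp").mkdir(parents=True)
    (root / "Users/alice/Downloads").mkdir(parents=True)
    (root / "Windows/System32/svchost.exe").write_bytes(b"benign system binary")
    (root / "Users/alice/AppData/Local/Temp/svchost.exe").write_bytes(b"misplaced copy")
    (root / "Users/alice/Downloads/invoice.pdf.exe").write_bytes(b"constructed malicious payload")

def demo() -> list[tuple[str, str]]:
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan(root)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason}: {rel}")
```

The benign svchost.exe in Windows/System32 produces no finding, which is the point of the location rule: the same filename is only suspicious when it appears where that binary never legitimately lives.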