Compromise Assessment: How to detect malicious actors

Compromise Assessment allows you to detect signs of compromise and analyze the malicious activities detected against companies, as well as their scope and impact

Not all attacks have the same impact on the organizations they target. For example, during World War II, the Normandy landings were a successful attack that enabled the Allies to undertake the liberation of France. On the other hand, the German response, through the Ardennes counteroffensive, did not help them regain lost ground and weakened their position on both the Western and Eastern fronts.

Something similar is happening about cyberattacks. Each security incident may have a different impact on a company’s or institution’s systems, may have compromised all or only some systems, and may be more or less complex to oust the malicious actor. It is therefore essential that companies that are compromised or believe they may be compromised implement a Compromise Assessment.

Thanks to the Compromise Assessment it is possible to confirm the presence of malicious activity on corporate systems, evaluate this ongoing activity, isolate the systems that have been compromised, and obtain valuable information so that Incident Response services can successfully remove the malicious actors in the shortest possible time.

If the Normandy landing was a success, it was largely because the Allies put in place diversionary and counterintelligence maneuvers that prevented the Germans from detecting the signs of the attack and being able to repel it.

In the following, we will explain what a Compromise Assessment consists of, what its stages are, and what role it plays in incident response.

1. What is a Compromise Assessment?

As its name suggests, a Compromise Assessment is an evaluation that makes it possible to analyze whether a company’s technological infrastructure is compromised. In other words, the objective of a Compromise Assessment is to detect malicious activity and evaluate both its scope and its impact on the systems of an organization, be it a company or a public administration.

Who is qualified to perform a Compromise Assessment? Highly qualified Threat Hunting teams that accumulate extensive knowledge of the techniques, tactics, and procedures of malicious actors. In addition, professionals use detailed information provided by available telemetry to launch proactive Threat Hunting actions to detect both Threat Actors and Malicious Operations.

What actions can be detected thanks to a Compromise Assessment? This assessment makes it possible to detect ongoing malicious activities, but also attacks that occurred in the past but have left traces in the available telemetry and have gone unnoticed by the defensive teams of a company or public institution.

How long does it take to perform a Compromise Assessment? Because Threat Actors may pause their operations so as not to create opportunities for detection, and not all organizations have pre-incident telemetry available, it is often necessary to wait until new Malicious Operations occur to reveal the position of the Threat Actor and the extent of the compromise. In this context, the Tarlogic team has estimated that it can take up to 45 days to be sufficiently certain that no compromised assets or unidentified persistence have been left behind.

1.1. Under what circumstances should a Compromise Assessment be performed?

• When organizations detect malicious activity.
• When there is a suspicion that an attack is taking place.
• Periodically, to proactively identify malicious activity before malicious actors move further along the attack’s Cyber Kill Chain.

2. What are the differences between Compromise Assessment and Vulnerability Assessment?

Is a Compromise Assessment the same as a vulnerability assessment? No. They are analyses with different objectives and characteristics.

The purpose of a vulnerability assessment is to scan the perimeter of an organization to detect and prioritize the mitigation of vulnerabilities that can be exploited by malicious actors to attack an organization.

This type of analysis must be performed continuously to prevent cybercriminals from exploiting known vulnerabilities, especially considering the relevance and complexity of the software supply chain of companies.

For all these reasons, vulnerability analysis is an essential activity within the vulnerability management of the technological infrastructure of a company or a public administration.

´However, a Compromise Assessment focuses on the threat instead of the vulnerability. What is the purpose? To find evidence and indicators of compromise that enable professionals to ascertain the past or present presence of malicious activity on corporate systems.

Thus, while vulnerability assessment focuses on preventing security incidents by mitigating weaknesses that can be exploited by criminals, Compromise Assessment’s mission is to detect threats that have already had an impact and gather all the information necessary to isolate the systems that have been affected and expel cybercriminals from corporate assets. It is therefore a task of great added value for incident response teams.

3. From the initiation of the Compromise Assessment to the removal of malicious actors

There is no single methodology for conducting a Compromise Assessment. Tarlogic professionals’ procedure is composed of three phases:

• Initiation of the Compromise Assessment after analyzing the case and designing the analysis according to the objectives and needs of the incident response service.
• Access to telemetry. Detection and monitoring of malicious activity is carried out by analyzing telemetry. This information can be obtained from multiple sources, being especially relevant to the one provided by EDR or XDR technology.
• Analysis of the data collected to enrich the response to an incident. For example, by implementing Proactive Threat Hunting actions to detect malicious actors, isolate compromised corporate assets, and carry out the incident response process with maximum efficiency.

4. Benefits of performing a Compromise Assessment

What are the benefits of conducting a Compromise Assessment for companies?

1. It provides evidence that a successful attack has occurred or is occurring against the organization.
2. It identifies the extent of the compromise, including the permissions the malicious actor has to further damage the organization.
3. Helps Incident Responders decide which systems or assets to isolate to prevent the spread of the attack.
4. Facilitates attack containment efforts to limit the harmful consequences of attacks.
5. Provides valuable information about the security incident so that professionals can orchestrate the most appropriate responses based on the compromise and successfully expel the malicious actor.
6. It provides organizations with highly relevant data to identify exploited weaknesses, identify detection deficiencies, and propose the implementation of the necessary measures to prevent future incidents.
7. If the Compromise Assessment is performed regularly as part of an ongoing Incident Response service, it can provide valuable data to improve the company’s detection and response capabilities.

5. A task that enriches proactive Incident Response

As we have suggested throughout the article, the Compromise Assessment is an activity that can be carried out when providing an Incident Response service. But what is Incident Response? This kind of cybersecurity service is focused on:

• Taking leadership and coordination between the different teams involved in the response.
• Identifying malicious activity affecting a company.
• Containing an attack.
• Eradicating the presence of malicious actors in corporate technology infrastructures.
• Restoring normality after a security incident.

Does this mean that Incident Response is only reactive and is triggered when an event occurs? Not necessarily. It is advisable to approach an Incident Response service proactively, with a focus on pre-incident preparedness to optimize the response to incidents as much as possible.

Thus, a proactive Incident Response service allows companies to anticipate malicious actors and to enrich their response capabilities by performing beforehand and regularly tasks such as:

• Readiness Assessment, to ascertain that the incident response team can be deployed in the shortest possible time in the event of an event.
• Compromise Assessment, which, as mentioned above, is not only of great added value for evaluating active events but also serves to identify malicious activities that have not been detected beforehand.
• Incident drills, to maximize the efficiency of response actions.
• Threat analysis. This task makes it possible to identify malicious actors that could potentially launch attacks against a company and to design a prevention strategy to avoid them.
• Development of an effective incident response plan.

6. The 4 keys to a comprehensive Incident Response Service

In light of what we have just said about the characteristics of a proactive Incident Response service, we can outline four basic characteristics of a comprehensive service that enables companies to anticipate incidents, safeguard business continuity, and avoid catastrophic economic, legal, and reputational consequences.

6.1. Adaptation to the organization and its needs

Each company or institution has elements and processes that make it unique. Therefore, the Incident Response service must adapt to these peculiarities to gather as much information as possible. Why? When detecting, analyzing, and containing an attack, it is crucial to pay attention to any type of information source.

6.2. Preparedness, foresight, and an offensive mindset

The best incident response services are enriched by the knowledge and experience of the Red Team and Threat Hunting teams. As a result, incident response professionals can identify hostile actions even when no alarms have been raised. This is also possible thanks to the offensive mentality of the Incident Response teams, who can make forecasts about the activities that may be deployed in the future by malicious actors attacking a company.

6.3. Continuous updating of knowledge

Beyond the crucial importance of EDR or XDR technology, the team in charge of an incident response service must be at the forefront of Threat Hunting Intelligence and be able to elucidate the right line of inquiry when it comes to uncovering malicious actors. This also means keeping abreast of the most innovative techniques, tactics, and procedures used by criminals.

6.4. Expertise in detecting malicious actors

The expertise of professionals and the creation of synergies with other advanced cybersecurity services such as Red Team or Threat Hunting is essential when designing and implementing an Incident Response service.

7. Managed Detection and Response Service (MDR)

Incident Response is a managed detection and response service or MDR. Behind these letters lies the concept of «Managed detection and response».

The purpose of this type of service is to optimize detection mechanisms and improve companies’ ability to respond to security incidents. To do this, cybersecurity experts use the information available to companies (servers, networks, equipment, etc.) by making use of multiple technologies, such as the EDR/XDR technology that we mentioned earlier when dissecting the keys to a Compromise Assessment. In such a way that a managed security service combines:

• The use of EDR and XDR technology, a critical technology for effectively detecting and responding to threats.
• The knowledge of professionals trained to manage this technology who put the information it generates in context and analyze it efficiently to track potential compromises.
• Continuous research work on the state of the art in the cybersecurity field, to understand the TTPs of malicious actors and be able to design new rules to identify and analyze compromises in corporate environments.

8. Threat Hunting and Incident Response: Staying one step ahead of the bad guys

To provide companies with a comprehensive MDR service, the Tarlogic team offers organizations two complementary and mutually enriching services:

• Proactive Threat Hunting. The cybersecurity company’s Threat Hunters specialize in analyzing activity on corporate endpoints and servers, launching deception campaigns, and evaluating the behavior of an organization’s entities. Why? To detect threats even if no security alerts have been generated. Thanks to this proactive approach, Compromise Hypotheses can be raised and Malicious Actors acting under the radar can be discovered without generating security alerts.
• Incident Response. The Tarlogic team takes leadership of the response, involving multiple teams of the organization, analyzes the available information relevant to the investigation, where necessary provides tools to expand the information relevant to the investigation, identifies Malicious Operations and Malicious Actors, determines the scope and impact of the compromise identified, helps design the best containment strategy, coordinates the different teams involved to provide the effective response and, once the Malicious Actor is removed from the corporate assets, suggests recovery actions for a return to normality and business continuity.

8.1. Combating APTs

MDR services are essential for managing security incidents, limiting the impact of an attack, stopping malicious actors, and restoring normality in the shortest possible time.

So they show their full potential in combating Advanced Persistent Threats and the most innovative and resource-intensive criminal groups at their disposal.

We will never know what would have happened if the Germans had detected the Normandy landing and had the necessary information to successfully repel the invasion. But there is no doubt that the course of the war would have been different.

For a company’s Incident Response to be as efficient and rapid as possible, it is essential to have a team of highly qualified professionals with extensive experience behind them, with their methodology and up-to-date knowledge of a constantly evolving threat landscape.