HOW DOES A COMPROMISE ASSESSMENT COMPARE TO OTHER SERVICES?
A compromise assessment is just one of the many cybersecurity assessments that can be performed by IT/SOC teams. While traditionally reserved as one of the later assessments to be implemented, advances in machine learning and automation technology have made compromise assessments faster, more accurate, more thorough and more affordable.
However, compromise assessments are distinctly different from and should not be confused with other assessment services.
COMPROMISE ASSESSMENTS VS. VULNERABILITY ASSESSMENTS
Vulnerability assessments (VA) are designed to locate all possible vulnerabilities along a system’s attack surface that could be exploited for initial access. Compromise assessments (CA) are designed to systematically scan your entire system and identify any vulnerabilities, potential risks, abnormal user behavior, as well as any indicators of past compromises.
With advances in machine learning, more and more vulnerability and compromise assessments are automated and completed within minutes or hours (depending on the size and architecture of the given network).
Automated vulnerability assessments (sometimes called vulnerability scans) are capable of scanning a system for thousands of known vulnerabilities. Typically, the automated process includes cataloging all of your assets and triaging the detected vulnerabilities by projected impact severity; however, the number of false positives produced varies from vendor to vendor, and human analysts (be they yours, the VA vendor’s, or another third party’s) will still need to verify the vulnerabilities detected during the assessment.
However, automated vulnerability assessments are really only as good as the vendor’s database. You have no choice but to trust that the vendor’s database is up-to-date and covers all active and emerging threats targeting your industry. If their database is not up-to-date, the cybersecurity assessment you invested in will have little to no impact or return.
Compromise assessments go beyond the scope of vulnerability assessments to include analysis of user behavior in search of abnormalities, for example a remote user connecting from different countries in the span of a few minutes, or outbound traffic directed to a known malicious C2 server. Compromise assessments also look for indicators of compromise (IoCs) and any artifacts remaining from previous compromises.
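The two behavioral signals named above, a user appearing in two distant countries within minutes ("impossible travel") and an outbound connection to a known C2 address, are the kind of checks a compromise assessment runs over authentication and network logs. The following is an added illustration, not code from Cybots or from any assessment product: the login events, flow records and the IoC list are constructed sample data (TEST-NET addresses, not real indicators), and the 1000 km/h plausibility threshold is an assumed tuning value.

```python
"""Toy hunt for impossible travel and outbound C2 contact over sample logs.
All data below is constructed for illustration; the C2 IoC list holds
placeholder TEST-NET addresses, not real indicators."""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed login events: (user, ISO timestamp, country, latitude, longitude)
LOGINS = [
    ("alice", "2024-03-01T08:00:00", "DE", 52.52, 13.41),
    ("alice", "2024-03-01T08:07:00", "BR", -23.55, -46.63),  # 7 min later, ~9,800 km away
    ("bob", "2024-03-01T09:00:00", "US", 40.71, -74.01),
    ("bob", "2024-03-01T17:00:00", "US", 34.05, -118.24),  # 8 h later, a plausible flight
]

# Constructed outbound flow records: (source host, destination IP, destination port)
FLOWS = [
    ("ws-17", "203.0.113.45", 443),
    ("ws-17", "198.51.100.9", 8443),
    ("srv-db", "192.0.2.77", 443),
]

# Placeholder IoC set (assumed; a real assessment would load a vetted feed)
C2_IOCS = {"198.51.100.9"}

# Assumed ceiling for legitimate travel; commercial flights stay well below this
MAX_PLAUSIBLE_KMH = 1000.0


@dataclass
class Finding:
    kind: str      # "impossible_travel" or "c2_contact"
    subject: str   # user or host the finding concerns
    detail: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive logins per user whose implied speed exceeds max_kmh."""
    findings = []
    previous = {}  # user -> (timestamp, country, lat, lon)
    for user, ts, country, lat, lon in sorted(logins, key=lambda r: (r[0], r[1])):
        when = datetime.fromisoformat(ts)
        if user in previous:
            p_when, p_country, p_lat, p_lon = previous[user]
            distance = haversine_km(p_lat, p_lon, lat, lon)
            # Floor the interval at one second so identical timestamps cannot divide by zero
            hours = max((when - p_when).total_seconds(), 1.0) / 3600.0
            speed = distance / hours
            if speed > max_kmh:
                findings.append(Finding(
                    "impossible_travel", user,
                    f"{p_country}->{country}: {distance:.0f} km in {hours * 60:.0f} min "
                    f"({speed:.0f} km/h)"))
        previous[user] = (when, country, lat, lon)
    return findings


def c2_matches(flows, iocs):
    """Flag outbound flows whose destination is on the C2 indicator list."""
    return [Finding("c2_contact", host, f"{dst_ip}:{port}")
            for host, dst_ip, port in flows if dst_ip in iocs]


def run_hunt(logins=LOGINS, flows=FLOWS, iocs=C2_IOCS):
    """Run both checks and return every finding, most severe kind first."""
    findings = c2_matches(flows, iocs) + impossible_travel(logins)
    return findings


if __name__ == "__main__":
    for f in run_hunt():
        print(f"[{f.kind}] {f.subject}: {f.detail}")
```

Running the block flags alice (Berlin to São Paulo in seven minutes) and the ws-17 flow to the placeholder C2 address, while bob's eight-hour coast-to-coast move stays quiet. The speed check deliberately floors the interval at one second so two logins with the same timestamp from different continents are still reported rather than crashing the hunt.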
COMPROMISE ASSESSMENTS VS. PENETRATION TESTING
While penetration tests (or pentests) are also designed to locate all possible vulnerabilities along a system’s attack surface that could be exploited for initial access, these tests are typically not automated and require the pentesting team to go a step beyond mere vulnerability detection.
Pentest teams also attempt to prove whether the detected vulnerabilities would lead to a compromise. This is an extremely detailed process and takes more time than a vulnerability scan. In addition, because pentests are typically not automated, there are zero false positives that need to be verified (or fewer, depending on which tools the pentest team uses and how loosely you define a “false positive”).
Compromise assessments, enhanced by machine learning, typically perform the signature-based detections included in vulnerability assessments. They have also become capable of accurately analyzing user behavior to hunt for abnormalities and potential malicious activity. Compromise assessments are now capable of scanning environments with hundreds—and even thousands—of endpoints far faster, more accurately, and more thoroughly than any team of human analysts. Some vendors even offer hybrid approaches where human and AI analysts work together to perform compromise assessments.
COMPROMISE ASSESSMENTS VS. RED TEAM ASSESSMENTS
There are three major differences between red team assessments and compromise assessments—goals, approaches, and cost.
Red team assessments are designed to test the efficiency and efficacy of your organization’s detection and response capabilities and approach your system from a hacker’s perspective. Compromise assessments (CA) are designed to systematically scan your entire system and identify vulnerabilities, potential risks, abnormal user behavior, or indicators of past compromises.
Though a red team’s approach may be scripted, it is typically not automated and is human-driven. Red teams have been known to perform man-in-the-middle attacks with parked cars in parking lots, drop USB drives outside the office, socially engineer phishing attack campaigns, or even physically infiltrate a company to hack directly into the local intranet. Once initial access is gained, red teams typically attempt to evade detection, linger in the customer’s environment as long as possible, and exfiltrate as much sensitive data as possible.
Red team assessments, however, cannot tell you whether other attackers are already inside unless the red team happens to traverse some of the same routes. It is possible that red teams could exploit the same vulnerabilities in your system that cybercriminals did, and it is possible they would notice; however, this isn’t their main function. Red teams can only inform you of what they themselves have done to your system.
Additionally, many organizations have not yet adequately invested in cybersecurity beyond firewall or antivirus solutions, or they could simply lack the time and resources necessary to implement detection and response capabilities, which would negate the need for a red team assessment. Contrarily, identifying potential vulnerabilities and indicators of past compromise is always relevant when assessing a digital environment regardless of its maturity.
Last but not least, red team assessments can be quite expensive—especially if they’re experienced. An effective and experienced red team knows their way around security and should give you an accurate assessment of your detection and response capabilities. However, they’re not cheap and typically take a lot of time.
Conversely, compromise assessments take significantly less time to complete than red teams, are significantly cheaper, and offer more actionable reports.
While budgeting and resource constraints are key factors when deciding what kind of assessment is best for your organization’s current needs, the most important factor should be the goal for each assessment as red teams and compromise assessments have different use cases.
In short, red teams inform you if you’re capable of being breached today and how badly; compromise assessments inform you if you’ve ever been breached before and where you’ll be vulnerable to attack tomorrow.
The Benefits of Compromise Assessments
- Speed – unlike other assessments, CAs can typically be completed in one day
- Reduced Risk – locate and triage vulnerabilities
- Establish Complete Security Baseline – know the current state of your defenses
- Expedite Merger & Acquisitions – quickly identify threats early on
- Detect Unusual User Behavior – detect insider or advanced threats
- Decreased Dwell Time – detect highly evasive advanced threats
- Reduce and Control Breach Impact – early detection means reducing and controlling the breach impact as well as more time to prepare your messaging
- Expedite Incident Response Investigations – IR investigations can leverage CA reports to allow victims to begin their eradication and remediation process earlier
WHY COMPROMISE ASSESSMENTS ARE IMPORTANT
Technology typically used for digital forensics and incident response (DFIR) investigations is now used proactively to determine not only whether your system has been compromised but also for how long, how it was done, and how to actionably eradicate the threat and remediate your system.
Pentesting and vulnerability assessments are primarily focused on locating and triaging vulnerabilities, such as misconfigurations or unpatched services. While closing these holes is crucial and can prevent future attacks, neither of these services can tell you if cybercriminals have already set up a command and control server with multiple access points after they abused those vulnerabilities.
Red teams can expose unrevealed problems in your detection and response protocols. However, while red team exercises are extremely useful (especially at giving blue teams experience with their own defense controls), red team assessments may not deliver the most actionable remediation reports. All the “damage” done by a red team could have been done by exploiting only a few vulnerabilities—or even just one. Other vulnerabilities could have been left unexplored and remain unknown. Most likely, the path used by the red team poses the greater threat to your organization; however, a compromise assessment would specialize in detecting, verifying, and locating all potential risks and vulnerabilities.
Many organizations perform the bare minimum of what is required to meet compliance regulations, offloading the remaining risk to a cyber insurance policy investment. Most organizations do not have the time or resources to build and maintain a security operations center (SOC) from the ground up that is capable of effective detection and response to modern threats.
Incorporating a routine compromise assessment (CA) into your risk mitigation strategy ensures your organization has, at the very least, an actionable road map to eradicating vulnerabilities in your system and confidently determining that no threats have breached your defenses.
If you’re interested in learning more about compromise assessments and Cybots’ approach to a healthier and more secure network, engage us directly at email@example.com.