Compromise Assessment Methodology

Threat Landscape for the Enterprises

In recent years, many changes have occurred all around the world. The biggest reason for these changes was undoubtedly the global pandemic. The global pandemic has radically changed our work style and how we do business. Prolonged and frequent lockdowns made remote working a necessity, thus accelerating the digital transformation. Cloud services have become more widespread, and the use and diversity of cryptocurrency have increased tremendously.

These changes naturally caused the threats on the enterprises to change and develop. According to recent cyber security threat reports [2] [3], the most significant threats faced by enterprises in recent years are Ransomware and Malware. Generally, malware is used for data leakage/theft espionage.

In addition, the use of compromised systems for crypto mining has increased in recent years. 80% of attackers’ targets are servers, and most of these servers are web servers and mail servers. 70% of the adversaries perform these attacks because of financial motivation, and organized crime networks carry out more than 80% of the attacks.

The adversaries saw the business opportunity in the ransomware attacks, and they developed the business model for all kinds of attackers called Ransomware As A Service.

According to Gartner, the total amount of money spent on information security and risk management worldwide in 2020 was 137 billion dollars. This value is expected to increase to 221 billion dollars in 2025. [4] Data leaks, ransomware, and crypto-jacking incidents are constantly growing despite this money spent. Overall, we still could not reduce the attacker’s dwell time to an acceptable level. It took an average of 287 days to identify and contain a data breach.

According to the IBM Cost of Data breach 2021 report, the average cost of a data leak event is $4.2 million, and the cost of ransomware is $4.6 million, excluding the given ransom.

Of course, these numbers are average; the cost of data leak incidents and ransomware incidents can be above or below these values. But even if costs were lower than 4 million dollars, it is still too much money. Data breaches that took longer than 200 days to identify and contain cost on average $4.87 million, compared to $3.61 million for breaches that took less than 200 days. 29% of the Average total cost of a data breach was detection and escalation costs, mostly consisting of Forensic and investigative activities. The average time of Containment activities is approximately one-third point five of the whole identify and containment activities. For example, Breaches caused by stolen/compromised credentials took the longest number of days to identify (250) and contain (91) on average, for an average total of 341 days. In other words, the earlier we discover and contain compromised systems, the lower our costs will be.

Problems and Solutions

The importance of detection and prevention technologies like EPP, IPS, NGFW is undeniable. And we have to use these tools to protect our networks from external and internal attacks. We also need to continuously monitor our network for threats with SIEM and SOAR technologies. But traditional detection technologies like IPS, EPP, and NGFW are sometimes insufficient to struggle with new malware. And also, due to the too much noise in CSOC, analysts may overlook some indicators. And at the end of the day, some of our systems might be compromised, and we cannot catch it.

However, the early we can discover attackers and threats that have somehow bypassed enterprise security measures and start incident response activities, the less the impacts of the incident will be. Discovering the compromised systems is struggling and takes too much time with the traditional security tools. So, Compromise Assessment studies can be very effective in addition to the existing security measures discovering the compromised systems at the early phases of the attacks.

All attacks change the system state and leave evidence on the compromised systems, and we call these pieces of evidence Indicator of Compromises (IoC). IoCs are generally obtained from incident response activities and delivered to the cyber threat intelligence platforms for use. IoCs provide us with a proactive method for discovering compromised systems. Although IoCs has a short lifespan than TTPs of any threats, their accuracy in discovering compromised system is very high. And also, scanning IoCs is relatively easier and faster. When we discover an IoC in the network or on the endpoint, that system is highly probably compromised before. Compromised Assessment is the process of scanning the network and endpoints with reliable IoCs to find out compromised systems that the other security measures could not detect and prevent.

Compromise Assessment

Compromise Assessment is a targeted assessment study to discover compromised systems and undetected attacks, malware, and breaches that the company’s security measures could not detect and prevent.

The assessment is generally carried out with automated tools by scanning IoCs of known and up-to-date threats and evidence of malicious activities on the company’s network traffic, endpoints, and server systems. DFIR experts can analyze and use the results of these scans to discover compromised systems.

Compromise assessments must be;

• Fast
• Automated
• Periodic
• Affordable
• Without service interruption.

These assessments aim to discover compromised systems in the early stages of the attacks and reduce the dwell time. And also create output for DFIR activities and mitigate the impact of the incidents. Detailed and complete forensic activities generally are not performed in Compromise Assessments.

Benefits

Benefits of the Compromise Assessments are listed below:

• Create inputs to Incident Response and Threat Hunting
• Find out compromised systems.
• Discover known malware variants, remote access trojans, and similar malicious tools and software.
• Help to reduce Dwell Time.
• Find out new IoC to generate or update CTI Database.
• Help narrow down the assets of interest’s scope, which are investigated and quarantined in the Containment and Eradication activities in IR phases.
• Validates the effectiveness of the Company’s security measures Helps to create actionable items for remediation phases.

Outputs

The common outputs of the Compromise Assessment studies are listed below.

• Compromised system list.
• Potential threats and threat actors which you are at risk.
• New IoCs, TTPs and CTI

Compromised Assessment Implementation Steps

Conducting any assessment according to a model can be essential, practical, and effective. We can easily detect and improve problematic, timeconsuming activities using a method. Usually, we use a standard template in assessment studies. This template generally consists of three primary phases: Preparation, Execution, and Report. We also used this template while developing the model of the compromise assessment study. Now let’s detail these steps.

Preparation Phase

The preparation or planning phase is the primary phase of the assessment. We usually list the requirements and needs, define the scope, prepare people, process, and technology elements and define the steps we will perform in the other phases. The activities are detailed below.

Determine the Scope: In this step, we need to define the scope of the assessment and need to answer the questions below. For example, if we have five different branches and more than ten thousand machines in our network, we may need to narrow the scope.

• Do we need to assess all the assets in the enterprise network?
• Do we have enough people and time resources for assessing all enterprise assets?
• Where do we need to start, and do we need to make any prioritization?
• How often do we need to perform a Compromise Assessment?

It is essential to perform periodically Compromise Assessment studies to increase their effectiveness, but we can make this study once. For example, before mergers and acquisitions, many CISOs want to get a quick idea of the effectiveness of security measures within the company to be acquired. For this reason, CISO may want to see if there are compromised systems by making a Compromise assessment.

The period of the Compromise Assessments can be every month, every three months, every six months, or one in a year. You can schedule it according to your risk appetite. You can also make schedules like assessing different branches or departments each week.

The output of this step is a detailed list of assets, including IP address, region, function, OS, etc. that we want to assess and Compromise Assessment Schedule.

Provide Enterprise Related IoCs and Rules: It is practically impossible to scan all IoCs provided globally, so we must limit them to an acceptable scope. We need to determine the latest and biggest threats that enterprise faces and list the matching IoCs. While listing the IoCs, we need to consider the potential enterprise vulnerabilities. We can eliminate the unrelated threats and IoCs that the enterprise faces by the time. For example, if the enterprise does not deal with ICS, we must immediately eliminate the ICS-related IoCs.

After defining the IoC scope, we need to gather the IoCs. We can use either IoC we developed from our DFIR studies and use IoC provided from the CTI platform. Due to the tools, we use in Compromise Assessment having different mechanisms and needs, we can use some of the IoCs directly, some of them not. For example, we can usually use the lists like IP addresses domain names, but sometimes we need to transform some IoCs to rules like YARA and Sigma or another format. So, in this step, we need to convert all the IoCs into the functional form or gather the functional forms of IoCs directly from the provider.

The output of this state is IoC lists and Rules.

Planning: Even if you are doing the simplest tasks, working without a plan might easily ruin your project. Therefore the most critical task of this phase is probably the planning.

Compromise Assessment is not a complicated study, but if you did not list your requirements and needs, list resources you have (time, money, staff, tools, etc.) and ensure your resources exactly match your requirements; this study will probably take more time than you thought.

So, take your time, make resource requirement planning, plan all the tasks, assign these tasks to the people, inform all related parties, and ensure all parties are informed and acknowledge the plan.

The output of this step is Compromise Assessment Plan.

Install and Configure Tools: We use different kinds of IoCs in Compromise Assessment, but the most useful ones are generally end-pointbased. Therefore, we usually need endpoint software to perform this kind of scanning. Installation and configuration of the tools seem the most straightforward task of this phase. We can use a straightforward approach to install 10 or 50 different machines, but we may need detailed planning and automation tools or scripts if the number of devices is more than hundreds or more. Nevertheless, mid-range enterprises have more than 500 machines, so we probably need a detailed plan for enterprise-grade companies.

We must detail the installation and configuration plan in the Planning step; however, we may need to update the plan in this step. We must meet technological constraints such as application whitelisting, network access, authentication, authorization, permission, and similar requirements in the Installation and Configuration plan.

There is not a tangible output of this step.

Discovery and Verification

Discovery and Verification phase mainly includes the operational activities of a Compromise Assessment. A compromised Assessment study is not just running the tools and reporting the tools’ output. Competent people must collect, consolidate, review, interpret, confirm and report the results. We start the scanning and wait for the hits and matching potentially compromised systems we call systems of interest. The results of these scanning need to be verified to find out and eliminate the false positives. Therefore we collect and consolidate those data to ease the verification of the compromised systems. The activities are detailed below.

Scanning: If we use a suitable tool and extensive IoCs and rules, the scanning step will probably be the easiest part; we only initiate the scanning and wait to discover systems of interest.

The most important thing here is to determine the scope correctly; in other words, working with complete data. For example, if we don’t start a scan on all assets in our scope, or worse, there are assets in our network that we don’t know, the work will be incomplete. Similarly, if we are not using the correct IoCs and rules, even if we did not miss any asset, we may not discover the compromised systems properly.

Consolidate Data: The Scanning step produces a bunch of data for verification and investigation. We probably can not use all those data in investigation and reporting activities directly. We may need to use command-line tools, Microsoft Excel, or some scripts to cut, split, append, sort to refine, and enrich the data. Since Compromise Assessment is not a “next-next finish” task, we need to collect related data from different tools or tools’ particular modules.

Therefore, we need to collect data from particular sources, bring them together, make some relations with each other and create actionable content to use in consequent steps.

Verification: As we mentioned before, there will be some False Positive results. Since the primary goal of Compromise Assessment is to mitigate the impact of the security incident, the following action must be conducting an Incident Response to those compromised systems. Therefore, we need to start a cursory investigation to determine whether the results are false-positive or true-positive. Since compromised systems eventually will be contained and eradicated by the incident response team, we don’t need to make a deep investigation. However, we need to prioritize these results to help the incident response team to shorten their triage.

The output of this step is a prioritized compromised system list detailed with pieces of evidence.

Report

The reporting is the final phase of the Compromise Assessment study. In the report phase, we generally consolidate results, convert them to a more readable format, add explanatory information, summary, and recommendations. The Report must be as short as possible, includes an executive summary, and be written in clear formal language. The reports’ content and details may vary depending on who conducted the compromise assessment study and the report whom to be presented.

Suppose MSSP or Consultant Company conducted a compromise assessment. In that case, the report must be more detailed and might include the methodology, the scope of work, resources list, time, and other metrics related to the pricing and results. And that report must include detailed strategic and tactical recommendations. Suppose the company’s DFIR team conducted a compromise assessment. In that case, the report might only include results that will be used in incident response activities to speed up the incident response process. Some performance metrics need to be added to that report that might e used to improve the compromise assessment process.

The output of this step is, of course, a Compromise Assessment Report.

Relation Between CTI, Threat Hunting and Incident Response

Compromise Assessment study is not a sort of single and independent activity, and it has strong relations between the Incident Response and the Threat Hunting activities. We generally conduct Compromise Assessments to mitigate the impact of the incidents by discovering the compromise systems in the early stages of the attacks. Therefore almost all compromise assessment studies must trigger to start the incident response. The Compromise Assessment outputs will be helpfully used in the incident response.

Unlike Incident Response and Threat Hunting, there is usually a one-way relation between Compromise Assessment and CTI platforms. We usually only consume IOCs and don’t generate data directly to develop CTI. We typically discover new IOCs and relate with TTPs after incident response and threat hunting. We consume and develop CTI in the incident response and threat hunting activities. There is a two-way interaction between CTI and these activities.

Compromise Assessment studies generally don’t trigger Threat Hunting. But if you want to start a Threat Hunting program, you should conduct an assessment first to clarify the scope of your hunting program. You can perform regular compromise assessments to improve your hunting hypothesis, starting points, and focus.

Conclusion

Attackers use sophisticated tactics and tools that can bypass most of the detection and prevention measures in enterprises nowadays. To struggle with those kinds of attackers and attacks, we need to change our mindset to hunting and strengthen our team’s hunting and DFIR skills and need to be equipped with essential tools.

Compromise Assessment is an affordable, rapid, automated, proactive study that helps to find out the compromised systems in our network. Its primary goal is for helping to mitigate the impact of the incidents by discovering the compromised systems in the early phases of the attack. We can increase the probability of catching attackers and decrease the attacker’s dwell time in our network by conducting compromise assessments regularly.

Compromise assessments usually are performed by scanning the enterprise’s network, endpoints, and logs with the help of CTI. We can discover the compromised systems at the end of the assessment. We can use these outputs to start an incident response on the discovered compromised systems.

Recommendations

Preparation is important: The preparation phase is more important than we think; your Compromise Assessment study will be performed smoother if you are well prepared. Therefore, you should take enough time for the preparation phase.

Tool selection is critical: The tool you use in Compromise Assessment is critical, user-friendly, fast, and affordable all in one tool that can simplify your assessment.

CTI is essential: The up-to-date IOC list is essential in the Compromise Assessment studies.

References

• ENISA Threat Landscape Report 2021 [1]
• IBM Cost of a Data Breach Report 2021 [2]
• Verizon DBIR Report [3]
• Gartner Forecast Analysis: Information Security and Risk Management Worldwide [4]
• https://cyboxproject.github.io/documentation/objects [5]