WHAT IS COMPROMISE ASSESSMENT?

The Benefits, How it’s Different, How to Choose a Vendor, and More

CyCraft Technology Corp
Published in CyCraft
9 min read · Nov 11, 2021


A Compromise Assessment (CA) is a comprehensive, automated, evidence-based analysis and evaluation of an organization’s entire digital environment and cybersecurity posture and is designed to identify all ongoing and past incidents of unauthorized access, malicious activity, and indicators of compromise.

In short, a compromise assessment answers the questions that keep IT/SOC teams up at night. How are we vulnerable? Have we ever been compromised? How badly?

HOW DOES A COMPROMISE ASSESSMENT COMPARE TO OTHER SERVICES?

A compromise assessment is just one of the many cybersecurity assessments that can be performed by IT/SOC teams. While traditionally reserved as one of the later assessments to be implemented, advances in machine learning and automation technology have made compromise assessments faster, more accurate, more thorough, more affordable, and with even more functionality and features.

However, this also means that compromise assessments can often be confused with other assessment services.

COMPROMISE ASSESSMENTS VS. VULNERABILITY ASSESSMENTS

Vulnerability assessments (VA) are designed to locate all possible vulnerabilities along a system’s attack surface that could be exploited for initial access. Compromise assessments (CA) are designed to systematically scan your entire system and identify any vulnerabilities, potential risks, abnormal user behavior, as well as any indicators of past compromises.

With advances in machine learning, more and more vulnerability and compromise assessments are automated and completed within minutes or hours (depending on the size and architecture of the given network).

Automated vulnerability assessments (sometimes called vulnerability scans) are capable of scanning a system for thousands of known vulnerabilities. Typically, the automated process will include cataloging all of your assets and triaging the detected vulnerabilities by projected impact severity; however, the number of false positives produced will vary from vendor to vendor, and human analysts (be they yours, the VA vendor’s, or another third party’s) will still need to verify vulnerabilities detected during the assessment.

However, automated vulnerability assessments are really only as good as the vendor’s database. You can only trust that the vendor’s database is up-to-date and covers all active and emerging threats targeting your industry. If their database is not up-to-date, the cybersecurity assessment you invested in will have little to no impact or return.

Compromise assessments go beyond the scope of vulnerability assessments as more and more include analyses of user behavior in search of abnormalities, such as a remote user connecting from different countries in the span of a few minutes or outbound traffic being directed to a known malicious C2 server. Compromise assessments also look for indicators of compromise (IoCs) and any remaining artifacts for previous compromises.
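The two behavioral signals named above (one account seen in two countries within minutes, and outbound traffic to a listed C2 address) can be expressed as simple checks over authentication and connection records. The following is an added illustration, not CyCraft code; the log events, hostnames, and the IoC list are constructed placeholders.

```python
from datetime import datetime, timedelta

# Constructed sample authentication events (not real telemetry):
# (username, login timestamp, source country code)
AUTH_EVENTS = [
    ("alice", "2021-11-10T08:02:00", "TW"),
    ("alice", "2021-11-10T08:05:00", "TW"),
    ("bob",   "2021-11-10T09:00:00", "TW"),
    ("bob",   "2021-11-10T09:04:00", "RO"),   # same user, new country 4 minutes later
    ("carol", "2021-11-10T10:00:00", "JP"),
    ("carol", "2021-11-10T14:00:00", "TW"),   # 4 hours apart: plausible travel, not flagged
]

# Constructed outbound connection records: (host, destination IP), documentation-range IPs
OUTBOUND = [
    ("ws-01", "203.0.113.10"),
    ("ws-02", "198.51.100.7"),
    ("ws-03", "203.0.113.10"),
]

# Placeholder IoC set; in an actual assessment this comes from threat intelligence feeds.
KNOWN_C2 = {"203.0.113.10"}


def impossible_travel(events, window_minutes=10):
    """Flag users seen in two different countries within `window_minutes`."""
    by_user = {}
    for user, ts, country in events:
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), country))
    findings = []
    for user, logins in by_user.items():
        logins.sort()  # chronological order per user
        for (t1, c1), (t2, c2) in zip(logins, logins[1:]):
            if c1 != c2 and t2 - t1 <= timedelta(minutes=window_minutes):
                findings.append((user, c1, c2, int((t2 - t1).total_seconds() // 60)))
    return findings


def c2_contacts(connections, ioc_set):
    """Return hosts whose outbound traffic went to a listed C2 address."""
    return sorted({host for host, dst in connections if dst in ioc_set})


if __name__ == "__main__":
    for user, c1, c2, mins in impossible_travel(AUTH_EVENTS):
        print(f"[behavior] {user}: {c1} -> {c2} within {mins} min")
    for host in c2_contacts(OUTBOUND, KNOWN_C2):
        print(f"[ioc] {host} contacted a known C2 address")
```

The country-change window is a tunable threshold: widening it trades fewer missed detections for more legitimate travel being flagged for analyst review.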

COMPROMISE ASSESSMENTS VS. PENETRATION TESTING

While penetration tests (or pentests) are also designed to locate all possible vulnerabilities along a system’s attack surface that could be exploited for initial access, these tests are typically not automated and require the pentesting team to go a step beyond mere vulnerability detection.

Pentest teams also attempt to prove if the detected vulnerabilities would lead to a compromise. This is an extremely detailed process and takes more time than a vulnerability scan.

In addition, as pentests are typically not automated, there are few or no false positives that need to be verified (how many depends on which tools the pentest team uses and how loosely you define a “false positive”).

Due to advances in machine learning technology, compromise assessments today typically not only perform the signature-based detections included in vulnerability assessments but also have become capable of accurately analyzing user behavior to hunt for abnormalities and potentially malicious activity.

Compromise assessments are now capable of scanning environments with hundreds — and even thousands — of endpoints far faster, more accurately, and more thoroughly than any team of human analysts.

Some vendors even offer hybrid approaches where human and AI analysts work together to perform compromise assessments.

COMPROMISE ASSESSMENTS VS. RED TEAM ASSESSMENTS

There are three major differences between red team assessments and compromise assessments — goals, approaches, and money.

Red team assessments are designed to test the efficiency and efficacy of your organization’s detection and response capabilities and approach your system from a hacker’s perspective.

Compromise assessments (CA) are designed to systematically scan your entire system and identify any vulnerabilities, potential risks, abnormal user behavior, or indicators of past compromises.

Though a red team’s approach may be scripted, it is typically not automated and is human-driven. Red teams have been known to perform man-in-the-middle attacks with parked cars in parking lots, drop USB drives outside the office, socially engineer phishing attack campaigns, or even physically infiltrate a company to hack directly into the local intranet.

Once initial access is gained, red teams typically attempt to evade detection, linger in the customer’s environment as long as possible, and exfiltrate as much sensitive data as possible.

Red Team assessments, however, cannot tell you if other attackers are already inside unless they happen to travel some of the same routes. It is possible that red teams could exploit the same vulnerabilities in your system that cybercriminals did, and it is possible they could notice; however, this isn’t their main function. Red teams can only inform you of what they themselves have done to your system.

Additionally, many organizations have not yet adequately invested in cybersecurity beyond firewall or antivirus solutions, or they could simply lack the time and resources necessary to implement detection and response capabilities, which would negate the need for a red team assessment. Contrarily, identifying potential vulnerabilities and indicators of past compromise is always relevant when assessing a digital environment regardless of its maturity.

Last but certainly not least, red team assessments can be quite expensive — especially if the team is experienced. An effective and experienced red team knows their way around security and should give you a very accurate assessment of your detection and response capabilities.

However, they’re not cheap and typically take a lot of time.

Conversely, compromise assessments take significantly less time to complete than red teams, are significantly cheaper, and offer more actionable reports.

While budgeting and resource constraints are key factors when deciding what kind of assessment is best for your organization’s current needs, the most important factor should be the goal of each assessment, as red teams and compromise assessments have different use cases.

In short, red teams inform you if you’re capable of being breached today and how badly; compromise assessments inform you if you’ve ever been breached before and where you’ll be vulnerable to attack tomorrow.

The Benefits of Compromise Assessments

  • Speed — unlike other assessments, CAs can typically be completed in one day
  • Reduced Risk — locate and triage vulnerabilities
  • Establish Complete Security Baseline — know the current state of your defenses
  • Expedite Merger & Acquisitions — quickly identify threats early on
  • Detect Unusual User Behavior — detect insider or advanced threats
  • Decreased Dwell Time — detect highly evasive advanced threats
  • Reduce and Control Breach Impact — early detection means reducing and controlling the breach impact as well as more time to prepare your messaging
  • Expedite Incident Response Investigations — IR investigations can leverage CA reports to allow victims to begin their eradication and remediation process earlier

WHY COMPROMISE ASSESSMENTS ARE IMPORTANT

Technology typically used for digital forensic incident response (DFIR) investigations is now used proactively to determine not only if your system has been compromised but also for how long, how it was done, and how to both actionably eradicate the threat and remediate your system.

Pentesting and vulnerability assessments are primarily focused on locating and triaging vulnerabilities, such as misconfigurations or unpatched services.

While closing these holes is crucial and can prevent future attacks, neither of these services can tell you if cybercriminals have already set up a command and control server with multiple access points after they abused those vulnerabilities.

Red teams can expose unrevealed problems in your detection and response protocols. However, while red team exercises are extremely useful (especially at giving blue teams experience with their own defense controls), red team assessments may not deliver the most actionable remediation reports. All the “damage” done by a red team could have been done by exploiting only a few vulnerabilities — or even just one. Other vulnerabilities could have been left unexplored and remain unknown.

Most likely, the path used by the red team poses the greater threat to your organization; however, a compromise assessment would specialize in detecting, verifying, and locating all potential risks and vulnerabilities.

Many organizations perform the bare minimum of what is required to meet compliance regulations, offloading the remaining risk to a cyber insurance policy investment. Most organizations do not have the time or resources to build and maintain a security operations center (SOC) from the ground up that is capable of effectively detecting and responding to modern threats, and that’s if they can afford the salary costs of the personnel capable of operating the necessary cyber controls.

Incorporating a routine compromise assessment (CA) into your risk mitigation strategy ensures your organization has, at the very least, an actionable road map to eradicating vulnerabilities in your system and confidently determining zero threats have breached your defenses.

If you’re interested in learning more about compromise assessments and CyCraft’s approach to a healthier and more secure network, engage with us directly at engage@cycraft.com

Everything Starts From Security

CyCraft Customers can prevent cyber intrusions from escalating into business-altering incidents. From endpoint to network, from investigation to blocking, from in-house to cloud, CyCraft AIR covers all aspects required to provide small, medium, and large organizations with the proactive, intelligent, and adaptable security solutions needed to defend from all manner of both existing and emerging security threats with real-time protection and visibility across the organization.


CyCraft secures government agencies, police and defense organizations, Fortune Global 500 firms, top banks and financial institutions, critical infrastructure, airlines, telecommunications, hi-tech firms, SMEs, and more by being Fast / Accurate / Simple / Thorough.

CyCraft powers SOCs using innovative AI-driven technology to automate information security protection with built-in advanced managed detection and response (MDR), global cyber threat intelligence (CTI), smart threat intelligence gateway (TIG) and network detection and response (NDR), security operations center (SOC) operations software, auto-generated incident response (IR) reports, enterprise-wide Health Check (Compromise Assessment, CA), and Secure From Home services. Everything Starts From Security.

Meet your cyber defense needs in the 2020s by engaging with CyCraft at engage@cycraft.com

Additional Resources

  • Learn more about cybersecurity in our CyCraft Classroom Series. Our latest article, “What is Managed Detection and Response (MDR)?” teaches the benefits of MDR, its unique selling points, and how to make better-informed decisions when choosing an MDR service or vendor.
  • Out of the 47 Representative AI Startups listed in Gartner’s AI Market Guide, 7 are based in Taiwan, and 5 are based in Hong Kong. But only 1 of the 47 Representative AI Startups focused on cybersecurity products and services — CyCraft.
  • Read our latest white paper to learn what threat actors target Taiwan, their motivations & how Taiwan organizations retain resilience against some of the most sophisticated and aggressive cyber attacks in the world.
  • Is your SOC prepared for the next decade of cyber attacks? Read our latest report on building effective SOCs in the 2020s, the challenges to overcome, and the stressors to avoid — including research from Gartner, Inc. on why Midsize enterprises are embracing MDR providers.
  • New to the MITRE Engenuity ATT&CK Evaluations? START HERE for a fast, accurate, simple, thorough introductory guide to understanding the results.
  • Our CyCraft AIR security platform achieved a 96.15% Signal-to-Noise Ratio with zero configuration changes and zero delayed detections straight out of the box.
