A Tale Story of Compromise Assessment — Part 1

Digit Oktavianto
MII Cyber Security Consulting Services
Mar 21, 2023

Recently, a major cyber security incident occurred in many institutions in Indonesia, resulting in the loss of customer data and financial losses. This incident highlights the need for organizations to conduct regular compromise assessments and to ensure that their systems are secure and up-to-date with the latest security best practices. By conducting regular assessments, organizations can ensure that they are prepared to respond quickly and effectively to any potential security incidents and can help to mitigate the risk of future incidents.

Image credit: Mandiant YouTube channel, https://www.youtube.com/watch?v=JVD9SdszzxI

Compromise assessments in cyber security are essential for organizations to be able to effectively protect their systems from malicious actors. A compromise assessment can be seen as part of the evaluation of an organization’s security posture that is conducted to detect and respond to security incidents. It is the process of discovering, analyzing, and addressing potential security threats or vulnerabilities that may already have been exploited. Security professionals who review the evidence in the organization can determine how the incident occurred, its impact on the organization, and what steps need to be taken to remediate the situation.

This includes identifying and mitigating any technical, physical, and administrative controls that have been weakened or breached. The assessment can also be used to determine the effectiveness of an organization’s security policies and procedures.

Image credit: https://cybotsai.com/what-is-compromise-assessment/

Compromise assessments can be conducted both internally and externally. An external assessment is conducted by an outside third party, such as a security consultant or security firm. This type of assessment can provide a more comprehensive view of the organization’s security posture and can be used to ensure that the organization is following security best practices. Internal assessments are conducted by the organization’s own security team and can be used to identify any potential weak points or gaps in the security posture.

The goal of a compromise assessment is to identify any potential areas of vulnerability and to provide recommendations for improving the organization’s security posture. This includes identifying any potential weaknesses in the infrastructure, applications, and processes that can be exploited by malicious actors.

In addition, a compromise assessment should be conducted on a regular basis to ensure that the organization’s security posture is up to date and that any new threats or vulnerabilities are addressed in a timely manner.

Understanding the Problem

Why don’t we just do forensics or incident response? There are several reasons why an organization performs a compromise assessment instead:

  1. Scope: The organization does not know exactly which machines are compromised, or at least which machines are involved.
  2. Time-Sensitive Nature: Compromise assessments are typically conducted when there is suspicion of a security breach, and there is a need to quickly determine whether the system has been compromised. In contrast, digital forensics is a time-consuming process that is conducted after an incident has occurred, and the goal is to determine what happened and how to prevent it from happening again.
  3. Condition: Digital forensic investigations are typically conducted after a compromise has been identified, whereas compromise assessments are designed to proactively identify potential breaches. Therefore, a compromise assessment can help identify vulnerabilities and potential attacks before they happen.
  4. Cost: Digital forensic investigations can be expensive, and may require specialized expertise and tools. In contrast, a compromise assessment can be less expensive and can be conducted using readily available security tools and techniques.
  5. Detection: A compromise assessment can help an organization detect an ongoing attack or compromise, while digital forensic analysis is generally used after an incident has already occurred.
  6. Response: A compromise assessment can provide an organization with actionable recommendations for responding to a compromise, while digital forensic analysis is generally used to gather evidence after an incident has occurred.
  7. Resource requirements: Digital forensics can require a significant investment of time, money, and expertise to conduct properly. A compromise assessment, on the other hand, can be performed more quickly and with fewer resources. This makes it a more feasible option for organizations with limited resources or those that are not prepared to commit to a full-scale digital forensics investigation.

Image credit: https://www.dts-solution.com/introspection-looking-from-within-with-compromise-assessment/

Step by Step of Compromise Assessment

Here are the general steps involved in a compromise assessment:

  1. Preparation and Planning: The first step in a compromise assessment is to gather relevant information about the organization’s IT environment, including its systems, applications, and data. This may involve conducting interviews with key stakeholders, reviewing security policies and procedures, and examining network diagrams and other documentation.
  2. Scoping: Once the necessary information has been gathered, the scope of the compromise assessment should be defined. This may include identifying critical assets and determining the types of threats and vulnerabilities that the organization is most concerned about.
  3. Collection and Analysis of Data: The next step is to collect and analyze data from a variety of sources, including log files, network traffic, system configurations, alerts from SIEM, or other telemetry. This data can help identify potential security breaches, such as unauthorized access, malware infections, or suspicious network activity. The collected data is then analyzed to identify any anomalies, suspicious activity, or signs of compromise. This may involve using various tools and techniques, such as intrusion detection systems, log analysis, and threat intelligence feeds.
  4. Reporting: The results of the compromise assessment should be documented in a comprehensive report that outlines the findings, recommendations, and next steps for improving the organization’s security posture. This report should be presented to key stakeholders, including senior management and IT staff, and should provide actionable insights for addressing the identified threats and vulnerabilities.
  5. Remediation: Once the compromise assessment is complete, the organization should begin implementing the recommended remediation measures to address the identified threats and vulnerabilities. This may involve patching systems, updating security policies, or deploying new security solutions.
  6. Follow-up: Finally, the compromise assessment team should conduct follow-up assessments to ensure that the remediation measures have been effective and that the organization’s security posture has been improved. This may involve conducting additional assessments, monitoring network traffic, and performing regular vulnerability scans.
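To make steps 3 and 4 concrete, here is a small triage script written for this page as an added example; it is not code from the article or from MII Cyber Security Consulting Services. It parses a handful of constructed syslog-style sshd and useradd lines (the log format, the source addresses, the five-failures-in-five-minutes threshold and the one-hour correlation window are all assumptions), applies three simple indicators of compromise, and returns findings in a form that can be copied straight into the assessment report.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (assumed syslog/sshd/useradd format; not taken from any real host).
SAMPLE_LOG = """\
Mar 21 02:14:01 srv01 sshd[4121]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar 21 02:14:03 srv01 sshd[4121]: Failed password for invalid user admin from 203.0.113.45 port 51023 ssh2
Mar 21 02:14:05 srv01 sshd[4121]: Failed password for root from 203.0.113.45 port 51024 ssh2
Mar 21 02:14:07 srv01 sshd[4121]: Failed password for root from 203.0.113.45 port 51025 ssh2
Mar 21 02:14:09 srv01 sshd[4121]: Failed password for root from 203.0.113.45 port 51026 ssh2
Mar 21 02:14:12 srv01 sshd[4130]: Accepted password for root from 203.0.113.45 port 51030 ssh2
Mar 21 02:15:40 srv01 useradd[4200]: new user: name=svc_backup, UID=1003, GID=1003, home=/home/svc_backup, shell=/bin/bash
Mar 21 09:02:11 srv01 sshd[5001]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Mar 21 09:30:15 srv01 sshd[5010]: Failed password for bob from 198.51.100.9 port 40100 ssh2
Mar 21 09:30:25 srv01 sshd[5011]: Accepted password for bob from 198.51.100.9 port 40101 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"(?P<proc>[\w-]+)\[\d+\]:\s+(?P<msg>.*)$"
)
AUTH_RE = re.compile(
    r"^(?P<result>Accepted|Failed)\s+\S+\s+for\s+(?:invalid user\s+)?(?P<user>\S+)\s+from\s+(?P<src>\S+)"
)
USERADD_RE = re.compile(r"^new user: name=(?P<user>[^,]+)")

FAIL_THRESHOLD = 5                  # assumed: failures from one source inside the window
FAIL_WINDOW = timedelta(minutes=5)  # assumed sliding window for the brute-force indicator
PERSIST_WINDOW = timedelta(hours=1) # assumed: account creation this soon after a suspicious login
YEAR = 2023                         # syslog lines carry no year; assumed for the sample


@dataclass
class Finding:
    indicator: str   # short name of the indicator that fired
    subject: str     # source address, user@source, or account name
    when: datetime   # timestamp of the triggering event
    evidence: str    # the raw log line, so the report can cite it


def parse_events(text):
    """Turn raw lines into dicts with ts/host/proc/kind/user/src; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real tool should also count skipped lines as a data-quality finding
        ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        ev = {"ts": ts, "host": m["host"], "proc": m["proc"], "raw": line,
              "kind": "other", "user": None, "src": None}
        auth = AUTH_RE.match(m["msg"])
        added = USERADD_RE.match(m["msg"])
        if m["proc"] == "sshd" and auth:
            ev.update(kind="auth_ok" if auth["result"] == "Accepted" else "auth_fail",
                      user=auth["user"], src=auth["src"])
        elif m["proc"] == "useradd" and added:
            ev.update(kind="useradd", user=added["user"])
        events.append(ev)
    return events


def find_indicators(events):
    """Correlate events in time order and return a list of Finding objects."""
    findings = []
    fails_by_src = defaultdict(list)   # src -> timestamps of recent failures
    suspicious_src = set()             # sources that crossed the brute-force threshold
    last_suspicious_login = None       # time of the latest success from a suspicious source
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] == "auth_fail":
            recent = [t for t in fails_by_src[ev["src"]] if ev["ts"] - t <= FAIL_WINDOW]
            recent.append(ev["ts"])
            fails_by_src[ev["src"]] = recent
            if len(recent) == FAIL_THRESHOLD:  # fire once, when the threshold is first crossed
                suspicious_src.add(ev["src"])
                findings.append(Finding("brute_force", ev["src"], ev["ts"], ev["raw"]))
        elif ev["kind"] == "auth_ok" and ev["src"] in suspicious_src:
            last_suspicious_login = ev["ts"]
            findings.append(Finding("success_after_bruteforce",
                                    f"{ev['user']}@{ev['src']}", ev["ts"], ev["raw"]))
        elif (ev["kind"] == "useradd" and last_suspicious_login is not None
              and ev["ts"] - last_suspicious_login <= PERSIST_WINDOW):
            findings.append(Finding("persistence_new_user", ev["user"], ev["ts"], ev["raw"]))
    return findings


def report_lines(findings):
    """Render findings as plain text lines for the assessment report."""
    return [f"[{f.when:%Y-%m-%d %H:%M:%S}] {f.indicator}: {f.subject} | {f.evidence}"
            for f in findings]


if __name__ == "__main__":
    for line in report_lines(find_indicators(parse_events(SAMPLE_LOG))):
        print(line)
```

The three indicators are deliberately chained: the brute-force burst on its own is noise on most internet-facing hosts, the success from the same source turns it into a probable account compromise, and the new account created minutes later is the persistence step that justifies pulling that host into full incident response. A real assessment would feed the same correlation logic from the SIEM or EDR telemetry mentioned in step 3 rather than a pasted log excerpt.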

That’s all for now. In the next episode, I will post about the skill set of the personnel who conduct the compromise assessment, the approach and methodology of compromise assessment, the tools and tradecraft for the compromise assessment activity, and also the hunt methodology for conducting the compromise assessment.

Thank you! Long Live Cyber Defender! Cheers

DFIR Enthusiast ; Threat Intelligence Enthusiast ; Born to be a Blue Team ; {GEIR, GCIH, GMON, GCTI, GICSP, GCFE, eCMAP; eCTHPv2; CEH, CSA, CTIA, ECIH, CHFI}