A Compromise Assessment is an efficient method of determining if there is malicious activity within your environment and can identify security weaknesses before they are exploited by an adversary.
Melanie Ninovic
Too often, the ParaFlare Digital Forensics and Incident Response (DFIR) team sees organisations alerted to a security incident right as it is happening. A ransom notification or demand comes up on their screens, a suspicious program is discovered in a user’s downloads, or an unknown user is making changes to system data.
Is it time to consider a compromise assessment?
A Compromise Assessment is a point in time analysis of a cyber environment to determine whether an organisation has been breached. This includes discovering ongoing breaches, and identifying whether a security incident has occurred in the past, undetected.
It establishes a complete security baseline of your organisation, in a fast and efficient way. ParaFlare uses its collection of historical indicators of compromise, threat intelligence, and other data points, to identify abnormal behaviours and activities.
Whether your organisation is targeted by a hacktivist, crime group, or a sophisticated nation-state, some activity will go unnoticed for a period. Some adversaries will only show themselves at the very end of their campaign, once their mission has been achieved. This assessment aims to draw them out while the incident is still ongoing, and to prevent further damage or repercussions.
How does it work?
If an active security incident is detected, ParaFlare will transition the engagement to an Incident Response. This will determine the impacts of the activity, how long the threat has been within your environment, and who the adversary may be.
Here is a breakdown of how we conduct this assessment:
| Scope and Context | Know the context of your environment by the users, tools, processes, and architecture that is being used. Discuss the scope of the assessment and learn about your perceived risks. |
| Tool Deployment | Deploy an Endpoint Detection and Response (EDR) tool across the environment. |
| Data Sweep and Collection | Sweep the environment for host and network-based Indicators of Compromise. Collect forensic data regarding processes, configurations, and services. |
| Analysis | Identify any current or historical breaches. Discover areas of improvement regarding security controls, policies, and overall posture. |
| Report | Share the findings of the assessment with the client and recommend ways to improve their security posture. |
While conducting a Compromise Assessment, ParaFlare will:
- assist in the remediation of any identified current or historical breaches
- identify any security risks or hygiene issues misconfigurations, vulnerabilities, design or network architecture choices, and policies around access or improper use
- provide recommendations on how to strengthen the security posture of your environment – such as how to effectively respond to security issues in the future, and implementing the right patches or security updates, security controls, and security training and awareness programs.
Summary
ParaFlare will work with your team to remediate any threats, but also to highlight opportunities to strength your security programs and controls.
There are circumstances where you may need to consider a Compromise Assessment over other proactive cyber services, such as:
- an external notification has been provided by a law enforcement agency, government department, or third-party indicating suspicious activity emanating from your organisation
- as part of an audit or security policy that stipulates an assessment must be conducted to be compliant, ParaFlare is able to assess whether your organisation’s processes and procedures have been appropriately implemented.
Our team can talk you through the benefits of a Compromise Assessment, and how it can be tailored to suit your organisation.