A Compromise Assessment (CA) is a comprehensive, automated, evidence-based analysis and evaluation of an organization’s entire digital environment and cybersecurity posture and is designed to identify all ongoing and past incidents of unauthorized access, malicious activity, and indicators of compromise.
In short, a compromise assessment answers the questions that keep IT/SOC teams up at night. How are we vulnerable? Have we ever been compromised? How badly?
A compromise assessment is just one of the many cybersecurity assessments that can be performed by IT/SOC teams. While traditionally reserved as one of the later assessments to be implemented, advances in machine learning and automation have made compromise assessments faster, more accurate, more thorough, and more affordable, while also adding functionality and features.
However, this also means that compromise assessments can often be confused with other assessment services.
Vulnerability assessments (VA) are designed to locate all possible vulnerabilities along a system’s attack surface that could be exploited for initial access. Compromise assessments (CA) are designed to systematically scan your entire system and identify any vulnerabilities, potential risks, abnormal user behavior, as well as any indicators of past compromises.
With advances in machine learning, more and more vulnerability and compromise assessments are automated and completed within minutes or hours (depending on the size and architecture of the given network).
Automated vulnerability assessments (sometimes called vulnerability scans) are capable of scanning a system for thousands of known vulnerabilities. Typically, the automated process will include cataloging all of your assets and triaging the detected vulnerabilities by projected impact severity; however, the number of false positives produced will vary from vendor to vendor, and human analysts (be they yours, the VA vendor, or another 3rd party) will still need to verify vulnerabilities detected during the assessment.
However, automated vulnerability assessments are really only as good as the vendor’s database. You can only trust that the vendor’s database is up-to-date and covers all active and emerging threats targeting your industry. If their database is not up-to-date, the cybersecurity assessment you invested in will have little to no impact or return.
Compromise assessments go beyond the scope of vulnerability assessments as more and more include analyses of user behavior in search of abnormalities, such as a remote user connecting from different countries in the span of a few minutes or outbound traffic being directed to a known malicious C2 server. Compromise assessments also look for indicators of compromise (IoCs) and any remaining artifacts for previous compromises.
While penetration tests (or pentests) are also designed to locate all possible vulnerabilities along a system’s attack surface that could be exploited for initial access, these tests are typically not automated and require the pentesting team to go a step beyond mere vulnerability detection.
Pentest teams also attempt to prove if the detected vulnerabilities would lead to a compromise. This is an extremely detailed process and takes more time than a vulnerability scan.
In addition, as pentests are typically not automated, there are zero false positives that need to be verified (or fewer, depending on what tools the pentest team uses and how loosely you define a “false positive”).
Due to advances in machine learning technology, compromise assessments today typically not only perform the signature-based detections included in vulnerability assessments but also have become capable of accurately analyzing user behavior to hunt for abnormalities and potentially malicious activity.
Compromise assessments are now capable of scanning environments with hundreds — and even thousands — of endpoints far faster, more accurately, and more thoroughly than any team of human analysts.
Some vendors even offer hybrid approaches where human and AI analysts work together to perform compromise assessments.
There are three major differences between red team assessments and compromise assessments — goals, approaches, and money.
Red team assessments are designed to test the efficiency and efficacy of your organization’s detection and response capabilities and approach your system from a hacker’s perspective.
Compromise assessments (CA) are designed to systematically scan your entire system and identify any vulnerabilities, potential risks, abnormal user behavior, or indicators of past compromises.
Though a red team’s approach may be scripted, it is typically not automated and is human-driven. Red teams have been known to perform man-in-the-middle attacks with parked cars in parking lots, drop USB drives outside the office, socially engineer phishing attack campaigns, or even physically infiltrate a company to hack directly into the local intranet.
Once initial access is gained, red teams typically attempt to evade detection, linger in the customer’s environment as long as possible, and exfiltrate as much sensitive data as possible.
Red Team assessments, however, cannot tell you if other attackers are already inside unless they happen to travel some of the same routes. It is possible that red teams could exploit the same vulnerabilities in your system that cybercriminals did, and it is possible they could notice; however, this isn’t their main function. Red teams can only inform you of what they themselves have done to your system.
Additionally, many organizations have not yet adequately invested in cybersecurity beyond firewall or antivirus solutions, or they could simply lack the time and resources necessary to implement detection and response capabilities, which would negate the need for a red team assessment. Contrarily, identifying potential vulnerabilities and indicators of past compromise is always relevant when assessing a digital environment regardless of its maturity.
Last but certainly not least, red team assessments can be quite expensive, especially if the team is experienced. An effective and experienced red team knows their way around security and should give you a very accurate assessment of your detection and response capabilities.
However, they’re not cheap and typically take a lot of time.
Conversely, compromise assessments take significantly less time to complete than red teams, are significantly cheaper, and offer more actionable reports.
While budgeting and resource constraints are key factors when deciding what kind of assessment is best for your organization’s current needs, the most important factor should be the goal of each assessment, since red teams and compromise assessments have different use cases.
In short, red teams inform you if you’re capable of being breached today and how badly; compromise assessments inform you if you’ve ever been breached before and where you’ll be vulnerable to attack tomorrow.
Technology typically used for digital forensic incident response (DFIR) investigations is now used proactively to determine not only if your system has been compromised but also for how long, how it was done, and how to both actionably eradicate the threat and remediate your system.
Pentesting and vulnerability assessments are primarily focused on locating and triaging vulnerabilities, such as misconfigurations or unpatched services.
While closing these holes is crucial and can prevent future attacks, neither of these services can tell you if cybercriminals have already set up a command and control server with multiple access points after they abused those vulnerabilities.
Red teams can expose unrevealed problems in your detection and response protocols. However, while red team exercises are extremely useful (especially at giving blue teams experience with their own defense controls), red team assessments may not deliver the most actionable remediation reports. All the “damage” done by a red team could have been done by exploiting only a few vulnerabilities — or even just one. Other vulnerabilities could have been left unexplored and remain unknown.
Most likely, the path used by the red team poses the greater threat to your organization; however, a compromise assessment would specialize in detecting, verifying, and locating all potential risks and vulnerabilities.
Many organizations perform the bare minimum of what is required to meet compliance regulations, offloading the remaining risk to a cyber insurance policy investment. Most organizations do not have the time or resources to build and maintain a security operations center (SOC) from the ground up that is capable of effectively detecting and responding to modern threats, and that’s if they can afford the salary costs of the personnel capable of operating the necessary cyber controls.
Incorporating a routine compromise assessment (CA) into your risk mitigation strategy ensures your organization has, at the very least, an actionable road map for eradicating vulnerabilities in your system and for confidently determining that no threats have breached your defenses.
If you’re interested in learning more about compromise assessments and CyCraft’s approach to a healthier and more secure network, engage with us directly at contact-sea@cycraft.com
Writer: CyCraft
CyCraft is a cybersecurity company founded in 2017, focusing on autonomous AI technology. Headquartered in Taiwan, it has subsidiaries in Japan and Singapore. CyCraft provides professional cybersecurity services to government agencies, police and defense forces, banks, and high-tech manufacturers throughout the Asia-Pacific region. It has received strong backing from the CID Group and Pavilion Capital, a Temasek Holdings Private Limited subsidiary.