There are numerous variants of cyber attacks with very different attack scenarios. A ransomware attack (encryption Trojan), for example, is practically impossible to miss, whereas other scenarios have the exact opposite aim of remaining undiscovered. Given this variety, traditional defense mechanisms such as antivirus solutions, endpoint detection and response (EDR) tools, intrusion detection and intrusion prevention systems and firewalls often detect incidents too late or not at all. This is where cyber compromise assessment comes into play.
What is a Compromise Assessment?
A compromise assessment aims to collect and evaluate evidence of past or ongoing cyber incidents on the basis of certain digital traces (for example, forensic artifacts). Based on these traces and indications (Indicators of Compromise / IOCs), the systems or IT landscapes in focus are searched and evaluated. The traces include, for example, malware (or parts thereof), IP addresses, network connections, processes, log files and much more.
Compromise assessment therefore uses forensic methods and tools to search specifically for traces of cyber attacks and to identify compromised IT systems. The anomalies identified are consolidated across all systems and evaluated on the basis of good-practice experience. Ongoing attacks and data leaks can thus be identified and shut down.
For technical implementation, an agent is usually rolled out on the systems to be checked and its findings are reported back to a central system. The reports compiled there are evaluated by analysts and corresponding recommendations are sent to the customer.
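The following is an added illustration, not KPMG's scanner or agent code: constructed host artifacts of the kinds listed above (processes, network connections, log lines) are matched against a placeholder IOC set, and the hits are consolidated across hosts the way a central control server would, so that an indicator seen on several systems stands out. All host names, hashes, IP addresses and indicator values are constructed for the example.

```python
# Constructed IOC set for the example; every value here is a placeholder.
IOCS = {
    "ip": {"203.0.113.7"},                      # TEST-NET-3 documentation address
    "process": {"svc_updater_x.exe"},           # constructed process name
    "sha256": {"ab" * 32},                      # constructed placeholder hash
    "log": ["logon type 10 from 203.0.113.7"],  # constructed log substring
}

# Constructed artifacts as an agent might report them back to the control server.
HOST_ARTIFACTS = {
    "ws-001": {
        "processes": [{"name": "explorer.exe", "sha256": "cd" * 32},
                      {"name": "svc_updater_x.exe", "sha256": "ab" * 32}],
        "connections": ["10.0.0.5:445", "203.0.113.7:443"],
        "logs": ["user alice logon type 2", "user bob logon type 10 from 203.0.113.7"],
    },
    "srv-db-01": {
        "processes": [{"name": "sqlservr.exe", "sha256": "ef" * 32}],
        "connections": ["10.0.0.9:1433"],
        "logs": ["backup completed"],
    },
    "ws-002": {
        "processes": [{"name": "svc_updater_x.exe", "sha256": "ab" * 32}],
        "connections": ["10.0.0.5:445"],
        "logs": [],
    },
}

def assess_host(host, art, iocs=IOCS):
    """Return sorted (indicator_type, value) anomalies found in one host's artifacts."""
    hits = set()
    for p in art["processes"]:
        if p["name"].lower() in iocs["process"]:
            hits.add(("process", p["name"]))
        if p["sha256"].lower() in iocs["sha256"]:
            hits.add(("sha256", p["sha256"]))
    for conn in art["connections"]:
        ip = conn.rsplit(":", 1)[0]  # strip the port, compare the address only
        if ip in iocs["ip"]:
            hits.add(("ip", ip))
    for line in art["logs"]:
        for pat in iocs["log"]:
            if pat in line.lower():
                hits.add(("log", pat))
    return sorted(hits)

def consolidate(hosts, iocs=IOCS):
    """Map each matched indicator to the list of hosts it was seen on."""
    seen = {}
    for host, art in hosts.items():
        for hit in assess_host(host, art, iocs):
            seen.setdefault(hit, []).append(host)
    return seen
```

The consolidated view is what an analyst would triage: an indicator present on several hosts (here the constructed process name) points to lateral spread rather than a single anomaly.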
Michael Sauermann
Partner, Audit, Regulatory Advisory, Forensic
KPMG AG Wirtschaftsprüfungsgesellschaft
More than classic antivirus protection
A compromise assessment using a scanner for advanced persistent threats (APTs) differs from traditional antivirus or EDR solutions in that forensic artifacts are also included in the investigation. This makes the detection of possible attacks - including those that have taken place in the past - more far-reaching and well-founded, thus going beyond the possibilities of classic solutions.
Compromise assessment process
Compromise assessments can generally be carried out with little effort and require only a few technical and organizational preparations.
• We work with you to plan the scope of the assessment, including the number of systems, depth of evaluation, etc.
• We support you with the installation of two systems in your IT infrastructure that serve as control servers.
• We work with you to define the timing of the scans, the scan parameters and the exceptions in existing security software.
• We support you with the roll-out of the software agents on the systems.
• In the event of communication problems between software and control servers, we support you in resolving them.
• The execution of the scans on the end devices takes place according to a previously defined plan (usually up to 30 days).
• If necessary, we adjust scan parameters (RAM/CPU/forensic artifacts).
• We analyze the scan results for anomalies (up to 90 days).
• You have the option of following up anomalies yourself.
• In the event of any uncertainties, we coordinate any anomalies with you.
• You receive continuous reporting in the management server.
• The progress of the scans and evaluations is displayed continuously.
• If desired, your administrators can report anomalies to us via an integrated ticket system.
• You have read access to an evaluation of compliance requirements.
• Finally, we provide you with a summary of all identified anomalies and vulnerabilities.
• You receive optional recommendations for improving your maturity level.
If you would like further information or advice on the Cyber Compromise Assessment, please contact us.
Our experts look forward to hearing from you.