Cyber attacks come in many variants with very different scenarios. A ransomware attack, for example, is meant to be noticed; the attacker wants the victim to know. Other scenarios have the exact opposite aim of remaining unnoticed for as long as possible. Traditional defence mechanisms such as antivirus solutions, endpoint detection and response (EDR) tools, intrusion detection and intrusion prevention systems and firewalls often detect such incidents late or not at all. This is where a cyber compromise assessment comes into play.
What is a Compromise Assessment?
A compromise assessment aims to collect and evaluate evidence of past or ongoing cyber incidents on the basis of digital traces, for example forensic artefacts. The systems or IT landscapes in scope are searched for such traces and for known indicators of compromise (IOCs), and the hits are evaluated. The traces include, for example, malware (or parts of it), IP addresses, network connections, processes, log files and much more.
A compromise assessment therefore uses forensic methods and tools to search specifically for traces of cyber attacks and to identify compromised IT systems. The anomalies identified are consolidated across all systems, so that an indicator found on several hosts stands out, and are evaluated against good-practice experience. Ongoing attacks and data leaks can thus be identified and stopped.
For the technical implementation, an agent is usually rolled out on the systems to be checked, and its findings are reported back to a central system. The reports compiled there are reviewed by analysts, and appropriate recommendations are sent to the customer.
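The following is an added example, not part of the original page and not the scanner KPMG uses. It shows in miniature what the agent-plus-central-system model described above does: each per-host snapshot of processes and network connections (constructed here, as an agent would report them) is checked against an IOC set (constructed file hash, documentation-range IP addresses, and a command-line pattern for encoded PowerShell), and the findings are then consolidated centrally by indicator so that one indicator appearing on several hosts is visible at a glance. All hostnames, paths, hashes and addresses are invented for the example.

```python
"""Minimal IOC sweep over per-host artefact snapshots, consolidated centrally (example only)."""
import hashlib
import ipaddress
import re
from collections import defaultdict

# --- IOC set: constructed for this example, not a real threat feed -------------------
BAD_HASH = hashlib.sha256(b"constructed malicious payload").hexdigest()
BAD_SHA256 = {BAD_HASH}
BAD_NETS = [ipaddress.ip_network("198.51.100.0/24")]     # TEST-NET-2 documentation range
BAD_IPS = {ipaddress.ip_address("203.0.113.7")}          # TEST-NET-3 documentation range
# Command-line patterns that usually warrant a closer look (label, regex)
SUSPICIOUS_CMD = [
    ("encoded_powershell",
     re.compile(r"powershell(\.exe)?\s.*-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("certutil_download",
     re.compile(r"certutil(\.exe)?\s.*-urlcache\s.*-split", re.I)),
]

# --- Per-host artefact snapshots as an agent would report them (constructed) ----------
SNAPSHOTS = [
    {"host": "ws-001",
     "processes": [
         {"pid": 1204, "image": r"C:\Windows\System32\svchost.exe",
          "sha256": hashlib.sha256(b"benign svchost").hexdigest(), "cmdline": "svchost.exe -k netsvcs"},
         {"pid": 4412, "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
          "sha256": BAD_HASH, "cmdline": "update.exe"},
     ],
     "connections": [{"pid": 4412, "remote": "198.51.100.23", "port": 443}]},
    {"host": "ws-002",
     "processes": [
         {"pid": 980, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "sha256": hashlib.sha256(b"benign powershell").hexdigest(),
          "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
         {"pid": 5120, "image": r"C:\Users\bob\AppData\Local\Temp\update.exe",
          "sha256": BAD_HASH, "cmdline": "update.exe"},
     ],
     "connections": [{"pid": 980, "remote": "203.0.113.7", "port": 8080}]},
    {"host": "srv-010",
     "processes": [{"pid": 77, "image": "/usr/sbin/sshd",
                    "sha256": hashlib.sha256(b"benign sshd").hexdigest(), "cmdline": "/usr/sbin/sshd -D"}],
     "connections": [{"pid": 77, "remote": "10.0.0.5", "port": 22}]},
]


def scan_host(snapshot):
    """Agent side: match one host's artefacts against the IOC set.

    Returns a list of (indicator_type, indicator, evidence) tuples."""
    findings = []
    for p in snapshot["processes"]:
        if p["sha256"] in BAD_SHA256:
            findings.append(("sha256", p["sha256"], f"pid {p['pid']} {p['image']}"))
        for label, pattern in SUSPICIOUS_CMD:
            if pattern.search(p["cmdline"]):
                findings.append(("cmdline", label, f"pid {p['pid']} {p['cmdline']}"))
    for c in snapshot["connections"]:
        ip = ipaddress.ip_address(c["remote"])
        if ip in BAD_IPS or any(ip in net for net in BAD_NETS):
            findings.append(("c2_ip", str(ip), f"pid {c['pid']} -> {ip}:{c['port']}"))
    return findings


def consolidate(snapshots):
    """Central side: group all hosts' findings by indicator.

    Returns {(indicator_type, indicator): {host: [evidence, ...]}} so that an indicator
    present on many hosts (e.g. the same dropped binary) is immediately visible."""
    by_indicator = defaultdict(dict)
    for snap in snapshots:
        for itype, ioc, evidence in scan_host(snap):
            by_indicator[(itype, ioc)].setdefault(snap["host"], []).append(evidence)
    return dict(by_indicator)


def compromised_hosts(snapshots):
    """Sorted list of hosts with at least one finding."""
    hosts = set()
    for hit_hosts in consolidate(snapshots).values():
        hosts.update(hit_hosts)
    return sorted(hosts)


if __name__ == "__main__":
    for (itype, ioc), hosts in consolidate(SNAPSHOTS).items():
        print(f"{itype:8} {ioc[:24]:24} on {len(hosts)} host(s): {', '.join(sorted(hosts))}")
        for host, evidence in hosts.items():
            for e in evidence:
                print(f"    {host}: {e}")
    print("compromised hosts:", compromised_hosts(SNAPSHOTS))
```

In a real assessment the IOC set is far larger (hash, YARA and Sigma-style rules over many artefact types) and the snapshot comes from the agent rather than a literal, but the shape is the same: matching happens on the endpoint, and the value of the central step is the cross-host view, where the same hash on two workstations is a much stronger signal than a single hit.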
More than classic antivirus protection
A compromise assessment using a scanner for traces of advanced persistent threats (APTs) differs from traditional antivirus or EDR solutions in that forensic artefacts such as log files, which retain traces of activity that is no longer running, are also included in the investigation. This makes the detection of possible attacks, including those that took place in the past, more far-reaching and better founded, and thus goes beyond what classic solutions can offer.
Procedure of a Compromise Assessment
Compromise assessments can usually be carried out with little effort and require only a few technical and organisational preparations.
- We work with you to plan the scope of the assessment, including the number of systems, depth of evaluation, etc.
- We support you in installing two systems in your IT infrastructure that serve as control servers.
- We work with you to define the scan times, the scan parameters and the exclusions to be configured in your existing security software so that the scanning agent is not blocked or quarantined.
- We support you in rolling out the software agents to the systems.
- In the event of communication problems between the software and control servers, we help you to resolve them.
- Scans are performed on the end devices according to a predetermined schedule (usually over a period of up to 30 days).
- If necessary, we adjust the scan parameters (RAM/CPU limits, set of forensic artefacts).
- We analyse the scan results for anomalies (over a period of up to 90 days).
- You have the option of following up on anomalies yourself.
- In the event of any uncertainties, we coordinate with you on how to handle the anomalies.
- You receive continuous reporting in the central management server.
- The progress of the scans and analyses is continuously displayed.
- If desired, your administrators can report anomalies to us via an integrated ticket system.
- You have read access to an evaluation of compliance requirements.
- Finally, we provide you with a summary of all identified anomalies and vulnerabilities.
- On request, you receive recommendations for improving your security maturity level.
If you would like further information or advice on the Cyber Compromise Assessment, please contact us.
Our experts look forward to hearing from you.
Your contact
Michael Sauermann
Partner, Audit, Regulatory Advisory, Forensic
KPMG AG Wirtschaftsprüfungsgesellschaft