Suspect you've been breached? A Remote Compromise Assessment will give you a definitive answer instead of a lingering fear.
Let's begin with an old maxim: "You must inspect what you expect."
What does this mean? And why am I quoting it?
This old saying tells us that if you are expecting a certain outcome, you need to confirm that the desired outcome actually occurred.
If your company has invested in a layered cybersecurity strategy, so that every aspect of your defence is backed up by another should something go wrong, how do you confirm that the strategy is actually working, rather than simply fearing that it is not?
The traditional attack surface is evolving so fast that many companies struggle to determine where they are most vulnerable, let alone put effective controls in place to keep business-critical information and systems secure.
How can companies defend their organisations from attackers if they don’t know how their internal network works?
In this article I am going to highlight an area that most CISOs, IT managers and information security professionals struggle with: visibility of what users and accounts are actually doing on the network, and management of the weaknesses that visibility gap creates.
Why is this an issue?
If a company does not have a dedicated cybersecurity resource, responsibility may fall to the IT team to defend the business from attack.
According to RSM, 20% of companies believe it is the IT manager who holds overall responsibility for cybersecurity within the organisation.
Although the IT team is often interested in cybersecurity, in many cases it has little experience in implementing a robust cybersecurity strategy. As a result, IT managers can struggle to identify when their network has been compromised, particularly when adversaries use legitimate privileged accounts so that their lateral movement looks like routine administration.
What can IT Teams do to gain a deeper knowledge of their internal network?
- Regular remote Compromise Assessments provide IT teams with a technical review of their network that identifies previously undetected vulnerabilities and signs of intrusion.
- A remote Compromise Assessment is essentially a cyber audit of a network; however, it goes much deeper than an audit based on a questionnaire.
- A Compromise Assessment is a forensic analysis of the entire infrastructure that determines whether a breach has taken place, enabling IT teams to fully understand their network and the anomalies that may make it vulnerable.
If a breach has been identified, we believe there is a logical process to follow:
- Step 1. Conduct a remote Compromise Assessment to establish what has been compromised, how, and since when.
- Step 2. Use the findings of the Compromise Assessment to configure other cyber solutions, such as the SIEM, so that the same activity is detected next time.
- Step 3. Conduct a Vulnerability Assessment to identify patches that need to be installed and misconfigurations that pose a threat.
- Step 4. Have a penetration test executed on your network to ensure all doors have been shut. (Part of this step should be learning the techniques the pen-testers use, to educate yourself on how an attacker approaches your network.)
We explain this in more detail in another of our articles – "Remote Compromise Assessment – Step 1 of a logical Cyber Strategy".
To help, we offer three practical indicators that may show a breach has already occurred.
Three Indicators of Compromise (IOCs) that might indicate an attack has taken place:
- Unauthorised clearing of Windows event log data. Windows Event Logs record what happens on a machine, including logon attempts and account changes, and are often the determining factor in reconstructing an attack after the fact. An attacker who has gained entry to (and left) your network will commonly clear event logs to conceal their activity. Note that clearing a log is itself logged: Security event 1102 (the audit log was cleared) and System event 104 (another log was cleared) are written at the moment of the clear, so an unexplained clear event is a strong indicator even when the surrounding evidence is gone. Forwarding logs to a central collector stops a local clear from destroying the record altogether.
- Direct communications with external IP addresses/networks. IT teams should be on constant lookout for devices that communicate directly with unknown external IP addresses.
(This can coincide with periods of reduced internet speed, as large amounts of data may be being exfiltrated from the network to the external address.)
- Recently created fictitious user accounts. If an attacker gains entry to a network and compromises an existing account that has high privileges, they will use those privileges to create additional user accounts, which lets them hide their actions among accounts nobody recognises.
(By owning these accounts they need not fear that the original owner will change the password.) On Windows, account creation is recorded as Security event 4720, and adding an account to a privileged group as event 4728 (global group) or 4732 (local group), so these events should be reviewed alongside any unexpected new names.
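The three indicators above can be triaged quickly on a single Windows host. The following PowerShell is an added example written for this article, not GuardYoo's assessment tooling. It assumes an elevated PowerShell 5.1 or later session on Windows 8/Server 2012 or newer (for Get-NetTCPConnection), an audit policy that records account management, and a seven-day look-back window that is an arbitrary choice here; the function name Get-EventField is ours, not a built-in cmdlet.

```powershell
# Added example (not GuardYoo's tooling): quick triage of the three IOCs on one host.
# Assumptions: elevated session, account-management auditing enabled, 7-day window.
$Since = (Get-Date).AddDays(-7)

# Pull one named field out of an event without relying on positional Properties[] indexes.
# Audit events (4720/4728/4732) carry <EventData><Data Name="...">; log-clear events
# (1102/104) carry <UserData><LogFileCleared><SubjectUserName>, so both shapes are searched.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml  = [xml]$Event.ToXml()
    $node = $xml.SelectSingleNode("//*[local-name()='Data' and @Name='$Name'] | //*[local-name()='$Name']")
    if ($node) { $node.InnerText }
}

# --- IOC 1: event log cleared ---------------------------------------------------
# Security 1102 = audit log cleared; System 104 = any other log cleared.
# These entries are written by the clear itself, so they survive the wipe.
$Cleared  = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $Since } -ErrorAction SilentlyContinue)
$Cleared += @(Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 104;  StartTime = $Since } -ErrorAction SilentlyContinue)
"== Log clears since $Since : $($Cleared.Count)"
$Cleared | Select-Object TimeCreated, LogName, Id,
    @{ n = 'By';      e = { Get-EventField $_ 'SubjectUserName' } },
    @{ n = 'Channel'; e = { Get-EventField $_ 'Channel' } } | Format-Table -AutoSize

# --- IOC 2: established connections to non-private addresses --------------------
# Anything not loopback, RFC 1918, link-local or IPv6 ULA is treated as "external".
$Internal = '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|169\.254\.|::1$|fe80:|f[cd][0-9a-f]{2}:)'
$External = Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notmatch $Internal } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            Process = $proc.ProcessName
            Path    = $proc.Path
            PID     = $_.OwningProcess
        }
    } | Sort-Object Remote, PID -Unique
"== External connections: $(@($External).Count)"
$External | Format-Table -AutoSize

# --- IOC 3: new accounts and privileged group changes ---------------------------
# 4720 = user account created; 4728/4732 = member added to a global/local security group.
# For 4728/4732 the group is in TargetUserName and the added account in MemberName.
$AcctEvents = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4728, 4732; StartTime = $Since } -ErrorAction SilentlyContinue)
"== Account changes since $Since : $($AcctEvents.Count)"
$AcctEvents | ForEach-Object {
    [pscustomobject]@{
        Time   = $_.TimeCreated
        Id     = $_.Id
        Target = $(if ($_.Id -eq 4720) { Get-EventField $_ 'TargetUserName' } else { Get-EventField $_ 'MemberName' })
        Group  = $(if ($_.Id -ne 4720) { Get-EventField $_ 'TargetUserName' })
        By     = Get-EventField $_ 'SubjectUserName'
    }
} | Format-Table -AutoSize
```

Run it on each host (for example via Invoke-Command), not just on one, and treat a clean result with caution: an attacker who cleared the log before the look-back window, or who tunnels through an internal pivot host, will not appear here, which is exactly the gap a full Compromise Assessment is meant to close.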
A remote Compromise Assessment from GuardYoo helps IT teams to "inspect what they expect" regarding their network security. If a breach is identified, the findings act as a roadmap to understanding the how, who and when of the attack, and set out clearly what needs to be done to re-secure the infrastructure.
If you suspect you've been breached and want a definitive answer, please reach out to us via the button below. Our experts will be happy to talk to you about any concerns you may have regarding your cybersecurity posture.
Our team will plan the best course of action to ensure the impact of the incident is minimised.