Why Remote Compromise Assessment is a Service You Need in Your Toolkit
Too often, cyber-crime investigations reveal that digital evidence and attack indicators were available well before the breach was detected. If these previously undetected indicators are identified early, companies can intervene to minimise risk and avoid future breaches.
Ransomware is like getting mugged in the street: they take what you have in your wallet and hopefully disappear. Organised criminals, however, play a much longer game, and some breaches achieve prolonged, unimpeded access for many months before they are discovered.
Sophisticated cyber criminals are in no hurry and will invest in developing systems that can bypass existing cyber security solutions or SOC services in order to steal their targets' data or disrupt services.
Often, when a breach is discovered it is not by an in-house security team, but by external parties such as security providers, customers or even law enforcement.
It is always safest to assume that systems have already been compromised.
Recognising Indicators of Compromise (IoCs)
It is not difficult to recognise typical Indicators of Compromise if you have the right tools to help and you know what you are looking for.
Typical IoCs include:
Windows Log Data being deleted
Changes in time/date in Windows event logs
Outbound data using unusual protocols
Compressed files leaving the network
Suspicious activity on User Accounts
Installation of Potentially Unwanted Programmes (PUPs)
Instances of unexecuted Malware
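As an added illustration, not part of the original article or of GuardYoo's service, the script below flags the first two indicators in that list (event log data being deleted, and time/date changes) in an exported set of Windows event records. The record format, field names and sample events are constructed assumptions; the event IDs used are the real Windows IDs for log clearing (Security 1102, System 104) and system time changes (4616).

```python
from datetime import datetime

# Real Windows event IDs: Security 1102 and System 104 record a log being
# cleared; 4616 records a change to the system time.
LOG_CLEARED = {("Security", 1102), ("System", 104)}
TIME_CHANGED = 4616

def find_log_clearing(events):
    """Records showing an event log being cleared (IoC: log data deleted)."""
    return [e for e in events if (e["channel"], e["event_id"]) in LOG_CLEARED]

def find_time_changes(events):
    """Explicit clock-change events, plus records whose timestamp runs
    backwards although the record number keeps rising, which is what clock
    tampering looks like in an exported log (IoC: time/date changes)."""
    ts = lambda e: datetime.fromisoformat(e["time_created"])
    hits = [e for e in events if e["event_id"] == TIME_CHANGED]
    last_seen = {}  # channel -> previous record in record_id order
    for e in sorted(events, key=lambda r: (r["channel"], r["record_id"])):
        prev = last_seen.get(e["channel"])
        if prev is not None and ts(e) < ts(prev) and e not in hits:
            hits.append(e)
        last_seen[e["channel"]] = e
    return hits

def assess(events):
    """Group findings by indicator so a reviewer can triage them."""
    return {"log_cleared": find_log_clearing(events),
            "time_tampering": find_time_changes(events)}

# Constructed sample export with assumed field names; not real telemetry.
def _ev(channel, event_id, record_id, time_created, user):
    return dict(channel=channel, event_id=event_id, record_id=record_id,
                time_created=time_created, user=user)

SAMPLE_EVENTS = [
    _ev("Security", 4624, 100, "2024-03-01T08:00:00", "alice"),
    _ev("Security", 4624, 101, "2024-03-01T08:05:00", "bob"),
    _ev("Security", 4616, 102, "2024-03-01T08:06:00", "SYSTEM"),  # clock changed
    _ev("Security", 4624, 103, "2024-02-27T23:59:00", "alice"),   # time ran backwards
    _ev("Security", 1102, 104, "2024-03-01T08:10:00", "alice"),   # Security log cleared
    _ev("System", 104, 50, "2024-03-01T08:11:00", "alice"),       # System log cleared
    _ev("System", 7036, 51, "2024-03-01T08:12:00", "SYSTEM"),
]

if __name__ == "__main__":
    for indicator, records in assess(SAMPLE_EVENTS).items():
        print(indicator, [r["record_id"] for r in records])
```

Because a cleared log removes the records that preceded it, the clearing event itself and the records that survive in backups are often the only evidence left, which is why the later best practice of backing up log data matters.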
In most cases these Indicators of Compromise will be available for months before a critical incident or a denial of service occurs. The fact that these IoCs have gone undetected by existing cyber security services suggests a second line of defence is needed.
Cyber Security professionals can deliver this second line of defence by periodically performing a Remote Compromise Assessment. This assessment is neither designed nor intended to expose inadequacies in existing cyber solutions, but to highlight the speed with which criminals can adapt and develop new methods that allow them to gain access to networks.
Cyber Threat Landscape
Cyber-attacks vary, ranging from crude brute-force campaigns to sophisticated targeted attacks on specific companies or industries. Deploying cyber defence services will reduce the risks associated with known attack methods; however, smart criminals are acutely aware of standard cyber defence strategies, so constant vigilance is key to remaining safe.
Cybercrime is a global business conducted by highly skilled people, and these criminals may not always be working for their own direct benefit; in many cases they hire out their services to others such as:
Competitors looking to steal valuable information
Governments committing espionage
Lesser skilled transactional cyber criminals looking to extort an income
In most cases breaches occur because internal users do not behave as they should while connected to their employer's network.
Assumption of Breach & Remote Compromise Assessment
The world is grappling with a shortage of skilled cyber security professionals.
In Europe alone the skills gap in 2019 was 291,000, up from 142,000 in 2018. Globally the skills gap is higher: 4.07 million in 2019, up from 2.93 million in 2018.
Considering the cyber threat landscape today, the future of cyber security will have to involve leveraging technology to regularly interrogate the IT environment and using AI with context to baseline an organisation's network activity, user behaviour, processes and connections, because these indicators will reveal any deviations from the norm that are putting a company at risk.
Organisations will benefit from having a framework for identifying and forensically investigating suspicious or malicious network events. Remote Compromise Assessment can deliver a framework that acts as a guide, enabling companies to collect and analyse evidence effectively so they can better understand their vulnerabilities.
Using the results of a Remote Compromise Assessment, Cyber professionals can work with clients to develop an incident response framework that helps internal IT staff respond to and mitigate cyber incidents. Working through the issues raised by the Compromise Assessment will also raise awareness of the overall IT strategy for Cyber Security and the importance of IT risk assessments.
Speed is essential when investigating a suspected breach or a cybercrime.
The lifespan of digital evidence is short, and the first thing a hacker will do following a successful breach is delete the associated Windows Log files to hide their movements.
When a breach occurs or data theft is discovered, quick response, forensic preservation of digital evidence, and the application of the right analytical methodologies and tools are critical to achieving containment, managing risks, and empowering proper remediation.
But this can only happen if the right data is secured and delivered in a format that is easily understood and offers insights that help an investigation.
GuardYoo is leading the charge to deliver a state of perpetual cyber assessment.
The ability to quickly access and analyse historical Windows Log Data can significantly improve cyber incident actions by identifying the origins and duration of the compromise.
Some best practices that should be adhered to:
Windows Log Data should be gathered and backed up as part of a data back-up strategy
All non-corporate devices must be identified and either blocked from the network or secured with official security features
All PUPs (Potentially Unwanted Programmes such as TeamViewer) must be uninstalled if not needed
Malware is typically delivered via phishing emails, so employees need to be re-educated on the importance of not opening suspicious emails and of immediately reporting to IT if they do
Analysing logs from firewalls, IDS/IPS, A/V, proxy servers, operating systems, and the like is an important element of cyber forensic investigations
Password strength policies must be put in place to avoid successful brute-force attacks
Cybercrime and those who perpetrate it are ever evolving; they are steadfast in their mission to access their targets' sensitive information and to maintain persistent remote access for as long as they can.
Cyber criminals are as committed to deeply understanding an IT network as is the owner of the same network.
GuardYoo aims to provide companies with a safe, reliable and affordable Remote Compromise Assessment within 1 week and to provide Partners on its platform with a secure and flexible way to create new revenue streams.
To learn more about how we help Cyber Professionals deliver new services and generate more revenue please send us an email: firstname.lastname@example.org or send us a message via the contact form at the bottom of this page.