What do you do when you don't feel well but don't know the cause of your sickness? You go to a doctor, who carries out analyses and tests to detect the problem and then indicates the most appropriate treatment.
Something similar can be done with corporate devices: they are subjected to specific and prolonged checks to identify the points in which there is a potentially harmful malfunction, which if not removed can become the starting point for an attack.
This analysis is the task of the Compromise Assessment, the activity that checks the state of compromise of a company's digital environment, scanning its network in depth for any traces of malicious activity. Using software installed on all the company's endpoints, the contents of the machines are analysed, as well as their configuration status, behaviour and the hosts to which they connect. In other words, the life of the machines is analysed, even over an extended period of time.
Hunting for potential hazards
"The compromise assessment activity has a well-defined purpose," says Lorenzo Bernini, Managing Director Middle East for HWG. "Think of a major attack, capable of destroying the business operations of a company. It is never an operation that is done overnight, but extends over time. Through a compromise, the attacker remains in the environment for weeks or months, makes lateral movements, escalates privileges and then obtains the correct ones and carries out the attack. For him to remain hidden during this time is crucial: once he has gained knowledge of the infiltrated network, he launches his attacks".
With Compromise Assessment, it is therefore possible to carry out an environmental health check to detect the compromised state of machines at a given time. But when is the best time to carry it out? "Rather than timing, I would speak of opportunity," continues Bernini. "All companies that have not activated a SOC, monitoring and incident response service, are invited to carry out a Compromise Assessment. The general trend is to proceed with vulnerability assessments and penetration tests, but this only helps to identify the vulnerabilities and give us the risk exposure. So we know how many vulnerabilities are there, which ones are critical, which ones are likely to be exploited. In short, it's statistics. But we need to go beyond that, and do a proactive activity to detect a compromise, be aware of the breach and activate remediation to remove the attacker from the corporate perimeter and restore the digital environment".
What is the Compromise Assessment
Although it is the client that chooses the assets to be scanned, HWG recommends analysing all endpoints on the network using dedicated scanners. At the end of the scan, an analyst will study the results and then promptly notify the company, support the remediation process and rule out false positives. The analyst will also prepare an executive summary report to clearly and comprehensively explain the results of the assessment, with detailed and technical information on the findings.
The advantages of this approach are obvious. "As I said, companies are focused on finding vulnerabilities. The trend that emerges is about verifying the environment to avoid the effects of an attack," concludes Bernini. "This verification is decisive: it gives time to protect the organisation and it can eliminate remote access to the system. It is also a good starting point for raising awareness and allowing IT teams to communicate more effectively with boards. It helps people understand the value of an SOC and can get the company on a path to improved IT security."