What is a Compromise Assessment?

Compromise assessments are high-level investigations where skilled teams utilize advanced tools to dig more deeply into their environment to identify ongoing or past attacker activity in addition to identifying existing weaknesses in controls and practices. The intent of the comprehensive assessment is to answer the critical question: “Has my organization been breached?”

Some industries are required by regulatory standards to conduct compromise assessments, while the Cybersecurity & Infrastructure Security Agency (CISA) recommends their use as best practice for all organizations.

Benefits of a Compromise Assessment

Despite advancements in cybersecurity technologies and increases in security budgets, average dwell times have remained largely unchanged over the years. Dwell time is the amount of time between an attacker’s entry into the network and their expulsion. Reducing dwell time is important because the longer a threat actor can operate undetected inside the network, the more time they have to find a route to the most valuable assets, learn how to defeat defenses, install back doors, and exfiltrate data. These advanced persistent threats (APTs) are damaging and costly, but they can be exposed by a compromise assessment.

The depth and breadth of a compromise assessment allows organizations to determine if threat actors are present or if they have been breached. This determination derived through comprehensive analysis leads to a reduction in security risk of attackers stealing financial assets, customer data or intellectual property.

Security posture is improved through the proactive identification of ineffective security practices such as configuration errors and policy conflicts that can leave gaps and put organizations at greater risk. A compromise assessment will expose these weaknesses and provide a path toward remediating them. Organizations will be able to answer the question, “has my organization been breached?” It will also provide suggestions for future improvements that can be used to guide decisions about budget and resources in the future. Lastly, compromise assessments are mandatory under some regulations, but even if an organization is not covered by one of those particular standards, proof of a compromise assessment will carry weight with auditors.

Steps of a Compromise Assessment

Step 1: Assess

A compromise assessment begins with a collection of forensic data, searching for signs of potential compromise in endpoints, network traffic, and logs.

Step 2: Analyze

Compromise assessment teams can use the collected data to determine, has there been an attack? If yes, the suspected compromises are validated and the team can develop an analysis of - who is behind the attack - why they are targeting an organization - what their objective is - and how they execute their tradecraft. This knowledge can be used to anticipate and block the adversary’s next steps.

Step 3: Assist

Analysts can further use their compromise assessment findings to respond to and remediate discovered threats.

Step 4: Advise

The compromise assessment is completed when the organization understands how to improve its in-house response capabilities and overall security posture so it can prevent or address future incidents.

Compromise Assessment vs. Threat Hunting

Threat hunting is a proactive search for cyber threats that are already inside the infrastructure. Threat hunters develop hypotheses based on information gathered about new threats and combine that with knowledge about adversary tradecraft.  They use threat intelligence to expose potential and ongoing attacker activity, and apply advanced analytics to detect suspicious behaviors among the massive amount of information captured by security systems. Threat hunting is an ongoing process.

A compromise assessment, on the other hand, typically conducted on a periodic basis, oftentimes quarterly or monthly for point in time analysis and in some cases to meet regulatory requirements. The scope of a compromise assessment is also significantly greater than that of a threat hunt: a compromise assessment looks not only at indicators of compromise and indicators of attack, but also at the reasons they may have occurred, what next steps are in order, and what actions can be taken to improve the organization’s overall security posture.

CrowdStrikes Falcon Forensics Empowers Teams to Conduct Periodic Compromise Assessments

CrowdStrike’s Falcon Forensics automates the collection of point-in-time and historic forensic triage data, enabling teams to conduct effective and efficient compromise assessments on a periodic basis. As a single solution to analyze large quantities of data, both historical and in real-time, Falcon Forensics eliminates the need for disperate tools or data ingestion methods, simplifying analyst workflows. Customizable preset dashboards, like the quick wins dashboard, were developed in concert with the CrowdStrike Services team to have the highest signal-to-noise ratios.

Falcon Forensics enables teams to rapidly deploy at scale, supporting collections from tens to hundreds of thousands of endpoints. The dissolvable executable performs the collection before removing itself from the systems so analysts don't have to maintain and manage another agent on systems, further reducing complexity.

For organizations that want the industry’s most comprehensive assessment done for them, the CrowdStrike® Services Compromise Assessment leverages the Services team’s years of experience in responding to intrusions by the most advanced attackers. Together with the powerful CrowdStrike Falcon® platform, industry-leading cyber threat intelligence and 24/7 threat hunting, organizations can answer the critical question: “Has my organization been breached?”

Anne Aarness is a Senior Manager, Product Marketing at CrowdStrike based in Sunnyvale, California.