Compromise Assessment Methodology
A Compromise Assessment utilises a methodology for identifying environmental risks, security incidents, and ongoing threat actor activity in a network environment. The assessment identifies ongoing compromises and uncovers malicious access to, and use of, the environment.
The goal is to detect and stop any active security incidents quickly and quietly. The assessment is composed of three phases — each phase more targeted than the last.
Phase 1 — Initial Assessment
In this phase, data collection scripts are deployed throughout the entire environment, leveraging the organisation's existing software deployment tooling. These scripts gather key data used to search for anomalous behaviours and conditions that are indicative of malicious activity or that correlate with risks in the environment. The output from the scripts is then forwarded to the cloud for both manual and automated analysis to determine hosts of interest.
Phase 2 — Targeted Assessment
Targeted standalone executables are deployed to the hosts of interest identified in Phase 1 to gather more in-depth data and analysis related to the behaviours and activity previously identified. This phase also determines whether the findings from Phase 1 were false positives or indicate malicious activity. As in Phase 1, data is forwarded to the cloud for analysis, but it now includes forensic artifacts that support validating whether attacks have taken place or are underway. Containment strategies and other options for moving forward are identified and communicated to the organisation.
Phase 3 — Forensic Assessment
If certain computers are identified that, according to internal corporate policies, require retention for legal or other purposes, or if more scientific/technical analysis is necessary, then activities will include a full bit-by-bit disk copy of those computers, including a memory dump, for related analysis. As with Phase 2, any new information is used to identify additional systems of interest from the Phase 2 data collection, and subsequent analysis is conducted on them.
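The Phase 1 step of turning fleet-wide collection output into hosts of interest is commonly done by stacking: counting how many hosts each persistence artifact appears on and treating the rare ones as leads. The script below is an added illustration of that analysis, not the assessment provider's own tooling; the JSON record format and the sample artifacts are constructed, and the per-user path normalisation is an assumed pre-processing step.

```python
import json
import re
from collections import defaultdict

# Constructed sample output of a Phase 1 collection script: one JSON line per
# persistence artifact per host. The record format is assumed; the page does
# not show the real scripts' output.
SAMPLE_OUTPUT = """\
{"host":"ws01","kind":"service","image":"c:/windows/system32/spoolsv.exe"}
{"host":"ws02","kind":"service","image":"c:/windows/system32/spoolsv.exe"}
{"host":"ws03","kind":"service","image":"c:/windows/system32/spoolsv.exe"}
{"host":"ws04","kind":"service","image":"c:/windows/system32/spoolsv.exe"}
{"host":"ws01","kind":"runkey","image":"c:/users/alice/appdata/local/onedrive/onedrive.exe"}
{"host":"ws02","kind":"runkey","image":"c:/users/bob/appdata/local/onedrive/onedrive.exe"}
{"host":"ws03","kind":"runkey","image":"c:/users/carol/appdata/local/onedrive/onedrive.exe"}
{"host":"ws04","kind":"runkey","image":"c:/users/dave/appdata/local/onedrive/onedrive.exe"}
{"host":"ws03","kind":"runkey","image":"c:/users/carol/appdata/roaming/svchost.exe"}
{"host":"ws03","kind":"task","image":"c:/windows/temp/update.vbs"}
{"host":"ws04","kind":"service","image":"c:/program files/vpn/vpnagent.exe"}
"""

USER_DIR = re.compile(r"^c:/users/[^/]+/")

def normalise(image: str) -> str:
    """Collapse per-user directories so the same program stacks across hosts
    instead of looking unique on every machine."""
    return USER_DIR.sub("c:/users/*/", image.lower())

def load_records(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def stack(records: list[dict]) -> dict[tuple[str, str], set[str]]:
    """Map each (kind, normalised image) to the set of hosts it appears on."""
    seen: dict[tuple[str, str], set[str]] = defaultdict(set)
    for r in records:
        seen[(r["kind"], normalise(r["image"]))].add(r["host"])
    return seen

def hosts_of_interest(records: list[dict], max_hosts: int = 1) -> list[tuple[str, list[str]]]:
    """Rank hosts by how many artifacts they carry that occur on at most
    `max_hosts` machines. Rarity is a lead, not a verdict: the one-off VPN
    agent on ws04 is flagged too and is exactly what Phase 2 must validate."""
    rare: dict[str, list[str]] = defaultdict(list)
    for (kind, image), hosts in stack(records).items():
        if len(hosts) <= max_hosts:
            for h in hosts:
                rare[h].append(f"{kind}:{image}")
    return sorted(rare.items(), key=lambda kv: (-len(kv[1]), kv[0]))

if __name__ == "__main__":
    for host, findings in hosts_of_interest(load_records(SAMPLE_OUTPUT)):
        print(host, findings)
```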