Advanced Threat Hunting and Compromise Assessments are increasingly important activities for businesses taking a proactive stance on Cyber Defence. Do you know if you have been breached?
Are malicious actors embedded in your network? Is your business undertaking a merger or acquisition, maturing your cyber incident management plan or simply seeking to understand where the gaps in your security configuration are?
A concise and effective Compromise Assessment will provide the answers you need.
We understand threats and know where to look for them. 44% of threats go undetected by automated security tools (Crowd Research Partners Threat Hunting Report). The average time attackers dwell on networks within EMEA is 106 days, and in APAC 172 days (FireEye M-Trends Report).
A Compromise Assessment answers the very important question “have we been breached already?” Our compromise assessment uses your business’s volatile data and existing telemetry to quickly reveal indicators of compromise, or threat actors that are already embedded in your network.
Take control and close the breach detection gap by proactively assessing your business.
We use Forensic State Analysis methodologies to determine the compromise state of endpoints.
Our deep experience supported by cutting edge technology allows us to effectively scan your environment for deeply embedded threats.
Using dissolvable agents, we independently collect, identify and evaluate a variety of data points.
Surveying the live memory of thousands of endpoints simultaneously, we analyse OS and application persistence mechanisms that can trigger the execution of code or malicious executables.
This provides an incredibly deep, and conclusive examination of an endpoint’s state.
Incident Response Lifecycle
Planning for incident response is critical to the effective management of a suspected data breach. Within each phase, there are specific areas to address as the incident progresses.
Your response plan should aim to be well documented, explaining everyone’s roles and responsibilities. The plan must be tested to ensure your employees will perform as expected. The more prepared your employees are, the less likely they’ll make critical mistakes.
Early identification of the nature of the attack is critical to determine if you have been breached, and how. Once the nature of the attack is known, forensic investigation can be used to increase your situational awareness. Identification processes will answer questions such as when an event occurred, how was it discovered, have any other areas been compromised, will the attack impact operations and has the point of entry of the attack been identified?
Upon discovery of a breach, you may be tempted to delete and reimage everything to remove the problem. That may not be the best course of action. Instead, contain the breach to minimise the impact. That way, any compromised data is preserved. Create short-term and long-term containment strategies such as updating and patching systems, reviewing access protocols, changing user and administrative access credentials and harden passwords.
Once the incident is contained, the next step is to identify and eliminate the root cause of the compromise. All malware should be effectively removed, systems hardened and patched, and updates applied.
Recovery & Lesson Learned
Recovery is the process of restoring affected systems and devices back to a clean state. The aim is to get business operations functioning normally again. At this stage you should also analyse and document the facts of the breach and conduct a critical review of the incident response process. This will help to strengthen your procedures and enhance your ability to deal with future attacks.