    Compromised Assessment Service

    A Compromise Assessment Service is a cybersecurity practice that involves a thorough examination of an organization's network, systems, and digital assets to identify signs of compromise or unauthorized access. Its primary goal is to detect and respond to security breaches and threats that may have gone undetected by traditional security measures. This assessment helps organizations proactively address security weaknesses, prevent data breaches, minimize financial losses, and safeguard their reputation by identifying and mitigating security compromises promptly.

    Overview

    It is crucial to clearly define the scope and objectives of a Compromise Assessment Service in advance to avoid misunderstandings and ensure that the assessment team focuses on the right areas.

    The scope of Compromise Assessment Service may cover the following:

    1. Endpoint Assessment: Evaluate the security of individual endpoints (computers, servers, mobile devices) to identify signs of compromise, including unusual processes, unauthorized software, or suspicious network connections.
    2. Network Traffic Analysis: Analyze network traffic to detect anomalies, such as unusual data flows, unauthorized access attempts, or patterns consistent with known attack techniques.
    3. User and Account Activity: Review user and account activity logs to identify suspicious behavior, such as multiple failed login attempts, unusual access patterns, or privilege escalation.
    4. File and Data Analysis: Examine files and data repositories for signs of compromise, such as altered or encrypted files, unauthorized access to sensitive data, or data exfiltration.
    5. Malware-like Behavior Analysis: Investigate the presence of malware by examining files, system memory, and registry settings for indicators of compromise (IOCs) or patterns consistent with known malware.
    6. Credential and Authentication Analysis: Assess the security of authentication mechanisms and user credentials to detect compromised accounts or unauthorized access.
    7. External Threat Intelligence: Leverage external threat intelligence feeds and databases to identify indicators of compromise associated with known threats or attackers.
    8. Insider Threat Monitoring: Monitor insider threats by analyzing user behavior and access patterns, looking for signs of unauthorized or malicious activities by employees or contractors.
    9. Periodic Reassessment: Recognize that the threat landscape is dynamic, so perform compromise assessments on a regular basis to stay ahead of emerging threats.
    10. Documentation and Reporting: Maintain detailed records of findings and produce comprehensive reports that include actionable recommendations for remediation.

    In addition to using a telemetry platform that supports hunting (e.g., CrowdStrike Falcon, MS Defender for Endpoints, or other), the Compromise Assessment Service also installs an additional telemetry toolset, DFIR Investigator (delivered by Eviden).

    DFIR Investigator allows Eviden CA to generate an isolated environment (a new AWS account) for digital forensics in a chosen AWS region. The DFIR Investigator Ecosystem is installed for the duration of the Compromise Assessment Service only. After the Compromise Assessment ends, the DFIR Investigator agent is uninstalled.

    Highlights

    • Time savings
    • Cost Savings
    • Legal Savings

    Details

    Delivery method

    Pricing

    Custom pricing options

    Pricing is based on your specific requirements and eligibility. To get a custom quote for your needs, request a private offer.

    Legal

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

    Support

    Vendor support

    For any support please contact Aleksander Pawlicki, aleksander.pawlicki@eviden.com