We conduct an investigation to identify and locate any attacker
A compromise assessment answers the question of whether attackers have been (or are) active in your digital environment. A common reason to request such an assessment:
During the intake for a Compromise Assessment, the research questions are formulated. It is essential to set clear goals for the investigation to achieve a good result.
In order to answer the research questions effectively, the IT and/or OT environment must first be broadly mapped to identify risks and potential attack paths. If necessary, (temporary) tools will be deployed.
After creating visibility in the environment, Nerium's specialists search logs and other artifacts for traces of attack activity in order to detect malicious actors.
After completing the Compromise Assessment, Nerium compiles a report with all results, which is then discussed jointly. Additionally, we provide advice on how to strengthen the digital environment.
The report consists of a management summary outlining the findings, the approach, and details on how it was conducted. Additionally, it includes recommendations to address any hygiene issues.
If traces of an attacker are found, we escalate, in consultation with the client, to an incident response process. In a thorough process, Nerium investigates the attack and assists with securely restoring the digital environment.
We utilize an open-source agent called 'Velociraptor,' which can be installed on Windows, Linux, and macOS. We use it to gather information from a large number of systems simultaneously to identify potential attack activity. Additionally, we also leverage tools that the client already has, such as an Endpoint Detection & Response (EDR) solution that collects telemetry valuable in identifying attack activity or malware communication.
Nerium surgically collects data from systems using the open-source solution 'Velociraptor.' This includes volatile data from memory (running processes, network connections). Additionally, evidence of program execution is retrieved to determine which applications have been launched (AmCache, Prefetch, etc.). Furthermore, the mechanisms through which malware is started automatically (persistence locations) are examined.
Additionally, we use the log sources that a client may already have, including:
- Logs from web applications to identify unauthorized access to the server.
- Endpoint Detection & Response (EDR) solution where we use telemetry to spot malware communication.
- Alerts from an Intrusion Detection/Prevention System (IDS/IPS) or antivirus solution.
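The checks described for these log sources (unauthorized access in web server logs, malware communication in EDR telemetry) can be illustrated with a small triage script. The following is an added example, not Nerium's tooling or code from this page; the log lines and EDR events are constructed sample data, and the heuristics (a script executed from an upload directory, a login success after repeated failures, near-constant connection intervals) are assumptions chosen for illustration rather than a fixed detection standard.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample lines in Apache/nginx "combined" log format (not real data).
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [10/Mar/2024:09:12:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:12:05 +0000] "POST /login.php HTTP/1.1" 401 312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:12:06 +0000] "POST /login.php HTTP/1.1" 401 312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:12:07 +0000] "POST /login.php HTTP/1.1" 401 312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:12:08 +0000] "POST /login.php HTTP/1.1" 401 312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:12:09 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:09:30:44 +0000] "POST /uploads/avatar.php?cmd=whoami HTTP/1.1" 200 44 "-" "python-requests/2.31"
192.0.2.9 - - [10/Mar/2024:09:31:00 +0000] "GET /uploads/photo.jpg HTTP/1.1" 200 8812 "https://example.test/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_access_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


# Heuristic 1 (assumption): a successful request for a server-side script that lives in a
# directory meant for static uploads is a classic webshell indicator.
UPLOAD_DIRS = ("/uploads/", "/files/", "/media/")
SCRIPT_EXT = (".php", ".jsp", ".aspx", ".asp")


def find_webshell_candidates(entries):
    hits = []
    for e in entries:
        path_only = e["path"].split("?", 1)[0]
        if path_only.startswith(UPLOAD_DIRS) and path_only.lower().endswith(SCRIPT_EXT) and e["status"] == 200:
            hits.append((e["ip"], e["path"]))
    return hits


# Heuristic 2 (assumption): several authentication failures from one IP followed by a
# success (here 401 -> 302 redirect) suggests a password-guessing attack that worked.
def find_bruteforce_success(entries, login_path="/login.php", threshold=3):
    failures = defaultdict(int)
    hits = []
    for e in entries:
        if e["method"] != "POST" or not e["path"].startswith(login_path):
            continue
        if e["status"] in (401, 403):
            failures[e["ip"]] += 1
        elif e["status"] in (200, 302):
            if failures[e["ip"]] >= threshold:
                hits.append((e["ip"], failures[e["ip"]]))
            failures[e["ip"]] = 0
    return hits


# Constructed EDR-style network telemetry: (process name, destination, unix timestamp).
# svchost.exe connects every 60 s exactly; chrome.exe connects at irregular user-driven times.
SAMPLE_EDR_EVENTS = [
    ("svchost.exe", "203.0.113.50:443", 1710061200 + 60 * i) for i in range(10)
] + [
    ("chrome.exe", "93.184.216.34:443", t) for t in (1710061201, 1710061234, 1710061260, 1710061899, 1710062001)
]


# Heuristic 3 (assumption): beaconing. A process contacting the same destination at
# near-constant intervals (low coefficient of variation of the gaps) looks like C2
# check-ins rather than a person browsing.
def find_beacons(events, min_connections=6, max_cv=0.2):
    by_pair = defaultdict(list)
    for proc, dst, ts in events:
        by_pair[(proc, dst)].append(ts)
    beacons = []
    for (proc, dst), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons.append((proc, dst, round(avg)))
    return beacons


if __name__ == "__main__":
    entries = parse_access_log(SAMPLE_ACCESS_LOG)
    print("webshell candidates:", find_webshell_candidates(entries))
    print("brute-force success:", find_bruteforce_success(entries))
    print("beacons:", find_beacons(SAMPLE_EDR_EVENTS))
```

On real data the thresholds (number of failures, minimum connection count, allowed jitter) need tuning per environment; in particular, legitimate software such as update agents also beacons at fixed intervals, so a beaconing hit is a lead to investigate against the process and destination, not a verdict on its own.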
A Compromise Assessment is reactive in nature and may start, for example, when you suspect an incident or when you want to check a digital environment for the presence of attackers. Threat Hunting, on the other hand, is proactive and is used by mature organizations to periodically search for attackers in digital environments on the basis of hypotheses. Examples of hypotheses include: "Attackers have deployed fileless malware to evade detection" or "Attackers have exploited a specific vulnerability that was recently disclosed."