Proactive Threat Assessment

Proactive Threat Assessments are designed to give organizations a level of assurance regarding their ability to detect, respond to, and prevent a range of cyber threats. In particular, Volexity's approach to these assessments focuses on the technical and procedural controls that would make life much more difficult for skilled and advanced adversaries should they target the organization. While perimeter defenses and core security mechanisms are within scope, a key focus is placed on the internal controls and capabilities that might thwart attackers once they are already inside the network. Because traditional approaches to security frequently leave networks compromised for months or years before detection, a more proactive approach is needed: hunting for attackers and malware throughout critical network resources.

Volexity's Proactive Threat Assessment is not a simple check-box audit. Part of Volexity's methodology is to collect a range of artifacts and logs from the customer, which allows the assessment to look for signs of an active intrusion. Analysis techniques employed during Proactive Threat Assessments include:

  • Volatile memory analysis (memory forensics) to detect attackers and malware performing code injection, lateral movement, and anti-forensics tampering
  • Review of log files to identify suspicious user account behavior, program execution, and data exfiltration
  • Audit of user activity to find traces of malicious insider threats
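The log-review bullet above describes the kind of hunt an analyst performs over collected logs. The following Python is an added example, not Volexity's tooling or part of the original page: it runs a handful of hunting checks over constructed logon, process-execution and proxy log lines (the field layouts are assumptions) and stacks the results per account, so that an account tripping several detectors rises to the top of the triage list.

```python
"""Hunt over constructed logs for suspicious account behavior (off-hours
interactive logons, one account fanning out to many hosts), program execution
from unusual paths, and bulk outbound transfers suggesting exfiltration.
All log lines are constructed for this example; field layouts are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed logon events: time user source_host dest_host logon_type
# (logon types follow the Windows convention: 2/10 interactive, 3 network).
AUTH_LOG = """\
2023-03-01T02:14:05 svc_backup WS-042 FS-01 3
2023-03-01T02:15:11 svc_backup WS-042 DC-01 3
2023-03-01T02:16:40 svc_backup WS-042 SQL-01 3
2023-03-01T02:17:02 svc_backup WS-042 MAIL-01 3
2023-03-01T09:02:33 jdoe WS-017 FS-01 3
2023-03-01T13:45:10 jdoe WS-017 MAIL-01 3
2023-03-01T23:30:00 jdoe WS-017 FS-01 2
"""
# Constructed process-creation events: time host user image_path
EXEC_LOG = """\
2023-03-01T02:18:00 FS-01 svc_backup C:\\Windows\\Temp\\rar.exe
2023-03-01T02:19:30 FS-01 svc_backup C:\\Users\\Public\\svchost.exe
2023-03-01T09:05:00 WS-017 jdoe C:\\Program Files\\Microsoft Office\\WINWORD.EXE
"""
# Constructed proxy events: time user source_host destination bytes_out
PROXY_LOG = """\
2023-03-01T02:25:00 svc_backup FS-01 files.example-cdn.net 734003200
2023-03-01T09:10:00 jdoe WS-017 www.example.com 20480
2023-03-01T09:11:00 jdoe WS-017 www.example.com 18000
"""

def parse_auth(log):
    rows = [l.split() for l in log.splitlines()]
    return [(datetime.fromisoformat(t), u, s, d, int(lt)) for t, u, s, d, lt in rows]

def parse_exec(log):
    rows = [l.split(maxsplit=3) for l in log.splitlines()]  # path may contain spaces
    return [(datetime.fromisoformat(t), h, u, p) for t, h, u, p in rows]

def parse_proxy(log):
    rows = [l.split() for l in log.splitlines()]
    return [(datetime.fromisoformat(t), u, s, d, int(n)) for t, u, s, d, n in rows]

def account_fan_out(auth, window=timedelta(minutes=10), min_hosts=3):
    """One account logging on to >= min_hosts distinct hosts inside `window`:
    the footprint of scripted lateral movement with a stolen credential."""
    by_user = defaultdict(list)
    for ts, user, _src, dst, _lt in auth:
        by_user[user].append((ts, dst))
    hits = {}
    for user, evs in by_user.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            hosts = {dst for ts, dst in evs[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                hits[user] = sorted(hosts)
                break
    return hits

def off_hours_interactive(auth, start_hour=7, end_hour=19):
    """Interactive (console/RDP) logons outside business hours."""
    return [(user, dst, ts.isoformat()) for ts, user, _src, dst, lt in auth
            if lt in (2, 10) and not start_hour <= ts.hour < end_hour]

SUSPICIOUS_DIRS = ("c:\\windows\\temp\\", "c:\\users\\public\\", "\\appdata\\local\\temp\\")
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}

def unusual_execution(execs):
    """Binaries run from world-writable staging directories, or system-binary
    names launched from outside C:\\Windows (name masquerading)."""
    hits = []
    for _ts, host, user, path in execs:
        p = path.lower()
        name = p.rsplit("\\", 1)[-1]
        from_staging = any(d in p for d in SUSPICIOUS_DIRS)
        masquerade = name in SYSTEM_BINARIES and not p.startswith("c:\\windows\\")
        if from_staging or masquerade:
            hits.append((host, user, path))
    return hits

def bulk_outbound(proxy, threshold_bytes=100 * 1024 * 1024):
    """Per-account, per-destination daily upload volume above threshold."""
    totals = defaultdict(int)
    for ts, user, _src, dst, nbytes in proxy:
        totals[(user, dst, ts.date().isoformat())] += nbytes
    return {k: v for k, v in totals.items() if v >= threshold_bytes}

def triage(auth_log=AUTH_LOG, exec_log=EXEC_LOG, proxy_log=PROXY_LOG):
    """Stack the detectors per account: one hit is a lead, several are a case."""
    auth, execs, proxy = parse_auth(auth_log), parse_exec(exec_log), parse_proxy(proxy_log)
    findings = defaultdict(set)
    for user in account_fan_out(auth):
        findings[user].add("fan_out")
    for user, _dst, _ts in off_hours_interactive(auth):
        findings[user].add("off_hours")
    for _host, user, _path in unusual_execution(execs):
        findings[user].add("unusual_exec")
    for user, _dst, _day in bulk_outbound(proxy):
        findings[user].add("bulk_outbound")
    return {u: sorted(f) for u, f in sorted(findings.items(), key=lambda kv: -len(kv[1]))}

if __name__ == "__main__":
    for user, reasons in triage().items():
        print(f"{user}: {', '.join(reasons)}")
```

Each detector on its own produces noise (backup accounts legitimately touch many hosts; people work late); the value is in the stacking in `triage`, which is why the service account that fans out, runs a packer from a temp directory and then uploads hundreds of megabytes ranks above the user with a single late logon. Real hunts swap the constructed strings for exported event logs and proxy records and tune the thresholds against the customer's baseline.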

This component of the assessment can be performed with or without Volexity's Network Security Monitoring equipment. Network monitoring adds another layer of insight that may prove useful; in particular, it can help quickly identify other resources that may be compromised but were not included within the initial Proactive Threat Assessment.

While performing a Proactive Threat Assessment, Volexity may find signs of an ongoing breach. When this occurs, Volexity can immediately switch to incident response: containment, eradication, and remediation.

Volexity's typical approach to Proactive Threat Assessments is to analyze volatile memory and disk from a sampling of high-value systems. For traditional IT networks, these often include domain controllers, email servers, application database servers, and file servers. For Industrial Control System (ICS) networks, these often include data historians, backend databases, and the systems that bridge the ICS and business networks. In parallel with this analysis, Volexity's Network Security Monitoring equipment can also be placed on high-value network segments to surface malicious activity on the wire.

Our security-conscious clients generally have these assessments performed quarterly. We also often perform one-time assessments for clients who suspect they may be compromised but want expert analysts to prove or disprove that suspicion.

If you are interested in having Volexity perform a Proactive Threat Assessment for your organization, please visit the Contact Page and get in touch with us today!