Table 2 Summary of our review of publicly described compromise-assessment practices from major providers, including methodology, tools, data collected, relation to CTI, relation to TH/IR, and typical timing. Abbreviations: CTI, cyber threat intelligence; TH, threat hunting; IR, incident response; EDR, endpoint detection and response; SIEM, security information and event management; XDR, extended detection and response; NTA, network traffic analysis.
From: Proactive identification of cybersecurity compromises via the PROID compromise assessment framework
| Company | Methodology | Tools | Collected data | CTI relation | TH and IR relation | When to do CA |
|---|---|---|---|---|---|---|
| | 1. Data Collection and Threat Hunting 2. Targeted Investigation | • Cylance AI • Triage Collection | • Filesystem metadata • Network device logs • Events and alerts from ancillary security systems | Not linked | • Considers TH as part of the CA • Immediate transition to IR when a compromise is identified | No public information available |
| | High-level review (not detailed) | No public information available | No public information available | Not linked | • Not linked with TH • Not linked with IR | No public information available |
| Cobalt Labs [68] | 1. Pre-Assessment Planning 2. Discovery 3. Scanning, Collection and Analysis 4. Reporting | • Nessus (for mass scanning) • LogParser Studio • NetFlow Analyzer • SIEM • XDR | • Endpoint System Logs • Application Logs • User data • Network flow logs | Not linked | • Considers TH a separate, proactive approach • No linkage with IR | After an incident is identified or suspected |
| CrowdStrike | 1. Assess (collection) 2. Analyze 3. Assist 4. Advise | • EDR • The Falcon platform • Falcon Forensics Collector | • Endpoint System Logs | Directly linked | • Considers TH an ongoing process • No linkage with IR | Quarterly or monthly |
| Group-IB | 1. Preliminary Assessment 2. Toolkit Implementation 3. Threat Analysis 4. Data Collection 5. Analysis 6. Gap Analysis 7. Incident Containment and Reporting | • XDR • Triage collection | • Forensic artifacts • Alerts • Telemetry data | Directly linked | • Not linked with TH • Conducts IR when a threat is found | • After a recent cyber incident • When suspecting insider threats • After changes to security measures and staff • Reacting to changes in the cyber threat landscape • Periodic infrastructure checks • Post-M&A security checks |
| | 1. Data Collection 2. Threat Hunting 3. Remediation & Reporting 4. Incident Validation and Early Response | • EDR • Triage collection | • Endpoint System Logs • NTA • Forensic metadata • Network flow logs | Directly linked | • Considers TH as part of the CA • Immediately converts the assessment into IR when an incident is identified | • Periodic • Can follow IR for assurance |
| KPMG [69] | 1. Scoping and Planning 2. Scanning and Collecting 3. Analysis 4. Reporting | No public information available | • Program information • Memory • Network information | Not linked | • Not linked with TH • Considered a support service for IR | • For security control validation • Incident response support • Vendor risk assessments • Post-M&A security checks |
| Mandiant | 1. Technology Deployment 2. Environment Assessment 3. Evidence Analysis 4. Reporting | Focuses on deploying its own tools for: • EDR • Endpoint inspection • Network inspection • Email inspection • Log inspection | • Endpoint logs • Network full packet capture • Emails | Directly linked | No public information available | Annually |
| | 1. Plan 2. Prepare 3. Analyze 4. Improve | • Cortex XDR | • User action artifacts • Service artifacts • Software artifacts • Configuration | Linked | • Not linked with TH • Not linked with IR | No public information available |