Computer attacks have grown exponentially, targeting both businesses and governments.
Advanced Persistent Threats (APT) are scenarios where advanced attackers compromise an information system and remain active for years without being detected. How can an organization determine whether an attacker has already bypassed its security? In particular, how can it recognize an advanced persistent threat (APT) that most popular security solutions fail to detect?
Compromise Discovery is a solution developed by PwC that allows you to take a proactive approach to identifying potential IS compromises by analyzing weak signals across a wide perimeter.
Benefits of Compromise Discovery
Easy to deploy at scale. No specific agent to install.
Identify risky behaviors and suspicious traces that may indicate an ongoing or past attack.
Provide an accurate analysis of the compliance of your IT assets.
We developed the Compromise Discovery solution in response to a question frequently asked by our clients following our security assessments: "I now know that I am at risk, but is it already too late?". Our approach has allowed us to identify discreet attacks on our clients' most at-risk perimeters: for example, the presence of banking malware on a branch treasurer's workstation, remote access to an executive assistant's environment, or the presence of unsecured remote access solutions left on a critical server by a supplier.
Jamal Basrire, Cybersecurity Associate, PwC France and Maghreb
- Definition of the perimeter of the IS machines to be analyzed
- First collection of data necessary to detect a compromise
- Analysis limited to 500 endpoints
- Detection of suspicious behaviors & weak signals
- Delivery of a report with a global view of the IS
- Definition of the perimeter of the IS machines to be analyzed
- Initial collection + monthly collection for one year
- Analysis limited to 500 endpoints
- Detection of suspicious behaviors & weak signals
- Delivery of an initial report with a global view of the IS, followed by a monthly update that tracks how the situation evolves
- Definition of the scope of the IS machines to be analyzed
- Initial collection + monthly collection for one year
- Analysis limited to 1000 endpoints
- Detection of suspicious behaviors & weak signals
- Delivery of a report with a global view of the IS
- Access to our Incident Response service (available 7 days a week), first 2 days of analysis included
- Access to our Threat Watch platform
F.A.Q
What is an indicator of compromise?
Indicators of compromise are technical artifacts or behaviors whose presence indicates malicious activity on the information system.
What are the most common indicators of compromise?
- Traces of failed authentication attempts on a set of servers
- Abnormal behavior of conventional Windows processes
How does PwC's Compromise Collector solution work?
PwC's collector is based on the DFIR-ORC utility developed by the ANSSI. It can be launched via various execution methods, the preferred one being deployment via GPO. Running the collector generates a zip file containing artifact exports in text format, which is then retrieved from a file server for analysis by PwC. Once configured by the client, the collection does not require any remote access from PwC.
What types of analyses are performed by PwC in its platform?
The Compromise Analytics platform is a modular environment, continuously updated with new tests and analyses. It is based on several types of processing:
- Enrichment with internal or external Threat Intelligence databases (comparison based on signatures or technical indicators, customer data is not sent to third parties)
- Search for known suspicious behaviors (technical) or behaviors that deviate from the nominal operation of a system
- Statistical analysis of the entire fleet (uncommon behaviors or files, divergent behavior compared to the rest of the fleet)
Once these tests have been performed, the discrepancies are manually analyzed by a PwC expert in order to eliminate false positives and to investigate the data and determine the extent of a potential compromise.
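As an added illustration (not PwC's code and not part of DFIR-ORC), the three kinds of processing described above, applied to a constructed table of per-host process records in the spirit of the collector's text-format exports: threat-intelligence enrichment, a known-suspicious-behavior check (a standard Windows process name running from a non-standard path), and fleet-wide rarity analysis. Host names, paths and hash values are invented placeholders.

```python
from collections import defaultdict

# Constructed sample of per-host records (host, image name, full path, sha256).
# Values are invented; a real export would carry many more fields.
RECORDS = [
    ("WS01", "svchost.exe", r"C:\Windows\System32\svchost.exe", "aaa1"),
    ("WS02", "svchost.exe", r"C:\Windows\System32\svchost.exe", "aaa1"),
    ("WS03", "svchost.exe", r"C:\Windows\System32\svchost.exe", "aaa1"),
    ("WS04", "svchost.exe", r"C:\Windows\System32\svchost.exe", "aaa1"),
    ("WS01", "explorer.exe", r"C:\Windows\explorer.exe", "bbb2"),
    ("WS02", "explorer.exe", r"C:\Windows\explorer.exe", "bbb2"),
    ("WS03", "explorer.exe", r"C:\Windows\explorer.exe", "bbb2"),
    ("WS04", "explorer.exe", r"C:\Windows\explorer.exe", "bbb2"),
    ("WS03", "svchost.exe", r"C:\Users\Public\svchost.exe", "ccc3"),  # odd location
    ("WS04", "updater.exe", r"C:\Users\bob\AppData\Roaming\updater.exe", "ddd4"),
]

# Constructed local threat-intelligence set: placeholder hashes, not real IoCs.
# Matching is done locally, so no client data leaves the analysis environment.
KNOWN_BAD_SHA256 = {"ddd4"}

# Expected on-disk locations of a few conventional Windows processes (lowercase).
EXPECTED_PATHS = {
    "svchost.exe": r"c:\windows\system32\svchost.exe",
    "explorer.exe": r"c:\windows\explorer.exe",
}


def analyze(records, rarity_threshold=0.25):
    """Return {host: [(finding_type, path), ...]} for hosts with at least one finding.

    rarity_threshold is the maximum share of the fleet on which a (path, hash)
    pair may appear before it stops being considered uncommon (stacking).
    """
    hosts = {r[0] for r in records}
    seen_on = defaultdict(set)  # (path, sha256) -> set of hosts where it appears
    for host, _, path, sha in records:
        seen_on[(path.lower(), sha)].add(host)

    findings = defaultdict(list)
    for host, name, path, sha in records:
        if sha in KNOWN_BAD_SHA256:  # enrichment against the local TI set
            findings[host].append(("ti_match", path))
        expected = EXPECTED_PATHS.get(name.lower())
        if expected and path.lower() != expected:  # masquerading system process
            findings[host].append(("masquerading", path))
        share = len(seen_on[(path.lower(), sha)]) / len(hosts)
        if share <= rarity_threshold:  # divergent from the rest of the fleet
            findings[host].append(("rare_in_fleet", path))
    return dict(findings)
```

Every flagged entry still needs the manual review the text describes; a rare but legitimate tool on a single administrator's workstation will also trip the rarity check.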