Evidence of Compromise - No Fun for CISOs

Meet Ellen. As CISO for a regional bank, she spends her time spreading security awareness, coaching her managers, and supporting the selection of security tools. Ellen doesn’t know that her bank has been compromised, or that a nation-state has been funneling data out of her network with impunity. After three years of pleasant ignorance, Ellen happily retires from the bank and moves to Florida where she enjoys sailing.

Meet Fred. As CISO for a regional bank, he spends his time dealing with law enforcement, meeting with regulators, and answering questions from now-angry customers. Fred knows that his bank had been compromised, and that a nation-state has been funneling data out of his network with impunity. After six months of stress, Fred sadly steps down from the bank and moves to Florida where he tries to enjoy sailing.

Let’s be honest: Everyone knows that it is much more enjoyable to be Ellen than Fred. Furthermore, everyone also knows that if true experts decide to dig into any network or infrastructure, then they’re going to find something. When, for example, was the last time a penetration testing team was hired to detect vulnerabilities – and came back with nada? It just never happens. The test ladle always pulls up something. Always.

It was with this challenge in mind that the TAG Cyber team met with senior executives from cyber start-up Prevailion. With locations in Maryland and Texas, the company supports the provision of compromise evidence to enterprise teams. In essence, they are in the business of turning Ellens into Freds, and we were keen to learn how things were going with this approach in the marketplace. Here is what we learned:

“We create and share what we refer to as compromise intelligence,” explained Karim Hijazi, founder and CEO of Prevailion. “This involves deployment of sensors outside an organization’s enterprise perimeter, which are used to detect evidence of breach. The data is gathered from actual phone-home communications from malware in a hacked organization. We can thus obtain a clear picture of who has been targeted in a given campaign.”

Prevailion generates for its customers indicators of compromise, which provide insight into the tactics, techniques and procedures (TTPs) used by a threat actor against a targeted enterprise. “We track how sophisticated adversaries operate by monitoring their C&C infrastructure with our proprietary beaconing technology. We wait for dormant, planted malware to begin signaling over the network and this gives us the visibility we need.”

A typical campaign monitored by Prevailion might start with Trojans being dropped into unsuspecting victim networks through a compressed RAR archive. When detonated, the Trojans create benign-looking ghost RAT binaries that hide easily in the Windows startup folder. The rest is familiar: The infection will eventually establish communication externally with the C&C infrastructure – and this is how Prevailion detects the source of the beaconing.
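The same regular phone-home traffic that Prevailion watches for from outside can also be spotted from inside the network. The following is an added example, not Prevailion’s code or method: it runs a simple periodicity check over a constructed proxy log (the addresses and hostnames are made up) and flags flows whose connection intervals barely vary, which is how a dormant implant’s scheduled check-ins look next to human browsing.

```python
"""Flag periodic outbound connections (beaconing) in a constructed proxy log."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log, one event per line: "<ISO timestamp> <src_ip> <dst_host>".
# The 10.0.0.5 -> updates.example-cdn.test flow checks in roughly every 60 seconds.
SAMPLE_LOG = """\
2024-01-15T09:00:00 10.0.0.5 updates.example-cdn.test
2024-01-15T09:00:07 10.0.0.5 news.example.test
2024-01-15T09:01:01 10.0.0.5 updates.example-cdn.test
2024-01-15T09:01:59 10.0.0.5 updates.example-cdn.test
2024-01-15T09:02:31 10.0.0.5 news.example.test
2024-01-15T09:03:00 10.0.0.5 updates.example-cdn.test
2024-01-15T09:04:02 10.0.0.5 updates.example-cdn.test
2024-01-15T09:05:00 10.0.0.5 updates.example-cdn.test
2024-01-15T09:12:45 10.0.0.5 news.example.test
2024-01-15T09:40:10 10.0.0.5 news.example.test
"""

def parse_log(text):
    """Return {(src, dst): [timestamps]} from the constructed log format."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows

def find_beacons(flows, min_events=5, max_cv=0.2):
    """Return flows whose inter-connection gaps are suspiciously regular.

    Regularity is the coefficient of variation (stdev / mean) of the gaps
    between consecutive connections: low-jitter check-ins score near zero,
    human-driven browsing scores high. Flows with too few events are skipped.
    """
    hits = {}
    for key, times in flows.items():
        if len(times) < min_events:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            hits[key] = {"events": len(times), "mean_gap_s": round(avg, 1),
                         "cv": round(cv, 3)}
    return hits

if __name__ == "__main__":
    for (src, dst), stats in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"possible beacon {src} -> {dst}: {stats}")
```

On real logs, tune `min_events` and `max_cv` to the observation window, and treat a hit as a lead to pivot on (process, destination reputation, file in the startup folder) rather than a verdict.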

When asked about the business model and the whole making-Ellen-into-Fred thing, the Prevailion team had perhaps the only answer that we could not protest: They suggested pointing the evidence collection at third-party suppliers. Now – say what you will about CISOs and their willingness to submit to proper audit, but no one can begin to suggest that they will hesitate to demand evidence from a supplier.

“We understand that the third-party supply chain remains a nagging security risk for just about all enterprise teams,” Hijazi explained, “so we make it easy for them to query our interface to obtain real-time evidence of compromise about a given third-party company. We’ve also seen the approach used by M&A teams in advance of a transaction, or even by investors in advance of making a financial commitment.”

From an analyst’s perspective, this business approach makes perfect sense. Everyone knows that PII, legal data, and personal records have been escaping from third-party networks with frightening acceleration. So the idea that sponsoring organizations would use evidence of compromise to keep them in line seems a sensible approach. Prevailion must now translate this into a growing for-pay service. (You can get a free account here.)

With a capable team and a solid $10M round of Series A funding, one would expect to see good growth and performance from this team. Our advice to the Prevailion team was to connect their solution in some manner to the contractual relationships that organizations have with their third parties. Companies like SecurityScorecard and BitSight have done a good job of this, and Prevailion can learn from their experience.

I’d recommend that you have a peek at this fine offering, and perhaps take advantage of the free account referenced above. And if you worry about third-party or M&A risk, then this will be particularly useful. As always, please let us know your experiences afterward.

Stay safe.