“What's the most you ever lost on a coin toss?” - Anton Chigurh, No Country for Old Men
When you think about your security stack as it exists today, you have to realize it exists in both a working state and a non-working state. To illustrate this point further, Erwin Schrödinger, a physicist, created a thought exercise to illustrate the nature of quantum theory as it relates to subatomic particles.
Quantum theory states that until a particle is measured and observed, it exists in all possible states. To make this easier to digest, he came up with the following analogy:
A cat, placed into a box and then joined by a radioactive substance with a fifty percent chance of decaying while the cat is in the box (thus killing the cat) will exist in both states, alive and dead. It's not until we open the box will we know the cat's state.
What does this have to do with security?
It's not until you observe and monitor your security state that you will know where it stands. Think about it like this: if someone came to you today and asked the question "are we protected?" What would be your reply? Let's look at some of the possible answers.
"Yes, look at all we found in the environment."
Discovery of malicious activity is helpful in showing value of the stack, but is not a definitive answer to the question. Remember, we are trying to see if the cat is alive or dead here. This answer is merely the equivalent of stating that you heard a noise in the box at one point not too long ago, but it is not a comprehensive answer.
"Yes, and everything is quiet."
This answer is a little bit more concerning to me, but that could be my paranoia kicking in. That's due to my understanding of the size of the human attack surface. By the way, did you know that the human attack surface will be double by 2022? (This is according to CSO online). Revisiting the answer to the question, "are we protected?" - silence could mean the cat is dead in the box, or the cat could be sleeping.
"I cannot say definitively, but according to XYZ, we were on this date."
I like this answer, and to me, it's closest to the truth. The best way to think about your security stack is that it’s a living thing. It can be in one state one day, and another in the next. So, how do you gauge if the cat is alive or dead? Well, the answer is you need to examine it from the inside out.
Isn't that just a penetration test?
No, a penetration test can be viewed (in the context of the analogy) as looking for weaknesses in the box. It's not showing you if the cat is alive or dead. It's just trying to see if there are holes in the box.
So, what do we need to know to figure out whether the cat is alive or dead?
You need a compromise assessment, which is designed to do one thing: see if the security stack is working (the cat is alive) or if something has already happened (the cat is dead). It's a real-world/real-time measurement of the security environment.
How does a Compromise Assessment work?
Usually, a Compromise Assessment is performed in stages. The first stage is typically hunting. During the hunting stage, you are looking for anomalies revolving around various malicious behaviors like data exfiltration, C2 activities, user account peculiarities, and many more items. Think about it like this: you are just opening the box at this point.
From there you move into the second stage which revolves around the investigation. The investigation takes into account all the items that were discovered in the first stage. You have finally opened the box, you are examining the cat and are determining its state (whether it is alive or dead).
The final stage of a compromise assessment is to acquire how this occurred and to determine if there is an active incident. This one is probably the most interesting of all the stages.
Consider this: the cat has passed away because the radioactive substance has decayed and now, by opening the box you have discovered you have just exposed yourself to a dangerous material, meaning there is still an active problem.
Typically, this would begin a containment event or another way to state it, an incident response (IR).
Great, now we know definitively if the cat is alive or dead; now what?
Typically, a compromise assessment concludes with a detailed summary of any compromise detections, a comprehensive list of findings, and strategic and tactical recommendations for remediation (which can include incident response).
So, to go back to the quote that started this article: "what's the most you have ever lost on a coin toss?" The answer to the question is simple, and it is that you stand to gain everything or lose everything.