Network Compromise Assessment (NCA)

A Network Compromise Assessment (NCA) is a useful exercise to undertake if a client suspects there is malware operating on their network, or that the organisation is being targeted by external attackers, but is unsure as to how to collate sufficient evidence to prove it.

Traditional signature-based security software solutions can’t help, because the sophisticated methods used by well-resourced attackers can circumvent these defences, then employ covert techniques to ensure they remain unnoticed and undisturbed for as long as possible.

The best way to discover whether or not the organisation has suffered a breach of its defences is to search for anomalies in network traffic in real time. The NCA allows the organisation to determine what is actually happening in the network through a short-term deployment of monitoring equipment, then to take practical steps to stop any malicious activity, to mitigate its effects and to reduce the risk of other attacks succeeding in future.

An NCA can be deployed to monitor Internet gateways or other locations within a network, capturing passing traffic to perform deep packet analysis, thereby spotting anomalies that could indicate malicious activity. The service uses a combination of cutting-edge commercial tools, proprietary software and privileged intelligence feeds, and is delivered by specialist security analysts and experienced forensic investigators. If indications of a compromise are identified, we work alongside a client’s in-house incident response or network support teams to trace trails of evidence through the network and to identify, where possible:

  • Malicious network traffic, indicating that a successful attack has already been mounted
  • Instances of suspicious traffic emanating from a compromised host on the network
  • Attack vectors being actively exploited, including malware infections and other hacking tools
  • Whether client data is being extracted from the network and where this is happening
  • The origins of the attack and possible identity of the attacker
  • The initial chronology of the infection, such as Trojans carried into the network as email attachments, or network users clicking on malicious email or website links.

During the temporary deployment of the monitoring equipment, traffic is captured and analysed round the clock. During this period Context will keep a consultant on site during normal business hours to review captured data and, if required, take further action in as close to real time as possible. We can offer support outside these times if required.

Analysis of network traffic alone, however, may not give the whole picture, so we also look at evidence drawn from hosts and from log data. Malware needs to install itself somewhere on the network, from where it will contact its command and control infrastructure. In doing so it leaves traces on machines, including files in particular locations, registry keys, open ports and other indications, which can be found with the use of Context’s host agent. The results are then processed against Context’s extensive signature database, which comprises signatures found in investigations into targeted attacks against other clients, signatures provided by the UK Government to help detect attacks, and signatures obtained via various closed security forums of which Context is a member, along with open source reporting on sophisticated attacks. Log data may provide additional evidence.

Once all the evidence is collected, collated and analysed we provide a report into our findings, written primarily for non-technical readers, but also including technical detail such as malware signatures found, to aid future attack detection.

Our consultants will help clients to plan an engagement and can carry out a staged engagement. This helps to establish whether or not a network is subject to particular security issues before a client commits to a longer-term engagement. We offer the full spectrum of services necessary to support a detection engagement, including digital forensics and reverse engineering, and can provide briefings to all levels of the business to help improve awareness and understanding of security issues.


© Copyright 2013 Context Information Security