24/7 incident emergency number:
+31 (0) 800 0699
In case of questions:
+31 (0) 8 548 958 57

Want to know if there are attackers in your environment?

We conduct an investigation to identify and locate any attacker

Compromise Assessment.
What is it, and when do I need it?

A compromise assessment answers the question of whether attackers have been (or are) active in your digital environment. Common reasons to request such an assessment:

  • You suspect an incident, such as a supply chain attack, because one of your suppliers has reported a cyber-incident.
  • A business acquisition means you are going to integrate a digital environment and want to be sure no attackers are already inside the network.
  • During an incident you have removed an active attacker from your network but are not sure whether all backdoors are closed.

Nerium's approach

1. Intake

During the intake for a Compromise Assessment, the research questions are formulated. It is essential to set clear goals for the investigation to achieve a good result.

2. Preparation

In order to answer the research questions effectively, the IT and/or OT environment must first be broadly mapped to identify risks and potential attack paths. If necessary, (temporary) tools will be deployed.

3. Hunting

After creating visibility in the environment, the specialists at Nerium search for traces of attack activity in logs and other artifacts in order to detect malicious actors.

4. Results and advice

After completing the Compromise Assessment, Nerium compiles a report with all results, which is then discussed jointly. Additionally, we provide advice on how to strengthen the digital environment.

What can you expect from us?
In-depth analysis of your digital environment to identify active and inactive attackers.
Experts ready to intervene should an attacker be identified during the investigation.
Results and advisory report for insight and to enhance resilience of your organization.

F.A.Q.

What does the Compromise Assessment report consist of?

The report consists of a management summary outlining the findings, the approach, and details on how it was conducted. Additionally, it includes recommendations to address any hygiene issues.

What happens if active or inactive attackers are found?

In consultation with the client, we escalate to an incident response process. In a thorough process, Nerium investigates the attack and assists with securely restoring the digital environment.

Which tools are being used?

We utilize an open-source agent called 'Velociraptor,' which can be installed on Windows, Linux, and macOS. We use it to gather information from a large number of systems simultaneously to identify potential attack activity. Additionally, we also leverage tools that the client already has, such as an Endpoint Detection & Response (EDR) solution that collects telemetry valuable in identifying attack activity or malware communication.

Which sources are used to spot attackers?

Nerium surgically collects data from systems using the open-source solution 'Velociraptor.' This data originates from memory (network connections, processes). Additionally, data is retrieved to determine which applications have been launched (AmCache, Prefetch, etc.). Furthermore, mechanisms are examined through which malware is automatically initiated (persistence locations).

Additionally, we use the log sources that a client may already have, including:

- Logs from web applications to identify unauthorized access to the server.
- Endpoint Detection & Response (EDR) solution where we use telemetry to spot malware communication.
- Alerts from an Intrusion Detection/Prevention System (IDS/IPS) or antivirus solution.
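The hunting step cross-references exactly these sources: live process and network data, execution evidence (Prefetch) and persistence locations. The following is an added illustration of that cross-referencing, not Nerium's own code or Velociraptor output; the record shapes and field names are assumptions modelled loosely on what such collectors return, the sample rows are constructed, and the internal address ranges are a placeholder an assessor would replace with the client's real ones.

```python
import ipaddress

# Constructed sample records (not real collector output; field names are assumptions).
PROCESSES = [
    {"Pid": 412, "Name": "svchost.exe", "Exe": r"C:\Windows\System32\svchost.exe"},
    {"Pid": 5120, "Name": "update.exe", "Exe": r"C:\Users\alice\AppData\Roaming\update.exe"},
    {"Pid": 2288, "Name": "chrome.exe", "Exe": r"C:\Program Files\Google\Chrome\chrome.exe"},
]
CONNECTIONS = [  # netstat-style rows: which process holds which established connection
    {"Pid": 412, "Status": "ESTAB", "Raddr": "10.0.0.5", "Rport": 445},
    {"Pid": 5120, "Status": "ESTAB", "Raddr": "203.0.113.10", "Rport": 443},
    {"Pid": 2288, "Status": "ESTAB", "Raddr": "198.51.100.7", "Rport": 443},
]
PREFETCH = [{"Executable": "UPDATE.EXE", "LastRunTimes": ["2024-05-02T09:14:00Z"], "RunCount": 3}]
AUTORUNS = [{"ImagePath": r"C:\Users\alice\AppData\Roaming\update.exe",
             "Entry": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"}]

# Placeholder: the client's own internal ranges go here during a real assessment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Directories a normal user can write to; a running binary there deserves a look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def is_external(ip):
    """True when the remote address is outside the defined internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def triage(processes, connections, prefetch, autoruns):
    """Return one finding per process that talks externally AND is suspicious by path or persistence."""
    by_pid = {p["Pid"]: p for p in processes}
    prefetch_by_name = {p["Executable"].lower(): p for p in prefetch}
    persisted = {a["ImagePath"].lower(): a["Entry"] for a in autoruns}
    findings = []
    for conn in connections:
        proc = by_pid.get(conn["Pid"])
        if proc is None or conn["Status"] != "ESTAB" or not is_external(conn["Raddr"]):
            continue
        exe = proc["Exe"].lower()
        reasons = []
        if any(marker in exe for marker in USER_WRITABLE):
            reasons.append("binary in user-writable path")
        if exe in persisted:
            reasons.append(f"persistence: {persisted[exe]}")
        if reasons:  # enrich with execution history so the analyst sees how long this has run
            pf = prefetch_by_name.get(proc["Name"].lower())
            findings.append({"Pid": proc["Pid"], "Exe": proc["Exe"],
                             "Remote": f"{conn['Raddr']}:{conn['Rport']}", "Reasons": reasons,
                             "FirstSeen": pf["LastRunTimes"][0] if pf else None,
                             "RunCount": pf["RunCount"] if pf else 0})
    return findings
```

On the constructed rows, only the process in the user's AppData folder with a Run-key entry and an external connection is returned; the browser with an external connection and the system process with an internal one are not.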

What is the difference between a Compromise Assessment and Threat Hunting?

A Compromise Assessment is reactive in nature and may start, for example, when you suspect an incident or when you want to check a digital environment for the presence of attackers. Threat Hunting, on the other hand, is proactive and is used by mature organizations to periodically search for attackers in digital environments using hypotheses. Examples of hypotheses include: "Attackers have deployed fileless malware to evade detection" or "Attackers have exploited a specific vulnerability that was recently disclosed."

Is this something your organization needs? Or do you have any questions?
