| Defensive capability | Impact |
|---|---|
| Strong segmentation policies and dynamic, asset-based control | Restrict lateral movement and dynamically add controls based on asset and server needs. In the event of compromise, dynamically limit access and reduce the blast radius. |
| Visibility into assets and how they communicate | Build an asset inventory and leverage that insight for dynamic control. Baseline what normal activity looks like on the network to detect deviations; operational networks are fairly static, and this gives defenders an advantage. Do not overlook this capability in either business or operational networks. |
| System hygiene and understanding vulnerability risk | Understanding the full risk allows for precision-based prioritization and limits downtime, while reducing the resource strain of trying to patch 100% of everything even when the risk cannot be realized. |
| Network-based controls and inspection at gateways of entry, for example DNS, NGFW, NGIPS, WAF, AMP, URL, Email, CASB. Protecting at the network decreases the risk of the asset being compromised. Protecting as far away from the asset as possible is always preferred, since protecting at the asset requires 100% efficacy or it will be compromised. | Strong network-based controls with advanced warning systems engaged. Note: TLS decryption is a MUST; if you are NOT doing it, you are at high risk of missing threats embedded inside the encrypted channel (no IPS and no malware inspection on the majority of your traffic), and you become 100% reliant on your endpoint (the victim) to mitigate the risk. |
| BGP monitoring, DDoS protection, GEO control | Monitor your prefixes and alert on any 'interesting' path change. Path changes can be of different kinds, such as more-specific announcements, a change of AS path, a change of origin AS or transit AS, or any combination of these, leading to threats such as blackholed traffic or traffic redirection and interception. DDoS mitigation should cover everything from enterprise application-layer attacks to volumetric attacks. GEO-based policies add one more layer and force the adversary to pivot to other GEOs, giving all defenders a chance to detect these nefarious activities. |
| Cloud-based visibility and control, including API risk and exposure | Ensure cloud-based services and infrastructure meet compliance needs and are monitored for weaknesses, including APIs. Behavioral monitoring of the network across multi-cloud environments gives defenders an advantage and pulls together the full story. |
| Endpoint protection, detection and response, and browser isolation | This is the last line of defense before compromise and an opportunity to mitigate. Multiple engines are key, including sandboxing of unknown files; in the event of compromise, tracking all activities will empower responders with insight into what took place, ultimately allowing for better controls once understood and mitigating reinfection. When protecting highly targeted individuals such as the C-suite, accounting, IT and so on, it may make sense to consider browser isolation to ensure endpoints are not compromised if the web sites visited are nefarious and meant to cause compromise. |
| Multi-factor authentication | Usernames and passwords alone have enabled adversaries to gain access to too many systems, and two-factor authentication is a must. This should cover all critical services, which includes SaaS, web front ends, VPN, RDP/SSH and so on. |
| Security awareness training | The human element is still a key element and one of the biggest advantages the defender has in their toolkit. Education empowers users to be part of the overall security posture, and this includes mitigation and detection. Never underestimate the power of humans. |
| Incident response and threat hunting | Tools are required to augment the incident response process, which includes real-time data collection and summarization, orchestration, and automation to reduce the time to respond and the time to mitigate and eradicate. It is also time to revisit your overall plans and playbooks to ensure all is in line in the event of exposure. Consider exercises such as network reviews, red teaming and overall readiness assessments, and confirm that emergency response teams, processes and support channels are in place. |
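The BGP monitoring row above lists the kinds of path change worth alerting on. The following is an added example, not code from the Talos post, that classifies observed announcements against a constructed baseline of owned prefixes (203.0.113.0/24 and 2001:db8::/32 with origin AS64500 and transits AS64496/AS64497, all documentation values assumed for illustration) and also flags any AS-path change since the previous observation of the same prefix:

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Announcement:
    """One BGP route as seen from a collector: prefix plus AS path (origin AS last)."""
    prefix: str
    as_path: tuple

# Constructed baseline (documentation ASNs/prefixes, not real): the origin AS that should
# announce each owned prefix and the upstream transits expected directly in front of it.
BASELINE = {
    "203.0.113.0/24": {"origin": 64500, "transits": {64496, 64497}},
    "2001:db8::/32": {"origin": 64500, "transits": {64496}},
}

def classify(ann, baseline=BASELINE, last_paths=None):
    """Return (finding, detail) tuples for one announcement: more-specific prefix,
    origin AS change, unexpected transit AS, or any AS-path change since last seen."""
    findings = []
    net = ipaddress.ip_network(ann.prefix, strict=False)
    origin = ann.as_path[-1]
    upstream = ann.as_path[-2] if len(ann.as_path) > 1 else None
    for owned, expected in baseline.items():
        owned_net = ipaddress.ip_network(owned)
        if net.version != owned_net.version or not net.subnet_of(owned_net):
            continue  # announcement does not touch this monitored block
        if net != owned_net:
            findings.append(("more_specific", f"{ann.prefix} inside {owned}"))
        if origin != expected["origin"]:
            findings.append(("origin_change", f"AS{origin} announced, expected AS{expected['origin']}"))
        if upstream is not None and upstream not in expected["transits"]:
            findings.append(("transit_change", f"upstream AS{upstream} not an expected transit"))
    if last_paths is not None:  # stateful AS-path comparison across observations
        prev = last_paths.get(ann.prefix)
        if prev is not None and prev != ann.as_path:
            findings.append(("as_path_change", f"{prev} -> {ann.as_path}"))
        last_paths[ann.prefix] = ann.as_path
    return findings

def demo():
    """Run a constructed feed through classify(); returns one finding list per update."""
    last_paths = {}
    feed = [
        Announcement("203.0.113.0/24", (64496, 64500)),  # normal announcement
        Announcement("203.0.113.0/24", (64497, 64500)),  # same prefix, other transit
        Announcement("203.0.113.0/25", (64499, 64666)),  # more-specific from unknown origin
        Announcement("198.51.100.0/24", (64496, 64511)),  # not a monitored prefix
    ]
    return [classify(a, last_paths=last_paths) for a in feed]
```

In production the baseline would come from your own route registry data and the feed from a route collector, with each non-empty finding list raised as an alert.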
Have you been impacted? Contact Cisco Talos Incident Response. We are available globally, 24 hours a day, every day of the year. Contact us: