Prepare to ATT&CK (Part Two)

Part One: https://johntuckner.me/posts/prepare-attack

Prevention

Now visibility of your network (covered in part one) is great, but at the end of the day, the prevention of attacks should always be taking place in your environment. It is easy to overlook prevention and focus far too much on visibility and detection. Visibility and detection won’t help when you have an understaffed team, a taxing on-call schedule, or an attacker who is already deep inside your network.

Once you understand what your products and services cover from the visibility phase, use the prevention phase to review best practices that stop the most common attacks. Some topics to review:

  • Is your organization utilizing Microsoft Security Baselines via GPO or Intune? (Ref: https://docs.microsoft.com/en-us/mem/intune/protect/security-baselines)

[The MITRE ATT&CK APT29 Vendor Configuration pages hold some interesting Easter eggs about features that only EDR vendors can turn on with a support ticket! (Ref: https://attackevals.mitre-engenuity.org/APT29/results/sentinelone/configuration.html)]

  • Do you block or classify internet traffic from your endpoints? Can that traffic be directed through a web proxy?

Now I realize I just dropped a lot of open-ended and potentially long-term projects as suggestions, but I believe there are some very quick wins to be had in each bullet point. For instance, the Microsoft Security Baselines enable “Command line process auditing” in Windows, which, as of writing, provides visibility into over 100 techniques/sub-techniques!

https://twitter.com/kwm/status/125021141159200
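Applying a baseline is only half the job; the quick win above only pays off if the settings actually land on the host. The following is an added example (not from the original post or from Microsoft) that checks, from an elevated PowerShell session, whether the two settings behind “Command line process auditing” are in effect and whether recent Security event 4688 records really carry a command line. It assumes the standard registry location for the “Include command line in process creation events” policy and an English-language auditpol output.

```powershell
# Added example: verify command line process auditing is actually in effect on this host.
# Reading the Security log and auditpol settings requires an elevated session.

function Test-CommandLineAuditing {
    # 1. The "Audit Process Creation" subcategory must include Success auditing.
    #    /r emits CSV, which is easier to parse than the default table output.
    #    Note: the "Inclusion Setting" text is localized on non-English Windows.
    $auditCsv  = auditpol /get /subcategory:"Process Creation" /r | Where-Object { $_ -ne '' }
    $inclusion = ($auditCsv | ConvertFrom-Csv).'Inclusion Setting'
    $processAudit = [bool]($inclusion -match 'Success')

    # 2. The "Include command line in process creation events" policy.
    #    The baseline sets this registry value to 1 (assumed standard location).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    $policy = Get-ItemProperty -Path $key -Name ProcessCreationIncludeCmdLine_Enabled -ErrorAction SilentlyContinue
    $includeCmdLine = ($policy.ProcessCreationIncludeCmdLine_Enabled -eq 1)

    # 3. Evidence check: sample recent 4688 events and count how many have a CommandLine value.
    #    Without setting 2, the field is present but empty, which is easy to miss in a SIEM.
    $sampled = 0; $populated = 0
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 20 -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $sampled++
        $xml = [xml]$e.ToXml()
        $cmd = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'
        if (-not [string]::IsNullOrWhiteSpace($cmd)) { $populated++ }
    }

    [pscustomobject]@{
        ProcessCreationAudited   = $processAudit
        CommandLinePolicyEnabled = $includeCmdLine
        Events4688Sampled        = $sampled
        EventsWithCommandLine    = $populated
        Compliant                = ($processAudit -and $includeCmdLine)
    }
}

Test-CommandLineAuditing | Format-List
```

If `Compliant` is false the baseline did not apply (check GPO/Intune targeting and `gpresult /h`); if it is true but `EventsWithCommandLine` stays at zero, the policy is set but the host has not yet refreshed it or the log was cleared.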

Part Three coming soon

Originally published at https://johntuckner.me.

Focusing on infosec writing, many other hobbies here: https://johntuckner.me