Prepare to ATT&CK (Part Two)
Now visibility of your network (covered in part one) is great, but at the end of the day, the prevention of attacks should be always taking place in your environment. It is easy to overlook prevention and to focus on visibility and detection far too much. Visibility and detection won’t help when you have an understaffed team, a taxing on-call schedule, and/or the attacker is already advanced far into your network.
Once you have an understanding of what your products and services cover from the visibility phase, utilize the prevention phase to review best practices to stop top attacks. Some topics to review:
- Is your organization utilizing Microsoft Security Baselines via GPO or Intune? (Ref: https://docs.microsoft.com/en-us/mem/intune/protect/security-baselines)
- Can you start utilizing Windows Defender Credential Guard and Application Guard?
- Evaluate enabling Applocker or another application control policy.
- Evaluate potential Windows Firewall utilization to limit SMB usage across hosts.
- Are your clients receiving regular security updates?
- Does your EDR have the correct feature set enabled?
[The MITRE ATT&CK APT29 Vendor Configuration pages hold some interesting Easter Eggs about features that only EDR vendors can turn on with a support ticket! (Ref: https://attackevals.mitre-engenuity.org/APT29/results/sentinelone/configuration.html)]
- Do you block/classify internet traffic from your endpoints? Can they be directed through a web proxy?
- Do you have protections enabled for your email gateway? (example: O365 ATP)
- Where can you utilize 2FA more? Not just for SaaS/Cloud applications, but perhaps inside your perimeter?
- Are conditional access policies in place for border access points?
- Are Macros in Microsoft Office documents restricted?
.htafiles with a text editor instead of a browser.
Now I realize I just dropped a lot of open-ended and potentially long term projects as suggestions, but I am of the belief there are some very quick wins to be had in each bullet point. For instance, the Microsoft Security Baselines will enable “Command line process auditing” in Windows which as of writing will provide visibility into over 100 techniques/sub-techniques!
Part Three coming soon
Originally published at https://johntuckner.me.