Defense Strategies
Comprehensive security controls and mitigations mapped to ATT&CK tactics. Implement these defenses to protect your critical infrastructure from sophisticated cyber threats.
Network Security
Controls for protecting network infrastructure and communications
Filter Network Traffic
Use network appliances to filter ingress or egress traffic and perform protocol-based filtering.
Implementation
- Deploy next-generation firewalls with deep packet inspection
- Implement network segmentation and micro-segmentation
- Configure IDS/IPS with up-to-date signatures
- Enable TLS inspection for encrypted traffic analysis
Network Segmentation
Architect sections of the network to isolate critical systems, functions, or resources.
Implementation
- Implement VLANs for logical separation
- Deploy jump servers for administrative access
- Use software-defined networking for dynamic segmentation
- Establish DMZ for public-facing services
Network Intrusion Prevention
Use intrusion detection signatures to block traffic at network boundaries.
Implementation
- Deploy inline IPS devices at network perimeter
- Configure signature-based and behavioral detection
- Implement automated blocking for known threats
- Integrate with threat intelligence feeds
Endpoint Protection
Controls for securing endpoints and workstations
Antivirus/Antimalware
Use signatures or heuristics to detect malicious software.
Implementation
- Deploy enterprise endpoint protection platform (EPP)
- Enable real-time scanning and behavioral analysis
- Configure automatic signature updates
- Implement cloud-based threat intelligence
Execution Prevention
Block execution of code on a system through application control.
Implementation
- Implement application whitelisting
- Configure Windows Defender Application Control
- Use code signing requirements
- Block script execution from untrusted sources
Exploit Protection
Use capabilities to detect and block conditions that may lead to exploitation.
Implementation
- Enable Windows Exploit Guard features
- Configure DEP and ASLR
- Implement Control Flow Guard
- Deploy browser isolation technologies
Identity & Access
Controls for managing identities and access permissions
Multi-factor Authentication
Use two or more pieces of evidence to authenticate to a system.
Implementation
- Implement MFA for all privileged accounts
- Deploy hardware security keys for sensitive access
- Configure conditional access policies
- Enable risk-based authentication
Privileged Account Management
Manage the creation, modification, use, and permissions associated with privileged accounts.
Implementation
- Implement privileged access workstations (PAWs)
- Deploy privileged identity management (PIM)
- Configure just-in-time access
- Enable session recording for privileged access
User Account Management
Manage the creation, modification, use, and permissions associated with user accounts.
Implementation
- Implement principle of least privilege
- Configure account lockout policies
- Enable account activity monitoring
- Perform regular access reviews
Data Protection
Controls for protecting sensitive data and information
Encrypt Sensitive Information
Protect sensitive information with strong encryption.
Implementation
- Implement full disk encryption on all endpoints
- Use TLS 1.3 for data in transit
- Deploy key management infrastructure
- Enable database encryption for sensitive data
Data Loss Prevention
Use a data loss prevention (DLP) strategy to categorize sensitive data.
Implementation
- Deploy endpoint DLP agents
- Configure network DLP for email and web
- Implement cloud access security broker (CASB)
- Create data classification policies
Data Backup
Take and store data backups from end user systems and critical servers.
Implementation
- Implement 3-2-1 backup strategy
- Configure immutable backup storage
- Test backup restoration regularly
- Store offline copies for ransomware protection
