Final considerations

Questions to ask that help the organization defend itself

Perimeter First

  • What exactly are we protecting?

  • What are the most valuable assets the organization owns that need securing?

  • What can be considered the perimeter of our network?

  • What devices & services can be accessed from the Internet? (Public-facing)

  • How can we detect & prevent when an attacker is attempting an attack?

  • How can we make sure the right person &/or team receives alerts as soon as something isn't right?

  • Who on our team is responsible for monitoring alerts and any actions our technical controls flag as potentially malicious?

  • Do we have any external trusts with outside partners?

  • What types of authentication mechanisms are we using?

  • Do we require Out-of-Band (OOB) management for our infrastructure? If so, who has access permissions to it?

  • Do we have a Disaster Recovery plan?

Internal Considerations

Many of the questions asked about the perimeter apply equally to the internal environment. The internal network differs in a few respects, and there are several routes to defending it successfully. Let's consider the following:

  • Are any hosts that require exposure to the internet properly hardened and placed in a DMZ network?

  • Are we using Intrusion Detection and Prevention systems within our environment?

  • How are our networks configured? Are different teams confined to their own network segments?

  • Do we have separate networks for production and management networks?

  • How are we tracking approved employees who have remote access to admin/management networks?

  • How are we correlating the data we receive from our infrastructure defenses and endpoints?

  • Are we utilizing host-based IDS, IPS, and event logs?

MITRE Breakdown

As a different look at this, we have broken down the major actions practiced in this module and mapped controls to each based on the TTP and a MITRE tag. Each tag corresponds to an entry in the MITRE Enterprise ATT&CK Matrix. A tag of the form TA#### (e.g. TA0007) corresponds to an overarching tactic, while a tag of the form T#### (e.g. T1046) is a technique listed in the matrix under one or more tactics; a sub-technique carries a suffix, T####.###.
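The tag convention above is easy to get wrong in a write-up (a dropped digit, a lower-case prefix), so it is worth validating tags before building a control map from them. The following is an added example, not code from the module or from MITRE: it parses tags by the ID shapes ATT&CK uses (TA#### for a tactic, T#### for a technique, T####.### for a sub-technique), flags malformed tags, and groups a constructed action-to-tag mapping by tactic. The action names and their tags in SAMPLE_MAPPING are constructed for illustration, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Enterprise ATT&CK identifier shapes:
#   TA####     -> tactic        (e.g. TA0007)
#   T####      -> technique     (e.g. T1046)
#   T####.###  -> sub-technique (e.g. T1059.001)
TAG_RE = re.compile(
    r"^(?P<tactic>TA\d{4})$|^(?P<technique>T\d{4})(?:\.(?P<sub>\d{3}))?$"
)


def normalize(tag):
    """Trim whitespace and upper-case a tag so 't1046 ' and 'T1046' compare equal."""
    return tag.strip().upper()


def parse_tag(tag):
    """Return (kind, parent_technique) for an ATT&CK tag.

    kind is 'tactic', 'technique' or 'sub-technique'; parent_technique is the
    T#### a sub-technique hangs under, else None. Raises ValueError on bad input.
    """
    m = TAG_RE.match(normalize(tag))
    if not m:
        raise ValueError(f"not an ATT&CK tag: {tag!r}")
    if m.group("tactic"):
        return "tactic", None
    if m.group("sub"):
        return "sub-technique", m.group("technique")
    return "technique", None


# Constructed sample (hypothetical actions; tags chosen to exercise each shape).
SAMPLE_MAPPING = [
    ("Network service discovery scan", ["TA0007", "T1046"]),
    ("Command execution via PowerShell", ["TA0002", "t1059.001"]),
    ("Lateral movement over SMB", ["TA0008", "T1021.002"]),
    ("Typo in write-up", ["T105"]),  # malformed on purpose: only three digits
]


def group_by_tactic(mapping):
    """Group actions under their tactic tags; return (grouped, invalid).

    grouped maps each TA#### to a list of (action, [technique tags]);
    invalid lists (action, tag) pairs that did not parse, so they can be fixed
    rather than silently dropped from the control map.
    """
    grouped = defaultdict(list)
    invalid = []
    for action, tags in mapping:
        tactics, techniques = [], []
        for tag in tags:
            try:
                kind, _parent = parse_tag(tag)
            except ValueError:
                invalid.append((action, tag))
                continue
            (tactics if kind == "tactic" else techniques).append(normalize(tag))
        for ta in tactics:
            grouped[ta].append((action, techniques))
    return dict(grouped), invalid


if __name__ == "__main__":
    grouped, invalid = group_by_tactic(SAMPLE_MAPPING)
    for ta, entries in sorted(grouped.items()):
        print(ta)
        for action, techs in entries:
            print(f"  {action}: {', '.join(techs)}")
    if invalid:
        print("Invalid tags:", invalid)
```

An action that carries no tactic tag at all never appears in grouped; if the mapping should force every action under a tactic, add that check alongside the invalid-tag report.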
