Defensive Strategy

Reference : Network Attacks and Exploitation by Matthew Monte

Failed Tactics

Antivirus and Signature Based Detection

Antivirus: the attacker can buy it and test against it.

  1. Don’t be on the bad list: if the program is not in the antivirus database, there is no signature for it.
  2. Avoid doing bad behaviour: learn what triggers detection through trial and error or reverse engineering.
  3. Be stealthy.

Signature Based Detection: it does not counter any strategic principle.

  1. Information on which product the defender uses can be obtained easily: from partnership press releases, through access, or from position recruiting (job postings).
  2. Predictable update schedule (once a year…).

Password Policies

Both of these rules ignore the foundational principle of humanity.

  1. Choose a strong password - humans are terrible at choosing random passwords (predictable).
  2. Avoid reusing passwords - no way to enforce or check this among users.

User Training

Unless there are real consequences for user mistakes, it won’t work.

Crafting a Defensive Strategy

  1. Avoid reinventing the wheel - start by following the guides.
  2. Know yourself - what is truly essential.
  3. Develop a data classification system - apply a risk management mentality to what is important (determine value, how much it is worth spending on it…).
  4. Prioritize the user base by the sensitivity of the data they can access.
  5. Prioritize systems according to how they interact on the network.

Application Whitelisting

Only the allowed can join the party.

Network Segmentation and Segregation

Segmentation: the attacker has two choices

  1. Treat each segment as a separate network: drains the attacker’s resources, since it takes a great amount of work to handle each segment as its own network. It also dramatically increases the attacker’s exposure.
  2. Jump between segments: crossing segments creates a perfect choke point. It constrains the ability to move and obstructs the attacker’s ability to communicate. Counters operational security.

Log Analysis

Questionable for prevention. The attacker will sacrifice one and collect the data, and is able to sidestep it. It is good for the defender after a compromise.

Web Domain Whitelisting for All Domains

Only allowed domains can be visited.

  1. Limits the avenues of infiltration - less vulnerable.
  2. Limits the attacker’s options for communication after establishing access.

It is against the foundational principle of humanity.

Deny Direct Access from Workstation

Requires all outbound access to go through an authenticating choke point. Great for limiting the attacker’s access without limiting users much. It needs some innovation, but once set up it is good. It directly counters the attacker’s strategy on almost every level.
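As an added illustration (not from the book or these notes), the choke-point policy above can be encoded and run over firewall flow logs to find workstations that reach the Internet directly instead of via the authenticating proxy, which is the kind of post-compromise log analysis the earlier section says is worthwhile. The subnets, the proxy address and the log lines are all constructed for this example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical layout: workstations may only reach internal hosts or the
# authenticating proxy, which is the sole choke point to the Internet.
WORKSTATION_NET = ipaddress.ip_network("10.1.0.0/16")
PROXY = (ipaddress.ip_address("10.9.0.10"), 3128)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int

FLOW_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def parse_flow(line: str) -> Optional[Flow]:
    """Parse one constructed flow-log line; return None for noise instead of crashing."""
    m = FLOW_RE.match(line)
    if not m:
        return None
    return Flow(m["ts"], ipaddress.ip_address(m["src"]),
                ipaddress.ip_address(m["dst"]), int(m["dport"]))

def is_allowed(f: Flow) -> bool:
    """Choke-point policy: a workstation talks to the proxy or internal hosts, never directly out."""
    if f.src not in WORKSTATION_NET:
        return True  # this policy only constrains workstations
    if (f.dst, f.dport) == PROXY:
        return True
    return any(f.dst in n for n in INTERNAL_NETS)

def find_bypass_attempts(lines: List[str]) -> List[Flow]:
    """Flows that violate the policy: direct outbound access from a workstation."""
    flows = (parse_flow(line) for line in lines)
    return [f for f in flows if f is not None and not is_allowed(f)]

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z src=10.1.4.22 dst=10.9.0.10 dport=3128",   # via proxy: allowed
    "2024-05-01T10:00:02Z src=10.1.4.22 dst=10.1.7.5 dport=445",      # internal: allowed
    "2024-05-01T10:00:03Z src=10.1.4.22 dst=203.0.113.5 dport=443",   # direct out: violation
    "2024-05-01T10:00:04Z src=10.1.4.31 dst=198.51.100.9 dport=53",   # direct DNS out: violation
    "garbage line",
]

if __name__ == "__main__":
    for f in find_bypass_attempts(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport} bypassed the choke point")
```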
