We have been very fortunate this past year to work with some of the best front-liners in Australia. As a result we are often asked what the best are doing to defend their networks and where others should start. Well, here goes:

8 steps to a threat based defence model

  1. Be clear on the assets you are trying to protect (how can you successfully defend what you don’t know?)
  2. Understand your attack surface (unless you know what is running and what/who you are connected with, you cannot successfully defend)
  3. Know who you are protecting it from (use intelligence to gather knowledge on the threat actors, their capabilities and motivations)
  4. Be clear on their Tactics, Techniques and Procedures (use intelligence, research and information sharing to understand how those threat actors operate)
  5. Design your telemetry to cover their TTPs (map the way your enemies move against the assets you are trying to defend)
  6. If you don’t have that telemetry, build it (you cannot have gaps in your visibility)
  7. Design alerting from your telemetry which actively looks for those TTPs (know when your enemy is attacking)
  8. Make continuous improvement your main priority (If you find holes, fix them)
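Steps 4 to 7 are the ones people most often ask how to start on, so here is a small worked example of what they look like in practice. This is an added illustration, not code from the original post: a hypothetical adversary profile of three TTPs, the telemetry each one needs, a check that reports which TTPs you currently cannot see (step 6), and simple alerting rules run over a few constructed key=value log lines (step 7). The TTP names, telemetry source names, log format and sample lines are all made up for the example.

```python
"""Map adversary TTPs to telemetry, report visibility gaps, and run
alerting rules over sample log lines (steps 4-7 of the model)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class TTP:
    name: str
    needs: frozenset  # telemetry sources required to observe this TTP


# Hypothetical adversary profile (constructed for this example, step 4):
# the TTPs the threat actor is known to use and what you need to see them.
ADVERSARY_TTPS = (
    TTP("interactive logon with a service account", frozenset({"auth_logs"})),
    TTP("command interpreter spawned by an office application",
        frozenset({"process_creation"})),
    TTP("credential dumping from LSASS memory", frozenset({"process_access"})),
)

# Telemetry this (hypothetical) environment collects today (step 5).
AVAILABLE_TELEMETRY = frozenset({"auth_logs", "process_creation"})


def coverage_gaps(ttps, available):
    """TTPs whose required telemetry is not collected yet (step 6)."""
    return [t.name for t in ttps if not t.needs <= available]


def parse_event(line):
    """Parse a key=value log line into a dict; unknown shapes yield {}."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe"}

# Alerting rules (step 7): one predicate per TTP, keyed by the telemetry
# source it reads, so a rule is only evaluated against events it can see.
RULES = {
    "interactive logon with a service account": (
        "auth_logs",
        lambda e: e.get("event") == "logon"
        and e.get("type") == "interactive"
        and e.get("user", "").startswith("svc_"),
    ),
    "command interpreter spawned by an office application": (
        "process_creation",
        lambda e: e.get("parent", "").lower() in OFFICE_APPS
        and e.get("image", "").lower() in INTERPRETERS,
    ),
    "credential dumping from LSASS memory": (
        "process_access",
        lambda e: e.get("target", "").lower() == "lsass.exe",
    ),
}


def run_alerts(lines, rules, available):
    """Return (ttp, event) pairs for every rule match. A rule whose telemetry
    source is not collected can never fire, which is exactly the gap that
    coverage_gaps() reports."""
    alerts = []
    for line in lines.splitlines():
        event = parse_event(line)
        for ttp, (source, matches) in rules.items():
            if source in available and event.get("src") == source and matches(event):
                alerts.append((ttp, event))
    return alerts


# Constructed sample log lines. The process_access line is included to show
# that the matching rule stays silent until that source is actually onboarded.
SAMPLE_LOGS = """\
src=auth_logs user=jsmith event=logon type=interactive host=ws-0142
src=process_creation parent=WINWORD.EXE image=powershell.exe user=jsmith host=ws-0142
src=process_creation parent=explorer.exe image=notepad.exe user=jsmith host=ws-0142
src=auth_logs user=svc_backup event=logon type=interactive host=fs-01
src=process_access target=lsass.exe image=procdump.exe user=jsmith host=ws-0142
"""

if __name__ == "__main__":
    for gap in coverage_gaps(ADVERSARY_TTPS, AVAILABLE_TELEMETRY):
        print("VISIBILITY GAP:", gap)
    for ttp, event in run_alerts(SAMPLE_LOGS, RULES, AVAILABLE_TELEMETRY):
        print("ALERT:", ttp, "|", event.get("user"), "@", event.get("host"))
```

Run as-is it reports one visibility gap (the LSASS rule has no telemetry behind it) and two alerts; add "process_access" to AVAILABLE_TELEMETRY and the third rule starts firing on the same sample data. That is the whole point of steps 5 to 7: the gap report is your build list, and every rule should trace back to a TTP you have decided matters.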

Like most things, folks, there are some caveats:

  1. You need competent and motivated security people (trust me when I say having the above in place will help with the motivation, this is what most security teams get out of bed for)
  2. None of this has to cost a fortune but, as with most things in technology, size and complexity do equal cost.
  3. Your critical security controls need to be in place and operating effectively (we know, IDAM, whitelisting and vulnerability management are not sexy but the rest of this does not work without them)