Episode 18 - Blocking & Tackling
Football metaphor for fundamentals, literal for cybersecurity
Blocking & Tackling is an idiom that originates from the phrase "block and tackle", which refers to a series of pulleys that makes lifting easier: a force multiplier through effort reduction
https://www.merriam-webster.com/dictionary/block%20and%20tackle
What are 3 key fundamentals we see overlooked? Tactics to employ tomorrow to force-multiply through effort reduction
How we picked these:
1) Rewards on these far outweigh the risk (seen across 40+ environments)
2) You probably have the data & tools at your disposal
Notes:
Blocking SANS IP List
An extremely effective, smaller list of IP ranges to block
Don’t forget to block inbound and outbound
Removes noise and pressure on security tools
Buys time against how quickly internet scanners identify and exploit vulnerabilities
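As an added illustration of the "block inbound and outbound" point above (example code, not from the episode or from SANS): the ranges below are constructed RFC 5737 documentation addresses standing in for the real list, and the nftables table/chain names and log format are assumptions; the helper parses the list, renders a drop rule for each direction, and checks constructed firewall log lines against it.

```python
import ipaddress
import re

# Constructed stand-in for the SANS block list (documentation ranges, not real values).
SAMPLE_BLOCKLIST = """
# comments and blank lines are ignored
203.0.113.0/24
198.51.100.0/25
192.0.2.7
"""

# Constructed log lines in an assumed key=value format.
SAMPLE_LOG = """
2024-05-01T10:00:00Z src=203.0.113.45 dst=10.0.0.5 action=allow
2024-05-01T10:00:01Z src=10.0.0.9 dst=198.51.100.200 action=allow
2024-05-01T10:00:02Z src=192.0.2.7 dst=10.0.0.5 action=allow
"""

def parse_blocklist(text):
    """Turn a text list into ip_network objects; a bare address becomes a /32 (or /128)."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip trailing comments
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def is_blocked(ip, nets):
    """True if the address falls inside any listed range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)

def nft_rules(nets, table="inet filter"):
    """Render one inbound (saddr) and one outbound (daddr) drop rule per range.
    Table and chain names are assumptions; adjust to the host's ruleset."""
    rules = []
    for n in nets:
        fam = "ip" if n.version == 4 else "ip6"
        rules.append(f"nft add rule {table} input {fam} saddr {n} drop")
        rules.append(f"nft add rule {table} output {fam} daddr {n} drop")
    return rules

def flag_log_hits(log_text, nets):
    """Return the src/dst addresses in the log that touch a listed range, in order."""
    hits = []
    for line in log_text.splitlines():
        for ip in re.findall(r"(?:src|dst)=(\S+)", line):
            if is_blocked(ip, nets):
                hits.append(ip)
    return hits

NETS = parse_blocklist(SAMPLE_BLOCKLIST)
```

Running `flag_log_hits(SAMPLE_LOG, NETS)` shows which traffic the list would have stopped, which is also the quickest way to check the list is not eating legitimate flows before the rules go live.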
MFA - ALL services and Code to Enter
Multi-factor is a must these days
Any MFA is better than nothing, BUT not all MFA is equal
Codes are more effective than approval prompts
One customer tied device certificates with MFA to require a valid system as well as a user – strongest I have seen
Don’t forget APIs and legacy authentication fallbacks
Add any bypass URLs to your detection platform
Block suspicious web categories, i.e. dynamic DNS, anonymizers, new domains
A web proxy like Zscaler or a firewall like Palo Alto
All have categories, but not everyone leverages them
Big categories to identify and block: anonymizers, DNS over HTTPS (DoH), new domains, malware
The critique of these may be that attackers can get around them; that is fair and accurate.
The goal is to reduce the surface and get rid of the top of the funnel, not the advanced adversaries at the bottom. BUT this gives you back time and energy to focus on the more advanced and nuanced threats.