Most important defense tactics network defenders must know

Ali Alwashali
Nov 8 · 3 min read

Here is a list of the most important defense tactics network defenders must know about. I can’t imagine a blue team person missing even one of them. Make sure you know all of them and how to leverage the power of each to better protect your network. Do your research and learn them.

MITRE ATT&CK framework

MITRE ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

With the creation of ATT&CK, MITRE is fulfilling its mission to solve problems for a safer world — by bringing communities together to develop more effective cybersecurity. ATT&CK is open and available to any person or organization for use at no charge.

CIS Controls

IT security leaders use CIS Controls to quickly establish the protections providing the highest payoff in their organizations. They guide you through a series of 20 foundational and advanced cybersecurity actions, where the most common attacks can be eliminated.

Diamond Model

The model establishes the basic atomic element of any intrusion activity, the event, composed of four core features: adversary, infrastructure, capability, and victim. It further defines two important meta-features: technology, which connects the infrastructure and capability that enable operations, and the social-political meta-feature, which describes the always-existing, and sometimes enduring, relationship between adversary and victim.

Cyber Kill Chain

The cyber kill chain is an industry-accepted methodology for understanding how an attacker will conduct the activities necessary to cause harm to your organization. An effective understanding of the cyber kill chain will greatly assist the information security professional in establishing strong controls and countermeasures, which will serve to protect their organization’s assets.

Detection Maturity Level (DML) model

Modified Detection Maturity Level Model

The Detection Maturity Level (DML) model is a capability maturity model for referencing one's maturity in detecting cyber attacks. It's designed for organizations that perform intel-driven detection and response and that put an emphasis on having a mature detection program. Two of the key principles driving the establishment of this model are:

  1. The maturity of an organization is not measured by its ability to merely obtain relevant intelligence, but rather by its capacity to apply that intelligence effectively to detection and response functions.
  2. Without detection, one has no opportunity to respond.

The Pyramid of Pain

The Pyramid of Pain describes the pain you cause an adversary when you are able to deny each type of indicator to them. Hash values: SHA1, MD5 or other similar hashes that correspond to specific suspicious or malicious files.
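As an added example (not code from the original post), a small Python helper that sorts raw indicators into Pyramid of Pain tiers and orders them by how much pain denying them causes the adversary. It assumes the standard six tiers of the pyramid (the excerpt above names only hash values) and a constructed `tool:` prefix for tool names.

```python
import ipaddress
import re

# Pyramid of Pain tiers, from cheapest for the adversary to change (index 0)
# to most costly (index 5). The post names only hash values; the remaining
# tiers are the standard ones of the pyramid and are assumed here.
PYRAMID_TIERS = [
    "hash_value", "ip_address", "domain_name",
    "network_host_artifact", "tool", "ttp",
]

HASH_RE = re.compile(r"^[0-9a-fA-F]{32}$|^[0-9a-fA-F]{40}$|^[0-9a-fA-F]{64}$")
TECHNIQUE_RE = re.compile(r"^T\d{4}(\.\d{3})?$")  # ATT&CK technique ID, e.g. T1059.001
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.IGNORECASE)


def classify(indicator: str) -> str:
    """Map one raw indicator string to its Pyramid of Pain tier."""
    value = indicator.strip()
    if HASH_RE.match(value):        # MD5 / SHA1 / SHA256 hex digest
        return "hash_value"
    if TECHNIQUE_RE.match(value):   # behaviour expressed as an ATT&CK technique
        return "ttp"
    try:
        ipaddress.ip_address(value)
        return "ip_address"
    except ValueError:
        pass
    if DOMAIN_RE.match(value):
        return "domain_name"
    if value.startswith("tool:"):   # assumed "tool:<name>" convention for tooling
        return "tool"
    # Anything else (User-Agent string, mutex name, registry key, ...) is
    # treated as a network or host artifact.
    return "network_host_artifact"


def pain_level(indicator: str) -> int:
    """0 = trivial for the adversary to change, 5 = forces a change in behaviour."""
    return PYRAMID_TIERS.index(classify(indicator))


def prioritize(indicators):
    """Order indicators so the ones that hurt the adversary most come first."""
    return sorted(indicators, key=pain_level, reverse=True)


# Constructed sample indicators (not real IoCs) to exercise the helper.
SAMPLE_INDICATORS = [
    "d41d8cd98f00b204e9800998ecf8427e",    # MD5 of the empty file
    "203.0.113.10",                        # TEST-NET-3 documentation address
    "login-update.example.net",            # example domain
    "Mozilla/4.0 (compatible; MSIE 6.0)",  # unusual User-Agent artifact
    "tool:example-dropper",                # constructed tool name
    "T1059.001",                           # behaviour as an ATT&CK technique
]
```

Running `prioritize(SAMPLE_INDICATORS)` puts the technique first and the hash last, which is the order in which detections built on them keep their value.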

NIST Cybersecurity Framework

The NIST Cybersecurity Framework provides a policy framework of computer security guidance for how private sector organizations in the United States can assess and improve their ability to prevent, detect, and respond to cyber attacks. The framework has been translated to many languages and is used by the governments of Japan and Israel, among others.

Written by Ali Alwashali

Doing Security: DFIR | Threat Intelligence
