Counter moves¶
Attacker techniques, defender’s view. What to harden, what to detect, what to hunt for, what to do when it triggers.
- Closing the doors just walked through
- The machine at the point of impact
- Traffic patterns as evidence
- Inter-domain routing as a target
- The surface designed to be accessible
- The application layer as a target
- Infrastructure you defend but do not own
- Where the container meets the host
- Systems that were never meant to be networked
- The domain as an attack graph
- The gap between access and authority
- Harvesting stored secrets
- Surviving the reboot
- From target to target
- Plausibility as cover
- Evasion trends: defensive perspective
- Behavioural detection
- Deception technology
- Network-level detection of evasion
- C2 framework signatures
- Hardening against evasion
- Serverless and cloud-native evasion
- Containers and Kubernetes evasion
- Long-window detection
- Evasion technique coverage matrix
- Evasion detection and hunting
- Memory corruption and its limits
- Watching data being gathered
- Watching the exits
- Limiting the blast radius
- Impact: defender context
- When the network is the target
- When the yard is someone else’s
- When nothing breaks but everything lies
- When nothing breaks and the secret is already gone
- When the lock is on your side of the door
- When geography is the wall
- When your own posture is the threat
- Responding to impact events
- Responding to active impact runbooks
- Operational cost of security controls
- MFA fatigue
- Detection false positive economics
- HVCI and performance overhead
- Application control exclusion creep
- CASB and DLP latency
- Patch windows and the downtime tax
- Segmentation and the rules that rot
- Least privilege and the cost of asking
- Log volume and the blind spots you bought
- Backups are cheap, restores are not
- Measuring and trimming the cost