Mitre's recently released D3FEND matrix offers sound guidance for any security admin or CISO looking to harden a Windows network against attack.

Often it just takes a defensive mindset to come up with effective options to protect and defend against today’s threats. The Mitre organization has recently released its D3FEND matrix that documents ways to harden the network, detect and isolate threats, and deceive and evict attackers from your network. I’m focusing on D3FEND guidance Windows admins can follow to harden their networks.

Application hardening

Mitre D3FEND recommends these processes to harden applications:

- Dead code elimination
- Exception handler pointer validation
- Process segment execution prevention
- Segment address offset randomization
- Stack frame canary verification
- Pointer authentication

While you might have influence on software choices, you might not have the ability to influence the actual software coding. As a CSO for a larger organization, you can discuss these concepts with your software vendors and query them about their security processes. You can hire consultants to review your internal code projects to ensure that your applications are designed with security in mind.

Credential hardening

Credential hardening starts with certificate pinning, which includes both end-to-end certificate pinning and certificate and public key pinning. According to Mitre, this “allows for a trusted copy of a certificate or public key to be associated with a server and thus reducing the likelihood of frequently visited sites being subjected to man-in-the-middle attacks. Certificates or public keys can be pinned after a trusted connection has been established or the pinning can be preloaded in an application, which is the preferred method for mobile applications.” The next credential hardening advice is multi-factor authentication (MFA).
MFA deployment can take the form of tokens, key fobs, cell phone apps, or phone calls to a designated phone number. It usually requires you to identify the common authentication platform that most of your key high-risk applications are supporting. Typically, this means an application like the Microsoft Authenticator, Google Authenticator, or a third-party platform such as Duo.com. Key fobs such as Yubikey can provide an additional level of authentication.

If you use cell phones and applications to be the authenticator, you may need to either deploy business phones to your staff or provide reimbursement to your staff for the use of their personal phones as an authentication device. Often the IT department must test MFA with multiple phone platforms and ensure that instructions to the end users are clear and the help desk is set up to handle incoming questions and issues as MFA is rolled out. One-time password deployments are another alternative, but this needs to be balanced with the risk of SIM swapping, insecure delivery of the password, and other compromises. I often see one-time passwords used in indirect transfers of files or information between two parties rather than a permanent deployment in an office environment.

A strong password policy, as well as communication regarding what constitutes a strong password, is key to keeping a network safe. Provide education regarding password handling (proper choice of password saving programs) as well as how passwords should not be shared or given over the phone in a potential vishing attack. It’s not enough to use group policies to set up a strong password policy; you need to provide education as well.

Message hardening

Message hardening can be a hard-to-implement defensive technique. Unless you are in an industry that demands encryption, email messages are sent in the clear. Encryption is often added with third-party encryption messaging systems.
Just like with passwords, this is a category of hardening that needs user education along with actual implementation.

Transfer agent authentication can be easy or difficult to do. If your only email process relies on third-party mailing platforms such as Gmail or Office 365, the vendor provides the necessary DMARC, DKIM and SPF settings. If you use additional email platforms as part of your domain mailing processes, such as third-party bulk emailers and other platforms, you may need to have multiple settings in your SPF and DNS records to identify the email platforms you will use. Often you have to review email headers to ensure that the settings are what you intended.

Platform hardening

Platform hardening is where we spend a lot of time and resources on network security. Starting with disk encryption, this ensures that if an asset is stolen an attacker can’t read the data on the hard drive. Driver load integrity checking ensures that the device has integrity from the boot process. If devices need RF shielding, ensure that such systems have appropriate protections.

TPM boot integrity is a category that Microsoft is pushing with the Windows 11 platform. As they note: “During the boot process, the BIOS boot block (which with this defense enabled, is the Core Root of Trust for Measurement) measures boot components (firmware, ROM). The TPM hashes those measurements and stores the hashes in Platform Configuration Registers (PCRs). Upon a subsequent boot, these hashes are provided to a verifier which compares the stored measurements to the new boot measurements. Integrity of the boot components is assured if they match.” Combined with bootloader authentication, this ensures that a system won’t be tampered with before the boot process begins.

Finally, we need to have a plan in place to manage frequent software changes. Replacing old software on a computer system component is a key way to keep a system secure.
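The measure-and-compare cycle in Mitre's description, as an added Python simulation that is not part of the article or of any TPM vendor's code: each boot component is hashed and extended into one PCR-style register, and a verifier compares the result with the value recorded on a known-good boot, using the event log to name what changed. The component names and images are constructed stand-ins, and a real TPM spreads measurements across several PCRs rather than one.

```python
import hashlib
from typing import List, Tuple

PCR_INIT = b"\x00" * 32  # a SHA-256 PCR bank starts at all zeros for PCRs 0-16

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM2_PCR_Extend: new PCR = H(old PCR || H(component)).
    A PCR can only be extended, never written, so the final value depends
    on every component measured and on the order they were measured in."""
    return sha256(pcr + sha256(component))

def measure_boot(components: List[Tuple[str, bytes]]) -> Tuple[bytes, List[Tuple[str, str]]]:
    """Simulate the boot block measuring each component into one PCR.
    Returns the final PCR value and an event log of (name, digest)."""
    pcr, log = PCR_INIT, []
    for name, image in components:
        pcr = extend(pcr, image)
        log.append((name, sha256(image).hex()))
    return pcr, log

def verify(stored_pcr: bytes, pcr_now: bytes, stored_log, log_now) -> Tuple[bool, str]:
    """Verifier step: compare the new PCR with the trusted stored value.
    On mismatch, walk both event logs to name the first component that changed."""
    if stored_pcr == pcr_now:
        return True, "boot components unchanged"
    for i, ((name, good), (name_now, seen)) in enumerate(zip(stored_log, log_now)):
        if name != name_now:
            return False, f"boot order changed at step {i}: expected {name}, saw {name_now}"
        if good != seen:
            return False, f"measurement changed for {name}"
    return False, "number of measured components changed"

# Constructed sample boot chain (not real firmware images)
GOOD_BOOT = [("firmware", b"UEFI firmware v1"),
             ("option_rom", b"NIC option ROM"),
             ("bootloader", b"bootmgfw.efi")]

def check(current_boot: List[Tuple[str, bytes]]) -> Tuple[bool, str]:
    """Measure the current boot and verify it against the known-good boot."""
    golden_pcr, golden_log = measure_boot(GOOD_BOOT)
    pcr_now, log_now = measure_boot(current_boot)
    return verify(golden_pcr, pcr_now, golden_log, log_now)

if __name__ == "__main__":
    print(check(GOOD_BOOT))
    print(check(GOOD_BOOT[:2] + [("bootloader", b"modified bootmgfw.efi")]))
```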
Patching ensures that attackers can’t use persistence or privilege escalations to take over our systems.

I’ve just scratched the surface of the ideas and concepts that you need to know to properly protect and defend your network. Review the D3FEND techniques and recommendations. How many are you already doing now? How many do you need to work on?
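As an added example (not from the article or from Mitre) of the multi-platform SPF setup and header review described under message hardening, this Python script parses a constructed SPF record for a domain that sends through several platforms, counts the DNS-lookup terms against the 10-lookup limit in RFC 7208, and checks constructed Authentication-Results headers for methods that did not pass. The Microsoft 365 and Google Workspace include names are real; the bulk mailer, domain and receiving host are placeholders.

```python
import re

# Mechanisms and the redirect modifier each cost one DNS lookup under RFC 7208,
# which caps an SPF evaluation at 10; past that, receivers return permerror,
# so adding one more bulk mailer can silently break SPF for every platform.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def parse_spf(record: str) -> dict:
    """Split an SPF TXT record into (qualifier, name, value) terms and count lookups."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed, lookups = [], 0
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?")
        name, _, value = body.partition(":") if ":" in body else body.partition("=")
        if name.lower() in LOOKUP_TERMS:
            lookups += 1
        parsed.append((qualifier, name.lower(), value))
    return {"terms": parsed, "lookups": lookups, "over_limit": lookups > 10}

def parse_auth_results(header: str) -> dict:
    """Pull the spf/dkim/dmarc verdicts out of an Authentication-Results header
    as the receiving server wrote it (first verdict per method wins)."""
    results = {}
    for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
        results.setdefault(m.group(1).lower(), m.group(2).lower())
    return results

def review_message(header: str) -> list:
    """Return the methods that did not pass, so mail from a platform that was
    left out of SPF or DKIM shows up during header review."""
    res = parse_auth_results(header)
    return [m for m in ("spf", "dkim", "dmarc") if res.get(m) != "pass"]

# Constructed samples: a domain sending through Microsoft 365, Google Workspace
# and a bulk mailer, plus two headers as a receiving server might add them.
SPF_RECORD = ("v=spf1 include:spf.protection.outlook.com include:_spf.google.com "
              "include:bulkmailer.example ip4:203.0.113.10 -all")
HEADER_OK = ("mx.receiver.example; spf=pass smtp.mailfrom=example.com; "
             "dkim=pass header.d=example.com; dmarc=pass header.from=example.com")
HEADER_BAD = ("mx.receiver.example; spf=fail smtp.mailfrom=example.com; "
              "dkim=none; dmarc=fail header.from=example.com")

if __name__ == "__main__":
    print(parse_spf(SPF_RECORD))
    print(review_message(HEADER_OK), review_message(HEADER_BAD))
```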