Microsoft attack detection products

Microsoft has several products that can be used to detect suspicious activity on an organization’s information systems based on collection and analysis of telemetry. These products …

Code Integrity Policies

Code Integrity (CI) policies allow you to restrict which applications and scripts can run on a computer. There are a variety of methods that you can use to enforce code …

Privileged access workstations

A privileged access workstation (PAW) is a computer that is only used to perform administrative tasks. This computer has a locked-down configuration compared to computers used for day-to-day activities on …

Execute

During the execution phase, the blue team enacts the response plan to evict the intruder from the organization’s information systems and remediate the vulnerabilities in the security configuration that the …

Plan a response

Organizations shouldn’t attempt to evict an intruder until they have a good working understanding of the topology of the intrusion. Similarly, the method through which an intruder is evicted, and …

Restrict Privilege Escalation

Overview Privilege escalation is the process by which an attacker acquires the ability to perform a greater variety of tasks on the organization’s information systems from those that they were …

Blue Team Kill Chain

Overview In the information security lexicon, a kill chain describes the structure of an attack against an objective. While usually used to describe the phases of a red team’s operation, …

Blue Team

Overview The blue team represents and is comprised of your organization’s existing information security and IT administration staff. While part of the purpose of red team exercises is to explore …

Attack Detection

Overview When information systems are properly configured, all attacks, even those that are unsuccessful, leave some trace that they occurred. Clever attackers will attempt to remove those traces once they …

Standard Framework

Reconnaissance Sophisticated attackers don’t randomly attack organizations. Sophisticated attackers spend a significant amount of time researching their target. An attacker will use the reconnaissance phase to determine whether a target …

Restrict Lateral Movement

Overview Lateral movement occurs when an attacker who has compromised one system is able to compromise another system on the network by using an existing compromised system as a jump …

Red Team Kill Chain

Kill Chains are an idea originally taken from military strategy, which describes the structure of an attack against an objective. The company Lockheed Martin applied this idea to information security …

Common Objectives

Persist presence When an attacker can persist their presence on a target organization’s information systems, it means that they have reliable remote access via a back door to the target …

The Attacker’s Objective

When developing a red team versus blue team exercise it is important to specify the red team’s objective. The objective is the overall aim of the exercise and red teams …

Compromise Examples

Few attackers compromise an organization without having an objective beyond proving that the organization can be compromised. Attackers target organizations because they wish to accomplish one or more goals. When …