Use intrusion detection signatures to block traffic at network boundaries.

Boot Integrity ensures that a system starts securely by verifying the integrity of its boot process, operating system, and associated components. This mitigation focuses on leveraging secure boot mechanisms, hardware-rooted trust, and runtime integrity checks to prevent tampering during the boot sequence. It is designed to thwart adversaries attempting to modify system firmware, bootloaders, or critical OS components.

• Implementation: Enable UEFI Secure Boot on all systems and configure it to allow only signed bootloaders and operating systems.
• Use Case: An adversary attempts to replace the system’s bootloader with a malicious version to gain persistence. Secure Boot prevents the untrusted bootloader from executing, halting the attack.

• Implementation: Configure systems to use TPM-based attestation for boot integrity, ensuring that any modification to the firmware, bootloader, or OS is detected.
• Use Case: A compromised firmware component alters the boot sequence. The TPM detects the change and triggers an alert, allowing the organization to respond before further damage.

• Implementation: Protect BIOS/UEFI settings with a strong password and limit physical access to devices.
• Use Case: An attacker with physical access attempts to disable Secure Boot or modify the boot sequence. The password prevents unauthorized changes.

• Implementation: Deploy solutions to verify the integrity of critical files and processes after boot.
• Use Case: A malware infection modifies kernel modules post-boot. Runtime integrity monitoring detects the modification and prevents the malicious module from loading.

Auditing is the process of recording activity and systematically reviewing and analyzing the activity and system configurations. The primary purpose of auditing is to detect anomalies and identify potential threats or weaknesses in the environment. Proper auditing configurations can also help to meet compliance requirements.

The process of auditing encompasses regular analysis of user behaviors and system logs in support of proactive security measures. Auditing is applicable to all systems used within an organization, from the front door of a building to accessing a file on a fileserver. It is considered more critical for regulated industries such as, healthcare, finance and government where compliance requirements demand stringent tracking of user and system activates.

• Use Case: Regularly assess system configurations to ensure compliance with organizational security policies.
• Implementation: Use tools to scan for deviations from established benchmarks.

• Use Case: Review file and folder permissions to minimize the risk of unauthorized access or privilege escalation.
• Implementation: Run access reviews to identify users or groups with excessive permissions.

• Use Case: Identify outdated, unsupported, or insecure software that could serve as an attack vector.
• Implementation: Use inventory and vulnerability scanning tools to detect outdated versions and recommend secure alternatives.

• Use Case: Evaluate system and network configurations to ensure secure settings (e.g., disabled SMBv1, enabled MFA).
• Implementation: Implement automated configuration scanning tools like SCAP (Security Content Automation Protocol) to identify non-compliant systems.

• Use Case: Examine network traffic, firewall rules, and endpoint communications to identify unauthorized or insecure connections.
• Implementation: Utilize tools such as Wireshark, or Zeek to monitor and log suspicious network behavior.