Any firewall has a solution to this 2020 problem?

This page summarizes the projects mentioned and recommended in the original post on /r/cybersecurity.

  • windows_hardening

    HardeningKitty and Windows Hardening settings and configurations

  • Endpoint-based prevention: Harden endpoints, including browser settings (https://www.cisa.gov/uscert/publications/securing-your-web-browser; https://stigviewer.com/stig/google_chrome_browser/) and software firewall including ingress and egress rules (https://www.stigviewer.com/stig/microsoft_windows_firewall_with_advanced_security/2021-10-15/). If you're primarily worried about Windows endpoints, take a look at HardeningKitty and the solid STIG-based Windows Firewall list (https://github.com/0x6d69636b/windows_hardening/blob/master/lists/finding_list_dod_windows_firewall_stig_v1r7.csv) for some relatively easy wins.

  • rita

    Real Intelligence Threat Analytics (RITA) is a framework for detecting command and control communication through network traffic analysis.

  • Infrastructure-based detection: Collect and analyze network traffic for C2 beaconing, a la RITA (https://github.com/activecm/rita)

  • workspaces-core-images

  • Depending on your situation, you may have a smaller set of machines that require more protection. Consider disabling internet access for those systems and requiring all access to those systems to go through bastion hosts, ideally containerized bastion hosts so you know they're being launched from your defined secure configuration without any persistent configuration drift each time they're used. Kasm is a good solution for this, and if you want to self-host, that's an option: https://www.kasmweb.com/.

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.
