Full Report
Hola amigos, we will be running our elite “Combat Training” at the BlackHat Briefings in Barcelona this March (talk lineup), and this course is the flagship of our established Hacking by Numbers series. From the first hour to the final minutes, students are placed in different attacker scenarios as they race the clock to “capture the flag”. The trainers are highly skilled (as well as having the standard Southern African humour, looks, and charm) and the course is full of new hacks.
Analysis Summary
The context provided is an announcement for a security training course ("Combat Training", part of the "Hacking by Numbers" series) built around attacker scenarios and "new hacks". The recommendations derived from it therefore focus on preparing defenses against the advanced, scenario-based attacks such elite training sessions typically cover.
Because the article itself is a marketing blurb with no explicit technical security guidance, the recommendations below are synthesized from what a course titled "Hacking by Numbers" and "Combat Training" implies attendees will learn to carry out (i.e., offensive security coverage), and what defenders therefore need to resist.
# Best Practices: Hardening Defenses Against Advanced Attacker Scenarios (Inferred from Elite Training Context)
## Overview
These practices address hardening environments against sophisticated attack methods, likely including exploitation, lateral movement, privilege escalation, and objective completion (Capture The Flag scenarios), which are characteristic of high-level "Combat Training" security courses.
## Key Recommendations
### Immediate Actions (focus on visibility and basic hygiene)
1. **Validate Patch Cadence:** Immediately verify the last successful execution date for your critical patch management system for all public-facing assets and internal Domain Controllers.
2. **Review Firewall Egress Rules:** Conduct a rapid audit to ensure that only explicitly required outbound connections are permitted, blocking common command-and-control (C2) ports and restricting protocols that are routinely abused as covert channels (e.g., unrestricted outbound DNS, which enables DNS tunneling).
3. **Test Authentication Resilience:** Ensure Multi-Factor Authentication (MFA) is enforced for all administrative and remote access accounts *today*.
### Short-term Improvements (1-3 months; focus on detection gaps and reducing attack surface)
1. **Implement Attack Visibility Monitoring:** Deploy and tune Security Information and Event Management (SIEM) rules specifically looking for indicators of compromise (IOCs) related to common post-exploitation frameworks (e.g., suspicious PowerShell execution patterns, credential dumping attempts like Mimikatz indicators).
2. **Harden Local Security Policy:** Enforce the principle of least privilege aggressively. Review and restrict the use of highly powerful built-in accounts (e.g., Administrators group membership) for daily operational tasks across all endpoints.
3. **Inventory and Baseline Configuration Drift:** Run automated scans to identify configuration drift on high-value targets (e.g., domain controllers, key file servers) against established secure baselines (CIS Benchmarks).
### Long-term Strategy (3+ months; focus on resilience and architectural security)
1. **Establish Credential Segregation Architecture:** Implement robust credential segmentation: harden the domain controllers that act as Kerberos Key Distribution Centers (KDCs) so that forged Golden Tickets are much harder to obtain, and require Privileged Access Workstations (PAWs) for all administrative tasks.
2. **Develop Live Incident Response Playbooks:** Using a common adversary-behaviour model (e.g., MITRE ATT&CK techniques), develop and practice "run books" for responding to advanced threats, including network containment and evidence preservation steps tailored to scenario-based compromises.
3. **Integrate Attacker Thinking into Audits:** Institutionalize regular, scenario-based testing (e.g., red teaming exercises that simulate a full "Capture the Flag" approach) to proactively discover and remediate weaknesses before real adversaries exploit them.
## Implementation Guidance
### For Small Organizations
- **Prioritize MFA Everywhere:** Implement MFA on email, VPN, and major cloud services immediately; it is the single most effective control against the use of credentials stolen early in an attack.
- **Simplified Patching Schedule:** Mandate a fixed weekly slot (e.g., every Tuesday evening) for patching critical systems, minimizing disruption while ensuring timely updates.
- **Use Managed Services for EDR:** If internal expertise is low, procure managed Endpoint Detection and Response (EDR) services that incorporate threat hunting features to compensate for limited internal monitoring staff.
### For Medium Organizations
- **Segment Critical Assets:** Isolate high-value assets (HR data, financial backups, credential stores) onto separate network segments with strictly controlled cross-segment firewall rules.
- **Formalize Vulnerability Scanning:** Establish a recurring, authenticated vulnerability scanning schedule (at least bi-weekly) directed specifically at internal network segments, not just perimeter defenses.
- **Train Developers on Secure Coding:** If internal applications are critical, mandate secure coding training focused on common web application vulnerabilities (OWASP Top 10), as these are often entry points exploited in CTF-style exercises.
### For Large Enterprises
- **Deploy Advanced Deception Technology:** Implement honeypots, honey tokens, and bait files across critical systems to lure attackers and detect them early, during the reconnaissance or lateral movement stages.
- **Implement Zero Trust Segmentation:** Move towards micro-segmentation to ensure that even if one segment is compromised, lateral movement to other segments requires re-authentication and re-authorization based on granular security policies.
- **Formalize Threat Intelligence Integration:** Subscribe to and automate the ingestion of high-fidelity threat intelligence feeds into your SIEM/SOAR platforms to detect signatures related to "new hacks" demonstrated in training courses like this one.
## Configuration Examples
(Note: Specific technical configurations are not provided in the source material, but best practices point toward these areas):
* **Windows Security Baseline:** Ensure GPOs disable WDigest cleartext credential caching and enable LSA Protection, so that cleartext credentials cannot be harvested from LSASS memory.
* **Firewall Rules Example (Deny-by-Default Philosophy):**

```text
ACTION=DENY; PROTOCOL=ANY; SRC_ZONE=INTERNAL; DST_ZONE=ANY; DST_PORT=ANY; LOG=TRUE; EXCEPT (ALLOW_ESSENTIAL_BUSINESS_TRAFFIC)
```
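The following PowerShell audit is an added example, not code from the announcement or the course. It reads the two registry values behind the Windows baseline item above (WDigest `UseLogonCredential` and LSA `RunAsPPL`) and reports drift from the expected state; it assumes a Windows host with PowerShell 5.1 or later and permission to read HKLM.

```powershell
# Added example: audit the two registry settings that back the
# "disable WDigest caching / enable LSA Protection" baseline item.
# Assumes read access to HKLM on a Windows host (PowerShell 5.1+).

$checks = @(
    @{ Name     = 'WDigest cleartext credential caching disabled'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Value    = 'UseLogonCredential'
       Expected = 0 },
    @{ Name     = 'LSA Protection (RunAsPPL) enabled'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value    = 'RunAsPPL'
       Expected = 1 }
)

$results = foreach ($c in $checks) {
    # Returns $null when the key or value does not exist.
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value `
                -ErrorAction SilentlyContinue).($c.Value)

    # On Windows 8.1 / Server 2012 R2 and later an absent UseLogonCredential
    # already means "do not cache", but a baseline should set it explicitly,
    # so an absent value is still reported as FAIL here.
    [pscustomobject]@{
        Check    = $c.Name
        Expected = $c.Expected
        Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
        Status   = if ($actual -eq $c.Expected) { 'PASS' } else { 'FAIL' }
    }
}

$results | Format-Table -AutoSize

# Non-zero exit lets a configuration-drift scan flag the host.
if ($results.Status -contains 'FAIL') { exit 1 }
```

Run it from an elevated prompt on each domain controller or high-value server as part of the configuration-drift scan recommended above.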
## Compliance Alignment
The focus derived from highly technical security training aligns best with preventative and detective control frameworks:
- **CIS Critical Security Controls (CSC):** Strong alignment with Controls like Inventory & Control of Network Devices, Continuous Vulnerability Management, and Account Management.
- **NIST SP 800-53 (High Baseline):** Focuses heavily on configuration management (CM), access control (AC), and auditing/accountability (AU), which are central to combating advanced attacks.
- **ISO/IEC 27002:** Specifically mapping to Annex A controls related to secure system engineering and operational security.
## Common Pitfalls to Avoid
1. **Assuming Perimeter Defense is Sufficient:** Believing that strong external firewalls stop an attacker who gains an initial foothold via a phishing email or software vulnerability.
2. **Ignoring Internal Network Traffic:** Failing to monitor east-west traffic, which is where lateral movement and credential misuse activities occur undetected.
3. **Stale Documentation:** Relying on old security policies that do not account for modern attack techniques (e.g., relying solely on traditional antivirus instead of EDR/XDR).
4. **Over-Trusting Default Settings:** Assuming vendor default configurations are secure, especially for new software or cloud services.
## Resources
- **MITRE ATT&CK Framework:** Essential for understanding and mapping defenses against adversary tactics, techniques, and procedures (TTPs).
- **CIS Benchmarks:** Foundational guides for hardening operating systems, network devices, and cloud environments.
- **BlackHat/DEF CON Archives:** Reviewing briefings where new exploits or evasion techniques may have been publicly demonstrated to stay ahead of common "new hacks."