Cybersecurity strategies to prioritize now

Microsoft Deputy CISO Damon Becknel outlines four immediate security priorities: basic cyber hygiene, modern standards and protocols, fingerprinting to identify bad actors, and increased collaboration. Together they target the common, preventable attacks that still succeed. The post emphasizes practical actions: inventorying assets, enforcing phishing-resistant MFA, patching, network segmentation, DNS and SMTP hardening, and using fingerprinting and threat-intelligence sharing to raise the cost of an attack. #Microsoft #EWS

Keypoints

  • Focus on essential cyber hygiene: an accurate asset inventory, timely patching, endpoint detection and response (EDR), full-disk encryption, host-based firewalls, and logging and monitoring that is enforced rather than optional.
  • Adopt modern security standards and retire deprecated technology: move away from username/password-only authentication to phishing-resistant MFA (passkeys, hardware keys such as YubiKeys) and deprecate insecure protocols.
  • Harden network controls: segment the network, route production access through jump boxes, use VPNs and web/email proxies, and block known-malicious address space such as Tor nodes and IP blocks of high-risk countries.
  • Harden email and DNS: implement DMARC with an enforcing (blocking) policy, lock down SMTP configurations, and deploy DNSSEC, DNS filtering and secure resolver settings to reduce spoofing and DDoS exposure.
  • Prioritize fingerprinting of devices, browsers and users to detect account takeover, proxy/VPN misuse, and botnet "machine borrowing"; use fingerprints as correlation keys in detection logic.
  • Share intelligence and collaborate across industry groups (ARC, FSISAC, HISAC, TISAC, GASA) to exchange signals, IOCs and lessons learned, improving collective detection and response.
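The DMARC point above is easy to get half right: publishing a record is not the same as enforcing one. The following is an added example (not code from the Microsoft post) that parses a `_dmarc` TXT record and reports why it does not block spoofed mail. The sample records, the grading rules (p=reject, pct=100, an explicit or inherited sp=reject, a rua= address) and the optional dnspython lookup helper are this example's own choices.

```python
"""Parse and grade DMARC TXT records (added example, not Microsoft's code)."""

# Constructed sample records; "enforced" is the only one that actually blocks spoofs.
SAMPLE_RECORDS = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial":      "v=DMARC1; p=reject; pct=10; sp=none; rua=mailto:dmarc@example.com",
    "enforced":     "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:forensic@example.com",
    "not-dmarc":    "v=spf1 include:_spf.example.com -all",
}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into a {tag: value} dict.

    Raises ValueError if the text is not a DMARC record (v=DMARC1 must be the
    first tag and p= is mandatory, per RFC 7489).
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (missing v=DMARC1)")
    if "p" not in tags:
        raise ValueError("DMARC record has no p= tag")
    return tags


def grade_dmarc(record: str) -> list:
    """Return findings that keep the record from blocking spoofed mail.

    An empty list means: p=reject applied to 100% of failing mail, subdomains
    covered, and aggregate reports collected.
    """
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return [f"invalid: {exc}"]

    findings = []
    policy = tags["p"].lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofs to junk; p=reject blocks them")
    elif policy != "reject":
        findings.append(f"unknown policy p={policy!r}")

    # pct= defaults to 100; anything lower applies the policy to a sample only.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        findings.append(f"invalid pct={pct!r}")
    elif int(pct) < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail is subject to the policy")

    # sp= governs subdomains and inherits p= when absent.
    subdomain_policy = tags.get("sp", policy).lower()
    if subdomain_policy != "reject":
        findings.append(f"sp={subdomain_policy}: mail from subdomains can still be spoofed")

    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    return findings


def fetch_dmarc(domain: str) -> str:
    """Look up the live record for a domain. Needs the dnspython package (assumption:
    not part of the standard library); everything else in this file runs offline."""
    import dns.resolver  # lazy import so the offline parts never need it

    answers = dns.resolver.resolve(f"_dmarc.{domain}", "TXT")
    for rdata in answers:
        text = b"".join(rdata.strings).decode()
        if text.startswith("v=DMARC1"):
            return text
    raise LookupError(f"no DMARC record at _dmarc.{domain}")


if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        print(f"{name:13s} {grade_dmarc(record) or ['OK: enforcing']}")
```

Run it against your own domain with `grade_dmarc(fetch_dmarc("example.com"))` once dnspython is installed; the "partial" sample is the shape most often mistaken for enforcement, a reject policy that applies to 10% of failing mail and not to subdomains at all.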

MITRE Techniques

  • [T1078] Valid Accounts – Use of compromised or legitimate credentials to appear as a legitimate user; the post notes: ‘Account Take Over (ATO) gives cyberattackers the appearance of a legitimate persona with seemingly valid historical activity.’
  • [T1566] Phishing – Initial access via email or web pages that deliver malicious content or credential prompts; the post notes: ‘The vast majority of cyberattacks begin with email messages or web pages.’
  • [T1021] Remote Services (Lateral Movement) – Movement across systems that segmentation and host-based firewalls aim to prevent; the post advises to ‘prevent lateral movement between workstations’ and ‘Force that traffic through a jump box instead.’
  • [T1498] Network Denial of Service – Attacks that exploit weak DNS and routing to cause DDoS conditions; the post notes: ‘Non-secure DNS also leaves organizations more vulnerable to distributed denial of service (DDoS) attacks’.

Indicators of Compromise (indicator classes discussed in the post; no specific values are given)

  • [IP addresses] Blocking and filtering public-facing access – Tor node IPs and country-specific IP blocks (examples of IP-based filtering to reduce the attack surface).
  • [Autonomous System Numbers (ASNs)] Identifying malicious infrastructure – known-bad ASNs used by threat actors, and ASNs flagged for suspicious outbound traffic.
  • [DNS records/domains] Detection of spoofing and malicious redirectors – spoofed email domains and malicious domains identified by DNS filtering.
  • [Email sender addresses] Phishing and spoofing context – unauthorized or unauthenticated senders caught by DMARC enforcement, and senders relayed through misconfigured SMTP servers.
  • [User accounts] Account takeover and credential compromise context – compromised human and service accounts used for unauthorized access.
  • [Device/browser fingerprints] Identifiers for detecting fraud and anomalous access – machine-specific identifiers and browser fingerprints used to correlate and flag suspicious sessions.
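The last two indicator classes above (user accounts and device/browser fingerprints), together with the ASN class, only become detections once they are used as correlation keys over authentication events. The following added example (not code from the Microsoft post) runs three such correlations over constructed login records: one device fingerprint cycling through many accounts (credential stuffing or a borrowed machine), one account appearing on many fingerprints and networks in a short window (account takeover or proxy rotation), and any login from an ASN on a block list. The log format, field names, windows, thresholds and the bad-ASN list are all assumptions made for the example; the ASNs are from the RFC 5398 documentation range.

```python
"""Fingerprint/ASN correlation over login events (added example, not Microsoft's code)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one JSON event per line, as an auth gateway might emit.
# fp = device/browser fingerprint hash; asn = origin autonomous system.
SAMPLE_LOG = """
{"ts": "2025-12-04T09:00:00Z", "user": "alice", "fp": "fp-7a1c", "asn": 64496, "ip": "203.0.113.10",  "result": "success"}
{"ts": "2025-12-04T09:02:00Z", "user": "bob",   "fp": "fp-7a1c", "asn": 64496, "ip": "203.0.113.10",  "result": "success"}
{"ts": "2025-12-04T09:03:00Z", "user": "carol", "fp": "fp-7a1c", "asn": 64496, "ip": "203.0.113.10",  "result": "success"}
{"ts": "2025-12-04T09:04:00Z", "user": "dave",  "fp": "fp-7a1c", "asn": 64496, "ip": "203.0.113.10",  "result": "failure"}
{"ts": "2025-12-04T10:00:00Z", "user": "erin",  "fp": "fp-11aa", "asn": 64497, "ip": "198.51.100.7",  "result": "success"}
{"ts": "2025-12-04T10:05:00Z", "user": "erin",  "fp": "fp-22bb", "asn": 64498, "ip": "198.51.100.99", "result": "success"}
{"ts": "2025-12-04T10:09:00Z", "user": "erin",  "fp": "fp-33cc", "asn": 64499, "ip": "192.0.2.44",    "result": "success"}
{"ts": "2025-12-04T11:00:00Z", "user": "frank", "fp": "fp-f00d", "asn": 64496, "ip": "203.0.113.200", "result": "success"}
{"ts": "2025-12-04T11:30:00Z", "user": "frank", "fp": "fp-f00d", "asn": 64496, "ip": "203.0.113.200", "result": "success"}
"""

# Assumed block list, e.g. fed from shared threat intelligence.
BAD_ASNS = {64499}


def parse_events(text: str) -> list:
    """Parse JSON lines into dicts with a datetime 'ts', sorted chronologically."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def distinct_within_window(events, group_key, count_key, window, threshold) -> dict:
    """Group events by group_key; flag a group the first time at least `threshold`
    distinct count_key values fall inside a trailing window of length `window`.

    Returns {group value: set of distinct count_key values at the time of the hit}.
    Both successes and failures count: a stuffing run is mostly failures.
    """
    groups = defaultdict(list)
    for event in events:            # events are already sorted, so each group is too
        groups[event[group_key]].append(event)

    hits = {}
    for group_value, group_events in groups.items():
        for i, anchor in enumerate(group_events):
            seen = {e[count_key] for e in group_events[: i + 1]
                    if anchor["ts"] - e["ts"] <= window}
            if len(seen) >= threshold:
                hits[group_value] = seen
                break
    return hits


def shared_device(events) -> dict:
    """One fingerprint, >= 3 distinct users within 10 minutes: borrowed machine or stuffing."""
    return distinct_within_window(events, "fp", "user", timedelta(minutes=10), 3)


def account_hopping(events) -> dict:
    """One user, >= 3 distinct fingerprints within 15 minutes: ATO or proxy rotation."""
    return distinct_within_window(events, "user", "fp", timedelta(minutes=15), 3)


def from_bad_asn(events, bad_asns=BAD_ASNS) -> list:
    """Any login from a block-listed ASN, as (user, ip, asn)."""
    return [(e["user"], e["ip"], e["asn"]) for e in events if e["asn"] in bad_asns]


def run_detections(text: str) -> dict:
    events = parse_events(text)
    return {
        "shared_device": shared_device(events),
        "account_hopping": account_hopping(events),
        "bad_asn": from_bad_asn(events),
    }


if __name__ == "__main__":
    for name, result in run_detections(SAMPLE_LOG).items():
        print(f"{name:16s} {result}")
```

Note what each key buys you: the fingerprint rule catches the first run even though every login used a different account and the IP alone is unremarkable, the per-user rule catches erin's session although each individual login succeeded, and the ASN rule is only as good as the shared list that feeds it, which is the collaboration point the post closes on.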

Read more: https://www.microsoft.com/en-us/security/blog/2025/12/04/cybersecurity-strategies-to-prioritize-now/