
Next-Gen Cybersecurity
The Defendable Network is a modern, integrated cybersecurity framework designed by CyberOne to address the realities of today’s threat landscape.
By integrating the most effective elements of established security frameworks—including NIST CSF, CIS Controls, ISO/IEC 27002, MITRE ATT&CK, and Zero Trust architectures—with the latest advancements in security controls, The Defendable Network provides organizations with a practical, adaptable, and defendable approach to cyber risk management.
The Evolving Cybersecurity Landscape
The cybersecurity landscape has undergone a dramatic transformation in recent years. The proliferation of cloud computing, SaaS adoption, remote work, and increasingly sophisticated adversaries has rendered traditional perimeter-based security models obsolete.
Organizations now face a complex array of threats, regulatory requirements, and operational challenges that demand a new approach to defense—one that is both comprehensive and adaptable. The Defendable Network was conceived in response to these challenges. Drawing inspiration from leading global frameworks and real-world attack data, it distills the complexity of modern cybersecurity into a set of actionable, prioritized capabilities.
Unlike compliance-driven checklists, The Defendable Network is engineered to provide real-world defense against targeted attacks from nation-states, criminal organizations, and other advanced threat actors. Its design is rooted in the recognition that security must be dynamic, risk-driven, and integrated across all layers of the organization. Overall, this framework is about defending against attacks rather than about achieving compliance.


Strategic Cyber Defense
The goal of the Defendable Network is to protect critical assets and information by creating an Information Technology infrastructure capable of being protected against attack and disruption. This is done by minimizing the attack surface, blocking known threats, and restricting lateral movement of attackers while providing continuous, automated monitoring of the infrastructure.
Following our framework will dramatically reduce compromises, minimize the time required for recovery efforts, and lower associated costs for a given level of security.
This approach cost-effectively improves security because it allows organizations to prioritize efforts based on budget and available resources. Our prioritized roadmap considers factors such as security impact, change to the user experience or business approach, budget, implementation effort, and operational cost.
Very few of the security frameworks consider these commonsense requirements. We don’t believe in product roadmaps, but instead focus on improving security capability that includes process, configuration, and technical controls.
A Dynamic Framework in an Evolving Space
The Defendable Network is an ever-progressing framework updated regularly based on:
- Changing tactics, techniques, and procedures (TTPs) of attackers
- Shifts in the technology landscape that allow new security capabilities to be added
- CyberOne's experience with real-world customer engagements and penetration testing
- Customer feedback and suggestions
- Regular review of other industry leading frameworks
The result is a solid, prioritized program for making fundamental computer security defenses a well-understood, repeatable, measurable, and consistent process. The Defendable Network applies to many kinds of attackers, such as malicious internal employees, contractors, individual external actors (hacktivists), organized crime groups (cybercriminals), terrorists, and nation-state actors.
Although our approach will block the vast majority of initial system compromises, nothing will block all attacks. Just as much effort should be applied to detecting already-compromised machines and preventing or disrupting attackers’ follow-on actions. Much of the Defendable Network is dedicated to reducing the initial attack surface by hardening security, rapidly identifying compromises, restricting lateral movement, and providing comprehensive infrastructure visibility for detection/remediation.


Areas of Focus
The core capabilities of the Defendable Network can be summarized into 4 broad categories. These categories are interdependent. For example, an organization that allows users to have local administrator rights, very permissive Internet browsing, and the right to install any desired applications will have more security events.
Restricting lateral movement of attackers would become more important, and we would recommend additional network segmentation of critical assets. We would also strongly suggest additional technical controls to add infrastructure visibility to enable faster detection and more efficient response/remediation. We have created a list of 35 Cyber Defense Capabilities for protection against advanced persistent threats and repeated attacks.
- Prevent and Protect – Reduce the Risk of Initial Compromise and Disruption
  - Minimize the attack surface as much as possible without impacting business operations and user productivity.
  - Block known threats to reduce the amount of reactive time spent on security.
- Protect Critical Assets and Information by Restricting Lateral Movement of Attackers
  - Use network segmentation to protect critical assets from internal users, contractors, and guests.
  - Monitor use of privileged accounts, especially Windows domain administrator accounts.
  - Implement pass-the-hash protection for Windows desktops and servers.
- Monitor Infrastructure to Gain the Visibility Needed for Breach Detection and Response to Incidents, Data Exfiltration, and/or Illicit Transactions
  - Provide visibility for both network and endpoints to investigate the attack and detect lateral movement.
- Commitment to Security Governance – the foundation for building a security program. The policies, processes, and resource commitments are critical to consistent success.
Our Methodology
Core Cyber-Defense Capabilities
- Reduce the Risk of Initial Compromise.
  - Minimize Attack Surface
    - Visibility and/or Control of Applications. Complete visibility of assets, applications, and identities via multiple platforms and analysis to identify missing coverage, exceptions, and exposures.
    - Secure Remote Access Communications, Exceptions, and Privileged Accounts. Restrict the ability of remote attackers to connect as a node on the network.
      - Perimeter and critical networks require two-factor authentication to prevent stolen passwords from being used to access critical networks.
      - Eliminate direct VPN connections and adopt a Zero Trust approach, publishing individual applications or services based on an authenticated and authorized identity.
      - Identify suspicious patterns based on identity activity or remote connectivity.
      - Review non-human identities and service accounts and restrict access to continuously authenticated users.
      - When a user is about to perform a privileged action or access a sensitive information repository, require continuous authentication and multi-factor access on a Zero Trust basis.
    - Vulnerability Management. Use scanning tools to identify assets on the network and to understand the overall risk of the systems. Patch operating systems and applications that are easily exploitable.
      - Maintain a continuously updated, business-context-rich asset inventory so you always know what you own, where it lives, and how critical it is—because you can't secure what you can't see.
      - Prioritize and close high-risk vulnerabilities within defined SLAs using risk scoring (CVSS + exploitability + asset criticality), and enforce rapid remediation or compensating controls to keep real-world exposure low.
    - Secure Servers, Workstations, and Applications. Security controls for systems on the network can prevent a great number of known attacks.
      - Reduce susceptibility to exploits by enabling operating system exploit mitigation mechanisms such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR).
      - Use computer configuration management based on a hardened Standard Operating Environment with unrequired operating system functionality disabled.
      - Harden server application security configurations, e.g. databases, web applications, customer relationship management, and other data storage systems.
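The vulnerability-management items above call for risk scoring that combines CVSS, exploitability and asset criticality, and for closing findings within defined SLAs. The following is an added example of that prioritization, written for this page and not CyberOne's own tooling: the weights, the P1 to P4 tiers, the SLA table and the sample findings (with placeholder VULN-* identifiers) are all assumptions chosen to show how a high CVSS score on a low-value kiosk can legitimately rank below a lower-scored but actively exploited flaw on a critical database.

```python
"""Risk-based vulnerability prioritization with remediation SLAs.

Added example, not CyberOne's code. The score weights, the priority
tiers and the SLA table are assumptions made for illustration; the
inputs are the three factors the framework says to combine: CVSS,
exploitability and asset criticality from the asset inventory.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed SLA policy: calendar days allowed to remediate each tier.
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}

# Assumed multipliers for the asset's criticality tier in the inventory.
CRITICALITY_WEIGHT = {"critical": 1.5, "high": 1.25, "medium": 1.0, "low": 0.75}


@dataclass
class Finding:
    asset: str
    vuln_id: str          # placeholder identifiers in the sample data below
    cvss: float           # CVSS base score, 0.0 to 10.0
    exploited: bool       # exploitation observed in the wild
    exploit_public: bool  # public exploit code available
    criticality: str      # inventory tier: critical / high / medium / low
    internet_facing: bool


def risk_score(f: Finding) -> float:
    """Combine CVSS, exploitability and asset criticality into one score (assumed weights)."""
    score = f.cvss
    if f.exploited:
        score += 3.0          # active exploitation is the strongest signal
    elif f.exploit_public:
        score += 1.5
    if f.internet_facing:
        score += 1.0
    score *= CRITICALITY_WEIGHT[f.criticality]
    return round(min(score, 20.0), 2)


def tier(score: float) -> str:
    """Map a score onto the assumed priority tiers."""
    if score >= 12.0:
        return "P1"
    if score >= 9.0:
        return "P2"
    if score >= 6.0:
        return "P3"
    return "P4"


def prioritize(findings, found_on: date) -> list:
    """Return findings ordered by risk, each with its tier and SLA due date."""
    rows = []
    for f in findings:
        s = risk_score(f)
        t = tier(s)
        rows.append({"asset": f.asset, "vuln_id": f.vuln_id, "score": s,
                     "tier": t, "due": found_on + timedelta(days=SLA_DAYS[t])})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def overdue(rows: list, today: date) -> list:
    """Findings whose SLA has lapsed and now need remediation or a compensating control."""
    return [r for r in rows if r["due"] < today]


# Constructed sample findings; the VULN-* ids are placeholders, not real CVEs.
SAMPLE_FINDINGS = [
    Finding("erp-db-01", "VULN-0001", 7.5, True, True, "critical", False),
    Finding("www-edge-02", "VULN-0002", 9.8, False, False, "high", True),
    Finding("kiosk-07", "VULN-0003", 9.8, False, False, "low", False),
    Finding("hr-fs-01", "VULN-0004", 5.3, False, True, "medium", False),
    Finding("lab-vm-12", "VULN-0005", 4.0, False, False, "low", False),
]
SCAN_DATE = date(2024, 1, 1)  # constructed scan date


def report(today: date = date(2024, 2, 1)) -> dict:
    """Rank the sample findings and list the ones past their SLA as of `today`."""
    rows = prioritize(SAMPLE_FINDINGS, SCAN_DATE)
    return {"ranked": rows, "overdue": overdue(rows, today)}


if __name__ == "__main__":
    for r in report()["ranked"]:
        print(f'{r["tier"]} {r["score"]:>6} {r["asset"]:<12} due {r["due"]}')
```

The overdue list is the input to the "remediate or apply a compensating control" decision; in practice the weights and SLA days would come from the organization's own risk policy rather than the constants assumed here.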
  - Block Known Threats
    - Use a firewall (Internet and Web) and avoid PCs directly accessing the Internet without a web proxy. Use a border gateway with an IPv6-capable firewall to prevent computers from directly accessing the Internet except via a split DNS server, an email server, or an authenticated web proxy. Periodically verify and document that firewall rules and access control lists are working properly.
    - Perform Network Detection and Response (NDR). Network-based monitoring of remote, local, cloud, and IoT devices for anomalous traffic, both internally and crossing network perimeter boundaries.
    - Block Untrusted Executables across all systems. Perform continuous review of every executable and DLL within the environment and create a whitelist to restrict unknown attacks. Perform proactive security evaluation of SaaS and interactive sites; users should not have unrestricted access to the Internet with the ability to download programs. Use the proxy to monitor for and detect unauthorized activity. Enable dynamic categorization of websites.
    - Protect External Web Applications. To protect against the flurry of web-based attacks, an application firewall that includes DDoS, API, and bot protection is needed for externally facing applications.
    - Use Application-Based Host Firewalls. An application-based workstation firewall, configured to deny traffic by default, to protect against malicious or otherwise unauthorized incoming network traffic (low user impact). An application-based workstation firewall, configured to deny traffic by default, that whitelists which applications are allowed to generate outgoing network traffic (medium user impact).
    - Email Security. Whitelist email content filtering, allowing only the attachment types required for business functionality. Harden email and web gateways with anti-phishing, DMARC/DKIM/SPF, and sandbox detonation to block the most common initial access vectors.
    - Block Drive-by, Watering-hole, and Multi-vector Web Attacks. Use a non-persistent, virtualized, trusted operating environment with limited access to network file shares for risky activities such as reading email and web browsing. Otherwise, use virtualized execution engines to evaluate browser-based exploits.
    - Use Antivirus software with up-to-date signatures, reputation ratings, and other heuristic detection capabilities. Use gateway and desktop antivirus software from different vendors.
- Restrict Lateral Movement of Attackers
  - Architect the Network to Protect Important Assets. Review the current network architecture and design in order to segment systems based on criticality, role, and traffic flow within the organization.
  - Service Accounts. Review accounts for privilege creep. Change passwords frequently. Do not embed credentials in scripts. Minimize interactive logins – the logon type should be appropriate to the account. Restrict login to only the required hosts. Reduce the number of domain-wide service accounts.
  - Minimize Local Admin Privileges. Minimize the number of users with local administrative privileges (or implement application control). Such users should use a separate unprivileged account for email and web browsing. Use random local administrator passphrases that are unique and complex for all computers, and remove the ability of local administrator accounts to log in over the network. Use domain group privileges instead of local administrator accounts.
  - Protect Windows Credentials from Being Stolen or Misused.
    - Domain Administrator accounts should not log in to any system other than domain controllers. Exceptions should be handled through the creation of temporary accounts that are removed after completing the intended task, or through the use of designated management machines that are not Internet-connected. Domain Administrators should also avoid using tools that require interactive logons (e.g., remote desktop) and should instead use remote console tools. As few people as possible should have privileged credentials.
    - Restrict the use of the SeDebugPrivilege privilege to those users who actually need it. This privilege can be used to perform DLL injection, a technique used by the majority of pass-the-hash tools and other malware. By default it is assigned to the Administrators group, but it should be restricted further than this. Create a specific debug user and assign this account the right to use the privilege; invoke it via the “run as” command, thereby gaining only temporary privilege escalation.
    - Change the number of cached credentials stored by Windows to “0” for everything but mobile devices (e.g., laptops). This reduces the number of credentials at risk of being stolen and cracked, but may prevent domain logins when a domain controller is not available (local user accounts can still be used). Mobile devices should reduce the number of cached credentials to as few as possible (e.g., 1 or 2). Mobile devices will still require cached credentials, because mobile device users are likely to log in when a domain controller is unavailable (e.g., working outside the office).
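The two settings just described (who holds SeDebugPrivilege, and how many logons Windows caches) can both be checked from exported configuration rather than by hand. The script below is an added example written for this page, not a CyberOne tool: it parses the `[Privilege Rights]` section of a `secedit /export /cfg <file> /areas USER_RIGHTS` export and the `CachedLogonsCount` value from a `.reg` export of the `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon` key, then reports deviations from the targets stated above (0 cached logons for desktops and servers, at most 2 for laptops, and no SeDebugPrivilege for the built-in Administrators group). The sample exports are constructed, and the domain SID in the laptop sample is made up.

```python
"""Audit SeDebugPrivilege holders and CachedLogonsCount from exported config.

Added example, not CyberOne's code. Input is text from `secedit /export`
(the .inf [Privilege Rights] section) and from a .reg export of the
Winlogon key; the sample exports below are constructed.
"""
import re

ADMINISTRATORS_SID = "S-1-5-32-544"   # well-known SID for BUILTIN\Administrators
DEFAULT_CACHED_LOGONS = 10            # Windows default when the value is not set
# Targets taken from the text: 0 for desktops and servers, 1-2 for mobile devices.
MAX_CACHED_LOGONS = {"desktop": 0, "server": 0, "laptop": 2}


def parse_privilege_rights(inf_text: str) -> dict:
    """Return {privilege: [SID or account, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            # secedit prefixes SIDs with '*'; unresolved names appear without it
            rights[name.strip()] = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
    return rights


def parse_cached_logons(reg_text: str) -> int:
    """CachedLogonsCount is a REG_SZ under the Winlogon key; absent means the default."""
    m = re.search(r'^"CachedLogonsCount"="(\d+)"$', reg_text, re.MULTILINE)
    return int(m.group(1)) if m else DEFAULT_CACHED_LOGONS


def audit(host: str, role: str, inf_text: str, reg_text: str) -> list:
    """Return the deviations from the recommended settings (empty list = compliant)."""
    findings = []
    holders = parse_privilege_rights(inf_text).get("SeDebugPrivilege", [])
    if ADMINISTRATORS_SID in holders:
        findings.append(f"{host}: SeDebugPrivilege is held by BUILTIN\\Administrators; "
                        "restrict it to a dedicated debug account")
    cached = parse_cached_logons(reg_text)
    limit = MAX_CACHED_LOGONS[role]
    if cached > limit:
        findings.append(f"{host}: CachedLogonsCount={cached}, target for a {role} is <= {limit}")
    return findings


# Constructed sample: a desktop still on Windows defaults.
DESKTOP_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
[Version]
signature="$CHICAGO$"
Revision=1
"""
DESKTOP_REG = """\
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]
"CachedLogonsCount"="10"
"""

# Constructed sample: a laptop hardened as the text recommends (made-up domain SID
# standing in for the dedicated debug account).
LAPTOP_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeDebugPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1105
[Version]
signature="$CHICAGO$"
Revision=1
"""
LAPTOP_REG = DESKTOP_REG.replace('"10"', '"2"')


def sample_results() -> dict:
    """Audit both constructed hosts; the desktop fails twice, the laptop passes."""
    return {"desktop": audit("ws-001", "desktop", DESKTOP_INF, DESKTOP_REG),
            "laptop": audit("lt-042", "laptop", LAPTOP_INF, LAPTOP_REG)}


if __name__ == "__main__":
    for host, findings in sample_results().items():
        print(host, findings or ["compliant"])
```

When running this against real exports, open the files with `encoding="utf-16"`, since both `secedit` and registry exports are written as UTF-16 text; the parser itself only sees decoded strings.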
- Monitor Infrastructure to Give the Visibility Needed for Quick Detection and Response to Incidents, Data Exfiltration, and/or Illicit Transactions.
  - Utilize a SIEM for log management and correlation of suspicious events. Collect log data from the proxy, DHCP, and DNS (where possible) to perform forensic analysis when needed, including:
    - Successful and failed computer events
    - Allowed and blocked network activity
  - Detect Threats from Legitimate Credentials. Detect threats posed by suspicious activities on critical applications and systems. Remove excessive access privileges. Detect fraudulent transactions by profiling normal user and peer-group behavior.
  - Perform Network Forensic Monitoring. Capture full network traffic to analyze threat intelligence and indicators of compromise against network traffic. Use it to investigate suspicious activity and to perform post-incident analysis of successful intrusions. Store network traffic for at least the previous 21 days (45 days if you are a high-risk target).
  - Host Visibility into Malicious Behavior. Implement client software to identify anomalous behavior such as process injection, keystroke logging, driver loading, and call hooking. At a minimum, the organization should be able to track executable software across the enterprise.
  - Mobile Device Protection. Email gateways (OWA) using ActiveSync are targeted by attackers since their logs are rarely reviewed. Brute-forcing and syncing of executives' email accounts is a common activity. Device management and restriction of access to ActiveSync are essential to cyber defense.
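The SIEM item above (correlating successful and failed events) and the Mobile Device Protection item (brute-forcing of OWA/ActiveSync accounts whose logs go unreviewed) point at the same detection: repeated authentication failures followed by a success, and one address failing against many accounts. The following is an added example of that correlation logic, written for this page and not taken from CyberOne or any SIEM product. Its log format is a constructed, simplified one (`<time> <client ip> <account> <path> <status>`), not real IIS or Exchange output, the IP addresses are documentation ranges, and the window and thresholds are assumptions to be tuned per environment.

```python
"""Correlate authentication events from an OWA/ActiveSync gateway log.

Added example, not CyberOne's code. Log format, sample lines and
thresholds are constructed for illustration. Rule 1 flags a burst of
failures for one account followed by a success from the same address;
rule 2 flags one address failing against many distinct accounts.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: ISO-8601 time, client IP, account, URL path, HTTP status.
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

SAMPLE_LOG = """\
2024-03-04T02:10:01Z 203.0.113.7 cfo /Microsoft-Server-ActiveSync 401
2024-03-04T02:10:09Z 203.0.113.7 cfo /Microsoft-Server-ActiveSync 401
2024-03-04T02:10:20Z 203.0.113.7 cfo /Microsoft-Server-ActiveSync 401
2024-03-04T02:11:02Z 203.0.113.7 cfo /Microsoft-Server-ActiveSync 401
2024-03-04T02:11:45Z 203.0.113.7 cfo /Microsoft-Server-ActiveSync 401
2024-03-04T02:12:30Z 203.0.113.7 cfo /Microsoft-Server-ActiveSync 200
2024-03-04T02:12:31Z 198.51.100.5 alice /owa/ 200
2024-03-04T02:20:00Z 203.0.113.9 alice /owa/auth.owa 401
2024-03-04T02:20:03Z 203.0.113.9 bob /owa/auth.owa 401
2024-03-04T02:20:06Z 203.0.113.9 carol /owa/auth.owa 401
2024-03-04T02:20:09Z 203.0.113.9 dave /owa/auth.owa 401
2024-03-04T02:20:12Z 203.0.113.9 erin /owa/auth.owa 401
2024-03-04T03:05:00Z 198.51.100.5 alice /owa/ 401
2024-03-04T03:05:30Z 198.51.100.5 alice /owa/ 200
"""


def parse_log(text: str) -> list:
    """Parse lines into event dicts, skipping anything that does not match the format."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, ip, user, path, status = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "ip": ip, "user": user, "path": path, "status": int(status)})
    return sorted(events, key=lambda e: e["ts"])


def detect(events: list, window=timedelta(minutes=10), min_failures=5, min_accounts=4) -> list:
    """Apply both correlation rules and return the alerts raised (assumed thresholds)."""
    alerts = []

    # Rule 1: >= min_failures 401s for the same (ip, account) inside the window, then a 200.
    failures = defaultdict(list)          # (ip, account) -> timestamps of recent 401s
    for e in events:
        key = (e["ip"], e["user"])
        recent = [t for t in failures[key] if e["ts"] - t <= window]
        failures[key] = recent
        if e["status"] == 401:
            recent.append(e["ts"])
        elif e["status"] == 200 and len(recent) >= min_failures:
            alerts.append({"rule": "failures_then_success", "ip": e["ip"],
                           "account": e["user"], "failures": len(recent), "at": e["ts"]})
            failures[key] = []            # do not re-alert on the same burst

    # Rule 2: one ip with 401s against >= min_accounts distinct accounts inside the window.
    by_ip = defaultdict(list)
    for e in events:
        if e["status"] == 401:
            by_ip[e["ip"]].append(e)
    for ip, evs in by_ip.items():
        for i, start in enumerate(evs):
            accounts = {x["user"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(accounts) >= min_accounts:
                alerts.append({"rule": "password_spray", "ip": ip,
                               "accounts": sorted(accounts), "at": start["ts"]})
                break                     # one alert per source address

    return alerts


def sample_alerts() -> list:
    """Run both rules over the constructed log; expect one alert of each kind."""
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for a in sample_alerts():
        print(a)
```

A single failed logon followed by a success (the `alice` lines at 03:05) is left alone, which is the point of correlating counts within a window rather than alerting on individual 401s; the success after five failures against the `cfo` mailbox is what the text describes as the attack worth reviewing.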
- Security Governance
  - Commitment to Defending Organizational IT Assets from Attack. The most important aspect of an effective security program is executive alignment and commitment to defending the IT assets from external and internal threats.
  - Identify Critical Assets. Manage assets within the organization to effectively protect against and respond to compromise. Identify your most critical information, people, and transactions that would make you a specific target of interest. Ensure these people and systems are given the highest priority for all hardening and monitoring activities. Designate a business and IT point of contact for each.
  - Incident Response Planning. Create a repeatable incident response process to resolve incidents with the least amount of time and business disruption.
    - Ensure you have an IR plan and an IR team structure with defined responsibilities. Test your IR plan. The security team should verify that each administrator login event is required. Implement a set of accounts designed for use during an incident response (these accounts are normally disabled).
    - Use anonymous Internet access for reviewing potential threats (Tor, 4G wireless, anonymous VPN).
    - Create secure mechanisms to investigate suspicious Internet activity and to communicate in the event that internal systems are compromised. Encrypt email communications and have a secondary method of communicating, such as cell phones or personal email (Gmail with 2FA).
  - User Awareness. Employees are typically the target of most attacks; provide training so they understand data classification, malicious emails, and the benefits of reporting suspicious activity and incidents.
  - Simulated Phishing Campaigns. As part of user awareness, simulate phishing campaigns to train users to detect and report malicious emails.
  - Devise Metrics on the Operations of the Security Organization. Tracking metrics will provide evidence of the value of the program and of the level of risk for the organization.
  - Control Access. Identity and access management software helps organizations gain visibility and control of who has access to which applications and data in their enterprise. Automate key activities across the identity and access management lifecycle.
  - Redundant or Unnecessary Security Tools. On a periodic basis the organization should review existing security tools and evaluate current maintenance and administrative costs. Tools that are not providing a business benefit should be candidates for elimination. This saves operating expense and simplifies the infrastructure.