Black Hat's Guide 2 NOT Getting Hacked
A True Approach to Cyber Resiliency · From Zero to Automation
Disclaimer & Intro
This post has been made as my notes from a "dark" talk I have been running. Even though I attempt to explain what I have setup/built/done and how, I do not owe anyone any explanation. Do NOT expect anything.
My blog is my garden.
WARNING: This machine has no brain, use your own.
The masses will impulsively state most of what follows is a bad idea. And yet they keep getting hacked — badly. Get a lawyer as soon as possible, don't become what you are defending against, and remember that Security/Resiliency is an Engineering problem, not a GRC problem. Believe what you want. I can't change your beliefs.
The Real Job
Let's cut through the noise: if your security program is built to pass audits, you do not have a security program. You have a PDF factory.
Security is about keeping them out. Resiliency is about fighting through. Two different disciplines. Most orgs can barely spell the first one. MITRE's CREF (Cyber Resiliency Engineering Framework) puts the second one on paper — Anticipate | Withstand | Recover | Adapt. Four pillars. Four separate engineering programs. Most orgs run zero of them.
This post is the long-form version of my talk. If you are an engineer or IT Head / CISO, this is the checklist I actually run against my own infra and my clients/friends. Nothing here is theoretical. All of it has been stress-tested against real adversaries, cheap EDRs, and people who refuse to read.
Segmentation (Yes, Down to the Laptop/Desktop/NIC)
VLANs are not segmentation. I'll say it louder for the network architects at the back.
Segment your network up to the Laptop/Desktop Level. Yes, I mean it. Small static subnets (keep them at /24 or smaller), dynamic IP allocation for endpoints, private VLANs enforced at the switch. Why is your HR system talking to a dev machine? Why is marketing's VLAN reachable from a prod DB? If you can't answer those questions in 10 seconds, your segmentation is theater.
The minimum viable list I run against every environment:
- Host firewall: deny by default. Yes, you can do this on macOS with pf/socketfilterfw. Yes, Windows Defender Firewall can also do this properly. Stop crying.
- CIS benchmarks at 80%+ across every server, application and endpoint. If you can't hit 80%, your baseline is wishful thinking.
- Default encryption of EVERYTHING. Disks, network, logs, backups. Don't ask.
- AWS? SCP + RCP + NACL + SG. S3 buckets in Governance mode where appropriate, Compliance mode where needed.
- Microsegmentation at the workload level — identity-enforced, not IP-enforced. Otherwise a compromised JIRA server on the same VLAN as your CI runner is a 15-minute lateral movement demo.
Attack surface isn't reduced by policy. It's reduced by rm -rf.
Geofencing (aka Whitelisting is the Only Game)
Blacklisting is a dead discipline. Stop maintaining deny lists like it's 2008.
If your business operates in India/APAC, your perimeter should accept traffic from India/APAC. Period. Heavily avoid China, North Korea, Pakistan, and yes — even the USA. Every SaaS provider worth paying for supports IP whitelisting or geofencing. If they don't, pick a different vendor. That's it.
- Rotate critical access keys every 30 days, the rest every 90 days — automation, not a calendar reminder.
- APIs should be IP-whitelisted AND geofenced. Both. Same rule as SaaS.
- Certain sites cannot be trusted even in sandboxes or on CXO systems. Reddit. Twitter. Random GitHub gists from accounts created yesterday. NO EXCEPTIONS.
- And for the love of everything: REMEMBER USA IS APT-0 / Equation Group. If your firewall, your EDR, your SIEM, and your cloud provider are all US-based, you have optimized your architecture for American intelligence collection. That is not an accident. That is the product.
You do not need to be paranoid. You need to be accurate.
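The two automatable rules from the list above, a deny-by-default perimeter allowlist and the 30/90-day key rotation check, as an added example in Python. This is not code from the original post; the CIDR ranges, labels, key IDs and dates are constructed sample values, and in a real deployment the allowlist would be generated from your geo-IP feed rather than typed by hand.

```python
"""Added example (not from the original post): deny-by-default perimeter
allowlisting plus a key-age check for the 30-day (critical) / 90-day
(everything else) rotation rule. All CIDRs, key IDs and dates are constructed."""
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed allowlist. Anything not listed here is denied; there is no deny list.
ALLOWLIST = {
    "corp-office-IN": ip_network("203.0.113.0/24"),
    "apac-saas-egress": ip_network("198.51.100.0/25"),
    "api-partner-v6": ip_network("2001:db8:abcd::/48"),
}


def perimeter_decision(src_ip):
    """Return (allowed, reason). Unparseable or unlisted sources are denied."""
    try:
        addr = ip_address(src_ip)
    except ValueError:
        return False, "unparseable source address"
    for label, net in ALLOWLIST.items():
        if addr in net:
            return True, f"matched allowlist entry {label}"
    return False, "no allowlist match (default deny)"


# Rotation thresholds in days, per key tier.
ROTATION_DAYS = {"critical": 30, "standard": 90}


def keys_due_for_rotation(keys, today):
    """keys: iterable of (key_id, tier, created_date). Returns ids whose age
    has reached the tier's threshold, so automation can rotate them."""
    overdue = []
    for key_id, tier, created in keys:
        age_days = (today - created).days
        if age_days >= ROTATION_DAYS[tier]:
            overdue.append(key_id)
    return overdue


# Constructed inventory: (key id, tier, creation date).
SAMPLE_KEYS = [
    ("deploy-key-prod-01", "critical", date(2026, 1, 1)),
    ("svc-reporting-ro", "standard", date(2025, 11, 1)),
    ("svc-fresh-token", "standard", date(2026, 2, 20)),
]


def sample_rotation_report(today=date(2026, 3, 1)):
    """Run the rotation check over the constructed inventory for a fixed date."""
    return keys_due_for_rotation(SAMPLE_KEYS, today)


if __name__ == "__main__":
    for ip in ("203.0.113.7", "192.0.2.1", "2001:db8:abcd::5", "not-an-ip"):
        print(ip, perimeter_decision(ip))
    print("rotate now:", sample_rotation_report())
```

The decision function returns the matched entry label so the denial log carries the reason, not just a drop count; the rotation check is meant to run from a scheduler and feed the rotation job directly, which is the "automation, not a calendar reminder" point.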
VPN / Remote Work
Controversial take: do not allow remote work for everyone.
Some functions should not leave the office network. Finance. M&A. Source code with IP. If the laptop is on a hotel Wi-Fi in Bangkok, you are now in the threat model of three intelligence services and four script kiddies. Accept it or limit it.
The list:
- Wireguard over OpenVPN. Modern crypto, smaller attack surface, faster, simpler. If you're still running OpenVPN in 2026 because your vendor hasn't caught up, fire your vendor.
- Host Checker ON. Disallow unknown MAC addresses or hostnames. Enforce disk encryption, EDR running, OS patched. If the endpoint can't prove it, it doesn't connect.
- NAC + VPN integration. These are actually pretty cool when you wire them right. A compromised endpoint can be pushed to VLAN 666 (Quarantine) automatically.
- MFA after 1 hour, every time. Even for SSO'd VPN. NO EXCEPTIONS. Yes people will complain. They'll get over it.
- All VPN traffic must be treated as hostile / untrust. Zero Trust doesn't mean "use Okta and call it a day." It means the packet from your VPN is inspected the same way as the packet from the internet.
- Separate VPN subnets per department. Network Admins get their own. No intercommunication. If Marketing's VPN subnet can reach the DB admin's jump box, your architecture is a confession.
- Limit business-device travel outside the country. Automate it.
SSO (Really?)
Either all your SaaS is SSO'd, or you have nothing. A half-SSO'd org is just a pile of orphaned accounts waiting for credential stuffing.
- Your L3 does not need Global Admin. Neither does your L2. Neither does most of your L1. Global Admin for the guy who sets up printers is malpractice.
- Compulsory MFA for all Security and IT solutions, re-prompted after 1 hour.
- Conditional Access Policies — minimum 100 use cases. Yes, one hundred. If your CAS has six rules, you have decoration, not enforcement.
- Single point of contact is single point of failure. Your IdP going down takes the entire company offline. Plan for it. Test for it. Have break-glass accounts in cold storage.
Offensive Countermeasures / Active Defense
Deploy aggressive tactics with a defensive posture. Think poison, not venom.
Venom you inject. Poison they consume. That distinction matters legally and operationally.
- Always ensure solid legal footing. Before anything. Talk to a lawyer. Then talk to another lawyer.
- Frequently report to CERTs and CSIRTs. Make your own CSIRT if possible.
- The core math: Detection time + Reaction time < Attack time. If your MTTD + MTTR is bigger than the attacker's dwell-to-objective time, you've lost before you started.
- Collect forensic artifacts. Share them with LEAs where appropriate.
- Keep a BACKUP PLAN. Not just backups. A plan. Rehearsed. With timelines. With a phone tree. With a lawyer on speed dial.
Your threat model isn't "a kid with Metasploit." Stop designing for that.
Decoy & Deception
This is the most underused chapter in the defender's playbook and also the cheapest. Attackers cost themselves time the moment they step into a deception field. Your job is to make the field bigger than the legitimate network.
- Decoy CSV files across 50% of endpoints. Realistic names. Realistic sizes. Canary-tokened.
- Honeynet / canarytokens feeding telemetry back to a SIEM nobody talks about in meetings.
- At least 100 decoy users in AD / Entra ID. Automated. Randomly named. Periodically "logged in" from plausible IPs so they don't look dormant.
- Custom controlled vulnerabilities in non-prod to see who attacks and when.
- Controlled XSS on marketing pages to fingerprint which geographies are probing you.
- Decoy API abuse to gather adversary telemetry.
- Small lures in robots.txt — attackers read those before they touch your homepage.
- Diverse devices on the network. Mixed vendors, models, OSes. A uniform Windows-only network looks like a lab. A real organization has three generations of IoT, two macOS holdouts in design, and a lone FreeBSD box nobody remembers buying. Decoys should blend in with that, not with a vendor's brochure.
Honeypots that look like honeypots catch interns. Deceptive infrastructure indistinguishable from prod catches actual adversaries.
Tough Questions (Ask Your Team Tomorrow)
These questions are not rhetorical. Write them down. Take them to your next security review. If the answers are "no" or "it depends" or "we're working on it," that is your 2026 roadmap.
- Have you implemented continuous AuthN / AuthZ?
- Do you have at least 10 levels of access groups in the org? Not 3. Ten.
- Are you blocking Chinese / adversary devices based on MAC OUI?
- Are you running IPSec / private links with 3rd-party vendors wherever possible?
- Can you actually trust your CTO / CXO / CMO? I don't mean morally. I mean operationally — their laptops, their phones, their personal email.
- Are you using IDS / IPS properly? Snort, Zeek, Suricata — these are not products you bought, they are platforms you tune.
- Why does HR need SMB / FTP? (They don't.)
- Why does any endpoint need RPC? (Hardly ever.)
If these questions make your IT team uncomfortable, you've found the roadmap.
MITRE ATT&CK v18+
Do you truly understand TTPs? Not the buzzword. The actual behaviors.
- Do you have detection strategies, or a content pack?
- Metadata. Metadata. Metadata. If your SIEM only ingests severity + signature ID, you're detecting trivia.
- PRE-ATT&CK? Do you even care about reconnaissance-phase indicators, or have you outsourced that entire kill-chain stage to "the internet"?
- ATT&CK is fundamentally about understanding human behaviour. The framework is sociology with hex values.
- Threat groups split into Active vs Passive, then further by long-term vs short-term infrastructure. Can you identify "intent" from their infrastructure profile alone?
- Map your TTP coverage against your tool coverage. Where are the gaps? That's next quarter's budget.
- Do you run serious adversary simulation? Not a penetration test. Simulation. Against real group TTPs. With realistic dwell time. Or is your red team just a checkbox?
MITRE D3FEND 1.3.0+
ATT&CK tells you what attackers do. D3FEND tells you what you can do back. Everybody reads the first one. Almost nobody operationalizes the second.
- Do you have use cases covering even 60% of D3FEND? Most teams are at 15-20% and don't know it.
- Does your firewall come from the USA? (Equation Group.) If yes, assume it's transparent to at least one adversary.
- Do your VPC flow logs capture all packet info / telemetry? Any cloud provider. Same question.
- DNS Firewall. It's always DNS. I will die on this hill.
- MITRE D3FEND + ATT&CK map to around 8,000 use cases in SIEM + EDR. Over 2,000 controls can be independently implemented from D3FEND alone. 267 unique defensive techniques. You will not do all of them. But you should know which 100 you've done and which 167 you haven't.
- Do you truly understand your environment? "Managed in cloud" does not mean "no problem." It means the attack surface is now someone else's spreadsheet.
- Do you have SBOM / HBOM / AIBOM / QBOM? At least as per CERT-In?
MITRE CREF (The One Everybody Skips)
Repeat after me: security is about keeping them out; resiliency is about fighting through.
If the firewall fails (and it will), does the business continue?
The CREF goals: Anticipate | Withstand | Recover | Adapt. The CREF objectives: Prevent | Prepare | Continue | Constrain | Reconstitute | Understand | Transform | Re-architect. Fourteen techniques sit underneath those — Adaptive Response, Analytic Monitoring, Contextual Awareness, Coordinated Protection, Deception, Diversity, Dynamic Positioning, Non-Persistence, Privilege Restriction, Realignment, Redundancy, Segmentation, Substantiated Integrity, Unpredictability.
The questions worth sitting with:
- Do you use Obfuscation and Tainting?
- Can you continue operations after EDR / DLP bypass? Assume it happened this morning.
- What breaks the moment an identity is compromised?
- Can AD / Entra ID groups reconfigure via automation during a P0 attack? Or does it require a human in a meeting with 12 stakeholders?
- Can your NAC push entire departments to VLAN 666 for quarantine in under 60 seconds?
- 99.999% uptime = 100% attack surface. APTs want to stay. Why is your architecture helping them?
- CREF wants you to implement the "Kill Switch". Most orgs won't. That's the difference.
- Zero Trust in execution, not slides. Implement JIT access. Standing privilege is standing invitation.
And then the grown-up version:
- Stop acting like your perimeter is bulletproof. You are already compromised. Start from there.
- If ransomware detonates today, can you burn the infrastructure and redeploy from Infrastructure-as-Code in under 2-4 hours? If the answer is "no," your RTO is fiction.
- Graceful degradation. If the cloud goes dark, can your critical business survive on paper and local caches? Airlines learned this the hard way. You don't have to.
- Are your backups TRULY immutable? Offline or read-only does not mean immutable if the attacker has Domain Admin or Global Admin. Test it.
- Cryptographic verification. Can you mathematically prove your forensic logs haven't been tampered with? Hash chains. Signed events. Or it's hearsay.
- Resiliency also means making the attacker work for every inch of lateral movement. Every inch.
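The "hash chains, signed events" point from the list above, as an added Python example that is not part of the original post. It appends forensic events to a SHA-256 hash chain, authenticates each link with an HMAC, and then shows verification failing on a rewritten entry and on a deleted entry. The events and the signing key are constructed; the key belongs in an HSM or KMS outside the domain an attacker with Domain Admin can reach, never in the code as it is here for the demo.

```python
"""Added example (not from the original post): hash-chained, HMAC-signed
forensic log with a verifier that pinpoints the first bad entry.
Signing key and events are constructed for the demo."""
import copy
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-demo-key--real-one-lives-in-HSM/KMS"
GENESIS = "0" * 64


def _canonical(event):
    # Deterministic serialisation so the same event always hashes the same way.
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


def append_event(chain, event, key=SIGNING_KEY):
    """Append one event; its hash covers the previous hash, so history is bound."""
    prev = chain[-1]["hash"] if chain else GENESIS
    digest = hashlib.sha256((prev + _canonical(event)).encode()).hexdigest()
    mac = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    chain.append({"seq": len(chain), "prev": prev, "event": event,
                  "hash": digest, "mac": mac})
    return chain


def verify_chain(chain, key=SIGNING_KEY):
    """Return (ok, index_of_first_bad_entry). Detects edits, reordering and
    deletions in the middle; truncation of the tail needs the latest hash
    anchored elsewhere (see usage note)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = hashlib.sha256((prev + _canonical(entry["event"])).encode()).hexdigest()
        expected_mac = hmac.new(key, expected.encode(), hashlib.sha256).hexdigest()
        if (entry["prev"] != prev or entry["hash"] != expected
                or not hmac.compare_digest(entry["mac"], expected_mac)):
            return False, i
        prev = entry["hash"]
    return True, None


# Constructed sample events.
SAMPLE_EVENTS = [
    {"ts": "2026-03-01T02:14:09Z", "host": "HR-LT-003", "action": "logon", "user": "j.doe"},
    {"ts": "2026-03-01T02:15:30Z", "host": "HR-LT-003", "action": "logon", "user": "svc-ci"},
    {"ts": "2026-03-01T02:16:02Z", "host": "HR-LT-003", "action": "file_read", "path": "payroll.csv"},
]


def demo():
    """Build a chain, then tamper with copies of it and report what verification says."""
    chain = []
    for ev in SAMPLE_EVENTS:
        append_event(chain, ev)
    intact = verify_chain(chain)[0]

    rewritten = copy.deepcopy(chain)
    rewritten[1]["event"]["user"] = "svc-backup"   # someone rewrites who logged in
    deleted = copy.deepcopy(chain)
    del deleted[1]                                  # someone removes the logon entirely

    return {"intact": intact,
            "rewritten": verify_chain(rewritten),
            "deleted": verify_chain(deleted)}


if __name__ == "__main__":
    print(demo())
```

Anchor the newest hash somewhere the log writer cannot overwrite (a WORM bucket, a ticket, a printed daily digest) so that chopping entries off the end is caught too; without that external anchor a chain only proves the prefix you still hold is consistent.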
MITRE ENGAGE
Stop just dropping packets at the firewall. Start actively deceiving the adversary.
The goal: drive up the attacker's operational costs. Force them to burn their expensive zero-days on fake targets. Every minute they spend on a decoy is a minute they are not on prod.
- Lures & breadcrumbs. Feed them fake AWS keys in public GitHub repos. Those keys trigger silent P1 alerts the instant they get used. Attackers use those keys. Always.
- Network tarpitting. Make a simple Nmap scan take four days to complete. Frustrate the human behind the keyboard. They have KPIs too.
- Gather adversary intel. Let them compromise an isolated honeypot. Quietly study their post-exploitation tools. Their config files tell you more than their C2 traffic ever will.
- You are the apex predator in your own network. Act like it.
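One way to wire the honeytokens from this section and the decoy files and canary tokens from the Decoy & Deception section into a detector, as an added Python example that is not part of the original post. The registry maps each planted value back to where it was seeded, so a hit tells you what the adversary touched; the access key IDs, hostnames, URLs and event records are constructed and only loosely shaped like CloudTrail and proxy logs.

```python
"""Added example (not from the original post): honeytoken registry plus a
detector that raises a P1 the moment a planted credential or decoy-file token
shows up in telemetry. Every value below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Honeytoken:
    value: str       # the string an intruder ends up using
    kind: str        # "aws-key" or "file-canary"
    planted_at: str  # where it was seeded, so a hit says what was touched


# Constructed registry. None of these keys are valid anywhere; their only job is to be used.
REGISTRY = {h.value: h for h in [
    Honeytoken("AKIAEXAMPLECANARY001", "aws-key",
               "github.com/example-org/infra-notes (public repo, old commit)"),
    Honeytoken("AKIAEXAMPLECANARY002", "aws-key",
               "aws_backup_creds.txt on FIN-LT-017 desktop"),
    Honeytoken("c4n4ry-7f3a", "file-canary",
               "payroll_2025_Q4.csv on HR-LT-003"),
]}


def extract_token(event):
    """Pull the field a honeytoken would surface in, per event source."""
    if event.get("source") == "cloudtrail":
        return event.get("userIdentity", {}).get("accessKeyId")
    if event.get("source") == "proxy":
        # Decoy CSVs embed a unique URL that only tooling opening the file would fetch.
        url = event.get("url", "")
        return url.rsplit("/", 1)[-1] if "/canary/" in url else None
    return None


def detect(events):
    """Return one P1 alert per event that used a registered honeytoken."""
    alerts = []
    for ev in events:
        token = extract_token(ev)
        if token in REGISTRY:
            h = REGISTRY[token]
            alerts.append({"severity": "P1", "kind": h.kind, "planted_at": h.planted_at,
                           "src_ip": ev.get("sourceIPAddress"), "time": ev.get("eventTime"),
                           "detail": ev.get("eventName") or ev.get("url")})
    return alerts


# Constructed telemetry: two honeytoken hits buried among ordinary events.
SAMPLE_EVENTS = [
    {"source": "cloudtrail", "eventTime": "2026-03-01T02:14:09Z", "eventName": "ListBuckets",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLECANARY001"}, "sourceIPAddress": "198.51.100.23"},
    {"source": "cloudtrail", "eventTime": "2026-03-01T02:14:11Z", "eventName": "GetCallerIdentity",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLELEGIT0099"}, "sourceIPAddress": "203.0.113.5"},
    {"source": "proxy", "eventTime": "2026-03-01T02:20:44Z",
     "url": "https://canary.example.internal/canary/c4n4ry-7f3a", "sourceIPAddress": "10.10.1.15"},
    {"source": "proxy", "eventTime": "2026-03-01T02:21:00Z",
     "url": "https://intranet.example.internal/payroll/index.html", "sourceIPAddress": "10.10.1.15"},
]


def run_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Because a planted key is never used legitimately, a single hit is enough for a P1 with no correlation needed; the `planted_at` field is what turns the alert into an incident scope ("the finance laptop's desktop has been read") rather than just a noise line.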
MITRE ATLAS (The One Nobody Has Looked At Yet)
Everyone loves GenAI until the internal LLM exfiltrates the customer database.
Adversarial Machine Learning is here. Are you actually defending against it or are you writing blog posts about "AI transformation"?
- Prompt injection & jailbreaking. Your system-prompt "guardrails" are a joke to a determined attacker. Treat the LLM like a junior intern with direct DB access.
- Training data poisoning. How do you know your open-source foundational models haven't been subtly backdoored? Short answer: you don't. Longer answer: you probably can't. Blame the game, not the player.
- Model inversion. Can attackers extract sensitive PII by reverse-engineering your model's outputs? Yes, if you trained on PII. So: don't train on PII.
- RAG architectures are often just massive SSRF vulnerabilities with marketing. Every vector database query that hits an internal URL is a footgun waiting.
- Treat every AI model as an untrusted, hostile user on your network. NO EXCEPTIONS.
ISO / IEC 27000 Series
Honest truth: the 27K series has around 60+ published standards, though nobody agrees on the exact number because of multi-part standards and quiet withdrawals. ~15 actually matter. Only ISO/IEC 27001 is certifiable. The rest are guidance, BUT YOU NEED TO READ THEM STILL!
The short list worth reading:
- 27001 — ISMS requirements (the one you certify against)
- 27002 — 93 controls (dropped from 114 in the 2022 revision; if your ISMS hasn't been rewritten since 2013, your certificate is a museum piece)
- 27005 — Risk management
- 27017 / 27018 — Cloud + PII in public clouds
- 27035 — Incident management (multi-part)
- 27037 through 27043 — Digital forensics (identification, collection, investigation, analysis)
- 27701 — Privacy information management (PIMS extension to 27001)
ISO 27001 tells you WHAT. NIST 800-53 and MITRE D3FEND tell you HOW. A certificate on the wall doesn't stop Cobalt Strike. Map controls to actual TTPs or it's theater.
NIST 800-53
Stop letting auditors design your architecture. NIST is a rigorous engineering blueprint, not a GRC compliance checklist. Treat it like one.
- Annual audits are a joke to an attacker. Implement Continuous Control Monitoring (CCM) via automation. If your controls aren't checked daily, they aren't really checked.
- Aggressively prioritize the AC (Access Control), AU (Audit & Accountability), and SI (System & Information Integrity) families. If you can only do three, do those three.
- Map your NIST implementation directly to MITRE D3FEND to prove operational coverage. Otherwise you have a binder, not a defense.
The "Tin Foil Hat" Chapter
Pick your paranoia carefully. Most of the things on this list are not paranoia, they are documented reality. The inconvenient kind.
- The OS is just a suggestion. Backdoors are built-in. Read the Snowden disclosures. Then read the Vault 7 leaks. Then come back and tell me your Windows kernel is trustworthy.
- Anti-Forensics is Standard. Stop trusting basic IoCs. Hashes change. IPs rotate. TTL fields lie.
- Your IoT devices are spies. Weeping Angel proved smart TVs are active listening posts. Your doorbell camera is worse.
- Supply chain interdiction is real. Hardware gets backdoored in transit. Not rhetorically. Actually. See: every router that ever crossed a certain ocean border.
- "Air-gapped" is a myth. Acoustic, thermal, power-line, electromagnetic, fan-speed — dozens of covert channels have been demonstrated. covertchannels.com is a humbling afternoon read.
Not all of these apply to your threat model. But none of them are fiction. Decide what matters, then defend accordingly.
Do This Now
If you read this far and remember nothing else, remember this section.
- Legacy protocols are lethal. EternalBlue annihilated global networks. SMBv1, NetBIOS, LLMNR, WPAD, plain LDAP: kill them all.
- Fileless and cache-resident malware. Most EDRs miss this. If yours doesn't hook syscalls and inspect process memory, you have antivirus with a new sticker.
- Why are you trusting anything an endpoint tells you in the first place? Endpoint telemetry is a hint. Network telemetry is evidence. Network rarely lies.
- Network Traffic Analysis > Network Packet Inspection. Patterns over payloads. Metadata over signatures.
- Context > Signatures. Multi-variate correlation is the only game that scales. Filter the noise. Correlate the telemetry. Hunt the behavior.
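The "network telemetry is evidence" point from this list, together with the segmentation questions from earlier ("why is HR talking to a dev machine?"), as an added Python example that is not part of the original post. It runs over flow-style records (timestamp, source, destination, protocol, destination port), which is metadata rather than payload, and flags legacy-protocol traffic and flows that cross segments the policy does not permit. The subnet-to-segment map, the allowed pairs and the flow records are constructed.

```python
"""Added example (not from the original post): flow-metadata analysis that
flags legacy protocols and segment-policy violations. Segments, policy and
flow records are constructed sample data."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed segment map: small static subnets, one role each.
SEGMENTS = {
    ip_network("10.10.1.0/24"): "HR",
    ip_network("10.10.2.0/24"): "DEV",
    ip_network("10.10.3.0/24"): "PROD-DB",
    ip_network("10.10.4.0/24"): "FILE-SERVERS",
}

# Constructed policy: (source segment, destination segment) pairs that may talk.
# Traffic inside one segment is allowed; everything else is a violation.
ALLOWED = {("HR", "FILE-SERVERS"), ("DEV", "FILE-SERVERS")}

# Ports that should be dead on a modern network. Flow metadata cannot tell
# SMBv1 from SMBv3 on 445, so SMB dialect needs endpoint or IDS data instead.
LEGACY = {
    ("udp", 137): "NBT-NS",
    ("udp", 138): "NetBIOS-datagram",
    ("tcp", 139): "NetBIOS-session",
    ("udp", 5355): "LLMNR",
    ("tcp", 389): "plain-LDAP",
    ("tcp", 135): "RPC-endpoint-mapper",
}


def segment_of(ip):
    addr = ip_address(ip)
    for net, name in SEGMENTS.items():
        if addr in net:
            return name
    return "UNKNOWN"   # broadcast, multicast, or something not in the map


def analyze(flows):
    """flows: iterable of (ts, src_ip, dst_ip, proto, dst_port).
    Returns a list of (ts, src, dst, finding) tuples; one flow can yield two."""
    findings = []
    for ts, src, dst, proto, dport in flows:
        legacy = LEGACY.get((proto, dport))
        if legacy:
            findings.append((ts, src, dst, f"legacy-protocol:{legacy}"))
        s, d = segment_of(src), segment_of(dst)
        if "UNKNOWN" not in (s, d) and s != d and (s, d) not in ALLOWED:
            findings.append((ts, src, dst, f"segment-policy-violation:{s}->{d}"))
    return findings


def summarize(findings):
    """Counts per finding type, the view that goes on a dashboard."""
    return Counter(f[3].split(":", 1)[0] for f in findings)


# Constructed flow records.
SAMPLE_FLOWS = [
    ("09:00:01", "10.10.1.15", "10.10.4.5", "tcp", 445),       # HR -> file server: permitted
    ("09:00:02", "10.10.1.15", "224.0.0.252", "udp", 5355),    # LLMNR multicast from HR laptop
    ("09:00:03", "10.10.1.15", "10.10.2.40", "tcp", 445),      # HR -> DEV: why?
    ("09:00:04", "10.10.2.40", "10.10.3.8", "tcp", 5432),      # DEV -> prod DB: why?
    ("09:00:05", "10.10.2.40", "10.10.2.41", "tcp", 22),       # intra-DEV: fine
    ("09:00:06", "10.10.2.40", "10.10.255.255", "udp", 137),   # NBT-NS broadcast
    ("09:00:07", "10.10.2.40", "10.10.3.8", "tcp", 389),       # plain LDAP, and cross-segment
]


def run_sample():
    return analyze(SAMPLE_FLOWS)


if __name__ == "__main__":
    for f in run_sample():
        print(f)
    print(summarize(run_sample()))
```

Nothing here inspects a payload; every finding comes from who talked to whom on which port, which is exactly the telemetry an endpoint cannot lie about once the flow has left the NIC. The same loop runs unchanged over VPC flow logs or NetFlow once the tuple extraction is adapted.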
Final Word
Security is not a product you buy. Resiliency is not a slide you present. Both are outcomes of sustained engineering discipline, practiced against an adversary who is more patient than you are and better-funded than you think.
If your CISO talks in "maturity levels" and your CIO talks in "digital/AI transformation" and nobody on the team can name their top five adversary groups from memory, you are not running a security program. You are running a cost center with good lighting.
The masses will impulsively state this is a bad idea. They will keep getting hacked — badly. Don't be them.
From zero to automation.
Jai Hind.
Wake up. Dig deeper.
