Starting with Windows 7, Microsoft removed these rights by default for users who log into Windows PCs, which greatly diminished what threat actors could do and access. This is still the default behavior of Microsoft operating systems today.
What are Local Administrator rights?
This is the practice of checking users' passwords against previous choices, poor entropy and otherwise weak passwords; length, character classes, and even block lists can be used.
What is password filtering? (Also password auditing)
These letter substitutions, misspellings and other minor changes help phishing emails look more genuine and make it more likely the user will click.
What are Homoglyphs? Examples: "rri" / "rn" read as "m"; "cl" reads as "d"; capital "I" reads as lowercase "l" (appears lower-case when clicked, but upper-case when moused over); "1" reads as "l"; zero reads as "O" (oh).
Typosquatting too, e.g. for example.com: ezample.com, exsmple.com, examole.com, exampke.com, examplw.com
Most of the time these logins do not mean there is an attack. More often than not they point to configuration problems rather than a security issue!
What are Failed Logins?
This antiquated practice has been shown to create weaker authentication secrets, which is the opposite of its intention.
What are Password Change Policies?
https://arstechnica.com/information-technology/2019/06/microsoft-says-mandatory-password-changing-is-ancient-and-obsolete/
What is blocking common file-sharing and/or remote-access ports?
e.g. Ports: 135, 137-139, 445 (SMB)
21 (FTP)
22 (SSH)
3389 (RDP)
Once a network is breached, these are the first systems/services threat actors will locate and target. They should be treated differently than other systems in your network.
What are Crown Jewels, Vital Infrastructure, and/or VIP assets?
(Keep an inventory of these systems, and share it with your security team(s) for heightened awareness.)
This type of email comes from a trusted source, but is anything but trustworthy. As a recent example, on 11-14-2021 an email from the FBI was sent out to many members of the public, but it was not sent by any FBI agent.
What is BEC (Business Email Compromise)?
Not limited to one type or product, these preconfigured settings are often not detailed enough, or tuned well enough, to allow proper security alerting.
What are the default levels of logging?
This system, while never an easy undertaking, is essential for security triage as well as alerting, and benefits many others in IT, Accounting and Compliance.
What is an Inventory system?
These are services that are installed by default but are not needed. These protocols put security at risk because they are outdated and often bypass authentication best practices.
What are unused services and legacy protocols and APIs?
This data may be buried deep in your documents and/or files, and is shared by you "willingly". Removing this additional data isn't as straightforward as it may seem, but it should be done.
What is sanitizing meta-data and minimizing your digital footprint? (Also lumped into Attack Surface Reduction/Brand Management)
These are the traces/habits you leave online, which "free services", especially social media services, sell to advertisers and anyone else willing to purchase them.
What is your Digital Footprint?
Public Postings, Pictures, Comments, Reviews, Friends/Family, Address, Phone numbers...
This log source is voluminous, full of false positives, and very hard to correlate into a useful alert. Conversely, this same log source is great for triage and after-action reviews.
What are Firewall Logs?
Following this principle is one of the best methods of keeping your systems from being abused, misconfigured and even taken over!
What is the Principle of Least Privilege?
Ex: Not allowing your users to be Local Admins
Establishing standards for, and training employees as well as contractors on, what software is acceptable to use in the administration of computers; keeping track of the software used and following up when a deviation is found.
What are company standards and auditing software inventory?
Often thought of as just patch management, but it should also involve software updating, web application scanning, phishing programs, computer-based training and penetration tests.
What is a Vulnerability Management Program?
This is the practice of obtaining information about a person (or persons) or entity, typically using publicly available information.
What is OSINT (open source intelligence)? (Digital Footprint)
What are WebServer Logs?
With these policies enabled, even if you can't send the logs somewhere to be ingested, you should at least configure them with the idea that they will be useful should you need them.
What is enabling verbose auditing and log retention policies?
Jokingly called a "Decentralized, surprise backup!" This meme refers to a common ailment that has affected even various Gov't agencies.
What is a Data Breach?
https://twitter.com/dakami/status/1367644238167433216
Not just backing up your data, but making sure it remains unchanged by checking the hash/signature of the data as soon as the backup is taken, and again before you restore from that backup.
What are verified and trusted backups?
https://securityboulevard.com/2020/10/ransomwares-next-target-backup-data/
And vice versa...
https://arstechnica.com/tech-policy/2021/10/fbi-others-crush-revil-using-ransomware-gangs-favorite-tactic-against-it/
This is the targeting of C-suite or upper management, or the impersonation of those higher-ups to someone perhaps in the finance department; the "higher-up" is typically asking for a financial change/charge of some kind.
What is Whaling (phishing) or CEO Fraud?
This event log is essential to any SOC's or EDR's success in detecting not only malicious processes, but also legitimate processes being abused for nefarious purposes.
What are Windows Process Creation events (EventID 4688)?
When these security tokens are reused or follow a pattern, and a third party is breached, those tokens may allow your company to be breached as well.
What is Password Reuse?
https://www.wired.com/story/7-steps-to-password-perfection/ (see Number 5 in particular)