The organization did not have a large budget to spend on additional security controls. Endpoint security controls were in place along with a SIEM solution. A key requirement was that any further controls implemented not impact anyone’s day to day work, since considerable push back was already being felt from the organization.
As well as assisting with reviewing the monitoring solution in place a number of countermeasures were deployed into the environment and were configured to provide data to the SIEM. Honeypots are probably the most well-known counter measure; however a wide range of others exist.
One area which receives little attention is disrupting the reconnaissance phase of an attack. While security assessments will often have a small recon phase, actual attacks typically involve far more. The more recon an attacker is able to do, the greater their chance of success. This type of activity is done throughout an attack, not just at the outset. Once an environment is breached a new recon phase begins.
One extremely useful source of information (at least, we have found it to be during our assessments) are internal knowledge management systems. To counter this kind of activity a variety of fictitious information was added to the knowledge management system. The information was of a kind that would appeal to an attacker and is unlikely to be sought by an employee (for example documents containing login credentials). This data was linked to the other countermeasures deployed so that ultimately the attacker would be drawn to the technical systems allowing detecting to occur.
Discussions were also had with regard to addressing the vast amount of information available publicly on the client.