08.07 · Break the chain at every link

Malware Defenses

The modern defensive stack doesn't try to catch the binary. It tries to disrupt the attacker's chain at as many phases as possible so that any single defensive failure doesn't end the game. Eight controls, mapped to the kill-chain phases each one breaks.

The defender's wager

An attacker has to succeed at every kill-chain phase. A defender only has to stop them at one. The point of defense-in-depth is to ensure that every phase is defended by at least one control, so that a single bypass doesn't lose the game.

The eight controls below are not optional. They are the table stakes for any organization that handles money, data, or anyone's safety. The trade-offs they each carry are real; the cost of skipping them is realer.

The eight controls

EDR / XDR

Endpoint Detection & Response. Watches process trees, syscalls, network connections, file operations on every endpoint. Detects behavior, not just signatures: "Word spawned PowerShell which made an HTTPS connection to a domain registered yesterday" is a high-confidence loader pattern regardless of what binary did it.
Breaks: Exploit · Install · C2 · Lateral Move · Impact
Trade-off: licensing cost, performance overhead, tuning burden for alerts.
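The "Word spawned PowerShell which called out to a day-old domain" pattern above, as an added example of how an EDR-style behavioral correlation works (this is illustrative code, not any product's detection logic; the event shapes, field names, process lists and the sample telemetry are constructed for it):

```python
from datetime import date

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
NEW_DOMAIN_DAYS = 30  # a domain registered within this many days counts as "new"

def find_loader_chains(events, registered_on, today):
    """Flag the chain: Office parent -> script-host child -> HTTPS connection to a
    recently registered domain. Returns (pid, parent, child, domain) tuples.
    `registered_on` maps domain -> registration date (stand-in for a domain-age feed)."""
    watched = {}  # pid of a script host spawned by an Office process -> (parent, child)
    hits = []
    for ev in events:
        if ev["type"] == "process_create":
            parent, child = ev["parent_image"].lower(), ev["image"].lower()
            if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
                watched[ev["pid"]] = (parent, child)
        elif ev["type"] == "network_connect" and ev["pid"] in watched:
            if ev["dest_port"] != 443:
                continue
            reg = registered_on.get(ev["domain"])
            if reg is None:  # no registration data: don't guess, don't alert
                continue
            if (today - reg).days <= NEW_DOMAIN_DAYS:
                parent, child = watched[ev["pid"]]
                hits.append((ev["pid"], parent, child, ev["domain"]))
    return hits

# Constructed telemetry: an admin's interactive PowerShell (benign) and a Word
# document that spawns PowerShell which calls out to a day-old domain (loader).
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 1201, "parent_image": "explorer.exe", "image": "powershell.exe"},
    {"type": "network_connect", "pid": 1201, "domain": "update.vendor.example", "dest_port": 443},
    {"type": "process_create", "pid": 3344, "parent_image": "WINWORD.EXE", "image": "powershell.exe"},
    {"type": "network_connect", "pid": 3344, "domain": "cdn-files.example", "dest_port": 443},
]
SAMPLE_REGISTRATION = {  # constructed WHOIS-style registration dates
    "update.vendor.example": date(2015, 3, 1),
    "cdn-files.example": date(2024, 5, 9),
}

def demo(registered_on=SAMPLE_REGISTRATION, today=date(2024, 5, 10)):
    return find_loader_chains(SAMPLE_EVENTS, registered_on, today)

if __name__ == "__main__":
    for pid, parent, child, domain in demo():
        print(f"loader pattern: pid {pid}: {parent} -> {child} -> https://{domain}")
```

Only the Word-spawned chain is flagged; the same PowerShell binary under explorer.exe is ignored, which is the point of matching behavior rather than the binary.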

Application Allowlisting

Only pre-approved, signed binaries from approved publishers can execute. Windows Defender Application Control (WDAC) and AppLocker; macOS Gatekeeper; Linux SELinux/AppArmor. If a loader drops update.exe in %APPDATA% and tries to run it, nothing happens.
Breaks: Exploit · Install · Lateral Move
Trade-off: ongoing operational cost to approve new software; broken legitimate workflows during rollout.

Network Segmentation

Hosts can only reach the hosts they actually need to. Workstations don't see each other directly. Backup servers don't accept inbound connections from random clients. Domain controllers are isolated. If patient zero gets owned, the worm runs out of neighbors within hops.
Breaks: Discovery · Lateral Move · Impact
Trade-off: significant network engineering; ongoing firewall rule maintenance; legitimate workflows that "just worked" break.

Immutable Backups (3-2-1-1-0)

3 copies, on 2 different media, 1 offsite, 1 immutable / air-gapped, 0 verification errors. Object-lock S3, tape rotation, hardware WORM appliances. The first thing a ransomware affiliate does is delete your backups; immutability means they can't.
Breaks: Impact · Recovery
Trade-off: storage cost (especially immutable cloud); restoration drills take hours and must be rehearsed.
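The 3-2-1-1-0 rule above as an added checker over a backup inventory (illustrative code, not from the original page; the inventory format, field names and sample inventories are constructed):

```python
def check_3_2_1_1_0(copies):
    """copies: list of dicts with keys media (str), offsite (bool), immutable (bool),
    verify_errors (int). Returns (ok, failures), one failure string per broken digit."""
    failures = []
    if len(copies) < 3:
        failures.append(f"3: only {len(copies)} copies (need 3)")
    media = {c["media"] for c in copies}
    if len(media) < 2:
        failures.append(f"2: all copies on one medium ({', '.join(sorted(media)) or 'none'})")
    if not any(c["offsite"] for c in copies):
        failures.append("1: no offsite copy")
    if not any(c["immutable"] for c in copies):
        failures.append("1: no immutable / air-gapped copy; an affiliate with admin can delete them all")
    errors = sum(c["verify_errors"] for c in copies)
    if errors:
        failures.append(f"0: {errors} restore-verification error(s); an unrestored backup is untested")
    return (not failures, failures)

# Constructed inventories: one that meets the rule, one typical of a company that
# has "backups" until the ransomware affiliate deletes the replica.
GOOD = [
    {"media": "disk", "offsite": False, "immutable": False, "verify_errors": 0},          # primary on-prem
    {"media": "object-storage", "offsite": True, "immutable": True, "verify_errors": 0},  # S3 with object lock
    {"media": "tape", "offsite": True, "immutable": True, "verify_errors": 0},            # rotated offsite tape
]
WEAK = [
    {"media": "disk", "offsite": False, "immutable": False, "verify_errors": 0},
    {"media": "disk", "offsite": True, "immutable": False, "verify_errors": 2},  # replica a domain admin can wipe
]

if __name__ == "__main__":
    for name, inv in (("GOOD", GOOD), ("WEAK", WEAK)):
        ok, failures = check_3_2_1_1_0(inv)
        print(name, "ok" if ok else "FAIL", *failures, sep="\n  ")
```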

Least Privilege

Users get the access they need for their job, no more. No "everyone is local admin." Domain Admins log in only from privileged-access workstations. Service accounts are scoped to single applications. The Mimikatz-from-the-CFO-laptop attack on the previous page works because nobody enforced this.
Breaks: Exploit · Privilege Esc · Credential Access · Lateral Move
Trade-off: help-desk tickets for software installs; user friction; admin culture change.

Patch Cadence

Internet-facing systems patched within 48 hours of a critical advisory. Internal systems within 30 days. Worm exploits have a window between disclosure and mass exploitation; close it. The vulnerability WannaCry used was patched in March 2017; the worm hit in May 2017. Companies that patched in March were fine.
Breaks: Exploit · Lateral Move
Trade-off: maintenance windows; legacy systems that can't patch (mitigate with isolation instead).

Phishing-Resistant MFA Everywhere

FIDO2 / passkeys for every account that matters — especially admin accounts, VPN, RDP, and SaaS that holds data. See the Passkeys page. Initial Access Brokers run on stolen credentials; if the credentials don't work without a phishing-resistant second factor, the IAB market dries up for your org.
Breaks: Initial Access · Credential Access · Lateral Move
Trade-off: hardware-key cost; user onboarding; legacy applications that don't support modern auth.

Security Awareness

Users who recognize a phishing email don't click it; users who recognize an MFA-fatigue attack don't approve it. Awareness training will not save you on its own, because humans are not perfect, but it reduces the volume the rest of the stack has to deal with, and every other control needs that reduction to be effective.
Breaks: Initial Access · Credential Access
Trade-off: training time; cultural resistance ("I know how to email"); diminishing returns after first 12 months.

The matrix — which control breaks which phase?

Read across to see which kill-chain phases each control disrupts. The pattern matters: no single control covers everything, but no phase is uncovered. That's the right shape for a defensive stack.

Control                | Recon | Delivery | Exploit | Install | C2 | Discovery | Lateral | Impact | Recovery
-----------------------|-------|----------|---------|---------|----|-----------|---------|--------|---------
EDR / XDR              |   ·   |    ~     |    ✓    |    ✓    | ✓  |     ✓     |    ✓    |   ✓    |    ·
Allowlisting           |   ·   |    ~     |    ✓    |    ✓    | ~  |     ·     |    ✓    |   ~    |    ·
Segmentation           |   ·   |    ·     |    ·    |    ·    | ~  |     ✓     |    ✓    |   ✓    |    ·
Immutable Backups      |   ·   |    ·     |    ·    |    ·    | ·  |     ·     |    ·    |   ✓    |    ✓
Least Privilege        |   ·   |    ·     |    ✓    |    ~    | ·  |     ~     |    ✓    |   ~    |    ·
Patch Cadence          |   ·   |    ~     |    ✓    |    ·    | ·  |     ·     |    ✓    |   ·    |    ·
Phishing-Resistant MFA |   ·   |    ✓     |    ~    |    ·    | ·  |     ·     |    ✓    |   ·    |    ·
Security Awareness     |   ✓   |    ~     |    ~    |    ·    | ·  |     ·     |    ·    |   ·    |    ·

Legend: ✓ = strongly disrupts; ~ = partially disrupts; · = doesn't help
(Cell placements are reconstructed from the phase tags under each control above and the reading in the next section.)

Read it sideways

Every column has at least one ✓. That's the goal. There is no defensive control that catches everything, but there is no single phase that has zero defenders. An attacker who phishes successfully gets caught by EDR; an attacker who bypasses EDR is constrained by least privilege; an attacker who escalates is contained by segmentation; an attacker who deploys ransomware can't destroy your backups.

The order to deploy them in

If you're starting from zero, the order matters. Some of these controls are prerequisites for others to be effective; some are quick wins that buy time for the rest.

  1. Backups first. Until backups exist and are tested, you have no recovery option. Everything else only matters if you would survive a failure.
  2. Phishing-resistant MFA on admin accounts second. Highest-leverage single change — closes most affiliate access paths.
  3. EDR everywhere third. The detection foundation that makes every other control observable.
  4. Patch cadence and segmentation in parallel. Both take time; both need executive sponsorship.
  5. Least privilege as ongoing work. Never finished; always improving.
  6. Allowlisting after least privilege is mature. Disruptive to deploy; needs a stable application baseline.
  7. Security awareness as continuous reinforcement. Not a one-time training; a culture.

What this all costs

The unsubtle answer: a lot. EDR licensing alone is $5-$20 per endpoint per month for enterprise tiers. Immutable backup storage is double-or-triple the storage cost. Hardware FIDO keys are $20-$70 per user. Network segmentation projects run six figures for a mid-sized enterprise.

The unsubtle answer to the unsubtle answer: a successful ransomware incident at a 1,000-employee company averages $2-$10M in direct costs (ransom, IR, downtime) plus regulatory fines and reputation damage. Cyber insurance carriers have stopped underwriting organizations that lack the basics — especially MFA and immutable backups — because the actuarial math no longer works for them.

The choice isn't "spend on defense or don't." It's "spend on defense, or spend the same amount on incident response with worse outcomes."