jan-karel.com

Preventing Initial Access

Privileges Down, Control Up

Attack paths shrink once privileges, segments, and management channels are consistently configured.

For Preventing Initial Access, the basics remain the same: less implicit trust and more visibility into anomalous behavior.

This limits not only the chance of incidents, but especially the scope and duration when something goes wrong.

Immediate measures (15 minutes)

Why this matters

The core of Preventing Initial Access is risk reduction in practice. Technical context supports the choice of measures, but implementation and assurance are central.

Defense: how to prevent this

This is the point where we take off our attacker hat and get practical. Because it's fun to find vulnerabilities, but it's more useful to prevent them.

Password policy

  • Block commonly used passwords: use a banned password list with seasons, company names, and known patterns
  • Longer passwords: enforce a minimum of 14 characters, preferably 20+
  • Encourage passphrases: my dog likes to eat cheese is better than P@ssw0rd1!
  • MFA everywhere: TOTP, FIDO2, or push notifications -- anything is better than just a password
  • Account lockout with monitoring: lockout after 5 attempts, but also monitor failed attempts
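
The password policy above can be expressed as a small validator. This is an added example, not code from the original page: it enforces the 14-character minimum, matches a constructed banned list (seasons, a placeholder company name, known words) after undoing common character substitutions so that P@ssw0rd1! is still recognised as "password", and flags the word-plus-year pattern. The banned fragments and the company name are assumptions; a real deployment loads them from the organisation's own list.

```python
import re

# Constructed banned fragments: seasons, a placeholder company name, and well-known
# words. A real deployment loads these from the organisation's banned password list.
BANNED_FRAGMENTS = {
    "password", "welcome", "letmein", "qwerty", "admin",
    "spring", "summer", "autumn", "winter",
    "acmecorp",  # placeholder for the company name
}

# Undo the character substitutions that turn 'password' into 'P@ssw0rd'.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

# A single word followed by a year and optional punctuation, e.g. Zebraphone2024!
WORD_PLUS_YEAR = re.compile(r"^[a-z]{3,}(19|20)\d{2}[!?.@#$%*]*$")

MIN_LENGTH = 14        # enforced minimum
PREFERRED_LENGTH = 20  # advisory target


def normalize(password: str) -> str:
    """Lower-case and strip leet substitutions so banned words match their disguised forms."""
    return password.lower().translate(LEET_MAP)


def check_password(password: str, banned=BANNED_FRAGMENTS) -> list[str]:
    """Return the policy violations for a candidate password (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    norm = normalize(password)
    for fragment in sorted(banned):
        if fragment in norm:
            problems.append(f"contains banned fragment '{fragment}'")
    # Pattern check runs on the raw lower-cased input so digits in the year survive.
    if WORD_PLUS_YEAR.match(password.lower()):
        problems.append("word followed by a year is a known pattern")
    return problems


def is_acceptable(password: str) -> bool:
    return not check_password(password)


def meets_preferred_length(password: str) -> bool:
    return len(password) >= PREFERRED_LENGTH


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1!", "Winter2025!", "Zebraphone2024!", "my dog likes to eat cheese"]:
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
```

Running the block shows the passphrase from the bullet list passing every check while the three short or patterned candidates are rejected with a reason each; hooking check_password into a self-service password change is where the reasons become useful to the user.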

Patch management

  • Jenkins: update regularly, restrict access to /script and /manage
  • WordPress: automatic updates for plugins and themes
  • PHP: upgrade to supported versions, disable allow_url_include
  • Office: disable macros for files from the internet (Mark-of-the-Web)

Network segmentation

  • Jenkins: not on the user network, not on the internet
  • FTP: replace with SFTP, or restrict to specific IP addresses
  • Management interfaces: only reachable from a jump host or VPN

Email filtering

  • Block macro-enabled files: .docm, .xlsm, .pptm as attachments
  • Sandboxing: open attachments in a sandbox for analysis
  • SPF, DKIM, DMARC: implement all three to prevent spoofing
  • User training: yes, it helps. Not perfectly, but it helps

Monitoring and detection

Defense is not only prevention -- it's also detection. Even the best preventive measures sometimes fail. Make sure you notice when that happens:

  • Monitor failed logins: a sudden wave of failed logins across multiple accounts is a clear sign of password spraying
  • Anomaly detection: a user who suddenly logs in at 3:00 AM from an unknown IP address deserves attention
  • Endpoint Detection and Response (EDR): detects suspicious processes, shellcode injection, and lateral movement
  • Network monitoring: unusual outbound management sessions to unknown IP addresses
  • Honeypots: fake accounts with simple passwords that trigger an alert when someone tries to log in
  • Jenkins audit logging: who used the Script Console? Who modified Jobs?
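
Three of the detections in the list above (failed-login waves across accounts, off-hours logins from unknown addresses, and honeypot accounts) can be run over authentication logs with a few dozen lines of Python. This is an added example, not code from the original page; the log format, the decoy account name, the allowlisted source address and the thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log in a simple key=value format (not a real system).
SAMPLE_LOG = """\
2024-03-04T02:58:01Z result=FAIL user=alice src=203.0.113.7
2024-03-04T02:58:03Z result=FAIL user=bob src=203.0.113.7
2024-03-04T02:58:05Z result=FAIL user=carol src=203.0.113.7
2024-03-04T02:58:07Z result=FAIL user=dave src=203.0.113.7
2024-03-04T02:58:09Z result=FAIL user=erin src=203.0.113.7
2024-03-04T02:58:11Z result=FAIL user=svc-backup-old src=203.0.113.7
2024-03-04T03:02:40Z result=OK user=frank src=198.51.100.23
2024-03-04T09:15:00Z result=FAIL user=alice src=192.0.2.10
2024-03-04T09:15:20Z result=OK user=alice src=192.0.2.10
"""

SPRAY_DISTINCT_USERS = 5              # distinct accounts failing from one source ...
SPRAY_WINDOW = timedelta(minutes=10)  # ... within this window = password spraying
HONEYPOT_ACCOUNTS = {"svc-backup-old"}  # constructed decoy account, never used legitimately
KNOWN_SOURCES = {"192.0.2.10"}          # constructed allowlist of expected source addresses
OFF_HOURS = range(0, 6)                 # 00:00-05:59 (timestamps are UTC) counts as off-hours


def parse_line(line: str) -> dict:
    """Turn one log line into a dict with a parsed timestamp."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect(log_text: str) -> list[tuple]:
    """Return (alert_type, source, detail) tuples for the detections described above."""
    events = [parse_line(l) for l in log_text.strip().splitlines() if l.strip()]
    alerts = []

    # 1. Password spraying: for each source, slide a window over its failures and
    #    count distinct target accounts (one account failing many times is lockout
    #    noise, many accounts failing once each is a spray).
    fails_by_src = defaultdict(list)
    for ev in events:
        if ev["result"] == "FAIL":
            fails_by_src[ev["src"]].append(ev)
    for src, fails in fails_by_src.items():
        for i, first in enumerate(fails):
            window = [f for f in fails[i:] if f["ts"] - first["ts"] <= SPRAY_WINDOW]
            users = {f["user"] for f in window}
            if len(users) >= SPRAY_DISTINCT_USERS:
                alerts.append(("password_spray", src, len(users)))
                break

    # 2. Honeypot: any attempt against a decoy account is an alert, success or not.
    for ev in events:
        if ev["user"] in HONEYPOT_ACCOUNTS:
            alerts.append(("honeypot", ev["src"], ev["user"]))

    # 3. Off-hours success from a source not on the allowlist.
    for ev in events:
        if (ev["result"] == "OK" and ev["src"] not in KNOWN_SOURCES
                and ev["ts"].hour in OFF_HOURS):
            alerts.append(("offhours_unknown_src", ev["src"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed log this yields exactly three alerts: a spray of six accounts from 203.0.113.7, a honeypot hit from the same address, and frank's 03:02 login from an unlisted address; alice's single failure from a known address is ignored, which is the point of counting distinct accounts rather than raw failures.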

The irony is that many of these attacks remain undetected for months -- not because detection is so difficult, but because nobody looks at the logs. A SIEM that collects logs but nobody responds to is an expensive piece of furniture.

Summary

You prevent initial access by consistently doing three things:

  1. Harden access: MFA, strong password policy, lockout, and least privilege.
  2. Restrict entry channels: secure mail flow, macro policy, web input validation, shielded management interfaces.
  3. Embed detection: centralized logging, anomaly detection, and rapid follow-up on alerts.

The biggest gains are not in complexity, but in discipline on basic measures.

Defensive validation check

Control point        Validation step
-------------------  -------------------------------------------------------------------
MFA enforcement      Verify that all admin accounts are required to use MFA
Lockout policy       Test in a controlled manner that lockout threshold and cooldown work
Mail security        Check SPF/DKIM/DMARC results and quarantine policy
Macro policy         Verify that unsigned macros are blocked by default
Jenkins hardening    Check that /script is disabled or strictly authorized
Input validation     Verify allowlist validation on all public input points
SIEM alerting        Test whether critical authentication anomalies trigger an alert
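
Two of the mail controls, the macro-attachment block from the "Email filtering" list and the SPF/DMARC check in the "Mail security" row of the table above, can be validated offline against the record text. This is an added example, not code from the original page: it classifies attachments by final extension and grades SPF and DMARC TXT records for the common weak settings (softfail or pass-all SPF, DMARC p=none, partial pct, no reporting address). DKIM is left out because checking it needs the selector's DNS record and a signed message. The record strings in the test are constructed.

```python
import os
import re

# Macro-enabled Office extensions to reject at the mail gateway.
BLOCKED_EXTENSIONS = {".docm", ".xlsm", ".pptm"}

# SPF terms that each cost a DNS lookup; more than 10 makes the record a permerror.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def attachment_blocked(filename: str) -> bool:
    """True when the attachment's final extension is macro-enabled (case-insensitive)."""
    return os.path.splitext(filename.lower())[1] in BLOCKED_EXTENSIONS


def assess_spf(record: str) -> list[str]:
    """Return findings for an SPF TXT record; an empty list means no weakness found."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    alls = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not alls:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        qualifier = alls[-1][0] if alls[-1][0] in "+-~?" else "+"
        if qualifier == "~":
            findings.append("'~all' softfail: spoofed mail is only marked, not rejected")
        elif qualifier != "-":
            findings.append(f"'{qualifier}all' lets any sender pass")
    lookups = sum(
        1 for t in terms[1:]
        if re.split(r"[:/=]", t.lstrip("+-~?").lower())[0] in LOOKUP_TERMS
    )
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the SPF limit of 10 (permerror)")
    return findings


def assess_dmarc(record: str) -> list[str]:
    """Return findings for a DMARC TXT record; an empty list means the policy enforces."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in {"quarantine", "reject"}:
        findings.append(f"p={policy or '(missing)'}: spoofed mail is still delivered")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applies to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua tag: aggregate reports are not collected")
    return findings


if __name__ == "__main__":
    # Constructed records for demonstration; replace with the domain's real TXT values.
    print(assess_spf("v=spf1 include:_spf.example.net ~all"))
    print(assess_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@example.com"))
    print(attachment_blocked("Invoice.PDF.docm"))
```

Feed assess_spf and assess_dmarc the TXT records you pull from DNS during the validation check; a clean result is an empty list, and anything else is a concrete item for the mail team rather than a vague "DMARC is configured".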
