Endpoints are where attacks land and where data lives. Layer prevention (allowlisting, EDR) with the controls that stop code from running and data from walking.
Why: endpoints are the primary target and the last line of defense, so modern endpoint protection (EDR — Endpoint Detection and Response) both blocks known malware and detects suspicious behavior, feeding telemetry to your detection pipeline. When: deploy EDR on every endpoint and server, tuned to alert and, where trusted, to contain. Where: EDR is what should catch the exploitation and post-exploitation activity from the pentest course — and its logs power the Threat Detection course.
ENDPOINT PROTECTION layers:
ANTI-MALWARE signature + heuristic blocking of known-bad
EDR behavioral detection + response (isolate, kill, roll back)
-> rich process/network telemetry to the SIEM
HOST FIREWALL + HIPS block unexpected connections + behaviors
EDR should light up during exploitation/priv-esc. If it doesn't, that's a
detection gap to fix (Threat Detection course).Why: the strongest control against malware is to allow only approved programs to run (allowlisting) rather than trying to block every bad one — because a denylist always misses the newest threat. When: use allowlisting (AppLocker, WDAC, fapolicyd) on high-value or fixed-function systems where the software set is stable. Where: this neutralizes most malware and living-off-the-land binaries by default, since unapproved code simply cannot execute.
# Allow only approved binaries to execute (Linux: fapolicyd; Windows: AppLocker/WDAC).
# Default posture: DENY execution, ALLOW an explicit set of trusted paths/hashes.
fapolicyd --debug # observe what executes, build the allowlist
# then enforce: unapproved binaries (incl. dropped malware) can't run.
# Allowlisting beats denylisting: you don't need to know every bad program,
# only your good ones. Best on servers/kiosks with a stable software set.Why: hardening also means protecting the data itself — full-disk encryption defeats physical theft, and controls on removable media and egress limit exfiltration. When: encrypt disks on laptops/mobile, restrict USB and cloud-upload paths for sensitive data, and monitor large outbound transfers. Where: these controls counter the exfiltration behaviors traced in the DFIR course, and reduce the impact of any successful compromise.
Protect the DATA, not just the host:
[ ] full-disk encryption (LUKS / BitLocker) — defeats device theft
[ ] restrict/monitor removable media (USB) on sensitive systems
[ ] DLP / egress controls on paths where data could leave
[ ] encrypt sensitive data at rest; tight file permissions
[ ] alert on large or unusual OUTBOUND transfers (exfil signal)
Reduces the IMPACT of a breach even if prevention fails.