antifragile/antifragile-consulting/playbooks/zero-budget-hardening.md
Tomas Kracmar 763da003d3 Initial commit: antifragile cybersecurity consulting blueprint
Complete repository of frameworks, playbooks, and assessment resources
for cybersecurity consultations focused on antifragile enterprise design.

Includes:
- Core philosophy and manifest (5 pillars)
- 12 modular engagement packages
- AI sovereignty and operations frameworks
- Zero-budget vulnerability discovery and hardening playbooks
- M365 E3 hardening and antifragile project plans
- Osquery sovereign discovery platform blueprint
- Perimeter scanning capability guide
- AI-assisted TVM blueprint for AI-powered adversaries
- Vertical specializations: banking, telco, power/utilities
- CIS Controls v8 and NIST CSF 2.0 mappings
- Risk registers and assessment templates
- C-suite conversation guide and business case templates
2026-05-09 16:53:22 +02:00


Zero-Budget Hardening Playbook

"The most expensive security tool is the one you already bought and never turned on."

This playbook provides tactical guidance for hardening an enterprise's security posture using existing tools, native platform capabilities, and open-source alternatives. It is designed for consultants whose clients need to reduce technological debt and improve resilience without additional software procurement.

The philosophy is simple: maximize current investment before discussing new investment. This builds trust, demonstrates competence, and preserves optionality for strategic purchases later.


The Underutilization Audit

Before proposing any new tool, conduct this audit. It typically reveals that the client already owns 60-80% of the capabilities they need.

Microsoft-Centric Environments (Most Common)

Critical distinction: Most of our clients own E3, not E5. The table below shows the E5 ideal; see M365 E3 Hardening for the pragmatic E3 reality.

| Capability | What E5 Includes | What E3 Includes | What Is Often Unused | Activation Effort |
|---|---|---|---|---|
| Endpoint Detection | Defender for Endpoint P2 (EDR, ASR) | Defender Antivirus only (no EDR) | Real-time protection, network protection | Low |
| SIEM / Log Analytics | Microsoft Sentinel | Log Analytics only (no Sentinel) | Basic KQL queries, log forwarding | Medium |
| Identity Protection | Entra ID P2 (PIM, conditional access, risk) | Entra ID Free (per-user MFA only) | Per-user MFA, basic audit | Low |
| Email Security | Defender for Office 365 P2 (Safe Links, Safe Attachments) | EOP only (basic anti-phishing) | Anti-malware, anti-spam tuning | Low |
| Data Protection | Microsoft Purview (DLP, labels) | None | N/A | N/A |
| Cloud Security | Microsoft Defender for Cloud | Basic Defender for Cloud (limited) | Secure score review | Low |
| PAM (Basic) | Entra ID PIM + LAPS | LAPS only (no PIM) | LAPS deployment | Low |

E3 Strategy: Maximize native E3 capabilities, augment with open-source tools (Wazuh, Sysmon), and selectively license add-ons for critical users rather than blanket E5 upgrades.

The Pitch (E3 Clients):

"You own E3, not E5. That means we do not have EDR, conditional access, or advanced email filtering out of the box. But we do have solid foundations: antivirus, basic MFA, audit logging, and EOP. Our first job is to turn every E3 knob to maximum, then close the most dangerous gaps with free tools like Sysmon and Wazuh. If gaps remain that threaten your specific risk profile, we will size a selective upgrade—not a blanket one."

Multi-Cloud / Heterogeneous Environments

| Capability | Native Free/Cheap Options |
|---|---|
| Vulnerability scanning | AWS Inspector (basic), Azure Update Manager, Google OS Config |
| Configuration compliance | AWS Config (basic), Azure Policy, Google Organization Policy |
| Log aggregation | CloudWatch Logs, Azure Monitor Logs, Cloud Logging |
| Identity security | AWS IAM Access Analyzer, Azure AD Identity Protection, Google Cloud IAM Recommender |
| Network monitoring | VPC Flow Logs, Azure NSG Flow Logs, Google Cloud VPC Flow Logs |
| Cost anomaly detection | AWS Cost Anomaly Detection, Azure Cost Management, Google Cloud Billing Alerts |

Open-Source Force Multipliers

When native capabilities are insufficient, these open-source tools can close gaps without license costs:

| Category | Tool | When to Use |
|---|---|---|
| EDR / XDR | Wazuh | Need centralized endpoint visibility but no EDR budget |
| SIEM | Wazuh (again), Graylog, Grafana Loki | Need log analysis without commercial SIEM |
| Vulnerability Management | OpenVAS | Need scanning without commercial VM platform |
| Network Monitoring | Zeek, Suricata | Need IDS/IPS without commercial NDR |
| Asset Discovery | OpenLDAP scripts, Nmap, Masscan | Need network asset discovery |
| Threat Intelligence | MISP (free tier), AlienVault OTX | Need IOC sharing and correlation |
| Password Auditing | Hashcat, John the Ripper | Need to audit password strength internally |
| Backup Verification | Custom scripts (rsync, hash verification) | Need to validate backup integrity |
| Local AI Inference | Ollama, llama.cpp, vLLM | Need sovereign AI without API costs |

The 30-Day Zero-Budget Sprint

This sprint assumes the client has a typical Microsoft-centric environment with E3 or E5 licensing. Adapt for other environments.

Week 1: Turn On What You Own

Note for E3 clients: Skip the ASR and advanced EDR steps below. E3 includes Defender Antivirus only. See M365 E3 Hardening for the E3-specific week 1 plan. The steps below assume E5 or Defender for Endpoint P2.

Day 1-2: Microsoft Defender for Endpoint (E5 Only)

  • Verify onboarding coverage: what % of endpoints are reporting?
  • Enable ASR rules in Audit mode (not block) to measure impact:
    • Block executable content from email client and webmail
    • Block JavaScript or VBScript from launching downloaded executable content
    • Block Office applications from creating child processes
    • Block Office applications from injecting code into other processes
    • Block Adobe Reader from creating child processes
    • Block persistence through WMI event subscription
  • Enable exploit protection with default settings
  • Enable network protection in Audit mode
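The Day 1-2 steps as a single script, added here as an example and not part of the playbook or any Microsoft material. It assumes an elevated PowerShell session on a Windows 10/11 endpoint onboarded to Defender for Endpoint P2 (E5), and uses the Microsoft-published GUIDs for the six ASR rules listed above; the registry path used for the onboarding check is the one the MDE sensor writes. Run it on a pilot group before using Intune or GPO to push the same settings fleet-wide.

```powershell
# Added example (not from the playbook): verify Defender for Endpoint onboarding,
# put the six Week 1 ASR rules into Audit mode, and enable network protection in
# Audit mode. Assumes an elevated session on an E5 / MDE P2 endpoint.

# 1. Onboarding check: the MDE sensor sets OnboardingState = 1 once the device
#    has registered with the service. ASR telemetry is useless without it.
$status = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' -ErrorAction SilentlyContinue
if ($status.OnboardingState -eq 1) {
    Write-Host 'MDE onboarding: OK'
} else {
    Write-Warning "MDE onboarding: NOT onboarded (OnboardingState = $($status.OnboardingState)); fix this before configuring ASR"
}

# 2. The six ASR rules named in the Day 1-2 plan, keyed by Microsoft's rule GUIDs.
$asrRules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office applications from creating child processes'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C' = 'Block Adobe Reader from creating child processes'
    'E6DB77E5-3DF2-4CF1-B95A-636979351E5B' = 'Block persistence through WMI event subscription'
}

# Audit mode records would-be blocks (event 1122) without enforcing them,
# which is what lets you measure impact before switching to Block.
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
    Write-Host "Audit mode: $($asrRules[$id])"
}

# 3. Network protection in Audit mode as well.
Set-MpPreference -EnableNetworkProtection AuditMode

# 4. Verify. Get-MpPreference returns parallel arrays of rule IDs and actions
#    (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn).
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $ruleId = $pref.AttackSurfaceReductionRules_Ids[$i].ToUpper()
    $name = if ($asrRules.ContainsKey($ruleId)) { $asrRules[$ruleId] } else { 'other rule' }
    '{0}  action={1}  {2}' -f $ruleId, $pref.AttackSurfaceReductionRules_Actions[$i], $name
}
'Network protection: {0}' -f $pref.EnableNetworkProtection
```

Exploit protection is not touched by the script: its system-level defaults are already in effect on a stock Windows build, so "enable with default settings" means checking that no custom mitigation XML has been imported that weakens them, which is a review step rather than a command. The verification loop at the end is the part worth keeping for the Day 20 metrics, since it shows the configured state rather than the intended one.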

Day 3-4: Entra ID (Azure AD) Hardening

  • E5 clients: Enable security defaults or configure conditional access:
    • Require MFA for all users, all cloud apps
    • Block legacy authentication
    • Require compliant or hybrid Azure AD joined device for admin roles
    • Enable PIM for Global Administrator and other privileged roles
  • E3 clients: Enable per-user MFA for all users (no conditional access available)
    • Block legacy authentication tenant-wide
    • Review and reduce standing admin assignments manually
    • Document conditional access as a gap for steering committee

Day 5: Email Security

  • E5 clients: Enable Safe Links and Safe Attachments for all recipients; configure anti-phishing policies with impersonation protection
  • E3 clients: Tune EOP anti-phishing, anti-malware, and anti-spam to maximum aggression; configure impersonation protection in EOP; document Safe Links/Safe Attachments gap
  • Enable mailbox auditing for all users (works in E3)

Week 2: Visibility and Hygiene

Day 6-7: Log Aggregation

  • Enable diagnostic settings for all Azure resources to Log Analytics
  • Enable Microsoft 365 auditing
  • If no Sentinel, use Log Analytics + KQL for basic querying

Day 8-9: Identity Hygiene

  • Export all users, groups, and service principals
  • Disable unused accounts (> 90 days inactive, no owner)
  • Identify shared mailboxes with login capability and restrict
  • Review enterprise applications (OAuth consents) and revoke suspicious grants
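The Day 8-9 stale-account step as a report-first script, added here as an example and not the playbook's own tooling. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Users) is installed and the caller can consent to the listed scopes; note that Graph only returns the signInActivity property on tenants with an Entra ID P1/P2 license, so on a tenant without it the same logic has to be fed from on-premises lastLogonTimestamp for synced accounts. The 90-day threshold comes from the playbook; the "no owner" check stays a human review of the exported CSV.

```powershell
# Added example (not from the playbook): list enabled member accounts with no
# sign-in in the last N days, export them, and optionally disable them.
# Assumes Microsoft.Graph.Users is installed and the signInActivity property is
# available (Entra ID P1/P2). Report-only unless -Disable is given.
param(
    [int]$InactiveDays = 90,
    [switch]$Disable
)

Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All', 'User.ReadWrite.All' | Out-Null

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays)

# Pull every user once; filter client-side so the request stays simple.
$users = Get-MgUser -All -Property 'id,userPrincipalName,displayName,userType,accountEnabled,createdDateTime,signInActivity'

$stale = foreach ($u in $users) {
    if ($u.UserType -ne 'Member') { continue }          # guests are a separate review
    if (-not $u.AccountEnabled) { continue }            # already disabled
    if ($u.CreatedDateTime -gt $cutoff) { continue }    # too new to judge as stale
    # Most recent of interactive and non-interactive sign-in; $null means never.
    $last = @($u.SignInActivity.LastSignInDateTime,
              $u.SignInActivity.LastNonInteractiveSignInDateTime) |
            Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
    if (-not $last -or $last -lt $cutoff) {
        [pscustomobject]@{
            UPN        = $u.UserPrincipalName
            Name       = $u.DisplayName
            Created    = $u.CreatedDateTime
            LastSignIn = if ($last) { $last } else { 'never' }
            Id         = $u.Id
        }
    }
}

# Export first: the CSV is the audit trail and the input to the owner check.
$stale | Export-Csv -Path ".\stale-accounts-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
'{0} enabled member accounts with no sign-in in {1} days' -f @($stale).Count, $InactiveDays

if ($Disable) {
    foreach ($s in $stale) {
        # Disable rather than delete: reversible, and the mailbox/data stay intact.
        Update-MgUser -UserId $s.Id -AccountEnabled:$false
        "Disabled $($s.UPN)"
    }
}
```

Accounts that have never signed in but were created before the cutoff show up as "never"; those are usually the most interesting rows (abandoned onboarding, forgotten service accounts) and the ones where the owner check matters most before the -Disable run.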

Day 10: Secure Score Review

  • Review Microsoft Secure Score (Defender for Cloud + M365)
  • Pick 5 improvements that require no purchase
  • Execute them

Week 3: Configuration and Control

Day 11-12: Windows Defender Firewall

  • Enforce firewall on all profiles (domain, private, public)
  • Enable logging for dropped packets
  • Review and document any exceptions
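The Day 11-12 firewall steps as a script, added here as an example rather than code from the playbook. It assumes an elevated session on a Windows endpoint and uses the NetSecurity module cmdlets that ship with Windows; GPO or Intune should carry the same settings fleet-wide. The exception listing uses the heuristic (an assumption, not a Windows guarantee) that built-in rules carry a Group value while locally added rules do not.

```powershell
# Added example (not from the playbook): enforce the firewall on all three
# profiles, log dropped packets, and export the inbound allow rules that need
# documenting as exceptions. Assumes an elevated session on a Windows endpoint.

$logDir = "$env:SystemRoot\System32\LogFiles\Firewall"

foreach ($fwProfile in 'Domain', 'Private', 'Public') {
    # One log file per profile makes it obvious which network the drops came from.
    Set-NetFirewallProfile -Profile $fwProfile `
        -Enabled True `
        -LogBlocked True `
        -LogFileName "$logDir\pfirewall-$($fwProfile.ToLower()).log" `
        -LogMaxSizeKilobytes 32767
}

# Verify what actually took effect, not what was requested.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, LogBlocked, LogFileName

# Exceptions worth documenting: enabled inbound allow rules that were not shipped
# by Windows. Heuristic: built-in rules have a Group value, locally added ones do not.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { -not $_.Group } |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Name     = $_.DisplayName
            Profile  = $_.Profile
            Protocol = $port.Protocol
            Port     = ($port.LocalPort -join ',')
            Program  = $app.Program
        }
    } | Export-Csv -Path '.\firewall-exceptions.csv' -NoTypeInformation
```

The exported CSV is the "review and document any exceptions" deliverable: each row is a rule someone added deliberately, and the conversation with the owner is whether it is still needed and whether it can be narrowed to a program or a source range.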

Day 13-14: LAPS (Local Administrator Password Solution)

  • Deploy LAPS via GPO or Intune
  • Set unique random passwords for all local admin accounts
  • Configure password expiration (30-60 days)

Day 15: DNS Security

  • Enable DNS over HTTPS (DoH) on Windows 11 endpoints via Intune/GPO
  • Configure DNS filtering (Quad9, Cloudflare for Teams free tier, or native Microsoft DNS security)
  • Enable DNS query logging if infrastructure supports it

Week 4: Validation and Documentation

Day 16-17: Backup Verification

  • Inventory all backup jobs
  • Select one non-critical system and perform test restore
  • Document gaps in coverage or recovery time

Day 18-19: External Perspective

  • Run basic external scan using free tools (Shodan search for your IP ranges, SSL Labs for public websites)
  • Document exposed services and missing TLS configurations

Day 20: Metrics and Reporting

  • Calculate "before and after" metrics:
    • EDR coverage %
    • MFA enrollment %
    • Secure Score change
    • Number of disabled unused accounts
    • Number of ASR audit-mode triggers
  • Present to stakeholders with cost: $0 in new licensing

The 60-90 Day Extension: Configuration as Control

Once the initial sprint proves value, extend into structural improvements that require work but not purchase.

Conditional Access Refinement

| Policy | Target | Risk Addressed |
|---|---|---|
| Require MFA from untrusted locations | All users | Credential stuffing, brute force from abroad |
| Require compliant device for sensitive apps | Finance, HR, Engineering | Data exfiltration from unmanaged devices |
| Block download from unmanaged devices | SharePoint, OneDrive | Shadow IT data leakage |
| Require password change on high user risk | All users | Compromised credential remediation |

ASR Rules: From Audit to Block

After 30 days of audit-mode data:

  • Review ASR rule hits
  • Identify false positives and create exclusions
  • Switch high-confidence rules to Block mode
  • Monitor for 2 weeks, then iterate
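The audit-to-block review on a single device, added here as an example and not code from the playbook. It assumes an elevated session on an endpoint whose ASR rules were placed in Audit mode, reads the local Defender operational log (event 1122 is an ASR audit hit; 1121 is a block), and counts hits per rule for the rules currently in Audit mode. The rule GUID and process path are extracted from the event message text; that layout is an assumption about the message format. At fleet scale the same counts come from Advanced Hunting, but the decision logic is the same.

```powershell
# Added example (not from the playbook): count ASR audit hits per rule from the
# local Defender event log, show which processes triggered them, and promote
# only the rules you name to Block. Assumes an elevated session on a device
# with ASR rules in Audit mode.
param(
    [int]$Days = 30,
    [string[]]$PromoteRuleIds = @()   # rule GUIDs the review cleared for Block
)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1122                      # ASR rule audited (1121 = blocked)
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

# Assumption: the rule GUID is the first GUID in the message and the process
# appears on a "Process Name:" line.
$guidPattern = '[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}'
$counts = @{}   # rule GUID -> hit count
$procs  = @{}   # rule GUID -> set of process paths
foreach ($e in $events) {
    $m = [regex]::Match($e.Message, $guidPattern)
    if (-not $m.Success) { continue }
    $id = $m.Value.ToUpper()
    $counts[$id] = [int]$counts[$id] + 1
    $p = [regex]::Match($e.Message, 'Process Name:\s*(.+)')
    if ($p.Success) {
        if (-not $procs.ContainsKey($id)) { $procs[$id] = @{} }
        $procs[$id][$p.Groups[1].Value.Trim()] = $true
    }
}

# Report only the rules that are actually in Audit mode (action 2) right now.
$pref = Get-MpPreference
"ASR rules in Audit mode and their hits in the last $Days days:"
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id = $pref.AttackSurfaceReductionRules_Ids[$i].ToUpper()
    if ($pref.AttackSurfaceReductionRules_Actions[$i] -ne 2) { continue }
    $hitCount = [int]$counts[$id]
    $hitProcs = if ($procs.ContainsKey($id)) { $procs[$id].Keys -join '; ' } else { '' }
    '{0}  hits={1}  {2}' -f $id, $hitCount, $hitProcs
}

# Promotion is explicit: a rule with zero hits, or whose hits were all confirmed
# false positives and excluded via -AttackSurfaceReductionOnlyExclusions, is a
# candidate. Nothing is switched unless you pass its GUID.
foreach ($id in $PromoteRuleIds) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
    "Switched $id to Block"
}
```

The process list per rule is what turns a hit count into a decision: a rule whose only hits come from a known line-of-business installer gets a path exclusion and then Block, while a rule with scattered hits from user-launched Office documents stays in Audit for another cycle.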

Automated Response (No SOAR Required)

Use native platform automation:

| Platform | Native Automation | Use Case |
|---|---|---|
| Microsoft | Logic Apps + Sentinel / Defender APIs | Auto-isolate high-risk device, auto-disable compromised account |
| AWS | EventBridge + Lambda | Auto-snapshot compromised EC2, auto-revoke suspicious IAM key |
| Azure | Logic Apps + Azure Monitor | Auto-scale compromised resource, auto-trigger runbook |
| Google Cloud | Cloud Functions + Cloud Monitoring | Auto-suspend suspicious service account |

These require no additional licensing—only development time.


AI Sovereignty on Existing Hardware

Local AI does not require a $50,000 GPU cluster to start. Many organizations have underutilized servers or workstations that can run quantized models.

Minimum Viable Local AI

| Component | Specification | Typical Source |
|---|---|---|
| CPU inference host | 8+ cores, 32GB+ RAM | Underutilized server, retired workstation |
| Storage | 100GB SSD for models and data | Existing SAN or local SSD |
| GPU (optional) | NVIDIA with 8GB+ VRAM for faster inference | Existing CAD/ML workstation |
| Software | Ollama or llama.cpp | Free, open-source |
| Model | Llama 3.1 8B or Mistral 7B (4-bit quantized) | Free download |

Pilot Workflow: Internal code review assistant or security log summarizer. These are low-risk, high-signal use cases that prove local AI viability without disrupting operations.


Common Objections and Responses

| Objection | Response |
|---|---|
| "We need a proper EDR, not Defender." | Defender for Endpoint is a Leader in Gartner Magic Quadrant. Most organizations have not enabled its advanced features. Let us turn those on first and measure. |
| "Open source is not enterprise-grade." | Zeek, Suricata, Wazuh, and Ollama are used by Fortune 500 companies and government agencies. The issue is not the tool; it is the expertise to run it. |
| "We don't have time to configure this." | Configuration is a one-time investment with perpetual returns. Buying a new tool also requires configuration—plus negotiation, procurement, and onboarding. |
| "Our auditor wants to see vendor support." | For audit evidence, native platform capabilities (Microsoft, AWS, Google) come with vendor backing. Open-source can be supplemented with commercial support if needed. |
| "The board wants us to buy something." | The board wants risk reduction. Show them risk reduction at zero incremental cost, and they will trust you when you later recommend strategic purchases. |

The Consultant's Value Proposition

When you deliver zero-budget hardening, you demonstrate:

  1. Independence: You are not here to sell software. You are here to solve problems.
  2. Competence: You know how to extract value from complex platforms.
  3. Speed: Visible improvement in 30 days builds momentum and political capital.
  4. Trust: When you later recommend a purchase, it will be because the gap genuinely requires it—not because you have a quota.

The Opening Pitch

"Before we talk about what to buy, let us talk about what you already own. In our experience, most organizations are utilizing less than 40% of their existing security capabilities. Our 30-day sprint will turn on, tune, and operationalize what you have already paid for. If there is still a gap after that, we will recommend the minimum viable purchase to close it."


Integration With Rapid Modernisation

The Zero-Budget Hardening Playbook maps directly onto the Rapid Modernisation Plan:

| Rapid Modernisation Phase | Zero-Budget Focus |
|---|---|
| Hygiene (Days 0-30) | Turn on existing EDR, enable MFA, configure conditional access, inventory identities |
| Control (Days 30-60) | ASR rules, LAPS, DNS security, log aggregation with existing tools |
| Sovereignty (Days 60-90) | Local AI on existing hardware, backup verification with existing solution |
| Antifragility (Days 90-180) | Open-source network monitoring, native automation, chaos engineering with free tools |

Previous: Rapid Modernisation Plan Next: Implementation Playbook