> Repave servers and applications every few hours. This means redeploying the same software – if an attacker has compromised a server, the deploy will wipe out the attacker’s foothold there
Yes, but keep in mind that the same attacker will be able to run the same attack successfully again, as long as they have an attack vector.
> Repair vulnerable software as soon as possible (within a few hours) after a patch is available.
Very good advice, and for that you need somebody to update vulnerable libraries and OS packages - like what Linux distributions do - unless you want to maintain hundreds of packages by yourself.
> the same attacker will be able to run the same attack successfully again, as long as they have an attack vector
I'm reminded of 'fileless malware'. A virus can reside exclusively in volatile memory. Worst case here would be to have a set of servers continually reinfecting each other even as you continually repave. I imagine the solution to that would be to repave the whole set and then switch over, like double-buffering. (Of course, not using files isn't exactly a strength here, but it seems apropos.)
>> Repave servers and applications every few hours.
> Yes, but keep in mind that the same attacker will be able to run the same attack successfully again
Exactly. Detecting that deployed files were tampered with can be tricky (one has to take updates into account, and some attacking code may be able to detect this analysis and nurture it with the original version of the files).
As an aside, s/nurture/neutralize/ eh? I'm seeing more and more malapropisms in online text. Has some common auto-correct thing gotten aggressive in guessing, badly, at misspelled words? (Auto-incorrect.)
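The tamper-detection point raised a couple of comments up (an integrity check has to tell a legitimate update apart from an attacker's change) can be shown with a small manifest-based checker. This is an added example, not code from any commenter or from the article under discussion; the file tree, the "tamper" and the v2 deploy are all constructed inside a temporary directory, and the function names are my own.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large artifacts do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every regular file under root, keyed by POSIX path relative to root.
    Generate this from the deployment artifact itself at deploy time, so the
    manifest describes exactly the version that was shipped."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify(root: Path, manifest: dict) -> dict:
    """Compare the live tree against a manifest. Anything modified, added or
    removed relative to what was deployed is reported."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "removed": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo() -> tuple:
    """Constructed scenario: deploy v1 and verify clean, tamper with the tree,
    then redeploy v2 and show why the manifest must be regenerated per deploy."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "app.py").write_text("print('v1')\n")
        (root / "lib").mkdir()
        (root / "lib" / "util.py").write_text("def f(): return 1\n")
        m1 = build_manifest(root)
        clean = verify(root, m1)

        # Constructed tampering: one shipped file altered, one unexpected file dropped in.
        (root / "lib" / "util.py").write_text("def f(): return 1\n# constructed change\n")
        (root / "lib" / "extra.so").write_bytes(b"constructed-unexpected-file")
        tampered = verify(root, m1)

        # Legitimate v2 redeploy (a repave): tree replaced, new manifest built from v2.
        (root / "lib" / "extra.so").unlink()
        (root / "lib" / "util.py").write_text("def f(): return 1\n")
        (root / "app.py").write_text("print('v2')\n")
        m2 = build_manifest(root)
        stale = verify(root, m1)   # checking v2 against the v1 manifest flags the update
        fresh = verify(root, m2)   # checking against the v2 manifest is clean
        return clean, tampered, stale, fresh


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "stale manifest", "fresh manifest"), demo()):
        print(label, result)
```

The `stale` result is the update problem in one line: a checker that keeps an old manifest will raise a false alarm on every repave, which is how such alerts end up ignored. Tie the manifest to the deployed artifact version instead, and keep both the manifest and the comparison off the host being checked, since code already running on that host can, as the comment says, feed the checker the original bytes.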
Good advice!