Dependency removed: reliance on attackers not finding you, on vendors patching your systems, and on cloud security teams protecting your data - you actively defend your own infrastructure.
This section covers defensive security for systems you own and operate. It explicitly excludes techniques for attacking third-party systems. The goal is to protect your digital infrastructure from unauthorized access, data loss, and disruption - including in scenarios where conventional security tooling (cloud-connected AV, SIEM, MDR services) is unavailable.
- Hardening - reducing attack surface; disabling unused services; minimal installs; CIS benchmarks as a starting point
- Access control - least-privilege; service accounts; password policies; local identity providers
- Monitoring and logging - what to collect, how long to keep it, and how to alert on anomalies without cloud dependency
- Incident response - triage, containment, eradication, recovery; runbook-driven; practiced before needed
These techniques are deployed only within systems you own or are explicitly authorized to administer:
- Honeypots and decoy services - isolated services that attract and identify attackers; alert on first access
- Honeytokens - fake API keys, documents, and database rows that trigger alerts when accessed
- Canary credentials and files - tripwires for detecting lateral movement; alert on use
- Tarpits and throttling - slowing down suspicious connections at the network or application level
- Automated containment - VLAN quarantine; account lockout; firewall block on detection
Safety design requirements:
- Deception environments must be isolated from production systems
- Logging/telemetry must flow through a separate path that attackers cannot tamper with
- Clear rollback and escalation procedures must exist before any deception system is deployed
Critical when cloud-connected AV is unavailable:
- Offline-capable scanners - ClamAV with locally staged definitions; Windows Defender offline scan
- Offline definition updates - staging update packages from a trusted machine; verifying signatures before import
- Removable media hygiene - dedicated scanning workstation; quarantine workflow for all new media
- Allowlisting - application allowlists as a complement to signature-based detection; reduces reliance on up-to-date signatures
- Local surveillance cameras - no cloud dependency; local NVR; Motion, Frigate, or hardware NVR
- Offline event retention - locally stored video; retention policies; integrity verification
- Doorbells and intercoms - local operation without internet; SIP-based intercom systems
- Power continuity for security systems - UPS for cameras, NVR, and sensors
- Intrusion detection - Suricata, Snort; network-based detection; alert routing to local SIEM
- Behavioral monitoring - Wazuh for host-based detection; file integrity monitoring; privilege escalation detection
- Alerting - local alerting via MQTT, Gotify, or ntfy; no cloud dependency; tested alert paths
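A minimal honeytoken tripwire tying the canary credentials above to local push alerting, as an added example that is not part of the original page: it scans constructed auth/app log lines for planted canary values (a fake service account and a placeholder API key) and builds the alert request for a self-hosted ntfy server. The token values, hostname and ntfy URL are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical honeytokens planted on our own hosts (constructed placeholders).
HONEYTOKENS = {
    "svc-backup-archive": "canary SSH account (never used by real staff)",
    "CANARY-API-KEY-0001": "fake API key left in /etc/app/legacy.env",
}

# Constructed sample lines standing in for /var/log/auth.log and an app log.
SAMPLE_LOGS = [
    "Mar  3 02:11:07 nas sshd[4121]: Accepted password for alice from 10.0.0.5 port 51022 ssh2",
    "Mar  3 02:14:33 nas sshd[4190]: Failed password for svc-backup-archive from 10.0.0.77 port 40310 ssh2",
    "Mar  3 02:15:01 nas app[1200]: auth rejected key=CANARY-API-KEY-0001 client=10.0.0.77",
    "Mar  3 02:16:45 nas sshd[4211]: Accepted publickey for bob from 10.0.0.6 port 51030 ssh2",
]

@dataclass(frozen=True)
class CanaryHit:
    token: str
    description: str
    source_ip: Optional[str]
    line: str

IP_RE = re.compile(r"(?:from|client=)\s*(\d{1,3}(?:\.\d{1,3}){3})")

def scan_lines(lines, tokens=HONEYTOKENS):
    """Return one CanaryHit per log line that mentions a honeytoken.
    Any appearance counts: a canary is never used legitimately, so even a
    failed login with it is the tripwire firing."""
    hits = []
    for line in lines:
        for token, desc in tokens.items():
            if token in line:
                m = IP_RE.search(line)
                hits.append(CanaryHit(token, desc, m.group(1) if m else None, line))
    return hits

def ntfy_request(hit, topic="canary-alerts", base_url="http://ntfy.lan"):
    """Build the HTTP request for a self-hosted ntfy server (not sent here).
    ntfy takes the message as the POST body and metadata in headers."""
    return {
        "method": "POST",
        "url": f"{base_url}/{topic}",
        "headers": {"Title": f"Honeytoken triggered: {hit.token}",
                    "Priority": "urgent", "Tags": "rotating_light"},
        "body": f"{hit.description}\nsource={hit.source_ip or 'unknown'}\n{hit.line}",
    }

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOGS):
        req = ntfy_request(hit)
        print(req["headers"]["Title"], "->", req["url"], "| src", hit.source_ip)
```

Ship the alert over a management VLAN or out-of-band link rather than the segment the decoy sits on, so a host that trips the canary cannot also suppress the notification.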
- Home SOC - Wazuh + Suricata + local alerting on a dedicated machine or VM
- Personal Monitoring Stack - lightweight monitoring for a home server: file integrity, failed logins, network anomalies
- Community Security Monitoring - shared detection and alerting for a community network