Use phishing resistant 2FA everywhere! (FIDO etc.) - avoid SMS
Limit admin privileges
Install an up-to-date antivirus/HIPS/EDR solution (with web protection)
Keep your OS and apps up-to-date (apply patches)
Periodically scan your system with tools like Loki, Thor Lite scanner etc.
Be careful about your browser extensions and their privileges
Make sure you don't expose any public service to internet (RDP etc.)
Try to avoid Windows (if possible)
Implement application allowlisting
Use file-integrity apps to protect critical files
Monitor continuously (via NSM and EDR), respond ASAP (isolate etc.) when you see a sus. thing on your system/network before they complete their objectives
Read about latest threats, evaluate your posture since threat landscape keeps changing
Read about threat/incident reports regarding state-level actors targeted your industry in the past
Are you actually targeted with undisclosed vulnerabilities, or are you just concerned about quickly patching your infrastructure after a vulnerability is disclosed? If it's the latter, I'd love to hear more about your pain points as it's an area in which I've been kicking around ideas for a while.
