Defense & Mitigation Strategies
Zero Trust architecture, network detection and response, incident handling, security operations, and comprehensive defense frameworks
Chapter 14: Defense & Mitigation Strategies
The Zero Trust Mandate
In May 2021, President Biden signed Executive Order 14028, mandating that U.S. federal agencies adopt Zero Trust architecture. This wasn't just policy posturing; it was a response to years of devastating breaches that traditional perimeter security had failed to prevent.
SolarWinds showed that attackers inside the network could move laterally for months. The Colonial Pipeline ransomware attack disrupted fuel supply to the eastern United States. Microsoft Exchange vulnerabilities exposed thousands of organizations. Each incident highlighted the same fundamental failure: once attackers got past the perimeter, they had free rein.
Zero Trust represents a paradigm shift: assume breach, verify explicitly, and enforce least privilege. But Zero Trust alone isn't enough. Organizations need detection capabilities, incident response plans, and security operations that can identify and respond to threats in real time.
This chapter synthesizes the defensive techniques introduced throughout Part II into a comprehensive security strategy, from architecture to operations.
Defense in Depth Revisited
Layered Security Model
Modern Defense in Depth

```text
┌─────────────────────────────────────────────────────────────┐
│ GOVERNANCE & POLICY                                         │
│ Security policies, standards, compliance, risk management   │
└──────────────────────────────┬──────────────────────────────┘
                               │
┌──────────────────────────────┴──────────────────────────────┐
│ IDENTITY & ACCESS                                           │
│ IAM, MFA, privileged access, zero trust principles          │
└──────────────────────────────┬──────────────────────────────┘
                               │
┌──────────────────────────────┴──────────────────────────────┐
│ PERIMETER DEFENSE                                           │
│ Firewalls, WAF, DDoS protection, email security             │
└──────────────────────────────┬──────────────────────────────┘
                               │
┌──────────────────────────────┴──────────────────────────────┐
│ NETWORK SECURITY                                            │
│ Segmentation, IDS/IPS, NDR, network monitoring              │
└──────────────────────────────┬──────────────────────────────┘
                               │
┌──────────────────────────────┴──────────────────────────────┐
│ ENDPOINT SECURITY                                           │
│ EDR, antimalware, patch management, hardening               │
└──────────────────────────────┬──────────────────────────────┘
                               │
┌──────────────────────────────┴──────────────────────────────┐
│ APPLICATION SECURITY                                        │
│ Secure development, code review, SAST/DAST, WAF rules       │
└──────────────────────────────┬──────────────────────────────┘
                               │
┌──────────────────────────────┴──────────────────────────────┐
│ DATA SECURITY                                               │
│ Encryption, DLP, classification, access controls            │
└──────────────────────────────┬──────────────────────────────┘
                               │
┌──────────────────────────────┴──────────────────────────────┐
│ SECURITY OPERATIONS & RESPONSE                              │
│ SIEM, SOC, incident response, threat hunting                │
└─────────────────────────────────────────────────────────────┘
```
Defense Categories
| Layer | Preventive | Detective | Responsive |
|---|---|---|---|
| Network | Firewall, segmentation | IDS, NDR | Isolation, blocking |
| Endpoint | AV, hardening | EDR, logging | Quarantine, wipe |
| Identity | MFA, least privilege | Behavior analytics | Account disable |
| Data | Encryption, DLP | Data monitoring | Access revocation |
| Application | Input validation | WAF, RASP | Patching, rollback |
Zero Trust Architecture
Zero Trust Principles
Zero Trust Fundamentals

```text
CORE PRINCIPLES:

1. NEVER TRUST, ALWAYS VERIFY
   - Authenticate every access request
   - Continuous verification, not one-time

2. ASSUME BREACH
   - Design as if the attacker is already inside
   - Limit the blast radius of a compromise

3. VERIFY EXPLICITLY
   - Use all data points: user, device, location, resource
   - Real-time risk assessment

4. LEAST PRIVILEGE ACCESS
   - Minimum necessary permissions
   - Just-in-time access

5. MICRO-SEGMENTATION
   - Segment by application, not by network
   - Isolate workloads
```
Zero Trust Network Architecture
Traditional vs Zero Trust

```text
TRADITIONAL (Castle and Moat):
┌─────────────────────────────────────────────────────────────┐
│ TRUSTED ZONE                                                │
│  ┌────────┐  ┌────────┐  ┌────────┐  ┌────────┐             │
│  │ Server │  │ Server │  │  User  │  │  User  │             │
│  └────────┘  └────────┘  └────────┘  └────────┘             │
│                                                             │
│  All internal traffic trusted                               │
│  Once inside, free lateral movement                         │
└──────────────────────────────┬──────────────────────────────┘
                               │ Firewall
┌──────────────────────────────┴──────────────────────────────┐
│ UNTRUSTED ZONE (Internet)                                   │
└─────────────────────────────────────────────────────────────┘

ZERO TRUST:
┌─────────────────────────────────────────────────────────────┐
│  ┌───────────────────────────────────────────────────────┐  │
│  │ POLICY ENGINE                                         │  │
│  │ Identity • Device • Location • Time • Risk Score      │  │
│  └───────────────────────────┬───────────────────────────┘  │
│                              │                              │
│  ┌───────────┐  ┌────────────┴────────────┐  ┌───────────┐  │
│  │  Server   │◄─┤ Policy Enforcement      ├─►│  Server   │  │
│  │ (Isolated)│  │ Point                   │  │ (Isolated)│  │
│  └───────────┘  └────────────┬────────────┘  └───────────┘  │
│                              │                              │
│  ┌───────────┐               │               ┌───────────┐  │
│  │   User    ├───────────────┴───────────────┤   User    │  │
│  │ (Verified)│                               │ (Verified)│  │
│  └───────────┘                               └───────────┘  │
│                                                             │
│  Every access verified • Micro-segmented • Logged           │
└─────────────────────────────────────────────────────────────┘
```
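The policy engine in the Zero Trust diagram evaluates identity, device, location, time and a risk score for every request. The following is an added illustration of that decision logic in Python; it is not code from this chapter or from any Zero Trust product. The resource policies, the risk thresholds (80 for hard deny, 50 for step-up) and the sample requests are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class AccessRequest:
    user: str
    roles: set
    mfa_age_minutes: int      # minutes since the last MFA challenge
    device_managed: bool      # enrolled, with a device certificate
    device_healthy: bool      # passed the endpoint health check
    country: str              # geo-IP country of the request
    request_time: datetime    # UTC
    resource: str
    risk_score: int           # 0-100, from an analytics/UEBA feed (constructed)


# Constructed per-resource policy: allowed roles and countries, a working-hours
# window, and how fresh the MFA proof must be (minutes).
RESOURCE_POLICY = {
    "payroll-db": {"roles": {"finance"}, "countries": {"US"},
                   "max_mfa_age": 15, "hours": (7, 19)},
    "wiki": {"roles": {"finance", "engineering"}, "countries": {"US", "CA"},
             "max_mfa_age": 480, "hours": (0, 24)},
}

HARD_DENY_RISK = 80   # assumption: at or above this the request is refused outright
STEP_UP_RISK = 50     # assumption: at or above this a fresh MFA proof is demanded


def evaluate(req: AccessRequest):
    """Return (decision, reasons). Decision is ALLOW, STEP_UP or DENY.

    Every signal is checked explicitly on every request; being "inside the
    network" never appears as an input, which is the point of Zero Trust.
    """
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return "DENY", ["unknown resource (default deny)"]
    reasons = []
    # Identity: least privilege through role membership
    if not (req.roles & policy["roles"]):
        reasons.append("role not permitted for resource")
    # Device: unmanaged or unhealthy devices never reach the resource
    if not req.device_managed:
        reasons.append("unmanaged device")
    elif not req.device_healthy:
        reasons.append("device failed health check")
    # Location and time window
    if req.country not in policy["countries"]:
        reasons.append(f"country {req.country} not allowed")
    start, end = policy["hours"]
    if not start <= req.request_time.hour < end:
        reasons.append("outside allowed hours")
    # Risk score from continuous monitoring
    if req.risk_score >= HARD_DENY_RISK:
        reasons.append(f"risk score {req.risk_score} above hard-deny threshold")
    if reasons:
        return "DENY", reasons
    # Continuous verification: stale MFA or elevated risk -> re-authenticate
    if req.mfa_age_minutes > policy["max_mfa_age"] or req.risk_score >= STEP_UP_RISK:
        return "STEP_UP", ["fresh MFA proof required"]
    return "ALLOW", ["all signals satisfied"]


def sample_requests():
    """Constructed requests used by the demonstration below."""
    t = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)
    return {
        "finance_ok": AccessRequest("alice", {"finance"}, 5, True, True, "US", t, "payroll-db", 10),
        "finance_stale_mfa": AccessRequest("alice", {"finance"}, 60, True, True, "US", t, "payroll-db", 10),
        "engineer_wrong_everything": AccessRequest(
            "bob", {"engineering"}, 1, False, True, "DE",
            datetime(2024, 1, 10, 23, 0, tzinfo=timezone.utc), "payroll-db", 90),
        "engineer_wiki": AccessRequest("bob", {"engineering"}, 30, True, True, "CA", t, "wiki", 20),
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        decision, why = evaluate(req)
        print(f"{name:28} {decision:8} {'; '.join(why)}")
```

Note that a denial reports every failed signal rather than stopping at the first: the policy enforcement point needs only the verdict, but the SOC needs the full list to tell a mistyped role from a stolen credential used from an unmanaged device abroad.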
Implementing Zero Trust
Zero Trust Implementation Phases

```text
PHASE 1: VISIBILITY
───────────────────
  ☐ Asset inventory (devices, applications, data)
  ☐ User and service account inventory
  ☐ Data classification
  ☐ Traffic flow mapping
  ☐ Current access patterns

PHASE 2: IDENTITY
───────────────────
  ☐ Strong authentication (MFA everywhere)
  ☐ Identity governance
  ☐ Privileged access management
  ☐ Service identity (workload identity)
  ☐ Conditional access policies

PHASE 3: DEVICE
───────────────────
  ☐ Device inventory and health checks
  ☐ Endpoint detection and response
  ☐ Device compliance enforcement
  ☐ Certificate-based device identity

PHASE 4: NETWORK
───────────────────
  ☐ Micro-segmentation
  ☐ Software-defined perimeter
  ☐ Encrypted communications (TLS everywhere)
  ☐ Network detection and response

PHASE 5: APPLICATION & DATA
───────────────────
  ☐ Application-aware policies
  ☐ API security
  ☐ Data loss prevention
  ☐ Encryption at rest and in transit
```
Network Detection and Response (NDR)
NDR Capabilities
NDR Architecture

```text
┌─────────────────────────────────────────────────────────────┐
│ NETWORK TRAFFIC                                             │
│   ┌─────┐   ┌─────┐   ┌─────┐   ┌─────┐   ┌─────┐           │
│   │ TAP │   │ TAP │   │ TAP │   │ TAP │   │ TAP │           │
│   └──┬──┘   └──┬──┘   └──┬──┘   └──┬──┘   └──┬──┘           │
└──────┼─────────┼─────────┼─────────┼─────────┼──────────────┘
       │         │         │         │         │
       └─────────┴─────────┼─────────┴─────────┘
                           │
                  ┌────────┴─────────┐
                  │    NDR SENSOR    │
                  │                  │
                  │ • Packet capture │
                  │ • Flow analysis  │
                  │ • Protocol decode│
                  │ • ML/Behavioral  │
                  └────────┬─────────┘
                           │
                  ┌────────┴─────────┐
                  │   NDR PLATFORM   │
                  │                  │
                  │ • Correlation    │
                  │ • Threat intel   │
                  │ • Investigation  │
                  │ • Response       │
                  └──────────────────┘
```
NDR Detection Categories
| Category | Detection Method | Examples |
|---|---|---|
| Signature | Known patterns | Malware C2, exploits |
| Behavioral | Anomaly from baseline | Beaconing, exfiltration |
| ML/AI | Model-based detection | Novel threats, variants |
| Threat Intel | IOC matching | Known bad IPs, domains |
| Protocol | Protocol violations | DNS tunneling, HTTP anomalies |
Open Source NDR Stack
```bash
# Zeek (formerly Bro) - network analysis framework; "local" loads the default local.zeek policy
zeek -i eth0 local
# Zeek writes one log per protocol or activity into the working directory, e.g.:
#   conn.log  - connections (5-tuple, duration, bytes, connection state)
#   dns.log   - DNS queries and answers
#   http.log  - HTTP transactions
#   ssl.log   - SSL/TLS handshakes (SNI, certificates)
#   files.log - files seen in transit

# Suricata - IDS/IPS with NDR-style protocol logging (eve.json)
suricata -c /etc/suricata/suricata.yaml -i eth0

# RITA - beacon and C2 detection over Zeek logs
rita import --database mydb zeek_logs/
rita html-report --database mydb

# Arkime (formerly Moloch) - full packet capture and search
/opt/arkime/bin/capture -c /opt/arkime/etc/config.ini
```
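The behavioral row of the detection table (beaconing) is what RITA computes from Zeek's conn.log. Below is an added example, not RITA's or Zeek's code, of the core idea: score each source/destination pair by how regular its connection intervals and payload sizes are. The conn.log excerpt is constructed (one host calls 203.0.113.7 every minute with tiny jitter; another browses 198.51.100.20 irregularly), and the 0.7/0.3 weights and the eight-connection minimum are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed Zeek conn.log excerpt (tab-separated, with a Zeek-style #fields
# header). Host 10.0.0.5 contacts 203.0.113.7:443 every ~60 s with tiny jitter and
# near-constant size; host 10.0.0.9 browses 198.51.100.20 irregularly.
_BEACON = [
    f"{1700000000 + 60 * i + (i % 3)}\t10.0.0.5\t{49152 + i}\t203.0.113.7\t443\ttcp\t{120 + (i % 2)}"
    for i in range(20)
]
_BROWSING = [
    f"{1700000000 + t}\t10.0.0.9\t{50000 + n}\t198.51.100.20\t443\ttcp\t{b}"
    for n, (t, b) in enumerate([(5, 900), (12, 4800), (300, 350), (301, 12000),
                                (880, 640), (1500, 2000), (1502, 77000), (3000, 410)])
]
CONN_LOG = "\n".join(
    ["#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_bytes"]
    + _BEACON + _BROWSING
)


def parse_conn_log(text):
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))


def beacon_scores(text, min_connections=8):
    """Score each (src, dst, dport) pair in [0, 1]; 1 means perfectly periodic.

    Interval regularity is weighted 0.7 and payload-size regularity 0.3, using the
    coefficient of variation (stdev / mean) so the score does not depend on the
    beacon period. The weights and the minimum count are assumptions.
    """
    series = defaultdict(list)
    for rec in parse_conn_log(text):
        size = 0 if rec["orig_bytes"] == "-" else int(rec["orig_bytes"])   # Zeek logs "-" for unknown
        series[(rec["id.orig_h"], rec["id.resp_h"], rec["id.resp_p"])].append((float(rec["ts"]), size))
    scores = {}
    for key, conns in series.items():
        if len(conns) < min_connections:
            continue
        conns.sort()
        intervals = [later[0] - earlier[0] for earlier, later in zip(conns, conns[1:])]
        sizes = [size for _, size in conns]
        if statistics.mean(intervals) == 0:
            continue   # only duplicate timestamps; nothing periodic to measure
        interval_cv = statistics.pstdev(intervals) / statistics.mean(intervals)
        size_cv = statistics.pstdev(sizes) / statistics.mean(sizes) if statistics.mean(sizes) else 1.0
        regularity = max(0.0, 1.0 - interval_cv)
        size_regularity = max(0.0, 1.0 - size_cv)
        scores[key] = round(0.7 * regularity + 0.3 * size_regularity, 3)
    return scores


if __name__ == "__main__":
    for (src, dst, port), score in sorted(beacon_scores(CONN_LOG).items(), key=lambda kv: -kv[1]):
        flag = "BEACON?" if score >= 0.8 else ""
        print(f"{src:>12} -> {dst}:{port}  score={score:.3f} {flag}")
```

Real beacons add deliberate jitter and real software (update checks, mail polling) is also periodic, so a score like this is a hunting lead that is prioritized with threat intelligence and destination reputation, not a verdict on its own.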
Security Information and Event Management (SIEM)
SIEM Architecture
Modern SIEM Architecture

```text
DATA SOURCES:
┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐
│Firewall │ │   EDR   │ │  Cloud  │ │ Network │ │  Apps   │
│  Logs   │ │  Logs   │ │  Logs   │ │  Flow   │ │  Logs   │
└────┬────┘ └────┬────┘ └────┬────┘ └────┬────┘ └────┬────┘
     │           │           │           │           │
     └───────────┴───────────┼───────────┴───────────┘
                             │
                    ┌────────┴─────────┐
                    │   COLLECTION     │
                    │    & PARSING     │
                    │  (Syslog, API,   │
                    │     Agent)       │
                    └────────┬─────────┘
                             │
                    ┌────────┴─────────┐
                    │  NORMALIZATION   │
                    │  & ENRICHMENT    │
                    │ (Common schema,  │
                    │  threat intel)   │
                    └────────┬─────────┘
                             │
                    ┌────────┴─────────┐
                    │    ANALYTICS     │
                    │   & DETECTION    │
                    │  (Correlation,   │
                    │    ML, Rules)    │
                    └────────┬─────────┘
                             │
                    ┌────────┴─────────┐
                    │  INVESTIGATION   │
                    │   & RESPONSE     │
                    │   (Case mgmt,    │
                    │      SOAR)       │
                    └──────────────────┘
```
Detection Rules (Sigma)
```yaml
# Sigma rule example - DNS tunneling detection
title: DNS Query Length Anomaly
status: experimental
description: Detects DNS queries with an unusually long subdomain
logsource:
  category: dns
detection:
  selection:
    query|re: '.{50,}\.'   # 50 or more characters before a dot (long subdomain)
  condition: selection
fields:
  - query
  - src_ip
  - dst_ip
falsepositives:
  - CDN domains with long names
  - Legitimate encoded data
level: medium
tags:
  - attack.command_and_control
  - attack.t1071.004
```

```bash
# Convert the rule to a SIEM's native query language
sigmac -t splunk rule.yml
sigmac -t elastic rule.yml
```
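The rule above fires on length alone, which is why it lists CDN names as a false positive. As an added example (not the chapter's code and not Sigma tooling), the block below runs the same selection regex over constructed dns.log-style records and adds the two refinements an analyst would layer on in the SIEM: a Shannon-entropy check on the longest label, and an allowlist for known CDN suffixes. The entropy threshold of 3.5 bits per character and the allowlist contents are assumptions.

```python
import math
import re
from collections import Counter

# The Sigma selection above: 50 or more characters immediately before a dot
LONG_QUERY = re.compile(r".{50,}\.")
ENTROPY_THRESHOLD = 3.5                                      # bits per char (assumption)
ALLOWLIST_SUFFIXES = (".cloudfront.net", ".akamaiedge.net")  # constructed CDN allowlist


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for one repeated character)."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def classify(query):
    """Return (verdict, reason) for one DNS query name."""
    q = query.rstrip(".")
    if q.endswith(ALLOWLIST_SUFFIXES):
        return "allow", "allowlisted CDN suffix"
    if not LONG_QUERY.search(q + "."):
        return "ok", "shorter than the rule threshold"
    # Encoded tunnel data looks random; long legitimate names usually do not
    longest = max(q.split("."), key=len)
    bits = shannon_entropy(longest)
    if bits >= ENTROPY_THRESHOLD:
        return "alert", f"long high-entropy label ({len(longest)} chars, {bits:.2f} bits/char)"
    return "review", f"long but low-entropy label ({bits:.2f} bits/char)"


# Constructed dns.log-style records: (src_ip, query). The tunnel-like label uses
# every hex digit four times, so its entropy is exactly 4 bits per character.
TUNNEL_LABEL = "3f7a1c9e0b5d2846e8c41b7f2a9d06359d2e6a0f4b8c17357b0c5e3a9f1d2846"
SAMPLE_DNS = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.7", "d1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p7q8r9s0t1u2v3w4x5y6.cloudfront.net"),
    ("10.0.0.9", TUNNEL_LABEL + ".t.example.net"),
    ("10.0.0.9", "a" * 60 + ".example.org"),
]


def summarize(records):
    """Count verdicts over a batch of records, as a SIEM dashboard would."""
    return dict(Counter(classify(q)[0] for _, q in records))


if __name__ == "__main__":
    for src, q in SAMPLE_DNS:
        verdict, reason = classify(q)
        print(f"{src:>10}  {verdict:6}  {reason}  [{q[:40]}...]" if len(q) > 40
              else f"{src:>10}  {verdict:6}  {reason}  [{q}]")
    print(summarize(SAMPLE_DNS))
```

The "review" verdict is deliberate: a long, low-entropy label is more likely a verbose but legitimate hostname than a tunnel, so it is queued for an analyst rather than paged.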
Key Detection Use Cases
Essential SIEM Detection Categories

```text
AUTHENTICATION:
  ☐ Failed login threshold exceeded
  ☐ Login from new location/device
  ☐ Impossible travel
  ☐ Service account anomalies
  ☐ Brute force detection

NETWORK:
  ☐ Port scanning
  ☐ DNS anomalies (tunneling, DGA)
  ☐ Beaconing patterns
  ☐ Large data transfers
  ☐ Communication with threat intel IOCs

ENDPOINT:
  ☐ Suspicious process execution
  ☐ Persistence mechanisms
  ☐ Credential dumping tools
  ☐ Living off the land binaries (LOLBins)
  ☐ Lateral movement patterns

DATA:
  ☐ Unusual data access patterns
  ☐ Data exfiltration indicators
  ☐ Sensitive file access
  ☐ Permission changes
```
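Two of the authentication use cases above, "failed login threshold exceeded" and "impossible travel", implemented over constructed authentication events as an added example (not the chapter's code). The geo-IP coordinates, the five-failures-in-300-seconds threshold and the 1000 km/h speed limit are assumptions; the events are constructed so that one source trips the brute-force rule and one user logs in from London eleven minutes after New York.

```python
import math
from collections import defaultdict, deque

FAIL_THRESHOLD = 5        # failures from one source ...
FAIL_WINDOW_S = 300       # ... within this many seconds -> brute-force alert (assumption)
MAX_SPEED_KMH = 1000.0    # faster than this between two logins is "impossible" (assumption)

# Constructed geo-IP lookups: ip -> (lat, lon)
GEO = {
    "192.0.2.44": (40.73, -73.99),     # New York office
    "203.0.113.10": (40.71, -74.01),   # New York, residential ISP
    "198.51.100.5": (51.51, -0.13),    # London
}

# Constructed authentication events: (epoch seconds, user, src_ip, outcome)
EVENTS = [
    (1000, "alice", "192.0.2.44", "success"),
    (1010, "bob", "203.0.113.10", "failure"),
    (1020, "bob", "203.0.113.10", "failure"),
    (1030, "bob", "203.0.113.10", "failure"),
    (1040, "bob", "203.0.113.10", "failure"),
    (1050, "bob", "203.0.113.10", "failure"),     # fifth failure inside 300 s
    (1300, "alice", "192.0.2.44", "success"),
    (2000, "alice", "198.51.100.5", "success"),   # London, 700 s after New York
]


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def detect(events):
    """Run both detections over events in time order; return a list of alert dicts."""
    alerts = []
    failures = defaultdict(deque)   # src_ip -> timestamps of recent failures
    last_success = {}               # user -> (ts, src_ip)
    for ts, user, src_ip, outcome in sorted(events):
        if outcome == "failure":
            window = failures[src_ip]
            window.append(ts)
            while window and ts - window[0] > FAIL_WINDOW_S:   # slide the window
                window.popleft()
            if len(window) >= FAIL_THRESHOLD:
                alerts.append({"rule": "brute_force", "ts": ts, "src_ip": src_ip, "count": len(window)})
                window.clear()          # one alert per burst, not one per extra failure
            continue
        # success: compare with the user's previous successful login
        if user in last_success and src_ip in GEO and last_success[user][1] in GEO:
            prev_ts, prev_ip = last_success[user]
            distance = haversine_km(GEO[prev_ip], GEO[src_ip])
            hours = (ts - prev_ts) / 3600
            if hours == 0:
                speed = math.inf if distance > 0 else 0.0
            else:
                speed = distance / hours
            if speed > MAX_SPEED_KMH:
                alerts.append({"rule": "impossible_travel", "ts": ts, "user": user,
                               "from": prev_ip, "to": src_ip, "speed_kmh": round(speed)})
        last_success[user] = (ts, src_ip)
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

In production the impossible-travel check is usually suppressed for known VPN egress addresses and mobile carrier ranges, whose geo-IP location can jump hundreds of kilometres between sessions; that allowlist is the main tuning knob for this rule.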
Incident Response
Incident Response Process
NIST Incident Response Lifecycle

```text
┌─────────────────────────────────────────────────────────────┐
│                                                             │
│   ┌──────────────┐          ┌──────────────────┐            │
│   │ PREPARATION  │─────────►│   DETECTION &    │            │
│   │              │          │     ANALYSIS     │            │
│   │ • IR plan    │          │                  │            │
│   │ • Team       │          │ • Monitoring     │            │
│   │ • Tools      │          │ • Triage         │            │
│   │ • Training   │          │ • Investigation  │            │
│   └──────────────┘          └────────┬─────────┘            │
│          ▲                           │                      │
│          │                           ▼                      │
│   ┌──────┴───────┐          ┌──────────────────┐            │
│   │POST-INCIDENT │◄─────────│   CONTAINMENT,   │            │
│   │   ACTIVITY   │          │   ERADICATION,   │            │
│   │              │          │     RECOVERY     │            │
│   │ • Lessons    │          │                  │            │
│   │ • Improve    │          │ • Isolate        │            │
│   │ • Document   │          │ • Remove threat  │            │
│   └──────────────┘          │ • Restore        │            │
│                             └──────────────────┘            │
│                                                             │
└─────────────────────────────────────────────────────────────┘
```
Network-Focused IR Actions
Network Incident Response Playbook

```text
DETECTION CONFIRMED:
  1. ☐ Document initial indicators
  2. ☐ Preserve volatile network data (connections, flows)
  3. ☐ Capture relevant traffic (if not already)
  4. ☐ Identify affected systems

CONTAINMENT:
  1. ☐ Isolate affected systems (VLAN, firewall rules)
  2. ☐ Block C2 communications
  3. ☐ Block attacker IPs at perimeter
  4. ☐ Disable compromised accounts
  5. ☐ Preserve evidence before changes

ERADICATION:
  1. ☐ Identify all compromised systems
  2. ☐ Remove malware/implants
  3. ☐ Reset credentials
  4. ☐ Patch exploited vulnerabilities
  5. ☐ Remove persistence mechanisms

RECOVERY:
  1. ☐ Restore from clean backups
  2. ☐ Rebuild if necessary
  3. ☐ Gradual reconnection with monitoring
  4. ☐ Validate security controls

POST-INCIDENT:
  1. ☐ Timeline documentation
  2. ☐ Root cause analysis
  3. ☐ Detection improvements
  4. ☐ Control gaps addressed
```
Containment Strategies
| Scenario | Containment Action | Considerations |
|---|---|---|
| Single host compromised | VLAN isolation | Preserve for forensics |
| Lateral movement detected | Segment affected systems | May disrupt business |
| C2 communications | Block at firewall/DNS | May alert attacker |
| Data exfiltration | Terminate connections | Evidence preservation |
| Ransomware spreading | Network isolation | Immediate action required |
Network Hardening Checklist
Layer-by-Layer Hardening
Comprehensive Network Hardening

```text
LAYER 2 - DATA LINK:
  ☐ Port security enabled
  ☐ DHCP snooping enabled
  ☐ Dynamic ARP Inspection
  ☐ 802.1X authentication
  ☐ BPDU Guard on access ports
  ☐ Disable DTP (switchport nonegotiate)
  ☐ Change native VLAN
  ☐ Private VLANs where appropriate
  ☐ MAC address limits per port

LAYER 3 - NETWORK:
  ☐ Ingress/egress filtering (BCP38)
  ☐ Unicast RPF enabled
  ☐ ICMP rate limiting
  ☐ IP source routing disabled
  ☐ Directed broadcasts disabled
  ☐ RPKI for BGP validation
  ☐ BGP prefix filtering
  ☐ TTL security for BGP

LAYER 4 - TRANSPORT:
  ☐ SYN cookies enabled
  ☐ SYN flood protection
  ☐ Connection limits per source
  ☐ TCP timestamps considered
  ☐ Invalid flag combinations dropped

LAYER 7 - APPLICATION:
  ☐ DNS security (DNSSEC validation)
  ☐ Unnecessary services disabled
  ☐ Strong encryption only (TLS 1.2+)
  ☐ Certificate validation
  ☐ Rate limiting on services

INFRASTRUCTURE:
  ☐ Management network isolated
  ☐ Out-of-band management
  ☐ Strong device authentication
  ☐ Encrypted management protocols (SSH, HTTPS)
  ☐ Logging centralized
  ☐ NTP authenticated
  ☐ Configuration backups secured
```
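A checklist like the one above is only useful if it is checked against running configurations regularly. The block below is an added example, not the chapter's code, of auditing the Layer 2 items against a switch configuration written in Cisco IOS style: global protections (DHCP snooping, Dynamic ARP Inspection, BPDU Guard, 802.1X) plus the per-port items (port security with a MAC limit, DTP disabled, 802.1X) and the native-VLAN change on trunks. The configuration text is constructed so that one access port is fully hardened and one is bare.

```python
import re

# Constructed Cisco IOS-style switch configuration for the audit to examine
CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10,20
spanning-tree portfast bpduguard default
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport nonegotiate
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
!
"""

# Checklist item -> regex that must match a line for the item to count as satisfied
GLOBAL_CHECKS = {
    "DHCP snooping enabled": r"^ip dhcp snooping$",
    "Dynamic ARP Inspection": r"^ip arp inspection vlan ",
    "BPDU Guard on PortFast ports": r"^spanning-tree portfast bpduguard default$",
    "802.1X enabled globally": r"^dot1x system-auth-control$",
}
ACCESS_PORT_CHECKS = {
    "port security": r"^switchport port-security$",
    "MAC address limit": r"^switchport port-security maximum \d+$",
    "DTP disabled (nonegotiate)": r"^switchport nonegotiate$",
    "802.1X on port": r"^authentication port-control auto$",
}
TRUNK_PORT_CHECKS = {
    # (?!1$) rejects the default native VLAN 1 but accepts 10, 100, 999, ...
    "native VLAN changed from 1": r"^switchport trunk native vlan (?!1$)\d+$",
    "DTP disabled (nonegotiate)": r"^switchport nonegotiate$",
}


def parse_config(text):
    """Split an IOS-style config into global lines and per-interface line lists."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())     # indented = inside the interface
        else:
            current = None                                # "!" or a global command ends the block
            if line and line != "!":
                global_lines.append(line)
    return global_lines, interfaces


def _missing(lines, checks):
    return [item for item, pattern in checks.items()
            if not any(re.match(pattern, line) for line in lines)]


def audit(text):
    """Return {'global_missing': [...], 'interfaces': {name: {'mode': m, 'missing': [...]}}}."""
    global_lines, interfaces = parse_config(text)
    report = {"global_missing": _missing(global_lines, GLOBAL_CHECKS), "interfaces": {}}
    for name, lines in interfaces.items():
        if "switchport mode trunk" in lines:
            mode, checks = "trunk", TRUNK_PORT_CHECKS
        else:
            mode, checks = "access", ACCESS_PORT_CHECKS
        report["interfaces"][name] = {"mode": mode, "missing": _missing(lines, checks)}
    return report


if __name__ == "__main__":
    result = audit(CONFIG)
    print("global items missing:", result["global_missing"] or "none")
    for name, entry in result["interfaces"].items():
        print(f"{name} ({entry['mode']}): missing {entry['missing'] or 'none'}")
```

Running this from configuration backups on a schedule turns the checklist into a detective control: a port that loses its protections (or a new trunk left on native VLAN 1) shows up in the next report rather than in the next incident.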
Security Operations Center (SOC)
SOC Functions
SOC Operating Model

```text
TIER 1 - ALERT TRIAGE (24/7):
  • Initial alert review
  • False positive identification
  • Basic investigation
  • Escalation to Tier 2
  • Metrics: alerts per day, time to triage

TIER 2 - INCIDENT HANDLING:
  • Deep investigation
  • Malware analysis
  • Containment actions
  • Coordination with IT teams
  • Escalation to Tier 3

TIER 3 - ADVANCED ANALYSIS:
  • Threat hunting
  • Advanced forensics
  • Threat intelligence
  • Detection engineering
  • Process improvement

METRICS:
  - MTTD (Mean Time to Detect)
  - MTTR (Mean Time to Respond)
  - Alert-to-incident ratio
  - False positive rate
  - Escalation accuracy
```
Detection Engineering
```yaml
# Detection-as-Code example
# Store in version control, test before deployment
name: lateral_movement_psexec
description: Detects PsExec-style lateral movement
mitre_attack:
  - T1569.002   # Service Execution
  - T1021.002   # SMB/Windows Admin Shares
data_sources:
  - windows_security_events
  - network_flows
detection_logic: |
  (EventID == 4624 AND LogonType == 3)     # successful network logon (4648 carries no LogonType)
  AND (ProcessName CONTAINS "PSEXESVC"
       OR ServiceName LIKE "PSEXE%")
  AND SourceIP != DestinationIP
response_actions:
  - alert_soc_tier2
  - isolate_source_host
  - preserve_evidence
testing:
  - atomic_red_team: T1569.002
  - validation_data: test_data/psexec_sample.json
```
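The value of detection-as-code is that the rule and its validation data live together and the test runs before every deployment. The block below is an added example, not the chapter's rule file or Atomic Red Team output, of the detection above made executable: a network logon (4624, LogonType 3) on a host, followed within a short window by a service install (7045) whose name starts with PSEXE. Correlating two events rather than matching one record is a generalization of the single-expression logic shown above. The events, host addresses and the 120-second window are constructed assumptions, and the validation set includes the negative cases a reviewer would demand (interactive logon, service installed too late, unrelated service).

```python
from collections import defaultdict

CORRELATION_WINDOW_S = 120   # assumption: the service install must follow the logon within 2 min

# Constructed host -> address table, so a logon from the host's own address is not "remote"
HOST_IPS = {"WS02": "10.0.0.22", "WS03": "10.0.0.23", "WS04": "10.0.0.24", "WS05": "10.0.0.25"}

# Constructed Windows Security / System events (a subset of fields).
# 4624 = successful logon (LogonType 3 = network); 7045 = a new service was installed.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "WS02", "event_id": 4624, "logon_type": 3, "src_ip": "10.0.0.11", "service": ""},
    {"ts": 105, "host": "WS02", "event_id": 7045, "logon_type": None, "src_ip": "", "service": "PSEXESVC"},
    {"ts": 300, "host": "WS03", "event_id": 4624, "logon_type": 2, "src_ip": "", "service": ""},      # interactive logon
    {"ts": 302, "host": "WS03", "event_id": 7045, "logon_type": None, "src_ip": "", "service": "PSEXESVC"},
    {"ts": 500, "host": "WS04", "event_id": 4624, "logon_type": 3, "src_ip": "10.0.0.11", "service": ""},
    {"ts": 900, "host": "WS04", "event_id": 7045, "logon_type": None, "src_ip": "", "service": "PSEXESVC"},  # 400 s later
    {"ts": 600, "host": "WS05", "event_id": 4624, "logon_type": 3, "src_ip": "10.0.0.50", "service": ""},
    {"ts": 610, "host": "WS05", "event_id": 7045, "logon_type": None, "src_ip": "", "service": "Spooler"},
]


def is_network_logon(ev):
    """EventID 4624 with LogonType 3 from an address other than the host's own."""
    return (ev["event_id"] == 4624 and ev["logon_type"] == 3
            and ev["src_ip"] not in ("", HOST_IPS.get(ev["host"])))


def is_psexec_service(ev):
    """EventID 7045 whose ServiceName matches the rule's LIKE 'PSEXE%'."""
    return ev["event_id"] == 7045 and ev["service"].upper().startswith("PSEXE")


def detect_psexec_lateral_movement(events):
    """Return one alert per host where a PSEXE* service install follows a network logon."""
    recent_logons = defaultdict(list)   # host -> [(ts, src_ip)]
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev["host"]
        if is_network_logon(ev):
            recent_logons[host].append((ev["ts"], ev["src_ip"]))
        elif is_psexec_service(ev):
            for logon_ts, src_ip in recent_logons[host]:
                if 0 <= ev["ts"] - logon_ts <= CORRELATION_WINDOW_S:
                    alerts.append({"host": host, "src_ip": src_ip, "logon_ts": logon_ts,
                                   "service_ts": ev["ts"], "technique": "T1569.002"})
                    break
    return alerts


# The "testing" stage of the rule above: expected verdicts for the validation set
EXPECTED_ALERT_HOSTS = ["WS02"]


def run_validation():
    """True when the rule alerts on exactly the expected hosts and nothing else."""
    found = [a["host"] for a in detect_psexec_lateral_movement(SAMPLE_EVENTS)]
    return found == EXPECTED_ALERT_HOSTS


if __name__ == "__main__":
    for alert in detect_psexec_lateral_movement(SAMPLE_EVENTS):
        print(alert)
    print("validation passed:", run_validation())
```

Keeping the negative cases in the validation set is what protects the rule during later edits: widening the window or dropping the LogonType check would make WS04 or WS03 fire, and the test would fail in the pipeline before the change reached the SIEM.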
Continuous Improvement
Security Metrics
| Metric Category | Example Metrics |
|---|---|
| Detection | MTTD, detection coverage, false positive rate |
| Response | MTTR, containment time, escalation accuracy |
| Prevention | Patch compliance, vulnerability age, pen test findings |
| Compliance | Policy violations, audit findings, training completion |
| Risk | Risk score trend, accepted risks, risk treatment progress |
Maturity Assessment
Security Program Maturity Levels

```text
LEVEL 1 - INITIAL:
  • Ad-hoc security
  • Reactive only
  • No formal processes

LEVEL 2 - DEVELOPING:
  • Basic controls in place
  • Some documentation
  • Limited monitoring

LEVEL 3 - DEFINED:
  • Documented processes
  • Consistent implementation
  • Regular assessments

LEVEL 4 - MANAGED:
  • Metrics-driven
  • Continuous monitoring
  • Proactive threat hunting

LEVEL 5 - OPTIMIZING:
  • Continuous improvement
  • Threat intelligence integration
  • Automated response
  • Industry leadership
```
Key Takeaways
- Defense in depth remains essential: no single control is sufficient
- Zero Trust is a paradigm shift: verify explicitly, assume breach
- NDR complements EDR: network visibility catches what endpoints miss
- Detection engineering is continuous: adversaries evolve, so must detection
- Incident response requires preparation: you can't build the plane while flying
- Metrics drive improvement: measure what matters, improve what you measure
Self-Assessment
- Comprehension: How does Zero Trust fundamentally differ from traditional perimeter security?
- Application: Design a detection strategy for DNS tunneling using your SIEM.
- What if: Your organization discovers a breach that's been ongoing for 6 months. How does your incident response differ from a new breach?
Review Questions
- What are the core principles of Zero Trust architecture?
- How does NDR differ from traditional IDS/IPS?
- What are the phases of NIST incident response?
- Why is micro-segmentation important in modern networks?
- What metrics should a SOC track to measure effectiveness?
- How does detection engineering improve security over time?
Part II Conclusion
Throughout Part II, we've explored attacks at every layer of the network stack, from physical access and Layer 2 manipulation to application exploitation and advanced persistent threats. Each attack technique reveals a corresponding defensive opportunity.
The security landscape continues to evolve. New protocols bring new vulnerabilities. Cloud and IoT expand the attack surface. Adversaries become more sophisticated. But the fundamental principles remain:
- Know your assets and their vulnerabilities
- Layer your defenses so no single failure is catastrophic
- Monitor continuously for threats
- Respond quickly when incidents occur
- Learn and improve from every event
In Part III, we'll put these concepts into practice with hands-on labs that build practical skills for both offensive testing and defensive operations.