Part II: Vulnerability Study Chapter 1

Introduction to Network Security

Security fundamentals, CIA triad, MITRE ATT&CK, threat modeling, attack-defense framework, and ethical considerations

Chapter 1: Introduction to Network Security

The $10 Billion Wake-Up Call

On June 27, 2017, a software update for a Ukrainian tax program called M.E.Doc delivered something unexpected: NotPetya, the most destructive cyberattack in history. Within hours, it had spread to 65 countries, encrypting systems and rendering them permanently unusable.

Maersk, the world’s largest shipping company, lost 49,000 laptops, 1,200 applications, and nearly all 6,500 servers. They rebuilt their entire IT infrastructure in 10 days—what normally takes 6 months. Total cost: $300 million. FedEx lost $400 million. Merck lost $870 million. Global damages exceeded $10 billion.

NotPetya wasn’t ransomware seeking profit—it was a weapon designed to destroy. It exploited EternalBlue (the same vulnerability behind WannaCry), spread through SMB, and used credential harvesting to move laterally. Network security failures at every level enabled its spread: unpatched systems, flat networks without segmentation, and inadequate monitoring.

This attack demonstrated that network security isn’t optional—it’s existential. In Part II, you’ll learn the attacks that make incidents like NotPetya possible, and the defenses that could have stopped them.

From Theory to Security

In Part I, you learned how networks move data reliably from source to destination. But reliability isn’t enough. In a world where networks carry financial transactions, medical records, government secrets, and personal communications, we need more than just delivery—we need security.

What Is Network Security?

Network security is the practice of protecting network infrastructure and the data that traverses it from unauthorized access, misuse, modification, or denial of service. It encompasses:

Technologies: Firewalls, encryption, intrusion detection
Processes: Incident response, vulnerability management, access control
Practices: Security monitoring, penetration testing, user awareness

The Security Mindset

As you’ll see throughout Part II, the protocols that make networking possible often prioritize functionality over security. They were designed in an era of trusted academic networks and limited connectivity. Understanding these design decisions—and their security implications—is essential for both attacking and defending systems.

PRO TIP

The best defenders understand attacks deeply. The best attackers understand defenses thoroughly. This chapter provides the foundation for both perspectives.

The CIA Triad

The CIA triad is the foundational model for information security, defining three core objectives that security measures aim to protect.

The CIA Triad

The CIA Triad:
═══════════════════════════════════════════════════════════════════

                    ┌─────────────────────┐
                    │   CONFIDENTIALITY   │
                    │                     │
                    │  Only authorized    │
                    │  access to data     │
                    └──────────┬──────────┘
                               │
              ┌────────────────┼────────────────┐
              │                │                │
              ▼                │                ▼
    ┌─────────────────┐        │      ┌─────────────────┐
    │   INTEGRITY     │◄───────┴─────►│  AVAILABILITY   │
    │                 │               │                 │
    │  Data is        │               │  Systems are    │
    │  trustworthy    │               │  accessible     │
    │  and accurate   │               │  when needed    │
    └─────────────────┘               └─────────────────┘
    
    All three must be balanced based on the asset's requirements

Confidentiality

Confidentiality ensures that information is accessible only to those authorized to access it. It protects against unauthorized disclosure.

Network Threat	Example	Impact
Eavesdropping	Packet capture on unencrypted WiFi	Credentials stolen
MITM attacks	ARP spoofing to intercept traffic	Data exfiltration
Unauthorized access	Compromised server leaking database	Customer data breach
Traffic analysis	Timing attacks reveal patterns	Metadata exposure

Countermeasures:

Encryption (TLS, VPNs, WPA3)
Access controls and authentication
Network segmentation
Data classification

Integrity

Integrity ensures that information is accurate and hasn’t been modified by unauthorized parties. It protects against unauthorized modification.

Network Threat	Example	Impact
Packet modification	MITM altering transaction amounts	Financial fraud
DNS poisoning	Fake DNS responses redirect users	Phishing success
Session hijacking	Injecting commands into active session	Account takeover
Malware injection	Modifying downloads in transit	System compromise

Countermeasures:

Cryptographic integrity checks (MACs, digital signatures)
DNSSEC, certificate pinning
Input validation
Version control and audit trails

Availability

Availability ensures that information and systems are accessible when needed by authorized users. It protects against denial of service.

Network Threat	Example	Impact
DDoS attacks	Volumetric flood overwhelming servers	Service outage
SYN floods	Exhausting connection tables	Application unavailable
Ransomware	Encrypting critical systems	Operations halt
Physical attacks	Cutting fiber lines	Network disconnection

Countermeasures:

Redundancy and failover
DDoS mitigation services
Rate limiting
Backups and disaster recovery

Beyond CIA: The Extended Model

Modern security often considers additional properties:

Property	Description	Example Control
Authentication	Verifying identity	Multi-factor authentication
Authorization	Controlling permissions	Role-based access control
Non-repudiation	Proving actions occurred	Digital signatures, audit logs
Accountability	Tracing to responsible party	Logging, monitoring

MITRE ATT&CK Framework

What Is MITRE ATT&CK?

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally-accessible knowledge base of adversary behavior based on real-world observations. It provides a common language for describing attacks and mapping defenses.

MITRE ATT&CK Matrix (Simplified)

MITRE ATT&CK Matrix (Simplified):
═══════════════════════════════════════════════════════════════════

TACTICS (The "Why" - Adversary Goals):
┌───────┬──────┬─────┬───────┬────────┬───────┬──────┬─────────┬───┐
│ Recon │Access│Exec │Persist│Priv Esc│Defense│Cred  │Discovery│   │
│       │      │     │       │        │Evasion│Access│         │...│
└───────┴──────┴─────┴───────┴────────┴───────┴──────┴─────────┴───┘
   │       │      │      │        │        │       │       │
   ▼       ▼      ▼      ▼        ▼        ▼       ▼       ▼

TECHNIQUES (The "How" - Methods Used):
┌─────────┐┌─────────┐┌─────────┐┌────────────┐
│Phishing ││PowerShell│Scheduled││Exploitation│
│         ││         ││  Task   ││for Priv Esc│
├─────────┤├─────────┤├─────────┤├────────────┤
│Scanning ││WMI      ││Registry ││Valid       │
│         ││         ││Run Keys ││Accounts    │
├─────────┤├─────────┤├─────────┤├────────────┤
│...      ││...      ││...      ││...         │
└─────────┘└─────────┘└─────────┘└────────────┘

Each technique has:
- ID (e.g., T1566 for Phishing)
- Description
- Examples from real attacks
- Detection methods
- Mitigation strategies

ATT&CK Tactics (Enterprise)

Tactic	Description	Network Examples
Reconnaissance	Gathering information	Port scanning, OSINT
Resource Development	Establishing infrastructure	C2 servers, domains
Initial Access	Getting into the network	Phishing, exploitation
Execution	Running malicious code	Scripts, commands
Persistence	Maintaining access	Backdoors, scheduled tasks
Privilege Escalation	Gaining higher permissions	Exploits, credential theft
Defense Evasion	Avoiding detection	Obfuscation, disabling AV
Credential Access	Stealing credentials	Keylogging, LSASS dumping
Discovery	Learning the environment	Network scanning, enumeration
Lateral Movement	Moving through network	Pass-the-hash, RDP
Collection	Gathering target data	Data staging
Command & Control	Communicating with implants	DNS tunneling, HTTPS C2
Exfiltration	Stealing data	Data transfer over C2
Impact	Disruption or destruction	Ransomware, wipers

Using ATT&CK in This Book

Throughout Part II, we’ll reference ATT&CK techniques where relevant:

Example ARP Spoofing

Example: ARP Spoofing

MITRE ATT&CK Mapping:
├── Tactic: Credential Access, Collection
├── Technique: T1557 - Adversary-in-the-Middle
├── Sub-technique: T1557.002 - ARP Cache Poisoning
├── Detection: Monitor for ARP anomalies
└── Mitigation: DAI, network segmentation

TRY IT YOURSELF

Explore the ATT&CK framework at https://attack.mitre.org/

Browse techniques by tactic

Look up real-world examples

Check detection and mitigation guidance

Threat Modeling

Threat modeling is a structured approach to identifying, quantifying, and addressing security risks. Before you can defend a system, you need to understand what you’re defending against.

Key Questions

What are we protecting? (Assets)
Who might attack it? (Threat actors)
How might they attack? (Threat vectors)
What’s the impact if they succeed? (Risk assessment)
How do we prevent or detect it? (Countermeasures)

Threat Actors

Understanding who might attack helps predict their capabilities, motivations, and methods:

Actor Type	Motivation	Capability	Patience	Examples
Script Kiddies	Fun, bragging	Low	Low	Using Metasploit without understanding
Hacktivists	Political/social	Low-Medium	Medium	Anonymous, protest movements
Cybercriminals	Financial gain	Medium-High	Medium	Ransomware gangs, fraud rings
Insiders	Varied	Varies	High	Disgruntled employees
Competitors	Business advantage	Medium	High	Corporate espionage
Nation-States	Espionage, sabotage	Very High	Very High	APT groups (APT28, Lazarus)

Attack Surface

The attack surface is the sum of all possible attack vectors—every point where an attacker could potentially enter or extract data.

Network Attack Surface

Network Attack Surface:
═══════════════════════════════════════════════════════════════════

External Attack Surface:
┌─────────────────────────────────────────────────────────────────┐
│ Internet-facing services (web, email, VPN)                      │
│ DNS records revealing infrastructure                            │
│ Cloud resources and APIs                                        │
│ Third-party connections                                         │
│ Remote access mechanisms                                        │
│ Social media/OSINT information                                  │
└─────────────────────────────────────────────────────────────────┘

Internal Attack Surface:
┌─────────────────────────────────────────────────────────────────┐
│ Internal network services                                       │
│ Workstations and servers                                        │
│ Network infrastructure devices                                  │
│ Wireless networks                                               │
│ Physical access points                                          │
│ User credentials and permissions                                │
└─────────────────────────────────────────────────────────────────┘

Supply Chain Attack Surface:
┌─────────────────────────────────────────────────────────────────┐
│ Third-party software and updates                                │
│ Vendor network connections                                      │
│ Cloud service providers                                         │
│ Outsourced services                                             │
└─────────────────────────────────────────────────────────────────┘

Reducing attack surface:

Disable unnecessary services
Close unused ports
Remove default accounts
Network segmentation
Principle of least privilege

STRIDE Threat Model

Microsoft’s STRIDE model categorizes threats:

Threat	Description	CIA Property	Example
Spoofing	Pretending to be something else	Authentication	ARP spoofing, IP spoofing
Tampering	Modifying data or code	Integrity	MITM modification, DNS poisoning
Repudiation	Denying an action	Non-repudiation	Deleting logs, forging timestamps
Information Disclosure	Exposing data	Confidentiality	Packet sniffing, data breach
Denial of Service	Making unavailable	Availability	DDoS, SYN flood
Elevation of Privilege	Gaining capabilities	Authorization	Privilege escalation exploit

The Attack-Defense Framework

Every Attack Has a Defense

Throughout Part II, we’ll analyze each attack using a consistent framework:

AttackDefense Analysis Framework

Attack-Defense Analysis Framework:
═══════════════════════════════════════════════════════════════════

┌─────────────────────────────────────────────────────────────────┐
│                        ATTACK                                   │
├─────────────────────────────────────────────────────────────────┤
│ What:        Description of the attack technique                │
│ Why:         What makes this attack possible                    │
│ How:         Step-by-step attack process                        │
│ Prerequisites: What attacker needs (access, tools, knowledge)   │
│ Impact:      What damage can result                             │
│ MITRE ATT&CK: Relevant technique IDs                            │
└─────────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────────┐
│                       DETECTION                                 │
├─────────────────────────────────────────────────────────────────┤
│ Indicators:  What to look for (logs, traffic patterns)          │
│ Tools:       Detection technologies and methods                 │
│ Signatures:  Specific detection rules (Snort, Sigma, etc.)      │
│ Behavior:    Anomaly-based detection approaches                 │
└─────────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────────┐
│                       MITIGATION                                │
├─────────────────────────────────────────────────────────────────┤
│ Prevention:  Stop the attack from succeeding                    │
│ Reduction:   Limit the impact if attack succeeds                │
│ Controls:    Specific technologies and configurations           │
│ Best Practices: Operational and procedural defenses             │
└─────────────────────────────────────────────────────────────────┘

Example: ARP Spoofing Analysis

AttackDefense Example ARP Spoofing

Attack-Defense Example: ARP Spoofing
═══════════════════════════════════════════════════════════════════

ATTACK:
├── What: Send fake ARP replies to poison victim's cache
├── Why: ARP has no authentication
├── How: Send "gateway IP is at attacker MAC"
├── Prerequisites: Same Layer 2 network as victim
├── Impact: MITM position, traffic interception
└── ATT&CK: T1557.002 (ARP Cache Poisoning)

DETECTION:
├── Indicators: Multiple MACs for same IP, ARP storms
├── Tools: arpwatch, IDS, DAI logs
├── Signatures: ARP reply without request, MAC changes
└── Behavior: Unusual gateway MAC in client ARP tables

MITIGATION:
├── Prevention: Dynamic ARP Inspection (DAI), static ARP
├── Reduction: Network segmentation, encryption (TLS)
├── Controls: DHCP snooping, 802.1X, private VLANs
└── Best Practices: Monitor ARP, segment sensitive systems

Defense in Depth

Defense in depth is the principle of layering multiple security controls so that if one fails, others remain. No single security measure is perfect; layers provide redundancy.

Defense in Depth Layers

Defense in Depth Layers:
═══════════════════════════════════════════════════════════════════

                    ┌─────────────────────────────────────┐
                    │          POLICIES & PROCEDURES      │
                    │    (Security policies, training)    │
                    └──────────────────┬──────────────────┘
                                       │
                    ┌──────────────────┴──────────────────┐
                    │            PHYSICAL SECURITY        │
                    │    (Guards, locks, cameras, badges) │
                    └──────────────────┬──────────────────┘
                                       │
                    ┌──────────────────┴──────────────────┐
                    │          PERIMETER SECURITY         │
                    │    (Firewalls, DMZ, IDS/IPS)        │
                    └──────────────────┬──────────────────┘
                                       │
                    ┌──────────────────┴──────────────────┐
                    │          NETWORK SECURITY           │
                    │ (Segmentation, NAC, monitoring)     │
                    └──────────────────┬──────────────────┘
                                       │
                    ┌──────────────────┴──────────────────┐
                    │          ENDPOINT SECURITY          │
                    │    (AV, EDR, patching, hardening)   │
                    └──────────────────┬──────────────────┘
                                       │
                    ┌──────────────────┴──────────────────┐
                    │        APPLICATION SECURITY         │
                    │  (Input validation, secure coding)  │
                    └──────────────────┬──────────────────┘
                                       │
                    ┌──────────────────┴──────────────────┐
                    │            DATA SECURITY            │
                    │   (Encryption, access controls)     │
                    └─────────────────────────────────────┘

If one layer fails, others still protect the asset

THINK ABOUT IT

NotPetya spread so effectively because multiple defense layers failed: unpatched systems (endpoint), flat networks (network), and inadequate monitoring (perimeter). Which single improvement would have had the biggest impact?

Legal and Ethical Considerations

The Legal Landscape

Unauthorized access to computer systems is illegal virtually everywhere. Understanding the law is essential for security professionals.

Key Laws:

Law	Jurisdiction	Key Provisions
CFAA	United States	Criminalizes unauthorized access
CMA	United Kingdom	Similar to CFAA
GDPR	European Union	Data protection, breach notification
HIPAA	US (Healthcare)	Health information protection
PCI-DSS	Global (Cards)	Payment card security standards

Critical Legal Principles:

Authorization is everything: Having permission is the difference between penetration testing and crime
Scope matters: Exceeding authorized scope can be illegal
Intent isn’t always required: Some laws don’t require malicious intent
Documentation protects you: Written authorization is essential
Data handling matters: Even authorized testers must handle data properly

** COMMON MISTAKE**

“I was just testing security” is not a legal defense. Even well-intentioned unauthorized testing can result in criminal charges. Always get written authorization before testing.

Responsible Disclosure

When you discover a vulnerability, how you handle it matters:

Approach	Process	Pros	Cons
Full Disclosure	Publish immediately	Forces quick patches	Enables attackers
Non-Disclosure	Report only to vendor	Vendor has time	May be ignored
Coordinated	Private report, then publish	Balanced approach	Requires vendor cooperation

Coordinated Disclosure Best Practices:

Report to vendor privately with full details
Give 90 days to develop patch (standard timeline)
Publish after patch is available
Publish earlier if actively exploited or vendor unresponsive

Bug Bounty Programs:

HackerOne, Bugcrowd (platforms)
Company programs (Google, Microsoft, Apple)
Legal safe harbor often provided
Financial rewards for valid reports

Ethical Guidelines

Beyond legality, ethical considerations guide professional behavior:

Core Principles:

Do no harm: Minimize impact even during authorized testing
Respect privacy: Protect any data you encounter
Be honest: Report findings accurately, don’t exaggerate
Maintain trust: Don’t abuse access or knowledge
Give back: Contribute to the security community

Security Testing Types

Vulnerability Assessment

Systematic identification of security weaknesses:

Automated scanning tools (Nessus, Qualys, OpenVAS)
Configuration review
Results in prioritized vulnerability list
Regular cadence (weekly, monthly)

Penetration Testing

Authorized simulation of attacks to test defenses:

Type	Knowledge	Simulates
Black Box	No prior knowledge	External attacker
White Box	Full knowledge	Insider or targeted attack
Gray Box	Partial knowledge	Compromised user scenario

Red Team vs Blue Team

Red Team: Adversary simulation

Full-scope attack simulation
Tests people, process, and technology
May include social engineering, physical access
Goal: Test overall security posture

Blue Team: Defense and response

Monitors for attacks
Investigates incidents
Improves defenses
Goal: Detect and respond effectively

Purple Team: Collaborative improvement

Red explains techniques
Blue improves detection
Faster improvement cycle
Shared learning

Security Controls

By Function

Type	Purpose	Examples
Preventive	Stop attacks	Firewalls, encryption, access controls
Detective	Identify attacks	IDS, SIEM, log analysis
Corrective	Fix and restore	Backups, incident response, patches
Deterrent	Discourage attackers	Warning banners, visible cameras
Compensating	Alternative controls	Extra monitoring when can’t patch

By Implementation

Type	Description	Examples
Administrative	Policies and procedures	Security policy, training, background checks
Technical	Technology solutions	Firewalls, encryption, MFA
Physical	Physical protections	Locks, guards, cameras, environmental

Key Takeaways

The CIA triad (Confidentiality, Integrity, Availability) defines core security objectives
MITRE ATT&CK provides a common language for describing attacks and mapping defenses
Threat modeling identifies what to protect, from whom, and how
Defense in depth layers controls so no single failure is catastrophic
Authorization separates security testing from cybercrime—always get written permission
The attack-defense framework we’ll use throughout Part II analyzes attacks, detection, and mitigation together

Self-Assessment

Comprehension: How does NotPetya illustrate failures in defense in depth?
Application: Using STRIDE, categorize the following: ARP spoofing, DDoS attack, SQL injection, credential theft.
What if: Your penetration test exceeds the agreed scope when you discover a critical vulnerability. What should you do?

Review Questions

What are the three components of the CIA triad, and how do network attacks threaten each?
What is MITRE ATT&CK, and how is it useful for security professionals?
Why is authorization essential for security testing?
What is defense in depth, and why is it important?
How does coordinated disclosure balance vendor needs with user protection?
What’s the difference between red team and penetration testing?