Network Security & Threat Analysis

CyberSec (cybersecurity) protects systems, networks, and data from digital threats. This pack covers NET (network) security architecture, threat analysis, defensive operations, and incident response — the practical knowledge needed to secure modern infrastructure.

Network Security Architecture

Defense in depth layers multiple security controls so no single failure compromises the system. The zones: perimeter (FW, IDS/IPS), DMZ (public-facing services isolated from internal network), internal network (segmented by function and sensitivity), and critical assets (DB, secrets, admin interfaces).

FW (firewall) enforces access policy between network zones. Stateless FW filters on IP/port — fast but easily bypassed. Stateful FW tracks connection state (TCP handshake, established sessions) — blocks unsolicited inbound while allowing return traffic. NGFW (next-generation firewall) adds application-layer inspection (L7), SSL/TLS decryption, integrated IPS, and identity-based policies.

NET segmentation limits lateral movement after initial compromise. VLAN separation with inter-VLAN routing controlled by FW policy. Microsegmentation extends this to workload level — each service communicates only with explicitly authorized peers. ZTA (zero trust architecture) assumes no implicit trust: verify every request regardless of source network. Core principles: least privilege access, continuous verification, assume breach.

Threat Landscape & Attack Vectors

The kill chain (Lockheed Martin) models adversary operations: RECON (reconnaissance) → WEAP (weaponization) → DELIV (delivery) → EXPLOIT (exploitation) → INST (installation) → C2 (command and control) → ACT (actions on objectives). Defenders can disrupt at any stage — earlier is better.

MITRE ATT&CK framework catalogs adversary TTPs (tactics, techniques, procedures) observed in real intrusions. TAC categories: initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, exfiltration, C2, impact. Mapping detected activity to ATT&CK TTPs enables threat intelligence sharing and gap analysis.

Common attack vectors: PHI (phishing — social engineering via email/SMS, #1 initial access vector), VULN exploitation (unpatched software — CVE tracking essential), credential stuffing (reused passwords from breaches), supply chain compromise (malicious dependencies, build system infiltration), insider threat (malicious or negligent authorized users).

Web Application Security

OWASP Top 10 critical web vulnerabilities: injection (SQLi, command injection — always use parameterized queries), broken authentication (weak session management, credential exposure), XSS (cross-site scripting — reflected, stored, DOM-based; sanitize all output), SSRF (server-side request forgery — validate and restrict outbound requests), IDOR (insecure direct object references — enforce authorization checks on every resource access).

SQLi (SQL injection): attacker supplies malicious input that alters query logic. Example: input ' OR 1=1-- bypasses WHERE clause. Prevention: parameterized queries (prepared statements) exclusively — NEVER concatenate user input into SQL strings. ORM use reduces risk but does not eliminate it (raw query escape hatches).

XSS prevention: encode output based on context (HTML entity encoding for HTML body, JavaScript encoding for script context, URL encoding for URL parameters). CSP (Content Security Policy) headers restrict script sources — effective second layer defense. HttpOnly flag on session cookies prevents JavaScript access.

API security: authenticate every request (OAuth 2.0 / JWT with short expiration), rate limit to prevent abuse, validate all input (schema validation, type checking, bounds checking), use TLS everywhere, implement proper CORS (Cross-Origin Resource Sharing) policies — never wildcard in production.

Cryptography Essentials

SYM (symmetric) encryption: same key encrypts and decrypts. AES-256-GCM is the standard — provides both confidentiality and integrity (AEAD — authenticated encryption with associated data). Never use ECB mode (deterministic, leaks patterns). ChaCha20-Poly1305 is the alternative where AES hardware acceleration is unavailable.

ASYM (asymmetric) encryption: public key encrypts, private key decrypts (or signs/verifies). RSA-2048 minimum (RSA-4096 preferred), being replaced by ECC (Elliptic Curve Cryptography — equivalent security at smaller key sizes: ECC-256 ≈ RSA-3072). Key exchange: ECDHE (Ephemeral Elliptic Curve Diffie-Hellman) provides PFS (perfect forward secrecy) — compromised long-term key does not decrypt past sessions.

Hashing: SHA-256 for data integrity, SHA-384/512 for higher security margin. Password hashing: NEVER plain SHA/MD5. Use bcrypt (cost factor 12+), scrypt, or Argon2id (memory-hard, resistant to GPU/ASIC attacks). Salt every password (unique per user, stored alongside hash).

TLS 1.3 is mandatory for all network communications. Reduced handshake (1-RTT, 0-RTT resumption), removed insecure cipher suites (no RSA key exchange, no CBC, no RC4), mandatory PFS. Certificate management: automate with ACME (Let's Encrypt), monitor expiration, pin certificates or public keys for critical connections.

Security Operations

SOC (Security Operations Center) provides continuous monitoring and response. SIEM (Security Information and Event Management) aggregates logs from all sources (FW, endpoints, servers, cloud), correlates events, and triggers alerts. Detection engineering writes rules matching known TTPs: Sigma rules (vendor-agnostic), YARA rules (malware signatures), Snort/Suricata rules (network signatures).

EDR (Endpoint Detection and Response) monitors endpoint behavior: process creation, file modifications, network connections, registry changes. Behavioral detection catches novel threats that signature-based AV misses. UEBA (User and Entity Behavior Analytics) baselines normal behavior and alerts on anomalies — unusual login times, impossible travel, data exfiltration patterns.

TH (threat hunting) proactively searches for adversary activity that evades automated detection. Hypothesis-driven approach: based on CTI (cyber threat intelligence), formulate hypotheses about adversary TTPs likely targeting the environment, then investigate using available telemetry. IOC (indicators of compromise — hashes, IPs, domains) are low-confidence and short-lived; TTP-based detection is higher confidence and harder for adversaries to change.

Incident Response

IR (incident response) follows the NIST framework: preparation → detection & analysis → containment → eradication → recovery → lessons learned. Preparation includes IR playbooks, communication plans, legal coordination, and forensic readiness (log retention, disk imaging capability).

Containment strategy: short-term (isolate affected systems from network — disable switch ports, host FW rules, DNS sinkhole C2 domains) and long-term (rebuild compromised systems from clean images, rotate all potentially compromised credentials, patch exploitation vector).

DFIR (digital forensics and incident response): preserve evidence chain of custody. Acquire disk images (dd, FTK Imager) before analysis. Memory forensics (Volatility) reveals running processes, network connections, injected code that disk analysis misses. Timeline analysis correlates filesystem timestamps, event logs, and network logs to reconstruct adversary actions.

Vulnerability Management

VM (vulnerability management) lifecycle: discover assets (you cannot protect what you do not know exists), scan (authenticated scans for accurate results), prioritize (CVSS base score + threat intelligence + asset criticality + exploitability), remediate (patch, mitigate, accept risk with documentation), verify (rescan to confirm fix).

CVSS (Common Vulnerability Scoring System) scores from 0-10: Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), Critical (9.0-10.0). But CVSS alone is insufficient — EPSS (Exploit Prediction Scoring System) predicts probability of exploitation in the wild. Prioritize CVSS Critical + EPSS >10% for immediate patching.

Patch management: test patches in staging environment before production deployment. Emergency patching (zero-day with active exploitation) may skip full testing — risk accepted. Compensating controls (WAF rules, network isolation, detection rules) provide interim protection while patching is scheduled.

Cloud Security

CSPM (Cloud Security Posture Management) continuously audits cloud configuration against security baselines. Common misconfigurations: public S3 buckets, overprivileged IAM roles, unencrypted storage, security groups allowing 0.0.0.0/0 on management ports. IAM (Identity and Access Management): enforce MFA everywhere, use temporary credentials (STS assume-role), implement least-privilege policies, review access regularly.

Container security: scan images for VULN before deployment, use minimal base images (distroless/Alpine), run as non-root, enforce read-only root filesystem, use network policies for pod-to-pod communication control. Secrets management: HashiCorp Vault, AWS Secrets Manager, or similar — NEVER embed secrets in images, environment variables, or source code.