5.7 Threat Mitigation and Incident Response
Key Takeaways
- Firewalls, IPS, and endpoint security form the core technical controls for threat mitigation.
- Network segmentation (VLANs, ACLs) limits the blast radius of a security breach.
- Multi-factor authentication (MFA) requires two or more factors from different categories (something you know, something you have, something you are) for stronger verification.
- The principle of least privilege gives users only the minimum access needed for their role.
- An incident response plan defines the steps to contain, eradicate, and recover from security incidents.
Threat Mitigation Strategies
Network Segmentation
Network segmentation divides the network into smaller zones, each with its own security controls and its own policy for what may enter and leave. If one zone is compromised, the attacker cannot easily move laterally into the others, so the breach stays contained to the zone where it started.
Implementation methods:
- VLANs — separate traffic at Layer 2
- ACLs — filter traffic between segments at Layer 3 (by address) and Layer 4 (by port)
- Firewalls — deep inspection between security zones
- Micro-segmentation — granular policies per workload (using SDN)
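The segmentation described above as an added worked example, written for Cisco IOS on a Layer 3 switch (the page's privilege levels and TACACS+ references point to IOS). This is not configuration from the original page; VLAN IDs, subnets, port names and the zone layout are assumed values chosen for illustration:

```cisco
! Added example, not from the original page. VLAN IDs, subnets, ports and
! the zone layout are assumed values chosen for illustration.
!
! Layer 2: one broadcast domain per zone
vlan 10
 name USERS
vlan 20
 name SERVERS
vlan 99
 name MGMT
!
interface GigabitEthernet1/0/5
 description user workstation
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
!
! Layer 3: the switch routes between zones, so the SVI is the enforcement point.
! "in" filters traffic from VLAN 10 hosts as it enters the switch.
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip access-group USERS-TO-SERVERS in
!
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
!
! ACEs are evaluated top-down, first match wins, and anything that matches
! no entry is dropped by the implicit deny at the end of every ACL.
ip access-list extended USERS-TO-SERVERS
 remark users may reach the server zone only on HTTPS and DNS
 permit tcp 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 443
 permit udp 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 53
 remark users never reach the management zone; log attempts for the SIEM
 deny   ip 10.10.10.0 0.0.0.255 10.10.99.0 0.0.0.255 log
 deny   ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 log
 remark everything else (Internet via the firewall) is allowed
 permit ip 10.10.10.0 0.0.0.255 any
!
! Verify: the deny counters climb when a user host probes the server or management zone
! show access-lists USERS-TO-SERVERS
! show ip interface Vlan10 | include access list
```

The order matters: the explicit deny lines sit above the final permit so that server-bound and management-bound traffic is logged and dropped before the catch-all. The ACL only sees traffic that crosses the SVI; two hosts inside VLAN 10 still talk to each other at Layer 2, which is why per-workload control needs micro-segmentation or private VLANs.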
Principle of Least Privilege
Give users and devices only the minimum access they need to perform their function:
| Role | Access Level | Example |
|---|---|---|
| Help desk | Read-only, basic show commands | Privilege level 1 (user EXEC) |
| Network operator | Monitoring + basic changes | Custom privilege level 5 |
| Network engineer | Full configuration access | Privilege level 15 (privileged EXEC) |
| Security admin | Security-related commands only | Per-command authorization via TACACS+ |
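The roles in the table as an added Cisco IOS example (not configuration from the original page): local privilege levels cover the first three rows and serve as a fallback, while TACACS+ per-command authorization gives the server the final say on each command, which is what the security admin role needs. The server address, usernames and secrets are placeholders:

```cisco
! Added example, not from the original page. Server address, usernames and
! secrets are placeholders; replace them before use.
!
! Custom privilege level 5: operators may enter config mode, pick an interface,
! shut it and change its description, but cannot touch routing, ACLs or AAA.
! Level 1 is the default user EXEC view and needs no extra commands.
privilege exec level 5 configure terminal
privilege configure level 5 interface
privilege interface level 5 shutdown
privilege interface level 5 description
privilege exec level 5 show running-config
!
username helpdesk privilege 1 secret Example-Helpdesk-Secret
username netops   privilege 5 secret Example-Netops-Secret
username neteng   privilege 15 secret Example-Engineer-Secret
!
! TACACS+: the server (e.g. Cisco ISE) authorizes each command individually.
! "local" is the fallback used only if the server group is unreachable.
aaa new-model
tacacs server ISE-1
 address ipv4 10.0.0.10
 key Example-Shared-Secret
aaa group server tacacs+ TACACS-GROUP
 server name ISE-1
aaa authentication login default group TACACS-GROUP local
aaa authorization exec default group TACACS-GROUP local
aaa authorization commands 1 default group TACACS-GROUP local
aaa authorization commands 5 default group TACACS-GROUP local
aaa authorization commands 15 default group TACACS-GROUP local
aaa authorization config-commands
aaa accounting commands 15 default start-stop group TACACS-GROUP
!
line vty 0 4
 transport input ssh
 login authentication default
 authorization exec default
 authorization commands 15 default
 accounting commands 15 default
!
! Verify the level of the current session: show privilege
```

Two caveats a practitioner should know: `show running-config` at level 5 displays only the commands that level is allowed to see, so the operator gets a partial view, and `aaa authorization config-commands` is required or commands typed in configuration mode bypass TACACS+ authorization entirely. Accounting of level 15 commands gives the audit trail needed in the Lessons Learned phase.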
Multi-Factor Authentication (MFA)
MFA requires two or more verification factors, and they must come from different categories; a password plus a PIN is two knowledge factors and does not count:
| Factor | Category | Examples |
|---|---|---|
| Something you know | Knowledge | Password, PIN, security question |
| Something you have | Possession | Smart card, hardware token, phone (authenticator app or SMS code) |
| Something you are | Biometric | Fingerprint, face recognition, retina scan |
Using MFA significantly reduces the risk of unauthorized access, even if a password is compromised. Factor strength varies: a hardware token or authenticator app resists SIM swapping and interception far better than an SMS code, so prefer those where the platform allows it.
Security Monitoring and Response
Proactive measures:
- SIEM (Security Information and Event Management) systems correlate logs from multiple sources
- SNMP traps and syslog alerts for suspicious activity
- NetFlow analysis for traffic pattern anomalies
- Regular vulnerability assessments and penetration testing
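The first three proactive measures as an added Cisco IOS example (not from the original page): syslog and SNMPv3 traps forwarded to a collector, login failures logged so brute-force attempts are visible, and Flexible NetFlow exported for traffic-pattern analysis. The collector address, NTP server, SNMPv3 credentials and interface names are assumed placeholders:

```cisco
! Added example, not from the original page. Collector address, NTP server,
! SNMPv3 credentials and interface names are assumed placeholders.
!
! Synchronized, millisecond timestamps are what lets a SIEM correlate
! events from several devices into one timeline
ntp server 10.0.0.5
service timestamps log datetime msec localtime show-timezone
service sequence-numbers
!
! Syslog: keep a local buffer and forward informational and above to the SIEM
logging buffered 65536 informational
logging source-interface Loopback0
logging host 10.0.0.50
logging trap informational
!
! Log every login failure and success, and slow down password guessing:
! 3 failures within 60 seconds blocks new login attempts for 120 seconds
login on-failure log
login on-success log
login block-for 120 attempts 3 within 60
!
! SNMPv3 traps with authentication and encryption instead of v2c community strings
snmp-server group NMS-GROUP v3 priv
snmp-server user nms-user NMS-GROUP v3 auth sha Example-Auth-Pass priv aes 128 Example-Priv-Pass
snmp-server enable traps snmp authentication linkdown linkup coldstart
snmp-server enable traps config
snmp-server host 10.0.0.50 version 3 priv nms-user
!
! Flexible NetFlow: export 5-tuple flow records so the collector can spot
! scans (one source, many destinations), beaconing and unusual volumes
flow record SEC-RECORD
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
flow exporter SEC-EXPORTER
 destination 10.0.0.50
 source Loopback0
 transport udp 2055
 export-protocol netflow-v9
!
flow monitor SEC-MONITOR
 record SEC-RECORD
 exporter SEC-EXPORTER
 cache timeout active 60
!
interface Vlan10
 ip flow monitor SEC-MONITOR input
!
! Verify: show logging | include LOGIN ; show flow monitor SEC-MONITOR cache
```

The 60-second active timeout matters for detection: without it a long-lived flow is not exported until it ends, so a slow exfiltration session would not appear at the collector until it is over.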
Incident Response Process
| Phase | Actions |
|---|---|
| 1. Preparation | Develop plans, train staff, deploy tools |
| 2. Identification | Detect and confirm the incident |
| 3. Containment | Isolate affected systems to prevent spread |
| 4. Eradication | Remove the threat (malware, unauthorized access) |
| 5. Recovery | Restore systems to normal operation |
| 6. Lessons Learned | Document what happened and improve processes |
Containment Examples in Networking
| Threat | Containment Action |
|---|---|
| Compromised host | Shut down the switch port or move to quarantine VLAN |
| Rogue DHCP server | Enable DHCP snooping, shut port with rogue server |
| DDoS attack | Apply rate limiting, notify ISP for upstream filtering |
| Malware outbreak | Segment infected VLAN, block C2 server IPs via ACL |
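The four containment actions in the table as an added Cisco IOS example (not from the original page). Port numbers, VLAN IDs, the attacker and C2 addresses (taken from the RFC 5737 documentation ranges) and the policing rate are assumed:

```cisco
! Added example, not from the original page. Port numbers, VLAN IDs, the
! attacker/C2 addresses (RFC 5737 documentation ranges) and rates are assumed.
!
! --- Compromised host on Gi1/0/7 ---
! Capture volatile evidence first: shutting the port ages out the MAC/ARP entries
! show mac address-table interface GigabitEthernet1/0/7
! show ip arp vlan 10
!
! Option A: cut the host off entirely
interface GigabitEthernet1/0/7
 description QUARANTINED by IR (compromised host)
 shutdown
!
! Option B: keep the host reachable by IR tooling only, in a VLAN with no SVI and no route
vlan 999
 name QUARANTINE
interface GigabitEthernet1/0/7
 switchport access vlan 999
!
! --- Rogue DHCP server on an access port ---
! Only the uplink may send server messages (OFFER/ACK); untrusted ports that try
! are dropped, and the offending port is shut while the host is investigated
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
interface GigabitEthernet1/0/24
 description UPLINK to distribution
 ip dhcp snooping trust
interface range GigabitEthernet1/0/1 - 23
 ip dhcp snooping limit rate 10
interface GigabitEthernet1/0/12
 description SHUT - rogue DHCP server detected
 shutdown
!
! --- Flood traffic (DDoS) ---
! Police the flood class at the edge; this protects the devices behind the router,
! not the uplink itself, so upstream filtering still has to come from the ISP
ip access-list extended FLOOD-SRC
 permit ip 203.0.113.0 0.0.0.255 any
class-map match-all FLOOD
 match access-group name FLOOD-SRC
policy-map RATE-LIMIT
 class FLOOD
  police 64000 8000 conform-action transmit exceed-action drop
interface GigabitEthernet0/0
 ip verify unicast source reachable-via rx
 service-policy input RATE-LIMIT
!
! --- Malware C2 ---
! Block the known C2 addresses for the infected VLAN; deny lines go first and log hits
ip access-list extended BLOCK-C2
 deny   ip any host 198.51.100.7 log
 deny   ip any host 198.51.100.22 log
 permit ip any any
interface Vlan10
 ip access-group BLOCK-C2 in
!
! Verify: show ip dhcp snooping ; show policy-map interface GigabitEthernet0/0 ; show access-lists BLOCK-C2
```

Choose between the two quarantine options deliberately: a shutdown is the fastest and most certain, while the quarantine VLAN keeps the host online for forensic collection but only contains it if that VLAN truly has no SVI and no path out. The strict uRPF check (`reachable-via rx`) drops spoofed sources only where routing is symmetric; on an asymmetric link use `reachable-via any` instead. The BLOCK-C2 ACL hit counters double as an identification tool, showing which infected hosts are still trying to call home.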
On the Exam: Understand the layered approach to security. No single control protects everything — defense-in-depth combines physical, network, host, application, and administrative controls. Know that network segmentation limits breach impact and that MFA strengthens authentication.
What is the principle of least privilege?
Which three categories make up multi-factor authentication (MFA)?
What is the recommended first action when a compromised host is detected on the network?