5.7 Threat Mitigation and Incident Response
Key Takeaways
- Network segmentation with VLANs, ACLs, and firewalls limits the blast radius so one compromised zone cannot reach the rest.
- Least privilege grants users and devices only the minimum access their role requires, capping the damage of any single compromise.
- Multi-factor authentication combines factors from different categories — know, have, are — so a stolen password alone is not enough.
- Firewalls (stateful filtering) and IPS (signature/anomaly inline blocking) are the core technical perimeter controls.
- Incident response follows a defined lifecycle, and containment (isolating the affected host) comes before eradication and recovery.
Mitigation Is About Limiting Blast Radius
No single control stops every attack, so threat mitigation combines preventive controls (block it), detective controls (spot it), and corrective controls (recover from it). The recurring CCNA theme is limiting the blast radius — making sure that when something is compromised, the damage stays contained.
Network Segmentation
Segmentation carves the network into zones, each with its own policy, so an attacker who lands in one zone cannot freely roam.
| Method | Layer | What it does |
|---|---|---|
| VLANs | 2 | Separate broadcast domains and user groups |
| ACLs | 3 | Filter which subnets/ports may cross zones |
| Firewalls | 3-7 | Stateful inspection between security zones |
| Micro-segmentation | per-workload | Granular SDN policies per host/app |
A flat network lets ransomware on one PC reach every server; a segmented network forces it to cross policed boundaries.
Firewalls vs. IPS
| Control | Primary job | How it acts |
|---|---|---|
| Firewall | Allow/deny by zone, address, port, and session state | Stateful — tracks connection state |
| IPS (Intrusion Prevention System) | Detect and block malicious patterns inline | Signature and anomaly based |
| IDS | Detect and alert (passive copy of traffic) | Out-of-band, does not block |
The IPS-vs-IDS distinction is testable: an IPS sits inline and can drop the attack; an IDS only watches a mirrored copy and raises an alarm.
Principle of Least Privilege
Grant each user or device only the minimum access its role needs. On IOS this maps to privilege levels and role-based access.
| Role | Access | Mechanism |
|---|---|---|
| Help desk | Read-only show commands | Privilege level 1 |
| Operator | Monitoring + limited changes | Custom privilege ~5 |
| Network engineer | Full configuration | Privilege level 15 |
| Security admin | Security commands only | Per-command authZ via TACACS+ |
Least privilege caps the damage from a stolen credential or a malicious insider: a help-desk account limited to read-only show commands cannot be turned into a tool for reconfiguring the network, whoever is holding it.
Multi-Factor Authentication (MFA)
MFA requires two or more factors from different categories.
| Factor | Category | Examples |
|---|---|---|
| Something you know | Knowledge | Password, PIN |
| Something you have | Possession | Token, smart card, phone app |
| Something you are | Inherence | Fingerprint, face, retina |
The trap: a password plus a PIN is not MFA — both are "something you know." True MFA mixes categories, so a leaked password alone cannot grant access.
Security Monitoring
- SIEM (Security Information and Event Management) correlates logs from many sources.
- Syslog and SNMP traps surface device events and alarms.
- NetFlow reveals traffic-pattern anomalies (e.g., a host suddenly scanning the subnet).
- Vulnerability scans and penetration tests find weaknesses before attackers do.
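As an added illustration of the NetFlow point above (example code written for this page, not taken from any vendor tool), the following flags a host whose flow records show a sudden fan-out of tiny flows to many neighbours, the footprint of a subnet sweep; the flow records and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed NetFlow-style records (src_ip, dst_ip, dst_port, packets);
# hypothetical data for illustration, not captured from a real network.
FLOWS = [
    ("10.1.10.25", "10.1.20.5", 443, 120),   # normal user traffic to two servers
    ("10.1.10.25", "10.1.20.6", 443, 98),
    ("10.1.10.25", "10.1.20.5", 53, 4),
    ("10.1.20.5", "10.1.20.6", 1433, 880),   # server-to-server database traffic
]
# 10.1.10.77 opens one tiny flow to each of 40 hosts on port 445: a subnet sweep
FLOWS += [("10.1.10.77", f"10.1.20.{h}", 445, 1) for h in range(1, 41)]


def fanout_by_source(flows):
    """Per source: (distinct destination hosts, flow count, total packets)."""
    hosts = defaultdict(set)
    flow_count = defaultdict(int)
    packets = defaultdict(int)
    for src, dst, _port, pkts in flows:
        hosts[src].add(dst)
        flow_count[src] += 1
        packets[src] += pkts
    return {s: (len(hosts[s]), flow_count[s], packets[s]) for s in hosts}


def find_scanners(flows, min_hosts=20, max_avg_packets=3.0):
    """Flag sources that touch many distinct hosts with very small flows.

    Legitimate clients talk to a few servers with sizeable flows; a sweep
    produces a large fan-out of one- or two-packet flows. Thresholds are
    assumed values to be tuned against the site's own baseline.
    """
    suspects = []
    for src, (distinct_hosts, flow_count, packets) in fanout_by_source(flows).items():
        avg_packets = packets / flow_count
        if distinct_hosts >= min_hosts and avg_packets <= max_avg_packets:
            suspects.append(src)
    return sorted(suspects)


if __name__ == "__main__":
    for src, stats in sorted(fanout_by_source(FLOWS).items()):
        print(src, "hosts=%d flows=%d packets=%d" % stats)
    print("scan suspects:", find_scanners(FLOWS))
```

In practice the same fan-out count is compared against each host's historical baseline rather than a fixed threshold, so a server that legitimately talks to many clients is not flagged.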
Incident Response Lifecycle
| Phase | Actions |
|---|---|
| 1. Preparation | Build the plan, train staff, deploy tools and logging |
| 2. Identification | Detect and confirm a real incident |
| 3. Containment | Isolate affected systems to stop the spread |
| 4. Eradication | Remove the malware/unauthorized access |
| 5. Recovery | Restore systems and validate they are clean |
| 6. Lessons learned | Document and improve so it does not recur |
The sequence matters: containment precedes eradication and recovery. Reformatting or rebuilding before isolating the host risks letting the threat spread or destroying evidence.
Networking Containment Examples
| Threat | Containment action |
|---|---|
| Compromised host | Shut the switch port or move it to a quarantine VLAN |
| Rogue DHCP server | Enable DHCP snooping; shut the offending port |
| DDoS attack | Apply rate-limiting; ask the ISP for upstream filtering |
| Malware outbreak | Isolate the VLAN; block command-and-control IPs via ACL |
Where the Firewall Sits: DMZ Design
A frequent design concept is the DMZ (demilitarized zone) — a buffer network for public-facing servers (web, email, DNS) that sits between the untrusted internet and the trusted internal LAN. The firewall enforces three zones with decreasing trust: outside (internet), DMZ (semi-trusted, reachable from the internet), and inside (fully trusted, never directly reachable from the internet). If a public web server in the DMZ is compromised, segmentation keeps the attacker from pivoting straight into the internal LAN. This is defense-in-depth and least privilege applied to network topology.
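The three-zone policy described above, modelled as an added example (not configuration from the page or from any vendor): higher-trust zones may initiate sessions toward lower-trust zones, the internet reaches only the services the DMZ publishes, and a compromised DMZ server still cannot open a session into the inside. The prefixes and the published port list are assumptions.

```python
import ipaddress

# Hypothetical addressing for the internal zones (constructed for this example);
# any address outside these prefixes is treated as the untrusted outside.
ZONES = {
    "inside": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("203.0.113.0/24"),
}
TRUST = {"outside": 0, "dmz": 1, "inside": 2}

# Services the DMZ publishes to the internet (assumed: web, mail, DNS)
PUBLISHED = {("outside", "dmz", 80), ("outside", "dmz", 443),
             ("outside", "dmz", 25), ("outside", "dmz", 53)}


def zone_of(ip):
    """Map an address to its security zone; unmatched prefixes are outside."""
    addr = ipaddress.ip_address(ip)
    for name, prefix in ZONES.items():
        if addr in prefix:
            return name
    return "outside"


def permit_new_session(src_ip, dst_ip, dst_port):
    """Zone policy: higher trust may initiate toward lower trust; lower trust
    toward higher trust only for an explicitly published service."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        return True  # intra-zone traffic never crosses the firewall
    if TRUST[src_zone] > TRUST[dst_zone]:
        return True
    return (src_zone, dst_zone, dst_port) in PUBLISHED


class StatefulFirewall:
    """Remembers permitted sessions so reply traffic needs no policy match."""

    def __init__(self):
        self.sessions = set()

    def check(self, src_ip, src_port, dst_ip, dst_port):
        if (dst_ip, dst_port, src_ip, src_port) in self.sessions:
            return "established"   # return direction of an approved session
        if permit_new_session(src_ip, dst_ip, dst_port):
            self.sessions.add((src_ip, src_port, dst_ip, dst_port))
            return "permit"
        return "deny"
```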
Endpoint and Email Controls
Because most breaches begin at the endpoint, mitigation extends past the network gear. Endpoint protection (antivirus, host firewall, EDR), email security gateways that filter phishing and malicious attachments, and patch management all reduce the chance an attack ever reaches the wire. Pair these with user awareness training, since phishing and social engineering exploit people rather than protocols and no firewall blocks a user who willingly types their password into a fake page.
Logging Severity Levels
When monitoring, know the eight syslog severity levels, 0 (emergency) through 7 (debugging). Level 0 is the most critical and 7 the most verbose; logging trap informational (level 6) captures levels 0 through 6 and is a common production setting. Recognizing that lower number = higher severity is a small but testable detail.
| Level | Keyword | Meaning |
|---|---|---|
| 0 | emergencies | System unusable |
| 2 | critical | Critical condition |
| 5 | notifications | Normal but significant |
| 7 | debugging | Verbose debug output |
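To make the "lower number = higher severity" rule and the trap-level cutoff concrete, here is an added example (written for this page, not from Cisco) that pulls the severity out of the %FACILITY-SEVERITY-MNEMONIC field of IOS system messages and keeps only those a given logging trap setting would forward; the sample log lines are constructed.

```python
import re

# IOS severity keywords indexed by level; a lower number is more severe
SEVERITY_KEYWORDS = ["emergencies", "alerts", "critical", "errors",
                     "warnings", "notifications", "informational", "debugging"]

# Cisco system messages carry the level in the middle field: %FACILITY-SEVERITY-MNEMONIC
MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)")


def parse_ios_message(line):
    """Return facility, numeric severity, its keyword and text, or None if not a message."""
    m = MSG_RE.search(line)
    if not m:
        return None
    sev = int(m.group("severity"))
    return {"facility": m.group("facility"), "severity": sev,
            "keyword": SEVERITY_KEYWORDS[sev], "mnemonic": m.group("mnemonic"),
            "text": m.group("text")}


def trap_level(setting):
    """'logging trap' accepts a keyword or a number; normalise to the number."""
    return setting if isinstance(setting, int) else SEVERITY_KEYWORDS.index(setting)


def forwarded_to_collector(lines, trap="informational"):
    """Messages reach the syslog server only if severity <= the trap level."""
    level = trap_level(trap)
    parsed = (parse_ios_message(line) for line in lines)
    return [p for p in parsed if p is not None and p["severity"] <= level]


# Constructed sample buffer (hypothetical lines, not taken from the page)
SAMPLE = [
    "*Mar  1 00:01:12.003: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.5.20)",
    "*Mar  1 00:01:40.117: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "*Mar  1 00:02:02.889: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.9]",
    "*Mar  1 00:02:05.400: %SYS-7-USERLOG_DEBUG: Message from tty0: debug output (constructed)",
    "show logging",  # a non-message line is ignored
]

if __name__ == "__main__":
    for p in forwarded_to_collector(SAMPLE, "informational"):
        print(p["severity"], p["keyword"], p["mnemonic"])
```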
On the Exam: Expect a layered-defense scenario. Know that segmentation limits breach impact, MFA mixes factor categories, an IPS blocks while an IDS only alerts, and the first response to a confirmed compromise is containment, not eradication.
A help-desk technician's account is compromised, but the attacker cannot reconfigure any switches because the account only has read-only show access. Which security principle prevented escalation?
Which of the following qualifies as true multi-factor authentication?
A confirmed malware infection is spreading from one workstation. According to the incident-response lifecycle, what should happen FIRST after identification?
What is the key difference between an IPS and an IDS?