WOLF//SEC
← Domain 2
OBJECTIVE 2.5 Explain

Explain the purpose of mitigation techniques used to secure the enterprise

Mitigation reduces the likelihood or impact of a threat exploiting a vulnerability. This objective covers the defensive techniques you deploy across the enterprise — the countermeasures that map directly to the threat vectors and vulnerability types from 2.2 and 2.3.

Network Segmentation

Dividing a network into isolated segments to contain breaches and limit lateral movement.

  • VLANs: Logical separation at Layer 2. Different departments, sensitivity levels, or device types on different VLANs.
  • Subnets: Layer 3 separation with routing controls between segments
  • DMZDemilitarized Zone — Network segment for public-facing services (Demilitarized Zone): Isolated network segment for public-facing services (web servers, email gateways). Sits between the external firewall and internal network.
  • Air gap: Physical isolation — no network connection at all. Used for critical infrastructure (ICSIndustrial Control System — Systems managing physical industrial processes/SCADASupervisory Control and Data Acquisition — Industrial control system for remote monitoring, classified systems).
  • Microsegmentation: Granular, software-defined segmentation down to individual workloads. Zero-trust applied to east-west traffic.

Purpose: Even if an attacker compromises one segment, they can’t freely move to others. Limits blast radius.

Access Control

Principle of Least Privilege

Users and systems receive only the minimum permissions needed to perform their function. Nothing more.

  • Applies to user accounts, service accounts, APIApplication Programming Interface — Interface for software-to-software communication keys, application permissions
  • Regular access reviews to revoke accumulated permissions (“permission creep”)

Separation of Duties

No single person should have end-to-end control over a critical process.

  • Example: The person who approves financial transactions shouldn’t also process them
  • Prevents fraud and limits insider threat impact

Role-Based Access Control (RBAC)

Permissions assigned to roles, users assigned to roles. Changes to role affect all members.

Conditional Access

Access decisions based on context: device health, location, time, risk score.

  • “You can access email from a managed device on the corporate network without MFAMulti-Factor Authentication — Requiring multiple authentication factors re-prompt, but from an unmanaged device in a foreign country you get blocked.”

Patching

Applying vendor-provided fixes for known vulnerabilities.

  • Regular patching cycle: Monthly/quarterly scheduled updates (Microsoft Patch Tuesday)
  • Emergency patching: Out-of-cycle for actively exploited critical vulnerabilities
  • Testing: Always test patches in staging before production deployment
  • Prioritization: Not all patches are equal. Focus on internet-facing systems, critical CVEs, and actively exploited vulnerabilities first.

The uncomfortable truth: Most breaches exploit known, patched vulnerabilities. Orgs that patch promptly eliminate the majority of their attack surface.

Encryption

Rendering data unreadable without the proper key. Applied at every data state:

  • At rest: Full-disk encryption (BitLocker, LUKS), database encryption, file-level encryption
  • In transit: TLSTransport Layer Security — Port 443 (HTTPS). Encryption protocol for data in transit 1.3 for web traffic, IPSecInternet Protocol Security — Network-layer VPN protocol suite/WireGuard for VPNVirtual Private Network — Encrypted tunnel over public networks, SSHSecure Shell — Port 22. Encrypted remote administration protocol for remote administration
  • In use: More difficult — hardware-based solutions (Intel SGX, AMD SEV) for confidential computing

Application Security

Input Validation

Verify all user input conforms to expected format before processing.

  • Whitelist (allow known-good) preferred over blacklist (block known-bad)
  • Server-side validation is mandatory — client-side validation is easily bypassed

Parameterized Queries

Prevent SQLStructured Query Language — Language for database queries injection by separating code from data in database queries.

  • Prepared statements, stored procedures
  • Never concatenate user input into SQLStructured Query Language — Language for database queries strings

Code Analysis

  • SASTStatic Application Security Testing — Analyzing source code for vulnerabilities (Static Application Security Testing): Analyze source code for vulnerabilities without executing it
  • DASTDynamic Application Security Testing — Testing running applications for vulnerabilities (Dynamic Application Security Testing): Test running applications by sending malicious inputs
  • SCASoftware Composition Analysis — Identifying vulnerable third-party dependencies (Software Composition Analysis): Identify vulnerable third-party libraries and dependencies

Sandboxing

Running untrusted code in an isolated environment.

  • Browser sandboxes, application containers, detonation chambers for malware analysis
  • Limits the impact if the code is malicious

Secure Coding Practices

  • OWASPOpen Web Application Security Project — Nonprofit producing web security resources (Top 10) Top 10 as a baseline
  • Avoid hardcoded credentials, use secrets management
  • Implement proper error handling (don’t leak stack traces to users)

Monitoring and Detection

SIEM (Security Information and Event Management)

Aggregates logs from across the enterprise, correlates events, generates alerts.

  • Centralizes visibility — the single pane of glass for security operations
  • Alert fatigue is the main challenge: too many false positives bury real incidents

IDS/IPS

  • IDSIntrusion Detection System — Monitors and alerts on suspicious activity (passive) (Intrusion Detection System): Passive — detects and alerts on suspicious activity
  • IPSIntrusion Prevention System — Detects and blocks suspicious activity (inline) (Intrusion Prevention System): Active — detects and blocks suspicious activity inline
  • Signature-based: Matches known attack patterns. Fast but blind to novel attacks.
  • Anomaly-based: Establishes baseline of normal behavior, alerts on deviations. Catches novel attacks but generates more false positives.

EDR/XDR

  • EDREndpoint Detection and Response — Monitors endpoints for threats and enables response (Endpoint Detection and Response): Monitors endpoints for suspicious behavior, provides investigation and response capabilities
  • XDRExtended Detection and Response — EDR extended across network, cloud, email, identity (Extended Detection and Response): Extends EDREndpoint Detection and Response — Monitors endpoints for threats and enables response across network, cloud, email, and identity — correlated detection across multiple data sources

Mobile Device Management (MDM) as Mitigation

MDMMobile Device Management — Centralized management of mobile devices isn’t just an administrative tool — it’s a security mitigation technique against mobile threats:

  • Remote wipe: Mitigates data exposure from lost/stolen devices
  • Containerization: Mitigates data leakage between personal and corporate apps on BYODBring Your Own Device — Employee uses personal device for work
  • Application whitelisting: Mitigates malware installation from unofficial sources
  • Configuration enforcement: Mitigates weak device security (forced encryption, PINPersonal Identification Number — Numeric passcode for authentication length, screen lock timeout)
  • Jailbreak/root detection: Mitigates bypass of OSOperating System — System software managing hardware and applications-level security controls
  • Geofencing: Mitigates data access from unauthorized locations (disable camera in secure areas, restrict data access outside office)
  • Certificate deployment: Mitigates MITMMan-in-the-Middle — Attacker intercepts communication between two parties attacks by distributing trusted certificates for VPNVirtual Private Network — Encrypted tunnel over public networks, WiFi, email

Secure Boot and TPM

Secure Boot

Firmware-level verification ensuring only trusted, signed code executes during startup:

  1. UEFIUnified Extensible Firmware Interface — Modern firmware interface replacing BIOS firmware verifies bootloader signature against trusted keys stored in firmware
  2. Bootloader verifies OSOperating System — System software managing hardware and applications kernel signature
  3. Kernel verifies driver signatures
  4. Each stage verifies the next — a chain of trust from hardware to OSOperating System — System software managing hardware and applications

If any component fails verification, boot is halted. Prevents bootkits, rootkits, and firmware-level malware from executing before the OSOperating System — System software managing hardware and applications loads.

TPM (Trusted Platform Module)

Hardware chip providing cryptographic functions and secure key storage:

  • Platform integrity measurement: Stores hash measurements of boot components (PCRs — Platform Configuration Registers). If measurements change, something was modified.
  • Key protection: Encryption keys stored in TPMTrusted Platform Module — Hardware chip for secure key storage and boot integrity hardware — can’t be extracted by software. BitLocker uses TPMTrusted Platform Module — Hardware chip for secure key storage and boot integrity to protect disk encryption keys.
  • Attestation: TPMTrusted Platform Module — Hardware chip for secure key storage and boot integrity can prove to a remote verifier that the system booted in a trusted state
  • Sealed storage: Data encrypted to a specific TPMTrusted Platform Module — Hardware chip for secure key storage and boot integrity state — only accessible if the system is in the expected configuration

Together: Secure boot ensures trusted code runs. TPMTrusted Platform Module — Hardware chip for secure key storage and boot integrity proves it happened and protects the keys.

Network Access Control (NAC) as Mitigation

NACNetwork Access Control — Enforces security policy on devices connecting to network mitigates the risk of non-compliant or unauthorized devices accessing the network:

  • Pre-admission: Check device posture BEFORE granting network access (AV updated? OSOperating System — System software managing hardware and applications patched? Firewall enabled? Encryption on?)
  • Post-admission: Continuously monitor device state AFTER connection. If device falls out of compliance, quarantine automatically.
  • Guest isolation: Untrusted devices get internet-only access on a quarantine VLANVirtual Local Area Network — Logical network segmentation at Layer 2 — no access to internal resources
  • 802.1X enforcement: Port-level authentication prevents unauthorized physical connections
  • BYODBring Your Own Device — Employee uses personal device for work containment: Personal devices get limited network access through NACNetwork Access Control — Enforces security policy on devices connecting to network policy even if they authenticate successfully

Exam context: When a question describes an unauthorized device connecting to the network, NACNetwork Access Control — Enforces security policy on devices connecting to network is typically the answer. When it describes a compliant device that later becomes non-compliant, post-admission NACNetwork Access Control — Enforces security policy on devices connecting to network with quarantine is the answer.

Hardening

Secure Baselines

Documented, known-good configurations that all systems should match.

  • CISCenter for Internet Security — Publishes CIS Controls and Benchmarks Benchmarks, DISA STIGs, vendor security guides
  • Automated enforcement via GPOGroup Policy Object — Windows policy enforcement mechanism, Ansible, Chef, Puppet

Disabling Unnecessary Services

Every running service is a potential entry point. If it’s not needed, it shouldn’t be running.

  • Default installations often include services you don’t need
  • Reduce the attack surface by removing or disabling them

Account Management

  • Disable default accounts or change their credentials
  • Enforce account lockout policies (but watch for lockout-based DoSDenial of Service — Attack making a resource unavailable)
  • Implement password policies (length > complexity)
  • Service accounts with non-interactive login, minimum privileges

Allow Lists and Deny Lists

Application Allow Listing

Only explicitly approved applications can execute. Everything else is blocked.

  • Strongest application control but highest management overhead
  • Exam tip: Allow listing is more secure than deny listing because it blocks unknown threats

Application Deny Listing

Specific known-bad applications are blocked. Everything else is allowed.

  • Easier to manage but provides weaker protection — only blocks what you know about

Decommissioning

Properly retiring systems, applications, and data when no longer needed.

  • Remove from network, revoke access, wipe data (crypto-shred or physical destruction)
  • Remove DNSDomain Name System — Port 53 (UDP/TCP). Resolves domain names to IP addresses records, firewall rules, and monitoring references
  • Forgotten systems (VMVirtual Machine — Software emulation of a computer system sprawl, shadow ITInformation Technology — Broad term for computing infrastructure and services) are prime attack targets because nobody’s patching them

Offensive Context

Every mitigation technique has an offensive counterpart. Segmentation forces attackers to find pivot points — so they target dual-homed systems. Patching eliminates known exploits — so attackers race to exploit before the patch is applied (n-day attacks). Allow listing blocks unknown executables — so attackers live off the land using already-approved tools (PowerShell, WMI, certutil). Understanding the attacker’s response to each mitigation is what makes your defensive architecture resilient rather than brittle.