
Chapter 10 of 27

Mitigation Techniques: From Hardening to Network and Application Defenses

Translate knowledge of threats and vulnerabilities into concrete defensive moves, hardening hosts, networks, and applications to withstand real-world attacks.

27 min read

From Vulnerabilities to Mitigations: Defense-in-Depth Mindset

Linking Vulns to Defenses

You learned how vulnerabilities are found and exploited. This module focuses on what you actually configure and deploy to reduce that risk in real systems.

Defense in Depth

Defense in depth means combining multiple preventive, detective, and corrective controls so that if one layer fails, others still protect the system.

Risk-Based Focus

You prioritize mitigations for assets that are internet-exposed, host sensitive data, support critical functions, or are frequently targeted, such as email and web apps.

What You Will Practice

You will harden hosts and apps, use network defenses, apply endpoint and email controls, and design layered strategies tied to specific threats and vulnerabilities.

Host Hardening: Patching, Services, and Secure Baselines

What Is Host Hardening?

Host hardening configures an OS and its apps to minimize attack surface and reduce exploitability. It is one of the highest-value, lowest-cost defenses.

Patching and Updates

OS and application patching closes known vulnerabilities that attackers scan for. Use centralized tools and a test–approve–deploy process without long delays.

Disable Unneeded Services

Each running service is attack surface. Disable legacy or unused items like SMBv1, Telnet, FTP, or unneeded remote desktop and web services.

Secure Baseline Configs

A baseline is a standard approved config for a system type, covering passwords, logging, firewalls, encryption, and browser settings, enforced centrally.
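The "disable unneeded services" and "secure baseline" ideas above become concrete when you can measure drift from the baseline. The following is an added example, not course material: it compares a host's listening TCP services against an allowlist for a web-server system type and flags anything the baseline forbids. The allowlist, the forbidden legacy services and the listener table are all constructed assumptions for the example; real tooling output (for instance from ss or netstat) has its own layout and would need its own parser.

```python
# Added example (not from the course): compare a host's listening TCP
# services against a secure-baseline allowlist and flag drift. The listener
# table below is constructed for the example; real tooling output (for
# instance from "ss" or "netstat") has a different layout and would need its
# own parser.
import re
from dataclasses import dataclass

# Baseline for a "web server" system type (an assumption for this example):
# ports approved to be reachable from the network, and legacy services that
# the baseline forbids outright, keyed by their conventional port.
BASELINE_ALLOWED_PORTS = {22, 80, 443}
FORBIDDEN_LEGACY = {21: "FTP", 23: "Telnet"}

# Constructed sample: local address, port, owning process.
SAMPLE_LISTENERS = """
0.0.0.0:22      sshd
0.0.0.0:80      nginx
0.0.0.0:443     nginx
127.0.0.1:5432  postgres
0.0.0.0:23      telnetd
0.0.0.0:21      vsftpd
0.0.0.0:8080    tomcat
"""

LINE_RE = re.compile(r"^(?P<addr>[\d.]+):(?P<port>\d+)\s+(?P<proc>\S+)$")


@dataclass
class Finding:
    port: int
    address: str
    process: str
    severity: str
    reason: str


def parse_listeners(text):
    """Return (address, port, process) tuples; lines that do not match are skipped."""
    rows = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m["addr"], int(m["port"]), m["proc"]))
    return rows


def audit_listeners(text, allowed=BASELINE_ALLOWED_PORTS, forbidden=FORBIDDEN_LEGACY):
    """Flag every listener that deviates from the baseline."""
    findings = []
    for addr, port, proc in parse_listeners(text):
        # Bound to loopback only means not reachable from the network.
        exposed = addr != "127.0.0.1"
        if port in forbidden:
            findings.append(Finding(port, addr, proc, "high",
                                    f"{forbidden[port]} is forbidden by the baseline; disable the service"))
        elif port not in allowed and exposed:
            findings.append(Finding(port, addr, proc, "medium",
                                    "not in the allowlist and reachable from the network; "
                                    "disable it or block it in the host firewall"))
        elif port not in allowed:
            findings.append(Finding(port, addr, proc, "low",
                                    "not in the allowlist but loopback-only; confirm it is still needed"))
    return findings


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_LISTENERS):
        print(f"[{f.severity:6}] {f.address}:{f.port} ({f.process}): {f.reason}")
```

Run against the constructed table, the check reports Telnet and FTP as baseline violations, the Tomcat listener on 8080 as exposed-but-unapproved, and the loopback-only database as something to confirm rather than remove. A centrally enforced baseline is what turns this from a one-off script into an ongoing control.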

More Host Hardening: Accounts, Permissions, and Endpoint Controls

Least Privilege

Least privilege means users and processes get only the access they need. Avoid daily use of admin accounts and prefer role-based access control.

Hardening Accounts

Use strong passwords plus MFA, disable or rename defaults, remove unused accounts, and protect how and where credentials are stored.

Local Security Controls

Host firewalls, application allowlisting or denylisting, and anti-malware or EDR tools all reduce what malware can do if it reaches a host.

Exam Angle

If a question asks how to limit malware damage or restrict user actions on endpoints, think least privilege, account controls, and host-level defenses.

Network Security Controls: Firewalls, IDS/IPS, and Proxies

Why Network Controls?

Network defenses shape and monitor traffic so attacks are blocked or visible. Many modern devices combine firewall, IDS/IPS, and proxy roles.

Firewalls

Firewalls enforce rules about which traffic is allowed. Stateful firewalls track connection state; NGFWs add app awareness and often extra features.

IDS vs IPS

IDS monitors and alerts on suspicious traffic (detective). IPS sits inline and can block or modify traffic (preventive). Both use signatures and anomalies.

Proxies and Web Gateways

Forward proxies and secure web gateways filter outbound web traffic; reverse proxies sit in front of servers and can host WAFs for extra protection.

Segmentation, Isolation, and Zero Trust Thinking

Why Segment?

Segmentation and isolation limit how far attackers can move after a compromise, aligning with the zero trust idea of no implicit trust.

Network Segmentation Basics

Use VLANs and subnets to separate user, server, management, and guest traffic, with firewalls controlling flows between segments.

Isolation Techniques

Air-gapped networks, jump servers, and sandboxes keep sensitive systems or risky code separated from the rest of the environment.

Microsegmentation and Identity

Microsegmentation and identity-aware policies enforce fine-grained access between workloads based on user and device, not just IP.
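To make "firewalls controlling flows between segments" and "jump servers" tangible, here is an added example that is not part of the course: a default-deny policy check between segments. The segment ranges, the jump host address, the admin ports and the allow rule are constructed assumptions; a real firewall or microsegmentation product expresses the same logic in its own policy language.

```python
# Added example (not from the course): a default-deny policy check between
# network segments, with administrative access to servers funnelled through a
# jump host. Segment ranges, the jump host address and the rules are
# assumptions constructed for the example.
import ipaddress
from dataclasses import dataclass

SEGMENTS = {
    "users": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/24"),
    "management": ipaddress.ip_network("10.99.0.0/24"),
    "guest": ipaddress.ip_network("192.168.50.0/24"),
}
JUMP_HOST = ipaddress.ip_address("10.99.0.10")
ADMIN_PORTS = {22, 3389, 5985}  # SSH, RDP, WinRM


@dataclass(frozen=True)
class Rule:
    src: str          # source segment name
    dst: str          # destination segment name
    ports: frozenset  # TCP destination ports permitted
    note: str


# Explicit allow rules between segments; any flow not matched is denied.
RULES = [
    Rule("users", "servers", frozenset({445, 443}), "file shares and intranet web apps"),
]


def segment_of(ip):
    """Name of the segment containing ip, or None if it is outside all of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip, dst_ip, dst_port):
    """Return (allowed, reason) for a TCP flow; unknown or unmatched flows are denied."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False, "address outside every known segment: default deny"
    if src == dst:
        return True, f"intra-segment traffic within {src} (host firewalls still apply)"
    # Administrative ports on servers are reachable only from the jump host,
    # not from the whole management segment (a microsegmentation-style rule).
    if dst == "servers" and dst_port in ADMIN_PORTS:
        if ipaddress.ip_address(src_ip) == JUMP_HOST:
            return True, "admin port via the jump host"
        return False, f"admin port {dst_port} on servers is only reachable from the jump host"
    for rule in RULES:
        if rule.src == src and rule.dst == dst and dst_port in rule.ports:
            return True, rule.note
    return False, f"no rule permits {src} -> {dst}:{dst_port}: default deny"


def evaluate(flows):
    """Evaluate (src_ip, dst_ip, port) tuples; returns (flow, allowed, reason) per flow."""
    return [(flow, *is_allowed(*flow)) for flow in flows]


# Constructed flows: a compromised laptop in the user segment probing the file
# server, a guest device, and two candidate admin paths.
SAMPLE_FLOWS = [
    ("10.10.5.23", "10.20.0.5", 445),    # laptop -> file server, SMB
    ("10.10.5.23", "10.20.0.5", 3389),   # laptop -> file server, RDP
    ("10.10.5.23", "10.20.0.5", 22),     # laptop -> file server, SSH
    ("192.168.50.7", "10.20.0.5", 445),  # guest device -> file server
    ("10.99.0.10", "10.20.0.5", 22),     # jump host -> server, SSH
    ("10.99.0.50", "10.20.0.5", 22),     # other management host -> server, SSH
]

if __name__ == "__main__":
    for (s, d, p), ok, why in evaluate(SAMPLE_FLOWS):
        print(f"{'ALLOW' if ok else 'DENY '} {s} -> {d}:{p}  ({why})")
```

Notice that SMB from the user segment to the file server stays open, because staff need the share. Segmentation removes the other paths (RDP, SSH, guest network), but the remaining one is exactly why the layered answer later in this chapter pairs VLAN rules with least privilege on the shares and EDR watching for unusual SMB activity.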

Endpoint Security: From AV to EDR/XDR

Endpoint Targets

Endpoints are common initial targets. Endpoint security tools try to detect and respond to malicious activity on these devices.

Traditional AV

Antivirus scans files and processes against known malware signatures. It is strong against known threats but weaker for new or fileless attacks.

EDR and XDR

EDR monitors endpoint behavior and can isolate hosts or kill processes. XDR correlates data across endpoints, network, cloud, and email.

Posture Management

Endpoint management enforces disk encryption, screen locks, USB policies, OS versions, and required agents for a secure posture.

Email, Web, and Application Layer Defenses

Why Email and Web?

Many attacks start with phishing or malicious websites, and many target web apps. These layers need focused defenses.

Email Security Gateways

Email gateways filter spam and phishing, sandbox attachments, and rewrite URLs for time-of-click checks to reduce malicious mail reaching users.

Web Gateways and DNS Filtering

Secure web gateways filter HTTP/HTTPS traffic; DNS filtering blocks access to malicious domains at the DNS level.

Application-Layer Defenses

WAFs block common web attacks, while secure coding, reviews, and strong HTTPS configurations harden the application itself.
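The "secure coding" part of this layer is easiest to see side by side. The following added example (not course material) builds a small SQLite table and runs the same lookup two ways: once with user input pasted into the SQL text, and once with a parameterized query. The table rows and the probe input are constructed for the example.

```python
# Added example (not from the course): the "secure coding" half of the
# application-layer defense, shown with SQLite. The table and the inputs are
# constructed for the example.
import sqlite3


def make_db():
    """In-memory user table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn


def count_users_vulnerable(conn, username):
    # Defect on purpose: the input is pasted into the SQL text, so the
    # database cannot tell data apart from query structure.
    query = f"SELECT COUNT(*) FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchone()[0]


def count_users_parameterized(conn, username):
    # Fix: the query structure is fixed; the input travels as a bound value
    # and is only ever compared against the column, never parsed as SQL.
    query = "SELECT COUNT(*) FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"   # constructed input of the kind a WAF signature matches
    print("vulnerable:   ", count_users_vulnerable(db, probe))    # matches every row
    print("parameterized:", count_users_parameterized(db, probe))  # matches no row
```

A WAF in front of the server can drop input like this before it reaches the application; the parameterized query removes the bug class regardless of what gets through. Having both is the defense-in-depth point of this chapter, and it is why hand-escaping quotes is not the recommended fix.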

Putting It Together: Layered Defense for a High-Risk Web Server

Scenario: Internet-Facing Web Server

An e-commerce site is exposed to the internet. Attackers may scan ports, exploit web bugs, brute-force logins, or steal credentials via endpoints.

Host Hardening Layer

Patch the OS and web server, disable unneeded services, restrict admin access via VPN or jump host, and use a host firewall to limit allowed ports.

Network Layer

Place the server in a DMZ behind firewalls, use a reverse proxy or load balancer with WAF, and tightly control database connections.

Application and Monitoring

Apply secure coding, enforce HTTPS, and send logs to a SIEM to detect anomalies like repeated login failures or strange SQL errors.

Thought Exercise: Choosing Controls for Specific Threats

Use this exercise to practice mapping threats and vulnerabilities to concrete mitigation techniques.

Imagine you are the security analyst for a small organization with:

  • 50 Windows 11 laptops used by staff
  • A small on-prem file server
  • Cloud email and collaboration tools
  • A simple internal web app for HR, not exposed to the internet

For each scenario below, pause and mentally pick 2–3 key controls you would prioritize. Then compare with the suggested answers.

  1. Ransomware via phishing attachment
  • What host hardening, endpoint, and email controls would you emphasize?
  2. An attacker who gains access to one employee laptop and tries to reach the file server
  • What network segmentation and host controls slow or stop lateral movement?
  3. A developer accidentally leaves default credentials on the internal HR web app
  • What application and account controls reduce the risk of abuse?

Reflect on your answers, then reveal the sample solutions:

Sample answers (keep these in mind for exam-style questions):

  1. Ransomware via phishing: email security gateway with attachment sandboxing, EDR with ransomware behavior detection and rollback, least privilege on endpoints, regular backups and tested restores.
  2. Lateral movement: separate user and server VLANs with firewall rules, host firewalls on laptops and server, strong authentication and access control on the file server, EDR to detect unusual SMB or admin tool usage.
  3. Default credentials: secure configuration baselines forbidding default passwords, application authentication integrated with central identity (e.g., SSO), periodic credential audits, and code review processes that include security checks.

Quick Check: Hardening and Network Controls

Test your understanding of host hardening and network defenses.

A security analyst wants to reduce the risk that an attacker who compromises a single workstation can easily access file servers and other internal systems. Which combination of controls BEST addresses this goal?

  A) Deploy EDR on all endpoints and enable automatic OS patching.
  B) Implement user training and require strong passwords on all accounts.
  C) Place servers in a separate VLAN with firewall rules, enable host firewalls on workstations, and enforce least privilege on file shares.
  D) Use a cloud-based email security gateway and DNS filtering for all outbound requests.

Answer: C) Place servers in a separate VLAN with firewall rules, enable host firewalls on workstations, and enforce least privilege on file shares.

Separating servers into their own VLAN with firewall rules, enabling host firewalls, and enforcing least privilege on file shares directly limit lateral movement from a compromised workstation. EDR and patching are valuable but more focused on initial compromise and detection. Training and strong passwords help against credential theft but do not constrain network paths. Email gateway and DNS filtering mainly address phishing and malicious domains, not movement inside the LAN.

Quick Check: IDS/IPS, WAF, and Gateways

Test your understanding of different network and application-layer technologies.

A company’s public web application is repeatedly targeted with SQL injection attacks. Which control MOST directly mitigates this specific threat at the application layer?

  A) Network-based IDS monitoring traffic to and from the web server.
  B) Web Application Firewall (WAF) in front of the web server.
  C) Secure web gateway for outbound user web browsing.
  D) Host-based firewall on the web server allowing only ports 80 and 443.

Answer: B) Web Application Firewall (WAF) in front of the web server.

A WAF is specifically designed to inspect HTTP/HTTPS traffic and block common web application attacks such as SQL injection and cross-site scripting. A network IDS would alert but not block. A secure web gateway focuses on outbound user browsing, not protecting servers. A host firewall limiting ports is necessary but does not analyze HTTP payloads for SQL injection patterns.

Key Term Review: Mitigation Techniques

Flip through these cards to reinforce core terminology for Security+ mitigation questions.

Defense in depth
A layered security approach that uses multiple preventive, detective, and corrective controls so that if one control fails, others still protect the system.
Host hardening
The process of configuring an operating system and its applications to minimize attack surface and reduce exploitability, typically via patching, disabling services, and secure baselines.
Least privilege
An access control principle where users and processes are granted only the permissions they need to perform their tasks, and no more.
Stateful firewall
A firewall that tracks the state of active connections and makes filtering decisions based on the context of the traffic, allowing return traffic for established sessions.
IDS vs IPS
An Intrusion Detection System monitors and alerts on suspicious traffic (detective), while an Intrusion Prevention System sits inline and can block or modify traffic (preventive).
Web Application Firewall (WAF)
A security control that sits in front of web applications and inspects HTTP/HTTPS traffic to detect and block common web attacks such as SQL injection and cross-site scripting.
EDR
Endpoint Detection and Response: security tools that monitor endpoint behavior, detect malicious activity, and support investigation and automated response such as host isolation.
Zero trust
Zero trust is a security model that assumes no implicit trust and requires continuous verification of users and devices, limiting access to only what is needed.
Network segmentation
Dividing a network into smaller segments (e.g., VLANs, subnets) with controlled communication between them to limit the spread of attacks and improve security control.
Email security gateway
A system that filters inbound and outbound email to block spam, phishing, and malware, often using attachment sandboxing and URL protection.

Key Terms

EDR
Endpoint Detection and Response: security tools that monitor endpoint behavior, detect malicious activity, and support investigation and automated response such as host isolation.
IDS
Intrusion Detection System: a security tool that monitors network or host activity to detect signs of attacks and generates alerts without blocking traffic.
IPS
Intrusion Prevention System: a security tool that sits inline with network traffic and can block or modify traffic when it detects malicious activity.
XDR
Extended Detection and Response: security tools that correlate telemetry across endpoints, network, cloud, identity, and email to detect and respond to multi-stage attacks.
proxy
A server that acts as an intermediary for requests from clients seeking resources from other servers, used for filtering, caching, and anonymity.
zero trust
Zero trust is a security model that assumes no implicit trust and requires continuous verification of users and devices, limiting access to only what is needed.
host hardening
The process of configuring an operating system and its applications to minimize attack surface and reduce exploitability, typically via patching, disabling services, and secure baselines.
least privilege
An access control principle where users and processes are granted only the permissions they need to perform their tasks, and no more.
defense in depth
A layered security approach that uses multiple preventive, detective, and corrective controls so that if one control fails, others still protect the system.
stateful firewall
A firewall that tracks the state of active connections and makes filtering decisions based on the context of the traffic, allowing return traffic for established sessions.
secure web gateway
A security solution that filters and monitors outbound web traffic, enforcing web usage policies and blocking access to malicious or inappropriate sites.
network segmentation
Dividing a network into smaller segments (e.g., VLANs, subnets) with controlled communication between them to limit the spread of attacks and improve security control.
email security gateway
A system that filters inbound and outbound email to block spam, phishing, and malware, often using attachment sandboxing and URL protection.
web application firewall (WAF)
A security control that sits in front of web applications and inspects HTTP/HTTPS traffic to detect and block common web attacks such as SQL injection and cross-site scripting.
next-generation firewall (NGFW)
An advanced firewall that combines traditional packet filtering and stateful inspection with application awareness and additional features such as IDS/IPS and URL filtering.
