Ethical Hacking Lesson 35 – Attack Mitigation | Dataplexa

Ethical Hacking

I. Foundations & Hacking Mindset
1. What is Ethical Hacking 2. Hacker Types & Motivations 3. Legal & Ethical Considerations 4. Hacking Methodologies 5. Cyber Kill Chain 6. Footprinting & Reconnaissance 7. Passive vs Active Recon 8. Information Gathering Tools 9. Hacking Lab Setup 10. Kali Linux Overview
II. Reconnaissance & Scanning
11. DNS Enumeration 12. Whois & Network Enumeration 13. Google Dorking 14. Nmap Scanning 15. Port Scanning 16. Service Enumeration 17. Vulnerability Scanning 18. Nessus & OpenVAS 19. Banner Grabbing 20. Recon Best Practices
III. System & Network Attacks
21. Password Cracking 22. Brute Force Attacks 23. Credential Harvesting 24. Exploiting Misconfigurations 25. Linux System Attacks 26. Windows System Attacks 27. Privilege Escalation 28. Malware Concepts 29. Backdoors & Trojans 30. Network Sniffing 31. MITM Attacks 32. DoS Attacks 33. Wireless Attacks 34. Covering Tracks 35. Attack Mitigation
IV. Web Hacking & Real World
36. Web Architecture 37. OWASP Top 10 38. SQL Injection 39. Cross-Site Scripting (XSS) 40. Authentication Attacks 41. Session Hijacking 42. File Upload Vulnerabilities 43. API Security 44. Tools Summary 45. Mini Project – Ethical Hacking Lab
System & Network Attacks · Lesson 35

Attack Mitigation

Every attack in Section III has a defence. This lesson maps the techniques from the last fifteen lessons to the specific controls that stop or detect each one — and explains how defenders build programmes that reduce real-world attack surface rather than just accumulating tools.

From finding to fixing — the pen tester's role in mitigation

A pen test report that lists vulnerabilities without actionable remediation is an incomplete deliverable. The findings section tells the client what is broken. The remediation section tells them how to fix it. The quality of a pen test report is often measured not by the number of findings but by the specificity and practicality of the remediation guidance — because that is what determines whether the client actually fixes the issues or lets them sit on a backlog indefinitely.

Understanding mitigation also makes the pen tester better at finding vulnerabilities. Knowing exactly what configuration change stops a technique tells you what misconfiguration to look for. Knowing that SYN cookies defeat SYN floods means you check whether they are enabled. Knowing that HSTS defeats SSL stripping means you test whether it is deployed. The offensive and defensive knowledge are the same knowledge, viewed from opposite directions.

Section III attack-to-defence map

The table below maps every major attack category from Lessons 21 through 34 to the primary controls that stop or significantly limit it. This is the reference that turns a set of findings into a structured remediation conversation with a client.

ATTACK → DEFENCE MAP — Section III
Attack Primary mitigation Detection signal
Password cracking Strong hashing algorithms (bcrypt, Argon2). Long passphrases. MFA so cracked password alone is insufficient. Credential dump from /etc/shadow
Brute force / spray Account lockout after N failures. Rate limiting per IP. MFA. CAPTCHA on web forms. Geo-restriction for VPNs. Repeated auth failures from single IP. Event ID 4740.
Credential harvesting Secrets scanning in CI/CD pipelines. No credentials in shell history (use password managers or vaults). Config file access controls. Access to sensitive config files from unexpected accounts.
Misconfiguration exploitation Hardening baselines (CIS Benchmarks). Change default credentials on all services. Regular configuration drift scanning. Login with default credentials. Anonymous service access.
Linux privilege escalation Remove SUID from unnecessary binaries. Restrict sudo rules. Protect cron scripts (chmod 700). Regular SUID audit. Unexpected root process spawned from non-root parent.
Windows privilege escalation Quote all service paths. Restrict service permissions to SYSTEM and admins only. Disable AlwaysInstallElevated. Regular WinPEAS-equivalent audits. New service with unexpected binary path. Event ID 4697.
Malware / backdoors EDR with behavioural detection. Application whitelisting. Email sandboxing. Network egress filtering to block unexpected C2 connections. Beaconing, process tree anomalies, new persistence entries.
Network sniffing Replace all plaintext protocols (FTP→SFTP, Telnet→SSH, HTTP→HTTPS). Network segmentation. 802.1X port authentication. NIC in promiscuous mode. ARP cache anomalies.
MITM / ARP spoofing Dynamic ARP Inspection on managed switches. HTTPS + HSTS. Network segmentation to limit blast radius. Duplicate IP-MAC mappings in ARP table. DAI violations.
DoS attacks Upstream scrubbing / CDN for volumetric. SYN cookies for protocol attacks. mod_reqtimeout / nginx for Slowloris. WAF rate limiting. Traffic spike, connection table exhaustion, slow HTTP requests.
Wireless attacks WPA3 or WPA2-Enterprise. Disable WPS. Guest VLAN isolation. Wireless IDS for rogue AP detection. Strong unique passphrase rotation. Unknown BSSID for known SSID. Deauth frame flood.
Log tampering Real-time log forwarding to external SIEM the attacker cannot access. Immutable log storage. Alert on Event ID 1102 and log gaps. Event ID 1102. Log gap in forwarded events.

Hardening frameworks — how organisations structure defence

Individual controls address individual vulnerabilities. A hardening framework provides the structure for building a comprehensive, prioritised defence programme — ensuring controls are applied consistently across every system rather than ad hoc on whichever systems someone happened to configure carefully.

Three frameworks appear most consistently in enterprise security programmes. Each has a different purpose and a different level of prescriptiveness.

CIS Benchmarks

Technical hardening guides

The Center for Internet Security publishes detailed hardening guides for every major operating system, cloud platform, application server, and network device. Each benchmark contains hundreds of specific configuration checks — disable SMBv1, set minimum password length to 14, enable audit policy for privilege use — with the rationale for each and instructions for both applying and verifying the setting.

CIS Benchmarks are free and are the most widely adopted technical hardening reference in the industry. When a pen tester recommends that a client "apply the CIS Benchmark for Windows Server 2022," that is a complete, actionable instruction — not a vague suggestion. Tools like CIS-CAT Pro and open-source alternatives can automatically assess a system against its benchmark and produce a scored compliance report.

Available free at: cisecurity.org/cis-benchmarks

NIST Cybersecurity Framework (CSF)

Programme structure

The NIST CSF organises security capabilities into five core functions: Identify, Protect, Detect, Respond, and Recover. It does not prescribe specific technical controls — it provides a language and structure for assessing and communicating security programme maturity. An organisation using the NIST CSF can evaluate where they are strong (Protect) and where they have gaps (Detect, Respond) and prioritise investment accordingly.

For pen testers, the NIST CSF is useful as a reporting structure. A finding that involves failing to detect an ARP spoofing attack maps to the Detect function. A finding that involves no incident response capability maps to the Respond function. Framing findings within the CSF framework makes the report more accessible to executive audiences who think in terms of programme maturity rather than individual CVEs.

NIST CSF 2.0 released in 2024 — adds Govern as a sixth function covering risk management and supply chain security.

MITRE ATT&CK — the attacker's perspective

Threat-informed defence

MITRE ATT&CK maps every known attacker technique to the tactics they serve — initial access, execution, persistence, privilege escalation, defence evasion, credential access, discovery, lateral movement, collection, exfiltration, command and control, and impact. Each technique has documented detection guidance, mitigations, and real-world examples from known threat actor groups.

The ATT&CK Navigator tool lets security teams visually map which techniques their current detection coverage addresses and which ones have gaps. A pen test report that maps each finding to an ATT&CK technique ID gives the client's blue team a direct reference for building the detection rules that would catch an attacker using the same technique. T1548 — Abuse Elevation Control Mechanism — covers SUID and sudo abuse. T1071 — Application Layer Protocol — covers C2 communication. The specificity is what makes ATT&CK-mapped reporting genuinely useful rather than decorative.

Free at: attack.mitre.org — updated continuously from real incident data.

The defence-in-depth model

No single control stops all attacks. The principle of defence-in-depth acknowledges this and structures controls so that an attacker who bypasses one layer encounters another. The model is sometimes described as a castle — moat, walls, gates, guards, inner keep — each layer providing a barrier that must be overcome independently.

In a corporate network, defence-in-depth looks like this: perimeter firewall blocks most inbound attacks. Email filtering stops most phishing. Endpoint antivirus catches most commodity malware. EDR catches behavioural anomalies. Network segmentation limits lateral movement. Privileged access controls limit escalation. SIEM correlation detects multi-stage attacks. Incident response capability limits dwell time when detection occurs. Backup and recovery capability limits ransomware impact.

DEFENCE-IN-DEPTH — layers and what each stops
Perimeter — firewall, IPS
Blocks known-bad traffic, restricts inbound attack surface, prevents direct access to internal services from the internet. Does not stop threats that arrive through email, web browsing, or supply chain.
Network — segmentation, DAI
VLANs contain lateral movement. Dynamic ARP Inspection stops ARP spoofing. 802.1X prevents unauthorised devices. Does not stop attacks that originate from legitimate devices on the same segment.
Host — hardening, patching
CIS Benchmark hardening removes unnecessary attack surface. Patching closes known vulnerabilities. Local firewalls reduce exposure per host. Does not stop exploitation of zero-days or misconfigured applications.
Endpoint — AV, EDR
Antivirus stops commodity threats. EDR detects behavioural anomalies including fileless attacks, process injection, and unusual persistence. Does not stop all living-off-the-land techniques or well-crafted evasion.
Identity — MFA, PAM
Multi-factor authentication stops credential attacks even when passwords are compromised. Privileged Access Management controls who can access what with elevated permissions. Does not stop attacks that compromise the MFA device itself.
Detection — SIEM, SOC
Correlates events across all layers to identify multi-stage attacks that no single layer sees. Reduces dwell time. The assumption here is that prevention has failed and the goal shifts to minimising damage through rapid detection and response.

The important observation in this model is that no layer has a "Does not stop" caveat that is empty. Every layer fails against something. Defence-in-depth works not because any layer is perfect but because the combination of layers forces an attacker to bypass each one sequentially — and each bypass attempt creates detection opportunities. A sophisticated attacker may pass the perimeter. They may evade EDR. But their lateral movement generates network logs. Their privilege escalation generates Event ID 4672. Their persistence generates new autorun entries. At some point, one of the layers catches them — if the detection layer is actually monitoring for what each layer misses.

Translating pen test findings into a remediation roadmap

A pen test delivers findings at a point in time. The client needs to turn those findings into a programme of work — prioritised, resourced, and scheduled. The pen tester's job does not end at findings delivery. The most valuable engagement deliverables include a clear remediation roadmap that tells the client what to fix first, what to fix second, and what they can accept as residual risk.

Remediation priority is typically driven by three factors: severity (how bad is the worst-case impact), exploitability (how easy is it for an attacker to reach and use this finding), and exposure (is this internet-facing or only reachable from inside). A critical finding on an internet-facing service gets fixed immediately. A critical finding reachable only from a highly restricted internal network segment can be scheduled for the next maintenance cycle.

Immediate — fix within 72 hours

Critical findings with active exploitation paths: default credentials on internet-facing services, unauthenticated remote code execution, exposed admin panels accessible from the internet, plaintext credential transmission on production systems. These represent open doors. Each hour they remain open is an hour a real attacker could walk through.

Short-term — fix within 30 days

High-severity findings requiring internal access to exploit: privilege escalation paths, credential reuse across systems, weak WPA2 passwords, missing MFA on internal systems, world-writable system scripts. Real but requires the attacker to already have a foothold. Prioritise based on how likely the internal position is achievable given the perimeter findings.

Medium-term — fix within 90 days

Medium and low-severity findings: missing security headers, verbose error messages, outdated software versions without known active exploits, log configuration gaps, missing network segmentation between less-sensitive VLANs. Important hardening work that reduces risk without addressing an active exploitation path.

Programme improvements — ongoing

Structural improvements that require sustained investment: deploying a SIEM and actively monitoring it, implementing EDR across the estate, building a security awareness training programme, establishing a vulnerability management process, defining and testing an incident response plan. These do not fix individual findings — they build the programme that prevents the next set of findings from being worse.

The re-test — confirming remediation worked

Most engagements include a re-test component — a follow-up assessment after the client has had time to remediate, confirming that the fixes actually work. Re-tests are not just good business practice. They are genuinely valuable: organisations frequently apply incomplete fixes, fix the symptom rather than the cause, or remediate in one environment while leaving the same issue in another.

A finding marked as "remediated" in a re-test carries real weight — it tells the client their fix was independently verified rather than self-assessed. A finding that recurs in a re-test or appears in a slightly different form suggests the root cause was not addressed. The re-test finding is often more useful to the client than the original finding because it reveals something about the organisation's remediation process that the initial report could not.

Teacher's Note: The single most common gap between "finding reported" and "finding fixed" is that the remediation was applied to the tested system but not to every other system with the same configuration. A world-writable cron script found on one server almost always exists on others built from the same template. Always ask the client whether a finding could be systemic — and suggest they check their full estate rather than only the specific host where the finding was demonstrated.

Quiz

Scenario:

A pen tester's report contains fifteen findings across a Windows Server environment — SUID-equivalent issues, unquoted service paths, weak audit policy, disabled SMB signing, unnecessary services running. The client's IT team asks for a single reference document that tells them the specific configuration settings to apply to systematically harden their Windows Server estate rather than addressing each finding individually. Which framework or resource should the pen tester point them to?

Scenario:

A CISO reviews a pen test report showing that an attacker bypassed the perimeter firewall via phishing, evaded EDR using a living-off-the-land technique, and escalated privileges before being detected by the SIEM. The CISO argues that since the firewall and EDR both failed, the defence-in-depth model does not work and they should invest everything into a single best-of-breed solution instead. What is the correct response?

Scenario:

A pen tester found a world-writable cron script on one Linux server — a critical privilege escalation finding. The client's IT team fixed it on that specific server and marked the finding as remediated before the re-test. During the re-test the pen tester finds the same world-writable script on three other Linux servers in the environment that were not in the original scope. What question should the pen tester always ask when a configuration finding is discovered on any single host?

Up Next · Lesson 36

Web Architecture

Section IV begins — HTTP request anatomy, how web applications are structured, and why the browser-server model creates the vulnerabilities that the next ten lessons explore.

← Previous Course Index Next →