OBJECTIVE 2.5

Explain the purpose of mitigation techniques used to secure the enterprise

Mitigation reduces the likelihood or impact of a threat exploiting a vulnerability. This objective covers the defensive techniques you deploy across the enterprise — the countermeasures that map directly to the threat vectors and vulnerability types from 2.2 and 2.3.

Network Segmentation

Dividing a network into isolated segments to contain breaches and limit lateral movement.

  • VLANs: Logical separation at Layer 2. Different departments, sensitivity levels, or device types on different VLANs.
  • Subnets: Layer 3 separation with routing controls between segments
  • DMZ (Demilitarized Zone), also called a screened subnet: Isolated network segment for public-facing services (web servers, email gateways). Sits between the external firewall and the internal network, so a compromised public server has no direct path to internal systems.
  • Air gap: Physical isolation — no network connection at all. Used for critical infrastructure (ICS/SCADA, classified systems).
  • Microsegmentation: Granular, software-defined segmentation down to individual workloads. Zero-trust applied to east-west traffic.

Purpose: Even if an attacker compromises one segment, they can’t freely move to others. Limits blast radius.
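A worked illustration of the blast-radius idea, added here as an example and not part of the original notes: a small model of a segmented network with a default-deny policy between segments. The segment addresses, rule set and host addresses are constructed for the example, and the `microsegmented` flag models the difference between VLAN-level filtering (only boundary-crossing traffic is checked) and per-workload rules.

```python
# Added example, not from the original notes: a small model of a segmented
# network with a default-deny policy between segments. Segment addresses,
# rule set and host addresses are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed segments: public-facing DMZ, application tier, database tier, user LAN.
SEGMENTS = {
    "dmz":   ipaddress.ip_network("10.0.1.0/24"),
    "app":   ipaddress.ip_network("10.0.2.0/24"),
    "db":    ipaddress.ip_network("10.0.3.0/24"),
    "users": ipaddress.ip_network("10.0.10.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src: str   # source segment name
    dst: str   # destination segment name
    port: int  # destination TCP port


# Explicit allow rules between segments. Anything not listed is denied.
RULES = [
    Rule("users", "dmz", 443),   # staff reach the web front end
    Rule("dmz", "app", 8443),    # web tier calls the application API
    Rule("app", "db", 5432),     # application tier reaches PostgreSQL
]


def segment_of(ip: str) -> Optional[str]:
    """Name of the segment containing ip, or None if it is outside all of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip: str, dst_ip: str, port: int, microsegmented: bool = False) -> bool:
    """Decide whether a flow is permitted.

    With VLAN/subnet segmentation only traffic crossing a segment boundary is
    filtered; hosts inside one segment talk freely. With microsegmentation every
    flow, intra-segment included, must match an explicit rule.
    """
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False                      # unknown address space: default deny
    if src == dst and not microsegmented:
        return True                       # same VLAN, no boundary crossed
    return any(r.src == src and r.dst == dst and r.port == port for r in RULES)


def blast_radius(src_ip: str) -> List[Tuple[str, int]]:
    """What an attacker who owns src_ip can reach across segment boundaries."""
    src = segment_of(src_ip)
    return sorted((r.dst, r.port) for r in RULES if r.src == src)


if __name__ == "__main__":
    # A compromised DMZ web server reaches only the app API, never the database directly.
    print(is_allowed("10.0.1.10", "10.0.2.20", 8443))   # True
    print(is_allowed("10.0.1.10", "10.0.3.30", 5432))   # False
    print(blast_radius("10.0.1.10"))                    # [('app', 8443)]
```

Running `blast_radius` for each tier is a quick way to review a rule set: if the DMZ host's list contains a database port, the segmentation is not doing its job.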

Access Control

Principle of Least Privilege

Users and systems receive only the minimum permissions needed to perform their function. Nothing more.

  • Applies to user accounts, service accounts, API keys, application permissions
  • Regular access reviews to revoke accumulated permissions (“permission creep”)

Separation of Duties

No single person should have end-to-end control over a critical process.

  • Example: The person who approves financial transactions shouldn’t also process them
  • Prevents fraud and limits insider threat impact

Role-Based Access Control (RBAC)

Permissions are assigned to roles and users are assigned to roles, never permissions directly to users. Changing a role's permissions affects every member at once, which keeps access consistent and easy to audit.

Conditional Access

Access decisions based on context: device health, location, time, risk score.

  • “You can access email from a managed device on the corporate network without MFA re-prompt, but from an unmanaged device in a foreign country you get blocked.”
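The RBAC and conditional-access sections above, combined in one decision function as an added example (not from the original notes). The roles, users, the home country and the risk thresholds are constructed assumptions; the ordering is the point: authorization is checked before context, hard blocks before step-up, and sensitive permissions always re-prompt for MFA whatever the device posture.

```python
# Added example, not from the original notes: RBAC permission lookup combined
# with a conditional-access decision. Roles, users, the home country and the
# risk thresholds are constructed assumptions.
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Set

# RBAC: permissions hang off roles, users are members of roles.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "helpdesk": {"ticket:read", "ticket:write", "user:reset_password"},
    "finance":  {"invoice:read", "invoice:approve"},
    "dba":      {"db:read", "db:admin"},
}
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"finance"},
    "bob":   {"helpdesk"},
    "carol": {"dba", "helpdesk"},
}
# Permissions that always require a fresh MFA, whatever the device posture.
SENSITIVE = {"invoice:approve", "db:admin", "user:reset_password"}
HOME_COUNTRY = "US"   # assumption for the example


class Decision(Enum):
    ALLOW = "allow"        # grant without re-prompting for MFA
    MFA = "require_mfa"    # grant only after step-up authentication
    BLOCK = "block"


@dataclass(frozen=True)
class Context:
    user: str
    permission: str
    managed_device: bool   # enrolled in MDM and reporting compliant
    corp_network: bool     # on-prem or VPN source address
    country: str           # geolocation of the request
    risk_score: int        # 0-100, as produced by the identity provider


def permissions_for(user: str) -> Set[str]:
    """Union of the permissions of every role the user holds."""
    perms: Set[str] = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def decide(ctx: Context) -> Decision:
    # 1. Authorization first: if no role grants the permission, context is irrelevant.
    if ctx.permission not in permissions_for(ctx.user):
        return Decision.BLOCK
    # 2. Hard blocks: high risk, or an unmanaged device outside the home country.
    if ctx.risk_score >= 80:
        return Decision.BLOCK
    if not ctx.managed_device and ctx.country != HOME_COUNTRY:
        return Decision.BLOCK
    # 3. Step-up: sensitive permissions always re-prompt for MFA.
    if ctx.permission in SENSITIVE:
        return Decision.MFA
    # 4. Trusted posture: managed device, corporate network, low risk -> no re-prompt.
    if ctx.managed_device and ctx.corp_network and ctx.risk_score < 30:
        return Decision.ALLOW
    # 5. Everything else (off-network, unmanaged at home, moderate risk) steps up.
    return Decision.MFA
```

Note that the RBAC check runs first: a helpdesk user asking for `invoice:read` is blocked even from a fully trusted device, because conditional access decides how strongly to authenticate, not what the user is entitled to.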

Patching

Applying vendor-provided fixes for known vulnerabilities.

  • Regular patching cycle: Monthly or quarterly scheduled updates (Microsoft's Patch Tuesday is the second Tuesday of each month)
  • Emergency patching: Out-of-cycle for actively exploited critical vulnerabilities
  • Testing: Always test patches in staging before production deployment
  • Prioritization: Not all patches are equal. Focus on internet-facing systems, critical CVEs, and actively exploited vulnerabilities first.

The uncomfortable truth: Most breaches exploit known vulnerabilities for which a patch was already available but not applied. Organizations that patch promptly remove a large share of the vulnerabilities an attacker can actually use.

Encryption

Rendering data unreadable without the proper key. Applied at every data state:

  • At rest: Full-disk encryption (BitLocker, LUKS), database encryption, file-level encryption
  • In transit: TLS 1.3 (or at minimum 1.2) for web traffic, IPsec or WireGuard for VPN, SSH for remote administration
  • In use: More difficult — hardware-based solutions (Intel SGX, AMD SEV) for confidential computing

Application Security

Input Validation

Verify all user input conforms to expected format before processing.

  • Allow list (accept only known-good input) preferred over deny list (block known-bad input); older material calls these whitelist and blacklist
  • Server-side validation is mandatory — client-side validation is easily bypassed

Parameterized Queries

Prevent SQL injection by separating code from data in database queries.

  • Prepared statements; stored procedures help only if they don't build dynamic SQL from their arguments internally
  • Never concatenate user input into SQL strings
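The input validation and parameterized query points above, shown side by side as an added example (not code from the original notes): the same lookup written with string concatenation (deliberately vulnerable) and with a bound parameter, with allow-list validation in front of it. The table contents, the username format rule and the payload are constructed for the example; it uses Python's built-in `sqlite3` so it runs offline.

```python
# Added example, not from the original notes: the same lookup written with
# string concatenation (deliberately vulnerable) and with a parameterized query,
# plus allow-list input validation in front of it. Table contents and the
# username format are constructed for the example.
import re
import sqlite3
from typing import List, Tuple

Row = Tuple[str, str]


def setup_db() -> sqlite3.Connection:
    """In-memory table with three constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "finance"), ("bob", "helpdesk"), ("admin", "admin")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Row]:
    # DELIBERATELY VULNERABLE: the value becomes part of the SQL text, so quotes
    # in the input change the statement's meaning.
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[Row]:
    # Parameterized: the statement is fixed, the value travels separately and is
    # never parsed as SQL, whatever characters it contains.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Allow-list validation: a username is lowercase letters, digits and underscore,
# 3-32 characters, starting with a letter (constructed rule for this example).
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def validate_username(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None


def lookup_validated(conn: sqlite3.Connection, username: str) -> List[Row]:
    """Defense in depth: reject anything outside the allow list, then query safely."""
    if not validate_username(username):
        raise ValueError(f"rejected username: {username!r}")
    return lookup_safe(conn, username)


if __name__ == "__main__":
    conn = setup_db()
    payload = "' OR '1'='1"
    print(lookup_vulnerable(conn, payload))   # every row: the WHERE clause is always true
    print(lookup_safe(conn, payload))         # []: no user is literally named that
```

The parameterized version is the control that actually stops injection; the validation layer is cheap extra defense and also catches malformed input the query would happily accept (an empty string, a 10 KB name). Neither replaces the other.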

Code Analysis

  • SAST (Static Application Security Testing): Analyze source code for vulnerabilities without executing it
  • DAST (Dynamic Application Security Testing): Test running applications by sending malicious inputs
  • SCA (Software Composition Analysis): Identify vulnerable third-party libraries and dependencies

Sandboxing

Running untrusted code in an isolated environment.

  • Browser sandboxes, application containers, detonation chambers for malware analysis
  • Limits the impact if the code is malicious

Secure Coding Practices

  • OWASP Top 10 as a baseline
  • Avoid hardcoded credentials, use secrets management
  • Implement proper error handling (don’t leak stack traces to users)

Monitoring and Detection

SIEM (Security Information and Event Management)

Aggregates logs from across the enterprise, correlates events, generates alerts.

  • Centralizes visibility — the single pane of glass for security operations
  • Alert fatigue is the main challenge: too many false positives bury real incidents

IDS/IPS

  • IDS (Intrusion Detection System): Passive — detects and alerts on suspicious activity
  • IPS (Intrusion Prevention System): Active — detects and blocks suspicious activity inline
  • Signature-based: Matches known attack patterns. Fast but blind to novel attacks.
  • Anomaly-based: Establishes baseline of normal behavior, alerts on deviations. Catches novel attacks but generates more false positives.
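The SIEM correlation and signature-versus-anomaly points above, as an added example that is not from the original notes: two detection rules run over constructed authentication events. The first is a correlation rule (a burst of failures from one source followed by a success from the same source), the second an anomaly rule (a successful logon from a source never seen for that user). The log format, the baseline and the thresholds are assumptions made for the example.

```python
# Added example, not from the original notes: two detection rules run over
# constructed authentication events, the kind of logic a SIEM correlation rule
# or an anomaly-based sensor applies. The log format, baseline and thresholds
# are assumptions made for the example.
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List

# Constructed auth events, not real logs: timestamp, result, user, source address.
LOG_LINES = """\
2024-03-01T09:00:01 FAILED user=alice src=203.0.113.7
2024-03-01T09:00:05 FAILED user=alice src=203.0.113.7
2024-03-01T09:00:09 FAILED user=alice src=203.0.113.7
2024-03-01T09:00:14 FAILED user=alice src=203.0.113.7
2024-03-01T09:00:20 FAILED user=alice src=203.0.113.7
2024-03-01T09:00:27 ACCEPTED user=alice src=203.0.113.7
2024-03-01T09:15:00 ACCEPTED user=bob src=10.0.10.23
2024-03-01T09:16:00 FAILED user=bob src=10.0.10.23
2024-03-01T09:16:30 ACCEPTED user=bob src=10.0.10.23
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAILED|ACCEPTED) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed baseline: source addresses each user has logged in from before.
BASELINE: Dict[str, set] = {"alice": {"10.0.10.5"}, "bob": {"10.0.10.23"}}


def parse(lines: List[str]) -> List[dict]:
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                       # unparseable lines are skipped, not fatal
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def detect_bruteforce(events: List[dict], threshold: int = 5, window_s: int = 60) -> List[dict]:
    """Correlation rule: at least `threshold` failures from one source inside
    `window_s` seconds, followed by a success from the same source. A burst of
    failures alone is noise; failures followed by success is worth an analyst."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts = []
    for e in events:
        q = failures[e["src"]]
        while q and (e["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()                    # drop failures outside the sliding window
        if e["result"] == "FAILED":
            q.append(e["ts"])
        elif len(q) >= threshold:
            alerts.append({"rule": "bruteforce-then-success", "user": e["user"],
                           "src": e["src"], "ts": e["ts"], "failures": len(q)})
            q.clear()
    return alerts


def detect_new_source(events: List[dict], baseline: Dict[str, set]) -> List[dict]:
    """Anomaly rule: a successful logon from a source never seen for that user.
    Catches things no signature describes, at the price of firing on every
    legitimate new laptop or hotel network."""
    return [
        {"rule": "new-source-for-user", "user": e["user"], "src": e["src"], "ts": e["ts"]}
        for e in events
        if e["result"] == "ACCEPTED" and e["src"] not in baseline.get(e["user"], set())
    ]


def run(lines: List[str]) -> List[dict]:
    events = parse(lines)
    return detect_bruteforce(events) + detect_new_source(events, BASELINE)
```

On the sample data both rules fire on the same event (alice's success from 203.0.113.7), which is exactly the overlap a SIEM exploits to rank alerts: one rule firing is a lead, two independent rules on one event is an incident. Raising `threshold` or shrinking `window_s` trades missed detections for fewer false positives, which is the alert-fatigue tuning knob in miniature.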

EDR/XDR

  • EDR (Endpoint Detection and Response): Monitors endpoints for suspicious behavior, provides investigation and response capabilities
  • XDR (Extended Detection and Response): Extends EDR across network, cloud, email, and identity — correlated detection across multiple data sources

Hardening

Secure Baselines

Documented, known-good configurations that all systems should match.

  • CIS Benchmarks, DISA STIGs, vendor security guides
  • Automated enforcement via GPO, Ansible, Chef, Puppet

Disabling Unnecessary Services

Every running service is a potential entry point. If it’s not needed, it shouldn’t be running.

  • Default installations often include services you don’t need
  • Reduce the attack surface by removing or disabling them

Account Management

  • Disable default accounts or change their credentials
  • Enforce account lockout policies (but watch for lockout-based DoS)
  • Implement password policies (length matters more than complexity rules)
  • Service accounts with non-interactive login, minimum privileges
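The secure-baseline and account-management items above, checked by code, as an added example that is not from the original notes. It compares a constructed `sshd_config` against a small baseline fragment and flags service accounts in a constructed `passwd` listing that still have an interactive shell. The baseline values and both files are assumptions for the example; the parsing follows OpenSSH's documented rule that the first occurrence of a keyword wins and that lines starting with `#` are comments (`Match` blocks are not modeled).

```python
# Added example, not from the original notes: checking a host against a
# secure-baseline fragment. The sshd_config text, the passwd entries and the
# baseline values are constructed; keyword semantics (first value wins, lines
# starting with '#' are comments) follow OpenSSH's sshd_config format.
# Match blocks are not modeled.
from typing import Dict, List, Tuple

# Baseline items of the kind found in a CIS-style benchmark (constructed subset).
SSHD_BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding no
MaxAuthTries 6
MaxAuthTries 3
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup-svc:x:998:998:Backup service:/var/lib/backup:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Keyword -> value with lowercased keywords. sshd uses the first value it
    sees for a keyword and ignores later ones, so the parser keeps the first too."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # a commented-out setting is no setting
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        cfg.setdefault(parts[0].lower(), parts[1].strip())
    return cfg


def check_sshd(text: str, baseline: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(keyword, actual, expected) for every baseline item the config fails.
    An absent keyword is a finding too: the daemon's compiled-in default applies,
    and for PasswordAuthentication that default is 'yes'."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, expected in baseline.items():
        actual = cfg.get(key.lower())
        if actual is None:
            findings.append((key, "<unset>", expected))
        elif actual.lower() != expected.lower():
            findings.append((key, actual, expected))
    return findings


def interactive_service_accounts(passwd_text: str, human_uid_min: int = 1000) -> List[str]:
    """Service accounts (UID below the human range, root excluded) that still
    have an interactive shell; the baseline wants them on nologin."""
    flagged = []
    for line in passwd_text.splitlines():
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        if 0 < int(uid) < human_uid_min and shell not in NOLOGIN_SHELLS:
            flagged.append(name)
    return flagged
```

Two gotchas the sample is built to show: the commented-out `#PasswordAuthentication no` line does nothing, so the permissive default applies; and the `MaxAuthTries 3` line appended at the end is ignored because `MaxAuthTries 6` appears first. A hardening script that appends lines rather than editing them in place will pass a naive grep and fail this check.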

Allow Lists and Deny Lists

Application Allow Listing

Only explicitly approved applications can execute. Everything else is blocked.

  • Strongest application control but highest management overhead
  • Exam tip: Allow listing is more secure than deny listing because it blocks unknown threats

Application Deny Listing

Specific known-bad applications are blocked. Everything else is allowed.

  • Easier to manage but provides weaker protection — only blocks what you know about
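The allow-list versus deny-list asymmetry, demonstrated as an added example that is not from the original notes: hash-based application control applied to three constructed byte strings standing in for executables. The repacking step shows why a hash deny list is weak (one appended byte evades it) and, on the other side, where the allow list's management overhead comes from (every legitimate update of an approved binary needs a new entry). Real products such as AppLocker and WDAC also match on publisher signature and path, not only hash.

```python
# Added example, not from the original notes: hash-based application control
# showing why an allow list and a deny list answer the unknown-binary case
# differently. The "binaries" are constructed byte strings standing in for
# executables.
import hashlib
from typing import Set


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executables.
APPROVED_AGENT = b"MZ\x90\x00 approved backup agent 2.3"
KNOWN_DROPPER = b"MZ\x90\x00 known malicious dropper"
UNKNOWN_TOOL = b"MZ\x90\x00 tool nobody has seen before"

ALLOW_LIST: Set[str] = {sha256(APPROVED_AGENT)}
DENY_LIST: Set[str] = {sha256(KNOWN_DROPPER)}


def allow_list_permits(binary: bytes) -> bool:
    """Default deny: only hashes on the list may execute."""
    return sha256(binary) in ALLOW_LIST


def deny_list_permits(binary: bytes) -> bool:
    """Default allow: only hashes on the list are blocked."""
    return sha256(binary) not in DENY_LIST


def repack(binary: bytes) -> bytes:
    """Simulate an attacker re-packing or padding a binary: one appended byte
    changes the hash without changing what the code does. The same thing
    happens, innocently, when a vendor ships an update of an approved tool."""
    return binary + b"\x00"


def compare(binary: bytes) -> dict:
    """Both decisions for one binary, side by side."""
    return {"allow_list": allow_list_permits(binary), "deny_list": deny_list_permits(binary)}


if __name__ == "__main__":
    print(compare(UNKNOWN_TOOL))                 # allow list blocks it, deny list lets it run
    print(deny_list_permits(repack(KNOWN_DROPPER)))   # True: trivially evaded
    print(allow_list_permits(repack(APPROVED_AGENT)))  # False: update needs a new entry
```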

Decommissioning

Properly retiring systems, applications, and data when no longer needed.

  • Remove from network, revoke access, wipe data (crypto-shred or physical destruction)
  • Remove DNS records, firewall rules, and monitoring references
  • Forgotten systems (VM sprawl, shadow IT) are prime attack targets because nobody’s patching them

Offensive Context

Every mitigation technique has an offensive counterpart. Segmentation forces attackers to find pivot points — so they target dual-homed systems. Patching eliminates known exploits — so attackers race to exploit before the patch is applied (n-day attacks). Allow listing blocks unknown executables — so attackers live off the land using already-approved tools (PowerShell, WMI, certutil). Understanding the attacker’s response to each mitigation is what makes your defensive architecture resilient rather than brittle.