OBJECTIVE 4.6 Given a scenario (PBQ-likely)
Modify enterprise capabilities to enhance security
Firewalls (rules, ACLs, ports, protocols), IDS/IPS (trends, signatures), web filtering, OS security (GPO, SELinux, patching), secure protocols, DNS filtering, email security (DMARC, DKIM, SPF), file integrity monitoring, DLP, NAC, and EDR/XDR.
Exam approach: “Given a scenario” — expect to configure or tune enterprise security controls. Writing firewall rules, tuning IDS signatures to reduce false positives, configuring email authentication stack (SPF + DKIM + DMARC), and setting up DLP policies.
Offensive context: IDS signature tuning hits different when you understand JA3/JA4 TLS fingerprinting as a detection technique — and when you know how attackers reformulate payloads (re-encoding, chunking, case alternation) to bypass signatures. Writing resilient detection rules requires thinking like the attacker trying to break them. DLP makes more sense when you understand how data actually gets exfiltrated.
Firewalls
Rule Structure
Every firewall rule has the same core components:
- Source: Where the traffic originates (IP, subnet, zone, “any”)
- Destination: Where it’s going
- Port/Protocol: What service (TCP/443, UDP/53, ICMP, etc.)
- Action: Allow or Deny
- Direction: Inbound, outbound, or both
Rule Processing
Rules are evaluated top-to-bottom, first match wins. This makes ordering critical:
- Explicit deny rules for known threats (block known-bad IPs, block specific attack patterns)
- Explicit allow rules for authorized traffic (allow web traffic on 443, allow DNS on 53)
- Implicit deny at the bottom — anything not explicitly allowed is dropped
Common mistake: Placing a broad allow rule above a specific deny rule. The allow matches first and the deny never triggers.
Firewall Types
| Type | Layer | What It Sees |
|---|---|---|
| Packet filter | L3/L4 | Source/dest IP, port, protocol. Fast but no context. |
| Stateful | L3/L4 | Same as packet filter + connection state. Knows if a packet belongs to an established connection. |
| NGFW (Next-Gen) | L3–L7 | Full application awareness. Can filter by application (block BitTorrent regardless of port), inspect SSL/TLS, integrate threat intelligence. |
| WAF | L7 | HTTP/HTTPS only. Inspects request content — blocks SQL injection, XSS, directory traversal at the application layer. |
ACLs (Access Control Lists)
ACLs on routers and switches function like simple firewalls:
- Standard ACL: Filters by source IP only. Placed close to destination.
- Extended ACL: Filters by source, destination, port, protocol. Placed close to source.
- Applied to interfaces as inbound or outbound.
IDS/IPS
IDS (Intrusion Detection System)
Monitors traffic and alerts on suspicious activity. Does not block — passive monitoring.
- Deployed as a sensor on a SPAN/mirror port or network tap.
- Generates alerts for analyst review.
IPS (Intrusion Prevention System)
Monitors AND blocks. Sits inline with traffic — every packet passes through it.
- Can drop malicious packets in real time.
- Risk: false positives block legitimate traffic. Tuning is critical.
Detection Methods
Signature-Based:
- Pattern matching against known attack signatures (like antivirus for network traffic).
- Fast, low false positive rate for known attacks.
- Cannot detect novel/zero-day attacks. Signatures must be updated.
- Example: Snort/Suricata rules matching specific byte patterns in packets.
Anomaly-Based (Behavioral):
- Establishes a baseline of “normal” traffic, alerts on deviations.
- Can detect unknown attacks.
- Higher false positive rate — legitimate behavior changes trigger alerts.
- Requires training period to establish baseline.
Trend Analysis:
- Looks at patterns over time rather than individual events.
- Gradual increase in outbound data transfer might indicate slow data exfiltration.
- Seasonal patterns — traffic that’s normal during business hours is suspicious at 3 AM.
Tuning
The difference between a useful IDS and a noise machine is tuning:
- Suppress alerts for known-benign activity (vulnerability scanners, monitoring systems)
- Threshold tuning — one failed SSH login isn’t an alert, ten in a minute is
- Custom signatures for your environment — specific application patterns, internal protocols
- Regular review and pruning of rule sets
Web Filtering
- URL filtering: block/allow based on URL categories (gambling, malware, social media)
- Content filtering: inspect page content for prohibited material or malware
- SSL/TLS inspection: decrypt HTTPS to inspect content (requires deploying a trusted CA cert to endpoints — privacy implications)
- Agent-based (runs on endpoint) or proxy-based (traffic routes through proxy)
- DNS-based filtering: block at the DNS resolution level — fast, lightweight, but easy to bypass if user changes DNS settings
Operating System Security
Group Policy Objects (GPO) — Windows
- Centralized configuration management for domain-joined Windows systems
- Enforce password policies, software restrictions, firewall settings, audit policies, desktop lockdown
- Applied at site, domain, or OU level. Inheritance and precedence rules matter.
SELinux — Linux
- Mandatory Access Control enforcement on Linux
- Processes and files get security labels (contexts). Access requires matching labels, regardless of standard file permissions.
- Modes: Enforcing (blocks violations), Permissive (logs violations but allows), Disabled
- Common mistake: disabling SELinux because it breaks something. The correct response is to create a policy exception, not turn it off.
Patch Management
- Regular cadence for applying security updates. Don’t wait for a breach.
- Test patches before production deployment (especially for servers and critical systems)
- Emergency patching process for critical CVEs (Log4Shell, EternalBlue-class vulnerabilities)
- Track patch compliance — which systems are up to date, which are behind
Secure Protocols
Use the secure version. Always.
| Insecure | Secure Replacement | Why |
|---|---|---|
| HTTP | HTTPS (TLS) | Encryption, integrity, authentication |
| FTP | SFTP or FTPS | Credentials and data in cleartext |
| Telnet | SSH | Credentials in cleartext |
| SNMPv1/v2c | SNMPv3 | Community strings in cleartext, no encryption |
| LDAP | LDAPS (LDAP over TLS) | Credentials and directory data in cleartext |
| IMAP/POP3 | IMAPS/POP3S | Email credentials in cleartext |
| DNS | DoH (DNS over HTTPS) or DoT (DNS over TLS) | DNS queries in cleartext, visible to observers |
| NTP | NTPsec or authenticated NTP | Time manipulation enables replay attacks |
DNS Filtering
DNS-level security blocks malicious domains before the connection is established.
- Query goes to DNS resolver → resolver checks against threat intelligence feeds → known-malicious domains return NXDOMAIN or redirect to block page
- Fast: blocks at the lookup stage, before any TCP connection
- Lightweight: no deep packet inspection needed
- Limitations: bypass by using alternative DNS (IP-based blocks or forced DNS via firewall rules mitigate this)
- Products: Cloudflare Gateway, Cisco Umbrella, Infoblox
Email Security
SPF (Sender Policy Framework)
- DNS TXT record that lists authorized mail servers for your domain
- Receiving server checks: “Is this email coming from a server that
example.comauthorized?” v=spf1 include:_spf.google.com -allmeans “Google’s servers can send mail for us, reject everything else”~all(soft fail) vs.-all(hard fail) — hard fail is stronger but can break legitimate mail if misconfigured
DKIM (DomainKeys Identified Mail)
- Cryptographic signature on outbound email. Sending server signs with private key, public key published in DNS.
- Receiving server validates: “Was this email actually sent by someone with the private key for
example.com?” - Proves integrity (email wasn’t modified in transit) and authenticity (came from authorized sender)
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
- Policy that tells receiving servers what to do when SPF and DKIM fail
- Policies:
none(monitor only),quarantine(spam folder),reject(don’t deliver) - Includes reporting —
ruaandruftags send aggregate and forensic reports back to the domain owner - A domain without DMARC reject can be spoofed, even if it has no MX records
The Stack
SPF, DKIM, and DMARC work together:
- SPF validates the sending server
- DKIM validates the message integrity and sender authenticity
- DMARC tells the receiver what to do when either fails and reports results back
All three are required for a properly secured email domain.
File Integrity Monitoring (FIM)
- Baseline hash of critical system files (OS binaries, configuration files, application executables)
- Continuous or scheduled comparison against baseline
- Change detected = alert. Either it’s an authorized change (correlate with change management) or a compromise.
- Tools: OSSEC, AIDE, Tripwire, Wazuh
- Key targets:
/etc/passwd,/etc/shadow, system binaries, web server config, application config
Data Loss Prevention (DLP)
Prevents sensitive data from leaving the organization through unauthorized channels.
DLP Components
- Content inspection: Pattern matching for sensitive data (SSN patterns, credit card numbers, classification labels)
- Context analysis: Who is sending, where is it going, what channel (email, USB, cloud upload, print)
- Policy enforcement: Block, quarantine, encrypt, or alert based on rules
DLP Deployment Points
- Endpoint: Agent on workstations monitors file copies, USB transfers, print jobs, clipboard
- Network: Monitors traffic at the perimeter for sensitive data in transit
- Cloud: Monitors SaaS uploads, cloud storage, email attachments (CASB integration)
Common Pitfalls
- Over-aggressive rules block legitimate business processes. Sales can’t send proposals because they contain dollar figures that match credit card patterns.
- False positives create alert fatigue. Tune rules with business context.
- Encrypted traffic bypasses network DLP unless you’re doing SSL inspection.
Network Access Control (NAC)
Controls which devices can connect to the network based on identity and compliance posture.
802.1X
- Port-based access control. Device must authenticate before getting network access.
- Supplicant (client) → Authenticator (switch/AP) → Authentication server (RADIUS)
- Unauthenticated devices get no network access (or redirected to a remediation VLAN)
Posture Assessment
- NAC agent checks device health before granting access: antivirus up to date? OS patched? Disk encryption enabled? Firewall running?
- Non-compliant devices quarantined to a remediation network until they meet requirements.
- Agentless options: fingerprinting device type by MAC, DHCP behavior, traffic patterns.
Common Scenarios
- Rogue device → quarantine VLAN: Unknown device connects, no 802.1X credentials, isolated
- Expired certificate → graceful failure: Device had valid cert, cert expired, moved to remediation with instructions to renew
- Printer without 802.1X → MAB fallback: MAC Authentication Bypass — authenticate by known MAC address for devices that can’t run a supplicant
EDR / XDR
EDR (Endpoint Detection and Response)
- Agent on endpoints that monitors process execution, file changes, network connections, registry changes
- Goes beyond antivirus: behavioral detection, threat hunting, forensic data collection
- Can isolate compromised endpoints from the network in real time
- Products: CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, Carbon Black
XDR (Extended Detection and Response)
- Extends EDR concept beyond endpoints to network, cloud, email, identity
- Correlates signals across all sources — endpoint alert + suspicious email + unusual cloud API call = one incident
- Reduces the “pivot between five consoles” problem
- The distinction between XDR and a good SIEM is getting blurry. XDR tends to be more automated response, SIEM tends to be more analysis.