You're staring at the practice quiz for Module 08. Security monitoring. Infrastructure threats. The questions look straightforward until you hit the third one and realize you're not actually sure what distinguishes a man-in-the-middle attack from a replay attack in a real network capture.
Been there. This module trips up more people than almost any other in the security curriculum — not because the concepts are hard, but because they're taught as definitions instead of scenarios.
Let's fix that.
What Is Module 08 Actually Testing
Module 08 in most security curricula (CompTIA Security+, Cisco CCNA Security, (ISC)² CISSP domains) covers two tightly coupled domains: the threats that target network and system infrastructure, and the monitoring strategies used to detect them The details matter here..
Infrastructure threats aren't just "hackers breaking in.Plus, " They're anything that compromises the confidentiality, integrity, or availability of the underlying systems that keep an organization running. Still, routers. Switches. Firewalls. Load balancers. That's why dNS servers. That said, time servers. The unglamorous plumbing Not complicated — just consistent..
Security monitoring is the discipline of watching that plumbing — continuously — so you know when something's wrong before the CEO reads about it on Twitter Simple, but easy to overlook..
The quiz doesn't just want definitions. It wants to know if you can match a symptom to a root cause, a log entry to an attack type, a monitoring gap to a blind spot.
The Two Halves Don't Exist in Isolation
Here's what most study guides miss: you can't understand infrastructure threats without understanding how monitoring detects them, and you can't design monitoring without knowing what the threats actually look like on the wire Surprisingly effective..
A rogue DHCP server isn't a threat because of some textbook definition. It's a threat because it hands out a malicious gateway, redirects traffic, and shows up in your monitoring as clients suddenly talking to an unknown MAC address on port 67/68 Still holds up..
You'll probably want to bookmark this section.
That's the level the quiz expects Worth keeping that in mind..
Why This Module Matters More Than You Think
Most people treat infrastructure security as "network stuff.Even so, " It's not. It's the foundation everything else sits on Most people skip this — try not to. And it works..
If your DNS is poisoned, your email security gateway doesn't matter — the MX record points to the attacker. If your NTP server is compromised, your logs have wrong timestamps, your Kerberos tickets fail, and your SIEM correlation rules break silently. If a switch port gets flooded with MAC addresses, the CAM table overflows and the switch starts flooding traffic to all ports — instant network tap for anyone plugged in Easy to understand, harder to ignore..
These aren't theoretical. They're Tuesday Simple, but easy to overlook..
The Monitoring Gap Is Where Breaches Live
Organizations don't get breached because they lack firewalls. They get breached because the firewall logged the attack, the IDS alerted on it, the endpoint agent saw the payload — and nobody correlated those three events in time to stop it Which is the point..
Module 08 forces you to think like a defender who has to connect dots across layers. Think about it: that's the job. Not memorizing port numbers. Not reciting the OSI model. Connecting dots.
How Infrastructure Threats Actually Work
Let's walk through the major threat categories the way they appear in real networks — not in flashcards.
Layer 2 Attacks: The Switch Is Not Your Friend
Switches operate on trust. So they learn MAC addresses by watching source addresses on incoming frames. That trust is exploitable.
MAC flooding sends thousands of frames with random source MACs. The switch's CAM table fills up. Once full, the switch fails open — it floods all frames to all ports. The attacker now sees everything. Tools like macof (part of dsniff) automate this in seconds.
ARP poisoning (ARP spoofing) exploits the fact that ARP has no authentication. The attacker sends gratuitous ARP replies telling the victim "I'm the gateway" and telling the gateway "I'm the victim." Traffic flows through the attacker. They can sniff, modify, or drop packets.
DHCP starvation exhausts the DHCP pool with bogus requests. Then the attacker spins up a rogue DHCP server. Clients get a malicious gateway, DNS server, WPAD proxy — full traffic interception That's the part that actually makes a difference..
VLAN hopping comes in two flavors: switch spoofing (attacker negotiates trunking with DTP) and double tagging (attacker sends frames with two 802.1Q tags; the first switch strips the outer tag, the second switch forwards based on the inner tag — jumping VLANs).
Layer 3 and 4: Routing and Transport Abuse
Routing protocol attacks target OSPF, BGP, EIGRP. Unauthenticated OSPF lets an attacker inject false LSAs, blackholing traffic or redirecting it. BGP hijacking — announcing prefixes you don't own — has taken down chunks of the internet. More than once And it works..
ICMP abuse isn't just ping floods. ICMP redirects can rewrite a host's routing table. ICMP unreachable messages can tear down TCP connections. Smurf attacks use broadcast ping with spoofed source to amplify traffic toward a victim.
TCP/IP stack attacks include SYN floods (exhaust connection tables), TCP reset attacks (forge RST packets to kill sessions), and sequence prediction (hijack sessions by guessing ISNs — mostly historical now, but the concept appears on exams).
DNS: The Phone Book Nobody Checks
DNS cache poisoning (Kaminsky attack) floods a resolver with responses for a target domain, racing the legitimate answer. If the attacker wins, the resolver caches the malicious IP. Modern defenses: source port randomization, 0x20 encoding, DNSSEC.
DNS tunneling exfiltrates data by encoding it in subdomain queries to an attacker-controlled domain. data.exfil.attacker.com — the resolver recursively queries, the attacker decodes. Shows up as high-volume, high-entropy subdomains. Monitoring catches this.
Domain generation algorithms (DGAs) let malware generate thousands of domains daily. Fast flux DNS rotates IPs rapidly. Both evade static blocklists. Detection requires behavioral analysis — NXDOMAIN rates, entropy, TTL anomalies.
Time Synchronization: The Silent Killer
NTP attacks are rarely taught well but appear on exams constantly.
NTP amplification uses monlist (deprecated but still out there) or other query types to reflect/amplify traffic toward a victim. 200x amplification possible Surprisingly effective..
NTP spoofing shifts clocks. Kerberos fails at 5-minute skew. Certificate validation breaks. Log correlation dies. SIEM rules stop firing. An attacker who controls your time controls your visibility.
Wireless Infrastructure Threats
Evil twin APs mimic legitimate SSIDs. Clients connect automatically. Attacker gets MitM position Worth keeping that in mind..
KRACK (Key Reinstallation Attack) against WPA2 forces nonce reuse, letting attackers decrypt, replay, or forge frames. Patched, but legacy gear remains.
WPS PIN brute force — the PIN is validated in two halves, reducing entropy from 10^8 to 10^4 + 10^3. Hours to crack. Disable WPS.
Rogue APs plugged into wired ports by insiders or contractors. Bridge the secure network to open wireless. NAC and port security are the answer That alone is useful..
How Security Monitoring Actually Works
Monitoring isn't "install a SIEM and check the dashboard." It's a pipeline: collect, normalize, enrich, correlate, alert, investigate, respond.
Data Sources You Can't Live Without
NetFlow / IPFIX / sFlow — metadata about conversations. Source/dest IP, ports, protocol, bytes, packets, start/end time. No payload. Lightweight, scalable, essential for traffic baselining
and spotting anomalies.
Firewall logs — allowed and denied traffic, NAT translations, policy hits, geo-location, and user identity if integrated with directory services. These are critical for understanding perimeter behavior and lateral movement.
Proxy and web gateway logs — URLs, domains, categories, user agents, TLS SNI, uploads/downloads, and blocked content. These are invaluable for detecting command-and-control traffic, phishing follow-up, and data exfiltration.
DNS logs — queries, responses, NXDOMAIN results, query volume, and resolver source. DNS is one of the best places to find malware beacons, DGAs, tunneling, and suspicious newly registered domains.
Authentication logs — successful and failed logons, privilege changes, MFA prompts, VPN sessions, service account activity, and impossible travel. Most compromises become obvious once you examine identity events closely.
Endpoint telemetry — process creation, parent-child process relationships, persistence mechanisms, file changes, network connections, and user activity. Endpoint data bridges the gap between network suspicion and host-level confirmation.
Packet capture — full payload visibility when needed. Packet capture is heavier and more privacy-sensitive than NetFlow, but it is essential for deep analysis, malware reverse engineering, and proving exactly what happened.
Normalization and Enrichment
Raw logs are messy. Every system formats events differently, so monitoring platforms normalize them into common fields: source IP, destination IP, source port, destination port, protocol, user, host, action, timestamp, and event type Practical, not theoretical..
Enrichment makes those fields useful. A source IP becomes more meaningful when you know it belongs to a domain controller, a contractor laptop, a cloud instance, or a known malicious ASN. Enrichment adds context such as:
- Asset owner and criticality
- Hostname and operating system
- User department and role
- Geo-location and reputation
- Vulnerability status
- Threat intelligence indicators
- Baseline behavior
A login from a rare country may be harmless for a traveling executive but highly suspicious for a domain admin who has never left the corporate network Surprisingly effective..
Correlation: Turning Events Into Incidents
One alert rarely proves an attack. Correlation connects multiple weak signals into a stronger story Most people skip this — try not to..
Examples:
- Multiple failed logins followed by a successful login may indicate password guessing or credential stuffing.
- DNS queries to high-entropy domains followed by outbound HTTPS beacons may indicate malware command-and-control.
- Port scanning followed by exploitation attempts suggests active reconnaissance.
- SMB or RDP connections from an unusual workstation may indicate lateral movement.
- **Large data transfers after phishing
emails** may indicate data exfiltration.
- Service account executing PowerShell with encoded commands followed by outbound connections to unknown IPs suggests living-off-the-land tradecraft.
Effective correlation requires temporal awareness (events within minutes or hours of each other), entity awareness (same user, host, or IP across data sources), and behavioral baselines (what "normal" looks like for that entity). Modern SIEMs and detection platforms use rule-based logic, statistical models, and increasingly, machine learning to surface these patterns without drowning analysts in noise.
Detection Engineering: From Logic to Coverage
Correlation rules are only as good as the detection engineering behind them. Mature teams treat detections as code: version-controlled, tested, and continuously refined Worth keeping that in mind..
Detection as Code practices include:
- Unit tests for each rule using synthetic or replayed logs
- MITRE ATT&CK mapping to ensure coverage across tactics and techniques
- False positive tracking with automated suppression tuning
- Detection gap analysis against threat intelligence and red team findings
- Staged rollout: shadow mode → alerting → automated response
A detection that fires once a quarter with high fidelity is worth more than one that fires daily and gets ignored. Precision beats volume.
Triage and Investigation: The Analyst Loop
When an alert fires, the clock starts. Analysts need a repeatable investigation framework:
- Context gathering — Pull all related events across data sources for the involved entities (user, host, IP, process). Enrichment should be automatic: asset tags, vulnerability data, threat intel hits, recent alerts.
- Timeline reconstruction — Build a chronological narrative. What happened first? What triggered what? Parent-child process trees, authentication chains, and network flows reveal the attack path.
- Hypothesis testing — Is this malicious, benign, or unknown? Check against known admin activity, scheduled tasks, software updates, and business workflows.
- Scope determination — Is this isolated or widespread? Pivot to find other hosts with similar indicators: same process hash, same C2 domain, same lateral movement pattern.
- Decision — Escalate to incident response, close as false positive, or create a suppression rule with expiration and review date.
Tooling matters. Analysts should pivot across logs, endpoints, and network data in a single interface without writing complex queries from scratch every time. Saved investigations, shared notebooks, and automated enrichment accelerate the loop.
Response and Containment
Detection without response is just expensive logging. Pre-approved playbooks for common scenarios reduce dwell time:
- Account compromise — Disable account, reset password, revoke sessions, review recent activity, check for mailbox rules or forwarding.
- Malware execution — Isolate host, kill malicious processes, collect forensic artifacts, block indicators at perimeter, reimage if persistence confirmed.
- Data exfiltration — Block egress to destination, quantify data loss, notify legal and privacy teams, preserve evidence.
- Lateral movement — Segment network, disable compromised accounts, hunt for additional footholds, rotate service account credentials.
Automation handles the repetitive: host isolation, indicator blocking, ticket creation. Humans make the judgment calls: scope, impact, legal obligations, business continuity Worth keeping that in mind..
Measuring What Matters
A monitoring program that cannot measure its own effectiveness will stagnate. Key metrics:
- Mean Time to Detect (MTTD) — How long from first malicious action to alert?
- Mean Time to Respond (MTTR) — How long from alert to containment?
- Detection coverage — Percentage of MITRE ATT&CK techniques with at least one validated detection.
- False positive rate — Alerts closed as benign per analyst per day.
- Alert fidelity — True positives / total alerts.
- Blind spot analysis — Data sources not ingested, techniques not covered, environments not monitored.
Review these monthly. Adjust collection, enrichment, and detection priorities accordingly Less friction, more output..
The Feedback Loop
Red team exercises, penetration tests, and real incidents are the ultimate validation. Each should feed back into:
- New or improved detections
- Additional log sources or fields
- Enrichment gaps (missing asset tags, unknown service accounts)
- Playbook updates
- Training scenarios for analysts
Threat intelligence should flow in both directions: consume external feeds, but also contribute internal indicators (malware hashes, C2 infrastructure, phishing lures) back to the community and your own detection pipeline.
Conclusion
Security monitoring is not a product you buy—it is a discipline you build. Day to day, it starts with deliberate data collection, matures through normalization and enrichment, becomes actionable through correlation and detection engineering, and proves its worth in the hands of analysts who can investigate, respond, and improve the system continuously. The goal is not perfect visibility or zero alerts. The goal is to detect the attacks that matter, respond before damage spreads, and learn from every event so the next one is caught faster.
That cycle—collect, enrich, analyze, and act—is the engine of effective security monitoring. It requires relentless iteration: refining detection rules as threats evolve, updating playbooks based on real-world lessons, and ensuring that both technology and people adapt in tandem. The most resilient organizations are those that treat monitoring not as a static checklist but as a dynamic process. They invest in tools that scale, but more importantly, they cultivate analysts who ask the right questions and responders who act with precision. In the end, security monitoring is about creating a rhythm of vigilance—a constant balance between reacting to what is and preparing for what could be. By embracing this rhythm, organizations can turn their monitoring efforts from a cost center into a strategic asset, capable of withstanding the inevitable onslaught of cyber threats.
This discipline thrives on humility: recognizing that no system is ever fully immune, and that every alert, whether true or false, is an opportunity to learn. On top of that, the metrics tracked, the playbooks refined, and the teams trained today will shape tomorrow’s defenses. Security monitoring is not about achieving perfection; it’s about building resilience through continuous improvement. As threats grow more sophisticated, the organizations that survive will be those that understand monitoring as a living, breathing practice—one that evolves with every incident, every lesson, and every step forward.
