Mental model
Real breaches in 2026 rarely look like the movies. The dominant pattern is mundane:
- An employee receives a phishing email.
- They click and enter their corporate credentials on a fake login page.
- The attacker logs in with valid credentials from somewhere overseas.
- Because MFA wasn’t enforced or was push-fatigued, they get in.
- They sit in the network for weeks, slowly mapping it.
- They escalate privileges, exfiltrate data, then drop ransomware to monetize.
No zero-day exploit. No Hollywood “hacking.” Just identity compromise + lateral movement + monetization.
This is why modern security thinking has shifted: assume compromise, design for blast-radius reduction. A network engineer’s job isn’t to make breaches impossible (you can’t) — it’s to ensure that one compromised endpoint can’t reach the crown-jewel systems without crossing several authorization boundaries.
The six categories of attack
Cisco’s blueprint groups threats into broad categories. Memorize these.
1. Phishing & social engineering
Tricking a human into giving up credentials, clicking malware, or wiring money.
Variants:
- Phishing — mass email impersonating a service (“Your Microsoft 365 expired”).
- Spear phishing — targeted at one person, references real details about them.
- Whaling — spear phishing aimed at executives.
- Smishing — phishing via SMS.
- Vishing — phishing via voice call (often impersonating IT support).
- Business Email Compromise (BEC) — attacker compromises an executive’s email and uses it to authorize wire transfers.
Mitigations: user awareness training, email security gateways (Mimecast, Proofpoint), DMARC/SPF/DKIM on outbound mail, MFA on every account, “verify out-of-band” policy for money transfers.
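The DMARC/SPF/DKIM item above only helps if the published policy is actually enforcing; a `p=none` DMARC record or an SPF record ending in `~all` still lets spoofed mail reach the inbox. The following is an added example, not code from the original page: it grades a domain's SPF and DMARC TXT records and lists what a defender should tighten. The record strings are constructed (example.com is a reserved documentation domain), and the "weak" thresholds are my assumptions; in production you would fetch the records with a resolver such as dnspython's `dns.resolver.resolve(name, "TXT")` for `example.com` and `_dmarc.example.com`. DKIM is deliberately out of scope because verifying it needs a signed message, not just DNS.

```python
"""Grade outbound-mail spoofing protection from SPF and DMARC TXT records.

Added example: the records below are constructed, not looked up.
"""

# Constructed records for the demo (example.com is a reserved documentation domain)
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"


def parse_spf(record):
    """Return {'all': qualifier, 'mechanisms': [...]} or {} if not an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {}
    all_qualifier, mechanisms = None, []
    for term in terms[1:]:
        if term.lower().lstrip("+-~?") == "all":
            # An unqualified 'all' means '+all' (pass everything)
            all_qualifier = term[0] if term[0] in "+-~?" else "+"
        else:
            mechanisms.append(term)
    return {"all": all_qualifier, "mechanisms": mechanisms}


def parse_dmarc(record):
    """Return the DMARC tag=value pairs as a dict, or {} if not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def grade_domain(spf_txt="", dmarc_txt=""):
    """Return a list of findings; an empty list means both records are enforcing."""
    findings = []
    spf = parse_spf(spf_txt)
    if not spf:
        findings.append("SPF: no v=spf1 record; the envelope sender can be spoofed freely")
    elif spf["all"] in (None, "+", "?"):
        findings.append("SPF: 'all' is %s; the record rejects nothing" % (spf["all"] or "missing"))
    elif spf["all"] == "~":
        findings.append("SPF: ~all (softfail); most receivers still deliver softfail mail")

    dmarc = parse_dmarc(dmarc_txt)
    if not dmarc:
        findings.append("DMARC: no record; receivers cannot reject spoofed mail on your behalf")
    else:
        if dmarc.get("p", "none").lower() == "none":
            findings.append("DMARC: p=none is monitoring only; spoofed mail is still delivered")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so you receive no aggregate reports")
        if int(dmarc.get("pct", "100")) < 100:
            findings.append("DMARC: pct<100 applies the policy to only a fraction of mail")
    return findings


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, grade_domain(spf, dmarc) or ["OK: SPF -all and DMARC enforcing"])
```

Run it and the "weak" pair produces two findings (softfail SPF, monitoring-only DMARC) while the "strong" pair produces none. The usual rollout is `p=none` with `rua=` first to see who legitimately sends as your domain, then `p=quarantine`, then `p=reject`; the script flags the first stage so nobody forgets to finish.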
2. Malware (including ransomware)
Malicious code executed on endpoints or servers.
Categories:
- Virus / worm — self-replicating code.
- Trojan — disguised as legitimate software.
- Ransomware — encrypts files, demands payment.
- Spyware / keylogger — silently exfiltrates data or keystrokes.
- Cryptojacker — uses your CPU/GPU to mine cryptocurrency.
- Rootkit — modifies the OS to hide itself; very hard to detect.
- Wiper — destroys data with no payment option (nation-state).
Mitigations: EDR (endpoint detection and response) like CrowdStrike, SentinelOne, MS Defender for Endpoint; application allowlisting; patch management; offline backups (essential for ransomware recovery); least-privilege users.
3. Man-in-the-Middle (MITM)
Attacker sits between two parties and reads/modifies traffic.
Variants:
- ARP spoofing on a LAN — attacker poisons the ARP table so victim traffic flows through them.
- DHCP rogue server — attacker hands out malicious gateways.
- Wi-Fi evil twin — attacker sets up an open SSID matching a legitimate name.
- TLS strip / downgrade — attacker forces HTTP instead of HTTPS.
- BGP hijacking — attacker (often a misconfigured ISP) advertises someone else’s prefix, redirecting traffic.
Mitigations: DHCP Snooping + Dynamic ARP Inspection on access switches, IP Source Guard, HSTS on web apps, TLS everywhere, RPKI for BGP, WPA3 / 802.1X on Wi-Fi.
4. Denial of Service (DoS / DDoS)
Overwhelm a service so legitimate users can’t reach it.
Variants:
- Volumetric — saturate bandwidth (UDP amplification via DNS, NTP, memcached).
- Protocol — exhaust connection tables (SYN flood, ACK flood).
- Application — slow or recursive queries against an app (Slowloris, GET flood).
- Distributed (DDoS) — sourced from a botnet of thousands of IPs.
Mitigations: cloud-based scrubbing (Cloudflare, AWS Shield, Akamai), upstream blackhole / RTBH coordination with your ISP, rate limiting, CDN absorbing public traffic, NTP/DNS amplification protection at your edge (query-only ACLs on NTP — see NTP Authentication).
5. Supply-chain attacks
Attacker compromises a vendor or library that you depend on, gaining access to your systems indirectly.
High-profile examples: SolarWinds (2020), Kaseya (2021), 3CX (2023), MOVEit (2023). The attacker shipped a malicious update to a trusted vendor’s software, which thousands of victims auto-installed.
Mitigations: software bill of materials (SBOM), vendor security questionnaires, network segmentation of management plane, code signing verification, egress filtering (a compromised SolarWinds agent can’t beacon out if the management VLAN has no internet access).
6. Insider threats
Authorized user goes rogue (or makes a mistake).
Variants:
- Malicious insider — departing employee exfiltrating data.
- Compromised insider — legitimate account taken over by external attacker.
- Negligent insider — well-meaning user emailing a customer DB to a personal account.
Mitigations: principle of least privilege, separation of duties, DLP (data loss prevention) policies, monitoring for unusual access patterns, immediate offboarding processes, mandatory vacation policies.
Defense in depth — the layers
```text
                 Internet
                    │
             ┌──────┴──────┐
             │ DDoS scrub  │  Layer 1: edge volumetric protection
             └──────┬──────┘
                    │
             ┌──────┴──────┐
             │ Perimeter FW│  Layer 2: stateful firewall + IPS
             └──────┬──────┘
                    │
      ┌─────────────┴─────────────┐
      │   Segmented internal      │  Layer 3: VLAN + VRF + ACL between zones
      │  (DMZ / PCI / corp / IoT) │
      └──────┬─────────────┬──────┘
             │             │
        ┌────┴───┐    ┌────┴───┐
        │ Servers│    │ Users  │  Layer 4: identity (AAA, dot1x, MFA),
        └────┬───┘    └────┬───┘           EDR on every endpoint
             │             │
             └──────┬──────┘
                    │
           ┌────────┴────────┐
           │    Logging      │  Layer 5: SIEM + NetFlow + endpoint telemetry
           │  + monitoring   │
           └─────────────────┘
```
Each layer assumes the layer above fails. A compromise of one zone shouldn’t auto-grant access to another. Logs everywhere mean you find compromise quickly when (not if) it happens.
What’s specifically the network engineer’s job
For CCNA / CCNP-level network engineers, your contribution to this stack:
- Identity at the port: 802.1X with ISE or another RADIUS (see Cisco ISE Basics), MAC bypass for IoT.
- Layer-2 hardening: Port Security, DHCP Snooping, DAI, IP Source Guard, BPDU Guard.
- Network segmentation: VLAN per role/sensitivity, ACLs at L3 boundaries, VRFs for hard isolation, micro-segmentation in DCs.
- Encrypted transit: IPsec for site-to-site, AnyConnect for remote access, MACsec for in-DC encryption between switches.
- Logging and visibility: Syslog every device to a SIEM, NetFlow on uplinks (see NetFlow), packet capture capability.
- Patch the network gear: Cisco / vendor IOS updates aren’t optional. Old IOS has known CVEs.
- Egress filtering: outbound rules so compromised servers can’t beacon out to C2.
You’re not the SOC analyst. You’re the foundation the SOC works on top of.
Specific Layer-2 attacks to know (CCNA-tested)
| Attack | What it does | Mitigation |
|---|---|---|
| MAC flooding | Floods CAM table → switch becomes hub → attacker sniffs everything | Port Security (`switchport port-security`) |
| ARP spoofing | Sends fake ARP replies → MITM | Dynamic ARP Inspection (DAI) |
| DHCP starvation | Exhausts the legitimate DHCP pool | DHCP Snooping rate-limit |
| Rogue DHCP server | Hands out malicious gateways | DHCP Snooping trust only on real servers |
| VLAN hopping (double-tagging) | Crosses into another VLAN via native VLAN | Don’t use VLAN 1 as native; tag native explicitly |
| CDP / LLDP reconnaissance | Attacker reads neighbor info | Disable CDP/LLDP on user-facing ports |
| STP attacks | Become root bridge / divert traffic | Root Guard + BPDU Guard |
| MAC spoofing | Bypass MAC-based access | 802.1X with identity-based auth |
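The table above and the "Layer-2 hardening" item in the network engineer's list describe the same set of switch commands: DHCP Snooping and DAI globally, Port Security, BPDU Guard, IP Source Guard and `no cdp enable` on access ports, and a non-default native VLAN on trunks. The quickest way to find the ports that never got them is to audit `show running-config` text rather than click through every switch. The script below is an added example (not Cisco's tooling and not from the original page); the running-config it parses is constructed and trimmed to the relevant lines, and the set of commands it treats as "required" is my reading of the table, so extend it to match your own standard.

```python
"""Audit a Cisco IOS running-config for the Layer-2 hardening in the table.

Added example: SAMPLE_CONFIG is constructed; in practice feed it the saved
output of `show running-config`.
"""

SAMPLE_CONFIG = """\
!
ip dhcp snooping
ip dhcp snooping vlan 10,20
no ip dhcp snooping information option
ip arp inspection vlan 10,20
!
interface GigabitEthernet1/0/1
 description user port - hardened
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 ip verify source
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 description user port - bare default
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/48
 description uplink to distribution
 switchport trunk native vlan 1
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
"""

# Command an access port must carry -> the attack it closes (assumed standard)
ACCESS_PORT_REQUIRED = {
    "switchport port-security": "MAC flooding: no Port Security",
    "spanning-tree bpduguard enable": "STP attack: no BPDU Guard",
    "no cdp enable": "CDP recon: CDP still enabled on a user port",
    "ip verify source": "IP/MAC spoofing: no IP Source Guard",
}


def parse_config(text):
    """Split an IOS config into global lines and {interface name: [its lines]}."""
    globals_, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())   # indented = inside the block
        else:
            current = None                              # '!' or a global command ends the block
            if line and line != "!":
                globals_.append(line)
    return globals_, interfaces


def audit(text):
    """Return a list of (scope, finding) tuples; an empty list means nothing was flagged."""
    globals_, interfaces = parse_config(text)
    findings = []
    if "ip dhcp snooping" not in globals_:
        findings.append(("global", "Rogue DHCP: ip dhcp snooping not enabled"))
    if not any(g.startswith("ip dhcp snooping vlan") for g in globals_):
        findings.append(("global", "Rogue DHCP: no VLANs listed under ip dhcp snooping vlan"))
    if not any(g.startswith("ip arp inspection vlan") for g in globals_):
        findings.append(("global", "ARP spoofing: Dynamic ARP Inspection not enabled on any VLAN"))
    for name, lines in interfaces.items():
        if "switchport mode access" in lines:
            for cmd, why in ACCESS_PORT_REQUIRED.items():
                if cmd not in lines:
                    findings.append((name, why))
        elif "switchport mode trunk" in lines:
            native = next((l.split()[-1] for l in lines
                           if l.startswith("switchport trunk native vlan")), "1")
            if native == "1":
                findings.append((name, "VLAN hopping: native VLAN is 1 on a trunk"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print("%-22s %s" % (scope, finding))
```

Against the sample, the hardened port is clean, the "bare default" port yields four findings, and the uplink is flagged for native VLAN 1. Note that `ip dhcp snooping trust` and `ip arp inspection trust` appear only on the uplink: trusting an access port would let a rogue DHCP server through, so a stricter version of this audit would also flag `trust` on any `switchport mode access` interface.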
The CIA triad
A core concept from CCNA: every security control aims to preserve one of three properties.
| Property | What it means | Example controls |
|---|---|---|
| Confidentiality | Data is only seen by authorized parties | Encryption (AES), TLS, IPsec, ACLs |
| Integrity | Data is not modified undetected | Hashing (SHA-256), HMAC, digital signatures |
| Availability | Data and services are reachable when needed | Redundancy, DDoS protection, backup, capacity |
Map each control to which property it protects. A WAF protects integrity + availability (not confidentiality of internal data). Encryption protects confidentiality + integrity (not availability — encrypted data still gets DDoS’d).
Common mistakes
- Treating firewalls as sufficient. A modern attack starts inside the firewall (phishing). The perimeter is necessary but far from sufficient.
- No segmentation between user and server VLANs. A compromised laptop can talk to the file server, the AD controller, the database. Lateral movement is trivial.
- Same admin credentials everywhere. Compromise of one device’s enable secret → entire fleet. Use TACACS+ / per-device auth.
- No MFA on jump servers / management plane. The bastion host is the highest-value target on your network. SSH-key + MFA minimum.
- NTP unencrypted and unauthenticated. Allows time-shift attacks that break Kerberos and TLS validation. See NTP Authentication.
- Allowing CDP/LLDP everywhere. Attacker plugs into a network drop, learns the upstream switch model and IOS version — a recon goldmine. Disable on user-facing ports.
- No outbound filtering. Compromised hosts can phone home to C2. Default-allow outbound is a habit that’s no longer defensible.
- Treating “patched” as binary. Patching IOS once a year isn’t patching. Vendor advisories every 6 weeks; track them.
- No tested backups. Backups untested = no backups. Ransomware doesn’t care if you have them, only if you can restore from them.
- Conflating security with compliance. PCI-compliant ≠ secure. SOC 2-compliant ≠ secure. Compliance is a floor, not a ceiling.
Lab to try tonight
- MAC flooding demo: in CML / GNS3, use `macof` from a Linux host to flood a switch’s CAM table. Without Port Security, the switch starts flooding all traffic. Apply `switchport port-security` and watch the attack get shut down.
- ARP spoofing demo: between two hosts on the same VLAN, use `arpspoof` to poison a victim’s ARP table. Then turn on DAI on the switch and confirm the attack stops.
- Phishing-style URL inspection: look at a real phishing email (or test from KnowBe4 / Proofpoint demos). Note the small typos in the domain, the urgency language, the call-to-action.
- Configure 802.1X with ISE (DevNet sandbox). Add a host to the network, watch it authenticate. Then connect an “unknown” host and watch it land in the quarantine VLAN.
- NetFlow + threat hunting: with NetFlow data flowing into a collector, look for anomalies — one host suddenly sending to 1000 destinations (scan), or one host sending 50 GB/hour to a foreign IP (exfil).
- Tabletop exercise: walk a colleague through “what do we do if our domain controller is encrypted at 3am Saturday?” Find every gap in the plan.
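The NetFlow item in this list, and the "Logging and visibility" item earlier, both come down to two queries over flow records: which source touched an abnormal number of destinations, and which source pushed an abnormal volume to one external address. The following is an added example, not part of the original page: the flow records are constructed and reduced to `(src, dst, dst_port, bytes)` rather than a real NetFlow v9/IPFIX export, the internal address space is assumed to be RFC 1918 only, and the thresholds (1,000 destinations, 50 GiB) are taken from the lab text above as a starting point to tune against your own baseline. It generalises slightly beyond the text by scoring every source in the window, not just one suspect host.

```python
"""Two NetFlow hunts: fan-out (scanning) and bulk transfer to an external IP (exfil).

Added example: FLOWS is constructed; 203.0.113.0/24 and 198.51.100.0/24 are
documentation ranges standing in for public internet addresses.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Your own address space (assumption: RFC 1918 only); anything else counts as external
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
FANOUT_THRESHOLD = 1000             # distinct destinations per window, per source (assumed)
EXFIL_THRESHOLD = 50 * 1024 ** 3    # bytes per window from one source to one external IP (assumed)

# Constructed one-hour window of flows: (src_ip, dst_ip, dst_port, bytes)
FLOWS = (
    [("10.1.20.15", "10.1.30.5", 445, 12_000),          # ordinary file-server use
     ("10.1.20.15", "203.0.113.9", 443, 9_000)]         # ordinary HTTPS
    # one host touching 1,100 internal addresses on 445: SMB scan / worm behaviour
    + [("10.1.20.77", "10.1.%d.%d" % (30 + i // 254, 1 + i % 254), 445, 120) for i in range(1100)]
    # one host pushing 5 x 12 GiB to a single external IP
    + [("10.1.20.42", "198.51.100.200", 443, 12 * 1024 ** 3) for _ in range(5)]
)


def is_external(ip):
    """True when the address is outside INTERNAL_NETS."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def fan_out(flows, threshold=FANOUT_THRESHOLD):
    """Count distinct destinations per source; return the sources at or over threshold."""
    dsts = defaultdict(set)
    for src, dst, _port, _nbytes in flows:
        dsts[src].add(dst)
    return {src: len(d) for src, d in dsts.items() if len(d) >= threshold}


def exfil(flows, threshold=EXFIL_THRESHOLD):
    """Sum bytes per (source, external destination); return the pairs at or over threshold."""
    volume = defaultdict(int)
    for src, dst, _port, nbytes in flows:
        if is_external(dst):
            volume[(src, dst)] += nbytes
    return {pair: total for pair, total in volume.items() if total >= threshold}


if __name__ == "__main__":
    for src, n in fan_out(FLOWS).items():
        print("SCAN?  %s reached %d distinct hosts" % (src, n))
    for (src, dst), total in exfil(FLOWS).items():
        print("EXFIL? %s -> %s: %.1f GiB" % (src, dst, total / 1024 ** 3))
```

On the sample window, `fan_out` flags only 10.1.20.77 and `exfil` flags only the 10.1.20.42 → 198.51.100.200 pair; the ordinary host stays quiet on both. Real collectors give you the same two aggregations as saved searches; the value of writing them yourself once is knowing exactly what "1,000 destinations" and "50 GB/hour" mean in your data before a SIEM rule alerts on them.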
Cheat strip
| Concept | Plain English |
|---|---|
| CIA triad | Confidentiality, Integrity, Availability — the goal of all security controls |
| Phishing | Tricking a human into giving credentials or clicking malware. #1 attack vector |
| Ransomware | Malware that encrypts your data and demands payment. Mitigated by tested offline backups |
| MITM | Attacker sits between victims. ARP spoofing, evil twin Wi-Fi, BGP hijack |
| DDoS | Distributed traffic flood that takes services offline. Mitigated by scrubbing services + CDN |
| Supply chain attack | Compromise a vendor to reach the vendor’s customers |
| Insider threat | Authorized user goes rogue or makes a mistake |
| Defense in depth | Multiple security layers — assume any one will fail |
| Least privilege | Each user/device gets the minimum access needed |
| MFA | Multi-factor auth — required on every account that matters |
| EDR | Endpoint detection + response — modern antivirus successor |
| SIEM | Central log aggregation + correlation |
| L2 attacks on CCNA | MAC flood, ARP spoof, DHCP attacks, VLAN hop, STP attacks — know each + its mitigation |
| Defender’s leverage | Identity (MFA, AAA) + segmentation (VLAN, VRF, ACL) + visibility (logs, NetFlow) — not firewalls alone |