Learning Track · 20 modules

Attacker Mindset — Network

Segmentation, Layer 2 trust, C2 evasion, Kerberos, VPN, BGP, OT, wireless — why each class of network attack persists.

Why this track

This track walks you from fundamentals through advanced techniques across 20 practitioner modules — the same body of knowledge senior security professionals build over years, structured for self-paced progression with India-specific context throughout.

Prerequisite: See Module 1 for entry context. Most modules are self-contained, but follow the suggested sequence for best results.
Modules: 20
Total time: 16.5 h
Free modules: 20
Quiz retries
Difficulty mix: Beginner · 1, Intermediate · 12, Advanced · 6, Expert · 1

Module sequence

M1
The Network Is Never Flat
Segmentation on paper vs reality. Every network has exceptions attackers exploit for lateral movement.
Beginner 60 min
M2
Layer 2/3 Trust — ARP, DNS, LLMNR Poisoning
Responder, mitm6, NTLM relay. Protocols designed in 1990 still farming credentials in 2026.
Intermediate 75 min
M3
Why Firewalls Miss Modern C2
HTTPS C2, DNS tunneling, DoH, domain fronting, living-off-the-cloud — attackers use permitted traffic for everything.
Intermediate 75 min
M4
Why Kerberos Keeps Producing Attacks
Kerberoasting, AS-REP, Golden Tickets, Silver Tickets, delegation abuse. Not bugs — design features in a new threat model.
Advanced 90 min
M5
SSH, RDP, SMB, WinRM — The Lateral Movement Highway
Every enterprise's admin protocols are attackers' rails. Credential reuse + cached credentials = fast compromise.
Advanced 90 min
M6
VPN Appliances — The Crown Jewel
Ivanti, Fortinet, Citrix, Palo Alto — every year a critical CVE. Patching speed vs attacker speed.
Advanced 90 min
M7
BGP, DNS, CAs — Internet-Scale Trust Failures
BGP hijack + DNS poisoning + TLS cert abuse = traffic interception at scale. Real breaches, real tools.
Advanced 90 min
M8
OT / ICS at the Network Layer
Stuxnet, Industroyer, Triton, Oldsmar. Why PLCs reachable from IT is catastrophic and common.
Advanced 90 min
M9
Wireless — The Perimeter That Moves
Evil Twin, KRACK, PMKID, rogue 802.1X, BLE. $40 of hardware extends the perimeter past the building.
Advanced 90 min
M10
Why Network Detection Underperforms
Encrypted traffic, volume overload, alert fatigue. Why attacker dwell time is weeks to months on average.
Expert 90 min
M11
Every Protocol Has Trust Assumptions
Every protocol — DHCP, ARP, DNS, BGP, NTP, IP, TCP — was designed for an environment with assumed cooperation. Attackers violate those assumptions. DHCP: trust whoever responds first. ARP: trust whoever claims an IP. DNS: trust whoever answers a query. BGP: trust whoever announces a route. Each assumption is a poisoning attack vector when the […]
Intermediate 15 min
M12
Layer 3 vs Layer 7 Mindsets
The network team thinks in subnets, ACLs, firewalls — Layer 3. The app team thinks in HTTP semantics, auth, business logic — Layer 7. Attackers exploit the gap. A network ACL allows port 443 from 10.0.0.0/8 to the web tier. The web tier app trusts the client IP from a header. A compromised laptop on an internal subnet hits the web tier with a forged X-Forwarded-For. […]
Intermediate 15 min
M13
NAT Doesn’t Mean Safe
NAT was an addressing patch. It happens to drop unsolicited inbound packets. Many treat it as a firewall. It isn’t. NAT doesn’t inspect outbound. Compromised host phones home freely. NAT doesn’t protect peer-to-peer; UPnP / hole-punching exists. NAT doesn’t protect against same-segment attacks. The mindset: every “NAT protects us” claim should be replaced with “outbound […]
Intermediate 15 min
M14
Cleartext Is Forever
An adversary records your encrypted traffic today and stores it. Years later, a quantum computer breaks the key exchange and the traffic is decrypted. This isn’t hypothetical. Nation-state adversaries have been recording for years. Long-lifespan secrets — IP, state secrets, banking credentials — are exposed even when transmitted over modern TLS today. The mindset: data with multi-decade sensitivity needs post-quantum protection […]
Intermediate 15 min
M15
Connection Lifecycles and Where They Leak
Connections have states: SYN_SENT, ESTABLISHED, FIN_WAIT, TIME_WAIT, CLOSE_WAIT. Each has a duration; each leaks information. SYN scans use the half-open state. CLOSE_WAIT exhaustion is a DoS. TIME_WAIT buildup limits concurrency. Connection-level information leaks: the working set of source ports reveals scan patterns. RTT distribution reveals geographic location. Header field defaults reveal the OS. The mindset: connection-state telemetry is forensic […]
Intermediate 15 min
M16
Networks Fail Differently
Networks fail in five ways: complete outage, partial outage, latency increase, packet loss, partial reachability. Each masks security signals. “Latency spike for one user” might be a QoS issue or might be MITM. “Partial reachability between subnets” might be a misconfiguration or an attacker-installed firewall rule. The defender must rule out a malicious cause. The mindset: every “network issue” should […]
Intermediate 15 min
M17
DNS Is Half of Every Attack
Almost no internet attack avoids DNS. C2 beacons resolve domains. Phishing links resolve domains. Exfiltration via DNS tunneling. Malware periodically refreshes domain blocks. DNS visibility = visibility into the kill chain. Yet most SOCs underuse DNS logs. The mindset: every DNS query is a behavioural signal. Detection coverage starts here.
Intermediate 15 min
M18
Encrypted But Visible
“It’s TLS; we can’t see anything.” False. TLS reveals SNI (the host being visited). JA3 fingerprints the client. Packet sizes and timing leak content type. Connection counts reveal user behaviour. Encrypted DNS (DoH/DoT) hides query content but reveals that the user uses encrypted DNS. That itself is a signal. The mindset: encryption hides content, not behaviour. Detection […]
Intermediate 15 min
M19
Reading Topology Like an Attacker
Defenders read topology as “what we built.” Attackers read it as “what paths exist.” Every line is a path. Every box is a target. The questions an attacker asks: shortest path from any DMZ host to any DC? what asset has the largest blast radius? where do trust boundaries live and where are they soft? […]
Intermediate 15 min
M20
The Network Forensics Mindset
Network logs are evidentiary in regulator inquiries and lawsuits. They have weight when properly preserved. The discipline: timestamps in UTC, defined retention, chain of custody, immutable archive. Without these, “we have logs” doesn’t answer “can the regulator rely on them?” The mindset: every log is a future court exhibit. Build retention and integrity for that […]
Intermediate 15 min

Common questions about this track

How long will this track take me?

Most learners finish in 4-8 weeks at a sustainable 4-5 hours per week. Modules are self-paced so you can move faster or slower as life allows.

Do I need prior experience?

Module 1 sets the entry baseline. The first module is always free; if it feels approachable, the track is for you.

Will this prepare me for industry certifications?

Most modules align with the body of knowledge tested by senior security certifications. The Academy is not a cert-prep course but produces working knowledge that transfers to any cert exam in the same domain.

Ready to start?

Begin with Module 1. Work through at your own pace. Free modules require no signup — everything else unlocks with a free RingSafe Academy account.
