Technical Controls and Attacks 2
Foster, M. (2026, February 28). CISA Technical Controls Explained in 2 Minutes | CISA in a Nutshell [Video]. YouTube. https://youtu.be/kqZceqK1wV0
Security Controls Review
There are four main categories of control:
• Managerial or Administrative – Organizational policies and procedures.
• Operational – Day-to-day duties and operations.
• Physical – Tangible items that limit access.
• Technical – Hardware and software implemented for security.
Each of those categories is implemented through one or more control types, which describe how the control acts:
• Preventive – Intended to stop an incident before it happens.
• Deterrent – Discourages an attack or incident from occurring.
• Detective – Used in identifying possible incidents or threat actors.
• Corrective – Restoration to normal operating procedures after an incident.
• Compensating – A secondary/backup control should the primary be unavailable.
• Directive – Provides direction, rules, policies, etc. on security matters.
Technical Controls – Detective
- Used to identify incidents that have made it past the preventive and deterrent controls.
- Network and system monitoring tools make up the bulk of this control type.
- Intrusion detection systems (IDS) monitor network activity and are instrumental in this type of control, but they only alert: unlike an intrusion prevention system (IPS), an IDS does not stop the attack.
Foster, M. (2026, February 28). CISA Detective Controls Explained in 2 Minutes | CISA in a Nutshell [Video]. YouTube. https://youtu.be/HXLSnNrLZdY
Detective Methods – Attacks and Exploits
- IDS/IPS evasion can be performed with various techniques, including:
  - Compromising trusted devices and applications, so that malicious traffic originates from a source the sensor is configured to trust.
  - Packet fragmentation: breaking malicious content into separate network packets so that no single packet contains a complete signature.
  - Spoofing IP addresses to appear to be a legitimate source.
  - Obfuscation, or altering the code enough (encoding, encryption, small rewrites of a known payload) that the system does not recognize the malware signature or malicious code being sent.
- Deleting or altering logs after gaining access can also slow down or halt the security investigation.
Example obfuscated code meant to hide its true purpose. Similar techniques were used in the SolarWinds Orion compromise: the attackers inserted code into the Orion build process in stages starting in 2019, and the resulting backdoored updates went undetected until the supply-chain attack was discovered in December 2020.
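The fragmentation and obfuscation evasions listed above, and the stream reassembly plus decoding that a deep-packet-inspection engine uses to defeat them, as an added example that is not code from the original page or from any IDS product. The signature list, the addresses and the payloads are constructed for illustration.

```python
"""Added example: a toy signature IDS, two of the evasions listed above
(packet fragmentation and payload obfuscation), and the stream reassembly plus
decoding that a deep-packet-inspection engine uses to defeat them. Signatures,
addresses and payloads are constructed; this is not any product's rule set."""
import base64
import re
from dataclasses import dataclass

# Constructed signature database: byte pattern -> rule name.
SIGNATURES = {
    b"union select": "SQLi-UNION",
    b"/bin/sh": "shell-spawn",
    b"cmd.exe /c": "win-cmd-exec",
}


@dataclass
class Packet:
    stream: str    # "src:port->dst:port", constructed identifier
    seq: int       # byte offset of this payload within the stream
    payload: bytes


def signature_match(data: bytes) -> set:
    """Names of every signature present in one blob (case-insensitive)."""
    lowered = data.lower()
    return {name for pattern, name in SIGNATURES.items() if pattern in lowered}


def naive_inspect(packets) -> set:
    """Per-packet matching with no reassembly: exactly what fragmentation targets."""
    hits = set()
    for p in packets:
        hits |= signature_match(p.payload)
    return hits


def fragment(stream: str, payload: bytes, size: int):
    """Attacker side: split a payload into pieces shorter than any signature."""
    return [Packet(stream, off, payload[off:off + size])
            for off in range(0, len(payload), size)]


def reassemble(packets) -> dict:
    """Defender side: rebuild each stream in sequence order before matching,
    so out-of-order delivery does not matter either."""
    streams = {}
    for p in sorted(packets, key=lambda p: (p.stream, p.seq)):
        streams[p.stream] = streams.get(p.stream, b"") + p.payload
    return streams


def decoded_views(data: bytes):
    """The raw bytes plus the decoding of any base64 run long enough to hide a command."""
    views = [data]
    for m in re.finditer(rb"[A-Za-z0-9+/]{16,}={0,2}", data):
        try:
            views.append(base64.b64decode(m.group(0), validate=True))
        except ValueError:
            continue
    return views


def dpi_inspect(packets) -> dict:
    """Reassemble, normalize, then match; alerts keyed by stream."""
    alerts = {}
    for stream, data in reassemble(packets).items():
        hits = set()
        for view in decoded_views(data):
            hits |= signature_match(view)
        if hits:
            alerts[stream] = hits
    return alerts


# Constructed traffic: a SQL injection split into 4-byte fragments, and a
# command hidden inside a base64-encoded form field.
SQLI = fragment("10.0.0.5:51000->10.0.0.9:80",
                b"GET /item?id=1 UNION SELECT user,pass FROM users HTTP/1.1\r\n", 4)
CMD_B64 = base64.b64encode(b"cmd.exe /c whoami")
OBFUSCATED = [Packet("10.0.0.5:51001->10.0.0.9:8080", 0,
                     b"POST /run HTTP/1.1\r\n\r\nexec=" + CMD_B64)]

if __name__ == "__main__":
    for label, packets in (("fragmented SQLi", SQLI), ("base64 command", OBFUSCATED)):
        print(f"{label:16} per-packet: {naive_inspect(packets) or 'nothing'}"
              f"  reassembled+decoded: {dpi_inspect(packets) or 'nothing'}")
```

Run it and the per-packet inspector reports nothing for either stream, while the reassembling and decoding inspector flags both. Real engines also normalize URL encoding, Unicode and overlapping TCP segments; the point here is only that matching has to happen on the reconstructed, decoded stream rather than on individual packets, which is what "deep packet inspection" buys you against these two evasions.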
Detective Attacks and Exploits Mitigation
Intrusion Detection System / Intrusion Prevention System (IDS/IPS) evasion can be mitigated through deep packet inspection (reassembling and decoding traffic before matching it) and through anomaly- or behavior-based detection. IDS and IPS systems often rely on signature-based detection, which means the malicious activity or attack must already be known and maintained in a signature database; anything new, or altered enough, is missed.
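Anomaly (behavior-based) detection as described above, as an added example that is not part of the original page: a per-account baseline is learned from a constructed window of normal authentication log lines, and later lines are scored against it without any signature. The log format, account names, addresses and the failure threshold are assumptions made for the example.

```python
"""Added example: behavior (anomaly) based detection over constructed
authentication log lines. A per-account baseline is learned from a window
of normal activity; later events are scored against it, so a novel attack
with no signature still produces an alert. Format and values are assumptions."""
import re
from collections import defaultdict

# Constructed log format: ISO timestamp, result, account, source address.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T(?P<hour>\d{2}):\d{2}:\d{2}Z) "
    r"(?P<result>ACCEPT|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(line: str) -> dict:
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    event = m.groupdict()
    event["hour"] = int(event["hour"])
    return event


def learn_baseline(lines):
    """Per-account profile of sources and hours seen during normal operation.
    Only successful logins contribute; failures are not 'normal behaviour'."""
    profile = defaultdict(lambda: {"src": set(), "hours": set()})
    for e in map(parse, lines):
        if e["result"] == "ACCEPT":
            profile[e["user"]]["src"].add(e["src"])
            profile[e["user"]]["hours"].add(e["hour"])
    return dict(profile)


def detect(lines, profile, max_failures=3):
    """Score each event against the profile; returns (timestamp, user, reasons)."""
    alerts = []
    consecutive_failures = defaultdict(int)
    for e in map(parse, lines):
        reasons = []
        known = profile.get(e["user"])
        if known is None:
            reasons.append("unknown-account")
        else:
            if e["src"] not in known["src"]:
                reasons.append("new-source")
            if e["hour"] not in known["hours"]:
                reasons.append("off-hours")
        if e["result"] == "FAIL":
            consecutive_failures[e["user"]] += 1
            if consecutive_failures[e["user"]] >= max_failures:
                reasons.append("failure-burst")
        else:
            consecutive_failures[e["user"]] = 0
        if reasons:
            alerts.append((e["ts"], e["user"], reasons))
    return alerts


# Constructed training window (a normal week) and a later window to inspect.
BASELINE_LOG = [
    "2026-03-02T08:05:11Z ACCEPT user=alice src=10.0.1.20",
    "2026-03-02T09:12:40Z ACCEPT user=alice src=10.0.1.20",
    "2026-03-03T08:01:03Z ACCEPT user=alice src=10.0.1.21",
    "2026-03-03T17:45:19Z ACCEPT user=bob src=10.0.2.7",
    "2026-03-04T16:58:52Z ACCEPT user=bob src=10.0.2.7",
    "2026-03-05T08:10:00Z ACCEPT user=alice src=10.0.1.20",
]
NEW_LOG = [
    "2026-03-09T03:14:02Z FAIL user=bob src=203.0.113.9",
    "2026-03-09T03:14:05Z FAIL user=bob src=203.0.113.9",
    "2026-03-09T03:14:09Z FAIL user=bob src=203.0.113.9",
    "2026-03-09T03:15:40Z ACCEPT user=bob src=203.0.113.9",
    "2026-03-09T03:16:01Z ACCEPT user=svc_backup src=203.0.113.9",
    "2026-03-09T08:03:30Z ACCEPT user=alice src=10.0.1.20",
]

PROFILE = learn_baseline(BASELINE_LOG)
ALERTS = detect(NEW_LOG, PROFILE)

if __name__ == "__main__":
    for ts, user, reasons in ALERTS:
        print(ts, user, ", ".join(reasons))
```

Nothing in the new window matches a known attack pattern, yet every line except the routine alice login is flagged: a guessing burst from an address bob has never used, at an hour he has never logged in, followed by a success and then a login from an account the baseline has never seen. The price of this approach is false positives (a legitimate late-night login from a hotel looks the same), which is why the baseline window and thresholds need tuning per environment and why anomaly detection is normally layered on top of signatures rather than replacing them.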
Immutable (append-only) logs can only be added to, never overwritten or deleted, so an attacker who gains access cannot erase the record of what they did. This can be crucial when investigating a security event.
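An append-only, hash-chained log as an added example that is not from the original page: it exposes no update or delete operation, every record commits to the hash of the record before it, and a head hash copied to a second system catches an attacker who deletes, edits, truncates or rewrites entries. The event strings are constructed.

```python
"""Added example: an append-only, hash-chained audit log. Each record commits
to the hash of the record before it, so deleting or editing an entry breaks
the chain on verification, and a head hash copied to another system catches
an attacker who rewrites the whole chain. Event strings are constructed."""
import hashlib
import json

GENESIS = "0" * 64  # the hash "before" the first record


def entry_hash(prev_hash: str, seq: int, event: str) -> str:
    """Hash of one record; the previous hash is part of the input (the chain)."""
    material = json.dumps({"prev": prev_hash, "seq": seq, "event": event}, sort_keys=True)
    return hashlib.sha256(material.encode()).hexdigest()


class AppendOnlyLog:
    """Exposes append and read only: there is deliberately no update or delete."""

    def __init__(self):
        self._records = []  # (seq, event, hash)

    def append(self, event: str) -> str:
        prev = self._records[-1][2] if self._records else GENESIS
        seq = len(self._records)
        digest = entry_hash(prev, seq, event)
        self._records.append((seq, event, digest))
        return digest

    def records(self):
        return list(self._records)

    def head(self) -> str:
        return self._records[-1][2] if self._records else GENESIS


def verify(records, anchored_head=None):
    """Recompute the chain from the first record; optionally compare the final
    hash with a head that was stored somewhere the attacker cannot reach."""
    prev = GENESIS
    for position, (seq, event, digest) in enumerate(records):
        if seq != position:
            return False, f"gap: expected seq {position}, found {seq} (record deleted?)"
        if entry_hash(prev, seq, event) != digest:
            return False, f"record {seq} altered or chain broken"
        prev = digest
    if anchored_head is not None and prev != anchored_head:
        return False, "head differs from the anchored head (rewritten or truncated)"
    return True, "chain intact"


def rechain(records):
    """What an attacker with write access to the log file does after tampering:
    rebuild every hash so the chain verifies again on its own."""
    rebuilt = AppendOnlyLog()
    for _, event, _ in records:
        rebuilt.append(event)
    return rebuilt.records()


# Constructed events; ANCHOR is what gets copied off-host (remote collector, WORM store).
LOG = AppendOnlyLog()
for _event in ["login alice", "sudo alice: apt install nginx",
               "login attacker", "shell: rm -f /var/log/auth.log"]:
    LOG.append(_event)
ANCHOR = LOG.head()
GOOD = LOG.records()

DELETED = GOOD[:2] + GOOD[3:]                                    # record 2 removed
EDITED = GOOD[:2] + [(2, "login alice", GOOD[2][2])] + GOOD[3:]  # record 2 rewritten
TRUNCATED = GOOD[:3]                                             # last record dropped
RECHAINED = rechain(DELETED)                                     # deletion hidden by rebuild

if __name__ == "__main__":
    for name, recs in [("good", GOOD), ("deleted", DELETED), ("edited", EDITED),
                       ("truncated", TRUNCATED), ("rechained", RECHAINED)]:
        print(f"{name:9} local: {verify(recs)[1]:<45} with anchor: {verify(recs, ANCHOR)[1]}")
```

The last two rows are the ones to study: a truncated or fully rechained log verifies cleanly on its own, so a hash chain only makes tampering detectable when the head (or the records themselves) is held where the attacker cannot also overwrite it. That is the practical meaning of "immutable logs": ship records to a collector or write-once store as they are written, rather than keeping the only copy on the host that was just compromised.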
Technical Controls – Corrective
This portion requires the most effort: the preceding control types are largely automated, while corrective action relies heavily on incident response plans, playbooks, and other guidelines that instruct analysts to perform specific tasks.
- Restoration back to normal operations is the primary goal, whether from backups or from other recovery options.
- Updates and patching that close the vulnerabilities and weaknesses exploited in an attack are also considered corrective.
- Isolation of malware or infected files (and of the affected hosts) also occurs during this phase.
- Closing the ports that allowed unauthorized access.
Corrective Methods – Attacks and Exploits
Attacks on corrective controls target the ability to recover: deletion, corruption, or encryption of backups and of the files needed for restoration.
- Conti ransomware not only encrypts files but also stops more than 100 Windows services related to security, backups, databases, and email, and deletes Windows Volume Shadow Copies to inhibit recovery.
- The majority of ransomware today tries to prevent restoration efforts in some way.
Kaspersky. (2016, December 6). What is ransomware, how it works and what you can do to stay protected [Video]. YouTube. https://youtu.be/Vkjekr6jacg
Supply-chain attacks can hijack the update channel itself: a patch meant to add features, fix bugs, update digital signatures, and/or make an application more secure instead delivers the attacker's code with the vendor's trust behind it.
Corrective Attacks and Exploits Mitigation
Create immutable backups, for example offline or air-gapped copies.
- WORM storage ("Write Once, Read Many") means that once the backup is written, it cannot be edited, deleted, or overwritten.
- Regularly test backups and restoration procedures; a backup that has never been restored is unproven.
- Have multiple backup and restoration solutions in place.
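The write-once property and the restoration test above, as an added example that is not from the original page or from any backup product: a WORM store sits beside an ordinary writable store, a simulated ransomware pass tries to overwrite and then delete everything it can reach, and a restore drill checks each backup against a digest recorded separately. All storage is in memory and the data is constructed.

```python
"""Added example: a write-once-read-many (WORM) backup store beside an ordinary
writable one, a simulated ransomware pass that overwrites and deletes whatever
it can reach, and the restore drill the text recommends. All storage is
in-memory and the data is constructed; this is not a real backup product."""
import hashlib


class WritableStore:
    """Ordinary storage: anything that can write can also overwrite and delete."""

    def __init__(self):
        self._objects = {}

    def put(self, name: str, data: bytes) -> None:
        self._objects[name] = data

    def delete(self, name: str) -> None:
        del self._objects[name]

    def get(self, name: str) -> bytes:
        return self._objects[name]

    def names(self):
        return list(self._objects)


class WORMStore(WritableStore):
    """Same interface, but each name is written exactly once and never removed."""

    def put(self, name: str, data: bytes) -> None:
        if name in self._objects:
            raise PermissionError(f"{name}: already written; WORM objects are immutable")
        super().put(name, data)

    def delete(self, name: str) -> None:
        raise PermissionError(f"{name}: deletion is not permitted on WORM storage")


def backup(store: WritableStore, name: str, data: bytes) -> str:
    """Write the backup and return its digest, to be recorded apart from the store."""
    store.put(name, data)
    return hashlib.sha256(data).hexdigest()


def simulate_ransomware(store: WritableStore) -> int:
    """Constructed attacker behaviour: encrypt (overwrite) then delete everything.
    Returns how many destructive operations the store allowed."""
    allowed = 0
    for name in store.names():
        for op in ("overwrite", "delete"):
            try:
                if op == "overwrite":
                    store.put(name, b"ENCRYPTED:" + name.encode())
                else:
                    store.delete(name)
                allowed += 1
            except PermissionError:
                continue
    return allowed


def restore_drill(store: WritableStore, name: str, expected_digest: str) -> bool:
    """A backup counts only if it can be read back and matches its recorded digest."""
    try:
        data = store.get(name)
    except KeyError:
        return False
    return hashlib.sha256(data).hexdigest() == expected_digest


DB_DUMP = b"-- constructed dump --\nINSERT INTO users VALUES (1, 'alice');\n"


def run_drill():
    """Back up to both stores, let the ransomware run, then test restoration."""
    outcome = {}
    for label, store in (("writable", WritableStore()), ("worm", WORMStore())):
        digest = backup(store, "db-2026-04-01.sql", DB_DUMP)
        damage = simulate_ransomware(store)
        outcome[label] = (damage, restore_drill(store, "db-2026-04-01.sql", digest))
    return outcome


if __name__ == "__main__":
    for label, (damage, restorable) in run_drill().items():
        print(f"{label:8} destructive operations allowed={damage} restorable={restorable}")
```

The writable copy is overwritten and then deleted with no error, and the drill fails; the WORM copy rejects both operations and restores with its digest intact. Two details carry over to real systems: the digest is recorded outside the store (an attacker who can rewrite the backup could otherwise rewrite the checksum too), and the drill is run routinely rather than during the incident, which is the only time you find out a backup was silently broken.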
Geekus Maximus. (2024, January 15). WORM - Write once read many [Video]. YouTube. https://youtu.be/p2u6yjTtTcQ
Verify the integrity and origin of software updates and test them on a subset of systems before distributing them across the entire environment.
- Have rollback procedures in place in case a software patch or update is faulty or was the vehicle for a supply-chain attack.
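The verify, stage, and roll back procedure above, as an added example that is not code from the original page or from any deployment tool: the update is checked against a digest published separately from the download, installed on a canary host first, and rolled back automatically when the canary fails its health check. Package bytes, digests, host names and the health check are all constructed.

```python
"""Added example: verify an update against a digest published out-of-band,
roll it out to a canary host first, and roll back automatically when the
canary fails its health check. Package bytes, digests, host names and the
health check are all constructed; nothing is downloaded or installed."""
import hashlib
import hmac


class Host:
    """A managed system that remembers its previous build so it can roll back."""

    def __init__(self, name: str, version: str, package: bytes):
        self.name, self.version, self.package = name, version, package
        self.previous = None  # (version, package) of the build before the last install

    def install(self, version: str, package: bytes) -> None:
        self.previous = (self.version, self.package)
        self.version, self.package = version, package

    def rollback(self) -> None:
        if self.previous is None:
            raise RuntimeError(f"{self.name}: nothing to roll back to")
        self.version, self.package = self.previous
        self.previous = None


def verify_package(package: bytes, published_digest: str) -> bool:
    """Reject any package whose SHA-256 differs from the digest obtained through
    a channel separate from the download itself (vendor page, signed manifest)."""
    actual = hashlib.sha256(package).hexdigest()
    return hmac.compare_digest(actual, published_digest)


def health_check(host: Host) -> bool:
    """Stand-in for a real post-install check (service up, endpoint answering).
    Constructed rule: a build carrying this marker 'crashes on start'."""
    return b"CRASH_ON_START" not in host.package


def staged_rollout(hosts, version, package, published_digest, canary_count=1):
    """Verify, update the canaries, check their health, then finish or roll back.
    Returns a status string; inspect the hosts to see what actually changed."""
    if not verify_package(package, published_digest):
        return "rejected: digest mismatch, possible tampered update"
    canaries, remainder = hosts[:canary_count], hosts[canary_count:]
    for host in canaries:
        host.install(version, package)
    if not all(health_check(h) for h in canaries):
        for host in canaries:
            host.rollback()
        return "rolled back: canary health check failed"
    for host in remainder:
        host.install(version, package)
    return "deployed"


# Constructed fleet and packages.
def make_fleet():
    return [Host(f"web{i}", "1.0", b"app-v1.0 build OK") for i in range(3)]


GOOD_V2 = b"app-v2.0 build OK"
TAMPERED_V2 = b"app-v2.0 build OK\n# injected by attacker"   # altered in transit
FAULTY_V21 = b"app-v2.1 CRASH_ON_START"                      # authentic but broken
DIGEST_V2 = hashlib.sha256(GOOD_V2).hexdigest()      # "published" by the vendor
DIGEST_V21 = hashlib.sha256(FAULTY_V21).hexdigest()  # also genuinely published


def run_scenarios():
    """Good update, tampered update, and faulty-but-authentic update."""
    results = {}
    for label, version, package, digest in (("good", "2.0", GOOD_V2, DIGEST_V2),
                                            ("tampered", "2.0", TAMPERED_V2, DIGEST_V2),
                                            ("faulty", "2.1", FAULTY_V21, DIGEST_V21)):
        fleet = make_fleet()
        status = staged_rollout(fleet, version, package, digest)
        results[label] = (status, [h.version for h in fleet])
    return results


if __name__ == "__main__":
    for label, (status, versions) in run_scenarios().items():
        print(f"{label:9} {status:55} fleet now at {versions}")
```

The digest check stops the package that was altered on its way to you, and the canary plus rollback stops the one that is genuinely from the vendor but broken. Note which case neither catches: a build that is malicious at the source, as in the SolarWinds compromise, carries a correct vendor digest and signature and may pass a simple health check. That is why the staged rollout needs to be paired with behavior monitoring of the updated hosts and a rollback path that is kept ready rather than improvised.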
Detective and Corrective – Knowledge Check
SimplyExplained. (2025, September 26). Anomaly-based intrusion detection explained (beginner-friendly IDS tutorial) [Video]. YouTube. https://youtu.be/7vgKmbYWHiI
Anomaly (behavior-based) detection is a cybersecurity method that identifies threats by looking for unusual or abnormal activity compared to what is considered normal behavior.
Foster, M. (2026, February 28). CISA corrective controls explained in 2 minutes | CISA in a nutshell [Video]. YouTube. https://youtu.be/A0m3hxtvXY4
A corrective control in cybersecurity is a measure used to fix or recover from a security incident after it has occurred.
IT Encyclopedia. (2024, March 17). What is an intrusion detection system (IDS)? [Video]. YouTube. https://youtu.be/l-yLEb-MweE
An Intrusion Detection System (IDS) is a tool that automatically monitors and analyzes network traffic to detect and alert on security breaches.
- Introduction to Control Categories [00:00] The video transitions from the previous discussion on preventive controls, noting that while they are strong, they can still be bypassed.
- The Nature of Detective Controls [00:18] Detective controls are described as the "weakest" control type because they do not take action to stop an incident; they merely identify that one is occurring.
- Case Study: Physical Security Breach [00:42] The narrator uses an example of an attacker who has already bypassed deterrent and preventive controls. Detective controls, such as cameras and motion sensors, identify the intruder and send alerts.
- The Limitation of Detection [01:24] A critical flaw is highlighted: detective controls are useless if no one is available to respond to the alerts they generate. In the example, the security room is unstaffed, allowing the attacker to reach the server room undetected.
- Key Exam Points [01:38] The most important points for the CISA exam are: they detect incidents as they occur; they raise alerts but do not take corrective action; they are not suitable as a standalone control.
- Conclusion and Resources [01:59] The video concludes by mentioning that technical detective controls will be covered later and refers viewers to a controls cheat sheet for more examples.
SimplyExplained. (2025, September 25). How signature-based IDS works | Intrusion detection simplified [Video]. YouTube. https://youtu.be/RRc3gyHfkiE
Signature-based detection is a cybersecurity method that identifies threats by comparing files, network traffic, or system activity against a database of known attack patterns (signatures).
Module 3 Lesson 4: Technical Controls and Attacks 2
Teaching and Learning
Created on April 9, 2026