It begins with the Open Systems Interconnection (OSI) model and the TCP/IP model.  If you don’t have experience working with these models, you’ll simply have to memorize them.  The table below contains a mnemonic to help you memorize the OSI layers, the TCP/IP layers, and the protocol data unit (PDU) that maps to each.  Start from the bottom and read upward.

| PDU | LAYER | TITLE   | TCP/IP |
|-----|-------|---------|--------|
| d   | 7     | Anymore | A      |
| d   | 6     | Photos  | A      |
| d   | 5     | Snap    | A      |
| s   | 4     | To      | t      |
| p   | 3     | Need    | i      |
| f   | 2     | Don’t   | N      |
| b   | 1     | People  | N      |

Again, start by going from the bottom up to visualize it properly.  Repeat the phrase “people don’t need to snap photos anymore” (now they take “pics”) or whatever you want to put in there.  

The PDU, or protocol data unit, refers to:

  • Bits
  • Frames
  • Packets
  • Segments
  • Data

But again, read these from the table going upwards.  You can memorize these by saying or writing the phrase “big feet point straight downwards”.

The TCP/IP model on the right side can be memorized by saying/writing “N2, A3,” with “IT” in the middle, or “NitA,” which could be someone’s name.  

I recommend writing these mnemonics down several times on your memorization sheet.  

The following table shows each layer, quick examples, attacks, and mitigations.  While this is not exhaustive, be sure to familiarize yourself with what each layer is and how to protect it by knowing the vulnerabilities.


| LAYER | EXAMPLES | ATTACKS | MITIGATIONS |
|-------|----------|---------|-------------|
| 7 Application | GUI interface | Software vulnerabilities | Sandboxing, malware and vulnerability scans, review and test application code, patch management/updates |
| 6 Presentation | Presents data to the application | Unicode vulnerabilities, code injection | Separation of user input and program control, input validation |
| 5 Session | Connection session | Sniffing, brute force, session hijacking, information leak, spoofing | Password encryption, authentication protocols |
| 4 Transport | Establishing the connection | Infiltration, DoS | RUBAC, monitoring |
| 3 Network | IP address | Spoofing | Firewalls, routing policies, ARP broadcast monitoring |
| 2 Data Link | MAC address | MAC spoofing, VLAN circumvention, ARP poisoning | Filter MAC addresses, don’t solely rely on VLANs for security, ensure wireless applications have encryption and authentication baked in |
| 1 Physical | Dumb devices, cabling, modems | Power interruption, disconnection, damage, theft | Fiber optic, use of star/mesh topology, STP |
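As an added example (not code from the original study guide) of the “ARP broadcast monitoring” mitigation listed against ARP poisoning at layers 2 and 3, the following Python monitor parses ARP replies out of Ethernet frames, learns which MAC address each IP claims, and raises an alert when an IP that was bound to one MAC is suddenly claimed by another. Static bindings, such as a pinned gateway entry, can be seeded so a conflict with them is caught on the first frame. All MAC addresses, IP addresses and frames below are constructed sample data, not a real capture.

```python
# Added example, not from the original study guide: a small ARP monitor that
# detects the observable symptom of ARP poisoning, one IP address mapping to
# two different MAC addresses over time. Frame layout follows Ethernet II
# framing and RFC 826; the sample addresses and frames are constructed.
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa


def build_arp_reply(sender_mac: bytes, sender_ip: str,
                    target_mac: bytes, target_ip: str) -> bytes:
    """Construct an Ethernet frame carrying an ARP reply (used here only to
    create sample input for the monitor)."""
    spa = bytes(int(o) for o in sender_ip.split("."))
    tpa = bytes(int(o) for o in target_ip.split("."))
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REPLY,
                      sender_mac, spa, target_mac, tpa)
    return target_mac + sender_mac + struct.pack("!H", ETHERTYPE_ARP) + arp


def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) or None if the frame is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    _, _, _, _, oper, sha, spa, _, _ = struct.unpack(ARP_FMT, frame[14:42])
    return oper, sha, ".".join(str(b) for b in spa)


def mac_str(mac: bytes) -> str:
    return ":".join("%02x" % b for b in mac)


class ArpMonitor:
    """Track IP -> MAC bindings seen in ARP replies and report conflicts.

    static: optional {ip: mac} entries that are trusted up front (the
    equivalent of static ARP entries on a host)."""

    def __init__(self, static=None):
        self.bindings = dict(static or {})   # ip -> first MAC learned or pinned
        self.alerts = []

    def observe(self, frame: bytes) -> None:
        parsed = parse_arp(frame)
        if parsed is None:
            return
        oper, sha, spa = parsed
        if oper != ARP_REPLY:                # requests carry no binding claim here
            return
        known = self.bindings.get(spa)
        if known is None:
            self.bindings[spa] = sha
        elif known != sha:
            self.alerts.append({"ip": spa, "expected": mac_str(known),
                                "seen": mac_str(sha)})


def run_sample() -> list:
    """Feed three constructed replies: two legitimate, one from a rogue MAC."""
    gateway_mac = bytes.fromhex("020000000001")   # constructed
    host_mac = bytes.fromhex("020000000002")      # constructed
    rogue_mac = bytes.fromhex("02000000beef")     # constructed
    frames = [
        build_arp_reply(gateway_mac, "192.0.2.1", host_mac, "192.0.2.10"),
        build_arp_reply(gateway_mac, "192.0.2.1", host_mac, "192.0.2.10"),
        build_arp_reply(rogue_mac, "192.0.2.1", host_mac, "192.0.2.10"),
    ]
    monitor = ArpMonitor()
    for frame in frames:
        monitor.observe(frame)
    return monitor.alerts


if __name__ == "__main__":
    for alert in run_sample():
        print("ARP conflict:", alert)
```

The monitor only trusts the first binding it sees, so on a network where the attacker is already answering before the monitor starts, seeding `static` with the known gateway binding is what makes the conflict visible.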

Internetworking refers to how two separate sets of servers and communication components use network protocol stacks to interact and coordinate their activities. When comparing the top three layers (which include the boxes and payload data) with the lower layers, a few key differences emerge:

  1. The uppermost layers do not encapsulate data. Unlike lower layers, they do not receive data from a higher-level function, package it with address and control information, and then pass it down the stack.
  2. In the encapsulated layers, the data portion of each layer takes on a new name as it moves through the stack.
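To make the encapsulation described in this list and the PDU/TCP-IP mapping from the mnemonic table concrete, here is an added Python example (not code from the original study guide) that carries one application payload down the stack. At each step it prepends the real header for that layer (TCP, then IPv4 with a computed header checksum, then Ethernet II) and records the PDU name and TCP/IP layer the data now belongs to; a second function reverses the trip and verifies the IPv4 checksum so that a tampered header is detected. The addresses, ports and payload are constructed sample values.

```python
# Added example, not code from the original study guide: walk one
# application payload down the TCP/IP stack so that each encapsulation
# step, and the PDU name the data takes on at that step, is visible.
# Header layouts follow RFC 791 (IPv4), RFC 793 (TCP) and Ethernet II
# framing; all addresses and ports below are constructed sample values.
import struct

# PDU name per OSI layer (the "big feet point straight downwards" column).
PDU_NAME = {1: "bits", 2: "frame", 3: "packet", 4: "segment",
            5: "data", 6: "data", 7: "data"}
# OSI layer -> TCP/IP model layer (the N, N, I, T, A, A, A column).
TCPIP_LAYER = {1: "Network Access", 2: "Network Access", 3: "Internet",
               4: "Transport", 5: "Application", 6: "Application",
               7: "Application"}


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the 16-bit words of an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_segment(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Layer 4: prepend a minimal 20-byte TCP header (PSH|ACK, checksum left 0)."""
    seq, ack, window = 1, 0, 65535
    offset_flags = (5 << 12) | 0x18          # 5 x 32-bit words, PSH and ACK set
    header = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                         offset_flags, window, 0, 0)
    return header + payload


def ipv4_packet(src_ip: str, dst_ip: str, segment: bytes) -> bytes:
    """Layer 3: prepend a 20-byte IPv4 header carrying a correct header checksum."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234,
                         0x4000, 64, 6, 0, src, dst)   # protocol 6 = TCP, DF set
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + segment


def ethernet_frame(src_mac: bytes, dst_mac: bytes, packet: bytes) -> bytes:
    """Layer 2: prepend the 14-byte Ethernet II header (EtherType 0x0800 = IPv4)."""
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + packet


def encapsulate(payload: bytes):
    """Return (trace, frame). trace lists (osi_layer, pdu_name, tcpip_layer, size)
    top-down; size is in bytes except at layer 1, where it is in bits."""
    trace = [(7, PDU_NAME[7], TCPIP_LAYER[7], len(payload))]
    seg = tcp_segment(40000, 443, payload)
    trace.append((4, PDU_NAME[4], TCPIP_LAYER[4], len(seg)))
    pkt = ipv4_packet("192.0.2.10", "198.51.100.20", seg)
    trace.append((3, PDU_NAME[3], TCPIP_LAYER[3], len(pkt)))
    frame = ethernet_frame(bytes.fromhex("020000000001"),
                           bytes.fromhex("020000000002"), pkt)
    trace.append((2, PDU_NAME[2], TCPIP_LAYER[2], len(frame)))
    trace.append((1, PDU_NAME[1], TCPIP_LAYER[1], len(frame) * 8))
    return trace, frame


def decapsulate(frame: bytes) -> dict:
    """Reverse direction: strip each header (layer 2 -> 4) and recover the data.
    A valid IPv4 header, checksum field included, sums to zero under the
    one's-complement check, so checksum_ok is False if the header was altered."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    checksum_ok = ipv4_checksum(packet[:ihl]) == 0
    segment = packet[ihl:]
    src_port, dst_port = struct.unpack("!HH", segment[:4])
    data_offset = (segment[12] >> 4) * 4
    return {"ethertype": ethertype, "protocol": packet[9], "checksum_ok": checksum_ok,
            "src_port": src_port, "dst_port": dst_port, "data": segment[data_offset:]}


if __name__ == "__main__":
    trace, frame = encapsulate(b"GET / HTTP/1.1\r\n")
    for layer, pdu, tcpip, size in trace:
        print(f"L{layer} {tcpip:<15} {pdu:<8} {size}")
    print(decapsulate(frame))
```

Read the printed trace from the bottom up and it reproduces the mnemonic table: the same 16 bytes of application data become a segment, a packet, a frame and finally bits, and the three upper OSI layers collapse into the single TCP/IP application layer because nothing is prepended there.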

Threat Modeling and Internetworking

Before exploring threat modeling in the context of internetworking, it’s important to distinguish between two broad categories of potential issues that can affect networks:

  • Hazards refer to events that are not intentionally caused by any actor or agent but still have the potential to damage or disrupt an organization’s information or information systems. Examples include corrosion, wear and tear, weather-related damage, utility power failures, fires, smoke, and accidents. Additionally, mechanical failures or errors that occur during installation or maintenance also fall under hazards rather than threats.
  • Threats, on the other hand, involve deliberate actions taken by an actor or agent with the specific intent of causing harm or disruption to an organization’s information or systems. Threats encompass both malicious and inappropriate actions that result in damage or interference.

The key difference between these two categories is intent. Threats are carried out through deliberate attacks, whereas hazards occur naturally or accidentally. For instance, an earthquake or a storm does not “attack” a system, but their effects must be anticipated and mitigated through system safety and support planning. Threats, however, require security measures and defense strategies. While hazard prevention and threat mitigation may overlap in some areas, they serve distinct functions with different objectives.

Advanced Persistent Threat Models

For more than a decade, the field of information security has grappled with the challenge of advanced persistent threats (APTs). These threats exhibit an exceptional degree of technical and operational sophistication (advanced) and can span months or even years from initial reconnaissance to execution (persistent). APT attacks are often carried out by groups of attackers, sometimes structured in ways that compartmentalize activity, expertise, and awareness of the broader campaign.

The term APT refers not only to the attacks themselves but also to the threat actors behind them and the risks they pose. For instance, an APT attack targeting the U.S. nuclear fuel industry impacted multiple nuclear power operators and companies within their supply chains. The SolarWinds attack is another example that bore all the hallmarks of an APT operation.

In 2014, a U.S. Senate committee report introduced a cybersecurity model based on classical military doctrine. This was one of the first high-profile instances of applying the kill chain—a framework traditionally used in military strategy—to cybersecurity.

This approach encourages security teams to recognize that seemingly minor or isolated security incidents may, in fact, be linked to a broader APT campaign. A new phishing attempt or an unfamiliar malware strain might not be random events but rather components of a larger coordinated effort. The Target breach of 2013 and similar incidents have demonstrated how compromised businesses, organizations, and individuals can unintentionally aid an APT’s overarching objectives.

While APTs represent one of the most severe cyber risks organizations face today, they are not the only concern. Insider threats, for example, can also pose significant dangers. Defending against APTs requires a comprehensive, full-spectrum security strategy, ensuring protection across all phases of the kill chain. Cybersecurity professionals must counter these threats step by step, one action at a time, to disrupt an APT’s long-term objectives.