FlashGenius Logo FlashGenius
GIAC GDSA Certification · Domain 1 of 6

GIAC GDSA — Security Architecture Foundations

Zero Trust Model, Intrusion Kill Chain, Diamond Model, SDN, micro-segmentation, threat vector & attack surface analysis — the conceptual bedrock every GDSA candidate must master.

75 QsExam Length
63%Passing Score
2 HoursTime Limit
SEC530Aligned Course

What This Domain Covers

This foundational domain establishes the mental models and frameworks that underpin all other GDSA domains. Exam questions here test your ability to apply these frameworks to real-world scenarios — not just recite definitions.

⚔️

Kill Chain & Diamond Model

Attacker-centric frameworks for understanding, modeling, and disrupting intrusions

🔒

Zero Trust Model

Never trust, always verify — the philosophy that drives modern architecture decisions

🕸️

SDN & Micro-Segmentation

Software-defined networking and workload-level isolation to limit lateral movement

🔍

Threat Vector Analysis

Systematically identifying and prioritizing attack paths into an environment

📉

Attack Surface Reduction

Minimizing the number of exposed, exploitable entry points across the environment

🎯 Core GDSA Exam Philosophy

The GDSA exam tests defensive versatility — the ability to apply multiple overlapping controls across prevention, detection, and response. For this domain, expect scenario questions asking: "Given this attack at phase X of the Kill Chain, which control most efficiently disrupts it?" Know where in the attack lifecycle each control applies.

The Perimeter Problem — Why Old Models Fail

Traditional security relied on a hard perimeter: trust everything inside, block everything outside. This model has three fatal flaws that GDSA architecture directly addresses:

  • Flat internal networks: Once inside the perimeter, attackers move laterally with minimal friction. There are no checkpoints between systems.
  • Presumption of trust: Internal users, devices, and traffic are trusted by default — but insiders, compromised endpoints, and pivoting adversaries exploit this completely.
  • Single-layer prevention: A single firewall bypass gives an attacker full access. Defense in depth with multiple independent controls is required.
  • Static defenses: Signatures and rules that don't adapt give attackers time to enumerate and evade. Proactive, behavior-based detection is needed.

Key Concepts Deep Dive

Click each concept to expand comprehensive study notes.

⚔️
Intrusion Kill Chain (Lockheed Martin)
7-phase attacker model for disruption analysis
Very High Frequency

The Kill Chain maps an adversary's required steps to achieve their objective. Defenders who disrupt any phase prevent all subsequent phases — disruption at Delivery or earlier is highest value.

1. ReconOSINT, scanning
2. WeaponizeExploit + payload
3. DeliverEmail, web, USB
4. ExploitCode execution
5. InstallPersistence
6. C2Callbacks
7. ActionsExfil/destroy
  • Reconnaissance: Passive (OSINT, public records) and active (port scanning, enumeration). Defenders: reduce public exposure, monitor for scanning activity
  • Weaponization: Attacker pairs an exploit with a backdoor payload. Defenders have limited visibility here — focus shifts to delivery prevention
  • Delivery: Most common vectors — phishing email, drive-by web, malicious USB. Defenders: email filtering, web proxy, user awareness training
  • Exploitation: Code execution on the target. Defenders: patch management, exploit mitigation (ASLR, DEP), application whitelisting
  • Installation: Attacker installs a backdoor for persistence (registry keys, scheduled tasks, startup entries). Defenders: endpoint detection, file integrity monitoring
  • C2 (Command & Control): Beacon to attacker-controlled infrastructure. Defenders: DNS monitoring, network proxy, traffic analysis
  • Actions on Objectives: Data exfiltration, destruction, lateral movement. Defenders: DLP, network segmentation, data classification
💡 GDSA exam framing: "Which control disrupts the Kill Chain at the earliest phase?" Disruption at Delivery (web proxy, email filtering) prevents exploitation entirely. Controls at C2 (DNS monitoring) are still valuable but allow earlier phases to succeed.
💎
Diamond Model of Intrusion Analysis
Adversary · Capability · Infrastructure · Victim
High Frequency
  • Adversary: The threat actor — their identity, motivation (financial, espionage, hacktivism), and sophistication level
  • Capability: The tools, techniques, and procedures (TTPs) used — exploits, malware, living-off-the-land techniques
  • Infrastructure: The technical resources the adversary uses — C2 servers, domains, IPs, hosting providers
  • Victim: The target — organization, person, or system. Includes infrastructure (systems) and persona (people)
  • Pivoting: Analysts can pivot between dimensions — knowing a C2 IP → find other victims using same infrastructure → identify adversary campaigns
  • Activity threads: Series of intrusion events linked by shared diamond elements — how APT campaigns are tracked
  • Meta-features: Timestamps, phase (Kill Chain), result (success/failure), direction, methodology
💡 Diamond Model complements the Kill Chain: Kill Chain = "what phase is the attacker in?" Diamond Model = "who is attacking, with what, and how do I connect it to other attacks?"
🔒
Zero Trust Model
Never trust, always verify — the modern security architecture foundation
Very High Frequency
  • Core principle: No implicit trust based on network location. Every access request must be authenticated, authorized, and continuously validated regardless of source (internal or external)
  • Three pillars: (1) Verify explicitly — use all available data: identity, location, device health, service/workload, data classification. (2) Least-privilege access — limit user and system access to minimum required. (3) Assume breach — minimize blast radius, segment access, encrypt end-to-end, use analytics for detection
  • Presumption of compromise: Act as if the attacker is already inside. Design controls to limit what they can do post-breach, not just prevent initial entry
  • Identity as the new perimeter: In Zero Trust, strong identity verification replaces network location as the primary access control mechanism
  • NIST SP 800-207: The authoritative Zero Trust Architecture reference — defines the ZTA logical components: Policy Engine, Policy Administrator, Policy Enforcement Points
  • Responding to pivoting adversaries: Zero Trust limits lateral movement — even compromised credentials grant minimal access to isolated segments
  • Insider threats: Zero Trust explicitly addresses insider threats by not granting excess trust based on employment or network location
💡 Zero Trust is not a single product — it's an architecture philosophy. On the exam, recognize that Zero Trust requires identity verification, device health checks, and least-privilege access — not just "putting in a firewall."
🕸️
Software-Defined Networking (SDN) & Micro-Segmentation
Programmatic network control and workload isolation
High Frequency
  • SDN architecture: Separates the control plane (routing decisions) from the data plane (packet forwarding). A centralized SDN controller manages the entire network programmatically
  • Security benefits of SDN: Dynamic policy enforcement, rapid response to threats (quarantine a compromised host in seconds), consistent policy across heterogeneous hardware
  • Traditional segmentation limits: VLANs create broadcast domains but don't prevent lateral movement within a VLAN. An attacker in the Finance VLAN can attack all Finance hosts
  • Micro-segmentation: Granular policy enforcement at the individual workload or VM level. Each workload has its own security policy — east-west traffic (server-to-server) is inspected and controlled, not just north-south (client-to-server)
  • Implementation: Via hypervisor-level firewalls (VMware NSX), cloud security groups, or SDN overlays. Policy follows the workload, not the physical network
  • Zero Trust enabler: Micro-segmentation makes Zero Trust network principles implementable by creating enforced boundaries between workloads regardless of physical topology
  • Blast radius limitation: If an attacker compromises one workload, micro-segmentation prevents them from pivoting to adjacent workloads — they hit a policy wall at every move
💡 Key distinction: VLANs segment broadcast domains (Layer 2). Micro-segmentation segments individual workloads regardless of network topology, and applies east-west traffic controls. For the exam, micro-segmentation = lateral movement prevention.
🔍
Threat Vector Analysis & Attack Surface Analysis
Systematically identifying and reducing exploitable entry points
High Frequency
  • Threat vector: The path or means by which an attacker gains access — phishing, vulnerable web app, exposed RDP, supply chain, physical access
  • Threat vector analysis process: (1) Enumerate all ingress paths into the environment. (2) Assess likelihood and impact for each vector. (3) Identify controls that address multiple vectors simultaneously. (4) Prioritize controls by coverage and cost
  • Attack surface: The total collection of entry points that could be exploited — software interfaces, network services, user entry points, physical access, third-party integrations
  • Attack surface reduction: Eliminate unnecessary services, close unused ports, disable default credentials, remove unneeded software, restrict admin interfaces to management VLANs
  • Surface reduction techniques: Host hardening (CIS Benchmarks), application whitelisting, disabling unnecessary protocols (e.g., Telnet, SNMP v1/v2), removing legacy systems
  • Dynamic attack surfaces: Cloud environments, IoT, BYOD, and remote work expand the attack surface — Zero Trust addresses this by verifying every access regardless of device/location
  • Continuous monitoring: Attack surfaces change as systems are added/modified — use asset inventory and vulnerability scanning to track changes
💡 Attack surface analysis answers "what can they attack?" Threat vector analysis answers "how will they attack it?" Together they drive prioritized security investment.
🏗️
Defense in Depth Architecture
Layered controls that fail independently and reinforce each other
High Frequency
  • Core principle: No single control is sufficient. Multiple independent layers ensure that failure of one does not lead to complete compromise
  • Prevention, Detection, Response triad: Prevention controls block attacks; detection controls identify successful or in-progress attacks; response controls contain and remediate. A mature architecture has all three
  • Control types: Administrative (policies, training), Technical (firewalls, IDS, encryption), Physical (badge access, cameras). Defense in depth uses all three
  • Choke points: Architectural chokepoints (DMZ, proxy servers, API gateways) force all traffic through inspectable, controllable paths — don't allow traffic to bypass inspection
  • Network-centric vs data-centric controls: GDSA architecture combines both — network controls defend the perimeter and segment the environment; data-centric controls protect data regardless of where it travels
  • Maintainability: Defense in depth must be maintainable — overly complex architectures degrade over time. GDSA emphasizes sustainable, auditable architectures
💡 GDSA's core value proposition: "a combination of network-centric AND data-centric controls." Exam questions often test whether you can identify which layer (network, data, identity, endpoint) a control operates in.

Domain 1 Study Checklist

Check off each item as you master it. This domain is concept-heavy — focus on applying frameworks to scenarios, not memorizing definitions.

Progress: 0 / 16 complete
Concept

Memorize all 7 Kill Chain phases and example attacker TTPs for each

Be able to identify which phase an attack scenario is in and which controls disrupt it

Exam Prep

Practice "which phase does this control disrupt?" for 20+ controls

Email filtering = Delivery; patching = Exploitation; EDR = Installation/C2; DLP = Actions on Objectives

Concept

Know the 4 Diamond Model elements and how analysts pivot between them

Adversary, Capability, Infrastructure, Victim — each can be a pivot point to discover related attacks

Concept

Understand Zero Trust's 3 core principles: verify explicitly, least privilege, assume breach

NIST SP 800-207 is the authoritative reference; know the Policy Engine/Administrator/Enforcement Point components

Exam Prep

Distinguish presumption of compromise from traditional perimeter security

Traditional = prevent breach. ZT/GDSA = assume breach, limit blast radius, detect and respond rapidly

Concept

Understand SDN: control plane vs data plane separation

SDN controller makes routing decisions centrally; forwarding hardware executes those decisions

Exam Prep

Explain micro-segmentation vs VLANs — why micro-seg is better for lateral movement prevention

VLANs = Layer 2 broadcast domain isolation. Micro-seg = workload-level policy enforcement including east-west traffic

Concept

Define threat vector vs attack surface — know examples of each

Vector = the path (phishing, web). Surface = the totality of exploitable entry points

Practice

Perform a threat vector analysis on a sample 3-tier web application

List all ingress paths, prioritize by likelihood × impact, map to Kill Chain phases

Concept

Understand attack surface reduction techniques

CIS Benchmarks, disable unnecessary protocols, application whitelisting, remove legacy systems

Concept

Know the three control types: administrative, technical, physical

Defense in depth uses all three — exam tests whether you can identify which type a given control belongs to

Exam Prep

Understand prevention, detection, and response as three required architecture layers

A GDSA architecture must have all three — not just prevention. Know which controls go in each layer

Concept

Understand network-centric vs data-centric controls — the GDSA dual approach

Network-centric = firewalls, IDS, segmentation. Data-centric = DLP, WAF, encryption. GDSA combines both

Practice

Map 10 common security controls to Kill Chain phases AND control types

Example: NGFW = Technical control, disrupts Delivery and C2 phases

Exam Prep

Understand insider threat scenarios and how Zero Trust addresses them

ZT removes implicit trust from internal users — least-privilege and behavior monitoring apply to insiders too

Practice

Read NIST SP 800-207 Zero Trust Architecture overview section

Focus on the three ZTA deployment models and the logical components (PE, PA, PEP)

Quick Reference

Framework comparisons and key model details for rapid review.

Kill Chain vs MITRE ATT&CK

Kill ChainATT&CK Equivalent
ReconnaissanceReconnaissance TA0043
WeaponizationResource Development TA0042
DeliveryInitial Access TA0001
ExploitationExecution TA0002
InstallationPersistence TA0003
C2Command & Control TA0011
ActionsExfiltration TA0010 / Impact TA0040

Diamond Model Elements

ElementKey Questions
AdversaryWho? What motivation? What sophistication?
CapabilityWhat TTPs? What malware/tools? Custom or off-shelf?
InfrastructureWhich IPs/domains? Shared hosting? Bulletproof?
VictimWhich org/person? Why targeted? What data at risk?

Control → Kill Chain Phase Mapping

ControlDisrupts Phase(s)
Email filtering / SPF/DKIM/DMARCDelivery
Web proxy / URL filteringDelivery, C2
Patch managementExploitation
EDR / application controlInstallation
DNS sinkholingC2
Network segmentation / micro-segActions (lateral movement)
DLPActions (exfiltration)
Threat intel / IOC feedsAll phases

Zero Trust vs Perimeter Security

AspectPerimeterZero Trust
Trust basisNetwork locationIdentity + device health
Internal trafficTrusted by defaultVerified every session
Lateral movementUnrestricted internallyBlocked by micro-segmentation
Breach assumptionTry to preventAssume it happens; limit damage
Insider threatsPoorly addressedExplicitly addressed

SDN / Micro-Segmentation Quick Facts

FeatureTraditionalSDN/Micro-seg
Traffic inspectionNorth-south onlyEast-west included
Policy granularityVLAN/subnetIndividual workload
Response speedManual reconfigurationAutomated, real-time
Policy managementPer-deviceCentralized controller

GDSA Architecture Principles Summary

PrincipleWhat It Means
Defense in DepthMultiple independent control layers
Least PrivilegeMinimum access required for function
Presumption of CompromiseDesign for breach containment
Reduce Attack SurfaceEliminate unnecessary exposure
Prevent + Detect + RespondAll three tiers required
Network + Data-centricControls at both layers

Domain 1 Practice Quiz

6 exam-style scenario questions. The GDSA exam favors application over memorization.

Domain 1 Study Plan

Foundations require conceptual depth — plan 1.5–2 weeks for this domain.

Days 1–3 · Kill Chain & Diamond Model

  • Study the Lockheed Martin Kill Chain paper — read the original, not just summaries
  • For each of the 7 phases, list 3 attacker TTPs and 3 defensive controls that disrupt it
  • Study the Diamond Model whitepaper — practice pivoting between elements using real APT reports
  • Read 2 MITRE ATT&CK case studies and map TTPs to Kill Chain phases

Days 4–6 · Zero Trust Architecture

  • Read NIST SP 800-207 Zero Trust Architecture (especially sections 2 and 3)
  • Study the ZTA logical components: Policy Engine, Policy Administrator, Policy Enforcement Point
  • Research 2 real-world ZTA implementations (Google BeyondCorp, Microsoft Zero Trust)
  • Practice differentiating ZTA from traditional perimeter security in scenario questions

Days 7–9 · SDN, Micro-Segmentation & Threat Analysis

  • Study VMware NSX or comparable SDN solution to understand micro-segmentation in practice
  • Perform a threat vector analysis on a sample environment (3-tier web app + database)
  • Review CIS Benchmarks for attack surface reduction techniques
  • Map controls to prevention/detection/response categories for the Reference tab

Days 10–12 · Integration & Exam Practice

  • Complete 40+ practice questions focused on framework application scenarios
  • Review GDSA sample questions on the GIAC website
  • Build a personal "control library" — list 30+ controls with: phase disrupted, layer (network/data/endpoint), control type (admin/technical/physical)
  • Drill the Reference tab tables until you can reconstruct them from memory

Common GDSA Exam Mistakes — Domain 1

1

Treating Kill Chain phase disruption as binary (stop = good)

Ignoring the value of detection at later phases

What Goes Wrong

Candidates answer "phase 1 disruption is always best" but the exam expects nuance — a control that detects at phase 6 (C2) while allowing phases 1-5 still provides critical intelligence about ongoing campaigns and enables response.

The Fix

Prevention at early phases is preferred. But detection at any phase is valuable — it enables response. A mature architecture does both. The exam often asks for the "most effective" single control, which is typically early-phase prevention.

🛡️ Rule: "Earliest disruption wins for prevention. Detection at any phase enables response. GDSA architecture requires both."
2

Confusing micro-segmentation with VLANs

VLANs don't prevent east-west lateral movement

What Goes Wrong

Answering that "VLANs provide micro-segmentation" — incorrect. VLANs create broadcast domain isolation at Layer 2 but all hosts within a VLAN can communicate freely. An attacker compromising one host in a VLAN can pivot to all others in that VLAN.

The Fix

Micro-segmentation enforces policy at the individual workload level, inspecting and controlling east-west (intra-VLAN) traffic. It's implemented via SDN, hypervisor firewalls, or cloud security groups — not traditional VLANs.

🛡️ VLANs = broadcast domain isolation. Micro-seg = workload-level policy. Only micro-seg stops lateral movement within a segment.
3

Describing Zero Trust as a product or perimeter replacement

ZT is a philosophy and architecture, not a technology

What Goes Wrong

Selecting answers like "deploy Zero Trust firewall" or "Zero Trust replaces the perimeter firewall." Zero Trust is an architecture philosophy — it uses many existing technologies (MFA, micro-segmentation, identity management) orchestrated around the principle of continuous verification.

The Fix

Zero Trust requires: (1) Strong identity verification for every access request. (2) Device health assessment. (3) Least-privilege access. (4) Continuous monitoring and re-verification. Multiple technologies work together — it's not a single product.

🛡️ ZT = philosophy requiring identity, device health, least-privilege, and continuous verification. Not a product, not a perimeter replacement.
4

Applying only network-centric controls in architecture scenarios

GDSA specifically tests the network + data-centric combination

What Goes Wrong

When asked to "design a defensible architecture," candidates list only network controls (firewall, IDS, segmentation) and miss data-centric controls (DLP, database activity monitoring, WAF). GDSA explicitly tests both layers.

The Fix

Defensible Security Architecture = network-centric controls + data-centric controls. Network controls defend transit; data-centric controls protect data at rest, in use, and in transit regardless of which network it's on.

🛡️ Always pair network controls with data-centric controls in architecture scenarios. One layer alone is insufficient for GDSA.
5

Underestimating the insider threat model in Zero Trust questions

Perimeter thinking doesn't address insider threats

What Goes Wrong

Treating insider threats as only "malicious employees" and ignoring the larger category of compromised insiders — legitimate user accounts used by external attackers after credential theft, which is the most common real-world pivot scenario.

The Fix

Zero Trust treats any access attempt as potentially compromised — including from internal users with valid credentials. Behavioral analytics, least-privilege, and continuous re-verification catch compromised insiders that perimeter defenses miss entirely.

🛡️ Insider threat = malicious employees + compromised credentials used by external attackers. ZT addresses both via behavioral monitoring and least-privilege.

Frequently Asked Questions

What is the difference between the Kill Chain and MITRE ATT&CK? +
The Kill Chain (Lockheed Martin, 2011) is a high-level 7-phase sequential model for understanding attack campaigns. MITRE ATT&CK is a detailed, regularly updated knowledge base of specific adversary tactics, techniques, and procedures (TTPs) with hundreds of entries. For GDSA, the Kill Chain provides strategic framing; ATT&CK provides tactical detail. The GDSA exam primarily uses Kill Chain language but expects familiarity with ATT&CK concepts.
What is presumption of compromise and how does it change architecture decisions? +
Presumption of compromise assumes attackers have or will breach the perimeter. This shifts investment from purely preventive controls (firewalls, AV) to detection and response capabilities (SIEM, EDR, network forensics). Architecturally, it drives micro-segmentation (limit what compromised systems can reach), behavioral monitoring (detect anomalous activity), and data-centric controls (protect data even when the network is breached).
How does SDN improve security response capability? +
SDN's centralized control plane enables immediate, automated security responses. When a threat is detected, the SDN controller can instantly quarantine a compromised host (block all its traffic), redirect traffic through inspection infrastructure, or isolate a segment — all without physical reconfiguration. Traditional networks require manual CLI changes on individual devices, taking minutes to hours.
Why is east-west traffic inspection critical and what implements it? +
East-west traffic (server-to-server, within the data center) represents most lateral movement in a breach. Traditional security only inspects north-south traffic (external to internal). Micro-segmentation via SDN, hypervisor firewalls (VMware NSX, AWS Security Groups), or physical firewall choke points implements east-west inspection. Without it, an attacker who compromises one server can freely move to all others in the same network segment.
What is the relationship between Zero Trust and micro-segmentation? +
Micro-segmentation is the technical implementation of Zero Trust's "never trust, always verify" principle at the network level. Zero Trust says no traffic should be implicitly trusted — micro-segmentation enforces this by requiring policy-based authorization for every workload-to-workload communication. Together, they ensure that a compromised workload cannot access other workloads without explicit policy permission.
How do you reduce attack surface without impacting business operations? +
Use a risk-based approach: (1) Inventory all services, ports, and protocols — eliminate anything not actively used. (2) Apply CIS Benchmarks to harden hosts without breaking functionality. (3) Use application whitelisting to allow only approved software. (4) Replace legacy insecure protocols with secure equivalents (Telnet → SSH, HTTP → HTTPS, SNMPv1 → SNMPv3). (5) Restrict administrative access to dedicated management VLANs — don't expose admin interfaces to regular user networks.
What does "defense in depth" mean in the GDSA context specifically? +
In GDSA, defense in depth means combining network-centric controls (firewalls, IDS, network segmentation) with data-centric controls (DLP, WAF, database monitoring) with endpoint controls (EDR, patch management, host hardening) with identity controls (MFA, PAM). Each layer is independent — failure of one layer does not compromise the entire defense. The goal is that an attacker must successfully bypass multiple independent controls to reach their objective.
Is the GDSA exam open book? +
Yes — GIAC exams are open book. You may bring printed notes or a physical index. However, the GDSA exam is scenario-based and timed (75 questions in 2 hours), so you won't have time to look up every answer. Deep conceptual understanding is required to answer scenario questions quickly. Use your notes for specific formula recall or reference tables, not as a primary study source.
Official Resources

Domain 1 Study Resources

SANS SEC530, GIAC GDSA, NIST Zero Trust reference

GDSA Certification NIST SP 800-207