CoursesAdvanced Linux securityThe attacker on the host

The host threat model

What an attacker does after landing.

Advanced12 min · lesson 1 of 17

The hardening course made a host harder to break into; this course assumes someone got in anyway and asks the harder questions — what will they do next, how would you see it, and how do you respond. That mindset shift is what separates advanced Linux security from configuration: you stop thinking only about walls and start thinking like the person already inside, because you cannot detect or investigate an attacker whose playbook you do not understand.

An attacker who lands on a Linux host almost always arrives as an unprivileged user — a compromised web app running as www-data, a stolen low-privilege SSH key, a poisoned dependency executing in a service account. From that foothold their goals are predictable: escalate to root, establish persistence so they survive a reboot or a patch, and then act — steal data, pivot to other hosts, or use the machine’s resources. Everything in this course maps to seeing and stopping one of those moves.

What the attacker wants, and what you build against it
their objectives
escalate
foothold user → root
persist
survive reboot / patch
act
exfiltrate, pivot, abuse
your capabilities
reduce
privesc + persistence audit
detect
audit, osquery, eBPF, Falco
respond
triage, forensics, IR
Offense-informed defense: understand escalate/persist/act, then build the audit, detection, and response to counter each.

Assume breach is not pessimism

Assuming a breach will happen is not giving up on prevention — it is acknowledging that prevention is never perfect, so a mature security posture also invests in detection and response. A host you have hardened but cannot see into is a host where an attacker operates in the dark; a host with good visibility means their every escalation attempt, persistence mechanism, and lateral move leaves a trace you can catch. Defense in depth means the walls and the alarms and the response plan, not just the walls.

You cannot detect what you do not understand
Every detection in this course exists because it catches a specific attacker technique — and writing good detections requires knowing those techniques well enough to key on what an attacker cannot easily avoid. That is why we study privilege escalation and persistence before detection engineering: the defender who understands how the attack works writes detections that survive contact, and the one who does not writes brittle rules that catch only the careless.