The OSI Model's Seven Layers of Cyberattack

All network communications depend on layered protocols that work by encapsulating one protocol within another. The traditional metaphor for understanding this is an envelope with a letter inside. Another common visualization is to compare layered communication protocols to an onion. Using the envelope concept, the address written on the outside gives the destination, which is required for routing, and the letter inside (often referred to as the payload) carries the message. In reality, network protocols are a little more complicated than that. Considering the high risk of network protocol misconfigurations, an IT admin's experience is a powerful factor in building IT environments that are resilient to attack.

In this article, we will discuss the most common conceptual framework for describing the layered stacks of protocols that are used for network communications - the Open Systems Interconnection (OSI) model.

What is the Open Systems Interconnection (OSI) Model?

The OSI (Open Systems Interconnection) model is a protocol-independent, conceptual framework for visualizing how network and remote service application protocols are layered. It was developed by the International Organization for Standardization (ISO) as ISO 51.100 in 1984. The model organizes network functions into seven layers representing distinct core functions of the modern network communication stack.

IT professionals use the OSI Model as a reference to diagnose and troubleshoot networking issues and communicate about network processes. IT administrators and engineers can quickly assign the symptoms of IT problems to an OSI layer and then the specific protocols that might be causing the issue.

Cybersecurity defenders can also use the OSI Model to analyze how cyber attacks can affect different parts of a network and to ensure that all possible attack surfaces have been considered when developing comprehensive security controls and evaluated when conducting penetration testing assessments.

Let's dig deeper into the OSI Model and review each layer to gain a better understanding.

Layers Of the OSI Model

The OSI Model is divided into seven layers, each responsible for different aspects of network communication. These layers work together to transmit data from the source to the destination. The OSI Model can be used in threat modeling and to plan comprehensive penetration testing campaigns to ensure that every aspect of a network penetration test has been addressed.

The diagram below shows the seven OSI layers. It's important to note that the OSI Model is just a tool for visualizing protocols. The OSI Model is not always an exact fit for how networks behave. Next, let's discuss each one.

Layer 1: The Physical Layer

The Physical Layer includes the physical equipment that transfers data in chunks known as "frames". Electrical signals are transmitted over physical cable types and connectors, while radio waves are used to transmit over empty space in the case of wireless protocols.

  • Key Protocols/Standards: Ethernet (IEEE 802.3), WiFi (IEEE 802.11), USB, Bluetooth, RS-232, DSL, and NFC.

  • Attacks on the Physical Layer: Disrupting, tampering with, or sniffing data via the hardware or transmission medium: cutting cables, jamming wireless signals, or inserting malicious devices such as network taps to sniff and record data.

Layer 2: Data Link Layer

The Data Link Layer ensures that data is routed from one node to another on a network. Network devices use MAC (Media Access Control) addressing and ARP to identify interfaces and determine routing on the Data Link layer. Flow control, the process of managing the rate of data transmission between two devices to prevent data loss, also happens on the Data Link layer.

  • Key Protocols/Standards: Media Access Control (MAC), ARP (Address Resolution Protocol), VLAN (IEEE 802.1Q), Spanning Tree Protocol (STP).

  • Attacks on the Data Link Layer: Some attacks include MAC spoofing, ARP poisoning, VLAN hopping, or other manipulation of switch behavior to intercept, alter, or redirect traffic within a local network.

Layer 3: Network Layer

The Network Layer is responsible for packet forwarding, including routing through different routers and determining the best path for data. It uses logical addressing (IP addresses) to identify devices on a network. Network layer protocols manage packet routing across a network, logical addressing, and congestion control.

  • Key Protocols/Standards: Internet Protocol (IP), ICMP (Internet Control Message Protocol), OSPF (Open Shortest Path First), BGP (Border Gateway Protocol), and Network Address Translation (NAT). DNS is used to resolve IP addresses, which enables Layer 3.

  • Attacks on the Network Layer: Attacks on Layer 3 typically exhaust infrastructure for Denial of Service (DoS) or confuse routing tables (NAT or DNS) to reroute traffic through malicious, attacker-controlled endpoints. They target IP-based communication and routing infrastructure, and include DNS poisoning, IP spoofing, ICMP redirect attacks, DoS/DDoS volumetric attacks, DHCP starvation attacks, rogue DHCP routing, and more.

Layer 4: Transport Layer

The Transport Layer provides reliable end-to-end communication between devices. It handles segmentation, error correction and recovery, reassembly of data, and flow control. Transport layer protocols are either connection-oriented (such as TCP) or connectionless (such as UDP).

  • Key Protocols/Standards: Transmission Control Protocol (TCP), User Datagram Protocol (UDP), SCTP (Stream Control Transmission Protocol), QUIC. Also, network ports operate on Layer 4 via TCP or UDP.

  • Attacks on the Transport Layer: Exploit vulnerabilities in TCP and UDP to disrupt or hijack communication. TCP SYN floods and UDP floods can exhaust resources. RST injection can disrupt connections, while TCP session hijacking can allow attackers to take over connections. Other DoS attacks like Slowloris, fragmentation attacks, and UDP amplification abuse Layer 4.
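The encapsulation of Layers 2 through 4 described above can be seen by peeling one frame apart header by header. The following Python sketch is an added example, not code from the original article; the frame is constructed inline (locally administered MAC addresses, documentation IP ranges, zeroed checksums), and the function names `build_frame` and `decapsulate` are hypothetical.

```python
import struct

def build_frame(payload: bytes) -> bytes:
    """Constructed sample: Ethernet II / IPv4 / TCP around payload (checksums left 0)."""
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])) + tcp
    eth = bytes.fromhex("020000000002020000000001") + struct.pack("!H", 0x0800)
    return eth + ip

def decapsulate(frame: bytes) -> dict:
    """Peel Layers 2-4 off a frame, checking each length field before trusting it."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"l2": {"src": src.hex(":"), "dst": dst.hex(":"), "ethertype": ethertype}}
    if ethertype != 0x0800:           # not IPv4: stop at Layer 2
        return out
    ip = frame[14:]                   # the Layer 2 payload is the Layer 3 packet
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    if ip[0] >> 4 != 4 or ihl < 20 or not ihl <= total <= len(ip):
        raise ValueError("malformed IPv4 header")
    out["l3"] = {"src": ".".join(map(str, ip[12:16])),
                 "dst": ".".join(map(str, ip[16:20])), "proto": ip[9]}
    if ip[9] != 6:                    # not TCP: stop at Layer 3
        return out
    tcp = ip[ihl:total]               # slicing to total drops Ethernet padding
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4         # TCP header length in bytes
    if not 20 <= doff <= len(tcp):
        raise ValueError("malformed TCP header")
    out["l4"] = {"sport": sport, "dport": dport, "flags": tcp[13]}
    out["payload"] = tcp[doff:]       # what Layers 5-7 get to interpret
    return out

if __name__ == "__main__":
    for layer, fields in decapsulate(build_frame(b"GET / HTTP/1.1\r\n\r\n")).items():
        print(layer, fields)
```

Each length field comes from the sender, so the parser validates it against the bytes actually received before slicing. Truncated or inconsistent headers raise an error instead of being read as payload.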

Layer 5: Session Layer

The Session Layer manages sessions between applications. Sessions control authenticated activity and coordinate other application layer communication between devices and their users, such as login, logout, and other authorization systems.

  • Key Protocols/Standards: NetBIOS, RPC (Remote Procedure Call), SMB (Server Message Block), and SSH (Secure Shell) are classic Layer 5 protocols. More modern examples include Single Sign-On (SSO) protocols such as Kerberos, used to manage authenticated sessions to network services. Others include VPN tunneling protocols, SIP (Session Initiation Protocol) for VoIP and multimedia calls, and RADIUS and TACACS+, which authenticate, authorize, and account (AAA) for user sessions on network devices or enterprise WiFi networks.

  • Attacks on the Session Layer: Focus on session token theft (such as Kerberoasting) and session hijacking (such as Pass the Hash), enabling adversaries to impersonate legitimate users, escalate privileges, or move laterally to new network devices.

Layer 6: Presentation Layer

The Presentation Layer provides digital formats for translating, encrypting, encoding, and compressing data between the sender and receiver so that it can be understood by Layer 7, the Application Layer.

  • Key Protocols/Standards: SSL/TLS (Secure Socket Layer/Transport Layer Security) and X.509, the standard for public key certificates; JPEG, GIF, and MPEG media formats; character encoding standards for representing text (ASCII, UTF-8); data compression formats used in web and network transmission (Gzip, Brotli); and more.

  • Attacks on the Presentation Layer: Target TLS encryption through cryptographic exploits such as BEAST, POODLE, Heartbleed, downgrade attacks, Harvest Now Decrypt Later (HNDL), and other cryptographic attacks. Other attacks exploit flaws in data serialization or encoding formats, such as JSON injection, XML External Entity (XXE) attacks, or malformed media files.

Layer 7: Application Layer

The Application Layer is the topmost layer of the OSI Model and represents the actual use-case application of the network communication. Layer 7 facilitates file transfer, email clients and servers, web browsers, and other user-interface-based applications such as those for network management, productivity, finance, healthcare, or entertainment.

  • Key Protocols/Standards: HTTP, FTP, SMTP, APIs such as SOAP, REST, gRPC and many more.

  • Attacks on the Application Layer: Exploit software vulnerabilities (e.g., CVEs) in poorly designed applications or common misconfigurations that expose sensitive data or allow unauthorized access, such as hardcoded credentials, path traversal, improper authentication, and more. Additionally, attackers may use physical access attacks or social engineering to manipulate users into revealing credentials or executing malicious actions within applications themselves.

Conclusion

The OSI Model is a standard framework that conceptualizes how network communication processes work, making it easier for IT professionals to diagnose issues, design networks, and implement security measures.

Understanding the OSI Model and becoming familiar with which protocols are in each layer helps to troubleshoot network problems as well as architect and verify effective defensive IT security controls. The model can be used in threat modeling and to plan comprehensive penetration testing campaigns to ensure that every aspect of a network penetration test has been addressed.
