Appendix A. Answers to the “Do I Know This Already?” Quizzes and Q&A

Do I Know This Already? Answers

Chapter 1

1. C. Encryption is often used to maintain confidentiality. An example is the use of encryption in virtual private networks (VPNs).

2. B. Integrity protection encompasses more than just data; it not only protects data, but also operating systems, applications, and hardware from being altered by unauthorized individuals.

3. A and C. STRIDE, DREAD, and attack trees are examples of threat modeling techniques.

4. C. Damage potential, reproducibility, exploitability, affected users, and discoverability are the components of DREAD.

5. A. Spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege are the components of STRIDE.

6. A, B, C. All three are examples of attack vectors.

7. C. CVAL does not exist. The rest are examples of tools that can help analyze the attack surface of a system.

8. B. The attack complexity is categorized as low when specialized access conditions or mitigating circumstances do not exist.

9. B. The risk is considered low (not high) if the attacker is already authorized or is required to have privileges on the system.

10. B. A VM escape vulnerability is an example of a vulnerability that could lead to an attack scope change.

Chapter 2

1. A. The three broad categories of cybersecurity investigations are public, private, and individual.

2. D. Evidence found on a system or network may be presented in a court of law to support accusations of crime or civil action, including all the options presented.

3. B. A suspect-led approach is pejorative and often biased to the disadvantage of those being investigated.

4. D. The reliability of the digital evidence is vital to supporting or refuting any hypothesis put forward, including the attribution of threat actors.

5. C. Each process starts with a single thread, known as the primary thread, but can also create additional threads from any of its threads.

6. D. A job is a group of processes.

7. D. NTFS is more secure, scalable, and advanced in comparison to FAT32. FAT64 and uFAT do not exist.

8. C. Ext4 supports journaling and features for better performance. LILO and GRUB are not file systems; they are boot loaders.

9. A and C. GRUB and LILO are examples of commonly used Linux boot loaders.

10. C. The journal is the most used part of the disk, making the blocks that form part of it more prone to hardware failure.

Chapter 3

1. A and D. Source and destination IP addresses, along with source and destination ports, are part of NetFlow records. Usernames and signature IDs are not part of NetFlow or IPFIX data.

2. A and D. Signature IDs as well as source and destination IP addresses are typically shown in IDS and IPS events. Passwords and PII should not be shown in IDS and IPS events.

3. A. The regular expression [bcr]at will pick up any words with “at,” starting with a b, c, or r.

4. B. The “.*” will pick up any characters after the 10.1.2. string.

5. C. Protocol header analysis has better detection of both known and unknown attacks. This is done by alerting on and blocking traffic that shows anomalies within the protocol transactions, instead of simply matching traffic against signatures of security vulnerability exploits.

6. A. Wireshark is one of the most popular packet capture programs used in the industry.

7. A and C. The output shows a TCP connection (HTTP) from a host with the FQDN omar.cisco.com to a destination server called www1.cisco.com.

Chapter 4

1. A, B, and C. NetFlow can be used to see what is actually happening across the entire network, to identify DoS attacks, and to quickly identify compromised endpoints and network infrastructure devices. It is not a scanning technology or solution.

2. A, B, C, and D. Flexible NetFlow can track a wide range of Layer 2, IPv4, and IPv6 flow information, including the following:

- Source and destination MAC addresses
- Source and destination IPv4 or IPv6 addresses
- Source and destination ports
- ToS
- DSCP
- Packet and byte counts
- Flow timestamps
- Input and output interface numbers
- TCP flags and encapsulated protocol (TCP/UDP)
- Sections of packet for deep packet inspection
- All fields in an IPv4 header
- All fields in an IPv6 header
- Routing information

3. A, C, D. Normal, immediate, and permanent are the three types of NetFlow cache.

4. D. IPFIX is an IETF standard based on NetFlow v9, with several extensions.

5. B. Templates provide vendor-neutral support for companies that create applications with collector or analysis capabilities for NetFlow, so that they are not required to reinvent their product each time a new NetFlow feature is added. Additionally, templates allow new features to be added to NetFlow more quickly, without breaking current implementations and with backward compatibility.

6. C. IPFIX uses the Stream Control Transmission Protocol (SCTP), which provides a packet transport service designed to support several features beyond TCP or UDP capabilities.

7. C. NetFlow, along with other telemetry features, can be enabled within your infrastructure to provide the necessary data used for identifying and classifying threats and anomalies. Before implementing these anomaly-detection capabilities, you should perform traffic analysis to gain an understanding of general traffic rates and patterns. This is often referred to as a traffic baseline.

8. A and B. Both DHCP logs and VPN logs are examples of other telemetry sources that can be correlated with NetFlow.

9. A, B, D. SiLK, ELK, and Graylog are open source tools that can be used for NetFlow analysis.

10. A and B. StealthWatch Management Console, FlowCollector, FlowSensor, FlowReplicator, and StealthWatch IDentity are components of the Cisco Lancope StealthWatch solution.

Chapter 5

1. A. NIST’s Special Publication 800-61 was created to provide guidelines for incident response and all related processes and procedures.

2. D. Definition of QoS policies in network infrastructure devices is not part of NIST’s Special Publication 800-61.

3. B. An SOP is a delineation of the specific technical processes, techniques, checklists, and forms used by the incident response team.

4. D. Although network monitoring is part of the preparation phase, it is not a phase as a whole of the incident response process, as defined by NIST.

5. D. Incident prioritization is part of the detection and analysis phase.

6. B. Identifying the attacking hosts is not part of the post-incident phase.

7. D. The FS-ISAC is a good example of an information-sharing community.

8. A, B, C, and D. All of these are examples of external parties you may need to communicate with during the resolution of a security incident.

9. D. Product Security Incident Response Teams (PSIRTs), National CSIRTs and Computer Emergency Response Teams (CERTs), and the incident response teams of security vendors and managed security service providers (MSSPs) are all examples of incident response teams.

10. A. Centralized incident response teams, distributed incident response teams, and coordinating teams are all examples of the most common incident response team structures.

Chapter 6

1. B, C, D, and E. Incident classification and handling, information classification and protection, information dissemination, and record retention and destruction are the responsibilities of a CSIRT or policies it helps create. Typically, corporate CSIRTs do not scan the network of vendors or their customers.

2. C. One of the main goals of a CSIRT is to minimize risk, contain cyber damage, and save money by preventing incidents from happening—and if they do occur, to mitigate them efficiently.

3. B, C, and D. The base, temporal, and environmental scores are the three main components of the CVSS.

4. D. PSIRTs are typically responsible for disclosing vulnerabilities in products and services sold by the organization to its customers.

5. B. National CSIRTs and CERTs aim to protect their citizens by providing security vulnerability information, security awareness training, best practices, and other information.

6. C. The CERT division of the Software Engineering Institute (SEI) is an example of a coordination center. Both Cisco PSIRT and Microsoft MSRC are PSIRTs, and FIRST is a forum for incident response teams.

7. B. The Cisco ATA service offers customers 24-hour continuous monitoring and advanced-analytics capabilities, combined with threat intelligence and security analysts and investigators to detect security threats in the customer networks. More information about Cisco ATA can be obtained at https://www.cisco.com/c/en/us/products/security/managed-services.html.

Chapter 7

1. B. PCI DSS is designed to protect financial transactions, meaning the primary account number (PAN), account data on the magnetic stripe, and data on the embedded chip.

2. D. In this case, D is the best answer. B is incorrect because someone’s personal home network doesn’t impact the networks they work on during their day job, unless those networks are connected and are the responsibility of the employer (i.e., working from home).

3. C. PCI is related to financial data and includes the full account number. A health condition would be something related to HIPAA.

4. A. Answer A is a good practice; however, it is not specifically called out as a high-level PCI DSS 3.2 requirement. Encryption would fall under protecting cardholder data; however, PCI DSS states that encryption does not remove PCI compliance requirements.

5. D. Answer D is the best answer. Answers A and B do not consider the installed software. Answer C includes a false aspect (that is, contractors).

6. C. HIPAA is designed to guard protected health information (PHI) and electronic PHI (e-PHI).

7. D. PHI is protected health information.

8. C. Any health condition is protected by HIPAA.

9. B. SOX is a U.S.-based compliance requirement. Answer B could mean organizations outside the U.S. The other answers are associated with U.S.-based financial services and therefore must be SOX compliant.

10. B. The Open Web Application Security Project (OWASP) creates web application security content and is not related to SOX compliance.

Chapter 8

1. A. sFlow (also called sampled flow) provides fewer details than NetFlow.

2. C. Developing a list of users on the network is not necessary for developing a network baseline.

3. D. Port security is a feature that is available with most modern switches, meaning it does not have an additional cost. Automated NAC typically is purchased, meaning it has a higher cost to acquire the technology.

4. C. Session is the total time a user or device connects to a network and later disconnects from a network.

5. A. Answer A would not help with monitoring connections to the network because firewalls tend not to see switch layer data, depending on how they are deployed.

6. B. Although the statement in answer B is usually true, this is not always the case. Administrators can choose to use other ports. Although it is common to use industry ports, this is not required.

7. C. Answer C is the best answer. Answers A and D do not include a payload, meaning there isn’t an associated attack. Answer B is incorrect because if the same payload is used, it will be detected by most security solutions.

8. B. Answer B has nothing to do with running processes due to port security being only MAC address based.

9. D. NetFlow does not have application layer data.

10. A. Answer A is not always true, meaning latency can be introduced anywhere in the network.

Chapter 9

1. A. Data normalization is the process of capturing, storing, and analyzing data (security-related events, in this case) so that it exists in only one form.

2. B. First normal form (1NF), second normal form (2NF), and third normal form (3NF) are data normalization categories used in the industry.

3. D. IP option is not part of the 5-tuple.

4. D. The event shown is an IPS/IDS log. One key field in recognizing this is the presence of a signature ID.

5. C. Cisco AMP uses threat intelligence from Cisco to perform retrospective analysis and protection. Cisco AMP also provides device and file trajectory capabilities to allow the security administrator to analyze the full spectrum of an attack.

6. D. DNS intelligence and URL reputation are used in many security solutions like the Cisco Firepower appliances, Cisco Firepower Threat Defense (FTD), the Cisco Web and Email security appliances, and others. For instance, you can correlate security events based on threat intelligence to identify communications to known malicious command and control (CnC) servers based on DNS information.

7. C. In deterministic analysis, you know and obtain “facts” about the incident, breach, affected applications, and other information.

Chapter 10

1. A. Adversaries must use both some form of infrastructure and the capability to access the victim.

2. D. Activity threads represent attacks that the attacker has already used.

3. B. Answer B defines what an activity-attack graph is best for. Answers A and C lack the proactive planning value offered by activity-attack graphs. Answer D is simply incorrect.

4. D. The final step is “action.” One example of an action could be to remove data. Action is not a required step of an attack and not part of the kill chain. For example, an attacker’s goal could be to take down the network from within.

5. A. Although answer D is close, answer A provides the best definition. Delivery is how the attacker communicates while exploitation is the attacker taking advantage of a vulnerability.

6. B. This is a man-in-the-middle attack and is something done as an attack, not as research.

7. B. The command and control (C2) stage is best defined as when the attacker completes the delivery of the attack and now can access the breached network.

8. D. Attacking internal targets or stealing data could be goals. Sometimes listening to traffic is the goal. For example, hackers might breach a company and use inside information to affect stock trading decisions. This was done by a group, which is believed to have made millions doing this.

9. C. It’s best to start doing analysis early so you can detect when an adversary attempts to communicate with you and then attack. Waiting for the attack is okay, but proactive measures, such as making it hard for attackers to communicate with you, are the best and earliest detection approach.

10. B. An insider threat could be an attacker who has breached the network and is now moving around like other users. The best approach to detect this is to look for unusual behavior, such as systems connecting to new systems for the first time, internal recon, data exfiltration, and so on.

Q&A Answers

Chapter 1

1. A. A DoS attack against a web server affects availability; the attack by itself does not affect integrity, repudiation, or confidentiality.

2. C. Integrity covers any changes to a system or its data.

3. B. Confidentiality is the promise that data is not unveiled to unauthorized users, applications, or processes. Depending on the type of information, a higher level of confidentiality might be required, depending on how sensitive it is.

4. A. An attack against a VM escape vulnerability is an example of an attack whose scope has potentially been changed. This scope is defined in CVSSv3 and later.

5. A and B. STRIDE and DREAD are examples of threat modeling techniques.

6. C. Malicious web page content, malicious email attachments and malicious email links, and social engineering are all attack vectors. DDoS is a type of attack.

Chapter 2

1. A. VirtualAlloc is a specialized allocation of the Windows virtual memory system, meaning it allocates straight into virtual memory via reserved blocks of memory.

2. D. HeapAlloc allocates any size of memory that is requested dynamically in Windows, and is a concept of Microsoft Windows.

3. A and C. When you’re performing forensics, the storage device you are investigating should immediately be write-protected before it is imaged and should be labeled to include the investigator’s name and the date when the image was created.

4. A. In cyber forensics, the original device can be returned to the owner or stored for trial, normally without having to be examined repeatedly.

5. A. Evidence that can be presented in court in the original form is referred to as “best evidence.”

6. C. Swap is extra memory on the hard disk drive or SSD that is an expansion of the system’s physical memory.

7. C. A file system that supports journaling maintains a record of changes not yet committed to the file system’s main part.

8. A. Indirect or circumstantial evidence is a type of evidence that relies on an extrapolation to a conclusion of fact.

9. D. Ext4 is one of the most used Linux file systems. It has several improvements over its predecessors and supports journaling. NTFS is typically used in Windows. Ext5 does not exist as of the time of writing, and exFAT does not support journaling.

10. D. Heaps are set up by VirtualAlloc and are used to initially reserve allocation space from the operating system.

Chapter 3

1. C. The packet capture shown includes a Telnet connection attempt from omar.cisco.com that eventually times out due to no answer from the server (93.184.216.34).

2. A. A true positive is a successful identification of a security attack or a malicious event.

3. B. A true negative is when the intrusion detection device identifies an activity as acceptable behavior and the activity is actually acceptable.

4. C. A false positive is when a security device triggers an alarm but there is no malicious activity or an actual attack taking place.

5. D. Fragmentation has traditionally been used by attackers to evade IDS and IPS devices.

6. C. A Flow record is an element in NetFlow, not an example of an element in an IDS alert or event.

7. B and C. The 5-tuple refers to source and destination IP addresses, source and destination ports, and protocols.

Chapter 4

1. A and B. Using NetFlow along with identity management systems, an administrator can detect the person who initiated the data transfer and the host involved.

2. A, B, and D. Each forensics team needs to have awareness of assets, risks, impact, and the likelihood of events. In addition, the team needs to know incident response policies and procedures in mock events and collect NetFlow on a regular basis to analyze what is happening in the network. Other items the team should be aware of are how to handle evidence and what chain of custody is.

3. A, B, and C. DHCP server logs, VPN server logs, and 802.1x authentication logs are good telemetry sources for attribution for who is the potential threat actor in a security incident or attack.

4. A and B. The following are the steps required to configure Flexible NetFlow in Cisco IOS or Cisco IOS-XE:

1. Configure a flow record.

2. Configure a flow monitor.

3. Configure a flow exporter for the flow monitor.

4. Apply the flow monitor to an interface.

5. D. Network Time Protocol, or NTP, is used to make sure that time is synchronized effectively in network infrastructure devices, servers, and any other computing devices.

6. C. Flow records, monitors, and samplers are examples of Flexible NetFlow components.

7. C. Source and destination IP addresses and ports as well as the protocol are part of the 5-tuple.

8. A. The default cache in NetFlow is the “normal cache.”

9. D. Encryption security association serial numbers are not part of NetFlow or Flexible NetFlow.

10. D. Flexible NetFlow is based on NetFlow Version 9 and it uses the concept of templates.

Chapter 5

1. D. According to NIST, a computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.

2. B. An SOP is a delineation of the specific technical processes, techniques, checklists, and forms used by the incident response team.

3. A. A security event is any observable occurrence in a system or network.

4. D. PSIRT is not an example of the most common incident response team staffing models. Staffing models are employees, partially outsourced team, and fully outsourced team.

5. C and D. The containment, eradication, and recovery phase includes choosing a containment strategy and evidence gathering and handling.

6. A. The post-incident activity phase in the incident response process includes lessons learned, how to use collected incident data, and evidence retention.

7. A. The preparation phase is the phase in the incident response process that includes creating processes for incident handler communications and the facilities that will host the security operation center (SOC) and incident response team.

8. A and D. Centralized and distributed are examples of the most common incident response team structures.

9. D. The main five sections of the VERIS schema are:

- Incident Tracking
- Victim Demographics
- Incident Description
- Discovery & Response
- Impact Assessment

10. C. The Incident Description section of the VERIS schema includes the following elements:

- Actors
- Actions
- Assets
- Attributes

Chapter 6

1. A. National CERTs aim to protect their citizens by providing security vulnerability information, security awareness training, best practices, and other information. PSIRTs are vendor Product Security Incident Response Teams. ATA is a Cisco-managed security service, and global CERTs do not exist.

2. D. Product Security Incident Response Teams (PSIRTs) are the ones that handle the investigation, resolution, and disclosure of security vulnerabilities in vendor products and services.

3. C. CERT/CC is an example of a coordination center.

4. B. The Common Vulnerability Scoring System (CVSS) is the most widely adopted standard to calculate the severity of a given security vulnerability.

5. C, D, E. Confidentiality, integrity, and availability (CIA) are part of the CVSS base score metrics.

Chapter 7

1. C. Images presented on cards are not part of what PCI DSS is responsible to protect.

2. A. Answer A is a SOX requirement.

3. A. Answer A is the best definition of CDE.

4. C. Answer C is a great practice; however, it is not a requirement listed for the HIPAA security rule.

5. C. Answer C relates to SOX compliance.

6. B. Answer B is a good practice to enforce but not part of SOX compliance. Remember compliance can offer good practices but should be considered the minimal best practices. There are usually other areas that can be improved beyond what is required for compliance.

7. A. PCI does not supersede legal requirements.

8. B. Currently, biometrics isn’t listed as part of a PCI DSS 3.2 security requirement.

9. C. Answer C is a good best practice; however, it is not part of the PCI DSS 3.2 “Implement strong access control measures” requirements.

10. B. Answer B is the correct CIA breakdown.

Chapter 8

1. B. Capturing network packets offers more details than NetFlow.

2. C. Knowing the number of devices can help; however, devices can have different impacts on throughput. An example would be comparing a user browsing the Internet versus another user streaming video. The video user would have a larger impact on the network; hence, it’s more important to see the type of traffic versus types of devices when establishing throughput requirements.

3. D. DNS provides name resolution when searching the web; however, it doesn’t have the same value as the others in regard to identifying the types of devices connected to the network.

4. B. Baselining typically is about how users impact network performance versus how long they use a system. This can help with baselining, but the other answers are more valuable uses of session duration data.

5. A. Segmenting hosts has to do with controlling traffic between address spaces versus provisioning addresses to hosts.

6. B. Endpoint posture is a good thing to consider for an access control policy; however, it is not required for IP address management (IPAM).

7. C. Understanding bandwidth utilization could possibly help a little; however, bandwidth utilization is typically something developed from a network baseline versus the types of devices on the network.

8. B. Implementing strong access control policies is helpful for controlling access to the network, but this does not help with securing systems already authorized that have listening ports.

9. C. Native NetFlow does not have application layer data.

10. A. Answer A shows who is logged in, not what is running.

Chapter 9

1. A. The table includes a NetFlow record. You can see information such as the 5-tuple and next-hop router information, as well as TCP flags, which are supported by NetFlow.

2. A. The ASA syslog shown is an example of a firewall log.

3. A and C. You can identify communications to CnC servers and malicious domains based on reputation by correlating DNS intelligence and other security events.

4. C. AMP for Networks and AMP for Endpoints use threat intelligence to allow you to perform retrospective analysis and protection.

5. B. Purging redundant data while maintaining data integrity is one of the main goals of data normalization.

Chapter 10

1. A. Connecting to a command and control server would be C2, not weaponization.

2. B. Delivery is the earliest option out of the choices listed.

3. A. Installation is when the malware is installed while Command and Control is when that software provides keyboard access to the attacker.

4. D. Email would be an infrastructure.

5. C. The user connecting to a malicious website would represent how the attack is delivered. You might think answer B is correct; however, that is how the ransomware is installed—hence, the installation stage post-exploitation.

6. B. The attacker accessing the internal network through a breached system is an example of C2. Answers C and D are actions that happen after the attacker gets network access. Answer A doesn’t give the attacker keyboard access yet.

7. D. Meta-features are not required.

8. A. Activity-attack graphs are good for both current and future attack data. That data, however, is always changing and wouldn’t typically represent a single product that is needed for purchase. Deciding what to purchase would require more than this type of information.

9. D. Port security would be more of a “before” technology. It involves preventing attackers from having the chance to attack the network by physically plugging in an unauthorized device.

10. C. Devices are the victim, or what is attacked. Direction is additional data about delivery. Result is extra data about the attack. Resources provide more details about what is being used to attack the victim.
