Appendix A. Answers to the “Do I Know This Already?” Quizzes and Review Questions

Chapter 1

Do I Know This Already?

1. D. Cybersecurity is different from traditional Information Security (InfoSec). Cybersecurity encompasses risk analysis and is the process of protecting information by preventing, detecting, and responding to attacks. Cybersecurity aims to protect people and critical infrastructure from inadvertent or intentional misuse, compromise, or destruction of information and information systems.

2. D. Cybersecurity programs and policies include risk management and oversight, threat intelligence, and threat hunting.

3. C. The NIST Cybersecurity Framework provides a common taxonomy, and one of the main goals is to address and manage cybersecurity risk in a cost-effective way to protect critical infrastructure. CVSS provides a scoring system to characterize the impact of a given security vulnerability. FIRST is an international nonprofit organization where incident response professionals exchange information, provide education, and develop new standards and best practices. NVD is a common repository of known security vulnerabilities that can be accessed at nvd.nist.gov.

4. A. A vulnerability is a weakness in the system design, implementation, software, or code, or the lack of a mechanism. Vulnerabilities can be found in software or hardware.

5. A. NVD is a common repository of known security vulnerabilities that can be accessed at nvd.nist.gov. CVSS provides a scoring system to characterize the impact of a given security vulnerability. FIRST is an international nonprofit organization where incident response professionals exchange information, provide education, and develop new standards and best practices.

6. D. The Exploit Database by Offensive Security (exploit-db.com), searchsploit, and sometimes GitHub can be used to obtain proof-of-concept software designed to exploit a security vulnerability.

7. D. STIX is a standard designed to share threat intelligence. The Common Vulnerability and Exposures (CVE) is a standard created by MITRE to identify security vulnerabilities. CVSS is a scoring system to describe the impact of a security vulnerability.

8. E. Access control lists can classify packets using Layer 2 protocol information such as EtherTypes; Layer 3 protocol information such as ICMP, TCP, or UDP; Layer 3 header information such as source and destination IP addresses; and Layer 4 header information such as source and destination TCP or UDP ports.

9. A. Pattern matching and stateful pattern-matching recognition are methodologies used by intrusion detection devices.

10. C. AMP for Endpoints provides capabilities that are more advanced than basic personal firewalls and host intrusion prevention systems (HIPS).

11. A. The WCCP protocol can be used to redirect traffic from a network infrastructure device (such as a firewall or router) to the Cisco WSA for inspection.

12. B. The operating system used by the Cisco ESA and Cisco WSA is the AsyncOS operating system. Cisco IOS-XE is used in Cisco enterprise routers and switches. Cisco FTD is a next-generation firewall solution. Cisco NX-OS is the operating system used in datacenter switches and other Cisco products.

13. A. The Cisco Content Security Management Appliance (SMA) is used to provide centralized management and reporting for one or more Cisco ESAs and Cisco WSAs. Cisco FMC is used to manage firewalls and intrusion prevention systems. Cisco Defense Orchestrator is a cloud-based solution to manage and deploy policies to Cisco firewalls. The Cisco DNA Center (DNAC) is a software defined networking (SDN) solution.

14. D. SGTs, SGACLs, and the Cisco AnyConnect Secure Mobility Client are all components of the TrustSec solution.

15. E. Cisco Cloud Email Security (CES), Cisco AMP Threat Grid, Umbrella (formerly OpenDNS), and CloudLock are all cloud-based security solutions.

16. A. The 5-tuple in a NetFlow record includes the source port, destination port, source IP address, destination IP address, and protocol.

17. A. Data Loss Prevention (DLP) systems are designed to detect any sensitive emails, documents, or information leaving your organization.

18. D. One of the primary benefits of a defense-in-depth strategy is to provide security capabilities even if a single control (such as a firewall or IPS) fails. Other controls can still protect your environment and assets.

19. A. Integrity is the component of the CIA triad that ensures that a system and its data have not been altered or compromised.

20. A. The Federal Financial Institutions Examination Council developed a tool to provide a repeatable and measurable process for organizations to measure their cybersecurity readiness.

21. D. An individual’s name, date of birth, and mother’s maiden name are all considered personally identifiable information (PII).

22. D. The principle of least privilege states that all users—whether they are individual contributors, managers, directors, or executives—should be granted only the level of privilege they need to do their jobs, and no more.

23. D. All the available answers are best practices for the Security Operations Center (SOC). Organizations should operate the SOC as a program rather than a single project. Metrics must be established to measure the effectiveness of the SOC capabilities. SOC analysts should collaborate with other groups such as public relations, legal, and IT.

24. C. A runbook is a collection of procedures and operations performed by system administrators, security professionals, or network operators.

25. B. Chain of custody is the way you document and preserve evidence from the time that you started the cyber forensics investigation to the time the evidence is presented at court or to your executives.

Review Questions

1. Access control is done by application awareness and visibility.

2. EnCase

3. NetFlow provides information about network session data, and NetFlow records take less space than a full packet capture.

4. A software or solution for making sure that corporate users do not send sensitive or critical information outside the corporate network

5. Source and destination ports and source and destination IP addresses

6. CWE

7. Open vSwitch

8. A. Heuristic-based algorithms may require fine-tuning to adapt to network traffic and minimize the possibility of false positives.

9. DMZs can serve as segments on which a web server farm resides or as extranet connections to business partners.

10. C. Full packet captures

11. A. Application proxies, or proxy servers, are devices that operate as intermediary agents on behalf of clients that are on a private or protected network.

B. Clients on the protected network send connection requests to the application proxy to transfer data to the unprotected network or the Internet.

12. C. Static NAT allows connections to be initiated bidirectionally.

D. NAT is often used by firewalls; however, other devices such as routers and wireless access points provide support for NAT.

Chapter 2

Do I Know This Already?

1. B. Many organizations move their applications to the cloud to transition from CapEx to OpEx (and reduce overhead).

2. B. A hybrid cloud is a type of cloud model composed of two or more clouds or cloud services (including on-premises services or private clouds and public clouds).

3. A. Cisco WebEx and Office 365 are examples of the Software as a Service (SaaS) cloud service model.

4. A. Agile uses Scrum. Scrum is a framework that helps organizations work together because it encourages teams to learn through experiences, self-organize while working on a solution, and reflect on their wins and losses to continuously improve. Scrum is used by software development teams; however, its principles and lessons can be applied to all kinds of teamwork. Scrum describes a set of meetings, tools, and roles that work in concert to help teams structure and manage their work.

5. C. DevOps includes a feedback loop to prevent problems from happening again (enabling faster detection and recovery by seeing problems as they occur and maximizing opportunities to learn and improve), as well as continuous experimentation and learning.

6. D. AWS Lambda is an example of a cloud platform often referred to as “serverless” computing, where you can develop code without having to worry about the underlying infrastructure.

7. A. In a Platform-as-a-Service (PaaS) environment the cloud consumer (customer) is responsible for the security and patching of the applications but not the underlying operating system, storage, virtual machines, and virtual networks.

8. D. Encryption, data classification, and incident response are areas of concern that must be discussed with cloud providers.

9. D. Cross-site scripting (XSS) is an input validation attack that has been used by adversaries to steal user cookies that can be exploited to gain access as an authenticated user to a cloud-based service. Attackers also have used these vulnerabilities to redirect users to malicious sites or display messages to users to obtain sensitive information.

10. A. An example of a side-channel attack is when the attacker attempts to compromise the cloud environment by placing a malicious virtual machine in close proximity to a target cloud server.

Review Questions

1. Virtual networks, storage, hypervisors

2. It can be difficult for customers to enumerate and communicate all of their needs at the beginning of the project.

3. Sprints

4. Product management, quality assurance (QA), IT operations, infosec, and cybersecurity practices

5. Continuous Integration (CI)

6. Containers (such as Docker, Rocket, and LXC)

7. Kubernetes and Apache Mesos

8. Community cloud

9. FedRAMP

10. API attacks, VM escape attacks, and web application attacks such as XSS, CSRF, session hijacking, and SQL injection

Chapter 3

Do I Know This Already?

1. A. Integrity is the element of the CIA triad that ensures that only authorized users can modify the state of a resource. Access controls are used to ensure that only authorized users can modify the state of a resource. An example of this control is a process that allows only authorized people in an engineering department to change the source code of a product under development.

2. B. A subject is the active entity that requests access to a resource.

3. B. Authentication is the process of proving one’s identity.

4. A and C. Password and PIN are examples of authentication by knowledge.

5. C. False rejection rate (FRR) refers to when the system rejects a valid user that should have been authenticated.

6. B. In military classification, the Secret label is usually associated with severe damage to the organization.

7. A. Encryption and storage media access controls are commonly used to protect data at rest.

8. A. The asset owner and senior management are ultimately responsible for the security of the assets.

9. A and B. Preventive and Deterrent access controls are controls used to prevent a breach from occurring.

10. B. Attribute-based access control (ABAC) uses subject, object, and environmental attributes to make an access decision.

11. A. MAC offers better security compared to DAC because the operating system ensures compliance with the organization’s security policy.

12. A and B. Classification and category are typically found in a security label.

13. C. Role-based access control (RBAC) uses the role or function of a subject to make access decisions.

14. D. Configuring an access control list is the simplest way to implement a DAC-based system. The key characteristic of an access control list is that it is assigned to the object that it is protecting. An access control list, when applied to an object, will include all the subjects that can access the object and their specific permissions.

15. C. Host-based IDS can detect attacks using encryption because it can see the decrypted payload on the host.

16. B. Host-based antimalware can detect attacks using encryption because it can see the decrypted payload on the host.

17. D. A security group access control list (SGACL) implements access control based on a security group tag (SGT) assigned to a packet. The SGT could be assigned, for example, based on the role of the user.

18. C. TACACS+ encrypts the TACACS+ message payload.

19. A. Cisco TrustSec uses MACSec to provide link-level encryption.

Review Questions

1. In the authorization phase, access is granted to a resource.

2. Uniqueness, nondescriptiveness, and secured issuance are characteristics of a secure identity.

3. Authentication by knowledge, authentication by characteristic, authentication by ownership. Strong authentication is obtained by the combination of at least two factors. Examples of factors are authentication by knowledge, by characteristic, or by ownership—for example, authenticating to a web application using your username and password (factor 1) and then using an application (like DUO) in your phone to further authenticate to the system (factor 2).

4. The asset owner assigns the classification.

5. Clearing ensures protection against simple and noninvasive data-recovery techniques.

6. Security training is a type of administrative control.

7. Dropping a packet prevents a security incident from occurring.

8. Physical, deterrent

9. Several objects with user access rights

10. Between the network access server and the authentication server

11. Diameter

12. 802.1x

13. Between the supplicant and the authenticator

14. To send security group tag information to a hardware-capable Cisco TrustSec device for tagging

15. The promiscuous port only

16. It may add latency due to packet processing.

17. It can block malware at the entry point.

18. Part of the environmental attributes

19. Mandatory access control (MAC)

20. Stricter control over the information access.

21. The object owner

Chapter 4

Do I Know This Already?

1. B, C, D. Nmap, Nexpose, and Nessus are examples of vulnerability and port scanners.

2. C. UDP scans rely on ICMP “port unreachable” messages to determine whether a port is open. When the scanner sends a UDP packet and the port is not open on the victim’s system, that system will respond with an ICMP “port unreachable” message.

3. D. In a phishing attack the attacker sends an email and presents a link that looks like a valid, trusted resource to a user. After clicking it, the user is prompted to disclose confidential information such as username and password. The attacker can also send a malicious attachment to compromise the user’s system.

4. C. A backdoor is an application or code used by an attacker either to allow future access or to collect information to use in further attacks.

5. B. An amplification denial of service (DoS) attack is a form of reflected attack in which the response traffic (sent by the unwitting participant) is made up of packets that are much larger than those that were initially sent by the attacker (spoofing the victim).

6. D. Attackers can exploit buffer overflow vulnerabilities by sending more data than a buffer can hold or when a program tries to put data in a memory location past a buffer. Buffer overflows are input validation vulnerabilities and in some cases could lead to code execution.

7. A. XSS is a type of web application vulnerability where malicious scripts are injected into legitimate and trusted websites. Attackers can leverage XSS vulnerabilities to redirect users to malicious sites, steal cookies, or interact with the user to steal sensitive data.

8. A. A SQL injection is a type of vulnerability where an attacker can insert or “inject” a SQL query via the input data from the client to the application or database.

Review Questions

1. An attacker computes possible passwords and their hashes in a given system and puts the results into a lookup table.

2. War driving

3. Cross-site scripting (XSS)

4. SQL injection

5. Man-in-the-middle

6. Deserialization of untrusted data

7. Buffer overflow

8. Evil twin

9. ARP cache poisoning

10. Dynamic ARP inspection

Chapter 5

Do I Know This Already?

1. A, B, C. Transposition, substitution, and polyalphabetic are all examples of common methods used by ciphers. Polynomials are mathematical expressions consisting of variables and coefficients, but they are not cipher types.

2. A, B, D. AES, 3DES, and Blowfish are examples of symmetric block cipher encryption algorithms. DSA and ElGamal are examples of asymmetric encryption algorithms.

3. A. A symmetric encryption algorithm, also known as a symmetric cipher, uses the same key to encrypt the data and decrypt it.

4. B, C, D. SHA-1, SHA-2, and MD5 are all examples of hashing algorithms. DES is an example of an encryption algorithm.

5. A, B. Providing authentication and nonrepudiation are benefits of digital signatures. Masking and encoding are not benefits or features of digital signatures.

6. A, C. AES-GCM mode (for encryption) and SHA-512 (for hashing) are considered next-generation cryptographic protocols. AES-CBC mode provides strong encryption, but a stronger alternative is AES-GCM mode, which provides authenticated encryption.

7. A. Examples of key management include Diffie-Hellman (DH), which can be used to dynamically generate symmetric keys to be used by symmetric algorithms; PKI, which supports the function of digital certificates issued by trusted CAs; and Internet Key Exchange (IKE), which does a lot of the negotiating and management needed for IPsec to operate.

8. A, C. A key pair is a set of two keys that work in combination with each other as a team. They are used in implementations such as digital certificates, Pretty Good Privacy (PGP), S/MIME, and others. Also, if you use the public key to encrypt data using an asymmetric encryption algorithm, the corresponding private key is used to decrypt the data.

9. A, D. Digital certificates include different entities such as the serial number of a certificate, the contents of the public key, the validity dates, information about the certificate authority (CA) that issued the certificate, and the subject of the certificate. A certificate does not include information about the DNS server IP addresses or default gateway.

10. C. Root certificates expire. Root certificates do not contain information about the user or a network security device (such as a firewall or intrusion prevention system). Root certificates do indeed contain information about the public key of the root certificate authority.

11. B, C. PKCS #10 and PKCS #12 are examples of public key standards that specify the format and the implementation of digital certificates.

12. B. The Online Certificate Status Protocol (OCSP) is an alternative to certificate revocation lists (CRLs). Using OCSP, a client (such as a web browser) simply sends a request to find the status of a certificate and gets a response without having to know the complete list of revoked certificates.

13. C. For a client to verify the chain of authority, a client needs both the subordinate CA’s certificate and the root certificate. The root certificate (and its public key) is required to verify the digital signature of the subordinate CA, and the subordinate CA’s certificate (and its public key) is required to verify the signature of the subordinate CA. If there are multiple levels of subordinate CAs, a client needs the certificates of all the devices in the chain, from the root all the way to the CA that issued the client’s certificate.

14. A. With cross-certification, you would have a CA with a horizontal trust relationship over to a second CA so that clients of either CA can trust the signatures of the other CA.

Review Questions

1. chicken.txt and cat.txt

2. A collision attack is an attempt to find two input strings of a hash function that produce the same hash result.

3. SHA-2

4. Subordinate CAs

5. A list of certificates, based on their serial numbers, that had initially been issued by a CA but have since been revoked and as a result should not be trusted

6. PKCS #12

7. PKCS #10

8. AES and IDEA

9. Diffie-Hellman and RSA

10. SHA and MD5

Chapter 6

Do I Know This Already?

1. B and E. SSL/TLS and IPsec are used for remote access VPN implementations. Tor is not a VPN protocol and MPLS is a protocol mostly used by service providers to provide connectivity to their customers.

2. A, B, E. L2TP, GRE, and MPLS are protocols that do not provide encryption. IPsec and SSL/TLS provide data integrity, authentication, and data encryption.

3. C, D. VPN implementations are generally categorized into site-to-site and remote access VPNs.

4. B. The Cisco AnyConnect Secure Mobility Client is a remote-access VPN client provided by Cisco.

5. E. IKEv1 phase one proposals include different attributes such as encryption algorithms, hashing algorithms, Diffie-Hellman groups, and vendor-specific attributes.

6. C and D. SHA and MD5 are hashing algorithms used in IPsec and other implementations.

7. A. In IKEv1 Phase 2, each security association (SA) is assigned an SPI.

8. A. FlexVPN is a standards-based IKEv2 site-to-site IPsec VPN implementation that provides multivendor support and supports point-to-point, hub-and-spoke, and remote-access VPN topologies.

9. B. The remote client needs only an SSL-enabled web browser to access resources on the private network of the VPN head end device. Clients can use digital certificates and pre-shared keys (PSKs) and/or username and passwords. Clientless SSL VPN can provide the same level of encryption as client-based SSL VPNs. The expiration of clientless SSL VPN sessions is configurable.

10. D. Agents (clients) such as the AnyConnect Secure Mobility Client are used in SSL VPN implementations.

Review Questions

1. Because the ESP protocol does not have any ports like TCP or UDP.

2. Transport mode protects upper-layer protocols, such as UDP and TCP, and tunnel mode protects the entire IP packet.

3. Diffie-Hellman is an encapsulation protocol that enables two users or devices to send data to each other.

4. Remote-access VPNs

5. There is a single exchange of a message pair for IKEv2 IKE_SA.

6. AES

7. NAT Traversal

8. Tor

9. To exfiltrate data, to encrypt traffic between a compromised host and a command and control system, to evade detection.

10. AES-GCM

Chapter 7

Do I Know This Already?

1. C. Access rights are assigned in the privileges provisioning phase of the identity and account lifecycle.

2. B. An advantage of a system-generated password is that it can be configured to comply with the organization’s password policy.

3. B. Asynchronous token systems are a password system that’s based on tokens and uses a challenge-response mechanism.

4. A. In the context of the X.500 standard, an entity is uniquely identified by its distinguished name (DN) within a directory information tree.

5. A. One of the main advantages of single sign-on (SSO) is that the user authenticates with a single service (via SSO) and is authorized to access resources on multiple systems.

6. B. One of the main advantages of a SIEM is that it provides log correlation. A traditional log collector might not perform any correlation or analysis of the collected data.

7. A. An asset inventory is used to create a list of assets owned by the organization.

8. B, C, D. Flexibility, scalability, and easier maintenance are advantages of cloud-based mobile device management when compared to an on-premise model.

9. B. PIN lock enforcement is a typical feature of an MDM solution.

10. A. A configuration that has been formally reviewed and approved is referred to as a security baseline configuration.

11. A. A change that is low risk and might not need to follow the full change management process is classified as a standard.

12. A. In a white box penetration testing assessment, significant information about the underlying systems and networks is known to the ethical hacker (pen tester).

13. C. In a coordinated vulnerability disclosure the finder does not disclose any information about the vulnerability and underlying exploit before notifying the affected vendor.

14. A, B, C. In most environments, a patch is not applied to critical systems before you start a request for change, perform a security assessment of the patch, and test the patch in the lab.

Review Questions

1. Unique and nondescriptive

2. To avoid privilege creep

3. After job termination, when a user moves to another job, because of a security violation

4. Asset security classification and asset disposal

5. OU=CyberOps Learning

6. As described in the asset return policy

7. In a CMDB

8. Active

9. Agent-based patch management model

10. 164

11. It extracts relevant attributes from logs received in different formats and stores them in a common data model or template.

12. Mobile device management (MDM) server

13. In the review and close change record

14. A machine-readable file that contains information about how to check a system for the presence of vulnerabilities

Chapter 8

Do I Know This Already?

1. A. The NIST Special Publication 800-61 revision 2 (r2) covers the incident response process. It is one of the most widely used references for many incident response teams in the industry.

2. D. The definition of QoS policies in network infrastructure devices is not part of the policy elements in NIST SP 800-61r2. Statement of management commitment; purpose and objectives of the incident response policy; and the scope of the incident response policy are part of the policy elements described in NIST’s Special Publication 800-61r2.

3. B. NIST’s definition of standard operating procedures (SOPs) is “A delineation of the specific technical processes, techniques, checklists, and forms used by the incident response team.”

4. A. The preparation phase of the incident response process is where you create risk assessment capabilities within your organization.

5. D. Incident prioritization is part of the detection and analysis phase of the incident response process.

6. B. Identifying the attacking hosts is not part of the post-incident activity (postmortem) phase.

7. D. The Financial Services Information Sharing and Analysis Center (FS-ISAC) is a good example of an information-sharing community. You can obtain more information about the FS-ISAC at https://www.fsisac.com.

8. E. During the investigation and resolution of a security incident, you might need to communicate with many different outside parties, such as law enforcement, Internet service providers (ISPs), the vendor of your hardware and software products (in case you encounter vulnerabilities in those products), and coordination centers.

9. D. A penetration testing team is not an example of an incident response team.

10. D. CSIRT, PSIRT, and coordination centers are all examples of common incident response team structures.

11. A and D. Destination and source ports are artifacts of NetFlow records. NetFlow records do not include usernames or IPS signature IDs.

12. Signature IDs and source/destination IP addresses are usually shown in IDS and IPS events.

13. A. grep invalid user.*ssh /var/log/auth.log will display log messages for any invalid users attempting to connect to the Linux server.

14. B. The regular expression 10.1.2..* will match any IP address on the 10.1.2.0/24 network.
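The two patterns from questions 13 and 14 applied to a few constructed auth.log lines, as an added example that is not part of the book. It shows that `invalid user.*ssh` picks out the failed logins for nonexistent accounts, and that `10.1.2..*` also matches a 10.1.20.x host because the unescaped dots match any character; an escaped, anchored variant (an assumption of this example) is shown beside it.

```python
import re
from collections import Counter

# Constructed sample auth.log excerpt (not from the page); sshd reports
# logins for unknown accounts as "invalid user", with the "ssh2" suffix.
SAMPLE_AUTH_LOG = """\
Mar  1 10:00:01 host sshd[1201]: Accepted publickey for alice from 10.1.2.15 port 50122 ssh2
Mar  1 10:00:07 host sshd[1202]: Failed password for invalid user admin from 10.1.2.77 port 40211 ssh2
Mar  1 10:00:09 host sshd[1203]: Failed password for invalid user test from 10.1.20.5 port 40212 ssh2
Mar  1 10:00:12 host sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; COMMAND=/bin/ls
Mar  1 10:00:15 host sshd[1204]: Failed password for root from 10.1.2.9 port 40213 ssh2
"""

# Pattern from question 13: grep invalid user.*ssh /var/log/auth.log
INVALID_USER_RE = re.compile(r"invalid user.*ssh")

# Pattern from question 14, exactly as written: "." matches any character,
# so "10.1.2" followed by anything (including "0" in 10.1.20.5) matches.
LOOSE_SUBNET_RE = re.compile(r"10.1.2..*")

# Escaped and bounded variant (assumed here, not from the page): literal
# dots, a final octet of 1-3 digits, and no digit or dot on either side.
STRICT_SUBNET_RE = re.compile(r"(?<![\d.])10\.1\.2\.\d{1,3}(?![\d.])")

# Source address after "from", used to summarise the invalid-user lines.
SOURCE_RE = re.compile(r" from (\S+) port ")


def grep(pattern: re.Pattern, text: str) -> list[str]:
    """Return the lines of text that contain a match, like grep."""
    return [line for line in text.splitlines() if pattern.search(line)]


def invalid_user_lines(text: str = SAMPLE_AUTH_LOG) -> list[str]:
    return grep(INVALID_USER_RE, text)


def loose_subnet_lines(text: str = SAMPLE_AUTH_LOG) -> list[str]:
    return grep(LOOSE_SUBNET_RE, text)


def strict_subnet_lines(text: str = SAMPLE_AUTH_LOG) -> list[str]:
    return grep(STRICT_SUBNET_RE, text)


def invalid_user_sources(text: str = SAMPLE_AUTH_LOG) -> dict[str, int]:
    """Count invalid-user attempts per source address for triage."""
    counts: Counter[str] = Counter()
    for line in invalid_user_lines(text):
        match = SOURCE_RE.search(line)
        if match:
            counts[match.group(1)] += 1
    return dict(counts)


if __name__ == "__main__":
    print("invalid user lines:", len(invalid_user_lines()))
    print("loose 10.1.2..* matches:", len(loose_subnet_lines()))
    print("strict 10.1.2.0/24 matches:", len(strict_subnet_lines()))
    print("attempts per source:", invalid_user_sources())
```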

15. C. Protocol header analysis has several benefits over more primitive security techniques because it has better detection of both known and unknown attacks. This is done by alerting and blocking traffic on anomalies within the protocol transactions, instead of just simply matching traffic on signatures of security vulnerability exploits.

16. A. Wireshark is one of the most popular packet capture programs used by security and IT professionals.

17. A and C. The packet capture shown depicts TCP transactions between omar.cisco.com (source) and www1.cisco.com (destination).

Review Questions

1. The protocol is Telnet. The Telnet transaction is timing out and the server is not responding.

2. True positive

3. True negative

4. False positive

5. Fragmentation, encryption, encapsulation, encoding

6. A NetFlow record

7. Computer security incident

8. Standard operating procedure (SOP)

9. Security event

10. Post-incident activity (postmortem)

11. National CERTs

12. PSIRT

13. CVSS

14. Confidentiality, integrity, and availability

Chapter 9

Do I Know This Already?

1. A. Public, private, and individual investigations are the three broad categories of cybersecurity investigations.

2. D. Fraud, money laundering, and theft; drug-related crime; and murder and acts of violence could be evidence found on a system or network that can be presented in a court of law to support accusations of crime or civil action.

3. B. A suspect-led approach is pejorative and often biased to the disadvantage of those being investigated.

4. D. Digital forensics evidence provides implications and extrapolations that can assist in proving some key fact of the case. Digital evidence helps legal teams and the court develop reliable hypotheses or theories as to the committer of the crime or threat actor. The reliability of the digital evidence is vital to supporting or refuting any hypothesis put forward, including the attribution of threat actors. The reliability of the digital evidence is indeed as important as someone’s testimony to supporting or refuting any hypothesis put forward, including the attribution of threat actors.

5. D. Chain of custody includes the documentation of how evidence was collected and transported. Chain of custody also defines how to protect evidence integrity and evidence preservation.

6. A. Debuggers are used by reverse engineers to observe the program while it is running and to set breakpoints. Debuggers also provide the ability to trace through code.

7. C. In Windows and Linux-based systems, each process starts with a single thread, known as the primary thread, but can also create additional threads from any of its threads.

8. D. A job in Windows is a group of processes.

9. D. NTFS is more secure than FAT32, FAT64, and uFAT.

10. C. Ext4 not only supports journaling but also modifies important data structures of the file system, such as the ones destined to store the file data for better performance and reliability than FAT32. LILO and GRUB are not file systems.

11. C. LILO and GRUB are Linux boot loaders. ILOS and Ubuntu BootPro are not correct.

12. C. The journal is the most used part of the disk, making the blocks that form part of it more prone to hardware failure.

Review Questions

1. VirtualAlloc

2. HeapAlloc

3. Investigator’s name and the date when the image was created

4. Evidence that can be presented in court in the original form

5. Swap

6. Journaling file system

7. Indirect or circumstantial evidence

8. Ext4

9. Heaps

10. image a disk or a disk partition (make a bit-to-bit copy of a disk or a partition)

Chapter 10

Do I Know This Already?

1. B. You should enable Network Time Protocol (NTP) when you collect logs from network devices because log data is useless if it shows the wrong date and time. Using NTP ensures that the correct time is set and that all devices within the network are synchronized.

2. D. Logging to a syslog server is recommended because the storage size of a syslog server does not depend on the router’s resources and is limited only by the amount of disk space available on the external syslog server. Messages in each syslog severity level not only display the events for that level but also show the messages from the lower severity levels. Syslog level 7 should be enabled only when troubleshooting network or system problems.

3. D. The Cisco ASA supports console, terminal, and email logging, along with logging to buffer and to a syslog server.

4. D. ELK is an open source solution for log collection and analysis (including syslog).

5. B and C. Access control policies enable you to specify, inspect, and log the traffic that can traverse your network. An access control policy determines how the system handles traffic on your network. Next-generation firewalls and next-generation IPSs help you identify and mitigate the effects of malware. The FMC file control, network file trajectory, and advanced malware protection (AMP) can detect, track, capture, analyze, log, and optionally block the transmission of files, including malware files and nested files inside archive files.

6. B. NetFlow can help security analysts obtain network traffic metadata in an effective manner to detect abnormal network activity.

7. B. The exhibit shows NetFlow records for traffic from 192.168.88.123 to 172.18.10.2 over TCP port 443.

8. A. Full packet capture demands great system resources and engineering efforts, not only to collect the data and store it but also to be able to analyze it. That is why, in many cases, it is better to obtain network metadata by using NetFlow.

9. B. The exhibit is a network packet capture in tshark or tcpdump showing potential scanning activity from 10.6.6.104.

10. D. Used and open ports, throughput, and session duration are all types of telemetry that can be used to perform network profiling.

Review Questions

1. Wireshark, tcpdump, tshark

2. Hadoop

3. Because you cannot see the actual payload of the packet

4. tshark

5. Source IP address, destination IP address, source port, destination port, and protocol

6. NTP

7. Cisco Network-Based Application Recognition Version 2 (NBAR2)

8. Quality of service (QoS)

9. UDP packets

10. IPFIX

Chapter 11

Do I Know This Already?

1. A, B, C. The IP address of the endpoint or DNS host name, application logs, and processes running on the machine are all useful attributes you should seek to collect from endpoints.

2. A, D. SIEM solutions can collect logs from popular host security products, including antivirus or antimalware applications and personal (host-based) firewalls, as well as host-based intrusion detection systems (HIDS).

3. C, D. RADIUS authentication and administrator login reports are useful reports you can collect from Cisco ISE related to endpoints.

4. B. A listening port is a port held open by a running application to accept inbound connections. Listening ports use values that can range between 1 and 65,535. TCP port 80 is commonly known for Internet traffic. Seeing traffic from a known port will not always identify the associated service, because you can configure different services on different ports. For example, you can configure a web service on TCP port 22 and it does not necessarily mean that you are running SSH. At the same time, SSH can be configured to run in any port.

5. C. A traffic substitution and insertion attack substitutes the payload with data in a different format but with the same meaning.

6. B. Reading port security logs is not a method for identifying running processes. Reading network traffic from a SPAN port with the proper technology, reading traffic inline, and using port scanner technology are all methods that can help identify running processes.

7. A. When it comes to host profiling, throughput is typically measured in bandwidth. In a valley there is an unusually low amount of throughput compared to the normal baseline. In a peak there is a spike in throughput compared to the normal baseline.

8. A. In Windows, user authentication data is stored in a token that is used to describe the security context of all processes associated with the user.

9. A. Heaps can allocate a block of memory at any time and free it at any time.

10. C. The Windows Registry is a database used to store information necessary to configure the system for users, applications, and hardware devices.

11. B. One of the functions of the Windows Registry is to load device drivers and startup programs.

12. D. WMI allows scripting languages to locally and remotely manage Microsoft Windows computers and services.

13. C. A virtual address space in Windows is the set of virtual memory addresses that references the physical memory object a process is permitted to use.

14. A. A handle is an abstract reference to a value, whereas a pointer is a direct reference.

15. A. When Windows moves an object such as a memory block to make room in memory and the location of the object is impacted, the handles table is updated.

16. C. Microsoft Windows services run in their own user session. The rest of the answers are relevant to Windows services.

17. B. Orphan processes can be found on a system when a parent process is terminated and the remaining child process is permitted to continue on its own.

18. D. A zombie process occurs when a process releases the associated memory and resources but remains in the entry table.

19. B. A fork (system call) in Linux is when a parent process creates a child process for a given operation.

20. A. The -rwx-rx-x Linux file permission statement gives permissions to the group owners for read and execute; gives the file owner permission for read, write, and execute; and gives all others permissions for execute.

21. D. Linux and macOS daemons run at different privileges, which are provided by their parent process.

22. A. A symlink will cause a system error if the file it points to is removed.

23. C. A daemon is a computer program that runs as a background process rather than being under direct control of an interactive user.

24. D. Logs with priority levels err, crit, alert, and emerg will be sent if the priority level is set to err on the underlying system.

25. D. Mail is an example of a log facility in Linux.

26. B. A Trojan horse is a type of malware that executes instructions determined by the nature of the Trojan to delete files, steal data, and compromise the integrity of the underlying operating system, typically by leveraging social engineering and convincing a user to install such software.

27. A. Ransomware is a type of malware that compromises a system and then often demands a ransom from the victim to pay the attacker in order for the malicious activity to cease, to recover encrypted files, or for the malware to be removed from the affected system.

28. C and D. ClamAV and Immunet are free antivirus or antimalware software.

29. B. Host-based firewalls are often referred to as personal firewalls.

30. C. The Cisco AMP for Endpoints is an example of a Cisco solution for endpoint protection.

31. B, C, D. File path, filename, and file size are all examples of application file and folder attributes that can help with application whitelisting.

32. A, B, D. The Google Chromium sandboxing, Java virtual machine (JVM) sandboxing, and HTML5 “sandbox” attribute for use with iframes are all examples of sandboxing implementations. HTML CSS and JavaScript sandboxing does not exist.

Review Questions

1. private

2. volatile

3. regedit

4. Windows Registry

5. Windows Management Instrumentation

6. A handle that’s not released after being used

7. Log Parser

8. system-based

9. The continuous management of what is and is not on the whitelist.

10. A list of different entities that have been determined to be malicious

Chapter 12

Do I Know This Already?

1. B. Privacy and confidentiality are benefits of encryption.

2. C. Encryption can be challenging to security monitoring because it can be used by threat actors as a method of evasion and obfuscation, and security monitoring tools might not be able to inspect encrypted traffic.

3. B. The Cisco Stealthwatch System can correlate security monitoring events in environments where NAT is deployed.

4. C. NTP is recommended to make sure that the date and time are synchronized among network and security devices. If the time and date are not synchronized among systems, logs can become almost impossible to correlate.

5. C. A DNS tunnel is when data is encapsulated in the payload of a DNS packet.

6. A, B, C. DeNiSe, dns2tcp, and DNScapy are examples of DNS tunneling tools.

7. D. Tor is a free tool that enables its users to surf the Internet anonymously. You can obtain more information about Tor and the Tor browser at https://www.torproject.org/.

8. B. A Tor exit node is the last Tor node or the gateway where the Tor-encrypted traffic exits to the Internet.

9. A. A SQL injection vulnerability is an input validation vulnerability where an attacker can insert or inject a SQL query via the input data from the client to the application or database.

10. A. Peer-to-peer networking is a distributed architecture that partitions tasks or workloads between peers.

11. D. In a timing attack, an attacker sends traffic slower than normal, not exceeding thresholds inside the time windows the signatures use to correlate different packets together.

12. B. Encryption has been used by attackers to evade IPS and other security technologies.

13. A. A resource exhaustion attack can be used to send a lot of traffic and IP packets to any system (including an IPS) to cause a partial or full denial of service condition.

14. A. Modifying routing tables is not an example of traffic fragmentation. Traffic fragmentation can be done by modifying the TCP/IP in a way that is unexpected by security detection devices, modifying IP headers to cause fragments to overlap, and by segmenting TCP packets.

15. D. Deploying a proxy or inline security solution is one of the best defenses for traffic fragmentation attacks.

16. C. A TCP-injection attack is when the attacker adds a forged TCP packet to an existing TCP session.

17. C. A traffic substitution and insertion attack is when the attacker substitutes the payload with data in a different format but with the same meaning, not modifying the payload.

18. B. Using Unicode instead of ASCII is not a defense against a traffic substitution and insertion attack. To defend against traffic substitution and insertion attacks, you can de-obfuscate Unicode messages, adopt packet format changes, and properly process extended characters.

19. A. Proper patch management, network segmentation, and proper access control are defenses against a pivot attack. Content filtering will not help against a pivoting attack.

20. C. NetFlow can be used to detect a pivot attack.

Review Questions

1. NAT can present a challenge when performing security monitoring and analyzing logs, NetFlow, and other data because device IP addresses can be seen in the logs as the “translated” IP address versus the “real” IP address.

2. A Tor exit node is the last Tor node or the gateway where the Tor encrypted traffic exits to the Internet.

3. exfiltrate

4. encoding

5. Using NTP ensures that the correct time is set and that all devices within the network are synchronized. Also, it helps reduce the number of duplicate logs.

6. Managing networking devices and servers remotely

7. This attack works by setting the offset values in the IP header to not match up, causing one fragment to overlap another.

8. Sending traffic slowly enough that the system accepts it but overlooks it

9. Tor

10. Pivoting or lateral movement
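Review question 7 above describes fragments whose IP header offsets do not line up, so one fragment overlaps another. The following detector is an added example, not code from the book: it models fragments as (IP ID, byte offset, length, MF flag) tuples, groups them by IP ID, and flags any pair of the same datagram whose byte ranges overlap. The fragment list is constructed, and offsets are kept in bytes rather than the 8-byte units of the real header for readability.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Fragment:
    """One IP fragment; offset and length are in bytes (real IP headers use 8-byte units)."""
    ident: int    # IP Identification field, shared by all fragments of one datagram
    offset: int   # position of this fragment's payload within the original datagram
    length: int   # payload bytes carried by this fragment
    more: bool    # More Fragments flag (False on the last fragment)

    @property
    def end(self) -> int:
        return self.offset + self.length


def find_overlaps(frags: List[Fragment]) -> List[Tuple[Fragment, Fragment]]:
    """Return pairs of fragments of the same datagram whose byte ranges overlap.

    Ranges [a.offset, a.end) and [b.offset, b.end) overlap when each one
    starts before the other ends. A correctly fragmented datagram never
    produces such a pair, so any hit is worth an alert.
    """
    by_id: Dict[int, List[Fragment]] = {}
    for f in frags:
        by_id.setdefault(f.ident, []).append(f)
    hits: List[Tuple[Fragment, Fragment]] = []
    for group in by_id.values():
        group.sort(key=lambda f: (f.offset, f.length))
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if b.offset < a.end and a.offset < b.end:
                    hits.append((a, b))
    return hits


# Constructed sample: datagram 0x1234 has a second fragment whose offset (16)
# falls inside the first fragment's range [0, 24); datagram 0x5678 is clean.
SAMPLE = [
    Fragment(0x1234, 0, 24, True),
    Fragment(0x1234, 16, 24, True),
    Fragment(0x1234, 40, 8, False),
    Fragment(0x5678, 0, 16, True),
    Fragment(0x5678, 16, 8, False),
]

if __name__ == "__main__":
    for a, b in find_overlaps(SAMPLE):
        print(f"id={a.ident:#06x}: [{a.offset},{a.end}) overlaps [{b.offset},{b.end})")
```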

Chapter 13

Do I Know This Already?

1. A. Data normalization is the process of capturing, storing, and analyzing data so that it exists in only one form.

2. B. First normal form (1NF), Second normal form (2NF), and Third normal form (3NF) are data normalization methods. First data ingest (FDI) is not a data normalization method.

3. D. Source IP address, source port, destination IP address, destination port, and protocol are the elements of the 5-tuple. IP option is not an element of the 5-tuple.

4. D. The event log shown is an IPS/IDS log. Notice the event and signature IDs.

5. C. Cisco AMP uses threat intelligence from Cisco Talos to perform retrospective analysis and protection. Cisco AMP also provides device and file trajectory capabilities to allow the security administrator to analyze the full spectrum of an attack.

6. D. DNS can be combined with security event logs to identify compromised systems and communications to command and control (CnC or C2) servers.

7. C. Deterministic is the type of analysis where you know and obtain “facts” about the incident, breach, and affected applications.

Review Questions

1. NetFlow record

2. A firewall syslog

3. command and control servers

4. intelligence

5. data normalization
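Items 1 and 3 of the Chapter 13 quiz and review questions 1 and 2 above concern normalizing a firewall syslog and a NetFlow record into the 5-tuple so they can be correlated. The code below is an added example, not from the book: the firewall line format (`%FW-6-CONN: ... src=IP:port dst=IP:port`) and the NetFlow field names are constructed for the example, and the IP 203.0.113.5 is a documentation address.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple, Union


class FiveTuple(NamedTuple):
    """The 5-tuple from the answer key: src IP, src port, dst IP, dst port, protocol."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


IP_PROTO = {6: "TCP", 17: "UDP"}   # NetFlow carries the numeric IP protocol

# Hypothetical firewall syslog line, constructed for this example (not a real vendor format).
FW_LINE = "%FW-6-CONN: Built outbound tcp connection src=192.168.88.123:51234 dst=203.0.113.5:443"
_FW_RE = re.compile(r"\b(?P<proto>tcp|udp) connection src=(?P<sip>[\d.]+):(?P<sp>\d+) "
                    r"dst=(?P<dip>[\d.]+):(?P<dp>\d+)", re.I)

# Constructed NetFlow-style record: already structured, but with different field names
# and a numeric protocol, which is exactly why normalization to one form is needed.
NETFLOW_REC = {"srcaddr": "192.168.88.123", "srcport": 51234,
               "dstaddr": "203.0.113.5", "dstport": 443, "prot": 6}


def normalize_firewall(line: str) -> Optional[FiveTuple]:
    """Parse the free-text firewall line into a FiveTuple; None if it is not a connection event."""
    m = _FW_RE.search(line)
    if not m:
        return None
    return FiveTuple(m["sip"], int(m["sp"]), m["dip"], int(m["dp"]), m["proto"].upper())


def normalize_netflow(rec: Dict[str, Union[str, int]]) -> FiveTuple:
    """Map NetFlow field names and the numeric protocol onto the same FiveTuple shape."""
    return FiveTuple(str(rec["srcaddr"]), int(rec["srcport"]), str(rec["dstaddr"]),
                     int(rec["dstport"]), IP_PROTO.get(int(rec["prot"]), str(rec["prot"])))


def correlate(events: List[Tuple[str, Optional[FiveTuple]]]) -> Dict[FiveTuple, List[str]]:
    """Group (source name, FiveTuple) pairs by 5-tuple so one flow's evidence sits together."""
    grouped: Dict[FiveTuple, List[str]] = {}
    for source, ft in events:
        if ft is not None:
            grouped.setdefault(ft, []).append(source)
    return grouped


if __name__ == "__main__":
    evs = [("firewall", normalize_firewall(FW_LINE)), ("netflow", normalize_netflow(NETFLOW_REC))]
    for ft, sources in correlate(evs).items():
        print(ft, "seen by", sources)
```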

Chapter 14

Do I Know This Already?

1. A. Meta-features are not a required component of the Diamond Model. Technology and social metadata features establish connections between relations. A diamond represents a single event. Adversaries can use one or more infrastructure components to access or compromise a victim.

2. B. An activity-attack graph is useful for highlighting the attacker’s preferences for attacking the victim as well as alternative paths that could be used.

3. D. Weaponization, command and control (C2), and installation are all steps in the cyber kill chain.

4. A. Delivery is how the attacker communicates with the victim, whereas exploitation is the attack used against the victim.

5. B. Redirecting users to a source and scanning traffic to learn about the target is not an example of reconnaissance. The rest of the options are examples of reconnaissance techniques.

6. C. An example of the command and control phase of the kill chain is when the compromised device communicates with a remote command and control (C2) server for instructions.

7. D. Attacking another target, taking data off the network, and listening to traffic inside the network are all examples of an action step from the cyber kill chain.

8. D. Initial access, execution, and credential access are adversary tactics described in ATT&CK.

Review Questions

1. ATT&CK

2. weaponization

3. Diamond Model of Intrusion

4. PRE-ATT&CK

5. weaponization

Chapter 15

Do I Know This Already?

1. C. In threat hunting, the hunting process requires deep knowledge of the network and often is performed by SOC analysts (otherwise known as investigators, threat hunters, tier 2 or tier 3 analysts, and so on).

2. D. Threat hunting could start with a trigger based on an anomaly in the network, information obtained from threat intelligence, and a hypothesis of what an adversary could do to the underlying network and systems in the organization.

3. B. MITRE’s PRE-ATT&CK includes information about the tactics and techniques that adversaries use while preparing for an attack, including gathering information (open-source intelligence [OSINT], technical and people weakness identification, and more).

4. D. Yeti is a tool that can be used to collect and analyze threat intelligence, as well as document investigations and adversarial campaigns. Caldera is a tool created by MITRE and based on the ATT&CK framework to perform automated adversarial emulation. Atomic Red Team is a framework created by Red Canary to help automate red team (adversarial) emulation and attack simulation. Atomic Red Team can be integrated (as a plugin) with MITRE’s Caldera tool.

5. D. None of the available answers can provide all necessary information to conduct a system-specific threat hunt.

Review Questions

1. MITRE ATT&CK

2. vulnerability management

3. threat-hunting

4. automated adversarial emulation

5. Atomic Red Team
