Cycle 18 CCNA CyberOps
What does Cisco AMP do when it detects an unknown file received on an endpoint?
it submits the file to the cloud for future analysis
To ensure a Sysinternals tool runs properly on Windows
run the Sysinternals tool as admin
Linux fork
a running program creating a copy of itself
Linux command scp
securely copies a file from source to destination
What can cause a handle leak?
A handle that's not released after being used
PXgrid is used to enable the sharing of contextual-based information from which devices?
From a Cisco ISE session directory to other policy network systems, such as Cisco IOS devices and the Cisco ASA
Buffer Overflow Attack
Goal: find a system memory-related flaw on a server and exploit it. Exploits the buffer memory by overwhelming it with unexpected values
ARP Ethertype / IPv4 Ethertype
0x806 / 0x800
If the parent process is terminated before its children, what will the PPID column show in the ps command?
1
Used in Cisco TrustSec architecture to provide link-level encryption
MACSec
Hashing Algorithms (weakest to strongest)
MD5, SHA1, SHA2
IIS log parser tool
powerful, versatile tool that makes it possible to run SQL-like queries against log files
Network socket information includes...
protocol, port, and ip address
Cryptographic key contained in an X.509 certificate
public key
If an engineering server's risk of being hacked is assigned a risk level of very high, which assessment strategy is being used?
qualitative
Uses for nslookup
query DNS servers for A records, display the default DNS server, display all the mail servers for a domain
Used to pass multiple virtual LANs
trunk link
CA in a PKI deployment
trusted 3rd party that signs the public keys; issues either a certificate revocation list or uses an OCSP process to determine certificate validity
WMI cannot be used to...
uninstall an application
Pins monitored by a network tap
TX pin on inbound, TX pin on outbound
Fork System vs Exec System
Fork system call creates a new kernel instance. Exec system call executes a command within the current kernel instance.
Default location in Linux for the syslog or rsyslog config file
/etc directory
File which can be referenced to show the boot parameters processed by the boot loader
/proc/cmdline
2 true statements regarding malvertisements
1. Are sometimes set up to affect all visitors to a site during a specific period of time; 2. Affect both trustworthy and untrustworthy sites
3 changes in modern networks that require enhanced security
1. Widely known and open ports; 2. Global connectivity of the Internet; 3. Increased complexity of OS and application software
Router with 4 interfaces, each connected to four switches; how many broadcast domains?
4
Port access control tech that allows dynamic authorization policy to be downloaded from the authentication server
802.1X
During incident investigations, what does the AMP for endpoints device trajectory feature show?
Actions that have been performed on the victim's host
Collision Attacks
An attempt to find two input strings of a hash function that produce the same hash result
Practical usage of the Diamond model
Analytical pivoting
Examples of exploit kits
Angler & Blackhole
two data items that an analyst can learn about a data exfiltration alarm by using Cisco stealthwatch
Application or protocol used to transfer the data, and the IP address to which the data was sent
Where is EAPoL traffic seen?
Between supplicant & authenticator
RADIUS exchange happens
Between the network access server & the authentication server
Software that can enable you to encrypt files on your hard drive
BitLocker
Two IT security control frameworks offering good starting points & can be used together
COBIT & ISO/IEC 27002:2013
Used by Cisco AVC to provide deep packet inspection tech to identify a wide variety of applications within a network flow using Layer 3 to Layer 7 data
Cisco Network-based Application Recognition version 2 (NBAR2)
Cisco cloud security solutions
Cloudlock & OpenDNS
3 factors that contribute to CVSS score
Confidentiality, privileges, and availability
Important distinctions of HTTP
Cookie info is sent in the response header and the request header, and is stored in the client's browser
Option used by Diffie-Hellman to determine strength of key used in a key agreement process
DH Group
one way to mitigate DHCP attacks using a Cisco switch
DHCP snooping
2 protocols often used for DDOS amplification attacks
DNS & NTP
DNS tunneling tool example
DNScapy
DNS tunneling tools
DNScapy, dns2tcp, DeNiSe
Why are enterprises reluctant to move to cloud-based security services
Data within cloud is not natively secure, and customer data breaches are a major concern for enterprises
Established attacks can be detected by which 3 methods
Decent set of IPS signatures applied, updated anti-virus signatures, and updated IP/domain blacklists
Best defense for traffic fragmentation attacks
Deploying a proxy or inline security solution
Transparent proxy vs Explicit proxy deployment
In an explicit proxy deployment, the client web browser must be statically set to use the HTTP proxy
AAA protocol allows for capability exchange
Diameter
Depending on the version of Netflow, a network infrastructure device can gather...
Differentiated services codepoint (DSCP), device's input interface, TCP flags, and Type of Service (TOS) byte
Asymmetrical Encryption Algorithms
Diffie-Hellman key exchange protocol, RSA, ElGamal, Digital Signature Algorithm (DSA), and Elliptic Curve Cryptography (ECC)
2 fields within an X.509v3 end-entity certificate
Digital signature & public key associated with the subject
Classless routing protocols
EIGRP, OSPF, RIPv2
ICMP messages used by ping command
Echo Request & Echo Reply
Evasion Methods
Encryption + tunneling, resource exhaustion, traffic fragmentation, protocol level misinterpretation, traffic substitution, traffic insertion, pivoting, and rootkits
Attributes exchanged in IKEv1 phase 1
Encryption algorithms, hashing algorithms, Diffie-Hellman Groups, Vendor-specific attributes
File & folder attributes that can help with application whitelisting
File path, file name, and file size
HTTP method used to request a response without the response body
HEAD
What type of security tool is OSSEC?
HIDS
Big data analytics tech used by several frameworks in SOCs
Hadoop
DNS tunneling attack
Hides malicious instructions inside DNS queries and responses
3 options needed for a host to ping another host on the same network
ICMP echo request+reply, Source & Destination IP addresses, and Source & Destination MAC addresses
two techniques an attacker will utilize to have a client send packets to the wrong gateway
ICMP redirect & ARP poisoning
Required command on interface to apply ACL as packet filter
IP access-group
Cisco switches can incorporate VLAN traffic into a trunk using these two methods
ISL & 802.1Q
Which IP header field is used to recognize fragments from the same packet?
Identification
Why is using ECDHE_ECDSA stronger than using RSA?
If the server's private key is later compromised, all the prior TLS handshakes that are done using the cipher suite cannot be compromised
How does 802.1Q incorporate VLAN info onto an Ethernet frame
Inserts a 4-byte header after the source MAC address in the original Ethernet frame
ISO 31000
International standard for general risk management; principles and guidelines for managing risks
The FMC can share HTML, PDF, and CSV data types related to...
Intrusion events
Malicious Windows OS codes that share a single virtual address space, and can manage the system CPU and memory resources directly are running in which mode?
Kernel
Examples of P2P tools
Lionshare, Napster, Peercoin
Host on an Ethernet network must know the __________ of a destination in order to send an Ethernet frame to that destination
MAC Address
When researching a Windows OS vulnerability, __________ can provide information about a specific vulnerability
NIST
3 types of traffic to be aware of because the traffic might be botnet C&C traffic
P2P, DNS, and IRC
Public Key Standard
PKCS #10
Uses TCP port 110
POP
Windows directory that stores 64-bit applications
Program Files
Established keyword in ACL entry indicates
Reply packets that belong to an established TCP connection will be permitted if the TCP packet has the ACK or RST bit set
Splunk
SIEM system; one of the more proprietary SIEM systems used by SOCs
UDP-based attack examples
SQL Slammer & UDP flooding
Regulation that specifically addresses credit card compliance
Safe Harbor Act
Examples of protocols used for VPN implementations
Secure Socket Layer (SSL), Multiprotocol Label Switching (MPLS), Internet Protocol Security (IPSec)
Root CAs can delegate their authority to ___________ to create + assign identity certificates to clients
Subordinate CAs
2 primary linux processes that are used for managing services
System V init & systemd
On a multilayer switch, which table retains QoS info?
TCAM
IMAP
TCP port 143
How network-based malware protection feature detects a possible event
The firewall applies broad-based application and file control policies to detect malware
True statement about the Diffie-Hellman key agreement
The higher the Diffie-Hellman group number, the larger the key size
Process of key management deals with...
The secure generation, verification, exchange, storage, and destruction of keys
Application -specific records generated from network traffic
Transaction data
Not a defense against a traffic substitution and insertion attack
Using unicode instead of ASCII
2 hypervisors currently supported in a virtual implementation of Cisco WSA
VMware ESXi & Kernel-based Virtual Machine
Best description of malware reverse engineering
a method of understanding how malware behaves
Best describes amplification attack
a small forged packet elicits a large reply from reflectors
Patch management model to install patch automatically
agent based
Determines speed at which password can be cracked using the brute force method
attacker's computer speed & the length and complexity of the password
why can encryption cause problems when analyzing data in packet captures?
because you cannot see the actual payload of the packet
What does the 766 command do to a file?
changes the file's read/write/execute permissions to a desired configuration
Services provided by lightweight access points
channel encryption & the transmission+reception of frames
Programs designed to interact with PowerShell
cmdlets
Not a defense against a pivot attack
content filtering
Needed to map your dynamic ip address to your domain name
dynamic dns
Implicit ACL entry that is at the end of the ACL
deny ip any any
3 reasons to use HTTPS
encrypt data, ensure identity, and avoid detection
Important function of winload.exe
ensure that the drivers that it reads are digitally signed to maintain the security of the system
2 critical elements required during chain of custody of forensic evidence
exact time evidence was collected & who handled the evidence
DNS shadowing attack
hijacked domains are used to create subdomains which are used to resolve to malicious websites
Use _________ to block a host port scan
host-based firewall
How can you tell if a route has been poisoned in the routing table?
it has an infinite metric assigned to it
Cisco CTA
leverages network traffic behaviors, machine learning, and anomaly detection to detect security breaches.
command allowing you to view a list of open files/connections
lsof
On an infected Windows host, what command can verify if the host has an established HTTP connection to the CnC server?
netstat
Examples of vulnerability + port scanners
nmap, Nexpose, Nessus
Windows component used by applications to modify system resources
object handle
This action must be taken to validate a digital signature
obtain the signer's public key
How many broadcast domains are created if 3 hosts are connected to a Layer 2 switch in full-duplex mode?
one
3 valid SQL commands
select, update, alter
DNS iterative query
sent from a DNS server to other servers to resolve a domain
2 uses for DNS covert tunnels
stealthy data exfiltration & issuing CnC traffic to bots on the network
2 options to be included in the CSR that is to be signed by a CA
subject's public key info & subject's identity info
After attackers gain access to a system, what method can they use to expand their access to other systems without exploiting vulnerabilities on the other system's network?
take advantage of domain trust to make connections to a partner network
TCP injection attack
the addition of a forged TCP packet to an existing TCP session
When investigating a malicious Windows application, these two also need to be investigated
threads and processes
How can an SMB worm self-propagate throughout a network?
using Windows file shares
Useful reports collected from Cisco ISE related endpoints
web server log reports, top application reports, and admin login reports
A __________ process continues to be recorded in the process table after it has ended and its status is returned to the parent
zombie