Cisco CyberOps Associate CBROPS 200-201 Official Cert Guide

Omar Santos

$140.95   $126.53

Mixed media product

English
Cisco Press
29 December 2020
Cisco CyberOps Associate CBROPS 200-201 Official Cert Guide presents you with an organised test-preparation routine using proven series elements and techniques. Do I Know This Already? quizzes open each chapter and enable you to decide how much time you need to spend on each section. Exam topic lists make referencing easy. Chapter-ending Exam Preparation Tasks help you drill on key concepts you must know thoroughly.

Master Cisco CyberOps Associate CBROPS 200-201 exam topics
Assess your knowledge with chapter-opening quizzes
Review key concepts with exam preparation tasks
Practice with realistic exam questions in the practice test software

Cisco CyberOps Associate CBROPS 200-201 Official Cert Guide from Cisco Press enables you to succeed on the exam the first time and is the only self-study resource approved by Cisco. Leading Cisco technology expert Omar Santos shares preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills.

This complete study package includes:

A test-preparation routine proven to help you pass the exam
Do I Know This Already? quizzes, which enable you to decide how much time you need to spend on each section
Chapter-ending exercises, which help you drill on key concepts you must know thoroughly
The powerful Pearson Test Prep Practice Test software, with two full exams comprised of well-reviewed, exam-realistic questions, customization options, and detailed performance reports
A video mentoring lesson from the author's Complete Video Course
A final preparation chapter, which guides you through tools and resources to help you craft your review and test-taking strategies
Study plan suggestions and templates to help you organise and optimise your study time


Imprint: Cisco Press
Country of Publication: United States
Dimensions: Height 234mm, Width 196mm, Spine 38mm
Weight: 1.320kg
ISBN: 9780136807834
ISBN 10: 0136807836
Series: Certification Guide
Pages: 688
Audience: Professional and scholarly, Undergraduate
Format: Mixed media product
Publisher's Status: Active
Table of Contents

Introduction

Chapter 1 Cybersecurity Fundamentals
  Do I Know This Already? Quiz
  Foundation Topics
  Introduction to Cybersecurity
  Cybersecurity vs. Information Security (Infosec)
  The NIST Cybersecurity Framework
  Additional NIST Guidance and Documents
  The International Organization for Standardization
  Threats, Vulnerabilities, and Exploits
  What Is a Threat?
  What Is a Vulnerability?
  What Is an Exploit?
  Risk, Assets, Threats, and Vulnerabilities
  Threat Actors
  Threat Intelligence
  Threat Intelligence Platform
  Vulnerabilities, Exploits, and Exploit Kits
  SQL Injection
  HTML Injection
  Command Injection
  Authentication-Based Vulnerabilities
  Cross-Site Scripting
  Cross-Site Request Forgery
  Cookie Manipulation Attacks
  Race Conditions
  Unprotected APIs
  Return-to-LibC Attacks and Buffer Overflows
  OWASP Top 10
  Security Vulnerabilities in Open-Source Software
  Network Security Systems
  Traditional Firewalls
  Firewalls in the Data Center
  Virtual Firewalls
  Deep Packet Inspection
  Next-Generation Firewalls
  Intrusion Detection Systems and Intrusion Prevention Systems
  Pattern Matching and Stateful Pattern-Matching Recognition
  Protocol Analysis
  Heuristic-Based Analysis
  Anomaly-Based Analysis
  Global Threat Correlation Capabilities
  Next-Generation Intrusion Prevention Systems
  Firepower Management Center
  Advanced Malware Protection
  AMP for Endpoints
  AMP for Networks
  Web Security Appliance
  Email Security Appliance
  Cisco Security Management Appliance
  Cisco Identity Services Engine
  Security Cloud-Based Solutions
  Cisco Cloud Email Security
  Cisco AMP Threat Grid
  Umbrella (OpenDNS)
  Stealthwatch Cloud
  CloudLock
  Cisco NetFlow
  Data Loss Prevention
  The Principles of the Defense-in-Depth Strategy
  Confidentiality, Integrity, and Availability: The CIA Triad
  Confidentiality
  Integrity
  Availability
  Risk and Risk Analysis
  Personally Identifiable Information and Protected Health Information
  PII
  PHI
  Principle of Least Privilege and Separation of Duties
  Principle of Least Privilege
  Separation of Duties
  Security Operations Centers
  Playbooks, Runbooks, and Runbook Automation
  Digital Forensics
  Exam Preparation Tasks

Chapter 2 Introduction to Cloud Computing and Cloud Security
  Do I Know This Already? Quiz
  Foundation Topics
  Cloud Computing and the Cloud Service Models
  Cloud Security Responsibility Models
  Patch Management in the Cloud
  Security Assessment in the Cloud
  DevOps, Continuous Integration (CI), Continuous Delivery (CD), and DevSecOps
  The Agile Methodology
  DevOps
  CI/CD Pipelines
  The Serverless Buzzword
  A Quick Introduction to Containers and Docker
  Container Management and Orchestration
  Understanding the Different Cloud Security Threats
  Cloud Computing Attacks
  Exam Preparation Tasks

Chapter 3 Access Control Models
  Do I Know This Already? Quiz
  Foundation Topics
  Information Security Principles
  Subject and Object Definition
  Access Control Fundamentals
  Identification
  Authentication
  Authorization
  Accounting
  Access Control Fundamentals: Summary
  Access Control Process
  Asset Classification
  Asset Marking
  Access Control Policy
  Data Disposal
  Information Security Roles and Responsibilities
  Access Control Types
  Access Control Models
  Discretionary Access Control
  Mandatory Access Control
  Role-Based Access Control
  Attribute-Based Access Control
  Access Control Mechanisms
  Identity and Access Control Implementation
  Authentication, Authorization, and Accounting Protocols
  Port-Based Access Control
  Network Access Control List and Firewalling
  Identity Management and Profiling
  Network Segmentation
  Intrusion Detection and Prevention
  Antivirus and Antimalware
  Exam Preparation Tasks

Chapter 4 Types of Attacks and Vulnerabilities
  Do I Know This Already? Quiz
  Foundation Topics
  Types of Attacks
  Reconnaissance Attacks
  Social Engineering
  Privilege Escalation Attacks
  Backdoors
  Buffer Overflows and Code Execution
  Man-in-the-Middle Attacks
  Denial-of-Service Attacks
  Direct DDoS
  Botnets Participating in DDoS Attacks
  Reflected DDoS Attacks
  Attack Methods for Data Exfiltration
  ARP Cache Poisoning
  Spoofing Attacks
  Route Manipulation Attacks
  Password Attacks
  Wireless Attacks
  Types of Vulnerabilities
  Exam Preparation Tasks

Chapter 5 Fundamentals of Cryptography and Public Key Infrastructure (PKI)
  Do I Know This Already? Quiz
  Foundation Topics
  Cryptography
  Ciphers and Keys
  Keys
  Key Management
  Block and Stream Ciphers
  Block Ciphers
  Stream Ciphers
  Symmetric and Asymmetric Algorithms
  Symmetric Algorithms
  Asymmetric Algorithms
  Elliptic Curve
  Quantum Cryptography
  More Encryption Types
  Hashes
  Hashed Message Authentication Code
  Digital Signatures
  Digital Signatures in Action
  Next-Generation Encryption Protocols
  IPsec and SSL/TLS
  IPsec
  Secure Sockets Layer and Transport Layer Security
  SSH
  Fundamentals of PKI
  Public and Private Key Pairs
  RSA Algorithm, the Keys, and Digital Certificates
  Certificate Authorities
  Root and Identity Certificates
  Root Certificate
  Identity Certificates
  X.500 and X.509v3
  Authenticating and Enrolling with the CA
  Public Key Cryptography Standards
  Simple Certificate Enrollment Protocol
  Revoking Digital Certificates
  Using Digital Certificates
  PKI Topologies
  Cross-Certifying CAs
  Exam Preparation Tasks

Chapter 6 Introduction to Virtual Private Networks (VPNs)
  Do I Know This Already? Quiz
  Foundation Topics
  What Are VPNs?
  Site-to-Site vs. Remote-Access VPNs
  An Overview of IPsec
  IKEv1 Phase 1
  IKEv1 Phase 2
  IKEv2
  SSL VPNs
  SSL VPN Design Considerations
  Exam Preparation Tasks

Chapter 7 Introduction to Security Operations Management
  Do I Know This Already? Quiz
  Foundation Topics
  Introduction to Identity and Access Management
  Phases of the Identity and Access Life Cycle
  Password Management
  Directory Management
  Single Sign-On
  Federated SSO
  Security Events and Log Management
  Log Collection, Analysis, and Disposal
  Security Information and Event Manager
  Security Orchestration, Automation, and Response (SOAR)
  SOC Case Management (Ticketing) Systems
  Asset Management
  Asset Inventory
  Asset Ownership
  Asset Acceptable Use and Return Policies
  Asset Classification
  Asset Labeling
  Asset and Information Handling
  Media Management
  Introduction to Enterprise Mobility Management
  Mobile Device Management
  Configuration and Change Management
  Configuration Management
  Change Management
  Vulnerability Management
  Vulnerability Identification
  Vulnerability Analysis and Prioritization
  Vulnerability Remediation
  Patch Management
  Exam Preparation Tasks

Chapter 8 Fundamentals of Intrusion Analysis
  Do I Know This Already? Quiz
  Foundation Topics
  Introduction to Incident Response
  The Incident Response Plan
  The Incident Response Process
  The Preparation Phase
  The Detection and Analysis Phase
  Containment, Eradication, and Recovery
  Post-Incident Activity (Postmortem)
  Information Sharing and Coordination
  Incident Response Team Structure
  Computer Security Incident Response Teams
  Product Security Incident Response Teams
  National CSIRTs and Computer Emergency Response Teams
  Coordination Centers
  Incident Response Providers and Managed Security Service Providers (MSSPs)
  Common Artifact Elements and Sources of Security Events
  The 5-Tuple
  File Hashes
  Tips on Building Your Own Lab
  False Positives, False Negatives, True Positives, and True Negatives
  Understanding Regular Expressions
  Protocols, Protocol Headers, and Intrusion Analysis
  How to Map Security Event Types to Source Technologies
  Exam Preparation Tasks

Chapter 9 Introduction to Digital Forensics
  Do I Know This Already? Quiz
  Foundation Topics
  Introduction to Digital Forensics
  The Role of Attribution in a Cybersecurity Investigation
  The Use of Digital Evidence
  Defining Digital Forensic Evidence
  Understanding Best, Corroborating, and Indirect or Circumstantial Evidence
  Collecting Evidence from Endpoints and Servers
  Using Encryption
  Analyzing Metadata
  Analyzing Deleted Files
  Collecting Evidence from Mobile Devices
  Collecting Evidence from Network Infrastructure Devices
  Evidentiary Chain of Custody
  Reverse Engineering
  Fundamentals of Microsoft Windows Forensics
  Processes, Threads, and Services
  Memory Management
  Windows Registry
  The Windows File System
  FAT
  NTFS
  Fundamentals of Linux Forensics
  Linux Processes
  Ext4
  Journaling
  Linux MBR and Swap File System
  Exam Preparation Tasks

Chapter 10 Network Infrastructure Device Telemetry and Analysis
  Do I Know This Already? Quiz
  Foundation Topics
  Network Infrastructure Logs
  Network Time Protocol and Why It Is Important
  Configuring Syslog in a Cisco Router or Switch
  Traditional Firewall Logs
  Console Logging
  Terminal Logging
  ASDM Logging
  Email Logging
  Syslog Server Logging
  SNMP Trap Logging
  Buffered Logging
  Configuring Logging on the Cisco ASA
  Syslog in Large-Scale Environments
  Splunk
  Graylog
  Elasticsearch, Logstash, and Kibana (ELK) Stack
  Next-Generation Firewall and Next-Generation IPS Logs
  NetFlow Analysis
  What Is a Flow in NetFlow?
  The NetFlow Cache
  NetFlow Versions
  IPFIX
  IPFIX Architecture
  IPFIX Mediators
  IPFIX Templates
  Commercial NetFlow Analysis Tools
  Big Data Analytics for Cybersecurity Network Telemetry
  Cisco Application Visibility and Control (AVC)
  Network Packet Capture
  tcpdump
  Wireshark
  Network Profiling
  Throughput
  Measuring Throughput
  Used Ports
  Session Duration
  Critical Asset Address Space
  Exam Preparation Tasks

Chapter 11 Endpoint Telemetry and Analysis
  Do I Know This Already? Quiz
  Foundation Topics
  Understanding Host Telemetry
  Logs from User Endpoints
  Logs from Servers
  Host Profiling
  Listening Ports
  Logged-in Users/Service Accounts
  Running Processes
  Applications Identification
  Analyzing Windows Endpoints
  Windows Processes and Threads
  Memory Allocation
  The Windows Registry
  Windows Management Instrumentation
  Handles
  Services
  Windows Event Logs
  Linux and macOS Analysis
  Processes in Linux
  Forks
  Permissions
  Symlinks
  Daemons
  Linux-Based Syslog
  Apache Access Logs
  NGINX Logs
  Endpoint Security Technologies
  Antimalware and Antivirus Software
  Host-Based Firewalls and Host-Based Intrusion Prevention
  Application-Level Whitelisting and Blacklisting
  System-Based Sandboxing
  Sandboxes in the Context of Incident Response
  Exam Preparation Tasks

Chapter 12 Challenges in the Security Operations Center (SOC)
  Do I Know This Already? Quiz
  Foundation Topics
  Security Monitoring Challenges in the SOC
  Security Monitoring and Encryption
  Security Monitoring and Network Address Translation
  Security Monitoring and Event Correlation Time Synchronization
  DNS Tunneling and Other Exfiltration Methods
  Security Monitoring and Tor
  Security Monitoring and Peer-to-Peer Communication
  Additional Evasion and Obfuscation Techniques
  Resource Exhaustion
  Traffic Fragmentation
  Protocol-Level Misinterpretation
  Traffic Timing, Substitution, and Insertion
  Pivoting
  Exam Preparation Tasks

Chapter 13 The Art of Data and Event Analysis
  Do I Know This Already? Quiz
  Foundation Topics
  Normalizing Data
  Interpreting Common Data Values into a Universal Format
  Using the 5-Tuple Correlation to Respond to Security Incidents
  Using Retrospective Analysis and Identifying Malicious Files
  Identifying a Malicious File
  Mapping Threat Intelligence with DNS and Other Artifacts
  Using Deterministic Versus Probabilistic Analysis
  Exam Preparation Tasks

Chapter 14 Classifying Intrusion Events into Categories
  Do I Know This Already? Quiz
  Foundation Topics
  Diamond Model of Intrusion
  Cyber Kill Chain Model
  Reconnaissance
  Weaponization
  Delivery
  Exploitation
  Installation
  Command and Control
  Action on Objectives
  The Kill Chain vs. MITRE's ATT&CK
  Exam Preparation Tasks

Chapter 15 Introduction to Threat Hunting
  Do I Know This Already? Quiz
  Foundation Topics
  What Is Threat Hunting?
  Threat Hunting vs. Traditional SOC Operations vs. Vulnerability Management
  The Threat-Hunting Process
  Threat-Hunting Maturity Levels
  Threat Hunting and MITRE's ATT&CK
  Automated Adversarial Emulation
  Threat-Hunting Case Study
  Threat Hunting, Honeypots, Honeynets, and Active Defense
  Exam Preparation Tasks

Chapter 16 Final Preparation
  Hands-on Activities
  Suggested Plan for Final Review and Study
  Summary

Glossary of Key Terms

Appendix A Answers to the Do I Know This Already? Quizzes and Review Questions

Appendix B Understanding Cisco Cybersecurity Operations Fundamentals CBROPS 200-201 Exam Updates

Online Elements
  Appendix C Study Planner
  Glossary of Key Terms

Omar Santos is an active member of the security community, where he leads several industry-wide initiatives. His active role helps businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to increasing the security of critical infrastructure. Omar is the chair of the OASIS Common Security Advisory Framework (CSAF) technical committee, the co-chair of the Forum of Incident Response and Security Teams (FIRST) Open Source Security working group, and the co-lead of the DEF CON Red Team Village. Omar is the author of more than 20 books and video courses as well as numerous white papers, articles, and security configuration guidelines and best practices. Omar is a principal engineer of the Cisco Product Security Incident Response Team (PSIRT), where he mentors and leads engineers and incident managers during the investigation and resolution of security vulnerabilities. Omar has been quoted by numerous media outlets, such as The Register, Wired, ZDNet, ThreatPost, CyberScoop, TechCrunch, Fortune Magazine, Ars Technica, and more. You can follow Omar on Twitter @santosomar.