<p>Introduction xxvi<br>
<strong>Chapter 1</strong> Cybersecurity Fundamentals 2<br>
“Do I Know This Already?” Quiz 3<br>
Foundation Topics 8<br>
Introduction to Cybersecurity 8<br>
 Cybersecurity vs. Information Security (Infosec) 8<br>
 The NIST Cybersecurity Framework 9<br>
 Additional NIST Guidance and Documents 9<br>
 The International Organization for Standardization 10<br>
Threats, Vulnerabilities, and Exploits 10<br>
 What Is a Threat? 10<br>
 What Is a Vulnerability? 11<br>
 What Is an Exploit? 13<br>
 Risk, Assets, Threats, and Vulnerabilities 15<br>
 Threat Actors 17<br>
 Threat Intelligence 17<br>
 Threat Intelligence Platform 19<br>
 Vulnerabilities, Exploits, and Exploit Kits 20<br>
 SQL Injection 21<br>
 HTML Injection 22<br>
 Command Injection 22<br>
 Authentication-Based Vulnerabilities 22<br>
 Cross-Site Scripting 25<br>
 Cross-Site Request Forgery 27<br>
 Cookie Manipulation Attacks 27<br>
 Race Conditions 27<br>
 Unprotected APIs 27<br>
 Return-to-LibC Attacks and Buffer Overflows 28<br>
 OWASP Top 10 29<br>
 Security Vulnerabilities in Open-Source Software 29<br>
Network Security Systems 30<br>
 Traditional Firewalls 30<br>
 Firewalls in the Data Center 42<br>
 Virtual Firewalls 44<br>
 Deep Packet Inspection 44<br>
 Next-Generation Firewalls 45<br>
Intrusion Detection Systems and Intrusion Prevention Systems 46<br>
 Pattern Matching and Stateful Pattern-Matching Recognition 47<br>
 Protocol Analysis 48<br>
 Heuristic-Based Analysis 49<br>
 Anomaly-Based Analysis 49<br>
 Global Threat Correlation Capabilities 50<br>
 Next-Generation Intrusion Prevention Systems 50<br>
 Firepower Management Center 50<br>
Advanced Malware Protection 50<br>
 AMP for Endpoints 50<br>
 AMP for Networks 53<br>
Web Security Appliance 54<br>
Email Security Appliance 58<br>
Cisco Security Management Appliance 60<br>
Cisco Identity Services Engine 60<br>
Security Cloud-Based Solutions 62<br>
 Cisco Cloud Email Security 62<br>
 Cisco AMP Threat Grid 62<br>
 Umbrella (OpenDNS) 63<br>
 Stealthwatch Cloud 63<br>
 CloudLock 64<br>
Cisco NetFlow 64<br>
Data Loss Prevention 65<br>
The Principles of the Defense-in-Depth Strategy 66<br>
Confidentiality, Integrity, and Availability: The CIA Triad 69<br>
 Confidentiality 69<br>
 Integrity 70<br>
 Availability 70<br>
Risk and Risk Analysis 70<br>
Personally Identifiable Information and Protected Health Information 72<br>
 PII 72<br>
 PHI 72<br>
Principle of Least Privilege and Separation of Duties 73<br>
 Principle of Least Privilege 73<br>
 Separation of Duties 73<br>
Security Operations Centers 74<br>
Playbooks, Runbooks, and Runbook Automation 75<br>
Digital Forensics 76<br>
Exam Preparation Tasks 78<br>
<strong>Chapter 2</strong> Introduction to Cloud Computing and Cloud Security 82<br>
“Do I Know This Already?” Quiz 82<br>
Foundation Topics 84<br>
Cloud Computing and the Cloud Service Models 84<br>
Cloud Security Responsibility Models 86<br>
 Patch Management in the Cloud 88<br>
 Security Assessment in the Cloud 88<br>
DevOps, Continuous Integration (CI), Continuous Delivery (CD), and DevSecOps 88<br>
 The Agile Methodology 89<br>
 DevOps 90<br>
 CI/CD Pipelines 90<br>
 The Serverless Buzzword 92<br>
 A Quick Introduction to Containers and Docker 92<br>
 Container Management and Orchestration 94<br>
Understanding the Different Cloud Security Threats 95<br>
 Cloud Computing Attacks 97<br>
Exam Preparation Tasks 99<br>
<strong>Chapter 3</strong> Access Control Models 102<br>
“Do I Know This Already?” Quiz 102<br>
Foundation Topics 105<br>
Information Security Principles 105<br>
Subject and Object Definition 106<br>
Access Control Fundamentals 107<br>
 Identification 107<br>
 Authentication 108<br>
 Authorization 110<br>
 Accounting 110<br>
 Access Control Fundamentals: Summary 110<br>
Access Control Process 111<br>
 Asset Classification 112<br>
 Asset Marking 113<br>
 Access Control Policy 114<br>
 Data Disposal 114<br>
Information Security Roles and Responsibilities 115<br>
Access Control Types 117<br>
Access Control Models 119<br>
 Discretionary Access Control 121<br>
 Mandatory Access Control 122<br>
 Role-Based Access Control 123<br>
 Attribute-Based Access Control 125<br>
Access Control Mechanisms 127<br>
Identity and Access Control Implementation 129<br>
 Authentication, Authorization, and Accounting Protocols 130<br>
 Port-Based Access Control 135<br>
 Network Access Control List and Firewalling 138<br>
 Identity Management and Profiling 140<br>
 Network Segmentation 141<br>
 Intrusion Detection and Prevention 144<br>
 Antivirus and Antimalware 148<br>
Exam Preparation Tasks 149<br>
<strong>Chapter 4</strong> Types of Attacks and Vulnerabilities 152<br>
“Do I Know This Already?” Quiz 152<br>
Foundation Topics 154<br>
Types of Attacks 154<br>
 Reconnaissance Attacks 154<br>
 Social Engineering 160<br>
 Privilege Escalation Attacks 162<br>
 Backdoors 163<br>
 Buffer Overflows and Code Execution 163<br>
 Man-in-the-Middle Attacks 165<br>
 Denial-of-Service Attacks 166<br>
 Direct DDoS 166<br>
 Botnets Participating in DDoS Attacks 167<br>
 Reflected DDoS Attacks 167<br>
 Attack Methods for Data Exfiltration 168<br>
 ARP Cache Poisoning 169<br>
 Spoofing Attacks 170<br>
 Route Manipulation Attacks 171<br>
 Password Attacks 171<br>
 Wireless Attacks 172<br>
Types of Vulnerabilities 172<br>
Exam Preparation Tasks 174<br>
<strong>Chapter 5</strong> Fundamentals of Cryptography and Public Key Infrastructure (PKI) 178<br>
“Do I Know This Already?” Quiz 178<br>
Foundation Topics 182<br>
Cryptography 182<br>
 Ciphers and Keys 182<br>
 Keys 183<br>
 Key Management 183<br>
Block and Stream Ciphers 183<br>
 Block Ciphers 184<br>
 Stream Ciphers 184<br>
Symmetric and Asymmetric Algorithms 184<br>
 Symmetric Algorithms 184<br>
 Asymmetric Algorithms 185<br>
 Elliptic Curve 186<br>
 Quantum Cryptography 187<br>
 More Encryption Types 187<br>
Hashes 189<br>
 Hashed Message Authentication Code 191<br>
Digital Signatures 192<br>
 Digital Signatures in Action 192<br>
Next-Generation Encryption Protocols 195<br>
IPsec and SSL/TLS 196<br>
 IPsec 196<br>
 Secure Sockets Layer and Transport Layer Security 196<br>
 SSH 198<br>
Fundamentals of PKI 199<br>
 Public and Private Key Pairs 199<br>
 RSA Algorithm, the Keys, and Digital Certificates 199<br>
 Certificate Authorities 200<br>
Root and Identity Certificates 202<br>
 Root Certificate 202<br>
 Identity Certificates 204<br>
 X.500 and X.509v3 204<br>
 Authenticating and Enrolling with the CA 205<br>
 Public Key Cryptography Standards 206<br>
 Simple Certificate Enrollment Protocol 206<br>
Revoking Digital Certificates 207<br>
Using Digital Certificates 207<br>
 PKI Topologies 208<br>
 Cross-Certifying CAs 208<br>
Exam Preparation Tasks 209<br>
<strong>Chapter 6</strong> Introduction to Virtual Private Networks (VPNs) 212<br>
“Do I Know This Already?” Quiz 212<br>
Foundation Topics 214<br>
What Are VPNs? 214<br>
Site-to-Site vs. Remote-Access VPNs 215<br>
An Overview of IPsec 216<br>
 IKEv1 Phase 1 217<br>
 IKEv1 Phase 2 220<br>
 IKEv2 222<br>
SSL VPNs 225<br>
 SSL VPN Design Considerations 227<br>
Exam Preparation Tasks 229<br>
<strong>Chapter 7</strong> Introduction to Security Operations Management 232<br>
“Do I Know This Already?” Quiz 232<br>
Foundation Topics 235<br>
Introduction to Identity and Access Management 235<br>
 Phases of the Identity and Access Life Cycle 235<br>
 Password Management 236<br>
 Directory Management 241<br>
 Single Sign-On 243<br>
 Federated SSO 246<br>
Security Events and Log Management 251<br>
 Log Collection, Analysis, and Disposal 251<br>
 Security Information and Event Manager 255<br>
 Security Orchestration, Automation, and Response (SOAR) 257<br>
 SOC Case Management (Ticketing) Systems 257<br>
Asset Management 257<br>
 Asset Inventory 258<br>
 Asset Ownership 259<br>
 Asset Acceptable Use and Return Policies 259<br>
 Asset Classification 260<br>
 Asset Labeling 260<br>
 Asset and Information Handling 260<br>
 Media Management 260<br>
Introduction to Enterprise Mobility Management 261<br>
 Mobile Device Management 263<br>
Configuration and Change Management 268<br>
 Configuration Management 268<br>
 Change Management 270<br>
Vulnerability Management 273<br>
 Vulnerability Identification 273<br>
 Vulnerability Analysis and Prioritization 282<br>
 Vulnerability Remediation 286<br>
Patch Management 287<br>
Exam Preparation Tasks 291<br>
<strong>Chapter 8</strong> Fundamentals of Intrusion Analysis 294<br>
“Do I Know This Already?” Quiz 294<br>
Foundation Topics 299<br>
Introduction to Incident Response 299<br>
The Incident Response Plan 301<br>
The Incident Response Process 302<br>
 The Preparation Phase 302<br>
 The Detection and Analysis Phase 302<br>
 Containment, Eradication, and Recovery 303<br>
 Post-Incident Activity (Postmortem) 304<br>
Information Sharing and Coordination 304<br>
Incident Response Team Structure 307<br>
 Computer Security Incident Response Teams 307<br>
 Product Security Incident Response Teams 309<br>
 National CSIRTs and Computer Emergency Response Teams 314<br>
 Coordination Centers 315<br>
 Incident Response Providers and Managed Security Service Providers (MSSPs) 315<br>
Common Artifact Elements and Sources of Security Events 316<br>
 The 5-Tuple 317<br>
 File Hashes 320<br>
 Tips on Building Your Own Lab 321<br>
 False Positives, False Negatives, True Positives, and True Negatives 326<br>
Understanding Regular Expressions 327<br>
Protocols, Protocol Headers, and Intrusion Analysis 330<br>
How to Map Security Event Types to Source Technologies 333<br>
Exam Preparation Tasks 335<br>
<strong>Chapter 9</strong> Introduction to Digital Forensics 338<br>
“Do I Know This Already?” Quiz 338<br>
Foundation Topics 341<br>
Introduction to Digital Forensics 341<br>
The Role of Attribution in a Cybersecurity Investigation 342<br>
The Use of Digital Evidence 342<br>
 Defining Digital Forensic Evidence 343<br>
 Understanding Best, Corroborating, and Indirect or Circumstantial Evidence 343<br>
 Collecting Evidence from Endpoints and Servers 344<br>
 Using Encryption 345<br>
 Analyzing Metadata 345<br>
 Analyzing Deleted Files 346<br>
 Collecting Evidence from Mobile Devices 346<br>
 Collecting Evidence from Network Infrastructure Devices 346<br>
Evidentiary Chain of Custody 348<br>
Reverse Engineering 351<br>
Fundamentals of Microsoft Windows Forensics 353<br>
 Processes, Threads, and Services 353<br>
 Memory Management 356<br>
 Windows Registry 357<br>
 The Windows File System 359<br>
 FAT 360<br>
 NTFS 361<br>
Fundamentals of Linux Forensics 362<br>
 Linux Processes 362<br>
 Ext4 366<br>
 Journaling 366<br>
 Linux MBR and Swap File System 366<br>
Exam Preparation Tasks 367<br>
<strong>Chapter 10</strong> Network Infrastructure Device Telemetry and Analysis 370<br>
“Do I Know This Already?” Quiz 370<br>
Foundation Topics 373<br>
Network Infrastructure Logs 373<br>
 Network Time Protocol and Why It Is Important 374<br>
 Configuring Syslog in a Cisco Router or Switch 376<br>
Traditional Firewall Logs 378<br>
 Console Logging 378<br>
 Terminal Logging 379<br>
 ASDM Logging 379<br>
 Email Logging 379<br>
 Syslog Server Logging 379<br>
 SNMP Trap Logging 379<br>
 Buffered Logging 379<br>
 Configuring Logging on the Cisco ASA 379<br>
Syslog in Large-Scale Environments 381<br>
 Splunk 381<br>
 Graylog 381<br>
 Elasticsearch, Logstash, and Kibana (ELK) Stack 382<br>
Next-Generation Firewall and Next-Generation IPS Logs 385<br>
NetFlow Analysis 395<br>
 What Is a Flow in NetFlow? 399<br>
 The NetFlow Cache 400<br>
 NetFlow Versions 401<br>
 IPFIX 402<br>
 IPFIX Architecture 403<br>
 IPFIX Mediators 404<br>
 IPFIX Templates 404<br>
 Commercial NetFlow Analysis Tools 404<br>
 Big Data Analytics for Cybersecurity Network Telemetry 411<br>
 Cisco Application Visibility and Control (AVC) 413<br>
Network Packet Capture 414<br>
 tcpdump 415<br>
 Wireshark 417<br>
Network Profiling 418<br>
 Throughput 419<br>
 Measuring Throughput 421<br>
 Used Ports 423<br>
 Session Duration 424<br>
 Critical Asset Address Space 424<br>
Exam Preparation Tasks 427<br>
<strong>Chapter 11</strong> Endpoint Telemetry and Analysis 430<br>
“Do I Know This Already?” Quiz 430<br>
Foundation Topics 435<br>
Understanding Host Telemetry 435<br>
 Logs from User Endpoints 435<br>
 Logs from Servers 440<br>
Host Profiling 441<br>
 Listening Ports 441<br>
 Logged-in Users/Service Accounts 445<br>
 Running Processes 448<br>
 Applications Identification 450<br>
Analyzing Windows Endpoints 454<br>
 Windows Processes and Threads 454<br>
 Memory Allocation 456<br>
 The Windows Registry 458<br>
 Windows Management Instrumentation 460<br>
 Handles 462<br>
 Services 463<br>
 Windows Event Logs 466<br>
Linux and macOS Analysis 468<br>
 Processes in Linux 468<br>
 Forks 471<br>
 Permissions 472<br>
 Symlinks 479<br>
 Daemons 480<br>
 Linux-Based Syslog 481<br>
 Apache Access Logs 484<br>
 NGINX Logs 485<br>
Endpoint Security Technologies 486<br>
 Antimalware and Antivirus Software 486<br>
 Host-Based Firewalls and Host-Based Intrusion Prevention 488<br>
 Application-Level Whitelisting and Blacklisting 490<br>
 System-Based Sandboxing 491<br>
 Sandboxes in the Context of Incident Response 493<br>
Exam Preparation Tasks 494<br>
<strong>Chapter 12</strong> Challenges in the Security Operations Center (SOC) 496<br>
“Do I Know This Already?” Quiz 496<br>
Foundation Topics 499<br>
Security Monitoring Challenges in the SOC 499<br>
 Security Monitoring and Encryption 500<br>
 Security Monitoring and Network Address Translation 501<br>
 Security Monitoring and Event Correlation Time Synchronization 502<br>
 DNS Tunneling and Other Exfiltration Methods 502<br>
 Security Monitoring and Tor 504<br>
 Security Monitoring and Peer-to-Peer Communication 505<br>
Additional Evasion and Obfuscation Techniques 506<br>
 Resource Exhaustion 508<br>
 Traffic Fragmentation 509<br>
 Protocol-Level Misinterpretation 510<br>
 Traffic Timing, Substitution, and Insertion 511<br>
 Pivoting 512<br>
Exam Preparation Tasks 517<br>
<strong>Chapter 13</strong> The Art of Data and Event Analysis 520<br>
“Do I Know This Already?” Quiz 520<br>
Foundation Topics 522<br>
Normalizing Data 522<br>
 Interpreting Common Data Values into a Universal Format 523<br>
Using the 5-Tuple Correlation to Respond to Security Incidents 523<br>
Using Retrospective Analysis and Identifying Malicious Files 525<br>
 Identifying a Malicious File 526<br>
Mapping Threat Intelligence with DNS and Other Artifacts 527<br>
Using Deterministic Versus Probabilistic Analysis 527<br>
Exam Preparation Tasks 528<br>
<strong>Chapter 14</strong> Classifying Intrusion Events into Categories 530<br>
“Do I Know This Already?” Quiz 530<br>
Foundation Topics 532<br>
Diamond Model of Intrusion 532<br>
Cyber Kill Chain Model 539<br>
 Reconnaissance 540<br>
 Weaponization 543<br>
 Delivery 544<br>
 Exploitation 545<br>
 Installation 545<br>
 Command and Control 546<br>
 Action on Objectives 547<br>
The Kill Chain vs. MITRE’s ATT&CK 548<br>
Exam Preparation Tasks 550<br>
<strong>Chapter 15</strong> Introduction to Threat Hunting 552<br>
“Do I Know This Already?” Quiz 552<br>
Foundation Topics 554<br>
What Is Threat Hunting? 554<br>
 Threat Hunting vs. Traditional SOC Operations vs. Vulnerability Management 555<br>
The Threat-Hunting Process 556<br>
 Threat-Hunting Maturity Levels 557<br>
Threat Hunting and MITRE’s ATT&CK 558<br>
 Automated Adversarial Emulation 563<br>
Threat-Hunting Case Study 567<br>
Threat Hunting, Honeypots, Honeynets, and Active Defense 571<br>
Exam Preparation Tasks 571<br>
<strong>Chapter 16</strong> Final Preparation 574<br>
Hands-on Activities 574<br>
Suggested Plan for Final Review and Study 574<br>
Summary 575<br>
<strong>Glossary of Key Terms</strong> 577<br>
<strong>Appendix A</strong> Answers to the “Do I Know This Already?” Quizzes and Review Questions 592<br>
<strong>Appendix B</strong> Understanding Cisco Cybersecurity Operations Fundamentals CBROPS 200-201 Exam Updates 614<br>
Online Elements<br>
<strong>Appendix C</strong> Study Planner<br>
<strong>Glossary</strong> of Key Terms<br>
9780136807834 TOC 10/13/2020</p>