Chapter 0 Course Introduction 1
0.0 Welcome to CCNA: Cybersecurity Operations 1
0.0.1 Message to the Student 1
Chapter 1 Cybersecurity and the Security Operations Center 5
1.0 Introduction 5
1.1 The Danger 5
1.1.1 War Stories 5
1.1.1.1 Hijacked People 5
1.1.1.2 Ransomed Companies 5
1.1.1.3 Targeted Nations 6
1.1.1.4 Lab - Installing the CyberOps Workstation Virtual Machine 6
1.1.1.5 Lab - Cybersecurity Case Studies 6
1.1.2 Threat Actors 6
1.1.2.1 Amateurs 6
1.1.2.2 Hacktivists 7
1.1.2.3 Financial Gain 7
1.1.2.4 Trade Secrets and Global Politics 7
1.1.2.5 How Secure is the Internet of Things? 7
1.1.2.6 Lab - Learning the Details of Attacks 7
1.1.3 Threat Impact 8
1.1.3.1 PII and PHI 8
1.1.3.2 Lost Competitive Advantage 8
1.1.3.3 Politics and National Security 8
1.1.3.4 Lab - Visualizing the Black Hats 9
1.2 Fighters in the War Against Cybercrime 9
1.2.1 The Modern Security Operations Center 9
1.2.1.1 Elements of a SOC 9
1.2.1.2 People in the SOC 9
1.2.1.3 Process in the SOC 10
1.2.1.4 Technologies in the SOC 10
1.2.1.5 Enterprise and Managed Security 10
1.2.1.6 Security vs. Availability 11
1.2.1.7 Activity - Identify the SOC Terminology 11
1.2.2 Becoming a Defender 11
1.2.2.1 Certifications 11
1.2.2.2 Further Education 12
1.2.2.3 Sources of Career Information 12
1.2.2.4 Getting Experience 13
1.2.2.5 Lab - Becoming a Defender 13
1.3 Summary 13
Chapter 2 Windows Operating System 17
2.0 Introduction 17
2.1 Windows Overview 17
2.1.1 Windows History 17
2.1.1.1 Disk Operating System 17
2.1.1.2 Windows Versions 18
2.1.1.3 Windows GUI 19
2.1.1.4 Operating System Vulnerabilities 19
2.1.2 Windows Architecture and Operations 20
2.1.2.1 Hardware Abstraction Layer 20
2.1.2.2 User Mode and Kernel Mode 21
2.1.2.3 Windows File Systems 21
2.1.2.4 Windows Boot Process 23
2.1.2.5 Windows Startup and Shutdown 24
2.1.2.6 Processes, Threads, and Services 25
2.1.2.7 Memory Allocation and Handles 25
2.1.2.8 The Windows Registry 26
2.1.2.9 Activity - Identify the Windows Registry Hive 27
2.1.2.10 Lab - Exploring Processes, Threads, Handles, and Windows Registry 27
2.2 Windows Administration 27
2.2.1 Windows Configuration and Monitoring 27
2.2.1.1 Run as Administrator 27
2.2.1.2 Local Users and Domains 27
2.2.1.3 CLI and PowerShell 28
2.2.1.4 Windows Management Instrumentation 29
2.2.1.5 The net Command 30
2.2.1.6 Task Manager and Resource Monitor 30
2.2.1.7 Networking 31
2.2.1.8 Accessing Network Resources 33
2.2.1.9 Windows Server 33
2.2.1.10 Lab - Create User Accounts 34
2.2.1.11 Lab - Using Windows PowerShell 34
2.2.1.12 Lab - Windows Task Manager 34
2.2.1.13 Lab - Monitor and Manage System Resources in Windows 34
2.2.2 Windows Security 34
2.2.2.1 The netstat Command 34
2.2.2.2 Event Viewer 35
2.2.2.3 Windows Update Management 35
2.2.2.4 Local Security Policy 35
2.2.2.5 Windows Defender 36
2.2.2.6 Windows Firewall 37
2.2.2.7 Activity - Identify the Windows Command 37
2.2.2.8 Activity - Identify the Windows Tool 37
2.3 Summary 37
Chapter 3 Linux Operating System 41
3.0 Introduction 41
3.1 Linux Overview 41
3.1.1 Linux Basics 41
3.1.1.1 What is Linux? 41
3.1.1.2 The Value of Linux 42
3.1.1.3 Linux in the SOC 42
3.1.1.4 Linux Tools 43
3.1.2 Working in the Linux Shell 43
3.1.2.1 The Linux Shell 43
3.1.2.2 Basic Commands 43
3.1.2.3 File and Directory Commands 44
3.1.2.4 Working with Text Files 44
3.1.2.5 The Importance of Text Files in Linux 44
3.1.2.6 Lab - Working with Text Files in the CLI 45
3.1.2.7 Lab - Getting Familiar with the Linux Shell 45
3.1.3 Linux Servers and Clients 45
3.1.3.1 An Introduction to Client-Server Communications 45
3.1.3.2 Servers, Services, and Their Ports 45
3.1.3.3 Clients 45
3.1.3.4 Lab - Linux Servers 45
3.2 Linux Administration 46
3.2.1 Basic Server Administration 46
3.2.1.1 Service Configuration Files 46
3.2.1.2 Hardening Devices 46
3.2.1.3 Monitoring Service Logs 47
3.2.1.4 Lab - Locating Log Files 48
3.2.2 The Linux File System 48
3.2.2.1 The File System Types in Linux 48
3.2.2.2 Linux Roles and File Permissions 49
3.2.2.3 Hard Links and Symbolic Links 50
3.2.2.4 Lab - Navigating the Linux Filesystem and Permission Settings 50
3.3 Linux Hosts 51
3.3.1 Working with the Linux GUI 51
3.3.1.1 X Window System 51
3.3.1.2 The Linux GUI 51
3.3.2 Working on a Linux Host 52
3.3.2.1 Installing and Running Applications on a Linux Host 52
3.3.2.2 Keeping the System Up To Date 52
3.3.2.3 Processes and Forks 52
3.3.2.4 Malware on a Linux Host 53
3.3.2.5 Rootkit Check 54
3.3.2.6 Piping Commands 54
3.3.2.7 Video Demonstration - Applications, Rootkits, and Piping Commands 55
3.4 Summary 55
Chapter 4 Network Protocols and Services 59
4.0 Introduction 59
4.1 Network Protocols 59
4.1.1 Network Communications Process 59
4.1.1.1 Views of the Network 59
4.1.1.2 Client-Server Communications 60
4.1.1.3 A Typical Session: Student 60
4.1.1.4 A Typical Session: Gamer 61
4.1.1.5 A Typical Session: Surgeon 61
4.1.1.6 Tracing the Path 62
4.1.1.7 Lab - Tracing a Route 62
4.1.2 Communications Protocols 62
4.1.2.1 What are Protocols? 62
4.1.2.2 Network Protocol Suites 63
4.1.2.3 The TCP/IP Protocol Suite 63
4.1.2.4 Format, Size, and Timing 64
4.1.2.5 Unicast, Multicast, and Broadcast 64
4.1.2.6 Reference Models 65
4.1.2.7 Three Addresses 65
4.1.2.8 Encapsulation 65
4.1.2.9 Scenario: Sending and Receiving a Web Page 66
4.1.2.10 Lab - Introduction to Wireshark 67
4.2 Ethernet and Internet Protocol (IP) 67
4.2.1 Ethernet 67
4.2.1.1 The Ethernet Protocol 67
4.2.1.2 The Ethernet Frame 68
4.2.1.3 MAC Address Format 68
4.2.1.4 Activity - Ethernet Frame Fields 68
4.2.2 IPv4 68
4.2.2.1 IPv4 Encapsulation 68
4.2.2.2 IPv4 Characteristics 69
4.2.2.3 Activity - IPv4 Characteristics 70
4.2.2.4 The IPv4 Packet 70
4.2.2.5 Video Demonstration - Sample IPv4 Headers in Wireshark 70
4.2.3 IPv4 Addressing Basics 70
4.2.3.1 IPv4 Address Notation 70
4.2.3.2 IPv4 Host Address Structure 70
4.2.3.3 IPv4 Subnet Mask and Network Address 71
4.2.3.4 Subnetting Broadcast Domains 71
4.2.3.5 Video Demonstration - Network, Host, and Broadcast Addresses 72
4.2.4 Types of IPv4 Addresses 72
4.2.4.1 IPv4 Address Classes and Default Subnet Masks 72
4.2.4.2 Reserved Private Addresses 73
4.2.5 The Default Gateway 73
4.2.5.1 Host Forwarding Decision 73
4.2.5.2 Default Gateway 74
4.2.5.3 Using the Default Gateway 74
4.2.6 IPv6 75
4.2.6.1 Need for IPv6 75
4.2.6.2 IPv6 Size and Representation 75
4.2.6.3 IPv6 Address Formatting 75
4.2.6.4 IPv6 Prefix Length 76
4.2.6.5 Activity - IPv6 Address Notation 76
4.2.6.6 Video Tutorial - Layer 2 and Layer 3 Addressing 76
4.3 Connectivity Verification 76
4.3.1 ICMP 76
4.3.1.1 ICMPv4 Messages 76
4.3.1.2 ICMPv6 RS and RA Messages 77
4.3.2 Ping and Traceroute Utilities 78
4.3.2.1 Ping - Testing the Local Stack 78
4.3.2.2 Ping - Testing Connectivity to the Local LAN 79
4.3.2.3 Ping - Testing Connectivity to Remote Host 79
4.3.2.4 Traceroute - Testing the Path 80
4.3.2.5 ICMP Packet Format 80
4.4 Address Resolution Protocol 81
4.4.1 MAC and IP 81
4.4.1.1 Destination on Same Network 81
4.4.1.2 Destination on Remote Network 82
4.4.2 ARP 82
4.4.2.1 Introduction to ARP 82
4.4.2.2 ARP Functions 82
4.4.2.3 Video - ARP Operation - ARP Request 83
4.4.2.4 Video - ARP Operation - ARP Reply 84
4.4.2.5 Video - ARP Role in Remote Communication 84
4.4.2.6 Removing Entries from an ARP Table 85
4.4.2.7 ARP Tables on Networking Devices 85
4.4.2.8 Lab - Using Wireshark to Examine Ethernet Frames 85
4.4.3 ARP Issues 85
4.4.3.1 ARP Broadcasts 85
4.4.3.2 ARP Spoofing 86
4.5 The Transport Layer 86
4.5.1 Transport Layer Characteristics 86
4.5.1.1 Transport Layer Protocol Role in Network Communication 86
4.5.1.2 Transport Layer Mechanisms 87
4.5.1.3 TCP Local and Remote Ports 87
4.5.1.4 Socket Pairs 88
4.5.1.5 TCP vs UDP 88
4.5.1.6 TCP and UDP Headers 89
4.5.1.7 Activity - Compare TCP and UDP Characteristics 90
4.5.2 Transport Layer Operation 90
4.5.2.1 TCP Port Allocation 90
4.5.2.2 A TCP Session Part I: Connection Establishment and Termination 91
4.5.2.3 Video Demonstration - TCP 3-Way Handshake 92
4.5.2.4 Lab - Using Wireshark to Observe the TCP 3-Way Handshake 92
4.5.2.5 Activity - TCP Connection and Termination Process 92
4.5.2.6 A TCP Session Part II: Data Transfer 92
4.5.2.7 Video Demonstration - Sequence Numbers and Acknowledgments 94
4.5.2.8 Video Demonstration - Data Loss and Retransmission 94
4.5.2.9 A UDP Session 94
4.5.2.10 Lab - Exploring Nmap 95
4.6 Network Services 95
4.6.1 DHCP 95
4.6.1.1 DHCP Overview 95
4.6.1.2 DHCPv4 Message Format 96
4.6.2 DNS 97
4.6.2.1 DNS Overview 97
4.6.2.2 The DNS Domain Hierarchy 97
4.6.2.3 The DNS Lookup Process 97
4.6.2.4 DNS Message Format 98
4.6.2.5 Dynamic DNS 99
4.6.2.6 The WHOIS Protocol 99
4.6.2.7 Lab - Using Wireshark to Examine a UDP DNS Capture 100
4.6.3 NAT 100
4.6.3.1 NAT Overview 100
4.6.3.2 NAT-Enabled Routers 100
4.6.3.3 Port Address Translation 100
4.6.4 File Transfer and Sharing Services 101
4.6.4.1 FTP and TFTP 101
4.6.4.2 SMB 102
4.6.4.3 Lab - Using Wireshark to Examine TCP and UDP Captures 102
4.6.5 Email 102
4.6.5.1 Email Overview 102
4.6.5.2 SMTP 102
4.6.5.3 POP3 103
4.6.5.4 IMAP 103
4.6.6 HTTP 103
4.6.6.1 HTTP Overview 103
4.6.6.2 The HTTP URL 104
4.6.6.3 The HTTP Protocol 104
4.6.6.4 HTTP Status Codes 105
4.6.6.5 Lab - Using Wireshark to Examine HTTP and HTTPS Traffic 105
4.7 Summary 105
Chapter 5 Network Infrastructure 109
5.0 Introduction 109
5.1 Network Communication Devices 109
5.1.1 Network Devices 109
5.1.1.1 End Devices 109
5.1.1.2 Video Tutorial - End Devices 109
5.1.1.3 Routers 110
5.1.1.4 Activity - Match Layer 2 and Layer 3 Addressing 110
5.1.1.5 Router Operation 110
5.1.1.6 Routing Information 111
5.1.1.7 Video Tutorial - Static and Dynamic Routing 112
5.1.1.8 Hubs, Bridges, LAN Switches 112
5.1.1.9 Switching Operation 113
5.1.1.10 Video Tutorial - MAC Address Tables on Connected Switches 114
5.1.1.11 VLANs 114
5.1.1.12 STP 114
5.1.1.13 Multilayer Switching 115
5.1.2 Wireless Communications 116
5.1.2.1 Video Tutorial - Wireless Communications 116
5.1.2.2 Protocols and Features 116
5.1.2.3 Wireless Network Operations 117
5.1.2.4 The Client to AP Association Process 118
5.1.2.5 Activity - Order the Steps in the Client and AP Association Process 119
5.1.2.6 Wireless Devices - AP, LWAP, WLC 119
5.1.2.7 Activity - Identify the LAN Device 119
5.2 Network Security Infrastructure 120
5.2.1 Security Devices 120
5.2.1.1 Video Tutorial - Security Devices 120
5.2.1.2 Firewalls 120
5.2.1.3 Firewall Type Descriptions 120
5.2.1.4 Packet Filtering Firewalls 121
5.2.1.5 Stateful Firewalls 121
5.2.1.6 Next-Generation Firewalls 121
5.2.1.7 Activity - Identify the Type of Firewall 122
5.2.1.8 Intrusion Protection and Detection Devices 122
5.2.1.9 Advantages and Disadvantages of IDS and IPS 122
5.2.1.10 Types of IPS 123
5.2.1.11 Specialized Security Appliances 124
5.2.1.12 Activity - Compare IDS and IPS Characteristics 125
5.2.2 Security Services 125
5.2.2.1 Video Tutorial - Security Services 125
5.2.2.2 Traffic Control with ACLs 125
5.2.2.3 ACLs: Important Features 126
5.2.2.4 Packet Tracer - ACL Demonstration 126
5.2.2.5 SNMP 126
5.2.2.6 NetFlow 127
5.2.2.7 Port Mirroring 127
5.2.2.8 Syslog Servers 128
5.2.2.9 NTP 128
5.2.2.10 AAA Servers 129
5.2.2.11 VPN 130
5.2.2.12 Activity - Identify the Network Security Device or Service 130
5.3 Network Representations 130
5.3.1 Network Topologies 130
5.3.1.1 Overview of Network Components 130
5.3.1.2 Physical and Logical Topologies 131
5.3.1.3 WAN Topologies 131
5.3.1.4 LAN Topologies 131
5.3.1.5 The Three-Layer Network Design Model 132
5.3.1.6 Video Tutorial - Three-Layer Network Design 132
5.3.1.7 Common Security Architectures 133
5.3.1.8 Activity - Identify the Network Topology 134
5.3.1.9 Activity - Identify the Network Design Terminology 134
5.3.1.10 Packet Tracer - Identify Packet Flow 134
5.4 Summary 134
Chapter 6 Principles of Network Security 137
6.0 Introduction 137
6.1 Attackers and Their Tools 137
6.1.1 Who is Attacking Our Network? 137
6.1.1.1 Threat, Vulnerability, and Risk 137
6.1.1.2 Hacker vs. Threat Actor 138
6.1.1.3 Evolution of Threat Actors 138
6.1.1.4 Cybercriminals 139
6.1.1.5 Cybersecurity Tasks 139
6.1.1.6 Cyber Threat Indicators 139
6.1.1.7 Activity - What Color is my Hat? 140
6.1.2 Threat Actor Tools 140
6.1.2.1 Introduction of Attack Tools 140
6.1.2.2 Evolution of Security Tools 140
6.1.2.3 Categories of Attacks 141
6.1.2.4 Activity - Classify Hacking Tools 141
6.2 Common Threats and Attacks 141
6.2.1 Malware 141
6.2.1.1 Types of Malware 141
6.2.1.2 Viruses 141
6.2.1.3 Trojan Horses 141
6.2.1.4 Trojan Horse Classification 142
6.2.1.5 Worms 142
6.2.1.6 Worm Components 143
6.2.1.7 Ransomware 143
6.2.1.8 Other Malware 144
6.2.1.9 Common Malware Behaviors 144
6.2.1.10 Activity - Identify the Malware Type 145
6.2.1.11 Lab - Anatomy of Malware 145
6.2.2 Common Network Attacks 145
6.2.2.1 Types of Network Attacks 145
6.2.2.2 Reconnaissance Attacks 145
6.2.2.3 Sample Reconnaissance Attacks 146
6.2.2.4 Access Attacks 146
6.2.2.5 Types of Access Attacks 147
6.2.2.6 Social Engineering Attacks 147
6.2.2.7 Phishing Social Engineering Attacks 148
6.2.2.8 Strengthening the Weakest Link 149
6.2.2.9 Lab - Social Engineering 149
6.2.2.10 Denial of Service Attacks 149
6.2.2.11 DDoS Attacks 149
6.2.2.12 Example DDoS Attack 150
6.2.2.13 Buffer Overflow Attack 150
6.2.2.14 Evasion Methods 151
6.2.2.15 Activity - Identify the Types of Network Attack 151
6.2.2.16 Activity - Components of a DDoS Attack 151
6.3 Summary 152
Chapter 7 Network Attacks: A Deeper Look 155
7.0 Introduction 155
7.1 Attackers and Their Tools 155
7.1.1 Who is Attacking Our Network? 155
7.1.1.1 Network Security Topology 155
7.1.1.2 Monitoring the Network 156
7.1.1.3 Network Taps 156
7.1.1.4 Traffic Mirroring and SPAN 156
7.1.2 Introduction to Network Monitoring Tools 157
7.1.2.1 Network Security Monitoring Tools 157
7.1.2.2 Network Protocol Analyzers 157
7.1.2.3 NetFlow 158
7.1.2.4 SIEM 159
7.1.2.5 SIEM Systems 159
7.1.2.6 Activity - Identify the Network Monitoring Tool 159
7.1.2.7 Packet Tracer - Logging Network Activity 159
7.2 Attacking the Foundation 160
7.2.1 IP Vulnerabilities and Threats 160
7.2.1.1 IPv4 and IPv6 160
7.2.1.2 The IPv4 Packet Header 160
7.2.1.3 The IPv6 Packet Header 161
7.2.1.4 IP Vulnerabilities 161
7.2.1.5 ICMP Attacks 162
7.2.1.6 DoS Attacks 163
7.2.1.7 Amplification and Reflection Attacks 163
7.2.1.8 DDoS Attacks 163
7.2.1.9 Address Spoofing Attacks 164
7.2.1.10 Activity - Identify the IP Vulnerability 164
7.2.1.11 Lab - Observing a DDoS Attack 164
7.2.2 TCP and UDP Vulnerabilities 165
7.2.2.1 TCP 165
7.2.2.2 TCP Attacks 165
7.2.2.3 UDP and UDP Attacks 166
7.2.2.4 Lab - Observing TCP Anomalies 166
7.3 Attacking What We Do 167
7.3.1 IP Services 167
7.3.1.1 ARP Vulnerabilities 167
7.3.1.2 ARP Cache Poisoning 167
7.3.1.3 DNS Attacks 168
7.3.1.4 DNS Tunneling 169
7.3.1.5 DHCP 169
7.3.1.6 Lab - Exploring DNS Traffic 170
7.3.2 Enterprise Services 170
7.3.2.1 HTTP and HTTPS 170
7.3.2.2 Email 173
7.3.2.3 Web-Exposed Databases 174
7.3.2.4 Lab - Attacking a MySQL Database 176
7.3.2.5 Lab - Reading Server Logs 176
7.3.2.6 Lab - Reading Server Logs 176
7.4 Summary 176
Chapter 8 Protecting the Network 179
8.0 Introduction 179
8.1 Understanding Defense 179
8.1.1 Defense-in-Depth 179
8.1.1.1 Assets, Vulnerabilities, Threats 179
8.1.1.2 Identify Assets 179
8.1.1.3 Identify Vulnerabilities 180
8.1.1.4 Identify Threats 181
8.1.1.5 Security Onion and Security Artichoke Approaches 181
8.1.2 Security Policies 182
8.1.2.1 Business Policies 182
8.1.2.2 Security Policy 182
8.1.2.3 BYOD Policies 183
8.1.2.4 Regulatory and Standard Compliance 184
8.2 Access Control 184
8.2.1 Access Control Concepts 184
8.2.1.1 Communications Security: CIA 184
8.2.1.2 Access Control Models 185
8.2.1.3 Activity - Identify the Access Control Model 185
8.2.2 AAA Usage and Operation 185
8.2.2.1 AAA Operation 185
8.2.2.2 AAA Authentication 186
8.2.2.3 AAA Accounting Logs 187
8.2.2.4 Activity - Identify the Characteristic of AAA 187
8.3 Threat Intelligence 187
8.3.1 Information Sources 187
8.3.1.1 Network Intelligence Communities 187
8.3.1.2 Cisco Cybersecurity Reports 188
8.3.1.3 Security Blogs and Podcasts 188
8.3.2 Threat Intelligence Services 188
8.3.2.1 Cisco Talos 188
8.3.2.2 FireEye 189
8.3.2.3 Automated Indicator Sharing 189
8.3.2.4 Common Vulnerabilities and Exposures Database 189
8.3.2.5 Threat Intelligence Communication Standards 189
8.3.2.6 Activity - Identify the Threat Intelligence Information Source 190
8.4 Summary 190
Chapter 9 Cryptography and the Public Key Infrastructure 193
9.0 Introduction 193
9.1 Cryptography 193
9.1.1 What is Cryptography? 193
9.1.1.1 Securing Communications 193
9.1.1.2 Cryptology 194
9.1.1.3 Cryptography - Ciphers 195
9.1.1.4 Cryptanalysis - Code Breaking 195
9.1.1.5 Keys 196
9.1.1.6 Lab - Encrypting and Decrypting Data Using OpenSSL 197
9.1.1.7 Lab - Encrypting and Decrypting Data Using a Hacker Tool 197
9.1.1.8 Lab - Examining Telnet and SSH in Wireshark 197
9.1.2 Integrity and Authenticity 197
9.1.2.1 Cryptographic Hash Functions 197
9.1.2.2 Cryptographic Hash Operation 198
9.1.2.3 MD5 and SHA 198
9.1.2.4 Hash Message Authentication Code 199
9.1.2.5 Lab - Hashing Things Out 200
9.1.3 Confidentiality 200
9.1.3.1 Encryption 200
9.1.3.2 Symmetric Encryption 200
9.1.3.3 Symmetric Encryption Algorithms 201
9.1.3.4 Asymmetric Encryption Algorithms 202
9.1.3.5 Asymmetric Encryption - Confidentiality 202
9.1.3.6 Asymmetric Encryption - Authentication 203
9.1.3.7 Asymmetric Encryption - Integrity 203
9.1.3.8 Diffie-Hellman 204
9.1.3.9 Activity - Classify the Encryption Algorithms 204
9.2 Public Key Infrastructure 204
9.2.1 Public Key Cryptography 204
9.2.1.1 Using Digital Signatures 204
9.2.1.2 Digital Signatures for Code Signing 206
9.2.1.3 Digital Signatures for Digital Certificates 206
9.2.1.4 Lab - Create a Linux Playground 206
9.2.2 Authorities and the PKI Trust System 206
9.2.2.1 Public Key Management 206
9.2.2.2 The Public Key Infrastructure 207
9.2.2.3 The PKI Authorities System 207
9.2.2.4 The PKI Trust System 208
9.2.2.5 Interoperability of Different PKI Vendors 208
9.2.2.6 Certificate Enrollment, Authentication, and Revocation 209
9.2.2.7 Lab - Certificate Authority Stores 209
9.2.3 Applications and Impacts of Cryptography 210
9.2.3.1 PKI Applications 210
9.2.3.2 Encrypting Network Transactions 210
9.2.3.3 Encryption and Security Monitoring 211
9.3 Summary 212
Chapter 10 Endpoint Security and Analysis 215
10.0 Introduction 215
10.1 Endpoint Protection 215
10.1.1 Antimalware Protection 215
10.1.1.1 Endpoint Threats 215
10.1.1.2 Endpoint Security 216
10.1.1.3 Host-Based Malware Protection 216
10.1.1.4 Network-Based Malware Protection 217
10.1.1.5 Cisco Advanced Malware Protection (AMP) 218
10.1.1.6 Activity - Identify Antimalware Terms and Concepts 218
10.1.2 Host-Based Intrusion Protection 218
10.1.2.1 Host-Based Firewalls 218
10.1.2.2 Host-Based Intrusion Detection 219
10.1.2.3 HIDS Operation 220
10.1.2.4 HIDS Products 220
10.1.2.5 Activity - Identify the Host-Based Intrusion Protection Terminology 220
10.1.3 Application Security 221
10.1.3.1 Attack Surface 221
10.1.3.2 Application Blacklisting and Whitelisting 221
10.1.3.3 System-Based Sandboxing 222
10.1.3.4 Video Demonstration - Using a Sandbox to Launch Malware 222
10.2 Endpoint Vulnerability Assessment 222
10.2.1 Network and Server Profiling 222
10.2.1.1 Network Profiling 222
10.2.1.2 Server Profiling 223
10.2.1.3 Network Anomaly Detection 223
10.2.1.4 Network Vulnerability Testing 224
10.2.1.5 Activity - Identify the Elements of Network Profiling 225
10.2.2 Common Vulnerability Scoring System (CVSS) 225
10.2.2.1 CVSS Overview 225
10.2.2.2 CVSS Metric Groups 225
10.2.2.3 CVSS Base Metric Group 226
10.2.2.4 The CVSS Process 226
10.2.2.5 CVSS Reports 227
10.2.2.6 Other Vulnerability Information Sources 227
10.2.2.7 Activity - Identify CVSS Metrics 228
10.2.3 Compliance Frameworks 228
10.2.3.1 Compliance Regulations 228
10.2.3.2 Overview of Regulatory Standards 228
10.2.3.3 Activity - Identify Regulatory Standards 229
10.2.4 Secure Device Management 230
10.2.4.1 Risk Management 230
10.2.4.2 Activity - Identify the Risk Response 231
10.2.4.3 Vulnerability Management 231
10.2.4.4 Asset Management 231
10.2.4.5 Mobile Device Management 232
10.2.4.6 Configuration Management 232
10.2.4.7 Enterprise Patch Management 233
10.2.4.8 Patch Management Techniques 233
10.2.4.9 Activity - Identify Device Management Activities 234
10.2.5 Information Security Management Systems 234
10.2.5.1 Security Management Systems 234
10.2.5.2 ISO-27001 234
10.2.5.3 NIST Cybersecurity Framework 234
10.2.5.4 Activity - Identify the ISO 27001 Activity Cycle 235
10.2.5.5 Activity - Identify the Stages in the NIST Cybersecurity Framework 235
10.3 Summary 235
Chapter 11 Security Monitoring 239
11.0 Introduction 239
11.1 Technologies and Protocols 239
11.1.1 Monitoring Common Protocols 239
11.1.1.1 Syslog and NTP 239
11.1.1.2 NTP 240
11.1.1.3 DNS 240
11.1.1.4 HTTP and HTTPS 241
11.1.1.5 Email Protocols 241
11.1.1.6 ICMP 242
11.1.1.7 Activity - Identify the Monitored Protocol 242
11.1.2 Security Technologies 242
11.1.2.1 ACLs 242
11.1.2.2 NAT and PAT 242
11.1.2.3 Encryption, Encapsulation, and Tunneling 243
11.1.2.4 Peer-to-Peer Networking and Tor 243
11.1.2.5 Load Balancing 244
11.1.2.6 Activity - Identify the Impact of the Technology on Security and Monitoring 244
11.2 Log Files 244
11.2.1 Types of Security Data 244
11.2.1.1 Alert Data 244
11.2.1.2 Session and Transaction Data 245
11.2.1.3 Full Packet Captures 245
11.2.1.4 Statistical Data 246
11.2.1.5 Activity - Identify Types of Network Monitoring Data 246
11.2.2 End Device Logs 246
11.2.2.1 Host Logs 246
11.2.2.2 Syslog 247
11.2.2.3 Server Logs 248
11.2.2.4 Apache Webserver Access Logs 248
11.2.2.5 IIS Access Logs 249
11.2.2.6 SIEM and Log Collection 249
11.2.2.7 Activity - Identify Information in Logged Events 250
11.2.3 Network Logs 250
11.2.3.1 Tcpdump 250
11.2.3.2 NetFlow 250
11.2.3.3 Application Visibility and Control 251
11.2.3.4 Content Filter Logs 251
11.2.3.5 Logging from Cisco Devices 252
11.2.3.6 Proxy Logs 252
11.2.3.7 NextGen IPS 253
11.2.3.8 Activity - Identify the Security Technology from the Data Description 254
11.2.3.9 Activity - Identify the NextGen IPS Event Type 254
11.2.3.10 Packet Tracer - Explore a NetFlow Implementation 254
11.2.3.11 Packet Tracer - Logging from Multiple Sources 254
11.3 Summary 254
Chapter 12 Intrusion Data Analysis 257
12.0 Introduction 257
12.1 Evaluating Alerts 257
12.1.1 Sources of Alerts 257
12.1.1.1 Security Onion 257
12.1.1.2 Detection Tools for Collecting Alert Data 257
12.1.1.3 Analysis Tools 258
12.1.1.4 Alert Generation 259
12.1.1.5 Rules and Alerts 260
12.1.1.6 Snort Rule Structure 260
12.1.1.7 Lab - Snort and Firewall Rules 261
12.1.2 Overview of Alert Evaluation 262
12.1.2.1 The Need for Alert Evaluation 262
12.1.2.2 Evaluating Alerts 262
12.1.2.3 Deterministic Analysis and Probabilistic Analysis 263
12.1.2.4 Activity - Identify Deterministic and Probabilistic Scenarios 264
12.1.2.5 Activity - Identify the Alert Classification 264
12.2 Working with Network Security Data 264
12.2.1 A Common Data Platform 264
12.2.1.1 ELSA 264
12.2.1.2 Data Reduction 264
12.2.1.3 Data Normalization 265
12.2.1.4 Data Archiving 265
12.2.1.5 Lab - Convert Data into a Universal Format 266
12.2.1.6 Investigating Process or API Calls 266
12.2.2 Investigating Network Data 266
12.2.2.1 Working in Sguil 266
12.2.2.2 Sguil Queries 267
12.2.2.3 Pivoting from Sguil 267
12.2.2.4 Event Handling in Sguil 268
12.2.2.5 Working in ELSA 268
12.2.2.6 Queries in ELSA 269
12.2.2.7 Investigating Process or API Calls 269
12.2.2.8 Investigating File Details 270
12.2.2.9 Lab - Regular Expression Tutorial 270
12.2.2.10 Lab - Extract an Executable from a PCAP 270
12.2.3 Enhancing the Work of the Cybersecurity Analyst 270
12.2.3.1 Dashboards and Visualizations 270
12.2.3.2 Workflow Management 271
12.3 Digital Forensics 271
12.3.1 Evidence Handling and Attack Attribution 271
12.3.1.1 Digital Forensics 271
12.3.1.2 The Digital Forensics Process 272
12.3.1.3 Types of Evidence 272
12.3.1.4 Evidence Collection Order 273
12.3.1.5 Chain of Custody 273
12.3.1.6 Data Integrity and Preservation 274
12.3.1.7 Attack Attribution 274
12.3.1.8 Activity - Identify the Type of Evidence 275
12.3.1.9 Activity - Identify the Forensic Technique Terminology 275
12.4 Summary 275
Chapter 13 Incident Response and Handling 277
13.0 Introduction 277
13.1 Incident Response Models 277
13.1.1 The Cyber Kill Chain 277
13.1.1.1 Steps of the Cyber Kill Chain 277
13.1.1.2 Reconnaissance 278
13.1.1.3 Weaponization 278
13.1.1.4 Delivery 278
13.1.1.5 Exploitation 279
13.1.1.6 Installation 279
13.1.1.7 Command and Control 279
13.1.1.8 Actions on Objectives 279
13.1.1.9 Activity - Identify the Kill Chain Step 279
13.1.2 The Diamond Model of Intrusion 280
13.1.2.1 Diamond Model Overview 280
13.1.2.2 Pivoting Across the Diamond Model 280
13.1.2.3 The Diamond Model and the Cyber Kill Chain 281
13.1.2.4 Activity - Identify the Diamond Model Features 282
13.1.3 The VERIS Schema 282
13.1.3.1 What is the VERIS Schema? 282
13.1.3.2 Create a VERIS Record 282
13.1.3.3 Top-Level and Second-Level Elements 283
13.1.3.4 The VERIS Community Database 285
13.1.3.5 Activity - Apply the VERIS Schema to an Incident 285
13.2 Incident Handling 285
13.2.1 CSIRTs 285
13.2.1.1 CSIRT Overview 285
13.2.1.2 Types of CSIRTs 286
13.2.1.3 CERT 286
13.2.1.4 Activity - Match the CSIRT with the CSIRT Goal 287
13.2.2 NIST 800-61r2 287
13.2.2.1 Establishing an Incident Response Capability 287
13.2.2.2 Incident Response Stakeholders 288
13.2.2.3 NIST Incident Response Life Cycle 288
13.2.2.4 Preparation 289
13.2.2.5 Detection and Analysis 290
13.2.2.6 Containment, Eradication, and Recovery 291
13.2.2.7 Post-Incident Activities 293
13.2.2.8 Incident Data Collection and Retention 294
13.2.2.9 Reporting Requirements and Information Sharing 295
13.2.2.10 Activity - Identify the Incident Response Plan Elements 296
13.2.2.11 Activity - Identify the Incident Handling Term 296
13.2.2.12 Activity - Identify the Incident Handling Step 296
13.2.2.13 Lab - Incident Handling 296
13.3 Summary 296
9781587134371 TOC 3/7/2018