CCNA Cybersecurity Operations Course Booklet
Paperback, English, 2018
529 kr
Your Cisco Networking Academy Course Booklet is designed as a study resource you can easily read, highlight, and review on the go, wherever the Internet is not available or practical:
· The text is extracted directly, word-for-word, from the online course so you can highlight important points and take notes in the “Your Chapter Notes” section.
· Headings with the exact page correlations provide a quick reference to the online course for your classroom discussions and exam preparation.
· An icon system directs you to the online curriculum to take full advantage of the images embedded within the Networking Academy online course interface, and reminds you to perform the labs, Class Activities, interactive activities, and Packet Tracer activities, watch the videos, and take the chapter quizzes and exams.
The Course Booklet is a basic, economical paper-based resource to help you succeed with the Cisco Networking Academy online course.
Product information
- Publication date: 2018-05-09
- Dimensions: 274 x 217 x 16 mm
- Weight: 722 g
- Format: Paperback
- Language: English
- Series: Course Booklets
- Number of pages: 336
- Edition: 1
- Publisher: Pearson Education
- ISBN: 9781587134371
Cisco Networking Academy is an innovative Cisco education initiative that delivers information and communication technology skills to improve career and economic opportunities around the world. The Academy provides online courses, interactive tools, and lab activities to prepare individuals for information technology and networking careers in virtually every industry.
Table of contents

Chapter 0 Course Introduction (p. 1)
- 0.0 Welcome to CCNA: Cybersecurity Operations (p. 1)
- 0.0.1 Message to the Student (p. 1)

Chapter 1 Cybersecurity and the Security Operations Center (p. 5)
- 1.0 Introduction (p. 5)
- 1.1 The Danger (p. 5)
- 1.1.1 War Stories (p. 5)
- 1.1.1.1 Hijacked People (p. 5)
- 1.1.1.2 Ransomed Companies (p. 5)
- 1.1.1.3 Targeted Nations (p. 6)
- 1.1.1.4 Lab - Installing the CyberOps Workstation Virtual Machine (p. 6)
- 1.1.1.5 Lab - Cybersecurity Case Studies (p. 6)
- 1.1.2 Threat Actors (p. 6)
- 1.1.2.1 Amateurs (p. 6)
- 1.1.2.2 Hacktivists (p. 7)
- 1.1.2.3 Financial Gain (p. 7)
- 1.1.2.4 Trade Secrets and Global Politics (p. 7)
- 1.1.2.5 How Secure is the Internet of Things? (p. 7)
- 1.1.2.6 Lab - Learning the Details of Attacks (p. 7)
- 1.1.3 Threat Impact (p. 8)
- 1.1.3.1 PII and PHI (p. 8)
- 1.1.3.2 Lost Competitive Advantage (p. 8)
- 1.1.3.3 Politics and National Security (p. 8)
- 1.1.3.4 Lab - Visualizing the Black Hats (p. 9)
- 1.2 Fighters in the War Against Cybercrime (p. 9)
- 1.2.1 The Modern Security Operations Center (p. 9)
- 1.2.1.1 Elements of a SOC (p. 9)
- 1.2.1.2 People in the SOC (p. 9)
- 1.2.1.3 Process in the SOC (p. 10)
- 1.2.1.4 Technologies in the SOC (p. 10)
- 1.2.1.5 Enterprise and Managed Security (p. 10)
- 1.2.1.6 Security vs. Availability (p. 11)
- 1.2.1.7 Activity - Identify the SOC Terminology (p. 11)
- 1.2.2 Becoming a Defender (p. 11)
- 1.2.2.1 Certifications (p. 11)
- 1.2.2.2 Further Education (p. 12)
- 1.2.2.3 Sources of Career Information (p. 12)
- 1.2.2.4 Getting Experience (p. 13)
- 1.2.2.5 Lab - Becoming a Defender (p. 13)
- 1.3 Summary (p. 13)

Chapter 2 Windows Operating System (p. 17)
- 2.0 Introduction (p. 17)
- 2.1 Windows Overview (p. 17)
- 2.1.1 Windows History (p. 17)
- 2.1.1.1 Disk Operating System (p. 17)
- 2.1.1.2 Windows Versions (p. 18)
- 2.1.1.3 Windows GUI (p. 19)
- 2.1.1.4 Operating System Vulnerabilities (p. 19)
- 2.1.2 Windows Architecture and Operations (p. 20)
- 2.1.2.1 Hardware Abstraction Layer (p. 20)
- 2.1.2.2 User Mode and Kernel Mode (p. 21)
- 2.1.2.3 Windows File Systems (p. 21)
- 2.1.2.4 Windows Boot Process (p. 23)
- 2.1.2.5 Windows Startup and Shutdown (p. 24)
- 2.1.2.6 Processes, Threads, and Services (p. 25)
- 2.1.2.7 Memory Allocation and Handles (p. 25)
- 2.1.2.8 The Windows Registry (p. 26)
- 2.1.2.9 Activity - Identify the Windows Registry Hive (p. 27)
- 2.1.2.10 Lab - Exploring Processes, Threads, Handles, and Windows Registry (p. 27)
- 2.2 Windows Administration (p. 27)
- 2.2.1 Windows Configuration and Monitoring (p. 27)
- 2.2.1.1 Run as Administrator (p. 27)
- 2.2.1.2 Local Users and Domains (p. 27)
- 2.2.1.3 CLI and PowerShell (p. 28)
- 2.2.1.4 Windows Management Instrumentation (p. 29)
- 2.2.1.5 The net Command (p. 30)
- 2.2.1.6 Task Manager and Resource Monitor (p. 30)
- 2.2.1.7 Networking (p. 31)
- 2.2.1.8 Accessing Network Resources (p. 33)
- 2.2.1.9 Windows Server (p. 33)
- 2.2.1.10 Lab - Create User Accounts (p. 34)
- 2.2.1.11 Lab - Using Windows PowerShell (p. 34)
- 2.2.1.12 Lab - Windows Task Manager (p. 34)
- 2.2.1.13 Lab - Monitor and Manage System Resources in Windows (p. 34)
- 2.2.2 Windows Security (p. 34)
- 2.2.2.1 The netstat Command (p. 34)
- 2.2.2.2 Event Viewer (p. 35)
- 2.2.2.3 Windows Update Management (p. 35)
- 2.2.2.4 Local Security Policy (p. 35)
- 2.2.2.5 Windows Defender (p. 36)
- 2.2.2.6 Windows Firewall (p. 37)
- 2.2.2.7 Activity - Identify the Windows Command (p. 37)
- 2.2.2.8 Activity - Identify the Windows Tool (p. 37)
- 2.3 Summary (p. 37)

Chapter 3 Linux Operating System (p. 41)
- 3.0 Introduction (p. 41)
- 3.1 Linux Overview (p. 41)
- 3.1.1 Linux Basics (p. 41)
- 3.1.1.1 What is Linux? (p. 41)
- 3.1.1.2 The Value of Linux (p. 42)
- 3.1.1.3 Linux in the SOC (p. 42)
- 3.1.1.4 Linux Tools (p. 43)
- 3.1.2 Working in the Linux Shell (p. 43)
- 3.1.2.1 The Linux Shell (p. 43)
- 3.1.2.2 Basic Commands (p. 43)
- 3.1.2.3 File and Directory Commands (p. 44)
- 3.1.2.4 Working with Text Files (p. 44)
- 3.1.2.5 The Importance of Text Files in Linux (p. 44)
- 3.1.2.6 Lab - Working with Text Files in the CLI (p. 45)
- 3.1.2.7 Lab - Getting Familiar with the Linux Shell (p. 45)
- 3.1.3 Linux Servers and Clients (p. 45)
- 3.1.3.1 An Introduction to Client-Server Communications (p. 45)
- 3.1.3.2 Servers, Services, and Their Ports (p. 45)
- 3.1.3.3 Clients (p. 45)
- 3.1.3.4 Lab - Linux Servers (p. 45)
- 3.2 Linux Administration (p. 46)
- 3.2.1 Basic Server Administration (p. 46)
- 3.2.1.1 Service Configuration Files (p. 46)
- 3.2.1.2 Hardening Devices (p. 46)
- 3.2.1.3 Monitoring Service Logs (p. 47)
- 3.2.1.4 Lab - Locating Log Files (p. 48)
- 3.2.2 The Linux File System (p. 48)
- 3.2.2.1 The File System Types in Linux (p. 48)
- 3.2.2.2 Linux Roles and File Permissions (p. 49)
- 3.2.2.3 Hard Links and Symbolic Links (p. 50)
- 3.2.2.4 Lab - Navigating the Linux Filesystem and Permission Settings (p. 50)
- 3.3 Linux Hosts (p. 51)
- 3.3.1 Working with the Linux GUI (p. 51)
- 3.3.1.1 X Window System (p. 51)
- 3.3.1.2 The Linux GUI (p. 51)
- 3.3.2 Working on a Linux Host (p. 52)
- 3.3.2.1 Installing and Running Applications on a Linux Host (p. 52)
- 3.3.2.2 Keeping the System Up To Date (p. 52)
- 3.3.2.3 Processes and Forks (p. 52)
- 3.3.2.4 Malware on a Linux Host (p. 53)
- 3.3.2.5 Rootkit Check (p. 54)
- 3.3.2.6 Piping Commands (p. 54)
- 3.3.2.7 Video Demonstration - Applications, Rootkits, and Piping Commands (p. 55)
- 3.4 Summary (p. 55)

Chapter 4 Network Protocols and Services (p. 59)
- 4.0 Introduction (p. 59)
- 4.1 Network Protocols (p. 59)
- 4.1.1 Network Communications Process (p. 59)
- 4.1.1.1 Views of the Network (p. 59)
- 4.1.1.2 Client-Server Communications (p. 60)
- 4.1.1.3 A Typical Session: Student (p. 60)
- 4.1.1.4 A Typical Session: Gamer (p. 61)
- 4.1.1.5 A Typical Session: Surgeon (p. 61)
- 4.1.1.6 Tracing the Path (p. 62)
- 4.1.1.7 Lab - Tracing a Route (p. 62)
- 4.1.2 Communications Protocols (p. 62)
- 4.1.2.1 What are Protocols? (p. 62)
- 4.1.2.2 Network Protocol Suites (p. 63)
- 4.1.2.3 The TCP/IP Protocol Suite (p. 63)
- 4.1.2.4 Format, Size, and Timing (p. 64)
- 4.1.2.5 Unicast, Multicast, and Broadcast (p. 64)
- 4.1.2.6 Reference Models (p. 65)
- 4.1.2.7 Three Addresses (p. 65)
- 4.1.2.8 Encapsulation (p. 65)
- 4.1.2.9 Scenario: Sending and Receiving a Web Page (p. 66)
- 4.1.2.10 Lab - Introduction to Wireshark (p. 67)
- 4.2 Ethernet and Internet Protocol (IP) (p. 67)
- 4.2.1 Ethernet (p. 67)
- 4.2.1.1 The Ethernet Protocol (p. 67)
- 4.2.1.2 The Ethernet Frame (p. 68)
- 4.2.1.3 MAC Address Format (p. 68)
- 4.2.1.4 Activity - Ethernet Frame Fields (p. 68)
- 4.2.2 IPv4 (p. 68)
- 4.2.2.1 IPv4 Encapsulation (p. 68)
- 4.2.2.2 IPv4 Characteristics (p. 69)
- 4.2.2.3 Activity - IPv4 Characteristics (p. 70)
- 4.2.2.4 The IPv4 Packet (p. 70)
- 4.2.2.5 Video Demonstration - Sample IPv4 Headers in Wireshark (p. 70)
- 4.2.3 IPv4 Addressing Basics (p. 70)
- 4.2.3.1 IPv4 Address Notation (p. 70)
- 4.2.3.2 IPv4 Host Address Structure (p. 70)
- 4.2.3.3 IPv4 Subnet Mask and Network Address (p. 71)
- 4.2.3.4 Subnetting Broadcast Domains (p. 71)
- 4.2.3.5 Video Demonstration - Network, Host, and Broadcast Addresses (p. 72)
- 4.2.4 Types of IPv4 Addresses (p. 72)
- 4.2.4.1 IPv4 Address Classes and Default Subnet Masks (p. 72)
- 4.2.4.2 Reserved Private Addresses (p. 73)
- 4.2.5 The Default Gateway (p. 73)
- 4.2.5.1 Host Forwarding Decision (p. 73)
- 4.2.5.2 Default Gateway (p. 74)
- 4.2.5.3 Using the Default Gateway (p. 74)
- 4.2.6 IPv6 (p. 75)
- 4.2.6.1 Need for IPv6 (p. 75)
- 4.2.6.2 IPv6 Size and Representation (p. 75)
- 4.2.6.3 IPv6 Address Formatting (p. 75)
- 4.2.6.4 IPv6 Prefix Length (p. 76)
- 4.2.6.5 Activity - IPv6 Address Notation (p. 76)
- 4.2.6.6 Video Tutorial - Layer 2 and Layer 3 Addressing (p. 76)
- 4.3 Connectivity Verification (p. 76)
- 4.3.1 ICMP (p. 76)
- 4.3.1.1 ICMPv4 Messages (p. 76)
- 4.3.1.2 ICMPv6 RS and RA Messages (p. 77)
- 4.3.2 Ping and Traceroute Utilities (p. 78)
- 4.3.2.1 Ping - Testing the Local Stack (p. 78)
- 4.3.2.2 Ping - Testing Connectivity to the Local LAN (p. 79)
- 4.3.2.3 Ping - Testing Connectivity to Remote Host (p. 79)
- 4.3.2.4 Traceroute - Testing the Path (p. 80)
- 4.3.2.5 ICMP Packet Format (p. 80)
- 4.4 Address Resolution Protocol (p. 81)
- 4.4.1 MAC and IP (p. 81)
- 4.4.1.1 Destination on Same Network (p. 81)
- 4.4.1.2 Destination on Remote Network (p. 82)
- 4.4.2 ARP (p. 82)
- 4.4.2.1 Introduction to ARP (p. 82)
- 4.4.2.2 ARP Functions (p. 82)
- 4.4.2.3 Video - ARP Operation - ARP Request (p. 83)
- 4.4.2.4 Video - ARP Operation - ARP Reply (p. 84)
- 4.4.2.5 Video - ARP Role in Remote Communication (p. 84)
- 4.4.2.6 Removing Entries from an ARP Table (p. 85)
- 4.4.2.7 ARP Tables on Networking Devices (p. 85)
- 4.4.2.8 Lab - Using Wireshark to Examine Ethernet Frames (p. 85)
- 4.4.3 ARP Issues (p. 85)
- 4.4.3.1 ARP Broadcasts (p. 85)
- 4.4.3.2 ARP Spoofing (p. 86)
- 4.5 The Transport Layer (p. 86)
- 4.5.1 Transport Layer Characteristics (p. 86)
- 4.5.1.1 Transport Layer Protocol Role in Network Communication (p. 86)
- 4.5.1.2 Transport Layer Mechanisms (p. 87)
- 4.5.1.3 TCP Local and Remote Ports (p. 87)
- 4.5.1.4 Socket Pairs (p. 88)
- 4.5.1.5 TCP vs UDP (p. 88)
- 4.5.1.6 TCP and UDP Headers (p. 89)
- 4.5.1.7 Activity - Compare TCP and UDP Characteristics (p. 90)
- 4.5.2 Transport Layer Operation (p. 90)
- 4.5.2.1 TCP Port Allocation (p. 90)
- 4.5.2.2 A TCP Session Part I: Connection Establishment and Termination (p. 91)
- 4.5.2.3 Video Demonstration - TCP 3-Way Handshake (p. 92)
- 4.5.2.4 Lab - Using Wireshark to Observe the TCP 3-Way Handshake (p. 92)
- 4.5.2.5 Activity - TCP Connection and Termination Process (p. 92)
- 4.5.2.6 A TCP Session Part II: Data Transfer (p. 92)
- 4.5.2.7 Video Demonstration - Sequence Numbers and Acknowledgments (p. 94)
- 4.5.2.8 Video Demonstration - Data Loss and Retransmission (p. 94)
- 4.5.2.9 A UDP Session (p. 94)
- 4.5.2.10 Lab - Exploring Nmap (p. 95)
- 4.6 Network Services (p. 95)
- 4.6.1 DHCP (p. 95)
- 4.6.1.1 DHCP Overview (p. 95)
- 4.6.1.2 DHCPv4 Message Format (p. 96)
- 4.6.2 DNS (p. 97)
- 4.6.2.1 DNS Overview (p. 97)
- 4.6.2.2 The DNS Domain Hierarchy (p. 97)
- 4.6.2.3 The DNS Lookup Process (p. 97)
- 4.6.2.4 DNS Message Format (p. 98)
- 4.6.2.5 Dynamic DNS (p. 99)
- 4.6.2.6 The WHOIS Protocol (p. 99)
- 4.6.2.7 Lab - Using Wireshark to Examine a UDP DNS Capture (p. 100)
- 4.6.3 NAT (p. 100)
- 4.6.3.1 NAT Overview (p. 100)
- 4.6.3.2 NAT-Enabled Routers (p. 100)
- 4.6.3.3 Port Address Translation (p. 100)
- 4.6.4 File Transfer and Sharing Services (p. 101)
- 4.6.4.1 FTP and TFTP (p. 101)
- 4.6.4.2 SMB (p. 102)
- 4.6.4.3 Lab - Using Wireshark to Examine TCP and UDP Captures (p. 102)
- 4.6.5 Email (p. 102)
- 4.6.5.1 Email Overview (p. 102)
- 4.6.5.2 SMTP (p. 102)
- 4.6.5.3 POP3 (p. 103)
- 4.6.5.4 IMAP (p. 103)
- 4.6.6 HTTP (p. 103)
- 4.6.6.1 HTTP Overview (p. 103)
- 4.6.6.2 The HTTP URL (p. 104)
- 4.6.6.3 The HTTP Protocol (p. 104)
- 4.6.6.4 HTTP Status Codes (p. 105)
- 4.6.6.5 Lab - Using Wireshark to Examine HTTP and HTTPS Traffic (p. 105)
- 4.7 Summary (p. 105)

Chapter 5 Network Infrastructure (p. 109)
- 5.0 Introduction (p. 109)
- 5.1 Network Communication Devices (p. 109)
- 5.1.1 Network Devices (p. 109)
- 5.1.1.1 End Devices (p. 109)
- 5.1.1.2 Video Tutorial - End Devices (p. 109)
- 5.1.1.3 Routers (p. 110)
- 5.1.1.4 Activity - Match Layer 2 and Layer 3 Addressing (p. 110)
- 5.1.1.5 Router Operation (p. 110)
- 5.1.1.6 Routing Information (p. 111)
- 5.1.1.7 Video Tutorial - Static and Dynamic Routing (p. 112)
- 5.1.1.8 Hubs, Bridges, LAN Switches (p. 112)
- 5.1.1.9 Switching Operation (p. 113)
- 5.1.1.10 Video Tutorial - MAC Address Tables on Connected Switches (p. 114)
- 5.1.1.11 VLANs (p. 114)
- 5.1.1.12 STP (p. 114)
- 5.1.1.13 Multilayer Switching (p. 115)
- 5.1.2 Wireless Communications (p. 116)
- 5.1.2.1 Video Tutorial - Wireless Communications (p. 116)
- 5.1.2.2 Protocols and Features (p. 116)
- 5.1.2.3 Wireless Network Operations (p. 117)
- 5.1.2.4 The Client to AP Association Process (p. 118)
- 5.1.2.5 Activity - Order the Steps in the Client and AP Association Process (p. 119)
- 5.1.2.6 Wireless Devices - AP, LWAP, WLC (p. 119)
- 5.1.2.7 Activity - Identify the LAN Device (p. 119)
- 5.2 Network Security Infrastructure (p. 120)
- 5.2.1 Security Devices (p. 120)
- 5.2.1.1 Video Tutorial - Security Devices (p. 120)
- 5.2.1.2 Firewalls (p. 120)
- 5.2.1.3 Firewall Type Descriptions (p. 120)
- 5.2.1.4 Packet Filtering Firewalls (p. 121)
- 5.2.1.5 Stateful Firewalls (p. 121)
- 5.2.1.6 Next-Generation Firewalls (p. 121)
- 5.2.1.7 Activity - Identify the Type of Firewall (p. 122)
- 5.2.1.8 Intrusion Protection and Detection Devices (p. 122)
- 5.2.1.9 Advantages and Disadvantages of IDS and IPS (p. 122)
- 5.2.1.10 Types of IPS (p. 123)
- 5.2.1.11 Specialized Security Appliances (p. 124)
- 5.2.1.12 Activity - Compare IDS and IPS Characteristics (p. 125)
- 5.2.2 Security Services (p. 125)
- 5.2.2.1 Video Tutorial - Security Services (p. 125)
- 5.2.2.2 Traffic Control with ACLs (p. 125)
- 5.2.2.3 ACLs: Important Features (p. 126)
- 5.2.2.4 Packet Tracer - ACL Demonstration (p. 126)
- 5.2.2.5 SNMP (p. 126)
- 5.2.2.6 NetFlow (p. 127)
- 5.2.2.7 Port Mirroring (p. 127)
- 5.2.2.8 Syslog Servers (p. 128)
- 5.2.2.9 NTP (p. 128)
- 5.2.2.10 AAA Servers (p. 129)
- 5.2.2.11 VPN (p. 130)
- 5.2.2.12 Activity - Identify the Network Security Device or Service (p. 130)
- 5.3 Network Representations (p. 130)
- 5.3.1 Network Topologies (p. 130)
- 5.3.1.1 Overview of Network Components (p. 130)
- 5.3.1.2 Physical and Logical Topologies (p. 131)
- 5.3.1.3 WAN Topologies (p. 131)
- 5.3.1.4 LAN Topologies (p. 131)
- 5.3.1.5 The Three-Layer Network Design Model (p. 132)
- 5.3.1.6 Video Tutorial - Three-Layer Network Design (p. 132)
- 5.3.1.7 Common Security Architectures (p. 133)
- 5.3.1.8 Activity - Identify the Network Topology (p. 134)
- 5.3.1.9 Activity - Identify the Network Design Terminology (p. 134)
- 5.3.1.10 Packet Tracer - Identify Packet Flow (p. 134)
- 5.4 Summary (p. 134)

Chapter 6 Principles of Network Security (p. 137)
- 6.0 Introduction (p. 137)
- 6.1 Attackers and Their Tools (p. 137)
- 6.1.1 Who is Attacking Our Network? (p. 137)
- 6.1.1.1 Threat, Vulnerability, and Risk (p. 137)
- 6.1.1.2 Hacker vs. Threat Actor (p. 138)
- 6.1.1.3 Evolution of Threat Actors (p. 138)
- 6.1.1.4 Cybercriminals (p. 139)
- 6.1.1.5 Cybersecurity Tasks (p. 139)
- 6.1.1.6 Cyber Threat Indicators (p. 139)
- 6.1.1.7 Activity - What Color is my Hat? (p. 140)
- 6.1.2 Threat Actor Tools (p. 140)
- 6.1.2.1 Introduction of Attack Tools (p. 140)
- 6.1.2.2 Evolution of Security Tools (p. 140)
- 6.1.2.3 Categories of Attacks (p. 141)
- 6.1.2.4 Activity - Classify Hacking Tools (p. 141)
- 6.2 Common Threats and Attacks (p. 141)
- 6.2.1 Malware (p. 141)
- 6.2.1.1 Types of Malware (p. 141)
- 6.2.1.2 Viruses (p. 141)
- 6.2.1.3 Trojan Horses (p. 141)
- 6.2.1.4 Trojan Horse Classification (p. 142)
- 6.2.1.5 Worms (p. 142)
- 6.2.1.6 Worm Components (p. 143)
- 6.2.1.7 Ransomware (p. 143)
- 6.2.1.8 Other Malware (p. 144)
- 6.2.1.9 Common Malware Behaviors (p. 144)
- 6.2.1.10 Activity - Identify the Malware Type (p. 145)
- 6.2.1.11 Lab - Anatomy of Malware (p. 145)
- 6.2.2 Common Network Attacks (p. 145)
- 6.2.2.1 Types of Network Attacks (p. 145)
- 6.2.2.2 Reconnaissance Attacks (p. 145)
- 6.2.2.3 Sample Reconnaissance Attacks (p. 146)
- 6.2.2.4 Access Attacks (p. 146)
- 6.2.2.5 Types of Access Attacks (p. 147)
- 6.2.2.6 Social Engineering Attacks (p. 147)
- 6.2.2.7 Phishing Social Engineering Attacks (p. 148)
- 6.2.2.8 Strengthening the Weakest Link (p. 149)
- 6.2.2.9 Lab - Social Engineering (p. 149)
- 6.2.2.10 Denial of Service Attacks (p. 149)
- 6.2.2.11 DDoS Attacks (p. 149)
- 6.2.2.12 Example DDoS Attack (p. 150)
- 6.2.2.13 Buffer Overflow Attack (p. 150)
- 6.2.2.14 Evasion Methods (p. 151)
- 6.2.2.15 Activity - Identify the Types of Network Attack (p. 151)
- 6.2.2.16 Activity - Components of a DDoS Attack (p. 151)
- 6.3 Summary (p. 152)

Chapter 7 Network Attacks: A Deeper Look (p. 155)
- 7.0 Introduction (p. 155)
- 7.1 Attackers and Their Tools (p. 155)
- 7.1.1 Who is Attacking Our Network? (p. 155)
- 7.1.1.1 Network Security Topology (p. 155)
- 7.1.1.2 Monitoring the Network (p. 156)
- 7.1.1.3 Network Taps (p. 156)
- 7.1.1.4 Traffic Mirroring and SPAN (p. 156)
- 7.1.2 Introduction to Network Monitoring Tools (p. 157)
- 7.1.2.1 Network Security Monitoring Tools (p. 157)
- 7.1.2.2 Network Protocol Analyzers (p. 157)
- 7.1.2.3 NetFlow (p. 158)
- 7.1.2.4 SIEM (p. 159)
- 7.1.2.5 SIEM Systems (p. 159)
- 7.1.2.6 Activity - Identify the Network Monitoring Tool (p. 159)
- 7.1.2.7 Packet Tracer - Logging Network Activity (p. 159)
- 7.2 Attacking the Foundation (p. 160)
- 7.2.1 IP Vulnerabilities and Threats (p. 160)
- 7.2.1.1 IPv4 and IPv6 (p. 160)
- 7.2.1.2 The IPv4 Packet Header (p. 160)
- 7.2.1.3 The IPv6 Packet Header (p. 161)
- 7.2.1.4 IP Vulnerabilities (p. 161)
- 7.2.1.5 ICMP Attacks (p. 162)
- 7.2.1.6 DoS Attacks (p. 163)
- 7.2.1.7 Amplification and Reflection Attacks (p. 163)
- 7.2.1.8 DDoS Attacks (p. 163)
- 7.2.1.9 Address Spoofing Attacks (p. 164)
- 7.2.1.10 Activity - Identify the IP Vulnerability (p. 164)
- 7.2.1.11 Lab - Observing a DDoS Attack (p. 164)
- 7.2.2 TCP and UDP Vulnerabilities (p. 165)
- 7.2.2.1 TCP (p. 165)
- 7.2.2.2 TCP Attacks (p. 165)
- 7.2.2.3 UDP and UDP Attacks (p. 166)
- 7.2.2.4 Lab - Observing TCP Anomalies (p. 166)
- 7.3 Attacking What We Do (p. 167)
- 7.3.1 IP Services (p. 167)
- 7.3.1.1 ARP Vulnerabilities (p. 167)
- 7.3.1.2 ARP Cache Poisoning (p. 167)
- 7.3.1.3 DNS Attacks (p. 168)
- 7.3.1.4 DNS Tunneling (p. 169)
- 7.3.1.5 DHCP (p. 169)
- 7.3.1.6 Lab - Exploring DNS Traffic (p. 170)
- 7.3.2 Enterprise Services (p. 170)
- 7.3.2.1 HTTP and HTTPS (p. 170)
- 7.3.2.2 Email (p. 173)
- 7.3.2.3 Web-Exposed Databases (p. 174)
- 7.3.2.4 Lab - Attacking a MySQL Database (p. 176)
- 7.3.2.5 Lab - Reading Server Logs (p. 176)
- 7.3.2.6 Lab - Reading Server Logs (p. 176)
- 7.4 Summary (p. 176)

Chapter 8 Protecting the Network (p. 179)
- 8.0 Introduction (p. 179)
- 8.1 Understanding Defense (p. 179)
- 8.1.1 Defense-in-Depth (p. 179)
- 8.1.1.1 Assets, Vulnerabilities, Threats (p. 179)
- 8.1.1.2 Identify Assets (p. 179)
- 8.1.1.3 Identify Vulnerabilities (p. 180)
- 8.1.1.4 Identify Threats (p. 181)
- 8.1.1.5 Security Onion and Security Artichoke Approaches (p. 181)
- 8.1.2 Security Policies (p. 182)
- 8.1.2.1 Business Policies (p. 182)
- 8.1.2.2 Security Policy (p. 182)
- 8.1.2.3 BYOD Policies (p. 183)
- 8.1.2.4 Regulatory and Standard Compliance (p. 184)
- 8.2 Access Control (p. 184)
- 8.2.1 Access Control Concepts (p. 184)
- 8.2.1.1 Communications Security: CIA (p. 184)
- 8.2.1.2 Access Control Models (p. 185)
- 8.2.1.3 Activity - Identify the Access Control Model (p. 185)
- 8.2.2 AAA Usage and Operation (p. 185)
- 8.2.2.1 AAA Operation (p. 185)
- 8.2.2.2 AAA Authentication (p. 186)
- 8.2.2.3 AAA Accounting Logs (p. 187)
- 8.2.2.4 Activity - Identify the Characteristic of AAA (p. 187)
- 8.3 Threat Intelligence (p. 187)
- 8.3.1 Information Sources (p. 187)
- 8.3.1.1 Network Intelligence Communities (p. 187)
- 8.3.1.2 Cisco Cybersecurity Reports (p. 188)
- 8.3.1.3 Security Blogs and Podcasts (p. 188)
- 8.3.2 Threat Intelligence Services (p. 188)
- 8.3.2.1 Cisco Talos (p. 188)
- 8.3.2.2 FireEye (p. 189)
- 8.3.2.3 Automated Indicator Sharing (p. 189)
- 8.3.2.4 Common Vulnerabilities and Exposures Database (p. 189)
- 8.3.2.5 Threat Intelligence Communication Standards (p. 189)
- 8.3.2.6 Activity - Identify the Threat Intelligence Information Source (p. 190)
- 8.4 Summary (p. 190)

Chapter 9 Cryptography and the Public Key Infrastructure (p. 193)
- 9.0 Introduction (p. 193)
- 9.1 Cryptography (p. 193)
- 9.1.1 What is Cryptography? (p. 193)
- 9.1.1.1 Securing Communications (p. 193)
- 9.1.1.2 Cryptology (p. 194)
- 9.1.1.3 Cryptography - Ciphers (p. 195)
- 9.1.1.4 Cryptanalysis - Code Breaking (p. 195)
- 9.1.1.5 Keys (p. 196)
- 9.1.1.6 Lab - Encrypting and Decrypting Data Using OpenSSL (p. 197)
- 9.1.1.7 Lab - Encrypting and Decrypting Data Using a Hacker Tool (p. 197)
- 9.1.1.8 Lab - Examining Telnet and SSH in Wireshark (p. 197)
- 9.1.2 Integrity and Authenticity (p. 197)
- 9.1.2.1 Cryptographic Hash Functions (p. 197)
- 9.1.2.2 Cryptographic Hash Operation (p. 198)
- 9.1.2.3 MD5 and SHA (p. 198)
- 9.1.2.4 Hash Message Authentication Code (p. 199)
- 9.1.2.5 Lab - Hashing Things Out (p. 200)
- 9.1.3 Confidentiality (p. 200)
- 9.1.3.1 Encryption (p. 200)
- 9.1.3.2 Symmetric Encryption (p. 200)
- 9.1.3.3 Symmetric Encryption Algorithms (p. 201)
- 9.1.3.4 Asymmetric Encryption Algorithms (p. 202)
- 9.1.3.5 Asymmetric Encryption - Confidentiality (p. 202)
- 9.1.3.6 Asymmetric Encryption - Authentication (p. 203)
- 9.1.3.7 Asymmetric Encryption - Integrity (p. 203)
- 9.1.3.8 Diffie-Hellman (p. 204)
- 9.1.3.9 Activity - Classify the Encryption Algorithms (p. 204)
- 9.2 Public Key Infrastructure (p. 204)
- 9.2.1 Public Key Cryptography (p. 204)
- 9.2.1.1 Using Digital Signatures (p. 204)
- 9.2.1.2 Digital Signatures for Code Signing (p. 206)
- 9.2.1.3 Digital Signatures for Digital Certificates (p. 206)
- 9.2.1.4 Lab - Create a Linux Playground (p. 206)
- 9.2.2 Authorities and the PKI Trust System (p. 206)
- 9.2.2.1 Public Key Management (p. 206)
- 9.2.2.2 The Public Key Infrastructure (p. 207)
- 9.2.2.3 The PKI Authorities System (p. 207)
- 9.2.2.4 The PKI Trust System (p. 208)
- 9.2.2.5 Interoperability of Different PKI Vendors (p. 208)
- 9.2.2.6 Certificate Enrollment, Authentication, and Revocation (p. 209)
- 9.2.2.7 Lab - Certificate Authority Stores (p. 209)
- 9.2.3 Applications and Impacts of Cryptography (p. 210)
- 9.2.3.1 PKI Applications (p. 210)
- 9.2.3.2 Encrypting Network Transactions (p. 210)
- 9.2.3.3 Encryption and Security Monitoring (p. 211)
- 9.3 Summary (p. 212)

Chapter 10 Endpoint Security and Analysis (p. 215)
- 10.0 Introduction (p. 215)
- 10.1 Endpoint Protection (p. 215)
- 10.1.1 Antimalware Protection (p. 215)
- 10.1.1.1 Endpoint Threats (p. 215)
- 10.1.1.2 Endpoint Security (p. 216)
- 10.1.1.3 Host-Based Malware Protection (p. 216)
- 10.1.1.4 Network-Based Malware Protection (p. 217)
- 10.1.1.5 Cisco Advanced Malware Protection (AMP) (p. 218)
- 10.1.1.6 Activity - Identify Antimalware Terms and Concepts (p. 218)
- 10.1.2 Host-Based Intrusion Protection (p. 218)
- 10.1.2.1 Host-Based Firewalls (p. 218)
- 10.1.2.2 Host-Based Intrusion Detection (p. 219)
- 10.1.2.3 HIDS Operation (p. 220)
- 10.1.2.4 HIDS Products (p. 220)
- 10.1.2.5 Activity - Identify the Host-Based Intrusion Protection Terminology (p. 220)
- 10.1.3 Application Security (p. 221)
- 10.1.3.1 Attack Surface (p. 221)
- 10.1.3.2 Application Blacklisting and Whitelisting (p. 221)
- 10.1.3.3 System-Based Sandboxing (p. 222)
- 10.1.3.4 Video Demonstration - Using a Sandbox to Launch Malware (p. 222)
- 10.2 Endpoint Vulnerability Assessment (p. 222)
- 10.2.1 Network and Server Profiling (p. 222)
- 10.2.1.1 Network Profiling (p. 222)
- 10.2.1.2 Server Profiling (p. 223)
- 10.2.1.3 Network Anomaly Detection (p. 223)
- 10.2.1.4 Network Vulnerability Testing (p. 224)
- 10.2.1.5 Activity - Identify the Elements of Network Profiling (p. 225)
- 10.2.2 Common Vulnerability Scoring System (CVSS) (p. 225)
- 10.2.2.1 CVSS Overview (p. 225)
- 10.2.2.2 CVSS Metric Groups (p. 225)
- 10.2.2.3 CVSS Base Metric Group (p. 226)
- 10.2.2.4 The CVSS Process (p. 226)
- 10.2.2.5 CVSS Reports (p. 227)
- 10.2.2.6 Other Vulnerability Information Sources (p. 227)
- 10.2.2.7 Activity - Identify CVSS Metrics (p. 228)
- 10.2.3 Compliance Frameworks (p. 228)
- 10.2.3.1 Compliance Regulations (p. 228)
- 10.2.3.2 Overview of Regulatory Standards (p. 228)
- 10.2.3.3 Activity - Identify Regulatory Standards (p. 229)
- 10.2.4 Secure Device Management (p. 230)
- 10.2.4.1 Risk Management (p. 230)
- 10.2.4.2 Activity - Identify the Risk Response (p. 231)
- 10.2.4.3 Vulnerability Management (p. 231)
- 10.2.4.4 Asset Management (p. 231)
- 10.2.4.5 Mobile Device Management (p. 232)
- 10.2.4.6 Configuration Management (p. 232)
- 10.2.4.7 Enterprise Patch Management (p. 233)
- 10.2.4.8 Patch Management Techniques (p. 233)
- 10.2.4.9 Activity - Identify Device Management Activities (p. 234)
- 10.2.5 Information Security Management Systems (p. 234)
- 10.2.5.1 Security Management Systems (p. 234)
- 10.2.5.2 ISO-27001 (p. 234)
- 10.2.5.3 NIST Cybersecurity Framework (p. 234)
- 10.2.5.4 Activity - Identify the ISO 27001 Activity Cycle (p. 235)
- 10.2.5.5 Activity - Identify the Stages in the NIST Cybersecurity Framework (p. 235)
- 10.3 Summary (p. 235)

Chapter 11 Security Monitoring (p. 239)
- 11.0 Introduction (p. 239)
- 11.1 Technologies and Protocols (p. 239)
- 11.1.1 Monitoring Common Protocols (p. 239)
- 11.1.1.1 Syslog and NTP (p. 239)
- 11.1.1.2 NTP (p. 240)
- 11.1.1.3 DNS (p. 240)
- 11.1.1.4 HTTP and HTTPS (p. 241)
- 11.1.1.5 Email Protocols (p. 241)
- 11.1.1.6 ICMP (p. 242)
- 11.1.1.7 Activity - Identify the Monitored Protocol (p. 242)
- 11.1.2 Security Technologies (p. 242)
- 11.1.2.1 ACLs (p. 242)
- 11.1.2.2 NAT and PAT (p. 242)
- 11.1.2.3 Encryption, Encapsulation, and Tunneling (p. 243)
- 11.1.2.4 Peer-to-Peer Networking and Tor (p. 243)
- 11.1.2.5 Load Balancing (p. 244)
- 11.1.2.6 Activity - Identify the Impact of the Technology on Security and Monitoring (p. 244)
- 11.2 Log Files (p. 244)
- 11.2.1 Types of Security Data (p. 244)
- 11.2.1.1 Alert Data (p. 244)
- 11.2.1.2 Session and Transaction Data (p. 245)
- 11.2.1.3 Full Packet Captures (p. 245)
- 11.2.1.4 Statistical Data (p. 246)
- 11.2.1.5 Activity - Identify Types of Network Monitoring Data (p. 246)
- 11.2.2 End Device Logs (p. 246)
- 11.2.2.1 Host Logs (p. 246)
- 11.2.2.2 Syslog (p. 247)
- 11.2.2.3 Server Logs (p. 248)
- 11.2.2.4 Apache Webserver Access Logs (p. 248)
- 11.2.2.5 IIS Access Logs (p. 249)
- 11.2.2.6 SIEM and Log Collection (p. 249)
- 11.2.2.7 Activity - Identify Information in Logged Events (p. 250)
- 11.2.3 Network Logs (p. 250)
- 11.2.3.1 Tcpdump (p. 250)
- 11.2.3.2 NetFlow (p. 250)
- 11.2.3.3 Application Visibility and Control (p. 251)
- 11.2.3.4 Content Filter Logs (p. 251)
- 11.2.3.5 Logging from Cisco Devices (p. 252)
- 11.2.3.6 Proxy Logs (p. 252)
- 11.2.3.7 NextGen IPS (p. 253)
- 11.2.3.8 Activity - Identify the Security Technology from the Data Description (p. 254)
- 11.2.3.9 Activity - Identify the NextGen IPS Event Type (p. 254)
- 11.2.3.10 Packet Tracer - Explore a NetFlow Implementation (p. 254)
- 11.2.3.11 Packet Tracer - Logging from Multiple Sources (p. 254)
- 11.3 Summary (p. 254)

Chapter 12 Intrusion Data Analysis (p. 257)
- 12.0 Introduction (p. 257)
- 12.1 Evaluating Alerts (p. 257)
- 12.1.1 Sources of Alerts (p. 257)
- 12.1.1.1 Security Onion (p. 257)
- 12.1.1.2 Detection Tools for Collecting Alert Data (p. 257)
- 12.1.1.3 Analysis Tools (p. 258)
- 12.1.1.4 Alert Generation (p. 259)
- 12.1.1.5 Rules and Alerts (p. 260)
- 12.1.1.6 Snort Rule Structure (p. 260)
- 12.1.1.7 Lab - Snort and Firewall Rules (p. 261)
- 12.1.2 Overview of Alert Evaluation (p. 262)
- 12.1.2.1 The Need for Alert Evaluation (p. 262)
- 12.1.2.2 Evaluating Alerts (p. 262)
- 12.1.2.3 Deterministic Analysis and Probabilistic Analysis (p. 263)
- 12.1.2.4 Activity - Identify Deterministic and Probabilistic Scenarios (p. 264)
- 12.1.2.5 Activity - Identify the Alert Classification (p. 264)
- 12.2 Working with Network Security Data (p. 264)
- 12.2.1 A Common Data Platform (p. 264)
- 12.2.1.1 ELSA (p. 264)
- 12.2.1.2 Data Reduction (p. 264)
- 12.2.1.3 Data Normalization (p. 265)
- 12.2.1.4 Data Archiving (p. 265)
- 12.2.1.5 Lab - Convert Data into a Universal Format (p. 266)
- 12.2.1.6 Investigating Process or API Calls (p. 266)
- 12.2.2 Investigating Network Data (p. 266)
- 12.2.2.1 Working in Sguil (p. 266)
- 12.2.2.2 Sguil Queries (p. 267)
- 12.2.2.3 Pivoting from Sguil (p. 267)
- 12.2.2.4 Event Handling in Sguil (p. 268)
- 12.2.2.5 Working in ELSA (p. 268)
- 12.2.2.6 Queries in ELSA (p. 269)
- 12.2.2.7 Investigating Process or API Calls (p. 269)
- 12.2.2.8 Investigating File Details (p. 270)
- 12.2.2.9 Lab - Regular Expression Tutorial (p. 270)
- 12.2.2.10 Lab - Extract an Executable from a PCAP (p. 270)
- 12.2.3 Enhancing the Work of the Cybersecurity Analyst (p. 270)
- 12.2.3.1 Dashboards and Visualizations (p. 270)
- 12.2.3.2 Workflow Management (p. 271)
- 12.3 Digital Forensics (p. 271)
- 12.3.1 Evidence Handling and Attack Attribution (p. 271)
- 12.3.1.1 Digital Forensics (p. 271)
- 12.3.1.2 The Digital Forensics Process (p. 272)
- 12.3.1.3 Types of Evidence (p. 272)
- 12.3.1.4 Evidence Collection Order (p. 273)
- 12.3.1.5 Chain of Custody (p. 273)
- 12.3.1.6 Data Integrity and Preservation (p. 274)
- 12.3.1.7 Attack Attribution (p. 274)
- 12.3.1.8 Activity - Identify the Type of Evidence (p. 275)
- 12.3.1.9 Activity - Identify the Forensic Technique Terminology (p. 275)
- 12.4 Summary (p. 275)

Chapter 13 Incident Response and Handling (p. 277)
- 13.0 Introduction (p. 277)
- 13.1 Incident Response Models (p. 277)
- 13.1.1 The Cyber Kill Chain (p. 277)
- 13.1.1.1 Steps of the Cyber Kill Chain (p. 277)
- 13.1.1.2 Reconnaissance (p. 278)
- 13.1.1.3 Weaponization (p. 278)
- 13.1.1.4 Delivery (p. 278)
- 13.1.1.5 Exploitation (p. 279)
- 13.1.1.6 Installation (p. 279)
- 13.1.1.7 Command and Control (p. 279)
- 13.1.1.8 Actions on Objectives (p. 279)
- 13.1.1.9 Activity - Identify the Kill Chain Step (p. 279)
- 13.1.2 The Diamond Model of Intrusion (p. 280)
- 13.1.2.1 Diamond Model Overview (p. 280)
- 13.1.2.2 Pivoting Across the Diamond Model (p. 280)
- 13.1.2.3 The Diamond Model and the Cyber Kill Chain (p. 281)
- 13.1.2.4 Activity - Identify the Diamond Model Features (p. 282)
- 13.1.3 The VERIS Schema (p. 282)
- 13.1.3.1 What is the VERIS Schema? (p. 282)
- 13.1.3.2 Create a VERIS Record (p. 282)
- 13.1.3.3 Top-Level and Second-Level Elements (p. 283)
- 13.1.3.4 The VERIS Community Database (p. 285)
- 13.1.3.5 Activity - Apply the VERIS Schema to an Incident (p. 285)
- 13.2 Incident Handling (p. 285)
- 13.2.1 CSIRTs (p. 285)
- 13.2.1.1 CSIRT Overview (p. 285)
- 13.2.1.2 Types of CSIRTs (p. 286)
- 13.2.1.3 CERT (p. 286)
- 13.2.1.4 Activity - Match the CSIRT with the CSIRT Goal (p. 287)
- 13.2.2 NIST 800-61r2 (p. 287)
- 13.2.2.1 Establishing an Incident Response Capability (p. 287)
- 13.2.2.2 Incident Response Stakeholders (p. 288)
- 13.2.2.3 NIST Incident Response Life Cycle (p. 288)
- 13.2.2.4 Preparation (p. 289)
- 13.2.2.5 Detection and Analysis (p. 290)
- 13.2.2.6 Containment, Eradication, and Recovery (p. 291)
- 13.2.2.7 Post-Incident Activities (p. 293)
- 13.2.2.8 Incident Data Collection and Retention (p. 294)
- 13.2.2.9 Reporting Requirements and Information Sharing (p. 295)
- 13.2.2.10 Activity - Identify the Incident Response Plan Elements (p. 296)
- 13.2.2.11 Activity - Identify the Incident Handling Term (p. 296)
- 13.2.2.12 Activity - Identify the Incident Handling Step (p. 296)
- 13.2.2.13 Lab - Incident Handling (p. 296)
- 13.3 Summary (p. 296)