CCNA Cyber Ops

If you are just about to sit the CCNA Cyber Ops exam then this is a complete study guide that will help you do some last-minute cramming. The CCNA Cyber Ops is composed of two modules – the SECFND and SECOPS – with two corresponding exams. I spent months taking notes on both of these exams so the notes below relate to both.

  • The security monitoring data type that requires the most storage space – Full packet capture
  • HTTPS traffic makes security monitoring difficult because data is encrypted.
  • Deep packet inspection allows a firewall to evaluate the application layer
  • Session data can be obtained using NetFlow.
  • Which of the following are not components of the 5-tuple of flow in NetFlow? Flow Record ID, Gateway
  • When digitally signing a document, the document is hashed and then the hash is encrypted (signed) with the signer's private key.
  • Which 2 actions are valid uses of public key infrastructure? Revoking the validation of a certificate. Validating the authenticity of a certificate.
  • A host-based intrusion detection system is often located on endpoints as an agent or a desktop application
  • Definition of vulnerability – An exploitable unpatched and unmitigated weakness in software.
  • Which signature type results in a legitimate alert being dismissed? False Negative
  • Threat actors are perpetrators of attacks

  • Data normalisation can include the process where redundant IPS events are removed to improve data integrity
  • 5-tuple components – source IP, destination IP, Source port, Destination port, Protocol
  • Three metric or scores of the common vulnerability scoring system CVSS – Base score, Environmental score, Temporal score
  • The CVSSv3 metric value that increases when the attacker is able to modify all files protected by the vulnerable component? Integrity
  • Which CVSS metric describes the conditions that are beyond the attacker’s control that must exist to exploit the vulnerability? Attack complexity
  • Which CVSSv3 Attack vector metric value requires the attacker to physically touch or manipulate the vulnerable component?  Physical
  • The Ext4 Linux file system not only supports journaling but also modifies important data structures of the file system, such as the ones used to store the file data, for better performance and reliability.
  • The main goals of the CSIRT are to minimise and control the damage associated with incidents, provide guidance for mitigation, and work to prevent future incidents
  • The Incident Response Plan defines the roadmap for implementing the incident response capability.
  • When performing threat hunting against a DNS server, which traffic toward the affected domain is considered a starting point? UDP traffic
  • Which of the following is true about attribution in a cybersecurity investigation? A suspect-led approach is pejorative and often biased to the disadvantage of those being investigated
  • You have video of the suspect entering your office the day your data was stolen. What kind of evidence is this? Indirect (circumstantial) evidence
  • The organisation’s leaders and managers are responsible for containment, eradication and recovery in incident handling.
  • Three broad categories of cybersecurity investigations – Public, Private, and individual investigations
  • Data mapping is used for data accuracy and data visualisation
  • Which of the following file systems is more secure, scalable and advanced? NTFS
  • A common artefact used to uniquely identify a detected file is the File hash
  • Which of the following is typically a responsibility of a PSIRT (product SIRT)? Disclosing vulnerabilities in the organisation's products and services
  • Which option is unnecessary for determining the appropriate containment strategy according to NIST SP800-61 r2? The attack vector used to compromise the system.
  • What is a listening port? A port that remains open and waiting for incoming connections
  • Which element can be used by a threat actor to discover a possible opening into a target network and can also be used by an analyst to determine the protocol of the malicious traffic? Ports
  • According to NIST, which options are unnecessary for a containment strategy? Delayed containment; monitoring with methods other than sandboxing.
  • Apache will send diagnostic information and record any errors that it encounters to which of the following? ErrorLog
  • Which of the following are examples of sandboxing implementations? Google Chromium sandboxing, Java Virtual Machine JVM sandboxing, HTML5 “sandbox” attribute for use with iframes
  • Which of the following is a type of web application vulnerability where malicious scripts are injected into a legitimate and trusted website? Cross-site scripting XSS
  • Which of the following services are provided by a lightweight access point? Transmission and reception of frames, Channel encryption
  • Authentication logs track the success and failures of legitimate users with a time stamp record
  • If a client connected to a server using SSHv1 previously, how should the client be able to authenticate with the server? The client will receive the same public key that it had stored for the server.
  • Why are reputation filters typically the first filters that are applied to inbound emails in content security systems? To reduce the processing load on other filters by eliminating emails from known bad sources.
  • According to the common vulnerability scoring system, which term is associated with scoring multiple vulnerabilities that are exploited in the course of a single attack? Vulnerability chaining
  • Which two are uses for DNS covert tunnels? Stealthy data exfiltration, issue CnC traffic to bots on the network.
  • Which four of the following are considered the main protocols of the Internet Protocol suite? UDP, TCP, IP, ICMP
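The 5-tuple and data-normalisation notes above are easier to see in code. The following is an added example, not from the original study notes or from any Cisco product: it takes constructed flow exports from two hypothetical sensors that name the same fields differently, renames them into one 5-tuple schema, drops the flow that both sensors exported (the redundant data normalisation removes), and folds the two directions of each conversation into a session, which is what NetFlow session data gives an analyst that a single unidirectional record does not.

```python
"""Normalise flow records from two sensors into a common 5-tuple schema, de-duplicate, and build sessions."""
import csv
import io
from collections import defaultdict

# IANA protocol numbers, so 'tcp' from one sensor and '6' from another compare equal.
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}

# Constructed sample exports (not real captures). Sensor A uses NetFlow v5-style
# field names; sensor B is a hypothetical export with its own names for the same fields.
SENSOR_A = """srcaddr,dstaddr,srcport,dstport,prot,bytes
10.0.0.5,93.184.216.34,51514,443,6,1450
93.184.216.34,10.0.0.5,443,51514,6,9820
10.0.0.5,8.8.8.8,54000,53,17,70
10.0.0.5,93.184.216.34,51514,443,6,1450
"""
SENSOR_B = """src_ip,dst_ip,sport,dport,proto,octets
8.8.8.8,10.0.0.5,53,54000,udp,120
10.0.0.5,93.184.216.34,51514,443,tcp,1450
"""

# Column-name maps from each sensor's export to the common schema.
SENSOR_A_MAP = {"srcaddr": "src_ip", "dstaddr": "dst_ip", "srcport": "src_port",
                "dstport": "dst_port", "prot": "proto", "bytes": "bytes"}
SENSOR_B_MAP = {"src_ip": "src_ip", "dst_ip": "dst_ip", "sport": "src_port",
                "dport": "dst_port", "proto": "proto", "octets": "bytes"}


def normalise(csv_text, column_map):
    """Rename columns to the common schema and coerce types (protocol as an IANA number)."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rec = {column_map[k]: v for k, v in row.items()}
        proto = rec["proto"].lower()
        rec["proto"] = PROTO_NUMBERS[proto] if proto in PROTO_NUMBERS else int(proto)
        for field in ("src_port", "dst_port", "bytes"):
            rec[field] = int(rec[field])
        records.append(rec)
    return records


def five_tuple(rec):
    """Source IP, destination IP, source port, destination port, protocol."""
    return (rec["src_ip"], rec["dst_ip"], rec["src_port"], rec["dst_port"], rec["proto"])


def dedupe(records):
    """Drop records that are the same flow exported by more than one sensor."""
    seen, unique = set(), []
    for rec in records:
        key = five_tuple(rec) + (rec["bytes"],)
        if key not in seen:
            seen.add(key)
            unique.append(rec)
    return unique


def sessions(records):
    """Pair the two directions of a conversation into one bidirectional session.
    The key orders the two (ip, port) endpoints so A->B and B->A land in the same bucket."""
    out = defaultdict(lambda: {"bytes": 0, "flows": 0})
    for rec in records:
        a = (rec["src_ip"], rec["src_port"])
        b = (rec["dst_ip"], rec["dst_port"])
        key = (rec["proto"],) + tuple(sorted([a, b]))
        out[key]["bytes"] += rec["bytes"]
        out[key]["flows"] += 1
    return dict(out)


def build_sessions():
    """Whole pipeline over both constructed exports."""
    records = normalise(SENSOR_A, SENSOR_A_MAP) + normalise(SENSOR_B, SENSOR_B_MAP)
    return sessions(dedupe(records))


if __name__ == "__main__":
    for key, stats in build_sessions().items():
        print(key, stats)
```

The session key deliberately ignores which side sent first; when the client port is ephemeral, the lower-numbered well-known port on the other side tells you the service, which is the "ports identify the protocol of the malicious traffic" point from the notes.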

  • Which of the following are examples of cloud-based security solutions? Cisco Cloud Email Security (CES), Cisco AMP Threat Grid, Cisco Threat Awareness Service (CTAS)
  • What two statements are true regarding the services LDAP provides? It is a protocol that provides access for management and browser applications that provide read/write interactive access to the X.500 directory. It is a protocol that is designed to store information about an organisation that could include information about users, user groups, organisations, or other resources such as files or devices on the enterprise network.
  • What must a user do when making any changes to the logging configuration? Restart the logging service
  • What 3 changes have occurred in modern networks that require enhanced security? Modern networks utilise a common set of widely known and open protocols. The global connectivity of the internet provides more opportunities for threat actors to connect to information systems, the increased complexity of operating systems and application software has made it more difficult to ensure security across all systems.
  • Which method allows a space in a filename to be correctly interpreted by the Windows command line interpreter? Enclose the file name in double quote characters
  • Which definition of permissions in linux is true? Attributes of ownership and control of an object
  • Which of the following statements best describes the benefit of following the phases of the attack continuum? Organisations are able to combat advanced persistent threats by having visibility and control across the extended network.
  • What are the two best ways to protect a device from a rootkit attack? Keep current with software updates and security patches from the vendor, Utilise anti-malware, anti-virus, and next-generation firewall and IPS services within your network.
  • What is the destination port defined in the DHCP discover message? UDP port 67
  • Which one of the following options is the attack that can be used to find collisions in a cryptographic hash function? Birthday attack
  • Which of the following options describes the steps to enable a SPAN configuration? Define the source port or VLAN, then select a destination port
  • Which of the following would give an IPS the most trouble? Encryption
  • What is a runbook? A runbook is a collection of procedures and operations performed by a system administrator, security professionals or network operators.
  • Which of the following statements is not true about the daemon process? Daemons are controlled by the active user
  • What is launched using Windows msconfig command? System configuration
  • PowerShell command – Get-ExecutionPolicy output of RemoteSigned means only scripts downloaded from the internet must be digitally signed; locally written scripts run unsigned.
  • Which of the following is not a metadata feature of the diamond model? Devices
  • Which source provides reports of vulnerabilities in software and hardware to a security operations centre? Analysis centre
  • Which of the following is not an example of weaponisation? Connecting to a CnC server
  • In VERIS, an incident is viewed as a series of events that adversely affects the information assets of an organisation. Which option contains the elements that every event is comprised of according to the VERIS incident model? Actors, Actions, Assets, Attributes
  • Which option is a misuse variety per Veris enumerations? Hacking
  • What is accomplished in the identification phase of incident handling? Determining the responsible user
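The birthday attack note above (and the file-hash note in the first list) comes down to one number: for an n-bit digest, a collision between any two attacker-chosen inputs costs about 2^(n/2) hashes, not 2^n. The following added example is not from the original notes; it truncates SHA-256 to 20 bits as a stand-in for a short or weak hash and finds two different messages with the same truncated digest in roughly a thousand trials. The message prefix and counter scheme are my own construction.

```python
"""Birthday attack against a truncated hash: collisions appear after ~sqrt(2**bits) trials."""
import hashlib
import math
from itertools import count


def truncated_sha256(data, bits):
    """First `bits` bits of SHA-256(data) as an integer. Truncation stands in for a hash
    with a short output; the full 256-bit digest is not attackable this way (~2**128 work)."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)


def expected_trials(bits):
    """Birthday bound: about sqrt(pi/2 * 2**bits) hashes for a 50% chance of some collision,
    versus about 2**bits hashes to hit one fixed digest (second preimage)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def birthday_collision(bits, prefix=b"msg-"):
    """Hash distinct attacker-chosen messages (constructed here as prefix + counter) until two
    share a truncated digest. Every digest is kept in a dict, so memory grows with the trial
    count; by the pigeonhole principle this terminates within 2**bits + 1 trials."""
    seen = {}
    for i in count():
        msg = prefix + str(i).encode()
        h = truncated_sha256(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1  # two different inputs, and how many hashes it took
        seen[h] = msg


if __name__ == "__main__":
    m1, m2, trials = birthday_collision(20)
    print(f"{m1!r} and {m2!r} share a 20-bit digest after {trials} hashes "
          f"(birthday estimate {expected_trials(20):.0f})")
```

This is why a file hash only uniquely identifies a detected file if the algorithm is collision-resistant at its full output length, and why MD5 (whose collision resistance is broken well below the birthday bound) is the weak choice among the common hashes.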

  • A device sending and receiving traffic on behalf of multiple hosts by rewriting the IP header – NAT behaviour
  • Purpose of port scanning – Identify which ports and services are open on the target host.
  • An intrusion detection system that begins receiving an abnormally high volume of scanning from numerous sources indicates the resource exhaustion evasion technique.
  • Examples of social engineering activities – Receiving a call from the IT department asking you to verify your username and password; sending a verbal request to an administrator to change the password of the account of a user the administrator does know.
  • pxGrid is used to enable the sharing of contextual-based information from a Cisco ISE session directory to other policy network systems such as Cisco IOS devices and the Cisco ASA
  • Daemon on Linux – program that runs unobtrusively in the background
  • TCP Injection – Many SYNs that have the same sequence number and destination IP address but have different payloads
  • SIEM (Security Information and Event Management) – a security product that collects, normalises and correlates event log data to provide holistic views of the security posture.
  • Information security property supported by encryption – Confidentiality
  • Privilege escalation – the act of a user, without authority or permission, obtaining rights on a system beyond what was assigned.
  • IIS Log Parser Tool – a Powerful, versatile tool that makes it possible to run SQL like queries against log files.
  • Full Duplex mode – Each station can send and receive at the same time, It avoids collisions
  • Chain of custody – a chronological record of how evidence was collected, analysed, preserved, and transferred.
  • In which case does an employee return his laptop to the organisation – As described in the asset return policy.
  • Firewalls require deep packet inspection to evaluate the application layer.
  • An intrusion event occurs when a signature-based IDS encounters network traffic that matches one of its signatures.
  • Man in the middle – when an attacker is successful in eavesdropping on a conversation between two IP phones
  • Application-level whitelisting – allow only specified executable files to run and deny all others
  • Anti-virus – a program used to detect and remove unwanted malicious software from the system.
  • Heuristic-based algorithms – may require fine-tuning to adapt to network traffic and minimise the possibility of false positives
  • Separation of duties – security principle that states that more than one person is required to perform a critical task.
  • Exploit kit – tool commonly used by threat actors on a web page to take advantage of the software vulnerabilities of a system to spread malware.
  • A web server accepts input from the user and pastes it into a bash shell. To which attack is it vulnerable? Command injection
  • Security policy defined by the owner of an object, who grants or restricts access – discretionary access control (DAC) security model
  • Virtual address space for a windows process – Set of virtual memory addresses that it can use
  • The main purpose of a vulnerability management framework – Manage a list of reported vulnerabilities
  • Protocol primarily supported by the third layer of the OSI model – IPv4/IPv6
  • Host-based IPS – It can view encrypted files, it can have more restrictive policies than network-based IPS, It can generate alerts based on behaviour at the desktop level.
  • Two features of NGFW – Application visibility and control, IDS
  • Which hashing algorithm is the weakest – MD5
  • Actions a promiscuous IPS can take to mitigate an attack – Resetting the TCP connection, Requesting host blocking, Requesting connection blocking
  • Types of Layer 2 attacks – Arp attacks, Spoofing attacks, VLAN hopping
  • Type of algorithm that uses the same key to encrypt and decrypt data – Symmetric algorithm
  • In which context is it inappropriate to use a hash algorithm – Telnet Logins
  • Mandatory Access Control MAC – Access control model that uses security labels to make access decisions.
  • Useful reports that can be gathered from Cisco ISE – Web server log reports, Top application reports, Administrator login reports.
  • Application Attack Surface – the sum of risks presented by an application
  • Linux directory used to store log files – /var/log
  • NTP command that configures the local device as an NTP reference clock source – ntp master
  • An attacker installs a rogue switch that sends superior BPDUs on the network; this can result in the rogue switch becoming the root bridge
  • Linux daemon – a long-running process that is a child of the init process
  • Types of cross-site scripting attacks – Stored, reflected
  • Two features an NGFW must include – Application visibility and control and Intrusion detection system
  • Which security principle is violated by running all processes as root/admin – Principle of least privilege.
  • Linux commands to show the process for all users – ps -a
  •  Where does routing occur within the DoD TCP/IP reference model – Internet
  • Confidentiality is defined in the CVSSv3 framework as the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability
  • Which Cyber Kill Chain Category does attacking a vulnerability belong to – Exploitation
  • The team that handles the investigation, resolution, and disclosure of security vulnerabilities in vendor products and services? PSIRT
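The command-injection note above (user input pasted into a bash shell) is the one item in this list where seeing the vulnerable code next to the fix matters. The following is an added example written for this page, not code from the original notes or from any product: a hypothetical "ping this host" handler in its naive form, which hands a string to `/bin/sh`, and its hardened form, which validates the host against an allow-list and passes an argument vector with no shell at all. The demonstration payload appends `; echo INJECTED`, so it shows the injection even where no `ping` binary is installed.

```python
"""Command injection: user input spliced into a shell command string, and the hardened form."""
import ipaddress
import re
import subprocess

# RFC 1123 hostname: labels of letters, digits and hyphens, joined by dots.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_command(host):
    """The handler described in the notes: the request parameter is pasted into the command."""
    return f"ping -c 1 {host}"


def run_vulnerable(host):
    """shell=True hands the string to /bin/sh, which honours ';', '|', '&&' and '$(...)'
    inside the user-supplied part. Returns what the shell printed to stdout."""
    result = subprocess.run(vulnerable_command(host), shell=True,
                            capture_output=True, text=True)
    return result.stdout


def validate_host(host):
    """Allow-list the input: an IP literal or a syntactically valid hostname.
    Everything else (spaces, ';', '$', quotes, pipes) is rejected before it goes anywhere."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"rejected host argument: {host!r}")


def hardened_argv(host):
    """Validated input placed in an argv list. With shell=False the kernel receives these
    exact strings; there is no shell to interpret metacharacters."""
    return ["ping", "-c", "1", validate_host(host)]


def run_hardened(host):
    """Execute the hardened form (not called by the tests; needs a ping binary)."""
    return subprocess.run(hardened_argv(host), capture_output=True, text=True)


if __name__ == "__main__":
    payload = "127.0.0.1; echo INJECTED"
    print("vulnerable handler ran the injected command:", "INJECTED" in run_vulnerable(payload))
    try:
        hardened_argv(payload)
    except ValueError as exc:
        print("hardened handler:", exc)
```

Both halves of the fix matter: the argument vector removes the shell, and the allow-list stops the value from reaching `ping` as something other than a host (for example `-f` as an option). Encoding or escaping the input for the shell is a weaker fix than not using a shell.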

  • When Incident data is collected it is important that cross-contamination is prevented.  How is this accomplished? By not permitting a device to store evidence if it is the evidence itself.
  • CSIRT category that provides incident handling services to their parent organisation such as a bank, a manufacturing company or federal agency – Internal CSIRT
  • Which component of the NIST SP800-61 r2 incident handling strategy reviews data – post-incident analysis
  • Which phase of the forensic process are tools and techniques used to extract the relevant information from the collective data? Examination
  • Confidential data being exfiltrated to an IP address that is attributed to a known Advanced Persistent threat group. – the event falls under the type “Action on Objectives”
  • When Collecting data as part of digital forensics, data must be preserved and integrity checked.
  • Which Identifies both the source and destination location – IP address
  • Which option is an example of a coordination centre? CERT division of the Software Engineering Institute
  • According to NIST SP800-86, Which action describes volatile data collection? Collection of data before a system reboot.
  • Not true regarding the use of digital evidence – The reliability of the digital evidence is not as important as someone’s testimony to supporting or refuting any hypothesis put forward, including the attribution of threat actors.
  • Which two useful pieces of information can be collected from the IPv4 protocol header? – Source IP address of the packet, the destination IP address of the packet.
  • Which is not an example of reconnaissance? Redirecting users to a source and scanning traffic to learn about the target
  • What is NAC? Network Access Control
  • Data Normalisation – Purge redundant data, Maintain data integrity
  • Which event artefact can be used to identify HTTP GET requests for a specific file? URI
  • Which type of analysis allows you to see how likely an exploit could affect your network? Probabilistic
  • Which option allows a file to be extracted from a TCP stream within WireShark? File > Export Objects
  • From a security perspective, why is it important to employ a synchronised clock (for example via NTP)? To construct an accurate timeline of events when responding to an incident.
  • Which data type is protected under PCI compliance? Primary account number (PAN)
  • Which element is included in an incident response plan? Organisation mission
  • Which two components are included in a 5-tuple? Port number, destination IP address
  • PHI – Protected health information
  • Cisco cloud security options – OpenDNS, CloudLock
  • Timing Attack – Evasion method involving performing actions slower than normal to prevent detection
  • The encryption algorithm that is the strongest – AES
  • Stand-alone and lightweight access points – Standalone access points can be configured one by one and offer complete functionality by themselves, Lightweight access points rely on a central wireless LAN controller to retrieve their configurations.
  • Which TCP flags must be set in a packet for the packet to match an ACL entry that contains the established keyword? ACK or RST
  • Which technology allows a large number of private IP addresses to be represented by a smaller number of public IP addresses? NAT
  • ARP operates between layer 2 and layer 3
  • Which two following options are layers of the TCP/IP model? Transport and Internet
  • Interior gateway protocols – EIGRP, IS-IS, OSPF, RIP
  • What is a Daemon? A computer program that runs as a background process rather than being under the direct control of an interactive user
  • Two UDP applications? – TFTP, SNMP
  • A lack of validation of the ARP replies can allow an attacker to successfully execute what type of attack? Man in the middle
  • Two Protocols used to retrieve mail – IMAP, POP
  • Three primary items that are tracked by a security intelligence feed? Known Attackers, Open Relays, IP address with a poor reputation
  • There are several differences between NetFlow and full packet capture – one of the major differences, and a disadvantage of full packet capture, is cost and the amount of data to be analysed.
  • The main purpose of an exploit kit for malicious actors is to scan a potential victim’s computer for vulnerable applications so that Malware can be delivered
  • Linux was started by Linus Torvalds as a project to create a Unix like environment that could run on his personal computer because the systems at the university that he attended ran Unix.
  • Linux is openly available to others with very limited restrictions under the terms of the GNU General Public License (GPL)
  • Resource record type used to display the mail servers for a domain – MX
  • Hash algorithms used in IPsec – Secure Hash Algorithm (SHA), Message Digest Algorithm 5 (MD5)
  • ISE enforces network segmentation to reduce the risk of pivoting to a higher trusted network.
  • What is used in the Cisco TrustSec architecture to provide link-level encryption? MACsec
  • Application blacklisting – permissive security control in which specified applications are prevented from running on an end host while all other applications are allowed (the inverse of whitelisting).
  • The vulnerability assessment process typically includes which four activities – Device discovery, Service enumeration, Scanning, Validation
  • The primary difference between reputation-based detection and anomaly-based detection – reputation-based detection allows the IPS to block all traffic from known bad sources before the significant inspection is done.
  • The organisational benefit of incorporating CVSS into risk analysis – It is a structured method to assist with prioritising a vulnerability response.
  • Types of controls best describe a fence? Physical, Deterrent
  • Which is not a NetFlow version? IPFIX

  • Two HTTP header fields relate to intrusion analysis? Host, user agent
  • In the context of incident handling phases, which two activities fall under scoping? Determining what and how much data may have been affected; identifying the extent to which a security incident is impacting protected resources on the network
  • Collected evidence data must be preserved and integrity verified
  • What are the metric values of confidentiality based on the CVSS framework? High – Low – None
  • Which regular expression matches both "color" and "colour"? colou?r (the ? makes the preceding u optional)
  • Which kind of evidence can be considered most reliable to arrive at an analytical assertion? Direct
  • Which CVSS metric describes the conditions that are beyond the attacker's control that must exist to exploit the vulnerability? Attack complexity (Privileges Required instead describes the level of access the attacker must already hold)
  • Which options are not malware varieties per VERIS enumerations (they are hacking varieties)? Abuse of functionality, cache poisoning, remote file inclusion
  • MITM attack – a system that has the ability to view the communication between two systems and imposes itself in the communication path between those other systems
  • Two ways a pass-the-hash attack allows an attacker to gain access – the attack takes advantage of other systems' horizontal acceptance of a user's permissions without requiring re-authentication; many systems will accept a hash of the user's password for authentication, so a captured hash can be replayed.
  • The main cause of successful buffer overflow attacks? – Poorly written application code that does not validate input data size
  • Two impacts of cryptography on security investigations – With the increased legitimate usage of HTTPS traffic, attackers have taken advantage of this blind spot to launch attacks over https more than ever before, Cryptographic attacks can be used to find a weakness in the cryptographic algorithms.
  • The higher the Diffie-Hellman group number, the larger the key size.
  • Functions provided by SIEM – Log Archiving, Log Correlation, Log normalisation
  • What information may an attacker obtain with WMI access to the Windows domain controller security events? User login and log off events
  • For which purpose can Windows management Instrumentation be used? Remote viewing of a computer
  • Ransomware – a type of malware that compromises a system and then often demands a ransom from the victim to pay the attacker in order for the malicious activity to cease or for the malware to be removed from the affected system
  • Shadow domain – a second-level domain that is registered by a malicious person using compromised domain registration information from a legitimate site
  • Attack surface – the sum of the different points (“attack vectors”) in a given computing device or network that are accessible to an unauthorised user (Attacker)
  • An IPS should never have to monitor traffic “in the wild” due to the overhead that is involved.
  • Benefits of VLSM when subnetting a block of IP addresses – More efficient use of IP addresses, Better defined network hierarchical levels
  • Cisco NetFlow records are usually exported via UDP packets
  • Heartbleed is an example of which vulnerability class? Buffer overflow (strictly, an out-of-bounds read of heap memory in OpenSSL)
  • Which three are valid fields in the Set-Cookie HTTP header? Expires, Domain, Path
  • Encrypting traffic – not a technique used to confuse an IPS when reassembling fragmented packets
  • After a file disposition changes from unknown to malicious, what is the next step that should be taken? Go back to the system where the file was previously seen and quarantine the malicious file
  • Features implemented by a wireless controller – Wireless station Authentication, Quality of service
  • Which data handling concept pertains to securing artefact against change? Integrity
  • Windows services – Microsoft Windows services run in their own user session
  • Which term represents a potential danger that could take advantage of a weakness in a system? Threat
  • Which option can be addressed when using retrospective security techniques? – How the malware entered our network
  • In the context of incident handling phases, which activities fall under scoping? Determining what and how much data may have been affected; identifying the extent to which a security incident is impacting protected resources on the network (identifying the attackers is attribution, not scoping).
  • You see 100 HTTP GET and POST requests for various pages on one of your web servers. The user agent in the requests contains PHP code that, if executed, creates and writes to a new PHP file on the web server. Which category of the Cyber Kill Chain does this fall under? Delivery
  • Which string matches the regular expression r(ege)+x? regeegex
  • Which data element must be protected with regards to PCI? Full Name
  • What mechanism does the LINUX operating system provide to control access to files? File permissions
  • What information from HTTP logs can be used to find a threat actor? IP address
  • An organisation has recently adjusted its stance in response to online threats made by a known hacktivist group. Which term defines the initial event in the NIST SP800-61 r2? Precursor
  • After running a suspicious file in a sandbox you find that outbound callouts were made post-infection. Which two pieces of information from the report are needed to investigate the callouts? File size and host IP address
  • Which option filters a libpcap capture that used a host as a gateway? gateway host <host>
  • Which network device creates and sends the initial packet? Source
  • When performing threat hunting against a DNS server, UDP traffic is considered a starting point
  • Which option has a drastic impact on network traffic because it can cause legitimate traffic to be blocked – false positive
  • Collection – data related to an event is labelled and recorded to preserve its integrity.
  • Which information must be left out of a final incident report? Server hardware configurations
  • Elements that every event is comprised of according to VERIS incident model – Actors, Actions, Assets, Attributes
  • Which two options can be used by a threat actor to determine the role of a server – running processes, applications
  • Wireshark display filter on IP address and hostname – ip.addr == <addr> or ip.host == <host>
  • Which type of analysis assigns values to scenarios to see what the outcomes might be in each scenario? Deterministic
  • The feature used to find possible vulnerable services running on a server? Listening ports
  • Which CVSSv3 metric value increases when an attack consumes network bandwidth, processor cycles, or disk space? Availability
  • Which security operations centre’s goal is to provide incident handling to a country? National CSIRT
  • The goal of data normalisation? Reduce data redundancy
  • Retrospective malware detection – You use historical information from one or more sources to identify the affected host or file.
  • Incident response plan – includes organisation mission
  • The creation of alternating used and unused areas of various sizes – free space fragmentation
  • Two activities that fall under incident handling scoping – determining what and how much data may have been affected; identifying the extent to which a security incident is impacting protected resources on the network
  • The regular expression that matches color and colour – colou?r
  • The phase of the forensic process where tools and techniques are used to extract the relevant information from the collective data? Examination
  • Wireshark – to extract a file from a TCP stream go to File > Export Objects
  • Evidence considered most reliable – Direct
  • The string that matches regular expression r(ege)+x – regeegex
  • The data element must be protected with regards to PCI – Full name
  • Element part of incident response plan – organisational approach to incident response
  • The source that provides reports of vulnerabilities in software and hardware to security operations centres? Analysis Centre
  • Information from HTTP logs that can find threat actors? IP address
  • An organisation has adjusted its security stance in response to online threats made by a known hacktivist. Which term defines the initial event in NIST SP800-61 r2? Precursor
  • File size and host IP address are the two pieces of information needed to investigate callouts
  • Probabilistic Analysis allows you to see how likely an exploit could affect your network.
  • Refer to exhibit – application protocol is in PCAP file – HTTP
  • Action on objectives – you see confidential data being exfiltrated to an IP address that is attributed to a known advanced persistent threat group.
  • CVSSv3 value increases when an attacker is able to modify all files protected by the vulnerable component – Integrity.
  • Collection – phase in the forensic process where data related to a specific event is labelled and recorded to preserve its integrity
  • The information must be left out of a final incident report? Server hardware configurations
  • Type of analysis that assigns values to scenarios to see what the outcome might be in each scenario? Deterministic
  • Which process is being utilised when IPS events are removed to improve data integrity? Data normalisation
  • Which of the following are examples of some of the responsibilities of a corporate CSIRT and the policies it helps create?
