Cisco 200-201 - Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS)

Table Description automatically generated

Lateral movement relies heavily on reconnaissance to identify systems, services, and attack paths inside a compromised network. The Nmap scan in the exhibit reveals open ports and associated services, which directly support this objective.

Option A is correct because identifying the function and service the server is providing allows the attacker to understand the system’s role. Services such as msrpc, netbios-ssn, and microsoft-ds strongly indicate a Windows host offering file sharing, remote procedure calls, and domain-related services. This information helps attackers select appropriate exploits, credential theft techniques, or privilege escalation paths.

Option C is also correct because running services and open ports are one of the most valuable outputs of a network scan. Open ports such as 135, 139, and 445 expose services that are commonly targeted for lateral movement using techniques like SMB relay attacks, Pass-the-Hash, or exploitation of known vulnerabilities.

Option B is incorrect because CPU details and vendor versions are not revealed in this scan output. Option D is incorrect because Nmap does not enumerate logged-in user security identifiers. Option E is incorrect because latency values are not used for command injection planning in lateral movement scenarios.

Therefore, the two scan elements that assist the attacker are the server’s function and its running services and ports.

Graphical user interface, application Description automatically generated

The source IP address from an audit log that indicates a session which may have exploited a vulnerability is considered corroborative evidence. This type of evidence supports other evidence that suggests a security breach occurred. In the context of cybersecurity, corroborative evidence can help establish that an attack was carried out and can be used in conjunction with other data points to build a case during an investigation.

References := The Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) training material discusses the types of data needed to investigate security incidents, which includes understanding the role of different types of evidence in building a security incident case1.

A Certificate Authority (CA) is responsible for issuing digital certificates to validate the identity of the certificate holder and provide a means to establish secure communications over networks like the Internet. References := Cisco Cybersecurity Source Documents

X.509 certificates are used in conjunction with secure data transfer protocols to ensure the confidentiality and integrity of communication. They are part of a public keyinfrastructure (PKI) that authenticates the identity of entities and encrypts data in transit. References: Implementing X.509 certificates along with secure data transfer protocols like SFTP, HTTPS, FTPS, and IPSec can help secure data sharing with third-party companies

Wireshark is a widely-used network protocol analyzer that allows users to capture and interactively browse the traffic running on a computer network. It provides full packet capture capabilities, enabling detailed analysis of network traffic. References: This is supported by the CBROPS course materials, which discuss security monitoring and the analysis of network traffic, including full packet capture tools like Wireshark