Cisco 200-201 - Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS)

According to NIST SP800-61, the incident response lifecycle consists of four phases: Preparation, Detection and Analysis, Containment, Eradication and Recovery, and Post-Incident Activity.

When a SOC team member checks the Cisco Firepower Manager dashboard for further isolation actions, they are working within the Eradication and Recovery phase.

This phase focuses on removing the threat from the environment and recovering affected systems to normal operations.

References

NIST SP800-61 Computer Security Incident Handling Guide

Incident Response Phases Explained

Role of SOC in Incident Response

TCP injection is an attack where the attacker sends crafted packets into an existing TCP session. These packets appear to be part of the session.

The presence of many SYN packets with the same sequence number, source, and destination IP but different payloads indicates that an attacker might be injecting packets into the session.

This method can be used to disrupt communication, inject malicious commands, or manipulate the data being transmitted.

References

Understanding TCP Injection Attacks

Analyzing Packet Captures for Injection Attacks

Network Security Monitoring Techniques

The packet capture exhibit shows that the source IP address is 192.168.122.100 and it is sending a packet from source port 50272 to destination port 80 of destination IP address 81.179.179.69 using TCP protocol. The TCP protocol is indicated by the Protocol field which has the value 6. The source and destination ports are indicated by the SrcPort and DstPort fields respectively. The source and destination IP addresses are indicated by the SrcAddr and DstAddr fields respectively. References := Cisco Cybersecurity Operations Fundamentals - Module 3: Network Data and Event Analysis

Traffic mirroring is a technique that copies the traffic from a source port or VLAN to a destination port or VLAN, where it can be analyzed by a security device or tool. Traffic mirroring does not affect the original traffic flow and does not introduce any latency or modification to the packets. Inline traffic interrogation is a technique that forwards the traffic directly to the security device or tool, where it can be inspected and modified before being sent to the destination. Inline traffic interrogation can introduce latency and affect the performance of the network. References:

Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) - Cisco, Module 2: Security Monitoring, Lesson 2.2: Network Security Monitoring Tools

200-201 CBROPS - Cisco, Exam Topics, 2.0 Security Monitoring, 2.2 Describe the impact of various technologies on security monitoring

Cisco Certified CyberOps Associate Overview - Cisco Learning Network, Videos, 2.2 Describe the impact of various technologies on security monitoring

What Are Ports 139 And 445? SMB has always been a network file sharing protocol. As such, SMB requires network ports on a computer or server to enable communication to other systems. SMB uses either IP port 139 or 445. Port 139 - SMB originally ran on top of NetBIOS using port 139. NetBIOS is an older transport layer that allows Windows computers to talk to each other on the same network. Port 445 - Later versions of SMB (after Windows 2000) began to use port 445 on top of a TCP stack. Using TCP allows SMB to work over the internet. https://www.varonis.com/blog/smb-port SMB Ports 139 and 445 are open Email Ports 25 and 110 are closed Therefore "D. Email Ports are closed on the Server."

 To analyze both payload and header information, an engineer must capture the full packet data. This includes all protocol and payload information for the traffic, allowing for a comprehensive analysis of the data being transmitted5678. References: Full packet capture is a common practice in network monitoring and security, as it provides detailed insights into the data transmitted over the network, including both payload and header information

An SSL certificate enables the establishment of a secure connection between the client and the server using the TLS protocol. The client and the server exchange keys and agree on a cipher suite to encrypt and decrypt the data transmitted over the network. References := Cisco Cybersecurity Source Documents

Rule-based detection systems operate using predefined patterns and signatures to identify known threats. These patterns are based on prior knowledge of attack methods and vulnerabilities.

Behavioral detection systems, on the other hand, analyze the normal behavior of a network or system to establish a baseline. They thenmonitor for deviations from this baseline, which may indicate potential threats.

Rule-based systems are effective at detecting known threats but may struggle with novel or zero-day attacks that do not match existing signatures.

Behavioral systems can detect unknown threats by recognizing abnormal activities, making them useful in identifying zero-day exploits and other sophisticated attacks.

References

Comparison of Rule-based and Behavioral Detection Methods in IDS

Advantages of Behavioral Analysis in Network Security

Cybersecurity Detection Techniques