Cisco 200-201 - Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS)

DDoS attacks are divided into two categories: reflected and direct. Reflected attacks use a third-party system to amplify the attack traffic and send it to the target. For example, an attacker can send a spoofed request to a DNS server, which will reply with a large amount of data to the target’s IP address. Direct attacks send the attack traffic directly from the attacker’s system or a botnet to the target. For example, an attacker can send a large number of SYN packets to the target’s port, exhausting its resources. References := Cisco Cybersecurity Operations Fundamentals, Module 1: Security Concepts, Lesson 1.3: Common Network Application Operations and Attacks, Topic 1.3.4: Denial-of-Service Attacks

Full packet captures are essential for troubleshooting security and performance issues as they provide detailed information on network traffic (option B). They also allow for reassembling fragmented traffic from raw data, enabling analysts to review complete transactions or sessions (option C). References := Cisco Cybersecurity Operations Fundamentals - Module 3: Network Data and Event Analysis

 SYN flood and teardrop are two types of denial-of-service (DoS) attacks, which aim to disrupt the availability of a service or a system by overwhelming it with malicious traffic or requests. A SYN flood attack exploits the TCP three-way handshake process by sending a large number of SYN packets to the target’s port, without completing the connection. This causes the target to allocate resources for half-open connections, eventually exhausting its memory or bandwidth. A teardrop attack exploits the IP fragmentation process by sending malformed or overlapping IP fragments to the target, causing it to crash or reboot when trying to reassemble them. References := Cisco Cybersecurity Operations Fundamentals, Module 1: Security Concepts, Lesson 1.3: Common Network Application Operations and Attacks, Topic 1.3.4: Denial-of-Service Attacks

The Delivery phase of the Cyber Kill Chain is the stage where an attacker transmits a malicious payload to the target. In phishing attacks, this typically occurs through email messages containing malicious links or attachments sent to intended victims.

In this scenario, the phishing emails were identified and blocked by the organization’s email antivirus solution before they reached users or were interacted with. This indicates that the attack was mitigated during the delivery phase, as the malicious content was stopped in transit and never executed on the target systems.

Weaponization refers to the creation of malicious payloads, which occurs before delivery. Command and Control involves establishing remote communication with compromised systems, which requires successful execution. Actions on Objectives represent the final stage where attackers achieve their goals, such as data theft or account compromise.

Cybersecurity operations fundamentals emphasize that email security controls are designed to disrupt attacks as early as possible in the kill chain. Blocking phishing emails at delivery significantly reduces risk and prevents downstream compromise.

Therefore, the correct answer is Delivery.

Rule-based detection methods rely on predefined rules and patterns that are known beforehand. These rules are created based on prior knowledge of what constitutes normal and abnormal behavior.

Statistical detection, on the other hand, involves analyzing data to identify anomalies. It is based on assumptions about what normal behavior looks like and uses statistical methods to detect deviations from this norm.

Rule-based systems are typically straightforward but may miss novel attacks that do not match existing rules.

Statistical methods can detect previously unknown threats by recognizing patterns that deviate from established baselines but may produce more false positives.

References

Intrusion Detection Systems (IDS) Concepts

Comparative Studies on Rule-based and Statistical Anomaly Detection

Understanding Anomaly Detection in Network Security