Cisco 300-740 - Designing and Implementing Secure Cloud Access for Users and Endpoints (SCAZT)

MITRE ATT&CK is a globally accessible knowledge base that catalogs adversarial tactics and techniques based on real-world observations. According to SCAZT Section 6: Threat Response (Page 113), this framework enables security professionals to map and anticipate adversarial behavior throughout the attack lifecycle. It supports threat modeling, detection engineering, and incident response.

The flow data in the exhibit shows multiple short-duration, high-volume HTTPS connections (443/TCP) from IP 10.10.10.10 to multiple destination IPs in the 50.10.10.0/24 network. All flows are 22 seconds long and transfer exactly 1.77M of data. This uniform behavior to a large set of IP addresses strongly indicates a Denial of Service (DoS) pattern, where an internal host (10.10.10.10) is overwhelming external systems in the 50.10.10.0/24 range.

The SCAZT guide (Section 6: Threat Response, Pages 114–117) explains how Secure Cloud Analytics uses NetFlow and behavioral modeling to identify such volumetric threats. Key identifiers include:

Same connection size (1.77M)

Multiple unique peer IPs in a single external subnet

Same destination port and protocol (HTTPS)

Zero TCP connections completed, indicating unacknowledged connections

This matches the behavioral pattern of a DoS originating from an internal host.

When integrating Cisco ISE with Azure AD using SAML SSO:

B: The Azure AD metadata must be uploaded into ISE to establish trust and allow token validation.

D: External Identity Sources settings must be configured in ISE to recognize and process authentication requests via SAML-based identity providers like Azure AD.

These are mandatory steps for enabling browser-based SSO authentication in ISE as explained in SCAZT Section 2 (User and Device Security, Pages 42–44), which describes federated identity integration.

Note: Option A is already completed as stated in the prompt. Options C and E are not essential to the authentication flow in this SAML context.

Rule 3 denies all DNS traffic from the subnet 10.1.0.0/30, which includes the client at 10.1.0.6. Since DNS resolution is required to resolve www.salesforce.com, this DNS deny rule is preventing the client from obtaining the IP address needed for HTTPS connection. Removing Rule 3 allows DNS traffic from the client, while Rule 4 permits it specifically for the 4.4.4.4 DNS server.

As per SCAZT Section 3: Network and Cloud Security (Pages 70–73), DNS resolution must be allowed before HTTPS connectivity is attempted. Rule priority and traffic dependency should always be considered in firewall design.

When configuring Cisco Umbrella to block all traffic except to domains explicitly allowed (e.g., cisco.com), the “Allow-Only Mode” must be enabled. This setting overrides default behavior and ensures that only entries listed in the allow list are accessible—everything else is automatically blocked. According to SCAZT Section 1 (Cloud Security Architecture, Pages 16–19), enabling Allow-Only Mode is crucial for strict outbound DNS filtering.

Without this setting, the system allows access to all domains not explicitly blocked, which is why the engineer was able to access non-cisco.com domains despite defining an allow list.

Web Application Firewalls (WAFs) use rate-based rules as one of the primary mechanisms to detect and mitigate Distributed Denial of Service (DDoS) attacks. According to the SCAZT Study Guide, Section 3 (Network and Cloud Security, Pages 74–77), rate-based rules dynamically detect unusual spikes in traffic and can throttle or block connections exceeding predefined thresholds. This form of protection is more adaptive and intelligent than standard ACLs or static filtering, enabling protection against zero-day and volumetric attacks that may not follow known patterns.

Directory traversal attacks exploit improper file path validations to access unauthorized directories and files. To prevent this, it is critical to restrict what areas of the file system an application or user can access. Limiting file system permissions prevents attackers from gaining access to sensitive areas even if a traversal vulnerability exists.

As explained in SCAZT Section 4 (Application and Data Security, Pages 85–87), enforcing minimal privileges and file system segmentation is a key defense against such attacks.