Cisco 350-701 - Implementing and Operating Cisco Security Core Technologies (SCOR 350-701)

The command show authen sess int gi0/1 displays the authentication session information for the interface gi0/1, such as the MAC address, the authentication method, the authentication state, the session timeout, and the VLAN assignment. This command is useful for verifying the status of an 802.1X connection on a specific interface. The other commands are not related to 802.1X authentication. The command show authorization status displays the authorization status for the current user. The command show connection status gi0/1 is not a valid Cisco command. The command show ver gi0/1 displays the version information for the interface gi0/1. References: 802.1X Authentication Commands, Configuring IEEE 802.1x Port-Based Authentication, What Cisco command shows you the status of an 802.1X connection on interface gi0/1?

 Cisco AMP for Endpoints is the Cisco security solution that determines if an endpoint has the latest OS updates and patches installed on the system. Cisco AMP for Endpoints is a cloud-based endpoint protection platform that provides advanced malware prevention, detection, and response capabilities. One of the features of Cisco AMP for Endpoints is the Endpoint Compliance Scanner, which allows administrators to create and enforce policies that check the compliance status of endpoints based on various criteria, such as OS version, patch level, antivirus status, firewall status, and more. The Endpoint Compliance Scanner can also remediate non-compliant endpoints by applying patches, updating antivirus signatures, enabling firewall, and so on. By using the Endpoint Compliance Scanner, administrators can ensure that all endpoints are up to date and secure against known vulnerabilities and threats. References:

Cisco AMP for Endpoints

Endpoint Compliance Scanner

Implementing and Operating Cisco Security Core Technologies (SCOR) - Module 4: Endpoint Protection and Detection

Explanation

The ASA and ASASM implementations of NetFlow Secure Event Logging (NSEL) provide a stateful, IP flow tracking method that exports only those records that indicate significant events in a flow.

The significant events that are tracked include flow-create, flow-teardown, and flow-denied (excluding those flows that are denied by EtherType ACLs).

 Cisco AnyConnect with Umbrella Roaming Security module protects a user from a phishing attack by enforcing security at the DNS layer and blocking malicious domains that are used for phishing campaigns. The Umbrella Roaming Security module integrates with the Cisco AnyConnect client and provides always-on security even when no VPN is active. The Umbrella Roaming Security module can replace the existing Cisco Umbrella roaming client or be part of a new AnyConnect deployment12.

Cisco Identity Services Engine (ISE) is not an endpoint solution, but a network access control and policy enforcement platform that can integrate with AnyConnect for posture assessment and compliance3. Cisco AnyConnect with ISE Posture module is used to check the compliance status of the endpoint device and apply the appropriate network access policy based on the posture result4. Cisco AnyConnect with Network Access Manager module is used to manage the network connections and profiles of the endpoint device and support various authentication methods5. Neither of these modules directly protect the user from a phishing attack.

References :=

Roaming Client: Umbrella Roaming Security (Integration with AnyConnect)

Secure Umbrella Roaming: Cisco Secure Client (Formerly AnyConnect)

Cisco Identity Services Engine

[Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.9 - Posture Module]

[Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.9 - Network Access Manager Module]

 The process that uses STIX and allows uploads and downloads of block lists is sharing. STIX (Structured Threat Information Expression) is a standard language and format for exchanging cyber threat intelligence data. Block lists are collections of observables, such as IP addresses, URLs, or domains, that are associated with malicious activity and can be used to block or monitor network traffic. Cisco Threat Intelligence Director (TID) is a feature that operationalizes threat intelligence data by consuming, normalizing, publishing, and correlating data from various sources, including third-party STIX feeds. TID enables the administrator to upload STIX files from local or remote sources, or download STIX files from the Firepower Management Center (FMC) to share with other systems. TID also allows the administrator to configure actions (such as block or monitor) based on the indicators and observables in the STIX files, and generate incidents and observations when the system detects traffic that matches the threat intelligence data123

References := 1: Firepower Management Center Configuration Guide, Version 6.2.3 - Threat Intelligence Director 2 2: Introduction to STIX - GitHub Pages 4 3: Third-Party Integration of Security Feeds with FMC (Cisco Threat Intelligence Director) - Cisco Community 3

 The Cisco ESA uses the Sender Domain Reputation (SDR) service to assign a reputation verdict to each message based on the sender’s domain and other attributes. The SDR verdicts range from Awful to Good, and each verdict has a corresponding reputation score. The administrator can configure a message or content filter to take action on messages based on their SDR verdict or score. For example, the administrator can set a threshold score to drop messages that have a poor or awful reputation. However, if the SDR service cannot determine a verdict for a message, it assigns an undetermined verdict with a score of -1. This means that the message will not be dropped by the filter unless the administrator explicitly sets the threshold to -1 or lower. Therefore, the reason why the Cisco ESA is not dropping files that have an undetermined verdict is because the file has a reputation score that is above the threshold. References :=

Some possible references are:

Configure Sender Domain Reputation for ESA

Sender Domain Reputation Filtering

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 (source book)

Cisco Security Intelligence is a feature that allows you to block or monitor traffic based on IP addresses or domain names that are known to be malicious or suspicious. Cisco Security Intelligence requires a Protect license on the Cisco Next Generation Intrusion Prevention System (NGIPS), which is part of the Firepower Threat Defense (FTD) software. A Protect license allows you to perform intrusion detection and prevention, file control, and Security Intelligence filtering1. The other license options (control, malware, and URL filtering) do not enable Cisco Security Intelligence on the NGIPS. References:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, section “Security Intelligence”

Firepower Management Center Configuration Guide, Version 6.0, section “Licensing the Firepower System”

The threat intelligence standard that contains malware hashes is trusted automated exchange of indicator information (TAXII). TAXII is a protocol that enables the exchange of cyber threat information in a standardized and automated manner. It supports various types of threat intelligence, such as indicators of compromise (IOCs), observables, incidents, tactics, techniques, and procedures (TTPs), and campaigns. Malware hashes are one example of IOCs that can be shared using TAXII. Malware hashes are cryptographic signatures that uniquely identify malicious files or programs. They can be used to detect and block malware infections on endpoints or networks. TAXII uses STIX (structured threat information expression) as the data format for representing threat intelligence. STIX is a language that defines a common vocabulary and structure for describing cyber threat information. STIX allows threat intelligence producers and consumers to share information in a consistent and interoperable way. STIX defines various objects and properties that can be used to represent different aspects of cyber threat information, such as indicators, observables, incidents, TTPs, campaigns, threat actors, courses of action, and relationships. Malware hashes can be expressed as observables in STIX, which are concrete items or events that are observable in the operational domain. Observables can have various types, such as file, process, registry key, URL, IP address, domain name, etc. Each observable type has a set of attributes that describe its properties. For example, a file observable can have attributes such as name, size, type, hashes, magic number, etc. A hash attribute can have a type (such as MD5, SHA1, SHA256, etc.) and a value (such as the hexadecimal representation of the hash). A file observable can have one or more hash attributes to represent different hashing algorithms applied to the same file. For example, a file observable can have both MD5 and SHA256 hashes to increase the confidence and accuracy of identifying the file.

The other options are incorrect because they are not threat intelligence standards that contain malware hashes. Option A is incorrect because advanced persistent threat (APT) is not a standard, but a term that describes a stealthy and sophisticated cyberattack that aims to compromise and maintain access to a target network or system over a long period of time. Option B is incorrect because open command and control (OpenC2) is not a standard that contains malware hashes, but a language that enables the command and control of cyber defense components, such as sensors, actuators, and orchestrators. Option C is incorrect because structured threat information expression (STIX) is not a standard that contains malware hashes, but a data format that represents threat intelligence. STIX uses TAXII as the transport protocol for exchanging threat intelligence, including malware hashes. References:

TAXII

STIX

Malware Hashes

Cisco Identity Services Engine (ISE) is a product that provides comprehensive and scalable access policy enforcement for wired and wireless networks. ISE supports TACACS+ for device administration, which allows for granular control over the commands and actions that network administrators can perform on network devices. ISE also supports 802.1X, MAB, and WebAuth for network access, which enables authentication and authorization of users and endpoints based on various attributes, such as identity, device type, posture, location, and time. ISE can also integrate with other Cisco security products, such as Cisco Stealthwatch and Cisco AMP for Endpoints, to provide enhanced visibility and threat detection. Therefore, ISE is the product that meets all of the requirements stated in the question. References :=

Some possible references are:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 4: Secure Network Access, Identity Management, and Secure Access

TACACS+ Configuration Guide, Configuring TACACS

Cisco Identity Services Engine Administrator Guide, Release 2.7, Device Administration

Cisco Identity Services Engine Administrator Guide, Release 2.7, Network Access Devices

Cisco Identity Services Engine Administrator Guide, Release 2.7, Policy Sets

Explanation

Explanation

The following are the prerequisites to integrate Active Directory with Cisco ISE.

+ Use the Network Time Protocol (NTP) server settings to synchronize the time between the Cisco ISE server

and Active Directory. You can configure NTP settings from Cisco ISE CLI.

+ If your Active Directory structure has multidomain forest or is divided into multiple forests, ensure that trust

relationships exist between the domain to which Cisco ISE is connected and the other domains that have user

and machine information to which you need access. For more information on establishing trust relationships,

refer to Microsoft Active Directory documentation.

+ You must have at least one global catalog server operational and accessible by Cisco ISE, in the domain to

which you are joining Cisco ISE.

Explanation

The Cisco Umbrella Multi-Org console has the ability to upload, store, and archive traffic activity logs from your organizations’ Umbrella dashboards to the cloud through Amazon S3. CSV formatted Umbrella logs are compressed (gzip) and uploaded every ten minutes so that there’s a minimum of delay between traffic from the organization’s Umbrella dashboard being logged and then being available to download from an S3 bucket.

By having your organizations’ logs uploaded to an S3 bucket, you can then download logs automatically to keep in perpetuity in backup storage.