CCNA CyberOps SECFND Objective 2.3

Describe these terms: Threat actor, run book automation, chain of custody, reverse engineering, sliding window anomaly detection, PII and PHI.

Understanding Cisco Cybersecurity Fundamentals (210-250)

Threat Actor

A threat actor is the individual or group that performs the attack or security incident. Several types of threat actors exist.

  • Script kiddies: Use existing scripts to hack into computers without the expertise to do it themselves.
  • Organized crime: Steals information, scams people and makes money. Often funds very intelligent hackers.
  • State sponsors and governments: Interested in stealing data and in sabotage.
  • Hacktivists: Carry out attacks to promote social or political causes.
  • Terrorist groups: Motivated by political or religious beliefs.

Runbook Automation (RBA)

A runbook is a collection of procedures and operations. The goal is to ensure that tasks are done correctly and in the same manner every time. This consistency allows some tasks to be automated. Examples of RBA include Rundeck and Cisco Workload Automation.

Chain of Custody

When collecting forensic evidence during a security incident, the chain of custody must be maintained. This allows evidence to be presented in court. It is extremely important to be able to answer the following questions:

  • How the evidence was collected
  • When it was collected
  • How it was transported
  • How it was tracked
  • How it was stored
  • Who had access to the evidence and how it was accessed

It is often advisable to work only with copies of digital evidence. If that is not possible, a write blocker should be used to prevent the evidence from being changed.

Reverse Engineering

Reverse engineering is a methodology for getting information about something created by someone else. In cybersecurity, reverse engineering may be used for forensics and to determine how malware works and how to counter it. Cybersecurity analysts may also reverse engineer systems to find and correct vulnerabilities.

Sliding Window Anomaly Detection

A baseline is established from data collected over a set window of time, and deviations from that baseline can then be identified as anomalies. These anomalies may indicate cybersecurity incidents. Baselines can be based on bandwidth, latency or other metrics. In a sliding window, the baseline is rebuilt from the latest data over the chosen window.
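The following is an added example, not part of the original notes, showing one way to implement a sliding-window baseline. It assumes a mean and standard deviation baseline, a window of five samples and a three-sigma threshold; the function name, the `min_sigma` floor and the bandwidth readings are constructed for illustration.

```python
from collections import deque
from statistics import mean, pstdev


def sliding_window_anomalies(samples, window=5, threshold=3.0, min_sigma=1.0):
    """Return (index, value, baseline_mean) for every sample that deviates
    from the baseline built over the preceding `window` samples."""
    recent = deque(maxlen=window)  # sliding window: the oldest sample drops out
    flagged = []
    for i, value in enumerate(samples):
        if len(recent) == window:  # only judge once a full baseline exists
            base = mean(recent)
            # Floor sigma so a nearly flat baseline does not flag tiny jitter.
            sigma = max(pstdev(recent), min_sigma)
            if abs(value - base) > threshold * sigma:
                flagged.append((i, value, round(base, 1)))
        # The baseline is rebuilt from the latest data, anomalous or not.
        recent.append(value)
    return flagged


# Constructed sample: outbound bandwidth in Mbps, one reading per minute.
# Index 7 is a one-off spike; from index 13 the traffic level shifts upward.
BANDWIDTH_MBPS = [50, 52, 49, 51, 50, 53, 51, 400, 52, 50,
                  49, 51, 50, 95, 96, 94, 95, 96, 95, 97]

if __name__ == "__main__":
    for index, value, base in sliding_window_anomalies(BANDWIDTH_MBPS):
        print(f"minute {index}: {value} Mbps vs baseline {base} Mbps")
```

The spike at index 7 and the onset of the level shift at index 13 are flagged, while the later readings near 95 Mbps are not, because the rebuilt baseline has absorbed the new level. The same rebuilding means the five readings after the spike are judged against an inflated baseline, which is a blind spot to account for when choosing the window size.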


Personally Identifiable Information (PII)

PII is a class of sensitive data. This data can identify a person and can be used in identity theft. Examples include:

  • Name
  • SSN
  • Biometric information
  • Date and place of birth
  • Mother’s maiden name
  • Credit Card number
  • Bank account number
  • Driver’s License number
  • Address information including e-mail, street addresses and telephone numbers


Protected Health Information (PHI)

PHI is defined by regulations including HIPAA. Examples include:

  • Patient Name
  • Dates including birth, death, discharge and administration
  • Telephone or fax numbers
  • E-mail addresses and physical addresses
  • Medical record numbers
  • SSN
  • Driver’s License
  • Biometrics
  • Photos that include the face or recognizable features
  • Any unique number or characteristic
  • Health conditions
  • Payment or provisioning of healthcare