Pack IT Forwarding

Reading Time: 1 minute Map the organization stakeholders against the NIST IR categories (C2M2, NIST.SP800-61 r2) Implementing Cisco Cybersecurity Operations (210-255) The best I could find for this topic were the stakeholders defined by the Cybersecurity Capability Maturity Model (C2M2) documentation as listed below. Decision makers (executives) who control the allocation of resources and the management of risk in […]

Read More »

Reading Time: 2 minutes Map elements to these steps of analysis based on the NIST.SP800-61 r2 Implementing Cisco Cybersecurity Operations (210-255) NIST.SP800-61 r2 defines an Incident Response Life Cycle as shown above. For the SECOPS test, it is necessary to know some of the common elements of the steps in the Incident Response Life Cycle. Preparation Gather Useful Information […]

Read More »

Reading Time: 1 minute Describe the elements that should be included in an incident response plan as stated in NIST.SP800-61 r2 Implementing Cisco Cybersecurity Operations (210-255) NIST’s SP 800-61 was developed to help organizations formulate incident response plans. It can be found here. Each organization’s incident response plan will be different. There are some key elements that occur in […]

Read More »

Reading Time: 1 minute Interpret a provided intrusion event and host profile to calculate the impact flag generated by Firepower Management Center (FMC) Implementing Cisco Cybersecurity Operations (210-255) The firepower management console (FMC) presents information about the incidents and hosts. Impact flag 1 indicates an incident against a host that is vulnerable to the attack. Impact flag 2 indicates […]

Read More »

Reading Time: 1 minute Compare and contrast impact and no impact for these items: False Positive, False Negative, True Positive, True Negative Implementing Cisco Cybersecurity Operations (210-255) Security analysts must work to minimize both false positives and false negatives. False positives take up time to determine that the detection is not a problem. False negatives let malicious activity succeed […]

Read More »

Reading Time: 2 minutes Map the provided events to these source technologies: NetFlow, IDS / IPS, Firewall, Network application control, Proxy logs, Antivirus Implementing Cisco Cybersecurity Operations (210-255) NetFlow NetFlow (or IPFIX) data will contain the standard 5-tuple of information: source IP address, destination IP address, source port, destination port, and the protocol. IDS/IPS Intrusion Detection or Protection Systems […]

Read More »

Reading Time: 2 minutes Interpret common artifact elements from an event to identify an alert Implementing Cisco Cybersecurity Operations (210-255) IP Address (source/destination) IP address artifacts are useful to help identify both the attacker and the victim in a cybersecurity incident. IP address information can also help with tracking an attacker when they pivot through other systems. Client and […]

Read More »

Reading Time: 1 minute Extract files from a TCP stream when given a PCAP file and Wireshark Implementing Cisco Cybersecurity Operations (210-255) For this example, I made a sample pcapng file using Wireshark. I did a wget of a graphics file from my website. Go to File>Export Objects>HTTP (works the same with the other protocols listed) 2. Choose the […]

Read More »

Reading Time: 3 minutes Identify these key elements in an intrusion from a given PCAP file : Source address, Destination address, Source port, Destination port, Protocols, and Payloads Implementing Cisco Cybersecurity Operations (210-255) PCAP files are a way of storing packet data captured using a packet sniffer like Wireshark. The Wireshark website has dozens of example packet captures that […]

Read More »