Reading Time: 1 minute Describe these concepts as they are documented in NIST SP800-86: evidence collection order, data integrity, data preservation, volatile data collection Implementing Cisco Cybersecurity Operations (210-255) The best way to study for this objective is to read or at least read the highlights of the NIST document. Here are some of my notes. Evidence Collection Order […]
Reading Time: 1 minute Define these activities as they relate to incident handling Implementing Cisco Cybersecurity Operations (210-255) Identification Continuous monitoring of the environment by the SOC allows for identification of true positive incidents. This monitoring can come from multiple sources including IPS/IDS, Firewalls, Endpoint Agents and the SIEM. Once detected and confirmed the incident is sent to the […]
Reading Time: 2 minutes Apply the NIST.SP800-61 r2 incident handling process to an event Implementing Cisco Cybersecurity Operations (210-255) The NIST.SP800-61 r2 incident handling process document contains several example scenarios. These are all contained in Appendix A of the document. Below are some of the suggested questions for each phase from section A-1 of the document. Preparation: Would the […]
Reading Time: 2 minutes Classify intrusion events into these categories as defined by the Cyber Kill Chain Model Implementing Cisco Cybersecurity Operations (210-255) The cyber kill chain model outlines all of the steps necessary for a cyber attack to be successful. If the chain is broken, the attack will fail. The cyber kill chain is also an ordered list […]
Reading Time: 1 minute Compare and contrast deterministic and probabilistic analysis Implementing Cisco Cybersecurity Operations (210-255) Deterministic Analysis Deterministic analysis uses data that is known beforehand. One example is using port-based analysis to establish what application is being used in network communication. Basically, deterministic analysis uses known facts. Probabilistic Analysis Probabilistic analysis looks at all possibilities and tries to […]
Reading Time: 1 minute Identify a correlation rule to distinguish the most significant alert from a given set of events from multiple data sources using the firepower management console Implementing Cisco Cybersecurity Operations (210-255) The Cisco Firepower Management Center has the ability for custom correlation rules. These rules can be created to trigger based on many different attributes. Once […]
Reading Time: 1 minute Map DNS logs and HTTP logs together to find a threat actor Implementing Cisco Cybersecurity Operations (210-255) Map DNS, HTTP, and threat intelligence data together Implementing Cisco Cybersecurity Operations (210-255) Understanding logs from DNS servers and HTTP servers is important. Analyzing data from the logs can help with determining security incidents. Both types of logs […]
Reading Time: 1 minute Identify potentially compromised hosts within the network based on a threat analysis report containing malicious IP address or domains Implementing Cisco Cybersecurity Operations (210-255) A threat analysis report helps an analyst by providing a list of all of the IPs or domains that a potentially compromised host has been communicating with. This information can help […]
Reading Time: 1 minute Describe the retrospective analysis method to find a malicious file, provided file analysis report Implementing Cisco Cybersecurity Operations (210-255) The above image is a screenshot from a Cisco Firepower Management Center. In particular, it is a Network File Trajectory. In this case, it’s not overly interesting since the file was only seen going from one […]
Reading Time: 1 minute Describe 5-tuple correlation Implementing Cisco Cybersecurity Operations (210-255) Describe the 5-tuple approach to isolate a compromised host in a grouped set of logs Implementing Cisco Cybersecurity Operations (210-255) As noted in the discussion of Netflow, the 5-tuple consists of the Protocol, Source IP, Source Port, Destination IP, and Destination Port. When doing a correlation, the […]
© Ben Story 2019.
© Pack IT Forwarding 2019. Powered by WordPress
