MODULE 25 - CERTIFICATION PREPARATION Flashcards

1
Q

Alert Data Alert data consists of messages generated by intrusion prevention systems (IPSs) or intrusion detection systems (IDSs) in response to traffic that violates a rule or matches the signature of a known exploit.

A

A network IDS (NIDS), such as Snort, comes configured with rules for known exploits.

Alerts are generated by Snort and are made readable and searchable by the Sguil and Squert applications, which are part of the Security Onion suite of NSM tools.

2
Q

Alert Data A testing site that is used to determine if Snort is operating is the testmyids site.

Search for it on the internet.

It consists of a single webpage that displays only the following text uid=0(root) gid=0(root) groups=0(root).

A

If Snort is operating correctly and a host visits this site, a signature will be matched and an alert will be triggered.

This is an easy and harmless way to verify that the NIDS is running.

3
Q

Alert Data The Snort rule that is triggered is:

A

alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; fast_pattern:only; classtype:bad-unknown; sid:2100498; rev:8;)

4
Q

Alert Data This rule generates an alert if any IP address in the network receives data

A

from an external source that contains content with text matching the pattern of uid=0(root).

The alert contains the message GPL ATTACK_RESPONSE id check returned root.

The ID of the Snort rule that was triggered is 2100498.

5
Q

Alert Data The highlighted line in the figure displays a Sguil alert that was generated by visiting the testmyids website.

A

The highlighted line in the figure displays a Sguil alert that was generated by visiting the testmyids website.

The Snort rule and the packet data for the content received from the testmyids webpage are displayed in the lower right-hand area of the Sguil interface.

Sguil Console Showing Test Alert from Snort IDS

https://snipboard.io/8AgTuU.jpg

6
Q

Session and Transaction Data Session data is a record

A

of a conversation between two network endpoints, which are often a client and a server.

The server could be inside the enterprise network or at a location accessed over the internet.

Session data is data about the session, not the data retrieved and used by the client.

Session data will include identifying information such as the five-tuple of source and destination IP addresses, source and destination port numbers, and the IP protocol number for the protocol in use.

Data about the session typically includes a session ID, the amount of data transferred by source and destination, and information related to the duration of the session.

7
Q

Session and Transaction Data Zeek, formerly Bro, is a

A

network security monitoring tool you will use in labs later in the course.

The figure shows a partial output for three HTTP sessions from a Zeek connection log.

Explanations of the fields are shown below the figure.

Zeek Session Data - Partial Contents

https://snipboard.io/CqpZbi.jpg

8
Q

Session and Transaction Data

Transaction data consists of the messages that are exchanged during network sessions.

A

These transactions can be viewed in packet capture transcripts.

Device logs kept by servers also contain information about the transactions that occur between clients and servers.

For example, a session might include the downloading of content from a webserver, as shown in the figure.

The transactions that represent the requests and replies would be logged in an access log on the server or by a NIDS like Zeek.

The session is all of the traffic involved in making up the request; the transaction is the request itself.

9
Q

Session and Transaction Data Transaction Data

A

TRANSACTION DATA RECORD AS A WEB SERVER ACCESS LOG ENTRY.

https://snipboard.io/zhRZr0.jpg

10
Q

Full Packet Captures

Full packet captures are the most detailed network data that is generally collected.

Because of the amount of detail, they are also the most storage and retrieval intensive types of data used in NSM.

A

Full packet captures contain not only data about network conversations, like session data, but also the actual contents of the conversations.

Full packet captures contain the text of email messages, the HTML in webpages, and the files that enter or leave the network.

Extracted content can be recovered from full packet captures and analyzed for malware or user behavior that violates business and security policies.

The familiar tool Wireshark is very popular for viewing full packet captures and accessing the data associated with network conversations.

11
Q

Full Packet Captures

The figure illustrates the interface for the Network Analysis Monitor component of Cisco Prime Infrastructure system, which, like Wireshark, can display full packet captures.

A

The figure illustrates the interface for the Network Analysis Monitor component of Cisco Prime Infrastructure system, which, like Wireshark, can display full packet captures.

Cisco Prime Network Analysis Module - Full Packet Capture

https://snipboard.io/gaium4.jpg

12
Q

Statistical Data Like session data, statistical data is about network traffic.

A

Statistical data is created through the analysis of other forms of network data. From these analyses, conclusions can be drawn that describe or predict network behavior.

Statistical characteristics of normal network behavior can be compared to current network traffic in an effort to detect anomalies.

Statistics can be used to characterize normal amounts of variation in network traffic patterns in order to identify network conditions that are significantly outside of those ranges.

Statistically significant differences should raise alarms and prompt investigation.

13
Q

Statistical Data Network Behavior Analysis (NBA) and Network Behavior Anomaly Detection (NBAD) are approaches to network security monitoring that use advanced analytical techniques to analyze NetFlow or Internet Protocol Flow Information Export (IPFIX) network telemetry data.

A

Techniques such as predictive analytics and artificial intelligence perform advanced analyses of detailed session data to detect potential security incidents.

14
Q

Statistical Data An example of an NSM tool that utilizes statistical analysis is Cisco Cognitive Threat Analytics.

A

It finds malicious activity that has bypassed security controls or entered the network through unmonitored channels (including removable media) and is operating inside an organization's environment.

Cognitive Threat Analytics is a cloud-based product that uses machine learning and statistical modeling of networks. It creates a baseline of the traffic in a network and identifies anomalies.

It analyzes user and device behavior, and web traffic, to discover command-and-control communications, data exfiltration, and potentially unwanted applications operating in the infrastructure.

The figure illustrates an architecture for Cisco Cognitive Threat Analytics.

Cisco Cognitive Threat Analytics

https://snipboard.io/rt6kEa.jpg

15
Q

End Device Logs Host Logs Host-based intrusion detection systems (HIDS) run on individual hosts.

HIDS not only detects intrusions but, in the form of host-based firewalls, can also prevent them.

A

This software creates logs and stores them on the host.

This can make it difficult to get a view of what is happening on hosts in the enterprise, so many host-based protections have a way to submit logs to centralized log management servers.

In this way, the logs can be searched from a central location using NSM tools.

16
Q

Host Logs HIDS systems can use agents to submit logs to management servers.

A

OSSEC, a popular open-source HIDS, includes a robust log collection and analysis functionality.

Search OSSEC on the internet to learn more.

Microsoft Windows includes several methods for automated host log collection and analysis.

Tripwire offers a HIDS for Linux that includes similar functionality.

All can scale to larger enterprises.

17
Q

Host Logs Microsoft Windows host logs are visible locally through Event Viewer.

Event Viewer keeps four types of logs:

Application logs
System logs
Setup logs
Security logs
Command-line logs

A

Host Logs Microsoft Windows host logs are visible locally through Event Viewer.

Event Viewer keeps four types of logs:

Application logs
System logs
Setup logs
Security logs
Command-line logs

18
Q

Host Logs Event Viewer keeps four types of logs: Application logs

A

These contain events logged by various applications.

19
Q

Host Logs Event Viewer keeps four types of logs: System logs

A

These include events regarding the operation of drivers, processes, and hardware.

20
Q

Host Logs Event Viewer keeps four types of logs: Setup logs

A

These record information about the installation of software, including Windows updates.

21
Q

Host Logs Event Viewer keeps four types of logs: Security logs

A

These record events related to security, such as logon attempts and operations related to file or object management and access.

22
Q

Host Logs Event Viewer keeps four types of logs: Command-line logs

A

Attackers who have gained access to a system, and some types of malware, execute commands from the command-line interface (CLI) rather than a GUI.

Logging command line execution will provide visibility into this type of incident.

23
Q

Host Logs Various logs can have different event types.

A

Security logs consist only of audit success or failure messages.

On Windows computers, security logging is carried out by the Local Security Authority Subsystem Service (LSASS), which is also responsible for enforcing security policies on a Windows host. LSASS runs as lsass.exe.

It is frequently faked by malware. It should be running from the Windows System32 directory.

If a file with a camouflaged name, such as 1sass.exe, is running, or if lsass.exe is running from another directory, it could be malware.

24
Q

Host Logs Windows Events are identified by ID numbers and brief descriptions.

A

An encyclopedia of security event IDs, some with additional details, is available from Ultimate Windows Security on the web.

25
Q

Host Logs Event Type : Error

A

Description:

An error is an event that indicates a significant problem such as loss of data or loss of functionality.

For example, if a service fails to load during startup, an error event is logged.

26
Q

Host Logs Event Type : Warning

A

Description:

A Warning is an event that is not necessarily significant but may indicate a possible future problem.

For example, when disk space is low, a warning event is logged.

If an application can recover from an event without loss of functionality or data, it can generally classify the event as a warning event.

27
Q

Host Logs Event Type : Information

A

Description:

An information event describes the successful operation of an application, driver, or service.

For example, when a network driver loads successfully, it may be appropriate to log an information event.

Note that it is generally inappropriate for a desktop application to log an event each time it starts.

28
Q

Host Logs Event Type : Success Audit

A

A success audit is an event that records an audited security access attempt that is successful.

For example, a user’s successful attempt to log on to the system is logged as a success audit event.

29
Q

Host Logs Event Type : Failure Audit

A

A failure audit is an event that records an audited security access attempt that fails.

For example, if a user tries to access a network drive and fails, the attempt is logged as a failure audit event.

30
Q

Syslog Syslog includes specifications for message formats, a client-server application structure, and a network protocol.

Many different types of network devices can be configured to use the syslog standard to log events to centralized syslog servers.

A

Syslog Syslog includes specifications for message formats, a client-server application structure, and a network protocol.

Many different types of network devices can be configured to use the syslog standard to log events to centralized syslog servers.

31
Q

Syslog is a client/server protocol. Syslog was defined within the Syslog working group of the IETF (RFC 5424) and is supported by a wide variety of devices and receivers across multiple platforms.

A

Syslog is a client/server protocol. Syslog was defined within the Syslog working group of the IETF (RFC 5424) and is supported by a wide variety of devices and receivers across multiple platforms.

32
Q

The Syslog sender sends a small (less than 1KB) text message to the Syslog receiver.

The Syslog receiver is commonly called “syslogd,” “Syslog daemon,” or “Syslog server.” Syslog messages can be sent via UDP (port 514) and/or TCP (typically, port 5000).

While there are some exceptions, such as SSL wrappers, this data is typically sent in plaintext over the network.

A

The Syslog sender sends a small (less than 1KB) text message to the Syslog receiver.

The Syslog receiver is commonly called “syslogd,” “Syslog daemon,” or “Syslog server.” Syslog messages can be sent via UDP (port 514) and/or TCP (typically, port 5000).

While there are some exceptions, such as SSL wrappers, this data is typically sent in plaintext over the network.

33
Q

The full format of a Syslog message that is seen on the network has three distinct parts, as shown in the figure.

PRI (priority)
HEADER
MSG (message text)

A

The full format of a Syslog message that is seen on the network has three distinct parts, as shown in the figure.

PRI (priority)
HEADER
MSG (message text)

34
Q

Syslog PRI (priority)

A

The PRI consists of two elements, the Facility and Severity of the message, which are both integer values.

The Facility consists of broad categories of sources that generated the message, such as the system, process, or application.

The Facility value can be used by logging servers to direct the message to the appropriate log file.

The Severity is a value from 0-7 that defines the severity of the message.

35
Q

Syslog Syslog Packet Format

A

Syslog Packet Format

https://snipboard.io/YM0Plj.jpg

36
Q

Syslog Syslog packet descriptions:

A

FACILITY
SEVERITY
PRIORITY

37
Q

Syslog Syslog packet descriptions: FACILITY

A

Note: Facility codes between 15 and 23 (local0-local7) are not assigned a keyword or name. They can be assigned to different meanings depending on the use context.

Also, various operating systems have been found to utilize both facilities 9 and 15 for clock messages.

The HEADER section of the message contains the timestamp in MMM DD HH:MM:SS format. If the timestamp is preceded by a period (.) or an asterisk (*), a problem with NTP is indicated. The HEADER section also includes the hostname or IP address of the device that is the source of the message.

The MSG portion contains the meaning of the syslog message. This can vary between device manufacturers and can be customized.

Therefore, this portion of the message is the most meaningful and useful to the cybersecurity analyst.

38
Q

Syslog Syslog packet descriptions: SEVERITY

A

VALUE  SEVERITY

0  Emergency: system is unusable

1  Alert: action must be taken immediately

2  Critical: critical conditions that should be corrected immediately and that indicate a failure in a system

3  Error: a failure that is not urgent and should be resolved within a given time

4  Warning: an error does not presently exist; however, an error will occur in the future if the condition is not addressed

5  Notice: an event that is not an error, but that is considered unusual. Does not require immediate action.

6  Informational: messages issued regarding normal operation

7  Debug: messages of interest to developers

39
Q

Syslog Syslog packet descriptions: PRIORITY

A

The Priority (PRI) value is calculated by multiplying the Facility value by 8, and then adding it to the Severity value, as shown below.

Priority = (Facility * 8) + Severity

The Priority value is the first value in a packet and occurs between angled brackets <>.

40
Q

Server Logs

A

Server logs are an essential source of data for network security monitoring.

Network application servers such as email and web servers keep access and error logs.

41
Q

Server Logs DNS proxy server logs, which document all the DNS queries and responses that occur on the network, are especially important.

A

DNS proxy logs are useful for identifying hosts that may have visited dangerous websites and for identifying DNS data exfiltration and connections to malware command-and-control servers.

Many UNIX and Linux servers use syslog.

Others may use proprietary logging.

The contents of log file events depend on the type of server.

42
Q

Server Logs Two important log files to be familiar with are

A

the Apache webserver access logs and Microsoft Internet Information Server (IIS) access logs.

Examples of each are shown below.

43
Q

Server Logs Apache Access Log

A

203.0.113.127 - dsmith [10/Oct/2016:10:26:57 -0500] "GET /logo_sm.gif HTTP/1.0" 200 2254 "http://www.example.com/links.html" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0"

44
Q

Server Logs IIS Access Log

A

6/14/2016, 16:22:43, 203.0.113.24, -, W3SVC2, WEB3, 198.51.100.10, 80, GET, /home.htm, -, 200, 0, 15321, 159, 15, HTTP/1.1, Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0), -, http://www.example.com

45
Q

SIEM and Log Collection Security Information and Event Management (SIEM) technology is used in many organizations to provide real-time reporting and long-term analysis of security events, as shown in the figure.

A

Security Information and Event Management (SIEM) technology is used in many organizations to provide real-time reporting and long-term analysis of security events, as shown in the figure.

SIEM Inputs and Outputs

https://snipboard.io/QDKLju.jpg

46
Q

SIEM and Log Collection SIEM combines the essential functions of security event management (SEM) and security information management (SIM) tools to provide a comprehensive view of the enterprise network using the following functions:

Log collection

Normalization Correlation

Aggregation Reporting Compliance

A

SIEM and Log Collection SIEM combines the essential functions of security event management (SEM) and security information management (SIM) tools to provide a comprehensive view of the enterprise network using the following functions:

Log collection

Normalization Correlation

Aggregation Reporting Compliance

47
Q

SIEM and Log Collection enterprise network using the following functions:

Log collection

A

Event records from sources throughout the organization provide important forensic information and help to address compliance reporting requirements.

48
Q

SIEM and Log Collection enterprise network using the following functions:

Normalization

A

This maps log messages from different systems into a common data model, enabling the organization to connect and analyze related events, even if they are initially logged in different source formats.

49
Q

SIEM and Log Collection enterprise network using the following functions:

Correlation

A

This links logs and events from disparate systems or applications, speeding detection of and reaction to security threats.

50
Q

SIEM and Log Collection enterprise network using the following functions:

Aggregation

A

This reduces the volume of event data by consolidating duplicate event records.

51
Q

SIEM and Log Collection enterprise network using the following functions:

Reporting

A

This presents the correlated, aggregated event data in real-time monitoring and long-term summaries, including graphical interactive dashboards.

52
Q

SIEM and Log Collection enterprise network using the following functions:

Compliance

A

This is reporting to satisfy the requirements of various compliance regulations.

53
Q

SIEM and Log Collection A popular SIEM is Splunk

A

which is made by a Cisco partner.

The figure shows a Splunk Threat Dashboard. Splunk is widely used in SOCs.

Another popular SIEM solution is Security Onion with ELK, which consists of the integrated Elasticsearch, Logstash, and Kibana applications.

Security Onion includes other open-source network security monitoring tools.

Splunk Threat Dashboard

https://snipboard.io/tajyfV.jpg

54
Q

SIEM and Log Collection security orchestration, automation, and response (SOAR)

A

takes SIEM and goes beyond it, automating security response workflows and facilitating incident response.

Because of the importance of network security, numerous companies have brought excellent products to the security tools market.

55
Q

SIEM and Log Collection security orchestration, automation, and response (SOAR) PART 2

However, these tools lack compatibility and require monitoring multiple independent product dashboards in order to process the many alerts that they generate.

Because of the lack of cybersecurity professionals to monitor and analyze the large volume of security data, it is important that tools from multiple vendors can be integrated into a single platform.

A

Integrated security platforms go beyond SIEM and SOAR to unify multiple security technologies, processes, and people into a unified team whose components build on rather than impede each other.

Security platforms such as Cisco SecureX, Fortinet Security Fabric, and Palo Alto Networks Cortex XDR promise to address network security monitoring complexity by integrating multiple functions and data sources into a single platform that will greatly enhance alert accuracy while offering robust defense.

56
Q

Network Logs Tcpdump : A Large Broadcast Domain

A

The tcpdump command line tool is a very popular packet analyzer.

It can display packet captures in real time or write packet captures to a file.

It captures detailed packet protocol and content data. Wireshark is a GUI built on tcpdump functionality.

The structure of tcpdump captures varies depending on the protocol captured and the fields requested.

57
Q

Network Logs NetFlow NetFlow is a protocol that was developed by Cisco as a tool for network troubleshooting and session-based accounting.

A

NetFlow efficiently provides an important set of services for IP applications, including network traffic accounting, usage-based network billing, network planning, security, Denial-of-Service monitoring capabilities, and network monitoring.

NetFlow provides valuable information about network users and applications, peak usage times, and traffic routing.

58
Q

Network Logs NetFlow NetFlow does not do a full packet capture or capture the actual content in the packet.

A

NetFlow records information about the packet flow including metadata.

Cisco developed NetFlow and then allowed it to be used as a basis for an IETF standard called IPFIX.

IPFIX is based on Cisco NetFlow Version 9.

59
Q

Network Logs NetFlow NetFlow information can be viewed with tools such as nfdump.

A

Similar to tcpdump, nfdump provides a command line utility for viewing NetFlow data from the nfcapd capture daemon, or collector.

Tools exist that add GUI functionality to viewing flows.

The figure shows a screen from the open source FlowViewer tool.

60
Q

Network Logs NetFlow FlowViewer NetFlow

Session Data Dashboard

A

FlowViewer NetFlow Session Data Dashboard :

https://snipboard.io/udVSvX.jpg

61
Q

Network Logs NetFlow Traditionally, an IP Flow is based on a set of 5 to 7 IP packet attributes flowing in a single direction.

A

A flow consists of all packets transmitted until the TCP conversation terminates.

IP Packet attributes used by NetFlow are:

IP source address

IP destination address

Source port

Destination port

Layer 3 protocol type

Class of Service

Router or switch interface

62
Q

Network Logs NetFlow

All packets with the same source/destination IP address, source/destination ports, protocol, interface, and class of service are grouped into a flow, and then packets and bytes are tallied.

A

This methodology of fingerprinting or determining a flow is scalable because a large amount of network information is condensed into a database of NetFlow information called the NetFlow cache.

63
Q

Network Logs NetFlow All NetFlow flow records will contain the first five items in the list above, and flow start and end timestamps.

The additional information that may appear is highly variable and can be configured on the NetFlow Exporter device.

A

Exporters are devices that can be configured to create flow records and transmit those flow records for storage on a NetFlow collector device.

An example of a basic NetFlow flow record, in two different formats, is shown in the figure.

64
Q

Network Logs NetFlow Simple NetFlow v5 Records

A

Date flow start          Duration Proto  Src IP Addr:Port      Dst IP Addr:Port  Flags   Tos  Packets  Bytes  Flows
2017-08-30 00:09:12.596  00.010   TCP    10.1.1.2:80       ->  13.1.1.2:8974     .AP.SF  0    62       3512   1

Traffic Contribution: 8% (3/37)
Flow information:
IPV4 SOURCE ADDRESS:       10.1.1.2
IPV4 DESTINATION ADDRESS:  13.1.1.2
INTERFACE INPUT:           Se0/0/1
TRNS SOURCE PORT:          8974
TRNS DESTINATION PORT:     80
IP TOS:                    0x00
IP PROTOCOL:               6
FLOW SAMPLER ID:           0
FLOW DIRECTION:            Input
ipv4 source mask:          /0
ipv4 destination mask:     /8
counter bytes:             205
ipv4 next hop address:     13.1.1.2
tcp flags:                 0x1b
interface output:          Fa0/0
counter packets:           5
timestamp first:           00:09:12.596
timestamp last:            00:09:12.606
ip source as:              0
ip destination as:         0

65
Q

Network Logs NetFlow A large number of attributes for a flow are available.

A

The IANA registry of IPFIX entities lists several hundred, with the first 128 being the most common.

66
Q

Network Logs NetFlow Although NetFlow was not initially conceived as a tool for network security monitoring, it is seen as a useful tool in the analysis of network security incidents.

A

It can be used to construct a timeline of compromise, understand individual host behavior, or to track the movement of an attacker or exploit from host to host within a network.

The Cisco/Lancope Stealthwatch technology enhances the use of NetFlow data for NSM.

67
Q

Application Visibility and Control The Cisco Application Visibility and Control (AVC) system

which is shown in the figure, combines multiple technologies to recognize, analyze, and control over 1000 applications.

These include voice and video, email, file sharing, gaming, peer-to-peer (P2P), and cloud-based applications.

AVC uses Cisco next-generation network-based application recognition version 2 (NBAR2), also known as Next-Generation NBAR, to discover and classify the applications in use on the network.

The NBAR2 application recognition engine supports over 1000 network applications.

https://snipboard.io/pmTVPH.jpg

A

Application Visibility and Control The Cisco Application Visibility and Control (AVC) system which is shown in the figure, combines multiple technologies to recognize, analyze, and control over 1000 applications.

These include voice and video, email, file sharing, gaming, peer-to-peer (P2P), and cloud-based applications.

AVC uses Cisco next-generation network-based application recognition version 2 (NBAR2), also known as Next-Generation NBAR, to discover and classify the applications in use on the network.

The NBAR2 application recognition engine supports over 1000 network applications.

https://snipboard.io/pmTVPH.jpg

68
Q

Application Visibility and Control

A

Identification of network applications by port provides very little granularity and visibility into user behavior.

However, application visibility through the identification of application signatures identifies what users are doing, whether it be teleconferencing or downloading movies to their phones.

69
Q

Application Visibility and Control

A management and reporting system, such as Cisco Prime, analyzes and presents the application analysis data into dashboard reports for use by network monitoring personnel.

A

Application usage can also be controlled through quality of service classification and policies based on the AVC information.

70
Q

Application Visibility and Control Port Monitoring vs. Application Monitoring

https://snipboard.io/3ZCjfX.jpg

A

Application Visibility and Control Port Monitoring vs. Application Monitoring

https://snipboard.io/3ZCjfX.jpg

71
Q

Content Filter Logs Devices that provide content filtering, such as the Cisco Email Security Appliance (ESA) and the Cisco Web Security Appliance (WSA), provide a wide range of functionalities for security monitoring.

A

Logging is available for many of these functionalities.

72
Q

Content Filter Logs The ESA, for example,

A

has more than 30 logs that can be used to monitor most aspects of email delivery, system functioning, antivirus, antispam operations, and blacklist and whitelist decisions.

Most of the logs are stored in text files and can be collected on syslog servers, or can be pushed to FTP or SCP servers.

In addition, alerts regarding the functioning of the appliance itself and its subsystems can be monitored by email to administrators who are responsible for monitoring and operating the device.

73
Q

Content Filter Logs WSA devices offer a similar depth of functioning.

WSA effectively acts as a web proxy, meaning that it logs all inbound and outbound transaction information for HTTP traffic.

These logs can be quite detailed and are customizable. They can be configured in a W3C compatibility format.

The WSA can be configured to submit the logs to a server in various ways, including syslog, FTP, and SCP.

A

Content Filter Logs WSA devices offer a similar depth of functioning.

WSA effectively acts as a web proxy, meaning that it logs all inbound and outbound transaction information for HTTP traffic.

These logs can be quite detailed and are customizable. They can be configured in a W3C compatibility format.

The WSA can be configured to submit the logs to a server in various ways, including syslog, FTP, and SCP.

74
Q

Content Filter Logs Other logs that are available to the WSA:

include ACL decision logs, malware scan logs, and web reputation filtering logs.

A

Content Filter Logs Other logs that are available to the WSA:

include ACL decision logs, malware scan logs, and web reputation filtering logs.

75
Q

Content Filter Logs The figure illustrates the “drill-down” dashboards available from Cisco content filtering devices.

By clicking components of the Overview reports, more relevant details are displayed.

Targeted searches provide the most focused information.

A

The figure illustrates the “drill-down” dashboards available from Cisco content filtering devices.

By clicking components of the Overview reports, more relevant details are displayed.

Targeted searches provide the most focused information.

https://snipboard.io/KSZluC.jpg

76
Q

Logging from Cisco Devices Cisco security devices can be configured to submit events and alerts to security management platforms using SNMP or syslog.

A

The figure illustrates a syslog message generated by a Cisco ASA device and a syslog message generated by a Cisco IOS device.

Cisco Syslog Message Formats

https://snipboard.io/tuUzKG.jpg

Note that there are two meanings used for the term facility in Cisco syslog messages.

The first is the standard set of Facility values that were established by the syslog standards.

These values are used in the PRI message part of the syslog packet to calculate the message priority.

Cisco uses some of the values between 15 and 23 to identify Cisco log Facilities, depending on the platform.

For example, Cisco ASA devices use syslog Facility 20 by default, which corresponds to local4.

The other Facility value is assigned by Cisco and occurs in the MSG part of the syslog message.

77
Q

Logging from Cisco Devices Cisco devices may use slightly different syslog message formats, and may use mnemonics instead of message IDs, as shown in the figure:

https://snipboard.io/tuUzKG.jpg

A

A dictionary of Cisco ASA syslog messages is available on the Cisco website.

78
Q

Proxy Logs Proxy servers, such as those used for web and DNS requests,

contain valuable logs that are a primary source of data for network security monitoring.

A

Proxy Logs Proxy servers, such as those used for web and DNS requests,

contain valuable logs that are a primary source of data for network security monitoring.

79
Q

Proxy Logs Proxy servers are devices that act as intermediaries for network clients.

A

For example, an enterprise may configure a web proxy to handle web requests on behalf of clients.

Instead of requests for web resources being sent directly to the server from the client, the request is sent to a proxy server first.

The proxy server requests the resources and returns them to the client. The proxy server generates logs of all requests and responses.

These logs can then be analyzed to determine which hosts are making the requests, whether the destinations are safe or potentially malicious, and to also gain insights into the kind of resources that have been downloaded.

80
Q

Proxy Logs

Web proxies provide data that helps determine whether responses from the web were generated in response to legitimate requests or have been manipulated to appear to be responses but are in fact exploits.

A

It is also possible to use web proxies to inspect outgoing traffic as a means of data loss prevention (DLP).

DLP involves scanning outgoing traffic to detect whether the data that is leaving the network contains sensitive, confidential, or secret information.

Examples of popular web proxies are Squid, CCProxy, Apache Traffic Server, and WinGate.

81
Q

Proxy Logs An example of a Squid web proxy log in the Squid-native format appears below.

A

An example of a Squid web proxy log in the Squid-native format appears below.

Explanations of the field values appear in the table below the log entry.

DNS Proxy Log Example

https://snipboard.io/71Kmof.jpg

82
Q

Proxy Logs

Note: Open web proxies, which are proxies that are available to any internet user, can be used to obfuscate threat actor IP addresses. Open proxy addresses may be used in blacklisting internet traffic.

A

Proxy Logs

Note: Open web proxies, which are proxies that are available to any internet user, can be used to obfuscate threat actor IP addresses. Open proxy addresses may be used in blacklisting internet traffic.

83
Q

Proxy Logs Cisco Umbrella Cisco Umbrella, formerly OpenDNS, offers a hosted DNS service that extends the capability of DNS to include security enhancements.

Rather than organizations hosting and maintaining blacklisting, phishing protection, and other DNS-related security, Cisco Umbrella provides these protections in its own DNS service.

Cisco Umbrella is able to apply many more resources to managing DNS than most organizations can afford.

Cisco Umbrella functions in part as a DNS super proxy in this regard.

A

The Cisco Umbrella suite of security products applies real-time threat intelligence to managing DNS access and the security of DNS records.

DNS access logs are available from Cisco Umbrella for the subscribed enterprise.

Instead of using local or ISP DNS servers, an organization can choose to subscribe to Cisco Umbrella for DNS and other security services.

An example of a DNS proxy log appears below. The table explains the meaning of the fields in the log entry.

84
Q

Proxy Logs DNS Proxy Log Example

A

"2015-01-16 17:48:41","ActiveDirectoryUserName","ActiveDirectoryUserName,ADSite,Network","10.10.1.100","24.123.132.133","Allowed","1 (A)","NOERROR","domain-visited.com.","Chat,Photo Sharing,Social Networking,Allow List"

https://snipboard.io/NKSHWV.jpg

85
Q

Next-Generation Firewalls Next-Generation or NextGen Firewall devices extend network security beyond IP addresses and Layer 4 port numbers to the application layer and beyond.

NextGen Firewalls are advanced devices that provide much more functionality than previous generations of network security devices.

One of those functionalities is reporting dashboards with interactive features that allow quick point-and-click reports on very specific information without the need for SIEM or other event correlators.

A

Next-Generation Firewalls Next-Generation or NextGen Firewall devices extend network security beyond IP addresses and Layer 4 port numbers to the application layer and beyond.

NextGen Firewalls are advanced devices that provide much more functionality than previous generations of network security devices.

One of those functionalities is reporting dashboards with interactive features that allow quick point-and-click reports on very specific information without the need for SIEM or other event correlators.

86
Q

Next-Generation Firewalls Cisco’s line of NextGen Firewall devices (NGFW) uses Firepower Services to consolidate multiple security layers into a single platform. This helps to contain costs and simplify management.

Firepower services include application visibility and control, Firepower Next-Generation IPS (NGIPS), reputation and category-based URL filtering, and Advanced Malware Protection (AMP).

Firepower devices allow monitoring network security through a web-enabled GUI called Event Viewer.

A

Next-Generation Firewalls Cisco’s line of NextGen Firewall devices (NGFW) uses Firepower Services to consolidate multiple security layers into a single platform. This helps to contain costs and simplify management.

Firepower services include application visibility and control, Firepower Next-Generation IPS (NGIPS), reputation and category-based URL filtering, and Advanced Malware Protection (AMP).

Firepower devices allow monitoring network security through a web-enabled GUI called Event Viewer.

87
Q

Next-Generation Firewalls Common NGFW events include:

Connection Event

Intrusion Event

Host or Endpoint Event

Network Discovery Event

Netflow Event

A

Next-Generation Firewalls Common NGFW events include:

Connection Event

Intrusion Event

Host or Endpoint Event

Network Discovery Event

Netflow Event

88
Q

Next-Generation Firewalls Common NGFW events include:

Connection Event

Connection logs contain data about sessions that are detected directly by the NGIPS.

Connection events include basic connection properties such as timestamps, source and destination IP addresses, and metadata about why the connection was logged, such as which access control rule logged the event.

A

Connection logs contain data about sessions that are detected directly by the NGIPS.

Connection events include basic connection properties such as timestamps, source and destination IP addresses, and metadata about why the connection was logged, such as which access control rule logged the event.

89
Q

Next-Generation Firewalls Common NGFW events include:

Intrusion Event

The system examines the packets that traverse the network for malicious activity that could affect the availability, integrity, and confidentiality of a host and its data.

When the system identifies a possible intrusion, it generates an intrusion event, which is a record of the date, time, type of exploit, and contextual information about the source of the attack and its target.

A

Intrusion Event

The system examines the packets that traverse the network for malicious activity that could affect the availability, integrity, and confidentiality of a host and its data.

When the system identifies a possible intrusion, it generates an intrusion event, which is a record of the date, time, type of exploit, and contextual information about the source of the attack and its target.

90
Q

Next-Generation Firewalls Common NGFW events include:

Host or Endpoint Event

When a host appears on the network, it can be detected by the system, and details of the device hardware, IP addressing, and the last known presence on the network can be logged.

A

Host or Endpoint Event

When a host appears on the network, it can be detected by the system, and details of the device hardware, IP addressing, and the last known presence on the network can be logged.

91
Q

Next-Generation Firewalls Common NGFW events include:

Network Discovery Event

Network discovery events represent changes that have been detected in the monitored network.

These changes are logged in response to network discovery policies that specify the kinds of data to be collected, the network segments to be monitored, and the hardware interfaces of the device that should be used for event collection.

A

Network Discovery Event

Network discovery events represent changes that have been detected in the monitored network.

These changes are logged in response to network discovery policies that specify the kinds of data to be collected, the network segments to be monitored, and the hardware interfaces of the device that should be used for event collection.

92
Q

Next-Generation Firewalls Common NGFW events include:

Netflow Event

Network discovery can use a number of mechanisms, one of which is to use exported NetFlow flow records to generate new events for hosts and servers.

A

Netflow Event

Network discovery can use a number of mechanisms, one of which is to use exported NetFlow flow records to generate new events for hosts and servers.

93
Q

Next-Generation Firewalls Services Provided by NGFW

https://snipboard.io/5t2mO4.jpg

A

Next-Generation Firewalls Services Provided by NGFW

https://snipboard.io/5t2mO4.jpg