Cisco CyberOps Associate CBROPS 200-201 Practice Test

Practice Test

Rating: 4.10 (10 reviews)
Platform: Udemy
Language: English
Category: Network & Security
Instructor: (not listed)
Students: 84
Content: 272 questions
Last update: Mar 2021
Regular price: $44.99

What you will learn

Cybersecurity analysts

Why take this course?

The practice questions are organized by the exam's task categories, as follows:

1- Host-based Analysis (20%):

Endpoint Technologies:

  • Functionality of endpoint technologies for security monitoring: Endpoint detection and response (EDR) solutions monitor and analyze system and application events on endpoints. They can detect abnormal behavior, prevent known threats, and collect and analyze data to respond to security incidents.
  • Components of an operating system in a given scenario: For Windows, you might identify the Windows Registry, Process Explorer (Procexp.exe), System Monitor (TaskManager.exe), Event Logs (EventVwr.msc), User Account Control (UAC), and file system components like %APPDATA% or %WINDIR%. For Linux, you'd look at process lists (ps aux), system logs (/var/log), SELinux or AppArmor contexts, and so on.
  • Role of attribution in an investigation: Attribution involves identifying the source of a security incident by analyzing indicators of compromise (IoCs) and other evidence to determine the attacker's identity, affiliation, and capabilities.
  • Type of evidence used based on provided logs: System or application logs can provide evidence of user actions, process executions, access to resources, errors, and security events that could be indicative of a compromise or an intrusion attempt.
  • Comparing tampered and untampered disk images: You would look for discrepancies in file timestamps, file integrity checks (like Tripwire), or unauthorized changes in the disk's metadata, among other indicators.
  • Interpreting operating system, application, or command line logs: These logs provide a chronological record of events that can help identify when and how an incident occurred, including user actions, system updates, and potential malicious activity.
  • Interpreting the output report of a malware analysis tool: You would analyze the report for information about the malware's behavior, its infection vector, potential damage or exfiltration of data, and any other relevant artifacts.
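The bullet on comparing tampered and untampered disk images names file timestamps and integrity checks as the indicators to look for. The script below is an added example (not part of the course or of any Tripwire-style tool) that shows the check in working form: it snapshots two directory trees, assumed to be a known-good baseline image and the image under investigation mounted or extracted to disk, hashes every file with SHA-256, and reports added, removed and modified files. It also flags the case a timestamp-only comparison would miss: content that changed while the modification time stayed the same. The `build_demo` function fabricates a small constructed tree and tampers with a copy of it so the example runs offline; the paths inside it (`bin/ls`, `etc/passwd`, `etc/cron.d/job`, `var/log/auth.log`) are illustrative, not from the page.

```python
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass

OLD_MTIME = 1_600_000_000  # constructed baseline timestamp (2020-09-13 UTC)


@dataclass
class Finding:
    path: str
    kind: str        # "added", "removed" or "modified"
    note: str = ""


def snapshot(root: str) -> dict:
    """Record (sha256, mtime) for every regular file under root, keyed by relative path."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            snap[rel] = (digest.hexdigest(), int(os.stat(full).st_mtime))
    return snap


def compare(baseline: dict, current: dict) -> list:
    """Diff two snapshots; hashes decide 'modified', mtimes only annotate the finding."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            findings.append(Finding(rel, "removed"))
        elif rel not in baseline:
            findings.append(Finding(rel, "added"))
        else:
            b_hash, b_mtime = baseline[rel]
            c_hash, c_mtime = current[rel]
            if b_hash != c_hash:
                if b_mtime == c_mtime:
                    note = "content changed but mtime unchanged (possible timestomping)"
                else:
                    note = "content and mtime changed"
                findings.append(Finding(rel, "modified", note))
    return findings


def _write(root: str, rel: str, text: str) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(text)


def build_demo() -> tuple:
    """Constructed sample: a baseline tree and a copy tampered in four ways."""
    base = tempfile.mkdtemp(prefix="baseline_")
    _write(base, "bin/ls", "original ls binary (constructed)\n")
    _write(base, "etc/passwd", "root:x:0:0:root:/root:/bin/sh\n")
    _write(base, "var/log/auth.log", "constructed log line\n")
    for dirpath, _, files in os.walk(base):           # pin all baseline mtimes
        for name in files:
            os.utime(os.path.join(dirpath, name), (OLD_MTIME, OLD_MTIME))
    cur = tempfile.mkdtemp(prefix="current_")
    shutil.rmtree(cur)
    shutil.copytree(base, cur)                         # copy2 preserves mtimes
    _write(cur, "bin/ls", "replaced ls binary (constructed)\n")
    os.utime(os.path.join(cur, "bin", "ls"), (OLD_MTIME, OLD_MTIME))  # mtime reset
    _write(cur, "etc/passwd", "root:x:0:0:root:/root:/bin/sh\nextra:x:0:0::/:/bin/sh\n")
    _write(cur, "etc/cron.d/job", "constructed new file\n")
    os.remove(os.path.join(cur, "var", "log", "auth.log"))
    return base, cur


if __name__ == "__main__":
    baseline_root, current_root = build_demo()
    for f in compare(snapshot(baseline_root), snapshot(current_root)):
        print(f"{f.kind:<9} {f.path}  {f.note}")
```

On a real case the two roots would be read-only mounts of the forensic images; the hash comparison is what makes the result trustworthy, because the `bin/ls` case shows that a changed file can carry an untouched timestamp.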

2- Network Intrusion Analysis (20%):

Mapping events to source technologies:

  • Deep packet inspection vs. packet filtering and stateful firewall operation: Deep packet inspection (DPI) examines the contents of each packet for protocol non-compliance, anomalous routing or suspicious content. Packet filtering checks headers to allow or block packets. Stateful firewalls track the state of connections and can make more informed decisions about traffic based on the context of an ongoing session.
  • Inline traffic interrogation vs. taps or traffic monitoring: Inline traffic interrogation actively inspects and can modify traffic as it passes through a network device, while taps (like SPAN/Mirror ports) passively send a copy of traffic to monitoring tools without affecting the flow of data.
  • Data obtained from taps vs. transactional data (NetFlow): Data from taps provides detailed visibility into every packet, including encrypted packets, whereas NetFlow (Cisco's version is sFlow, or similar) captures summary data about flows and can be used to analyze network traffic patterns without deep packet inspection.
  • Extracting files from a TCP stream with Wireshark: Use Wireshark to capture a TCP stream, then filter for the application protocol (e.g., HTTP). You can then reconstruct the TCP stream and save it to a file.
  • Identifying key elements in an intrusion from a given PCAP file: Look for anomalies such as unexpected ports, unusual traffic volumes, or patterns that match known attack signatures.
  • Interpreting protocol headers: Protocol headers contain metadata about the packet, including source and destination IP addresses, port numbers, flags, and timestamps, which are crucial for understanding network activity and intrusions.
  • Common artifact elements from an event to identify an alert: These could include unusual outbound connections, unrecognized services running on a host, or anomalies in access patterns that deviate from the norm.
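The bullets on interpreting protocol headers, checking protocol compliance and spotting unexpected ports describe what an analyst reads off a packet. The following is an added example, not code from the course, that does that decoding by hand with `struct`: it unpacks an Ethernet II frame into its IPv4 and TCP header fields, verifies the IPv4 header checksum (a basic protocol-compliance check), decodes the TCP flag bits, and then runs a small triage pass that flags a destination port outside an assumed allowlist. The frame is constructed inside `build_sample_frame` (a SYN from 10.0.0.5 to the documentation address 203.0.113.10 on port 5555), so the example runs offline; the MAC addresses and the allowlist of ports 80 and 443 are assumptions. The TCP checksum is left at zero because computing it needs the pseudo-header, which is outside the point being shown.

```python
import socket
import struct

TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; over a header that includes its checksum it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet II -> IPv4 -> TCP headers into a flat dict of fields."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not IPv4 (ethertype 0x%04x)" % ethertype)
    ip = frame[14:]
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl,
     proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 6:
        raise ValueError("not TCP (protocol %d)" % proto)
    tcp = ip[ihl:total_len]
    (sport, dport, seq, ack, off_res, flags,
     window, _tcp_csum, _urg) = struct.unpack("!HHIIBBHHH", tcp[:20])
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst),
        "ttl": ttl, "ip_id": ident, "dont_fragment": bool(flags_frag & 0x4000),
        "ip_checksum_ok": ipv4_checksum(ip[:ihl]) == 0,
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "flags": [name for bit, name in TCP_FLAG_NAMES if flags & bit],
        "window": window, "tcp_header_len": (off_res >> 4) * 4,
    }


def triage(fields: dict, expected_ports: set) -> list:
    """Turn decoded fields into the artifact-level observations an analyst would note."""
    observations = []
    if not fields["ip_checksum_ok"]:
        observations.append("IPv4 header checksum invalid (malformed or modified packet)")
    if fields["dst_port"] not in expected_ports:
        observations.append("destination port %d not in expected service set %s"
                            % (fields["dst_port"], sorted(expected_ports)))
    if fields["flags"] == ["SYN"]:
        observations.append("new connection attempt %s:%d -> %s:%d"
                            % (fields["src_ip"], fields["src_port"],
                               fields["dst_ip"], fields["dst_port"]))
    return observations


def build_sample_frame() -> bytes:
    """Constructed sample: a TCP SYN, 10.0.0.5:51000 -> 203.0.113.10:5555, with a valid IPv4 checksum."""
    src_ip, dst_ip = socket.inet_aton("10.0.0.5"), socket.inet_aton("203.0.113.10")
    tcp = struct.pack("!HHIIBBHHH", 51000, 5555, 1000, 0, 5 << 4, 0x02, 64240, 0, 0)
    ip_zero = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                          0x4000, 64, 6, 0, src_ip, dst_ip)
    ip = ip_zero[:10] + struct.pack("!H", ipv4_checksum(ip_zero)) + ip_zero[12:]
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"),   # assumed dst MAC
                      bytes.fromhex("66778899aabb"), 0x0800)    # assumed src MAC
    return eth + ip + tcp


if __name__ == "__main__":
    decoded = parse_frame(build_sample_frame())
    for key, value in decoded.items():
        print(f"{key:<16} {value}")
    for line in triage(decoded, {80, 443}):
        print("!", line)
```

The same `parse_frame` can be fed the raw bytes of a frame exported from Wireshark; the fields it returns are the ones the exam bullets ask you to read from protocol headers, and `triage` is where site-specific expectations (which ports and hosts are normal) would live.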

3- SOC Metrics (Part of Host-based and Network Intrusion Analysis):

Relationship of SOC metrics to scope analysis:

  • Time to detect (TTD), time to contain (TTC), time to respond (TTResponse), and time to control/erase (TTCE): These are key performance indicators for a security operations center (SOC). They measure how quickly the SOC can identify, respond to, and neutralize or mitigate a security incident. Analyzing these metrics helps in understanding the scope of an intrusion and the effectiveness of the response.

4- Classifying Intrusion Events (Part of Host-based and Network Intrusion Analysis):

Intrusion models:

  • Cyber Kill Chain Model: This model describes the stages of a cyberattack, from reconnaissance to exfiltration. By classifying events into these stages, you can better understand the nature of the attack and potentially disrupt it before it reaches its goal.
  • Diamond Model of Intrusion: This model focuses on the behaviors exhibited by adversaries throughout the intrusion process, categorizing them into actions taken (Reconnaissance, Resource Development, Delivery, Exploitation, Installation), goals pursued (Objective Focus, Tactic Employment, Pivot to Privilege Elevation, Out with Objectives), and the platforms they use (Pre-Intrusion, Initial Vectors, Established Foothold, Persistence, Pivoting, Command & Control).

In your analysis, you would use a combination of forensic techniques, threat intelligence, and understanding of security frameworks to determine the scope and nature of a security incident, and to attribute it if possible.

Udemy ID: 3800972
Course created: 25/01/2021
Course indexed: 17/07/2022
Course submitted by: Bot