350-201 Performing CyberOps Using Core Security Technologies (CBRCOR) Questions and Answers

During the recovery phase of the incident response process, especially after a phishing attack, it’s crucial to update the Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) signatures to detect and prevent similar attacks in the future. Additionally, reimaging the affected hosts ensures that any malware or changes made by the attacker are removed and that the systems are restored to a known good state.  This step is essential to eradicate the threat and restore normal operations

In the case of a suspicious email, the security analyst should communicate with employees to determine who opened the link and isolate the affected assets to prevent further spread of potential malware.  Additionally, checking the email header to identify the sender and analyzing the link in an isolated environment are crucial steps to begin the investigation and understand the scope and impact of the potential breach 1 3 .

 The “permission denied” error during script execution indicates that the script does not have execute permissions. The  chmod +x ex.sh  command changes the script’s permissions to make it executable.  This is the necessary step to resolve the permission issue and allow the script to run

In the context of investigating a security incident involving suspicious connections, a packet sniffer is the most appropriate tool for identifying the source IP of the offender. A packet sniffer captures and analyzes network traffic, allowing the analyst to see the details of each packet that is transmitted over the network. This includes source and destination IP addresses, port numbers, protocols used, and the content of the data being sent. By examining the captured data, the analyst can identify the source IP address of the suspicious connections and take appropriate action. This is particularly useful in scenarios where an attacker might be attempting to communicate with compromised systems within the network.

 According to the NIST incident response handbook, after detecting a ransomware outbreak and notifying the affected parties, the next step is to eradicate the malicious software from the infected machines.  This involves removing the ransomware and any associated malware to prevent further encryption or spread of the infection 3

 According to the NIST incident handling guide, the steps for handling an incident include preparation, detection and analysis, containment, eradication, recovery, and post-incident activity 1 2 . In the scenario described, the incident response team has detected the malware, eradicated it by removing the malware, and recovered by restoring the functionality and data of infected systems. However, the step of containment, which should occur before eradication and recovery to prevent the spread of malware and further damage, appears to have been missed.  Containment strategies are crucial to limit the scope and magnitude of an incident 1 .

References  :=

NIST SP 800-61 Rev.  2, Computer Security Incident Handling Guide 1

NIST Incident Response: Your Go-To Guide to Handling Cybersecurity 2

 If multiple assets received requests on TCP port 79, which is associated with the Finger service, the SOC team should take action to disable the Finger service on affected devices.  This service is known to be used for reconnaissance by attackers, and disabling it can help mitigate the attack and prevent further information leakage

Implementing a confirmation step in the SOAR (Security Orchestration, Automation, and Response) workflow can significantly reduce false positives and improve the accuracy of threat detection. By adding a mechanism that informs the affected user of the detected activity and asks for their confirmation, the system can distinguish between legitimate and malicious actions more effectively. This approach respects the user’s context and behavior patterns, allowing for a more nuanced response to security alerts. It also reduces the inconvenience caused to legitimate users by avoiding unnecessary account blocks or credential resets.

The other options, while potentially useful in certain contexts, do not address the immediate issue of distinguishing between false positives and actual threats as effectively as a confirmation step does. Meeting with privileged users (option A) and increasing incorrect login tries (option D) may help to some extent but do not provide an immediate verification mechanism. Changing the SOAR configuration flow (option B) could reduce automatic remediation, but it might also reduce the system’s ability to respond to actual threats promptly.

Therefore, adding a confirmation step is the most direct and effective way to improve the workflow and resolve the issues described. It enhances the precision of the SOAR system and maintains a balance between security and user convenience.

When analyzing a possible compromise that occurred in the past, tools like Wireshark and Autopsy can be instrumental. Wireshark is a network protocol analyzer that can capture and display the data traveling back and forth on a network in real-time. It’s useful for understanding what happened during the compromise by analyzing the packets for signs of malicious activity. Autopsy is a digital forensics platform that can analyze hard drives and smartphones to recover evidence of a compromise, such as malware artifacts or suspicious file changes. Both tools would provide an engineer with the necessary data to analyze the events leading up to and during the compromise.

 When dealing with a CSRF vulnerability discovered in multiple applications, the recommended approach is to prioritize patching based on the risk scores associated with each application. This ensures that the most critical vulnerabilities that pose the greatest risk to the organization are addressed first.  It is a strategic approach that aligns remediation efforts with the potential impact of the vulnerabilities 4 .

 To automate the task of receiving alerts and processing data for further investigations, the script must include the variables that allow it to communicate with the SIEM console.  These would typically be the console’s IP address ( console_ip ) and an authentication token ( api_token ) to establish a secure connection and access the necessary data 2 .

After a remote code execution attack, it is crucial to determine which systems were involved in the incident and to deploy any available patches to those systems. This step is part of the recovery stage, where the focus is on restoring the integrity of the systems and preventing the same vulnerability from being exploited again.  Patching the systems helps to close the security gaps that the threat actor exploited and is a key measure in the process of recovering from such an attack

Continuous delivery is a software development approach that enables teams to produce software in short cycles, ensuring that the software can be reliably released at any time. It aims to build, test, and release software with greater speed and frequency.  This approach helps in closing feedback loops and enables teams to quickly apply patches, making it ideal for situations where code updates need to reach the market as often as possible

 A Security Information and Event Management (SIEM) tool is primarily used to collect and analyze security data from various sources, such as network devices and servers, and then produce alerts based on this analysis. SIEM tools aggregate and correlate data to identify patterns that may indicate a security incident, allowing organizations to respond to threats more effectively.

 In Cisco Secure Network Analytics (Stealthwatch), when an engineer needs to analyze the top data transmissions to identify significant anomalies in traffic within a host group, the  Top Conversations  tool is used. This tool provides a detailed view of the communication between hosts, showing which pairs of hosts are exchanging the most data. By examining the top conversations, the engineer can pinpoint which specific data flows are contributing to the anomaly and take appropriate action.

The  Top Conversations  tool is particularly useful for this task because it focuses on the interactions between hosts, rather than just the volume of traffic (Top Ports), the individual hosts themselves (Top Hosts), or the peers (Top Peers) involved in the network communications. It allows for a more granular analysis of the network traffic, which is essential for identifying and addressing anomalies.

The correct code snippet that will parse the response to identify the status of the domain as malicious, clean, or undefined is Option B. This option contains conditional checks for the domain status and prints out the result accordingly. If the  domain_status  is ‘malicious’, it prints that the domain is found malicious; if the  domain_status  is ‘clean’, it prints that the domain is found clean; and for any other case, it prints that the domain status is undefined or risky. This aligns with the typical structure of a response parser that handles different statuses and provides a corresponding output.

References  :=

Python’s conditional statements documentation for handling multiple conditions.

Best practices for parsing JSON responses in Python, which often involve checking for various statuses and handling each one appropriately.

 The tactics, techniques, and procedures that align with the analysis of an internal workstation communicating over port 80 with an external server, where the file hash is associated with Duqu malware, would be Command and Control (C2) via an Application Layer Protocol.  Duqu is known for its sophisticated command and control capabilities, which often involve communication over common network protocols to evade detection 6 7 .

System hardening is the process of securing a system by reducing its surface of vulnerability, which is larger when a system performs more functions; in principle, a single-function system is more secure than a multipurpose one.  Reducing available ways of attack typically includes changing default passwords, the removal of unnecessary software, unnecessary usernames or logins, and the disabling or removal of unnecessary services 1

The threat model for the SQL database, given that it manages transactions, access control, and atomicity, is primarily concerned with the confidentiality and integrity of the data. An attacker who gains access to the database could potentially read sensitive information or modify data, which could lead to unauthorized transactions, access control breaches, or compromise the atomicity of database operations. Therefore, the most pertinent threat is that an attacker can read or change data within the database.

References :

Understanding Cisco CyberOps Using Core Security Technologies (CBRCOR) course material would cover the various threats to databases and the importance of securing them against unauthorized access or modification.

The Cisco Certified CyberOps Associate certification includes knowledge about identifying and protecting against threats to critical infrastructure, such as SQL databases.

To mitigate attacks on a webserver from the Internet, it’s crucial to implement security measures that control the traffic reaching the server and provide an additional layer of abstraction.

A.  Create an ACL on the firewall to allow only TLS 1.3 : This step ensures that only secure, encrypted traffic using the latest version of the TLS protocol can reach the webserver. TLS 1.3 includes improvements over previous versions that enhance security and performance, making it a strong choice for protecting web traffic.

B.  Implement a proxy server in the DMZ network : A proxy server acts as an intermediary between users on the Internet and the webserver. It can provide additional security features like content filtering and load balancing. By processing requests and responses through the proxy, direct access to the webserver is avoided, reducing the attack surface.

Options C and D are less effective in this context: C.  Create an ACL on the firewall to allow only external connections : This would not be a mitigation step, as it does not restrict the type of traffic or provide additional security measures. D.  Move the webserver to the internal network : This could potentially expose the internal network to more risks if the webserver is compromised. It’s generally safer to keep public-facing services in a DMZ.

Moving the Intrusion Prevention System (IPS) before the firewall facing the outside network is a strategic action to harden the network. This placement allows the IPS to analyze and filter incoming traffic before it reaches the firewall, providing an additional layer of security.  By positioning the IPS externally, it can prevent malicious traffic from ever reaching the internal network devices, thus reducing the number of false positives generated by trusted IP addresses and internal devices 1 .

To prevent future attacks like the one described, where a compromised workstation gained access to sensitive customer data using insecure protocols, the best action is to use  VLANs to segregate zones  and configure the  firewall to allow only required services and secured protocols . This approach ensures that different segments of the network are isolated, reducing the risk of lateral movement by attackers. Additionally, allowing only necessary and secure protocols through the firewall enhances the security posture by minimizing the attack surface.

References :

Network security best practices often recommend the use of VLANs and strict firewall rules as a means to enhance network security and prevent unauthorized access.

Implementing secure communication protocols and services is crucial in protecting sensitive data from being compromised.

The breach described could have been prevented by integrating security practices into the development lifecycle, known as SecDevOps. This approach includes continuous security checks and vulnerability assessments during the development stages, which would likely have identified the vulnerability before the code was deployed.

 Upon receiving an alert of a zero-day vulnerability, the first step an engineer should take is to initiate a triage meeting to acknowledge the vulnerability and assess its potential impact 2 . This step is crucial for understanding the severity of the vulnerability, determining the scope of affected systems, and deciding on the subsequent actions to mitigate the risk.  It involves gathering the relevant stakeholders and security experts to evaluate the threat and develop a response plan 2 .

The 2xx series of HTTP response codes indicate that the client’s request was successfully received, understood, and accepted 1 . These codes are used to communicate that the action requested by the client was processed successfully without any server-side issues.  For example, a 200 OK status code confirms that the request has succeeded, and a 201 Created indicates that a new resource has been created as a result of the request 1 .

Following behavioral analysis in a controlled laboratory, the next step in the malware analysis process is to perform static and dynamic code analysis of the specimen. Static analysis involves examining the malware without executing it, while dynamic analysis involves observing the malware’s behavior in a controlled environment.  These analyses provide deeper insights into the malware’s capabilities and intentions 2 .

The stage of the threat kill chain indicated by the URIs of inbound web requests from known malicious Internet scanners is  reconnaissance . During this stage, attackers are gathering information about the target system, looking for vulnerabilities or weak points that can be exploited. The URIs provided in the exhibit suggest attempts to discover administrative interfaces, exploit known vulnerabilities, and test for common web application weaknesses such as cross-site scripting (XSS) and SQL injection. These activities are characteristic of the reconnaissance phase, where attackers are probing and mapping out the target environment to plan their subsequent moves.

Key risk indicators (KRIs) provide a clear perspective into the risk position of an organization. KRIs are metrics used to proactively measure risks that a business may face.  They serve as early warning signs of upcoming crises, which can provide an organization’s management team time to create an action plan to mitigate that risk’s potential impact or prevent it from occurring 2 .

After using antivirus and malware removal tools, if abnormal processes are still occurring, the engineer should analyze the components of the infected hosts and their associated business services. This step is crucial to understand the scope of the infection, determine how the malware is affecting the system, and identify any changes made by the malware.  This analysis will help in planning the subsequent steps for cleaning the infected host and restoring its functionality 1 .

The combination of increased incoming spam emails and web scraping alerts suggests a phishing attempt. Phishing is a type of social engineering attack where attackers send fraudulent messages designed to trick individuals into revealing sensitive information or deploying malicious software.  Web scraping can be used to gather email addresses for such campaigns

In the context of Cisco Secure Network Analytics (formerly known as Stealthwatch) and ISE (Identity Services Engine), pxGrid (Platform Exchange Grid) is used for sharing context-aware information across different security tools to enable rapid threat containment. When a malware-infected endpoint is detected, Cisco Secure Network Analytics can communicate with ISE using pxGrid to signal the need for quarantine. This allows ISE to place the infected endpoint into a designated quarantine VLAN using an Adaptive Network Control policy, effectively isolating the threat and preventing it from spreading through the network.

References :

Cisco’s guide on pxGrid

Cisco’s solution overview on Rapid Threat Containment