350-201 Performing CyberOps Using Core Security Technologies (CBRCOR) Questions and Answers

The recommended action to mitigate an attack that is broadcasting a large number of ICMP packets using a spoofed source IP address is to use the subinterface command no ip directed-broadcast. This command prevents the Cisco IOS device from forwarding packets that are addressed to IP broadcast addresses. By disabling the directed broadcast feature, the network devices will not respond to broadcast messages sent to the network’s broadcast address, thus mitigating the attack and preventing the amplification of the ICMP packets back to the victim’s IP address.

Creating an automation script for blocking URLs on the firewall when the rule is triggered will improve the effectiveness of the process by reducing the time between the detection of a request to a malicious URL and the blocking action. This proactive approach ensures that the URLs are blocked immediately, minimizing the window of opportunity for the threat to cause harm

The first step the CyberOps Tier 3 Analyst should take is to review the system and application logs to identify errors in the portal code. This step is essential to understand the root cause of the incident, such as a software bug or configuration error that may be allowing patients to view others’ PII. By analyzing the logs, the analyst can pinpoint the exact nature of the problem and take appropriate measures to fix it and prevent further unauthorized access1.

The bash command grep -i “yellow” colors.txt will print all lines from the “colors.txt” file containing the non case-sensitive pattern “Yellow”. The -i option in the grep command is used to ignore case distinctions in both the pattern and the input files, allowing it to match both “Yellow”, “yellow”, “YELLOW”, etc.

Cisco Rapid Threat Containment integrates Cisco Secure Network Analytics (Stealthwatch) and ISE to detect malware-infected endpoints. The telemetry feeds that were correlated with the Stealthwatch Management Console (SMC) to identify the malware are NetFlow and event data. NetFlow provides visibility into network traffic patterns and volumes, while event data includes logs and alerts generated by network devices and security systems. Together, these feeds enable the SMC to analyze network behavior and identify potential threats, leading to the quarantine of the infected endpoint.

References:

Cisco Secure Network Analytics (Stealthwatch) documentation would detail the types of telemetry feeds used for threat detection.

Cisco Identity Services Engine (ISE) documentation would explain how Adaptive Network Control policies are applied to respond to detected threats.

To assess the effectiveness of risk mitigation in an organization, it is essential to analyze key performance indicators (KPIs). These indicators provide measurable values that can demonstrate how effectively the company is achieving its key business objectives. In the context of risk mitigation, KPIs can include metrics such as the number of incidents or losses prevented, the percentageof risks mitigated, the cost savings achieved, or the level of stakeholder satisfaction. By analyzing these indicators, an organization can determine whether its risk mitigation strategies are successful in reducing the likelihood and impact of potential risks1.

References:

Organizations often identify specific KPIs to track the effectiveness of their risk mitigation strategies1.

The process of risk mitigation involves implementing proactive measures to minimize the probability and impact of adverse events1.

Evaluating the effectiveness of risk mitigation strategies may involve performance metrics, data analysis, incident tracking, and feedback mechanisms

The behaviors that triggered the User and Entity Behavior Analytics (UEBA) are the employee logging in during non-working hours and from a first-seen country. UEBA systems are designed to detect anomalies in user behavior that could indicate security threats. Logging in from a new location, especially during unusual hours, deviates from the user’s typical behavior patterns and raises flags about potential unauthorized access or compromised credentials.

The engineers should first determine the type of data stored on the affected asset and document the access logs to understand the potential impact of the unknown application. Engaging the incident response team is crucial for a coordinatedresponse to the security issue. Additionally, identifying who installed the application by reviewing the logs and gathering a user access log from the HR department will help trace the origin of the application and assess the extent of the unauthorized activity

 In Cisco Secure Network Analytics (Stealthwatch), when an engineer needs to analyze the top data transmissions to identify significant anomalies in traffic within a host group, the Top Conversations tool is used. This tool provides a detailed view of the communication between hosts, showing which pairs of hosts are exchanging the most data. By examining the top conversations, the engineer can pinpoint which specific data flows are contributing to the anomaly and take appropriate action.

The Top Conversations tool is particularly useful for this task because it focuses on the interactions between hosts, rather than just the volume of traffic (Top Ports), the individual hosts themselves (Top Hosts), or the peers (Top Peers) involved in the network communications. It allows for a more granular analysis of the network traffic, which is essential for identifying and addressing anomalies.

When an HTTP response code 301 is received from a web application, it indicates that the requested resource has been permanently moved to a new location. The action to be taken is to confirm the resource’s new location, as the 301 status code is used for permanent URL redirection

To prevent future attacks like the one described, where a compromised workstation gained access to sensitive customer data using insecure protocols, the best action is to use VLANs to segregate zones and configure the firewall to allow only required services and secured protocols. This approach ensures that different segments of the network are isolated, reducing the risk of lateral movement by attackers. Additionally, allowing only necessary and secure protocols through the firewall enhances the security posture by minimizing the attack surface.

References:

Network security best practices often recommend the use of VLANs and strict firewall rules as a means to enhance network security and prevent unauthorized access.

Implementing secure communication protocols and services is crucial in protecting sensitive data from being compromised.

In the context of Cisco Secure Network Analytics (formerly known as Stealthwatch) and ISE (Identity Services Engine), pxGrid (Platform Exchange Grid) is used for sharing context-aware information across different security tools toenable rapid threat containment. When a malware-infected endpoint is detected, Cisco Secure Network Analytics can communicate with ISE using pxGrid to signal the need for quarantine. This allows ISE to place the infected endpoint into a designated quarantine VLAN using an Adaptive Network Control policy, effectively isolating the threat and preventing it from spreading through the network.

References:

Cisco’s guide on pxGrid

Cisco’s solution overview on Rapid Threat Containment

The breach described could have been prevented by integrating security practices into the development lifecycle, known as SecDevOps. This approach includes continuous security checks and vulnerability assessments during the development stages, which would likely have identified the vulnerability before the code was deployed.

 The creation of privileged user accounts in the Active Directory that coincide with suspicious network traffic suggests a network compromise. This type of activity is often indicative of an attacker gaining sufficient access to create accounts with elevated privileges, which can be used for further malicious activities within the network. The cross-correlation of events from other sources that align with the timing of these account creations strengthens the case for a compromised network. This scenario is consistent with tactics used by attackers to maintain persistence and establish control over network resources for ongoing exploitation1.

References:

The Performing CyberOps Using Cisco Security Technologies (CBRCOR) course covers the fundamentals of cybersecurity operations, including the identification and analysis of security incidents and network compromises1.

The Cisco Certified CyberOps Associate certification provides knowledge on monitoring, detecting, and responding to cybersecurity threats, which includes understanding the signs of a compromised network2

After isolating the affected workstation in a malware incident, the next step in the investigation is to inspect the registry entries for recently executed files. This can provide clues about the malware’s actions and potential persistence mechanisms. It’s a critical step in understanding the scope of the breach and the methods used by the attacker

According to NIST guidelines for conducting risk assessments, two critical elements required to calculate risk are understanding the vulnerabilities of the assets (asset vulnerability assessment) and having a detailed analysis of the threat (malware analysis report). The asset vulnerability assessment identifies the weaknesses that could be exploited by the malware, while the malware analysis report provides insight into the capabilities, propagation methods, and potential impact of the malware. These elements are essential for determining the likelihood and impact of the risk, which are key components of a risk assessment

The browser page rendering permissions are displayed in the X-Frame-Options HTTP response header. This header is used to control whether a browser should be allowed to render a page in a ,