Based on "Cisco CyberOps Associate CBROPS 200-201 Official Cert Guide" by Omar Santos
By Will Posted on September 8, 2024
1.1 Describe the CIA triad
Confidentiality
ISO 27000: “confidentiality is the property that information is not made available or disclosed to unauthorized individuals, entities, or processes.”
commonly protected via encryption
Common Vulnerability Scoring System (CVSS) uses CIA triad principles within metrics used to calculate CVSS base score
Integrity
ability to make sure system and data have not already been altered or compromised
data AND systems
i.e. data taken/changed, network/server config change, etc.
Availability
means system must be available to auth’d users at all times
CVSS Version 3 specification: “measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability.”
1.2 Compare security deployments
a. Network, endpoint, and application security systems
Traditional Firewall (https://www.geeksforgeeks.org/difference-between-traditional-firewall-and-next-generation-firewall/)
looks at packet state, source IP, destination IP, port, and protocol
if any of these are blocked by a rule, the packet itself is blocked and the firewall raises an event
Next-Generation Firewall (NGFW)
like a traditional firewall, but with additional features
can operate on layers 2-7
has application awareness
can inspect SSL traffic
extends protocols like NAT, PAT, and VPN, integrates new threat management tech
IPS and IDS are usually integrated in
Personal Firewall
firewall, but at the level of an individual computer
different from an ACL: a firewall is stateful (keeps track of connection context), whereas an ACL is stateless (doesn’t keep track of historical context)
Intrusion Detection System (IDS)
monitors traffic to search for known threats/suspicious/malicious activity
i.e. address spoofing, fragmentation, pattern evasion, coordinated attack
Intrusion Prevention System (IPS/NGIPS)
analyzes real-time traffic by sitting in the direct communication path
takes automated preventative action
looks for suspicious traffic outside the baseline
Anomaly Detection Systems
detects unusual traffic by comparing with the historical data trend
Advanced Malware Protection (AMP)
is able to detect and flag malware that uses obfuscation techniques
not reliant on signatures
Web Security Appliances
deployed at edge of network
specializes in web traffic and related threats
i.e. web secure gateway appliance can identify potential threats/data leaks
Email Security Appliances
searches through email to look for spam, malicious attachments/links, graymail (marketing mail, corporate spam, etc.) filtering, DLP (data loss prevention), outbound message control, etc.
Identity Management Systems
AKA IAM (Identity and Access Management), helps control authentication, authorization, and accounting of users and their permissions
Endpoint Security
helps detect and prevent attacks on hosts and endpoints within a network:
antimalware: detects and sandboxes malware on endpoints
HIDS: Host-Based Intrusion Detection System
Host-Based Firewall: firewall at the host level, allows for more granular and custom protections
b. Agentless and agent-based protections
agent based:
uses software installed on the host system to perform certain actions.
patching
scanning
rebooting
config changes
agentless:
uses other infrastructure to monitor and control security on endpoints
c. Legacy antivirus and antimalware
detects malware and viruses using a signature database
d. SIEM, SOAR, and log management
Security Information and Event Management
allows for detection and analysis of suspicious activity
collects and collates logs from different sources
compares this to historical traffic
serves the following functions:
log collection:
receiving and centralizing logs from various devices
log normalization
takes logs in different formats and stores them into a common model
log aggregation
combines common info and prevents duplicates
log correlation
ability to correlate events across different systems
reporting
compiling events into readable reports for analysts to act upon
Security Orchestration Automation and Response
Automation of Security prevention and response for attacks
Orchestration: allows to coordinate automation tools from a centralized point
Automation: allows for certain tools and scripts to trigger by certain rules
Log Management:
centralizes logs from across the environment
primarily used as a data source by a SIEM
ELK (Elasticsearch, Logstash, Kibana) is a common way to collect and analyze logs
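The log normalization, aggregation and correlation functions listed above, as an added example (not from the book or the original notes): two constructed log formats are mapped onto one common model, exact duplicates are collapsed, and failed logins from one source across more than one host followed by a success are correlated into an alert. The log lines, hostnames and addresses are constructed, and the threshold of three failures is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample logs in two formats: syslog-style sshd lines and a key=value auth log.
RAW_LOGS = [
    "Jun 10 20:57:01 web01 sshd[1020]: Failed password for admin from 203.0.113.7 port 51122 ssh2",
    "Jun 10 20:57:03 web01 sshd[1020]: Failed password for admin from 203.0.113.7 port 51123 ssh2",
    "Jun 10 20:57:03 web01 sshd[1020]: Failed password for admin from 203.0.113.7 port 51123 ssh2",
    "ts=2024-06-10T20:57:10Z host=vpn01 action=login result=fail user=admin src=203.0.113.7",
    "ts=2024-06-10T20:57:20Z host=vpn01 action=login result=success user=admin src=203.0.113.7",
    "Jun 10 20:58:00 web01 sshd[1021]: Accepted password for bob from 198.51.100.4 port 40000 ssh2",
]

SSHD = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
                  r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")
KV = re.compile(r"(\w+)=(\S+)")

def normalize(line):
    """Log normalization: map either source format onto one common event model."""
    m = SSHD.match(line)
    if m:
        d = m.groupdict()
        return {"ts": d["ts"], "host": d["host"], "user": d["user"], "src": d["src"],
                "outcome": "fail" if d["result"] == "Failed" else "success"}
    kv = dict(KV.findall(line))
    if kv.get("action") == "login":
        return {"ts": kv["ts"], "host": kv["host"], "user": kv["user"], "src": kv["src"],
                "outcome": kv["result"]}
    return None  # unparsed line; a real pipeline would keep it raw and count it

def aggregate(events):
    """Log aggregation: collapse exact duplicates into one event carrying a count."""
    counts = Counter(tuple(sorted(e.items())) for e in events)
    return [dict(k, count=n) for k, n in counts.items()]  # first-seen order is preserved

def correlate(events, threshold=3):
    """Log correlation: >= threshold failures from one source across different hosts,
    followed by a successful login from that same source -> suspicious source."""
    by_src = defaultdict(lambda: {"fails": 0, "hosts": set(), "success": False})
    for e in events:  # events are already in time order
        s = by_src[e["src"]]
        if e["outcome"] == "fail":
            s["fails"] += e["count"]
            s["hosts"].add(e["host"])
        elif s["fails"] >= threshold and len(s["hosts"]) > 1:
            s["success"] = True
    return sorted(src for src, s in by_src.items() if s["success"])

def run(lines=RAW_LOGS):
    """Collect -> normalize -> aggregate -> correlate; returns the flagged sources."""
    events = [e for e in map(normalize, lines) if e]
    return correlate(aggregate(events))
```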
1.3 Describe security terms
a. Threat intelligence (TI)
collecting and understanding potential vulnerabilities and threats found within an organization
aggregate, analyze, and correlate potential security threats from across an organization
b. Threat hunting
act of proactively and iteratively looking for threats in your org
requires deep knowledge of network
process:
Hypothesis: what do you think is vulnerable? (based on Threat Intel, Internal Anomaly, Intuition)
Investigation: use tools/methodologies, etc.
Discovery: reveal new patterns, tactics, techniques, and procedures
Tuning: refine and enrich using analytics
Mitigation: threat identified and mitigated
usually done by SOC analysts
aka threat hunters, tier 2/3 analysts, etc.
not incident response or vuln management
c. Malware analysis
detects and blocks malicious exploits
detonates suspicious files (sandboxing)
analyzes file behavior
Cisco Advanced Malware Protection (AMP) for Networks and AMP for Endpoints
d. Threat actor
individuals that perform an attack/are responsible for security incident that impacts an org or individual
e. Run book automation (RBA)
runbook: collection of procedures and operations performed by sys admins, sec pros, and network operators
runbook metrics:
MTTR: Mean time to repair
MTBF: Mean time between failures
Mean time to discover a security incident
mean time to contain/mitigate
automating the provisioning of IT resources
Rundeck is a good job scheduler and runbook automator
f. Reverse engineering
acquiring architectural info about anything originally created by someone else
both a red team and a blue team technique
used to understand malware, reverse cryptographic algorithms, and reverse Digital Rights Management (DRM) solutions
using system monitoring tools, disassembler (binary -> assembly code), debuggers, decompilers (binary to readable file), etc.
g. Sliding window anomaly detection
in order to save on compute, anomaly detection is limited to a given span of time
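A sliding-window anomaly detector as an added example (not from the book or the original notes), tying together the anomaly detection entry above (compare against a historical baseline) and this one (only look at a bounded span of time): event counts are computed per window as it slides over a stream of timestamps, the baseline is learned from the first windows, and later windows that exceed mean + k standard deviations are flagged. The event stream (one event every 10 s, then a burst), the 60 s window and the value k=3 are constructed assumptions.

```python
from collections import deque
from statistics import mean, pstdev

def sliding_window_rates(events, window, step):
    """Count events per window of `window` seconds, sliding forward by `step` seconds.
    events: sorted timestamps in seconds. Only the events inside the current window are
    held in memory (a deque), which is the compute/memory saving of the sliding window."""
    buf, rates, i = deque(), [], 0
    t = events[0] + window
    while t <= events[-1] + step:
        while i < len(events) and events[i] <= t:   # admit events up to the window end
            buf.append(events[i])
            i += 1
        while buf and buf[0] <= t - window:          # evict events that fell out of the window
            buf.popleft()
        rates.append((t, len(buf)))
        t += step
    return rates

def detect_anomalies(rates, warmup, k=3.0):
    """Flag windows whose count exceeds baseline mean + k*stddev, where the baseline
    is learned only from the first `warmup` windows (the historical data trend)."""
    baseline = [c for _, c in rates[:warmup]]
    mu, sigma = mean(baseline), pstdev(baseline)
    threshold = mu + k * max(sigma, 1.0)  # floor on sigma so a perfectly flat baseline is not hair-trigger
    return [(t, c) for t, c in rates[warmup:] if c > threshold]

# Constructed stream: one event every 10 s for 10 minutes, then 50 events in the next minute.
EVENTS = list(range(0, 600, 10)) + [600 + i for i in range(50)]

def demo(window=60, step=60, warmup=10):
    """Returns the anomalous (window_end, count) pairs for the constructed stream."""
    return detect_anomalies(sliding_window_rates(EVENTS, window, step), warmup)
```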
h. Principle of least privilege
people only have the exact permissions they need to do their job, no more no less
i. Zero trust
“requires strict identity verification for every person and device on private network, regardless of whether they are sitting within or outside the network perimeter”
STIX: Structured Threat Information eXpression
Observables describe what has been or might be seen in cyber
Indicators describe patterns for what might be seen and what they mean if they are
Incidents describe instances of specific adversary actions
Adversary Tactics, Techniques, and Procedures describe attack patterns, malware, exploits, kill chains, tools, infrastructure, victim targeting, and other methods used by the adversary
Exploit Targets describe vulnerabilities, weaknesses, or configurations that might be exploited
Courses of Action describe response actions that may be taken in response to an attack or as a preventative measure
Campaigns describe sets of incidents and/or TTPs with a shared intent
Threat Actors describe identification and/or characterization of the adversary
Reports collect related STIX content and give them shared context
TAXII: Trusted Automated eXchange of Indicator Information
defines how to exchange threat information and data i.e. message formats, protocols, requirements
two key concepts:
collection:
set of STIX packages organized by vendor/agency
channel:
a way for an org to access a specific collection (i.e. API, file exchange, etc.)
CybOX: Cyber Observable eXpression
standardized lang for encoding/communicating high-fidelity security info
specification, capture, characterization, and communication of security events
OpenIOC: OpenIndicators of Compromise
An Indicator of Compromise is any piece of information that allows an analyst to determine whether a compromise has happened.
OpenIOC is a way for analysts to communicate their findings effectively
OpenC2: OpenCommand and Control
standardized lang for command and control of technologies that provide/support defenses
conveys the “action” part of cybersecurity process
1.4 Compare security concepts
a. Risk (risk scoring/risk weighting, risk reduction, risk assessment)
Common Vulnerability Scoring System (CVSS) is the primary standard
Base Metric group:
exploitability metrics
attack vector
attack complexity
privileges required
user interaction
impact metrics
confidentiality impact
integrity impact
availability impact
scope
Temporal Metric Group:
exploit code maturity
remediation level
report confidence
Environmental Metric Group:
modified base metrics
confidentiality requirement
integrity requirement
availability requirement
severity rating scale:
none: 0.0
low: 0.1-3.9
medium: 4.0-6.9
high: 7.0-8.9
critical: 9.0-10.0
reduce risk by remediating the vulnerabilities in your env in order of CVSS severity
b. Threat
potential danger to an asset
latent threat: a threat that has not been realized
threat actor: the individual or group that engages in malicious activity
threat agent/vector: the path the threat actor used to leverage threat
countermeasure: a safeguard that mitigates a potential risk
c. Vulnerability
an exploitable weakness in a system or its design
vulnerabilities can be found in protocols, operating systems, applications, hardware, and system designs
example:
sql injection
cross site scripting
buffer overflow
privilege escalation
cryptographic vulns
Common Vulnerabilities and Exposures (CVE)
supported by US-CERT and MITRE
naming convention that makes vulns easy to search for
d. Exploit
software/ sequence of commands that takes advantage of a vuln to cause harm
many classifications, but the two main ones are
remote exploit
launches over network and carries out attack without prior access
Local exploit
requires prior access to vulnerable system
exploit kit
compilation of exploits that are often served from a web server
main purpose is identifying software vulns in client machines and then exploiting those vulns to upload and execute malicious code on the client
1.5 Describe the principles of the defense-in-depth strategy
“Defense in depth is a strategy that leverages multiple security measures to protect an organization’s assets. The thinking is that if one line of defense is compromised, additional layers exist as a backup to ensure that threats are stopped along the way. Defense in depth addresses the security vulnerabilities inherent not only with hardware and software but also with people, as negligence or human error are often the cause of a security breach.”