CBROPS 200-201: Chapter 1 - Cybersecurity Fundamentals

Cisco Cyberops Associate CBROPS 200-201 Official Cert Guide, by Omar Santos, Cisco Press, 2021, pp. 2–80.

1. Cybersecurity vs. Information Security (InfoSec)

1.1. InfoSec

1.1.1. In the past, information security programs and policies were designed to protect the confidentiality, integrity, and availability of data within the confines of an organization.

1.2. Cybersecurity

1.2.1. Is the process of protecting information by preventing, detecting, and responding to attacks. It builds upon traditional InfoSec.

1.2.2. Includes

1.2.2.1. Cyber risk management

1.2.2.2. Threat Intelligence & information sharing

1.2.2.3. Threat Hunting

1.2.2.4. Third-party organization

1.2.2.5. Software, & Hardware Dependency Management

2. What is a vulnerability?

2.1. A vulnerability is a weakness in the system design, implementation, software, or code or the lack of a mechanism.

3. What is an Exploit?

3.1. An exploit refers to a piece of software, a tool, a technique, or a process that takes advantage of a vulnerability that leads to access, privilege escalation, loss of integrity, or denial of service on a computer system.

3.2. Zero-Day Exploit

3.2.1. Sometimes a vulnerability is exploited before anyone even knows it exists; that is known as a zero-day exploit.

4. What is a threat?

4.1. A threat is any potential danger to an asset.

5. Threat Intelligence

5.1. Threat intelligence refers to knowledge about an existing or emerging threat.

5.2. Includes

5.2.1. Context

5.2.2. Mechanisms

5.2.3. Indicators of Compromise (IoCs)

5.2.4. Implications

5.2.5. Actionable Advice

6. White, Black, & Gray Hat Hackers

6.1. White Hat

6.1.1. These individuals perform ethical hacking to help secure companies and organizations. Their belief is that you must examine your network in the same manner as a criminal hacker to better understand its vulnerabilities.

6.2. Black Hat

6.2.1. These individuals perform illegal activities, such as organized crime.

6.3. Gray Hat

6.3.1. These individuals usually follow the law but sometimes venture over to the darker side of black hat hacking. It would be unethical to employ these individuals to perform security duties for your organization because you are never quite clear where they stand.

7. Threat Intelligence Standards (STIX, TAXII, CybOX, OpenIOC, etc.)

7.1. Structured Threat Information eXpression (STIX)

7.1.1. This expression language is designed for sharing cyberattack information. STIX details can contain data such as the IP addresses or domain names of command and control servers (often referred to as C2 or CnC), malware hashes, and so on. STIX was originally developed by MITRE and is now maintained by OASIS. You can obtain more information in the STIX Project Documentation (archived).

7.2. Trusted Automated eXchange of Indicator Information (TAXII)

7.2.1. This open transport mechanism standardizes the automated exchange of cyber threat information. TAXII was originally developed by MITRE and is now maintained by OASIS. You can obtain more information in the TAXII Project Documentation.

7.3. Cyber Observable eXpression (CybOX)

7.3.1. This free standardized schema is used for specification, capture, characterization, and communication of events or stateful properties that are observable in the operational domain. CybOX was originally developed by MITRE and is now maintained by OASIS. You can obtain more information in the CybOX Project Documentation.

7.4. Open Indicators of Compromise (OpenIOC)

7.4.1. This open framework is used for sharing threat intelligence in a machine-digestible format.

7.5. Open Command & Control (OpenC2)

7.5.1. This language is used for the command and control of cyber-defense technologies. OpenC2 Forum was a community of cybersecurity stakeholders that was facilitated by the U.S. National Security Agency. OpenC2 is now an OASIS technical committee (TC) and specification. You can obtain more information at www.oasis-open.org/committees/tc_home.php?wg_abbrev=openc2
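
As an added example (not from the book or this mind map), here is the producer and consumer side of the exchange described in 7.1 and 7.2 in miniature: two STIX 2.1 indicators are authored, wrapped in the bundle a TAXII server would deliver, and on the receiving side the IoCs are pulled out of the indicator patterns and matched against a DNS resolver log. The C2 domain, the hash and the log lines are constructed placeholders, and the pattern parser understands only simple equality comparisons, not full STIX patterning.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed example values only; neither is a real indicator.
C2_DOMAIN = "c2.example.invalid"
MALWARE_SHA256 = "ab" * 32


def _stix_timestamp() -> str:
    # STIX 2.1 timestamps are RFC 3339 UTC with millisecond precision and a 'Z' suffix.
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def make_indicator(name: str, pattern: str) -> dict:
    """Build a minimal STIX 2.1 Indicator object carrying the required properties."""
    ts = _stix_timestamp()
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": ts,
    }


def make_bundle(objects: list) -> str:
    """Wrap objects in a STIX Bundle, the unit a TAXII server hands to its clients."""
    bundle = {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}
    return json.dumps(bundle, indent=2)


# Matches simple comparisons such as [domain-name:value = 'x'] or
# [file:hashes.'SHA-256' = 'y']; real STIX patterns can be far richer than this.
_COMPARISON_RE = re.compile(r"([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'")


def extract_iocs(bundle_json: str) -> dict:
    """Return {object_path: set(values)} from every STIX-pattern indicator in a bundle."""
    iocs: dict = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        for path, value in _COMPARISON_RE.findall(obj["pattern"]):
            iocs.setdefault(path, set()).add(value)
    return iocs


# Constructed DNS resolver log: "<timestamp> <client> query <qname>"
SAMPLE_DNS_LOG = [
    "2024-01-01T10:00:00Z 10.1.1.5 query www.example.com.",
    "2024-01-01T10:00:05Z 10.1.1.7 query c2.example.invalid.",
    "2024-01-01T10:00:09Z 10.1.1.5 query updates.example.org.",
]


def match_dns_log(lines: list, iocs: dict) -> list:
    """Return the log lines whose queried name is one of the shared domain indicators."""
    bad_domains = iocs.get("domain-name:value", set())
    return [line for line in lines if line.split()[-1].rstrip(".") in bad_domains]


def build_sample_bundle() -> str:
    """Author a C2-domain indicator and a malware-hash indicator and bundle them."""
    indicators = [
        make_indicator("Constructed C2 domain", f"[domain-name:value = '{C2_DOMAIN}']"),
        make_indicator("Constructed malware hash",
                       f"[file:hashes.'SHA-256' = '{MALWARE_SHA256}']"),
    ]
    return make_bundle(indicators)


if __name__ == "__main__":
    bundle = build_sample_bundle()
    found = extract_iocs(bundle)
    print(found)
    print(match_dns_log(SAMPLE_DNS_LOG, found))
```

The consumer keys the extracted values by STIX object path, so a SIEM rule can pick the right field (domain indicators against DNS logs, hash indicators against endpoint telemetry) without re-parsing the pattern each time.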

8. Threat Intelligence Platform (TIP)

8.1. Many organizations deploy their own threat intelligence platforms (TIPs) to aggregate, correlate, and analyze threat intelligence information from multiple sources in near real-time.

8.2. Supports

8.2.1. Threat intelligence collection

8.2.2. Data correlation

8.2.3. Enrichment and contextualization

8.2.4. Analysis

8.2.5. Integrations with other security systems

8.2.6. Action

9. SQL Injection

9.1. SQL injection (SQLi) vulnerabilities can be catastrophic because they can allow an attacker to view, insert, delete, or modify records in a database. In an SQL injection attack, the attacker inserts or injects, partial or complete SQL queries via the web application. The attacker injects SQL commands into input fields in an application or a URL to execute predefined SQL commands.

9.2. Out-of-band SQL Injection

9.2.1. With this type of injection, the attacker retrieves data using a different channel. For example, an email, a text, or an instant message could be sent to the attacker with the results of the query. Alternatively, the attacker might be able to send the compromised data to another system.

9.3. In-Band SQL Injection

9.3.1. With this type of injection, the attacker obtains the data by using the same channel that is used to inject the SQL code. This is the most basic form of an SQL injection attack, where the data is dumped directly in a web application (or web page).

9.4. Blind (inferential) SQL injection

9.4.1. With this type of injection, the attacker does not make the application display or transfer any data; rather, the attacker is able to reconstruct the information by sending specific statements and discerning the behavior of the application and database.
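
Added example (not code from the book or this mind map): the in-band case from 9.3 as a vulnerable lookup beside its parameterized fix, run against a constructed in-memory SQLite table. The accounts, the probe string and the log-triage regex are all assumptions for illustration; the fix is the standard one, bind parameters so the database never parses user input as SQL.

```python
import re
import sqlite3


def seed_db() -> sqlite3.Connection:
    """Constructed in-memory table; the accounts are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # VULNERABLE: the input is concatenated into the statement text, so a quote in
    # `username` closes the string literal and the remainder is parsed as SQL. The
    # results come back on the same channel as the request (in-band SQLi).
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # FIXED: a bound parameter travels as data; the database never parses it as SQL.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# The classic tautology probe, the kind of value that shows up in web-server logs.
PROBE = "' OR '1'='1"

# Coarse triage heuristic for request logs: a quote followed by OR, UNION, a comment
# or a statement separator. A weak signal, not a substitute for parameterized queries.
_SQLI_HINT = re.compile(r"'\s*(or|union|--|;)", re.IGNORECASE)


def looks_like_sqli(param: str) -> bool:
    return bool(_SQLI_HINT.search(param))


def compare(username: str) -> tuple:
    """Row counts the vulnerable and the fixed query return for the same input."""
    conn = seed_db()
    return len(lookup_vulnerable(conn, username)), len(lookup_safe(conn, username))


if __name__ == "__main__":
    print("alice:", compare("alice"))   # both queries return the one matching row
    print("probe:", compare(PROBE))     # vulnerable query dumps every row; fixed returns none
```

Note that the heuristic deliberately ignores a plain apostrophe (a surname such as O'Brien), which is why it only fires on quote-plus-operator combinations; legitimate quotes are exactly the inputs the parameterized query handles correctly and the concatenated one breaks on.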

10. Command Injection

10.1. A command injection is an attack in which an attacker tries to execute commands that she is not supposed to be able to execute on a system via a vulnerable application. Command injection attacks are possible when an application does not validate data supplied by the user (for example, data entered in web forms, cookies, HTTP headers, and other elements). The vulnerable system passes that data into a system shell.
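
Added example (not from the book or this mind map) of the validation failure described above and its fix: a hostname from a web form is spliced into a shell command string in the vulnerable version, and in the fixed version it is checked against a hostname allow-list and passed as an argv element so no shell ever tokenizes it. The hostname regex and the metacharacter triage helper are assumptions for illustration.

```python
import re
import subprocess

# Allow-list for a DNS hostname: labels of letters, digits and hyphens joined by dots.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)"
    r"(?:\.(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?))*$"
)

# Shell metacharacters whose presence in a request parameter is worth alerting on.
_SHELL_META = set(";|&$`<>()\n")


def build_command_vulnerable(host: str) -> str:
    # VULNERABLE: the user-supplied value is spliced into one string that the
    # application then hands to /bin/sh (os.system or subprocess with shell=True).
    # Anything after a ';' or '|' in `host` is executed as a second command.
    return f"ping -c 1 {host}"


def is_valid_host(host: str) -> bool:
    return _HOSTNAME_RE.match(host) is not None


def build_command_safe(host: str) -> list:
    # FIXED: validate against the allow-list, then build an argv list. Without a
    # shell in the path, the value can only ever be the single argument to ping.
    if not is_valid_host(host):
        raise ValueError("invalid hostname")
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> int:
    """Run the validated command without a shell and return its exit status."""
    return subprocess.run(build_command_safe(host), capture_output=True,
                          check=False).returncode


def has_shell_metachars(value: str) -> bool:
    """Log/WAF triage signal: does a form field or header carry shell metacharacters?"""
    return any(ch in _SHELL_META for ch in value)


if __name__ == "__main__":
    tainted = "example.com; echo injected"
    print(build_command_vulnerable(tainted))   # the whole string reaches the shell
    print(is_valid_host(tainted), has_shell_metachars(tainted))
    print(build_command_safe("example.com"))
```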

11. Identifying authentication-based vulnerabilities

11.1. Credential brute forcing

11.2. Session hijacking

11.3. Redirecting

11.4. Exploiting default credentials

11.5. Exploiting weak credentials

11.6. Exploiting Kerberos vulnerabilities

12. Cross-Site Scripting

12.1. Reflected XSS

12.1.1. Reflected XSS attacks (nonpersistent XSS) occur when malicious code or scripts are injected by a vulnerable web application using any method that yields a response as part of a valid HTTP request. An example of a reflected XSS attack is a user being persuaded to follow a malicious link to a vulnerable server that injects (reflects) the malicious code back to the user’s browser.

12.2. Stored/Persistent XSS

12.2.1. Stored, or persistent, XSS attacks occur when the malicious code or script is permanently stored on a vulnerable or malicious server, using a database. These attacks are typically carried out on websites hosting blog posts (comment forms), web forums, and other permanent storage methods.

12.3. DOM-based XSS

12.3.1. In a DOM-based XSS attack, the attacker sends a malicious URL to the victim, and after the victim clicks on the link, it may load a malicious website or a site that has a vulnerable DOM route handler. After the vulnerable site is rendered by the browser, the payload executes the attack in the user’s context on that site.

12.4. XSS is typically found

12.4.1. Search fields that echo a search string back to the user

12.4.2. HTTP headers

12.4.3. Input fields that echo user data

12.4.4. Error messages that return user-supplied text

12.4.5. Hidden fields that may include user input

12.4.6. Applications (or websites) that display user-supplied data
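
Added example (not from the book or this mind map) for the reflected case in 12.1 and the "search fields that echo a search string" item above: a search-results fragment rendered without encoding beside the same fragment with context-appropriate output encoding, plus an attribute/URL-context helper, response headers that limit the damage of anything that slips through, and a coarse log-triage check. The page fragments, header values and probe string are constructed assumptions.

```python
import html

PROBE = "<script>alert(1)</script>"   # constructed reflected-XSS test string


def render_search_vulnerable(query: str) -> str:
    # VULNERABLE: the search string is echoed into the HTML body unchanged, so any
    # markup in the request becomes markup in the response (reflected XSS).
    return f"<p>Results for: {query}</p>"


def render_search_safe(query: str) -> str:
    # FIXED: encode for the HTML text context at the point of output, so '<', '>'
    # and quotes reach the browser as character references, never as tags.
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def render_link_safe(label: str, next_url: str) -> str:
    # Attribute/URL context: encode the attribute value and allow-list the URL shape,
    # which refuses javascript:/data: schemes and protocol-relative '//other.site'.
    is_local = next_url.startswith("/") and not next_url.startswith("//")
    if not (is_local or next_url.startswith("https://")):
        next_url = "/"
    return (f'<a href="{html.escape(next_url, quote=True)}">'
            f"{html.escape(label, quote=True)}</a>")


def security_headers() -> dict:
    """Browser-side mitigations that cap the impact of an XSS that gets past encoding."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


def looks_like_xss(param: str) -> bool:
    """Coarse log-triage signal: raw tag or handler syntax in a request parameter."""
    lowered = param.lower()
    return any(s in lowered for s in ("<script", "javascript:", "onerror=", "onload="))


if __name__ == "__main__":
    print(render_search_vulnerable(PROBE))   # script tag survives intact
    print(render_search_safe(PROBE))         # &lt;script&gt;...
    print(render_link_safe("home", "javascript:alert(1)"))
```

Encoding is applied at output time and per context because the same string is harmless as text, dangerous inside an attribute, and dangerous again inside a URL; a single "sanitize on input" pass cannot know which of those the value will end up in.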

13. Cross-Site Request Forgery (CSRF or XSRF)

13.1. Attacks occur when unauthorized commands are transmitted from a user who is trusted by the application. CSRF attacks are different from XSS attacks because they exploit an application's trust in a user’s browser. CSRF vulnerabilities are also referred to as one-click attacks or session riding.
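
Added example (not from the book or this mind map) of the standard defense against the trust-in-the-browser problem described above: a synchronizer token minted per session, checked in constant time on every state-changing request, together with an Origin check and the cookie attributes that keep the session cookie off cross-site submissions. The origin value, session dictionary and the forged-request scenario are constructed assumptions.

```python
import hmac
import secrets

ALLOWED_ORIGIN = "https://app.example"   # constructed; the application's own origin


def issue_csrf_token(session: dict) -> str:
    """Mint a per-session secret that every state-changing form must echo back."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def session_cookie_attributes() -> str:
    # SameSite keeps the session cookie off cross-site POSTs in modern browsers;
    # the token check below still matters for older clients and same-site subdomains.
    return "Secure; HttpOnly; SameSite=Lax"


def is_request_authorized(session: dict, form_token, origin_header) -> bool:
    """
    Synchronizer-token check for a state-changing request. Rejects when the submitted
    token is missing or differs from the session's, or when an Origin header names
    another site. The comparison is constant-time so timing does not leak the token.
    """
    expected = session.get("csrf_token")
    if not expected or not form_token:
        return False
    if not hmac.compare_digest(expected, form_token):
        return False
    if origin_header is not None and origin_header != ALLOWED_ORIGIN:
        return False
    return True


def demo() -> tuple:
    """Legitimate submission versus a forged cross-site one (constructed scenario)."""
    session = {"user": "alice"}
    token = issue_csrf_token(session)
    legitimate = is_request_authorized(session, token, ALLOWED_ORIGIN)
    # A page on another site cannot read the victim's token; the browser will attach
    # the session cookie, but the best the forging page can do is send a guess.
    forged = is_request_authorized(session, secrets.token_urlsafe(32), "https://evil.example")
    return legitimate, forged


if __name__ == "__main__":
    print(demo())   # (True, False)
```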

14. OWASP Top 10

14.1. OWASP lists the top 10 most common vulnerabilities affecting applications at the following address: www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

15. Network Firewalls

15.1. Network-based firewalls provide key features that are used for perimeter security: Network Address Translation (NAT), access control lists, and application inspection.

15.2. The primary task of a network firewall is to deny or permit traffic that attempts to enter or leave the network based on explicit preconfigured policies and rules.

15.3. Techniques

15.3.1. Simple packet-filtering techniques

15.3.2. Application proxies

15.3.3. Network Address Translation

15.3.4. Stateful inspection firewalls

15.3.5. Next-generation context-aware firewalls

16. Access Control Lists (ACLs)

16.1. Are a collection of permit and deny conditions, called rules, that provide security by blocking unauthorized users and allowing authorized users to access specific resources.

16.2. Access Control Entry (ACE)

16.2.1. Each entry of an ACL is referred to as an access control entry (ACE).

16.3. Packet Classification

16.3.1. Layer 2 protocol information such as EtherTypes

16.3.2. Layer 3 protocol information such as ICMP, TCP, or UDP

16.3.3. Layer 3 header information such as source and destination IP addresses

16.3.4. Layer 4 header information such as source and destination TCP or UDP ports

17. Extended ACLs

17.1. The most commonly deployed ACLs.

17.2. Packet Classification

17.2.1. Source and destination IP addresses

17.2.2. Layer 3 protocols

17.2.3. Source and/or destination TCP and UDP ports

17.2.4. Destination ICMP type for ICMP packets
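
Added example (not from the book or this mind map) of how an extended ACL classifies packets on the fields listed in 16.3 and 17.2: each access control entry matches on protocol, source and destination network, destination port and ICMP type; entries are evaluated top-down, the first match wins, and a packet that matches nothing hits the implicit deny at the end. The ACL, addresses and packets are constructed; the entry order is chosen to show why placing a broad permit above a narrow deny would make the deny unreachable.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None      # TCP/UDP destination port
    icmp_type: Optional[int] = None  # ICMP type (0 = echo reply, 8 = echo request)


@dataclass(frozen=True)
class ACE:
    """One access control entry of an extended ACL."""
    action: str             # "permit" or "deny"
    proto: str              # "ip" matches any protocol
    src: str                # CIDR; "0.0.0.0/0" stands for 'any'
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.icmp_type is not None and self.icmp_type != pkt.icmp_type:
            return False
        return True


def evaluate(acl: List[ACE], pkt: Packet) -> str:
    """First matching ACE decides; anything that matches no entry hits the implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


ANY = "0.0.0.0/0"

# Constructed ACL: block SSH from the inside network to the DMZ web server, allow every
# other TCP connection to it, and let echo replies back into the DMZ. Order matters:
# swapping the first two entries would shadow the SSH deny.
SAMPLE_ACL = [
    ACE("deny", "tcp", "10.0.0.0/8", "192.0.2.10/32", dport=22),
    ACE("permit", "tcp", "10.0.0.0/8", "192.0.2.10/32"),
    ACE("permit", "icmp", ANY, "192.0.2.0/24", icmp_type=0),
]


def classify_sample() -> dict:
    """Run a handful of constructed packets through SAMPLE_ACL."""
    packets = {
        "ssh": Packet("tcp", "10.1.1.1", "192.0.2.10", dport=22),
        "https": Packet("tcp", "10.1.1.1", "192.0.2.10", dport=443),
        "dns": Packet("udp", "10.1.1.1", "192.0.2.10", dport=53),
        "ping": Packet("icmp", "198.51.100.9", "192.0.2.10", icmp_type=8),
        "pong": Packet("icmp", "198.51.100.9", "192.0.2.10", icmp_type=0),
        "https-other-net": Packet("tcp", "172.16.0.5", "192.0.2.10", dport=443),
    }
    return {name: evaluate(SAMPLE_ACL, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, verdict in classify_sample().items():
        print(f"{name:16s} {verdict}")
```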

18. Application Proxies

18.1. Application proxies, or proxy servers, are devices that operate as intermediary agents on behalf of clients that are on a private or protected network. Clients on the protected network send connection requests to the application proxy to transfer data to the unprotected network or the Internet.

19. Network Address Translation (NAT)

19.1. Several Layer 3 devices can supply Network Address Translation (NAT) services. The Layer 3 device translates the internal host’s private (or real) IP addresses to a publicly routable (or mapped) address. By using NAT, the firewall hides the internal private addresses from the unprotected network and exposes only its own address or public range.

20. Port Address Translation (PAT)

20.1. Typically, firewalls perform a technique called Port Address Translation (PAT). This feature, a subset of NAT, allows many devices on the internal protected network to share one IP address by inspecting the Layer 4 information in the packet. This shared address is usually the firewall's public address.

21. Static Translation

21.1. A different methodology is used when hosts in the unprotected network need to initiate a new connection to specific hosts behind the NAT device. You configure the firewall to allow such connections by creating a static one-to-one mapping of the public (mapped) IP address to the address of the internal (real) protected device. For example, static NAT can be configured when a web server resides on the internal network and has a private IP address but needs to be contacted by hosts located in the unprotected network or the Internet.
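
Added example (not from the book or this mind map) tying sections 19 to 21 together in one toy translation table: outbound clients share the firewall's public address through PAT and are distinguished by the mapped source port, return traffic is translated back only when a binding exists, unsolicited inbound packets to the shared address are dropped, and a published web server is reached through a static one-to-one mapping. All addresses are documentation-range placeholders and the port-allocation scheme is an assumption.

```python
from itertools import count
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]


class NatFirewall:
    """Toy translation table: PAT for outbound clients plus static one-to-one NAT."""

    def __init__(self, public_ip: str, static_map: Optional[Dict[str, str]] = None):
        self.public_ip = public_ip
        self.static = dict(static_map or {})       # mapped (public) IP -> real (private) IP
        self.pat: Dict[Endpoint, Endpoint] = {}    # (public_ip, public_port) -> (real_ip, real_port)
        self.reverse: Dict[Endpoint, int] = {}     # (real_ip, real_port) -> public_port
        self._ports = count(1024)                  # next free port on the shared address

    def outbound(self, real_ip: str, real_port: int) -> Endpoint:
        """Translate the source of an inside->outside packet and remember the binding."""
        for mapped, real in self.static.items():
            if real == real_ip:                    # static NAT: fixed address, port preserved
                return (mapped, real_port)
        key = (real_ip, real_port)
        if key not in self.reverse:                # PAT: allocate a port on the shared address
            port = next(self._ports)
            self.reverse[key] = port
            self.pat[(self.public_ip, port)] = key
        return (self.public_ip, self.reverse[key])

    def inbound(self, mapped_ip: str, mapped_port: int) -> Optional[Endpoint]:
        """Translate the destination of an outside->inside packet; None means drop."""
        if mapped_ip in self.static:               # published server: always reachable
            return (self.static[mapped_ip], mapped_port)
        return self.pat.get((mapped_ip, mapped_port))   # otherwise only known bindings pass


def demo() -> dict:
    """Constructed scenario: two clients behind PAT and one statically mapped web server."""
    fw = NatFirewall("203.0.113.1", static_map={"203.0.113.2": "192.168.1.10"})
    a = fw.outbound("192.168.1.20", 51000)         # both clients pick the same source port...
    b = fw.outbound("192.168.1.21", 51000)         # ...and still get distinct mapped ports
    return {
        "client_a": a,
        "client_b": b,
        "reply_to_a": fw.inbound(*a),              # return traffic finds its binding
        "unsolicited": fw.inbound("203.0.113.1", 8080),   # no binding -> dropped
        "web_server": fw.inbound("203.0.113.2", 80),      # static mapping -> delivered
        "web_out": fw.outbound("192.168.1.10", 80),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:12s} {v}")
```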

22. Demilitarized Zones (DMZs)

22.1. Firewalls can be configured to separate multiple network segments (or zones), usually called demilitarized zones (DMZs). These zones provide security to the systems that reside within them with different security levels and policies between them.

23. Application-Based segmentation & Micro-segmentation

23.1. Cisco Application Centric Infrastructure (ACI)

23.1.1. Provides micro-segmentation capabilities. Micro-segmentation in Cisco ACI can be accomplished by integrating with vCenter or Microsoft System Center Virtual Machine Manager (SCVMM), the Cisco ACI API (controller), and leaf switches.

23.2. Endpoint Groups (EPGs)

23.2.1. Cisco ACI allows organizations to automatically assign endpoints to logical security zones called endpoint groups (EPGs).

23.3. μSeg EPGs

23.3.1. A micro-segment in ACI. You can apply policies to these segments based on attributes. Applying attributes to μSeg EPGs enables you to apply forwarding and security policies with greater granularity than you can to EPGs without attributes. Attributes are unique within the tenant.

24. Understanding global threat correlation capabilities

24.1. Cisco NGIPS devices include global correlation capabilities that utilize real-world data from Cisco Talos. Cisco Talos is a team of security researchers who leverage big-data analytics for cybersecurity and provide threat intelligence for many Cisco security products and services. Global correlation allows an IPS sensor to filter network traffic using the “reputation” of a packet’s source IP address. The reputation of an IP address is computed by Cisco threat intelligence using the past actions of that IP address. IP reputation has been an effective means of predicting the trustworthiness of current and future behaviors from an IP address.

25. Advanced Malware Protection (AMP)

25.1. Cisco provides advanced malware protection capabilities for endpoint and network security devices.

26. Cisco Web Security Appliance (WSA)

26.1. Cisco's web security portfolio includes the Cisco Web Security Appliance (WSA), Cisco Security Management Appliance (SMA), and Cisco Cloud Web Security (CWS). These solutions enable malware detection and blocking, continuous monitoring, and retrospective alerting.

26.2. Attack Continuum

26.2.1. The life cycle of an attack including before, during, & after.

27. Cisco Email Security Appliance (ESA)

27.1. Users are no longer accessing email only from the corporate network or from a single device. Cisco provides cloud-based, hybrid, and on-premises solutions based on the Email Security Appliance (ESA) that can help protect any dynamic environment.

27.2. Features

27.2.1. Access Control

27.2.2. Anti-Spam

27.2.3. Network Antivirus

27.2.4. Advanced Malware Protection (AMP)

28. Cisco Identity Services Engine (ISE)

28.1. The Cisco Identity Services Engine (ISE) is a comprehensive security identity management solution designed to function as a policy decision point for network access. It allows security administrators to collect real-time contextual information from a network, its users, and devices.

29. Security cloud-based solutions

29.1. Cisco Cloud Email Security (CES)

29.2. Cisco AMP Threat Grid

29.3. Cisco Threat Awareness Service

29.4. Umbrella (formerly OpenDNS)

29.5. Stealthwatch Cloud

29.6. CloudLock

30. Cisco AMP Threatgrid

30.1. Cisco integrated Cisco AMP and Threat Grid to provide a solution for advanced malware analysis with deep threat analytics. The Cisco AMP Threat Grid integrated solution analyzes millions of files and correlates them with hundreds of millions of malware samples. This provides a look into attack campaigns and how malware is distributed.

31. Umbrella (OpenDNS)

31.1. Cisco acquired a company called OpenDNS that provides DNS services, threat intelligence, and threat enforcement at the DNS layer.

31.2. OpenDNS has a global network that delivers advanced security solutions (as a cloud-based service) regardless of where Cisco customer offices or employees are located. This service is extremely easy to deploy and easy to manage.

32. Stealthwatch Cloud

32.1. Stealthwatch Cloud is a Software as a Service cloud solution.

32.2. You can use Stealthwatch Cloud to monitor many different public cloud environments, such as Amazon’s AWS, Google Cloud Platform, and Microsoft Azure.

33. CloudLock

33.1. Cisco acquired a company called CloudLock that creates solutions to protect customers against data breaches in any cloud environment and application (app) through a highly configurable cloud-based data loss prevention (DLP) architecture.

33.2. Policy Actions

33.2.1. File-level encryption

33.2.2. Quarantine

33.2.3. End-user notifications

34. Cisco Netflow

34.1. NetFlow is a Cisco technology that provides comprehensive visibility into all network traffic that traverses a Cisco-supported device.

34.2. Original Usage

34.2.1. NetFlow was initially created for billing and accounting of network traffic and to measure other IP traffic characteristics such as bandwidth utilization and application performance. NetFlow has also been used as a network capacity planning tool and to monitor network availability.

34.3. Security Usage

34.3.1. Used as a network security tool because its reporting capabilities provide nonrepudiation, anomaly detection, and investigative capabilities. As network traffic traverses a NetFlow-enabled device, the device collects traffic flow data and provides a network administrator or security professional with detailed information about such flows.
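
Added example (not from the book or this mind map) of the anomaly-detection and investigative uses described above, run over a constructed NetFlow-style export: one rule flags a source that touched many distinct destination ports on one host, another flags an internal host whose outbound byte volume to external addresses is far above normal, and a top-talkers view supports the investigative side. The CSV field layout, thresholds and the 10.0.0.0/8 internal range are assumptions.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Set, Tuple

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal address space

# Constructed NetFlow-style export, one flow per line:
# src_ip,dst_ip,protocol,src_port,dst_port,bytes,packets
SAMPLE_FLOWS = "\n".join(
    [
        "10.1.1.5,192.0.2.10,6,51000,443,2000,12",
        "10.1.1.5,192.0.2.10,6,51001,443,1800,10",
        "10.1.1.9,203.0.113.77,6,52000,443,950000000,650000",
    ]
    + [f"10.1.1.7,198.51.100.3,6,{40000 + p},{p},120,2" for p in range(1, 26)]
)


def parse_flows(text: str) -> List[dict]:
    """Parse the constructed CSV export into flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, proto, sport, dport, nbytes, pkts = line.split(",")
        flows.append({"src": src, "dst": dst, "proto": int(proto), "sport": int(sport),
                      "dport": int(dport), "bytes": int(nbytes), "packets": int(pkts)})
    return flows


def detect_port_scans(flows: List[dict], min_ports: int = 20) -> Set[Tuple[str, str]]:
    """(src, dst) pairs where one source touched many distinct destination ports."""
    ports: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    for f in flows:
        ports[(f["src"], f["dst"])].add(f["dport"])
    return {pair for pair, seen in ports.items() if len(seen) >= min_ports}


def detect_bulk_egress(flows: List[dict], max_bytes: int = 500_000_000) -> Dict[str, int]:
    """Internal hosts whose outbound bytes to external addresses exceed a threshold."""
    totals: Dict[str, int] = defaultdict(int)
    for f in flows:
        src_internal = ipaddress.ip_address(f["src"]) in INTERNAL
        dst_internal = ipaddress.ip_address(f["dst"]) in INTERNAL
        if src_internal and not dst_internal:
            totals[f["src"]] += f["bytes"]
    return {host: total for host, total in totals.items() if total > max_bytes}


def top_talkers(flows: List[dict], n: int = 3) -> List[Tuple[str, int]]:
    """Investigative view: which sources moved the most bytes in the export."""
    totals: Dict[str, int] = defaultdict(int)
    for f in flows:
        totals[f["src"]] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("port-scan pairs:", detect_port_scans(flows))
    print("bulk egress:", detect_bulk_egress(flows))
    print("top talkers:", top_talkers(flows))
```

Both detections work from flow metadata alone (addresses, ports, byte counts), which is exactly what NetFlow exports; no packet payload is needed, and the records double as the nonrepudiation trail for who talked to whom.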

35. Data Loss Prevention (DLP)

35.1. Data loss prevention is the ability to detect any sensitive emails, documents, or information leaving your organization.

35.2. Integrations

35.2.1. Cisco ESA

35.2.1.1. RSA email DLP for outbound email traffic

35.2.2. Cisco Cloud Email Service & Hybrid Email Security

35.2.2.1. Their own DLP engine

35.2.3. Cisco WSA

35.2.3.1. can redirect outbound traffic to a third-party DLP solution.

36. The Principles of the Defense-in-Depth Strategy

36.1. A layered and cross-boundary "defense-in-depth" strategy is what is needed to protect your network and corporate assets.

36.2. Layers

36.2.1. Nontechnical activities

36.2.1.1. Nontechnical activities such as appropriate security policies and procedures and end-user and staff training.

36.2.2. Physical Security

36.2.2.1. Physical security controls, including cameras, physical access control (such as badge readers, retina scanners, and fingerprint scanners), and locks.

36.2.3. Network Security

36.2.3.1. Network security best practices, such as routing protocol authentication, control plane policing (CoPP), network device hardening, and so on.

36.2.4. Host Security

36.2.4.1. Host security solutions such as advanced malware protection (AMP) for endpoints, antiviruses, and so on.

36.2.5. Application Security

36.2.5.1. Application security best practices such as application robustness testing, fuzzing, defenses against cross-site scripting (XSS), cross-site request forgery (CSRF) attacks, SQL injection attacks, and so on.

36.2.6. Data network traversal

36.2.6.1. You can employ encryption at rest and in transit to protect data.

36.3. Role-based Network Security Approach

36.3.1. When applying defense-in-depth strategies, you can also look at a roles-based network security approach for security assessment in a simple manner. Each device on the network serves a purpose and has a role; subsequently, you should configure each device accordingly.

36.3.2. Planes

36.3.2.1. Management

36.3.2.1.1. This is the distributed and modular network management environment.

36.3.2.2. Control

36.3.2.2.1. This plane includes routing control. It is often a target because the control plane depends on direct CPU cycles.

36.3.2.3. User/Data

36.3.2.3.1. This plane receives, processes, and transmits network data among all network elements.

36.3.2.4. Services

36.3.2.4.1. This is the Layer 7 application flow built on the foundation of the other layers.

36.3.2.5. Policies

36.3.2.5.1. This plane includes the business requirements. Cisco calls policies the "business glue" for the network. Policies and procedures are part of this section, and they apply to all the planes in this list.

37. SDN and the traditional management, control, & data plane

37.1. Software-defined networking

37.1.1. Software-defined networking introduced the notion of a centralized controller. The SDN controller has a global view of the network, and it uses a common management protocol to configure the network infrastructure devices. The SDN controller can also calculate reachability information from many systems in the network and pushes a set of flows inside the switches. The flows are used by the hardware to do the forwarding. Here you can see a clear transition from a distributed “semi-intelligent brain” approach to a “central and intelligent brain” approach.

37.2. Control & Data Plane changes

37.2.1. The big change was in the control and data planes in software-based switches and routers (including virtual switches inside of hypervisors). For instance, the Open vSwitch project started some of these changes across the industry.

37.3. Management Plane changes

37.3.1. These benefits apply to both physical switches and virtual switches. SDN is now widely adopted in data centers. A great example of this is Cisco ACI.

38. Confidentiality, Integrity, & Availability: The CIA Triad

38.1. Confidentiality

38.1.1. The ISO 27000 standard has a very good definition: “confidentiality is the property that information is not made available or disclosed to unauthorized individuals, entities, or processes.”

38.2. Integrity

38.2.1. Integrity is the ability to make sure that a system and its data have not been altered or compromised. It ensures that the data is an accurate and unchanged representation of the original secure data.

38.3. Availability

38.3.1. Availability means that a system or application must be "available" to authorized users at all times. According to the CVSS Version 3 specification, the availability metric "measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability."

39. Risk & Risk Analysis

39.1. Risk

39.1.1. In the world of cybersecurity, risk can be defined as the possibility of a security incident (something bad) happening.

39.2. Federal Financial Institutions Examination Council (FFIEC)

39.2.1. Developed the Cybersecurity Assessment Tool (Assessment) to help financial institutions identify their risks and determine their cybersecurity preparedness.

39.2.2. Inherent Risk Profile and Cybersecurity Maturity

39.2.2.1. The Inherent Risk Profile identifies the institution's inherent risk before implementing controls. Cybersecurity Maturity includes domains, assessment factors, components, and individual declarative statements across five maturity levels to identify specific controls and practices that are in place.

39.2.3. The International Organization for Standardization (ISO) 27001

39.2.3.1. This is the international standard for implementing an information security management system (ISMS). ISO 27001 is heavily focused on risk-based planning to ensure that the identified information risks (including cyber risks) are appropriately managed according to the threats and the nature of those threats.

39.2.4. ISO/IEC 27005 Information technology—Security techniques—Information security risk management

39.2.4.1. Establish the risk management context

39.2.4.2. Quantitatively or qualitatively assess risks

39.2.4.3. Treat risks

39.2.4.4. Keep stakeholders informed

39.2.4.5. Monitor & review risks

39.3. Common Weakness Scoring System (CWSS)

39.3.1. A methodology for scoring software weaknesses. CWSS is part of the Common Weakness Enumeration (CWE) standard.

39.4. Common Misuse Scoring System (CMSS)

39.4.1. A standardized way to measure software feature misuse vulnerabilities. More information about CMSS is available at http://scap.nist.gov/emerging-specs/listing.html#cmss

39.5. Common Configuration Scoring System

39.5.1. More information about CCSS can be found at http://csrc.nist.gov/publications/nistir/ir7502/nistir-7502_CCSS.pdf

40. Defining PHI

40.1. The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare organizations and providers to adopt certain security regulations for protecting health information.

40.2. The Privacy Rule calls this information “protected health information,” or PHI.

40.3. Examples

40.3.1. An individual’s name (that is, patient’s name)

40.3.2. All dates directly linked to an individual, including date of birth, death, discharge, and administration

40.3.3. Telephone and fax numbers

40.3.4. Email addresses

40.3.5. Geographic subdivisions such as street addresses

40.3.6. ZIP codes & County

40.3.7. Medical record numbers and health plan beneficiary number

40.3.8. Certificate numbers or account numbers

40.3.9. Social security number

40.3.10. Driver license number

40.3.11. Biometric identifiers, including voice or fingerprints

40.3.12. Photos of the full face or recognizable features

40.3.13. Any unique number-based code or characteristic

40.3.14. The individual’s past, present, and future physical or mental health or condition

40.3.15. The provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual

41. Defining PII

41.1. According to the Executive Office of the President, Office of Management and Budget (OMB), and the U.S. Department of Commerce, Office of the Chief Information Officer, PII refers to “information which can be used to distinguish or trace an individual’s identity.”

41.2. Examples

41.2.1. An individual's name

41.2.2. Social security number

41.2.3. Biological or personal characteristics

41.2.4. Date & place of birth

41.2.5. Mother's maiden name

41.2.6. Credit card numbers

41.2.7. Bank account numbers

41.2.8. Driver's license

41.2.9. Address information (email, street, telephone numbers)

42. Principle of Least Privilege

42.1. All users—whether they are individual contributors, managers, directors, or executives—should be granted only the level of privilege they need to do their jobs, and no more. Also known as "need to know".

43. Separation of Duties

43.1. Separation of duties is an administrative control dictating that a single individual should not perform all critical- or privileged-level duties. The goal is to safeguard against a single individual performing sufficiently critical or privileged actions that could seriously damage a system or the organization as a whole.

44. Security Operations Centers (SOCs)

44.1. are facilities where an organization’s assets, including applications, databases, servers, networks, desktops, and other endpoints, are monitored, assessed, and protected.

44.2. Addresses these security concerns

44.2.1. How can you detect a compromise in a timely manner?

44.2.2. How do you triage a compromise to determine the severity and the scope?

44.2.3. What is the impact of the compromise to your business?

44.2.4. Who is responsible for detecting and mitigating a compromise?

44.2.5. Who should be informed or involved, and when do you deal with the compromise once detected?

44.2.6. How and when should you communicate a compromise internally or externally, and is that needed in the first place?

44.3. SOCs need these in order to be effective

44.3.1. Executive sponsorship

44.3.2. SOC operating as a program. Organizations should operate the SOC as a program rather than a single project.

44.3.3. A governance structure

44.3.4. Effective team collaboration

44.3.5. Access to data and systems

44.3.6. Applicable processes and procedures

44.3.7. Team skill sets and experience

44.3.8. Budget (for example, will it be handled in-house or outsourced?)

45. Playbooks, Runbooks, & Runbook Automation

45.1. Organizations need to have capabilities to define, build, orchestrate, manage, and monitor the different operational processes and workflows.

45.2. Runbook

45.2.1. A runbook is a collection of procedures and operations performed by system administrators, security professionals, or network operators; runbook automation (RBA) is the automation of those procedures. According to Gartner, "the growth of RBA has coincided with the need for IT operations executives to enhance IT operations efficiency measures."

45.3. Metrics to measure effectiveness

45.3.1. Mean time to repair (MTTR)

45.3.2. Mean time between failures (MTBF)

45.3.3. Mean time to discover a security incident

45.3.4. Mean time to contain or mitigate a security incident

45.3.5. Automation of the provisioning of IT resources

45.4. Example

45.4.1. Rundeck

46. Digital Forensics

46.1. Forensics is the process of using scientific knowledge for collecting, analyzing, and presenting evidence to the courts. (The word forensics means “to bring to the court.”) Forensics deals primarily with the recovery and analysis of latent evidence. Latent evidence can take many forms, from fingerprints left on a window to DNA evidence recovered from blood stains to the files on a hard drive.

46.2. Examples

46.2.1. Computers

46.2.2. Smartphones

46.2.3. Tablets

46.2.4. Network Infrastructure Devices

46.2.5. Network Management Systems

46.2.6. Printers

46.2.7. IoT Devices

47. Chain of custody

47.1. Chain of custody is how you document and preserve evidence from the time you started a cyber forensics investigation to the time the evidence is presented at court or to your executives (in the case of an internal investigation).

48. Definitions

48.1. network firewalls

48.1.1. A firewall that provides key features used for perimeter security. The primary task of a network firewall is to deny or permit traffic that attempts to enter or leave the network based on explicit preconfigured policies and rules. Firewalls are often deployed in several other parts of the network to provide network segmentation within the corporate infrastructure and also in data centers.

48.2. Access Control Lists (ACLs)

48.2.1. Devices that can enable ACLs

48.2.1.1. Firewalls

48.2.1.2. Routers

48.2.1.3. Switches

48.2.1.4. Wireless LAN Controllers (WLCs)

48.2.2. A set of predetermined rules against which stateful and traditional firewalls can analyze packets and judge them.

48.2.3. Judges based on

48.2.3.1. Source Address

48.2.3.2. Destination Address

48.2.3.3. Source Port

48.2.3.4. Destination Port

48.2.3.5. Protocol

48.3. Network Address Translation (NAT)

48.3.1. A method often used by firewalls; however, other devices such as routers and wireless access points provide support for NAT. By using NAT, the firewall hides the internal private addresses from the unprotected network and exposes only its own address or public range. This enables a network professional to use any IP address space as the internal network.

48.4. Data Loss Prevention (DLP)

48.4.1. A software or cloud solution for making sure that corporate users do not send sensitive or critical information outside the corporate network.

48.5. Advanced Malware Protection (AMP)

48.5.1. A Cisco solution for detecting and mitigating malware in the corporate network.

48.6. Intrusion Prevention System (IPS)

48.6.1. A network security appliance or software technology that inspects network traffic to detect and prevent security threats and exploits.

48.7. Netflow

48.7.1. Cisco technology that provides comprehensive visibility into all network traffic that traverses a Cisco-supported device.

48.7.2. NetFlow is used as a network security tool because its reporting capabilities provide nonrepudiation, anomaly detection, and investigative capabilities.

48.7.3. As network traffic traverses a NetFlow-enabled device, the device collects traffic flow data.

48.8. Security Information and Event Manager (SIEM)

48.8.1. A specialized device or software for security event management.

48.8.2. Provides these capabilities

48.8.2.1. Log Collection

48.8.2.2. Normalization

48.8.2.3. Aggregation

48.8.2.4. Correlation

48.8.2.5. Built-in Reporting

48.9. Security Orchestration, Automation, and Response (SOAR)

48.9.1. A system that provides automation and security orchestration capabilities for the security operations center (SOC).

48.10. Common Vulnerabilities & Exposures (CVE)

48.10.1. A dictionary of vulnerabilities and exposures in products and systems maintained by MITRE. A CVE-ID is the industry standard method to identify vulnerabilities.

48.11. Common Vulnerability Scoring System (CVSS)

48.11.1. An industry standard used to convey information about the severity of vulnerabilities.

48.12. Common Weakness Enumeration (CWE)

48.12.1. A specification developed and maintained by MITRE to identify the root cause (weaknesses) of security vulnerabilities. You can obtain the list of CWEs from cwe.mitre.org.

48.13. Common Weakness Scoring System (CWSS)

48.13.1. A specification developed and maintained by MITRE to provide a way to prioritize software weaknesses that can introduce security vulnerabilities. You can obtain the list of CWSS from cwe.mitre.org/cwss.

48.14. Structured Threat Information Expression (STIX)

48.14.1. A standard used to create and share cyber threat intelligence information in a machine-readable format.

48.15. Trusted Automated Exchange of Indicator Information (TAXII)

48.15.1. A standard that provides a transport mechanism (data exchange) of cyber threat intelligence information in STIX format. In other words, TAXII servers can be used to author and exchange STIX documents among participants.

48.16. Cyber Observable eXpression (CybOX)

48.16.1. A standard to document cyber threat intelligence observables in a machine-readable format. The OASIS Cyber Threat Intelligence (CTI) Technical Committee (TC) decided to merge the CybOX and the Structured Threat Information Expression (STIX) specifications into one standard. CybOX objects are now called STIX Cyber Observables. You can find additional information about the migration of CybOX to STIX at https://oasis-open.github.io/cti-documentation/stix/compare.html.

48.17. Indicator of Compromise (IoC)

48.17.1. One aspect of threat intelligence, which is the knowledge about an existing or emerging threat to assets, including networks and systems.

48.18. Script Kiddies

48.18.1. People who use existing “scripts” or tools to hack into computers and networks; however, they lack the expertise to write their own scripts.