HAPPY BOOKSGIVING
Use code BOOKSGIVING during checkout to save 40%-55% on books and eBooks. Shop now.
Register your product to gain access to bonus material or receive a coupon.
This eBook includes the following formats, accessible from your Account page after purchase:
EPUB The open industry format known for its reflowable content and usability on supported mobile devices.
PDF The popular standard, used most often with the free Acrobat® Reader® software.
This eBook requires no passwords or activation to read. We customize your eBook by discreetly watermarking it with your name, making it uniquely yours.
CCNA Cybersecurity Operations Companion Guide is the official supplemental textbook for the Cisco Networking Academy CCNA Cybersecurity Operations course.
The course emphasizes real-world practical application, while providing opportunities for you to gain the skills needed to successfully handle the tasks, duties, and responsibilities of an associate-level security analyst working in a security operations center (SOC).
The Companion Guide is designed as a portable desk reference to use anytime, anywhere to reinforce the material from the course and organize your time.
The book’s features help you focus on important concepts to succeed in this course:
· Chapter Objectives—Review core concepts by answering the focus questions listed at the beginning of each chapter.
· Key Terms—Refer to the lists of networking vocabulary introduced and highlighted in context in each chapter.
· Glossary—Consult the comprehensive Glossary with more than 360 terms.
· Summary of Activities and Labs—Maximize your study time with this complete list of all associated practice exercises at the end of each chapter.
· Check Your Understanding—Evaluate your readiness with the end-of-chapter questions that match the style of questions you see in the online course quizzes. The answer key explains each answer.
How To—Look for this icon to study the steps you need to learn to perform certain tasks.
Interactive Activities—Reinforce your understanding of topics with dozens of exercises from the online course identified throughout the book with this icon.
Packet Tracer Activities—Explore and visualize networking concepts using Packet Tracer. There are exercises interspersed throughout the chapters and provided in the accompanying Lab Manual book.
Videos—Watch the videos embedded within the online course.
Hands-on Labs—Develop critical thinking and complex problem-solving skills by completing the labs and activities included in the course and published in the separate Lab Manual.
Introduction xxiv
Chapter 1 Cybersecurity and the Security Operations Center 1
Objectives 1
Key Terms 1
Introduction (1.0) 2
The Danger (1.1) 2
War Stories (1.1.1) 2
Hijacked People (1.1.1.1) 2
Ransomed Companies (1.1.1.2) 3
Nations (1.1.1.3) 3
Threat Actors (1.1.2) 4
Amateurs (1.1.2.1) 4
Hacktivists (1.1.2.2) 4
Financial Gain (1.1.2.3) 4
Trade Secrets and Global Politics (1.1.2.4) 4
How Secure Is the Internet of Things? (1.1.2.5) 4
Threat Impact (1.1.3) 5
PII and PHI (1.1.3.1) 5
Lost Competitive Advantage (1.1.3.2) 6
Politics and National Security (1.1.3.3) 6
Fighters in the War Against Cybercrime (1.2) 7
The Modern Security Operations Center (1.2.1) 7
Elements of an SOC (1.2.1.1) 7
People in the SOC (1.2.1.2) 8
Process in the SOC (1.2.1.3) 8
Technologies in the SOC (1.2.1.4) 9
Enterprise and Managed Security (1.2.1.5)
Security vs. Availability (1.2.1.6)
Becoming a Defender (1.2.2)
Certifications (1.2.2.1)
Further Education (1.2.2.2)
Sources of Career Information (1.2.2.3)
Getting Experience (1.2.2.4)
Summary (1.3)
Practice
Check Your Understanding
Chapter 2 Windows Operating System
Objectives
Key Terms
Introduction (2.0)
Windows Overview (2.1)
Windows History (2.1.1)
Disk Operating System (2.1.1.1)
Windows Versions (2.1.1.2)
Windows GUI (2.1.1.3)
Operating System Vulnerabilities (2.1.1.4)
Windows Architecture and Operations (2.1.2)
Hardware Abstraction Layer (2.1.2.1)
User Mode and Kernel Mode (2.1.2.2)
Windows File Systems (2.1.2.3)
Windows Boot Process (2.1.2.4)
Windows Startup and Shutdown (2.1.2.5)
Processes, Threads, and Services (2.1.2.6)
Memory Allocation and Handles (2.1.2.7)
The Windows Registry (2.1.2.8)
Windows Administration (2.2)
Windows Configuration and Monitoring (2.2.1)
Run as Administrator (2.2.1.1)
Local Users and Domains (2.2.1.2)
CLI and PowerShell (2.2.1.3)
Windows Management Instrumentation (2.2.1.4)
The net Command (2.2.1.5)
Task Manager and Resource Monitor (2.2.1.6)
Networking (2.2.1.7)
Accessing Network Resources (2.2.1.8)
Windows Server (2.2.1.9)
Windows Security (2.2.2)
The netstat Command (2.2.2.1)
Event Viewer (2.2.2.2)
Windows Update Management (2.2.2.3)
Local Security Policy (2.2.2.4)
Windows Defender (2.2.2.5)
Windows Firewall (2.2.2.6)
Chapter 3 Linux Operating System
Objectives
Key Terms
Introduction (3.0)
Linux Overview (3.1)
Linux Basics (3.1.1)
What is Linux? (3.1.1.1)
The Value of Linux (3.1.1.2)
Linux in the SOC (3.1.1.3)
Linux Tools (3.1.1.4)
Working in the Linux Shell (3.1.2)
The Linux Shell (3.1.2.1)
Basic Commands (3.1.2.2)
File and Directory Commands (3.1.2.3)
Working with Text Files (3.1.2.4)
The Importance of Text Files in Linux (3.1.2.5)
Linux Servers and Clients (3.1.3)
An Introduction to Client-Server Communications (3.1.3.1)
Servers, Services, and Their Ports (3.1.3.2)
Clients (3.1.3.3)
Linux Administration (3.2)
Basic Server Administration (3.2.1)
Service Configuration Files (3.2.1.1)
Hardening Devices (3.2.1.2)
Monitoring Service Logs (3.2.1.3)
The Linux File System (3.2.2)
The File System Types in Linux (3.2.2.1)
Linux Roles and File Permissions (3.2.2.2)
Hard Links and Symbolic Links (3.2.2.3)
Linux Hosts (3.3)
Working with the Linux GUI (3.3.1)
X Window System (3.3.1.1)
The Linux GUI (3.3.1.2)
Working on a Linux Host (3.3.2)
Installing and Running Applications on a
Linux Host (3.3.2.1)
Keeping the System Up to Date (3.3.2.2)
Processes and Forks (3.3.2.3)
Malware on a Linux Host (3.3.2.4)
Rootkit Check (3.3.2.5)
Piping Commands (3.3.2.6)
Summary (3.4)
Practice
Check Your Understanding
Chapter 4 Network Protocols and Services
Objectives
Key Terms
Introduction (4.0)
Network Protocols (4.1)
Network Communications Process (4.1.1)
Views of the Network (4.1.1.1)
Client-Server Communications (4.1.1.2)
A Typical Session: Student (4.1.1.3)
A Typical Session: Gamer (4.1.1.4)
A Typical Session: Surgeon (4.1.1.5)
Tracing the Path (4.1.1.6)
Communications Protocols (4.1.2)
What Are Protocols? (4.1.2.1)
Network Protocol Suites (4.1.2.2)
The TCP/IP Protocol Suite (4.1.2.3)
Format, Size, and Timing (4.1.2.4)
Unicast, Multicast, and Broadcast (4.1.2.5)
Reference Models (4.1.2.6)
Three Addresses (4.1.2.7)
Encapsulation (4.1.2.8)
Scenario: Sending and Receiving a Web Page (4.1.2.9)
Ethernet and Internet Protocol (IP) (4.2)
Ethernet (4.2.1)
The Ethernet Protocol (4.2.1.1)
The Ethernet Frame (4.2.1.2)
MAC Address Format (4.2.1.3)
IPv4 (4.2.2)
IPv4 Encapsulation (4.2.2.1)
IPv4 Characteristics (4.2.2.2)
The IPv4 Packet (4.2.2.4)
IPv4 Addressing Basics (4.2.3)
IPv4 Address Notation (4.2.3.1)
IPv4 Host Address Structure (4.2.3.2)
IPv4 Subnet Mask and Network Address (4.2.3.3)
Subnetting Broadcast Domains (4.2.3.4)
Types of IPv4 Addresses (4.2.4)
IPv4 Address Classes and Default Subnet Masks (4.2.4.1)
Reserved Private Addresses (4.2.4.2)
The Default Gateway (4.2.5)
Host Forwarding Decision (4.2.5.1)
Default Gateway (4.2.5.2)
Using the Default Gateway (4.2.5.3)
IPv6 (4.2.6)
Need for IPv6 (4.2.6.1)
IPv6 Size and Representation (4.2.6.2)
IPv6 Address Formatting (4.2.6.3)
IPv6 Prefix Length (4.2.6.4)
Connectivity Verification (4.3)
ICMP (4.3.1)
ICMPv4 Messages (4.3.1.1)
ICMPv6 RS and RA Messages (4.3.1.2)
Ping and Traceroute Utilities (4.3.2)
Ping: Testing the Local Stack (4.3.2.1)
Ping: Testing Connectivity to the Local LAN (4.3.2.2)
Ping: Testing Connectivity to Remote Host (4.3.2.3)
Traceroute: Testing the Path (4.3.2.4)
ICMP Packet Format (4.3.2.5)
Address Resolution Protocol (4.4)
MAC and IP (4.4.1)
Destination on the Same Network (4.4.1.1)
Destination on a Remote Network (4.4.1.2)
ARP (4.4.2)
Introduction to ARP (4.4.2.1)
ARP Functions (4.4.2.2)
Removing Entries from an ARP Table (4.4.2.6)
ARP Tables on Networking Devices (4.4.2.7)
ARP Issues (4.4.3)
ARP Broadcasts (4.4.3.1)
ARP Spoofing (4.4.3.2)
The Transport Layer (4.5)
Transport Layer Characteristics (4.5.1)
Transport Layer Protocol Role in Network Communication (4.5.1.1)
Transport Layer Mechanisms (4.5.1.2)
TCP Local and Remote Ports (4.5.1.3)
Socket Pairs (4.5.1.4)
TCP vs. UDP (4.5.1.5)
TCP and UDP Headers (4.5.1.6)
Transport Layer Operation (4.5.2)
TCP Port Allocation (4.5.2.1)
A TCP Session Part I: Connection Establishment and Termination (4.5.2.2)
A TCP Session Part II: Data Transfer (4.5.2.6)
A UDP Session (4.5.2.9)
Network Services (4.6)
DHCP (4.6.1)
DHCP Overview (4.6.1.1)
DHCPv4 Message Format (4.6.1.2)
DNS (4.6.2)
DNS Overview (4.6.2.1)
The DNS Domain Hierarchy (4.6.2.2)
The DNS Lookup Process (4.6.2.3)
DNS Message Format (4.6.2.4)
Dynamic DNS (4.6.2.5)
The WHOIS Protocol (4.6.2.6)
NAT (4.6.3)
NAT Overview (4.6.3.1)
NAT-Enabled Routers (4.6.3.2)
Port Address Translation (4.6.3.3)
File Transfer and Sharing Services (4.6.4)
FTP and TFTP (4.6.4.1)
SMB (4.6.4.2)
Email (4.6.5)
Email Overview (4.6.5.1)
SMTP (4.6.5.2)
POP3 (4.6.5.3)
IMAP (4.6.5.4)
HTTP (4.6.6)
HTTP Overview (4.6.6.1)
The HTTP URL (4.6.6.2)
The HTTP Protocol (4.6.6.3)
HTTP Status Codes (4.6.6.4)
Summary (4.7)
Practice
Check Your Understanding
Chapter 5 Network Infrastructure
Objectives
Key Terms
Introduction (5.0)
Network Communication Devices (5.1)
Network Devices (5.1.1)
End Devices (5.1.1.1)
Routers (5.1.1.3)
Router Operation (5.1.1.5)
Routing Information (5.1.1.6)
Hubs, Bridges, LAN Switches (5.1.1.8)
Switching Operation (5.1.1.9)
VLANs (5.1.1.11)
STP (5.1.1.12)
Multilayer Switching (5.1.1.13)
Wireless Communications (5.1.2)
Protocols and Features (5.1.2.2)
Wireless Network Operations (5.1.2.3)
The Client to AP Association Process (5.1.2.4)
Wireless Devices: AP, LWAP, WLC (5.1.2.6)
Network Security Infrastructure (5.2)
Security Devices (5.2.1)
Firewalls (5.2.1.2)
Firewall Type Descriptions (5.2.1.3)
Packet Filtering Firewalls (5.2.1.4)
Stateful Firewalls (5.2.1.5)
Next-Generation Firewalls (5.2.1.6)
Intrusion Protection and Detection Devices (5.2.1.8)
Advantages and Disadvantages of IDS and IPS (5.2.1.9)
Types of IPS (5.2.1.10)
Specialized Security Appliances (5.2.1.11)
Security Services (5.2.2)
Traffic Control with ACLs (5.2.2.2)
ACLs: Important Features (5.2.2.3)
SNMP (5.2.2.5)
NetFlow (5.2.2.6)
Port Mirroring (5.2.2.7)
Syslog Servers (5.2.2.8)
NTP (5.2.2.9)
AAA Servers (5.2.2.10)
VPN (5.2.2.11)
Network Representations (5.3)
Network Topologies (5.3.1)
Overview of Network Components (5.3.1.1)
Physical and Logical Topologies (5.3.1.2)
WAN Topologies (5.3.1.3)
LAN Topologies (5.3.1.4)
The Three-Layer Network Design Model (5.3.1.5)
Common Security Architectures (5.3.1.7)
Summary (5.4)
Practice
Check Your Understanding
Chapter 6 Principles of Network Security
Objectives
Key Terms
Introduction (6.0)
Attackers and Their Tools (6.1)
Who Is Attacking Our Network (6.1.1)
Threat, Vulnerability, and Risk (6.1.1.1)
Hacker vs. Threat Actor (6.1.1.2)
Evolution of Threat Actors (6.1.1.3)
Cybercriminals (6.1.1.4)
Cybersecurity Tasks (6.1.1.5)
Cyber Threat Indicators (6.1.1.6)
Threat Actor Tools (6.1.2)
Introduction of Attack Tools (6.1.2.1)
Evolution of Security Tools (6.1.2.2)
Categories of Attacks (6.1.2.3)
Common Threats and Attacks (6.2)
Malware (6.2.1)
Types of Malware (6.2.1.1)
Viruses (6.2.1.2)
Trojan Horses (6.2.1.3)
Trojan Horse Classification (6.2.1.4)
Worms (6.2.1.5)
Worm Components (6.2.1.6)
Ransomware (6.2.1.7)
Other Malware (6.2.1.8)
Common Malware Behaviors (6.2.1.9)
Common Network Attacks (6.2.2)
Types of Network Attacks (6.2.2.1)
Reconnaissance Attacks (6.2.2.2)
Sample Reconnaissance Attacks (6.2.2.3)
Access Attacks (6.2.2.4)
Types of Access Attacks (6.2.2.5)
Social Engineering Attacks (6.2.2.6)
Phishing Social Engineering Attacks (6.2.2.7)
Strengthening the Weakest Link (6.2.2.8)
Denial-of-Service Attacks (6.2.2.10)
DDoS Attacks (6.2.2.11)
Example DDoS Attack (6.2.2.12)
Buffer Overflow Attack (6.2.2.13)
Evasion Methods (6.2.2.14)
Summary (6.3)
Practice
Check Your Understanding
Chapter 7 Network Attacks: A Deeper Look
Objectives
Key Terms
Introduction (7.0)
Network Monitoring and Tools (7.1)
Introduction to Network Monitoring (7.1.1)
Network Security Topology (7.1.1.1)
Monitoring the Network (7.1.1.2)
Network TAPs (7.1.1.3)
Traffic Mirroring and SPAN (7.1.1.4)
Introduction to Network Monitoring Tools (7.1.2)
Network Security Monitoring Tools (7.1.2.1)
Network Protocol Analyzers (7.1.2.2)
NetFlow (7.1.2.3)
SIEM (7.1.2.4)
SIEM Systems (7.1.2.5)
Attacking the Foundation (7.2)
IP Vulnerabilities and Threats (7.2.1)
IPv4 and IPv6 (7.2.1.1)
The IPv4 Packet Header (7.2.1.2)
The IPv6 Packet Header (7.2.1.3)
IP Vulnerabilities (7.2.1.4)
ICMP Attacks (7.2.1.5)
DoS Attacks (7.2.1.6)
Amplification and Reflection Attacks (7.2.1.7)
DDoS Attacks (7.2.1.8)
Address Spoofing Attacks (7.2.1.9)
TCP and UDP Vulnerabilities (7.2.2)
TCP (7.2.2.1)
TCP Attacks (7.2.2.2)
UDP and UDP Attacks (7.2.2.3)
Attacking What We Do (7.3)
IP Services (7.3.1)
ARP Vulnerabilities (7.3.1.1)
ARP Cache Poisoning (7.3.1.2)
DNS Attacks (7.3.1.3)
DNS Tunneling (7.3.1.4)
DHCP (7.3.1.5)
Enterprise Services (7.3.2)
HTTP and HTTPS (7.3.2.1)
Email (7.3.2.2)
Web-Exposed Databases (7.3.2.3)
Summary (7.4)
Practice
Check Your Understanding
Chapter 8 Protecting the Network
Objectives
Key Terms
Introduction (8.0)
Understanding Defense (8.1)
Defense-in-Depth (8.1.1)
Assets, Vulnerabilities, Threats (8.1.1.1)
Identify Assets (8.1.1.2)
Identify Vulnerabilities (8.1.1.3)
Identify Threats (8.1.1.4)
Security Onion and Security Artichoke Approaches (8.1.1.5)
Security Policies (8.1.2)
Business Policies (8.1.2.1)
Security Policy (8.1.2.2)
BYOD Policies (8.1.2.3)
Regulatory and Standard Compliance (8.1.2.4)
Access Control (8.2)
Access Control Concepts (8.2.1)
Communications Security: CIA (8.2.1.1)
Access Control Models (8.2.1.2)
AAA Usage and Operation (8.2.2)
AAA Operation (8.2.2.1)
AAA Authentication (8.2.2.2)
AAA Accounting Logs (8.2.2.3)
Threat Intelligence (8.3)
Information Sources (8.3.1)
Network Intelligence Communities (8.3.1.1)
Cisco Cybersecurity Reports (8.3.1.2)
Security Blogs and Podcasts (8.3.1.3)
Threat Intelligence Services (8.3.2)
Cisco Talos (8.3.2.1)
FireEye (8.3.2.2)
Automated Indicator Sharing (8.3.2.3)
Common Vulnerabilities and Exposures Database (8.3.2.4)
Threat Intelligence Communication Standards (8.3.2.5)
Summary (8.4)
Practice
Check Your Understanding Questions
Chapter 9 Cryptography and the Public Key Infrastructure
Objectives
Key Terms
Introduction (9.0)
Cryptography (9.1)
What Is Cryptography? (9.1.1)
Securing Communications (9.1.1.1)
Cryptology (9.1.1.2)
Cryptography: Ciphers (9.1.1.3)
Cryptanalysis: Code Breaking (9.1.1.4)
Keys (9.1.1.5)
Integrity and Authenticity (9.1.2)
Cryptographic Hash Functions (9.1.2.1)
Cryptographic Hash Operation (9.1.2.2)
MD5 and SHA (9.1.2.3)
Hash Message Authentication Code (9.1.2.4)
Confidentiality (9.1.3)
Encryption (9.1.3.1)
Symmetric Encryption (9.1.3.2)
Symmetric Encryption Algorithms (9.1.3.3)
Asymmetric Encryption Algorithms (9.1.3.4)
Asymmetric Encryption: Confidentiality (9.1.3.5)
Asymmetric Encryption: Authentication (9.1.3.6)
Asymmetric Encryption: Integrity (9.1.3.7)
Diffie-Hellman (9.1.3.8)
Public Key Infrastructure (9.2)
Public Key Cryptography (9.2.1)
Using Digital Signatures (9.2.1.1)
Digital Signatures for Code Signing (9.2.1.2)
Digital Signatures for Digital Certificates (9.2.1.3)
Authorities and the PKI Trust System (9.2.2)
Public Key Management (9.2.2.1)
The Public Key Infrastructure (9.2.2.2)
The PKI Authorities System (9.2.2.3)
The PKI Trust System (9.2.2.4)
Interoperability of Different PKI Vendors (9.2.2.5)
Certificate Enrollment, Authentication, and Revocation (9.2.2.6)
Applications and Impacts of Cryptography (9.2.3)
PKI Applications (9.2.3.1)
Encrypting Network Transactions (9.2.3.2)
Encryption and Security Monitoring (9.2.3.3)
Summary (9.3)
Practice
Check Your Understanding
Chapter 10 Endpoint Security and Analysis
Objectives
Key Terms
Introduction (10.0)
Endpoint Protection (10.1)
Antimalware Protection (10.1.1)
Endpoint Threats (10.1.1.1)
Endpoint Security (10.1.1.2)
Host-Based Malware Protection (10.1.1.3)
Network-Based Malware Protection (10.1.1.4)
Cisco Advanced Malware Protection (AMP) (10.1.1.5)
Host-Based Intrusion Protection (10.1.2)
Host-Based Firewalls (10.1.2.1)
Host-Based Intrusion Detection (10.1.2.2)
HIDS Operation (10.1.2.3)
HIDS Products (10.1.2.4)
Application Security (10.1.3)
Attack Surface (10.1.3.1)
Application Blacklisting and Whitelisting (10.1.3.2)
System-Based Sandboxing (10.1.3.3)
Endpoint Vulnerability Assessment (10.2)
Network and Server Profiling (10.2.1)
Network Profiling (10.2.1.1)
Server Profiling (10.2.1.2)
Network Anomaly Detection (10.2.1.3)
Network Vulnerability Testing (10.2.1.4)
Common Vulnerability Scoring System (CVSS) (10.2.2)
CVSS Overview (10.2.2.1)
CVSS Metric Groups (10.2.2.2)
CVSS Base Metric Group (10.2.2.3)
The CVSS Process (10.2.2.4)
CVSS Reports (10.2.2.5)
Other Vulnerability Information Sources (10.2.2.6)
Compliance Frameworks (10.2.3)
Compliance Regulations (10.2.3.1)
Overview of Regulatory Standards (10.2.3.2)
Secure Device Management (10.2.4)
Risk Management (10.2.4.1)
Vulnerability Management (10.2.4.3)
Asset Management (10.2.4.4)
Mobile Device Management (10.2.4.5)
Configuration Management (10.2.4.6)
Enterprise Patch Management (10.2.4.7)
Patch Management Techniques (10.2.4.8)
Information Security Management Systems (10.2.5)
Security Management Systems (10.2.5.1)
ISO-27001 (10.2.5.2)
NIST Cybersecurity Framework (10.2.5.3)
Summary (10.3)
Practice
Check Your Understanding
Chapter 11 Security Monitoring
Objectives
Key Terms
Introduction (11.0)
Technologies and Protocols (11.1)
Monitoring Common Protocols (11.1.1)
Syslog and NTP (11.1.1.1)
NTP (11.1.1.2)
DNS (11.1.1.3)
HTTP and HTTPS (11.1.1.4)
Email Protocols (11.1.1.5)
ICMP (11.1.1.6)
Security Technologies (11.1.2)
ACLs (11.1.2.1)
NAT and PAT (11.1.2.2)
Encryption, Encapsulation, and Tunneling (11.1.2.3)
Peer-to-Peer Networking and Tor (11.1.2.4)
Load Balancing (11.1.2.5)
Log Files (11.2)
Types of Security Data (11.2.1)
Alert Data (11.2.1.1)
Session and Transaction Data (11.2.1.2)
Full Packet Captures (11.2.1.3)
Statistical Data (11.2.1.4)
End Device Logs (11.2.2)
Host Logs (11.2.2.1)
Syslog (11.2.2.2)
Server Logs (11.2.2.3)
Apache HTTP Server Access Logs (11.2.2.4)
IIS Access Logs (11.2.2.5)
SIEM and Log Collection (11.2.2.6)
Network Logs (11.2.3)
Tcpdump (11.2.3.1)
NetFlow (11.2.3.2)
Application Visibility and Control (11.2.3.3)
Content Filter Logs (11.2.3.4)
Logging from Cisco Devices (11.2.3.5)
Proxy Logs (11.2.3.6)
NextGen IPS (11.2.3.7)
Summary (11.3)
Practice
Check Your Understanding
Chapter 12 Intrusion Data Analysis
Objectives
Key Terms
Introduction (12.0)
Evaluating Alerts (12.1)
Sources of Alerts (12.1.1)
Security Onion (12.1.1.1)
Detection Tools for Collecting Alert Data (12.1.1.2)
Analysis Tools (12.1.1.3)
Alert Generation (12.1.1.4)
Rules and Alerts (12.1.1.5)
Snort Rule Structure (12.1.1.6)
Overview of Alert Evaluation (12.1.2)
The Need for Alert Evaluation (12.1.2.1)
Evaluating Alerts (12.1.2.2)
Deterministic Analysis and Probabilistic Analysis (12.1.2.3)
Working with Network Security Data (12.2)
A Common Data Platform (12.2.1)
ELSA (12.2.1.1)
Data Reduction (12.2.1.2)
Data Normalization (12.2.1.3)
Data Archiving (12.2.1.4)
Investigating Network Data (12.2.2)
Working in Sguil (12.2.2.1)
Sguil Queries (12.2.2.2)
Pivoting from Sguil (12.2.2.3)
Event Handling in Sguil (12.2.2.4)
Working in ELSA (12.2.2.5)
Queries in ELSA (12.2.2.6)
Investigating Process or API Calls (12.2.2.7)
Investigating File Details (12.2.2.8)
Enhancing the Work of the Cybersecurity Analyst (12.2.3)
Dashboards and Visualizations (12.2.3.1)
Workflow Management (12.2.3.2)
Digital Forensics (12.3)
Evidence Handling and Attack Attribution (12.3.1)
Digital Forensics (12.3.1.1)
The Digital Forensics Process (12.3.1.2)
Types of Evidence (12.3.1.3)
Evidence Collection Order (12.3.1.4)
Chain of Custody (12.3.1.5)
Data Integrity and Preservation (12.3.1.6)
Attack Attribution (12.3.1.7)
Summary (12.4)
Practice
Check Your Understanding
Chapter 13 Incident Response and Handling
Objectives
Key Terms
Introduction (13.0)
Incident Response Models (13.1)
The Cyber Kill Chain (13.1.1)
Steps of the Cyber Kill Chain (13.1.1.1)
Reconnaissance (13.1.1.2)
Weaponization (13.1.1.3)
Delivery (13.1.1.4)
Exploitation (13.1.1.5)
Installation (13.1.1.6)
Command and Control (13.1.1.7)
Actions on Objectives (13.1.1.8)
The Diamond Model of Intrusion (13.1.2)
Diamond Model Overview (13.1.2.1)
Pivoting Across the Diamond Model (13.1.2.2)
The Diamond Model and the Cyber Kill Chain (13.1.2.3)
The VERIS Schema (13.1.3)
What Is the VERIS Schema? (13.1.3.1)
Create a VERIS Record (13.1.3.2)
Top-Level and Second-Level Elements (13.1.3.3)
The VERIS Community Database (13.1.3.4)
Incident Handling (13.2)
CSIRTs (13.2.1)
CSIRT Overview (13.2.1.1)
Types of CSIRTs (13.2.1.2)
CERT (13.2.1.3)
NIST 800-61r2 (13.2.2)
Establishing an Incident Response Capability (13.2.2.1)
Incident Response Stakeholders (13.2.2.2)
NIST Incident Response Life Cycle (13.2.2.3)
Preparation (13.2.2.4)
Detection and Analysis (13.2.2.5)
Containment, Eradication, and Recovery (13.2.2.6)
Post-Incident Activities (13.2.2.7)
Incident Data Collection and Retention (13.2.2.8)
Reporting Requirements and Information Sharing (13.2.2.9)
Summary (13.3)
Practice
Check Your Understanding
Appendix A Answers to the “Check Your Understanding” Questions
Glossary
9781587134395 TOC 5/3/2018