Cisco 200-201 Practice Test - Questions Answers, Page 33

Data encapsulation is a process in networking where the protocol stack of the sending host adds headers (and sometimes trailers) to the data.

Each layer of the OSI or TCP/IP model adds its own header to the data as it passes down the layers, preparing it for transmission over the network.

For example, in the TCP/IP model, data starts at the application layer and is encapsulated at each subsequent layer (Transport, Internet, and Network Access) before being transmitted.

This encapsulation ensures that the data is correctly formatted and routed to its destination, where the headers are stripped off in reverse order by the receiving host.

Networking Fundamentals by Cisco

OSI Model and Data Encapsulation Process

Understanding TCP/IP Encapsulation

A Distributed Denial of Service (DDoS) attack involves multiple compromised devices (botnet) sending a large number of requests to a target server to overwhelm it.

In a specific type of DDoS attack known as an NTP amplification attack, the attacker exploits the Network Time Protocol (NTP) servers by sending small queries with a spoofed source IP address (the target's IP).

The NTP server responds with a much larger reply to the target's IP address, thereby amplifying the traffic directed at the target.

This reflection and amplification technique significantly increases the volume of traffic sent to the target, causing denial of service.

OWASP DDoS Attack Overview

NTP Amplification Attack Explained

Understanding Botnets and Distributed Attacks

Defense-in-depth is a layered security strategy that aims to protect information and resources through multiple security measures.

One of its key principles is the concept of least privilege, which means providing users and systems with the minimum level of access necessary to perform their job functions.

By assigning only the necessary permissions, the attack surface is reduced, and the potential damage from a compromised account or system is minimized.

This principle helps in mitigating the risk of unauthorized access and limits the capabilities of an attacker if they gain access to an account.

Defense-in-Depth Strategy by NIST

Principle of Least Privilege in Cybersecurity

Layered Security Approach Explained

Rule-based detection systems operate using predefined patterns and signatures to identify known threats. These patterns are based on prior knowledge of attack methods and vulnerabilities.

Behavioral detection systems, on the other hand, analyze the normal behavior of a network or system to establish a baseline. They then monitor for deviations from this baseline, which may indicate potential threats.

Rule-based systems are effective at detecting known threats but may struggle with novel or zero-day attacks that do not match existing signatures.

Behavioral systems can detect unknown threats by recognizing abnormal activities, making them useful in identifying zero-day exploits and other sophisticated attacks.

Comparison of Rule-based and Behavioral Detection Methods in IDS

Advantages of Behavioral Analysis in Network Security

Cybersecurity Detection Techniques

The exhibit shows a pcap file capturing multiple TCP SYN packets directed at the same destination IP address.

High volume of SYN packets with very little variance in time: This pattern is indicative of a SYN flood attack, a type of Denial of Service (DoS) attack where numerous SYN requests are sent to overwhelm the target system.

SYN packets acknowledged from several source IP addresses: This can be indicative of a Distributed Denial of Service (DDoS) attack where multiple compromised hosts (botnet) are used to generate traffic.

These characteristics suggest that the network is under a SYN flood or DDoS attack, aiming to exhaust the target's resources and disrupt service availability.

Understanding SYN Flood Attacks

Analysis of DDoS Attack Patterns

Wireshark Analysis Techniques for Intrusion Detection

Indicators of Attack (IoA) refer to observable behaviors or artifacts that suggest a security breach or ongoing attack.

When internal hosts communicate with countries outside the business range, it may indicate data exfiltration or command-and-control communication to an external threat actor.

Unlike Indicators of Compromise (IoC) which indicate that a system has already been compromised, IoAs are often used to identify malicious activity in its early stages.

Monitoring for unusual outbound connections is a crucial aspect of detecting advanced persistent threats (APTs) and other sophisticated attacks.

Difference Between Indicators of Compromise and Indicators of Attack

Cyber Threat Detection Using Indicators of Attack

Network Monitoring for Anomalous Behavior

SQL injection is a type of injection attack where malicious SQL statements are inserted into an entry field for execution.

The primary way to prevent SQL injection is by validating and sanitizing user input. This involves checking the input for malicious content and ensuring it adheres to expected patterns.

Prepared statements (parameterized queries) are also highly effective, as they treat user input as data rather than executable code.

Implementing these practices ensures that any input received from users does not manipulate SQL queries in a harmful way.

OWASP SQL Injection Prevention Cheat Sheet

Best Practices for Input Validation and Sanitization

Secure Coding Guidelines

According to NIST SP800-61, the incident response lifecycle consists of four phases: Preparation, Detection and Analysis, Containment, Eradication and Recovery, and Post-Incident Activity.

When a SOC team member checks the Cisco Firepower Manager dashboard for further isolation actions, they are working within the Eradication and Recovery phase.

This phase focuses on removing the threat from the environment and recovering affected systems to normal operations.

NIST SP800-61 Computer Security Incident Handling Guide

Incident Response Phases Explained

Role of SOC in Incident Response

The weaponization step in the Cyber Kill Chain Model involves the creation or use of a specific weapon (malware, exploit) designed to leverage a vulnerability.

This phase follows the reconnaissance phase where the attacker gathers information and precedes the delivery phase where the weapon is delivered to the target.

Developing specific malware to exploit a vulnerable server is a precise example of weaponization.

Lockheed Martin Cyber Kill Chain Model

Understanding the Weaponization Phase in Cyber Attacks

Steps in the Cyber Kill Chain