Free Practice Questions for Cisco 200-201 Exam

Indicators of Attack (IoA) refer to observable behaviors or artifacts that suggest a security breach or ongoing attack.

When internal hosts communicate with countries outside the business range, it may indicate data exfiltration or command-and-control communication to an external threat actor.

Unlike Indicators of Compromise (IoC) which indicate that a system has already been compromised, IoAs are often used to identify malicious activity in its early stages.

Monitoring for unusual outbound connections is a crucial aspect of detecting advanced persistent threats (APTs) and other sophisticated attacks.

References

Difference Between Indicators of Compromise and Indicators of Attack

Cyber Threat Detection Using Indicators of Attack

Network Monitoring for Anomalous Behavior

The exhibit shows an HTTP GET request with a parameter that includes; /bin/sh -c id.

This indicates a command injection attempt, where the attacker is trying to execute shell commands on the server.

Command injection vulnerabilities allow an attacker to execute arbitrary commands on the host operating system via a vulnerable application.

The use of/bin/shand the-cflag is typical in command injection exploits to run shell commands, such asid, which returns user identity information.

References

OWASP Command Injection

Analyzing HTTP Requests for Injection Attacks

Web Application Security Testing Guidelines

Delivery: This step involves transmitting the weapon to the target.

Weaponization: In this step, the intruder creates a malware weapon like a virus, worm or such in order to exploit the vulnerabilities of the target. Depending on the target and thepurpose of the attacker, this malware can exploit new, undetected vulnerabilities (also known as the zero-day exploits) or it can focus on a combination of different vulnerabilities.

Reconnaissance: In this step, the attacker / intruder chooses their target. Then they conduct an in-depth research on this target to identify its vulnerabilities that can be exploited.

 The virtual address space for a Windows process is the set of virtual memory addresses that can be used by the process. Each process has its own virtual address space that is isolated from other processes. The virtual address space is divided into regions that have different attributes, such as read-only, read-write, execute, and so on. The virtual address space is mapped to the physical memory by the operating system using a data structure called a page table. References:

Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) v1.0, Module 4: Host-Based Analysis, Lesson 4.1: Windows Operating System

Virtual Address Space

A botnet is a network of compromised computers controlled by an attacker. Botnets are often used to carry out Distributed Denial of Service (DDoS) attacks, where the compromised machines are directed to flood a target with traffic, rendering it inaccessible. References: Cisco Cybersecurity Operations Fundamentals, Module 1: Security Concepts, Lesson 1.3: Common Network Application Operations and Attacks, Topic 1.3.4: Denial-of-Service Attacks

Statistical detection involves collecting data over time to define what is considered normal behavior or legitimate data for users or systems. It then uses statistical analysis to identify abnormal behavior that could indicate a security incident. Rule-based detection uses predefined rules or patterns that are based on known threats or vulnerabilities - it operates on an IF/THEN basis where if certain conditions are met then an alert is triggered. References := Cisco Cybersecurity Operations Fundamentals

X.509 certificates are used in conjunction with secure data transfer protocols to ensure the confidentiality and integrity of communication. They are part of a public keyinfrastructure (PKI) that authenticates the identity of entities and encrypts data in transit. References: Implementing X.509 certificates along with secure data transfer protocols like SFTP, HTTPS, FTPS, and IPSec can help secure data sharing with third-party companies