Free Practice Questions for Cisco 200-201 Exam

TCP injection is an attack where the attacker sends crafted packets into an existing TCP session. These packets appear to be part of the session.

The presence of many SYN packets with the same sequence number, source, and destination IP but different payloads indicates that an attacker might be injecting packets into the session.

This method can be used to disrupt communication, inject malicious commands, or manipulate the data being transmitted.

References

Understanding TCP Injection Attacks

Analyzing Packet Captures for Injection Attacks

Network Security Monitoring Techniques

 The discrepancy described suggests that the system had a Host Intrusion Detection System (HIDS) installed. HIDS are designed to monitor and analyze the internals of a computing system for signs of intrusion and policy violations. While they can detect unauthorized activities, they do not take direct action to stop an attack; this is typically the role of an intrusion prevention system. Therefore, the alert was generated, but no mitigation action was taken because the HIDS does not have the capability to intervene.

References := The Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) course material covers the functions and limitations of various security systems, including HIDS, and their role within a Security Operations Center (SOC)1.

The event where a breached workstation is trying to connect to a known malicious domain suggests that the attacker is moving towards their end goals, which typically involves actions on objectives.

In the Cyber Kill Chain framework, "Action on objectives" refers to the steps taken by an attacker to achieve their intended outcomes, such as data exfiltration, destruction, or ransom demands.

This phase involves the attacker executing their final mission within the target environment, leveraging access gained in earlier stages of the attack.

References

Lockheed Martin Cyber Kill Chain

Understanding the Stages of Cyber Attacks

Incident Response and the Cyber Kill Chain

 According to the NIST Computer Security Incident Handling Guide, the next step in handling an event after confirming a potential indicator of compromise on an endpoint is to collect public information on the malware behavior. This step involves searching for information from various sources, such as antivirus vendors, security blogs, threat intelligence feeds, and online forums, to learn more about the characteristics, capabilities, and impact of the malware. This information can help the SOC team to identify the type, severity, andscope of the incident, as well as to determine the appropriate response actions and mitigation strategies. Isolating the infected endpoint, performing forensics analysis, and prioritizing incident handling are subsequent steps that follow after collecting public information on the malware behavior. References:

Computer Security Incident Handling Guide

SP 800-61 Rev. 2, Computer Security Incident Handling Guide

Privileges required is a metric in the Common Vulnerability Scoring System (CVSS) that measures the level of access needed to launch a successful attack. The higher the privileges required, the lower the severity of the vulnerability. The privileges required metric has three possible values: none, low, and high. None means that the attacker does not need any privileges to exploit the vulnerability. Low means that the attacker needs privileges that provide basic user capabilities. High means that the attacker needs privileges that provide significant or administrative control over the target. References: Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) - Cisco, page 2-17; 200-201 CBROPS - Cisco, exam topic 1.3.c

Security operations teams must balance visibility, storage efficiency, and investigative speed when selecting long-term monitoring data sources. NetFlow is specifically designed to meet these requirements by providing summarized metadata about network traffic rather than capturing full packet contents.

NetFlow records information such as source and destination IP addresses, ports, protocols, byte counts, and timestamps. This allows analysts to quickly identify communication patterns, unusual data transfers, and the scope of an incident without storing large volumes of raw packet data. Because NetFlow stores metadata instead of payloads, it consumes significantly less storage space, making it suitable for long-term retention over periods such as 12 months.

SPAN ports and traffic mirroring continuously copy raw network traffic, which generates massive data volumes and requires substantial storage and processing resources. These methods are effective for short-term deep packet analysis but are not practical for long-term retention. Packet capture (.pcap) files provide the most detailed visibility but consume the most storage and are typically used only for targeted, short-duration investigations.

Cybersecurity operations documentation emphasizes NetFlow as a foundational telemetry source for incident scoping, threat hunting, and anomaly detection. It enables rapid identification of compromised hosts, data exfiltration paths, and lateral movement while maintaining storage efficiency.

Therefore, NetFlow is the most appropriate source of information given the stated requirements.

When analyzing Wireshark traffic for potential attacks, an engineer should look for patterns that indicate abnormal behavior, such as:

Excessive Requests: A high number of requests over a short period could suggest an attempt to overwhelm the server, known as an HTTP flood.

Status Codes: Repeated 403 Forbidden responses may indicate that the server is rejecting requests due to a security rule being triggered.

Request Types: A mix of GET and POST requests could be used in various attack scenarios, including bandwidth flooding or cache bypassing.