Endpoint Protection & Detection Flashcards

1
Q

What are the 4 types of rules that can be configured on a Windows firewall?

A

Program rules: Rules that control connections for an application or program.

Port rules: Rules that control connections for specific ports and protocols.

Predefined rules: Rules that apply to specific Windows services and features.

Custom rules: Rules that combine several different parameters, including programs, protocols, ports, and services.
2
Q

True or False: iptables is a firewall implemented in the Linux kernel that typically works at the network layer.

A

True. The iptables command is the user-space front end; the actual filtering is done by the kernel's netfilter hooks, matching on network-layer (IP address) and transport-layer (TCP/UDP port) fields. Current distributions are moving to nftables, usually with an iptables compatibility layer.

3
Q

Which Linux security control should be used alongside a host firewall to provide an additional layer of protection at the application layer and to permit or deny access to a specific service?

A

TCP Wrappers (the libwrap library, configured through /etc/hosts.allow and /etc/hosts.deny) is implemented in Linux user space, works at the application layer, and permits or denies access to a specific service based on the connecting host. It protects only services that are started through inetd/xinetd or that are compiled against libwrap; it is not a packet filter, so it complements iptables rather than replacing it. Several distributions have dropped it (it was removed in RHEL 8, for example), so on current systems the same control usually comes from the service's own access rules or from firewall rules.

4
Q

What is a weakness of this host-based antivirus methodology? Most antivirus software uses signature-based detection: vendors analyze known malware, catalog the characteristics used to recognize it in a signature database, and scan files and memory for those signatures.

A

The obvious shortcoming is that it cannot protect against malware the security industry has not yet seen and written a signature for, often called zero-day attacks. Trivial changes to a known sample (repacking or recompiling it) likewise produce a file with no matching signature.

5
Q

How do heuristics detect malware?

A

Heuristics allow recognition on imprecise signature matches rather than requiring an exact match. Malware often mutates over time into different variants; sometimes the intent of the mutation is simply to evade detection, and other times the mutation results from the author adding new capabilities. Heuristics help antivirus software recognize entire classes or families of malware from the traits the variants share.

6
Q

Which detection technique can help protect against zero-day threats?

A

Behavior-based detection. Instead of matching what a file looks like, it watches what code does at run time (process creation, file and registry changes, network connections, injection into other processes) and convicts on malicious actions, so a never-before-seen sample can still be caught. The trade-off is a higher false-positive rate than exact signature matching.

7
Q

True or False: a HIPS can analyze encrypted traffic after it has been decrypted.

A

True. A HIPS runs on the endpoint itself, so it inspects data after the host's TLS stack has decrypted it (and before outbound data is encrypted), which a network-based IPS without TLS interception cannot do.

8
Q

Which 3 technologies does HIPS use to detect suspicious activity?

A

Signature-based IPS: Intrusive activity is detected by comparing traffic to a set of rules called signatures. When traffic matches a signature, the IPS takes an action, such as dropping packets, logging the event, or sending an alert. Signatures are developed by engineers who research known attacks and vulnerabilities and then develop signatures to detect those attacks and vulnerabilities. An IPS cannot detect a yet-unknown attack for which there is no signature in the database.

Anomaly-based IPS: Intrusive activity is detected by comparing real-time traffic to traffic that is considered "normal." For this type of detection to work, a baseline must first be established to define what normal traffic looks like.

Policy-based IPS: Intrusive activity is detected by comparing real-time traffic to preconfigured policies.

Any combination of the above.
9
Q

How is malware that is not on the allowed list able to execute?

A

By never being launched as a file the allow list can check: the malicious code is executed directly in memory by injecting it into a legitimate process that is already running (and therefore already permitted). Application control governs which executables may start; it does not by itself inspect what code an allowed process later runs.

10
Q

What features does Cisco Collective Security Intelligence Cloud offer for endpoints?

A

Rapid detection of known malware by looking up the file's SHA-256 hash against the cloud's disposition database.

Use of cloud resources to test files with unknown dispositions.

Use of machine learning techniques to constantly keep itself up to date.
11
Q

What does the historical perspective in Cisco Collective Security Intelligence provide?

A

File trajectory: Shows you the hosts where files were seen.

Device trajectory: Shows you the actions that files performed on a given host.
12
Q

How does Cisco AMP for Endpoints block malicious network connections?

A

Security intelligence feeds (IP reputation).

Custom IP block lists.
13
Q

Cisco AMP for Endpoints consists of what elements?

A

Cisco Collective Security Intelligence (CSI) Cloud: Where the various malware detection and analytics engines reside

Client Connectors: Components that run on the endpoints. Client Connectors communicate with the cloud to send information about files and to receive file disposition information.

AMP for Networks: Gives Firepower Next-Generation Firewall (NGFW), Cisco Email Security Appliance (ESA), and Cisco Web Security Appliance (WSA) devices the ability to query the cloud to obtain file disposition information on files.
14
Q

The most critical component of the overall Cisco AMP for Endpoints architecture is the cloud. In general, the cloud is responsible for the following:

A

Detection Publishing
Large-scale data processing (big data)
Real time decision making
Reporting

15
Q

What are the specific attributes that sandboxes typically examine?

A

Antidebugging techniques
Keylogging
Other suspicious activity, such as access to specific registry keys, specific system files, or dynamically linked libraries (DLLs).

16
Q

What are 3 deficiencies of Sandboxing?

A

Inherent efficacy: Running a file in a sandbox is no guarantee that the disposition will show the threat that it poses to your environment.

Evasion tactics: Malware authors deploy several techniques to bypass sandbox analysis. Detection only works if the observed file actually performs malicious operations during its analysis in the sandbox. If no harmful operations are executed during the analysis (for example, the sample sleeps past the analysis window or checks for virtualization artifacts and exits), the sandbox concludes that the file under examination is benign. Malware authors are always looking for new ways to evade sandbox detection by concealing the real behavior of the malware.

Means to an end, not an end itself: Sandboxing is a great tool for addressing malware in an environment, but sandboxing needs to be coupled with other capabilities to provide comprehensive malware protection.
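
As an added example (not from the flashcards or from any Cisco product), the following Python sketch scores a constructed sandbox API-call trace for the attributes listed in cards 15 and 16: anti-debugging checks, keyboard hooking, writes to a Run key, writes under System32, and DLL loads from a temp directory. The API names are Windows APIs a hooking sandbox would log; the traces, rule weights and the conviction threshold are made up for this example. The second trace illustrates card 16's evasion point: a sample that only sleeps and exits produces no findings, so a purely behavioural verdict calls it benign.

```python
import re
from collections import defaultdict

# Constructed sandbox traces (made up for this example, not real malware output).
# Each event is (api_name, argument_string), as a hooking sandbox might log it.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

SAMPLE_TRACE = [
    ("IsDebuggerPresent", ""),
    ("NtQueryInformationProcess", "ProcessDebugPort"),
    ("SetWindowsHookExA", "WH_KEYBOARD_LL"),
    ("RegSetValueExA", RUN_KEY + r"\Updater = C:\Users\Public\upd.exe"),
    ("CreateFileA", r"C:\Windows\System32\drivers\etc\hosts GENERIC_WRITE"),
    ("LoadLibraryA", r"C:\Users\Public\AppData\Local\Temp\x.dll"),
]

# A sample that stalls until the analysis window closes and then exits (card 16).
EVASIVE_TRACE = [
    ("GetTickCount", ""),
    ("Sleep", "600000"),
    ("ExitProcess", "0"),
]

# (category, weight, regex on the API name, regex on the argument string)
RULES = [
    ("anti-debugging", 3, r"IsDebuggerPresent|CheckRemoteDebuggerPresent", r".*"),
    ("anti-debugging", 3, r"NtQueryInformationProcess", r"ProcessDebug(Port|Flags|ObjectHandle)"),
    ("keylogging", 4, r"SetWindowsHookEx[AW]", r"WH_KEYBOARD(_LL)?"),
    ("keylogging", 2, r"GetAsyncKeyState", r".*"),
    ("persistence", 4, r"RegSetValueEx[AW]", re.escape(r"\CurrentVersion\Run")),
    ("system-file tampering", 3, r"(CreateFile|WriteFile)[AW]?", r"(?i)C:\\Windows\\System32\\.*GENERIC_WRITE"),
    ("untrusted DLL load", 2, r"LoadLibrary(Ex)?[AW]", r"(?i)\\Temp\\.*\.dll$"),
]


def analyze(trace):
    """Map each behaviour category to the (weight, api, args) events that triggered it."""
    hits = defaultdict(list)
    for api, args in trace:
        for category, weight, api_re, arg_re in RULES:
            if re.fullmatch(api_re, api) and re.search(arg_re, args):
                hits[category].append((weight, api, args))
    return dict(hits)


def score(trace):
    """Sum the strongest hit per category, so one noisy API does not dominate and
    several distinct behaviours (the usual malware pattern) add up."""
    return sum(max(w for w, _, _ in events) for events in analyze(trace).values())


def verdict(trace, threshold=6):
    """Convict only when enough independent behaviours were observed."""
    return "malicious" if score(trace) >= threshold else "no malicious behaviour observed"


if __name__ == "__main__":
    for name, trace in (("sample", SAMPLE_TRACE), ("evasive", EVASIVE_TRACE)):
        print(name, score(trace), verdict(trace), sorted(analyze(trace)))
```

Scoring per category rather than per event matters: a real keylogger may install its hook dozens of times, but that is still one behaviour; what should raise the score is the combination of independent behaviours (anti-debugging plus persistence plus hooking) that benign software rarely exhibits together.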
17
Q

What is the Cisco product for sandboxing?

A

Cisco Threat Grid

18
Q

Which method is a default-deny security control in which only specified applications can run on an end host, while all other applications are prevented from running?

A

application allowed list

19
Q

An end user’s host becomes infected with a virus because the end user browsed to a malicious website. Which endpoint security technology can be used to best prevent such an incident?

A

endpoint malware protection

20
Q

What does the AMP connector do when a file is moved on an endpoint?

A

It computes the file's SHA-256 hash and queries the cloud for that hash's disposition (clean, malicious or unknown). If the disposition is unknown, the connector can be configured to upload the whole file for sandbox analysis; this process is called dynamic analysis.

21
Q

What is Ethos fuzzy fingerprinting?

A

Fuzzy fingerprinting is the ability to look at pieces of code that might not have been recognized as malicious and examine artifacts in that code. You can roughly equate an artifact with a code snippet, procedure, or subroutine: a piece of code that does something specific, something that Cisco AMP for Endpoints has seen before. Cisco AMP for Endpoints might not have seen the new threat in its entirety, but it knows that the code contains "something bad."
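
To make the idea of shared artifacts concrete, here is an added Python illustration. It is my own sketch, not Cisco's Ethos implementation, whose internals the card does not describe. It cuts a byte string into content-defined chunks, hashes each chunk as an artifact, and measures how many artifacts a new sample shares with a known-bad catalogue. The whole-file hash check fails on the variant because its padding changed, while the artifact overlap stays high. The chunking rule, the minimum chunk size, the 50% threshold and the generated byte strings are all assumptions made up for this example.

```python
import hashlib
import random


def chunks(data: bytes, mask: int = 0x0F, min_size: int = 8):
    """Content-defined chunking: cut after any byte whose low 4 bits are zero
    (about one byte in 16), but never before min_size bytes. Cut points depend on
    the bytes themselves rather than on offsets, so inserting or removing bytes
    only disturbs the chunks around the edit; the rest re-synchronise."""
    start = 0
    for i, b in enumerate(data):
        if i + 1 - start >= min_size and b & mask == 0:
            yield data[start:i + 1]
            start = i + 1
    if start < len(data):
        yield data[start:]


def fingerprint(data: bytes) -> set:
    """The sample's artifacts: SHA-256 of every content-defined chunk."""
    return {hashlib.sha256(c).hexdigest() for c in chunks(data)}


def similarity(a: bytes, b: bytes) -> float:
    """Jaccard overlap of two artifact sets (1.0 means identical artifact sets)."""
    fa, fb = fingerprint(a), fingerprint(b)
    return len(fa & fb) / len(fa | fb)


def shares_known_bad_artifacts(sample: bytes, catalog: set, threshold: float = 0.5) -> bool:
    """Convict when at least `threshold` of the sample's artifacts were seen in known malware."""
    fp = fingerprint(sample)
    if not fp:
        return False
    return len(fp & catalog) / len(fp) >= threshold


def exact_hash_matches(sample: bytes, known: bytes) -> bool:
    """The whole-file SHA-256 comparison a signature database relies on."""
    return hashlib.sha256(sample).digest() == hashlib.sha256(known).digest()


def _pseudo_random_bytes(seed: int, n: int) -> bytes:
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed inputs (stand-ins for code, not real binaries): a 2000-byte body shared
# by a known-bad sample and a variant, wrapped in different padding so offsets shift.
SHARED_BODY = _pseudo_random_bytes(7, 2000)
KNOWN_BAD = _pseudo_random_bytes(11, 40) + SHARED_BODY
VARIANT = _pseudo_random_bytes(13, 57) + SHARED_BODY + _pseudo_random_bytes(17, 30)
UNRELATED = _pseudo_random_bytes(99, 2100)
KNOWN_BAD_ARTIFACTS = fingerprint(KNOWN_BAD)

if __name__ == "__main__":
    print("exact hash match on variant:", exact_hash_matches(VARIANT, KNOWN_BAD))
    print("artifact similarity, variant:", round(similarity(KNOWN_BAD, VARIANT), 2))
    print("artifact similarity, unrelated:", round(similarity(KNOWN_BAD, UNRELATED), 2))
```

Fixed-offset chunking would not work here: the 17 extra padding bytes in the variant would shift every chunk boundary and no artifact would match. Production fuzzy hashes use a rolling hash over a multi-byte window and minimum/maximum chunk sizes for the same reason.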

22
Q

Which AMP technologies use Ethos?

A

Only the endpoint connector (AMP for Endpoints); the network-side AMP integrations do not use Ethos.

23
Q

Which security engine is the zero-day engine?

A

The Spero machine-learning engine. Spero classifies a file from attributes extracted from it rather than from an exact hash match, which is how it can flag previously unseen samples.

24
Q

What is the offline antivirus for AMP for endpoints?

A

TETRA antivirus: a full signature-based engine that runs locally on the endpoint. It requires a large initial definitions download (this card cites figures of roughly 500 MB to 1 GB) from the AMP cloud to the AMP for Endpoints client, followed by periodic maintenance downloads to keep the local antivirus definitions up to date.

25
Q

How does AMP4E Exploit Prevention work?

A

When a protected application launches, AMP for Endpoints reads the memory addresses that the operating system allocated to the application, moves the application's data to new memory locations, and informs the application of the new allocation. Exploit code that depends on the original layout (hard-coded or leaked addresses of functions and gadgets) therefore no longer finds what it expects.

26
Q

An indicator of compromise (IOC) can be either an artifact or a behavior set (using and/or decision trees). Which framework does AMP4E use?

A

OpenIOC
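
As an added example, not taken from the flashcards, from OpenIOC or from AMP, this Python evaluator shows the difference between an artifact indicator and a behaviour set built from and/or decision trees. The indicator terms follow OpenIOC's Item/attribute naming style, but the term names, the host snapshots and the IOC itself are constructed for this example. The second host runs a recompiled variant with a different hash: the artifact branch misses it, the behavioural branch still fires.

```python
import re

# Constructed host snapshots (not from a real incident): what an endpoint agent collected.
HOST_KNOWN = {
    "files": {r"C:\Users\Public\upd.exe": "9f2c" + "0" * 60},   # path -> sha256 (made up)
    "registry": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater": r"C:\Users\Public\upd.exe"},
    "processes": [{"name": "upd.exe", "parent": "winword.exe"}],
    "dns": ["cdn-update.example"],
    "ports": [443],
}
# Same behaviour, but the dropper was recompiled, so its hash and names changed.
HOST_VARIANT = {
    "files": {r"C:\Users\Public\svc.exe": "77ab" + "1" * 60},
    "registry": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Svc": r"C:\Users\Public\svc.exe"},
    "processes": [{"name": "svc.exe", "parent": "winword.exe"}],
    "dns": ["telemetry.example"],
    "ports": [4444],
}
HOST_CLEAN = {
    "files": {r"C:\Program Files\7-Zip\7z.exe": "c3d4" + "2" * 60},
    "registry": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive": "OneDrive.exe"},
    "processes": [{"name": "7z.exe", "parent": "explorer.exe"}],
    "dns": ["update.microsoft.com"],
    "ports": [443],
}

# An IOC in the shape OpenIOC uses: a tree of AND/OR nodes whose leaves are
# (term, condition, value). Left branch is a pure artifact; right branch a behaviour set.
ARTIFACT_LEAF = {"term": "FileItem/Sha256sum", "condition": "is", "value": "9f2c" + "0" * 60}
BEHAVIOUR_SET = {"op": "AND", "children": [
    {"term": "ProcessItem/parentname", "condition": "is", "value": "winword.exe"},
    {"term": "RegistryItem/KeyPath", "condition": "contains", "value": r"\CurrentVersion\Run"},
    {"op": "OR", "children": [
        {"term": "DnsEntryItem/Host", "condition": "matches", "value": r"\.example$"},
        {"term": "PortItem/remotePort", "condition": "is", "value": "4444"},
    ]},
]}
IOC = {"op": "OR", "children": [ARTIFACT_LEAF, BEHAVIOUR_SET]}


def collect(host, term):
    """Return the observed values on `host` for an OpenIOC-style term."""
    table = {
        "FileItem/Sha256sum": list(host["files"].values()),
        "FileItem/FullPath": list(host["files"]),
        "ProcessItem/name": [p["name"] for p in host["processes"]],
        "ProcessItem/parentname": [p["parent"] for p in host["processes"]],
        "RegistryItem/KeyPath": list(host["registry"]),
        "DnsEntryItem/Host": list(host["dns"]),
        "PortItem/remotePort": [str(p) for p in host["ports"]],
    }
    return table.get(term, [])


def leaf_matches(host, leaf):
    """A leaf matches if any observed value satisfies its condition (case-insensitive)."""
    cond, want = leaf["condition"], leaf["value"].lower()
    for have in collect(host, leaf["term"]):
        have = have.lower()
        if cond == "is" and have == want:
            return True
        if cond == "contains" and want in have:
            return True
        if cond == "matches" and re.search(want, have):
            return True
    return False


def evaluate(host, node):
    """Recursively evaluate an AND/OR tree; short-circuits like any decision tree."""
    if "term" in node:
        return leaf_matches(host, node)
    results = (evaluate(host, child) for child in node["children"])
    return all(results) if node["op"] == "AND" else any(results)


def matched_branches(host, ioc):
    """Name the top-level branches that fired, for triage context."""
    names = ("artifact", "behaviour set")
    return [n for n, child in zip(names, ioc["children"]) if evaluate(host, child)]
```

The artifact leaf is cheap and precise but brittle; the behaviour set (Office parent process, Run-key persistence, and either a suspicious domain or a suspicious port) survives a recompile, at the cost of needing several observations before it fires.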

27
Q

What is Device Flow Correlation (DFC)?

A

Device flow correlation (DFC) is a kernel-level view into network connections, initiated by monitored files and processes. DFC allows blocking or alerting on network activity based on IP address and port which traces back to the initiating process.

DFC performs four tasks:

Monitoring of internal and external networks.

Filtering based on IP reputation data, provided by Cisco Talos or custom-defined lists.

URL or domain logging.

Dropper detection and removal in unknown files.
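
An added Python model (not Cisco's implementation) of the correlation step DFC performs: every outbound connection is attributed to the process that opened it, the destination is checked against a reputation feed and custom lists, and the finding names the initiating process so it can be quarantined or investigated. It also covers the two blocking sources from card 12. The addresses come from the RFC 5737 documentation ranges, the feed and lists are constructed, and the precedence used (custom allow list, then custom block list, then feed) is an assumption of this example, not a statement about AMP's policy order.

```python
import ipaddress
from dataclasses import dataclass

# Constructed reputation data. Addresses are from the RFC 5737 documentation ranges.
REPUTATION_FEED = {   # what a Talos-style feed would deliver: network -> category
    ipaddress.ip_network("203.0.113.0/24"): "known C2 infrastructure",
    ipaddress.ip_network("192.0.2.200/29"): "malware distribution",
}
CUSTOM_BLOCK = {ipaddress.ip_network("198.51.100.7/32"): "custom block list: exfil host seen in IR"}
CUSTOM_ALLOW = {ipaddress.ip_network("198.51.100.16/28")}   # internal file servers


@dataclass(frozen=True)
class Connection:
    """One kernel-level connection event, already tied to the process that opened the socket."""
    pid: int
    image: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


CONNECTIONS = [   # constructed events
    Connection(4120, r"C:\Users\Public\upd.exe", "203.0.113.45", 443),
    Connection(812, r"C:\Program Files\Mozilla Firefox\firefox.exe", "192.0.2.10", 443),
    Connection(4120, r"C:\Users\Public\upd.exe", "198.51.100.7", 8080),
    Connection(3001, r"C:\Windows\System32\svchost.exe", "198.51.100.20", 445),
]


def classify(dst_ip: str):
    """Return (verdict, reason). Precedence here: allow list, custom block, feed (an assumption)."""
    addr = ipaddress.ip_address(dst_ip)
    if any(addr in net for net in CUSTOM_ALLOW):
        return "allow", "custom allow list"
    for net, reason in CUSTOM_BLOCK.items():
        if addr in net:
            return "block", reason
    for net, category in REPUTATION_FEED.items():
        if addr in net:
            return "block", f"reputation feed: {category} ({net})"
    return "allow", "no reputation match"


def correlate(connections, mode="block"):
    """Evaluate every connection and return findings that name the initiating process.
    mode="audit" alerts instead of blocking, the conviction-mode choice a policy makes."""
    findings = []
    for c in connections:
        verdict, reason = classify(c.dst_ip)
        if verdict == "block":
            findings.append({
                "pid": c.pid,
                "image": c.image,
                "dst": f"{c.dst_ip}:{c.dst_port}/{c.proto}",
                "reason": reason,
                "action": "blocked" if mode == "block" else "alert only",
            })
    return findings


def suspect_processes(findings):
    """Collapse findings to the processes worth quarantining or inspecting."""
    return sorted({(f["pid"], f["image"]) for f in findings})


if __name__ == "__main__":
    for f in correlate(CONNECTIONS):
        print(f)
    print("suspect processes:", suspect_processes(CONNECTIONS and correlate(CONNECTIONS)))
```

The value of doing this in the kernel, per process, rather than on a perimeter firewall is the last function: a firewall can tell you that a host talked to a bad address, but only the endpoint can say which image did it, which is what turns a blocked packet into a file to quarantine.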
28
Q

By what means is retrospective security provided in AMP for Endpoints?

A

Device Trajectory

29
Q

What are the overall policies for managing AMP4E clients?

A

Modes and engines: Identify the conviction modes of both file and network convictions. Conviction modes specify how the connector responds to suspicious files and network activity. Also specify which AMP detection engine will be used.

Exclusions: Lists of directories, file extensions, or threat names that you do not want the AMP for Endpoints Connector to scan or convict. Exclusions can be used to resolve conflicts with other security products or mitigate performance issues by excluding directories containing large files that are frequently written to, such as databases.

Custom detection lists: Used to specify files you want to detect and/or quarantine.

Application control lists: Similar to custom detection lists, but are used to block certain applications, and not to quarantine files. For example, you would use an application control list to prevent execution of an application that potentially has a vulnerability, until a patch is released to address the vulnerability.

Network allow or block lists: Used with device flow correlation (DFC) to define custom IP address detections.
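
Putting cards 10, 18, 20 and 29 together, here is an added Python model of the decision a connector makes on a file event. It is not Cisco's code: the policy fields, the in-memory stand-in for the cloud lookup, the sample bytes and their hashes are all constructed for this example. It applies the exclusions first, then the custom detection and application control lists, then the cloud disposition, and flags unknown files for dynamic analysis; the conviction mode decides whether an unknown file may run while the sandbox verdict is pending. As card 9 warns, this checks the file being launched; code injected into an already-running allowed process never passes through it.

```python
import fnmatch
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for files written to disk (not real binaries or malware).
CLEAN_FILE = b"MZ\x90\x00 constructed benign installer"
BAD_FILE = b"MZ\x90\x00 constructed known dropper"
UNKNOWN_FILE = b"MZ\x90\x00 constructed never-seen binary"
VULN_APP = b"MZ\x90\x00 constructed app with an unpatched bug"

# Stand-in for the cloud disposition lookup: SHA-256 -> disposition; absent means unknown.
CLOUD_DISPOSITIONS = {sha256_hex(CLEAN_FILE): "clean", sha256_hex(BAD_FILE): "malicious"}


def cloud_lookup(sha: str) -> str:
    return CLOUD_DISPOSITIONS.get(sha, "unknown")


@dataclass
class Policy:
    excluded_dirs: list = field(default_factory=list)      # glob patterns, case-insensitive
    excluded_exts: set = field(default_factory=set)
    custom_detections: set = field(default_factory=set)    # SHA-256s to always quarantine
    app_control_block: set = field(default_factory=set)    # SHA-256s to block from running
    unknown_mode: str = "audit"   # "audit": allow while the sandbox runs; "block": deny until verdict


EXAMPLE_POLICY = Policy(
    excluded_dirs=[r"C:\Program Files\Microsoft SQL Server\*"],   # large, busy database files
    excluded_exts={".mdf", ".ldf"},
    app_control_block={sha256_hex(VULN_APP)},   # block until the vendor ships a patch
)


def is_excluded(path: str, policy: Policy) -> bool:
    p = path.lower()
    return any(fnmatch.fnmatchcase(p, pat.lower()) for pat in policy.excluded_dirs) \
        or any(p.endswith(ext.lower()) for ext in policy.excluded_exts)


def decide(path: str, data: bytes, policy: Policy) -> dict:
    """Return the connector's decision for one file event, in policy order."""
    if is_excluded(path, policy):
        # Excluded paths are never hashed or convicted, which is why exclusions must be narrow.
        return {"path": path, "action": "skip", "reason": "policy exclusion"}
    sha = sha256_hex(data)
    base = {"path": path, "sha256": sha}
    if sha in policy.custom_detections:
        return {**base, "action": "quarantine", "reason": "custom detection list"}
    if sha in policy.app_control_block:
        return {**base, "action": "block-execution", "reason": "application control list"}
    disposition = cloud_lookup(sha)
    if disposition == "malicious":
        return {**base, "action": "quarantine", "reason": "cloud disposition: malicious"}
    if disposition == "clean":
        return {**base, "action": "allow", "reason": "cloud disposition: clean"}
    # Unknown: nobody has a verdict yet, so submit the whole file for dynamic analysis.
    action = "allow" if policy.unknown_mode == "audit" else "block-execution"
    return {**base, "action": action, "reason": "cloud disposition: unknown",
            "submit_for_dynamic_analysis": True}


if __name__ == "__main__":
    for name, data in (("clean", CLEAN_FILE), ("bad", BAD_FILE), ("unknown", UNKNOWN_FILE)):
        print(name, decide(r"C:\Users\alice\Downloads\setup.exe", data, EXAMPLE_POLICY)["action"])
```

The exclusion test is deliberately first and deliberately blunt: a known-malicious file dropped inside the SQL Server directory is never hashed, which is the performance-versus-coverage trade the exclusions list in the policy is making.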
30
Q

When should the AMP for Endpoints TETRA engine be enabled?

A

only if there are no other antivirus products on the endpoint, because enabling TETRA alongside another antivirus solution could cause serious degradation in the performance of the endpoint

31
Q

To provide file and device trajectory features, what is used by the AMP console to track AMP clients?

A

The AMP connector's client ID (a GUID unique to each connector installation), which the console uses to tie file and device trajectory events to a specific endpoint.