*** Most important. Based on blueprint Flashcards
CAPWAP
Encapsulates data between the LWAP and the WLC. Routable. Wireless IPS. And more.
ARP
Operates between L2 and L3.
ARP Ethertype
0x0806
DNS Resolver
local client
DNS Recursor
Internal DNS
Bridges vs. Switches
Bridges use SW bridging logic. Switches use HW bridging logic.
Cisco AMP
Advanced Malware Protection. Applies before, during, and after attack continuum. Examines SHA hash. Cloud tests files. Machine learning. Trajectory. Intel feeds.
Cisco WSA
Web Security Appliance. URL filtering. Websense-type features.
Cisco CWS
Cloud Web Security. Basically, Websense in the cloud. Request goes from ASA to CWS where decision is made.
Cisco ESA
Email Security Appliance. Incoming reputation filter, outgoing DLP
Cisco CES
ESA in the cloud
Cisco Firepower
NGFW with VPN, IPS, AMP, DNS inspection, application visibility and control, reputation-based filtering, URL filtering, SSL decryption, and so on
Netflow
Collects/monitors network traffic flow data.
Audit trail.
Unidirectional series of packets between a source and a destination.
What does Netflow data contain?
Metadata: 5-tuple, interfaces, duration of communication, transmission rate, amount of data
Netflow vs. IPS
Netflow looks at headers. IPS does deep packet analysis.
Netflow is information about comms. IPS can drop packets.
Runbook automation
Automated reactions. Can minimize the time between discovery and remediation.
Runbook parts
Tools, Workflows, Processes
Sliding Window
Relates to anomaly detection. Needs to be long enough to define normal traffic.
Non-discretionary access control
Role-based access control. Job function related.
Network vs. Host AV
Network AV takes action on files that are traversing the network.
Host AV is run by endpoints.
Agent vs. Agentless
Netflow is agentless
SIEM Capabilities
Monitoring, IR, anomaly detection, real-time rule-based alerts, correlation, logging and reporting, reports
New Syslog name
rsyslog (old was syslogd)
Syslog config file location
/etc/syslog.conf
27002:2013
Provides guidelines for organizational information security standards and information security management practices.
Vulnerability management
Identifying, classifying, remediating, and mitigating vulnerabilities in software, firmware, and hardware.
Configuration management
Process for establishing and maintaining consistency of a product’s performance, functional requirements, and design throughout the product’s life cycle.
Digital signature creation
Hash the document
Encrypt the hash with the private key of the signer
The encrypted hash is appended to the document
Digital signature verification
Recipient checks the public key of the signer
Recipient decrypts the signature using the public key, leaving the hash
Recipient rehashes the document. A hash match means it’s authentic.
CSR contains
System name, organization, location, enrolling system’s public key info.
TACACS+ Hashing algorithm
MD5
MD5 vs. SHA-1
128-bit vs. 160-bit digest.
NIST recommends avoiding both
ECDHE_ECDSA
Authentication and Key Exchange
DSA
Asymmetric. Digital Signature Algorithm.
Creates digital signatures (hashing).
PRF
Pseudorandom Function
Cipher Suite Contains…
Authentication, key exchange, encryption algorithm, MAC (SHA), PRF
TLS 1.2
Defines mandatory cipher suites (RSA, AES, SHA)
TLS 1.2 Mandatory Cipher Suites
RSA, AES, SHA
PKCS
Public Key Cryptography Standards. Numbered standards for RSA, DH, PKI syntax, and more.
Windows Process
Instance of an executing program
Windows thread
Basic unit that OS allocates processing time to. Can execute any part of the process code.
Windows object handle
Accesses resources (files, etc.) on behalf of a process.
Processes can’t access resources directly; they must use handles.
Windows Memory allocated to which modes
Kernel mode and User mode
Transaction data
Log files for various services (HTTP, SMTP, Linux, etc.)
Includes client actions and the system’s own actions.
Session data
Metadata similar to NetFlow or a phone bill. 5-tuple info, time stamps, etc.
Summary of communication between 2 parties.
Extracted content
Mined from network traffic
Facility
Application or process that submits the log message.
RFC 1918
Internal private addresses
NSA Suite B
RFC 6739. Crypto algorithms devices must support to meet federal standards: AES 128-256 (CTR/GCM), ECDSA, ECDH, SHA-256/384
Linux ps command
Get information about processes
ps -f
Full output
ps -e
Everyone (all users)
ps -ef
Full output for everyone
ps aux
BSD-style equivalent of ps -ef
ps -fC sshd
-C filters by process (command) name
Alert data
Generally produced by IPS/IDS
packets, bytes, and bandwidth =
NetFlow
Process# for forked process
0
AV vs. Anti-Malware
AV: signature/heuristics/behavior based. Low efficacy.
AM: Anomaly, Big data, continuous analysis, advanced analytics
App visibility and control
Differentiating between parts of services (allow IM but not file transfer; allow Facebook but not Facebook games).
NextGen FW Connection Event
Blocked connections based on rules.
Time, hosts, protocols, amount of data
IPS/Intrusion Event
Based on IPS rule that triggers event.
Packet-level info: time, 5-tuple, country, triggering rule
NGFW Host event
Host profile
IOCs
Category
Event type
Network discovery events
Triggered by changes on the network
Netflow event
Used to detect data loss using Cisco Stealthwatch.
Flows denied by access rule
NTP attacks
Amplification. Falsify time advertisement to throw off logs.
Possible to authenticate the time source (NTP server).
Web proxy log
Precise logging of browsing sessions and can help investigate web based attacks.
Attack surface vs. Vulnerability
Surface is “total sum of all the vulnerabilities”
A vulnerability is a defect in SW or HW.
Attack surfaces
Software, physical, network, human
SQL Injection
Can read and modify data, execute admin operations, and sometimes issue OS commands.
Input validation.
Command injection attacks (2)
SQL injection. XSS
Input validation and IPS
XSS
Injection of malicious scripts that run on client.
Caused by weakness in client scripting languages
XSS Countermeasures
Input validation, DNS block, web proxy, IPS, Education
IPS Evasion methods
Traffic fragmentation
Traffic substitution/insertion (Unicode characters)
Encryption/Tunneling
Traffic fragmentation
IP fragmentation: fragment all IP traffic if the IPS doesn’t do fragment reassembly. Also TCP fragmentation.
TCP fragmentation
Fragment a TCP stream to overwrite/overlap a previous TCP segment with new data. Hides the attack.
Traffic substitution
Substitute payload with other data that has the same meaning.
Unicode, case sensitivity change, substitute spaces with tabs.
Evasion: Tunneling
Hide traffic inside a permitted protocol like DNS or HTTP.
Or combine encryption and tunneling: HTTPS.
Protocol-level misinterpretation
Change aspects of packets to confuse the IPS sensor.
Examples: TCP checksum, big/little endian.
Hard links
Directories (not really links)
Malware (3)
Virus, Worm, Trojan
Remote vs. Local Exploit
Remote exploit works over the network without prior access.
Local exploit requires prior access (an account on the system). Leads to privilege escalation. (Does NOT require physical access.) Social engineering.
AES CTR
Part of NSA Suite B, though GCM is more common.
Both are counter modes.