book

CCNA Cybersecurity Operations Companion Guide, First Edition

Name: CCNA Cybersecurity Operations Companion Guide, First Edition
Author: Cisco Networking Academy
ISBN: 9780135166253

by Cisco Networking Academy

June 2018

Intermediate to advanced

720 pages

21h 15m

English

Cisco Press

Read now

Unlock full access

Cover Page
Title Page
Copyright Page
About the Contributing Author
Contents at a Glance
Contents
Command Syntax Conventions
Introduction
Chapter 1 Cybersecurity and the Security Operations Center
ObjectivesKey TermsIntroduction (1.0)The Danger (1.1)War Stories (1.1.1)Hijacked People (1.1.1.1)Ransomed Companies (1.1.1.2)Nations (1.1.1.3)Threat Actors (1.1.2)Amateurs (1.1.2.1)Hacktivists (1.1.2.2)Financial Gain (1.1.2.3)Trade Secrets and Global Politics (1.1.2.4)How Secure Is the Internet of Things? (1.1.2.5)Threat Impact (1.1.3)PII and PHI (1.1.3.1)Lost Competitive Advantage (1.1.3.2)Politics and National Security (1.1.3.3)Fighters in the War Against Cybercrime (1.2)The Modern Security Operations Center (1.2.1)Elements of an SOC (1.2.1.1)People in the SOC (1.2.1.2)Process in the SOC (1.2.1.3)Technologies in the SOC (1.2.1.4)Enterprise and Managed Security (1.2.1.5)Security vs. Availability (1.2.1.6)Becoming a Defender (1.2.2)Certifications (1.2.2.1)Further Education (1.2.2.2)Sources of Career Information (1.2.2.3)Getting Experience (1.2.2.4)Summary (1.3)PracticeCheck Your Understanding
Chapter 2 Windows Operating System
ObjectivesKey TermsIntroduction (2.0)Windows Overview (2.1)Windows History (2.1.1)Disk Operating System (2.1.1.1)Windows Versions (2.1.1.2)Windows GUI (2.1.1.3)Operating System Vulnerabilities (2.1.1.4)Windows Architecture and Operations (2.1.2)Hardware Abstraction Layer (2.1.2.1)User Mode and Kernel Mode (2.1.2.2)Windows File Systems (2.1.2.3)Windows Boot Process (2.1.2.4)Windows Startup and Shutdown (2.1.2.5)Processes, Threads, and Services (2.1.2.6)Memory Allocation and Handles (2.1.2.7)The Windows Registry (2.1.2.8)Windows Administration (2.2)Windows Configuration and Monitoring (2.2.1)Run as Administrator (2.2.1.1)Local Users and Domains (2.2.1.2)CLI and PowerShell (2.2.1.3)Windows Management Instrumentation (2.2.1.4)The net Command (2.2.1.5)Task Manager and Resource Monitor (2.2.1.6)Networking (2.2.1.7)Accessing Network Resources (2.2.1.8)Windows Server (2.2.1.9)Windows Security (2.2.2)The netstat Command (2.2.2.1)Event Viewer (2.2.2.2)Windows Update Management (2.2.2.3)Local Security Policy (2.2.2.4)Windows Defender (2.2.2.5)Windows Firewall (2.2.2.6)Summary (2.3)PracticeCheck Your Understanding

Chapter 3 Linux Operating System
ObjectivesKey TermsIntroduction (3.0)Linux Overview (3.1)Linux Basics (3.1.1)What is Linux? (3.1.1.1)The Value of Linux (3.1.1.2)Linux in the SOC (3.1.1.3)Linux Tools (3.1.1.4)Working in the Linux Shell (3.1.2)The Linux Shell (3.1.2.1)Basic Commands (3.1.2.2)File and Directory Commands (3.1.2.3)Working with Text Files (3.1.2.4)The Importance of Text Files in Linux (3.1.2.5)Linux Servers and Clients (3.1.3)An Introduction to Client-Server Communications (3.1.3.1)Servers, Services, and Their Ports (3.1.3.2)Clients (3.1.3.3)Linux Administration (3.2)Basic Server Administration (3.2.1)Service Configuration Files (3.2.1.1)Hardening Devices (3.2.1.2)Monitoring Service Logs (3.2.1.3)The Linux File System (3.2.2)The File System Types in Linux (3.2.2.1)Linux Roles and File Permissions (3.2.2.2)Hard Links and Symbolic Links (3.2.2.3)Linux Hosts (3.3)Working with the Linux GUI (3.3.1)X Window System (3.3.1.1)The Linux GUI (3.3.1.2)Working on a Linux Host (3.3.2)Installing and Running Applications on a Linux Host (3.3.2.1)Keeping the System Up to Date (3.3.2.2)Processes and Forks (3.3.2.3)Malware on a Linux Host (3.3.2.4)Rootkit Check (3.3.2.5)Piping Commands (3.3.2.6)Summary (3.4)PracticeCheck Your Understanding
Chapter 4 Network Protocols and Services
ObjectivesKey TermsIntroduction (4.0)Network Protocols (4.1)Network Communications Process (4.1.1)Views of the Network (4.1.1.1)Client-Server Communications (4.1.1.2)A Typical Session: Student (4.1.1.3)A Typical Session: Gamer (4.1.1.4)A Typical Session: Surgeon (4.1.1.5)Tracing the Path (4.1.1.6)Communications Protocols (4.1.2)What Are Protocols? (4.1.2.1)Network Protocol Suites (4.1.2.2)The TCP/IP Protocol Suite (4.1.2.3)Format, Size, and Timing (4.1.2.4)Unicast, Multicast, and Broadcast (4.1.2.5)Reference Models (4.1.2.6)Three Addresses (4.1.2.7)Encapsulation (4.1.2.8)Scenario: Sending and Receiving a Web Page (4.1.2.9)Ethernet and Internet Protocol (IP) (4.2)Ethernet (4.2.1)The Ethernet Protocol (4.2.1.1)The Ethernet Frame (4.2.1.2)MAC Address Format (4.2.1.3)IPv4 (4.2.2)IPv4 Encapsulation (4.2.2.1)IPv4 Characteristics (4.2.2.2)The IPv4 Packet (4.2.2.4)IPv4 Addressing Basics (4.2.3)IPv4 Address Notation (4.2.3.1)IPv4 Host Address Structure (4.2.3.2)IPv4 Subnet Mask and Network Address (4.2.3.3)Subnetting Broadcast Domains (4.2.3.4)Types of IPv4 Addresses (4.2.4)IPv4 Address Classes and Default Subnet Masks (4.2.4.1)Reserved Private Addresses (4.2.4.2)The Default Gateway (4.2.5)Host Forwarding Decision (4.2.5.1)Default Gateway (4.2.5.2)Using the Default Gateway (4.2.5.3)IPv6 (4.2.6)Need for IPv6 (4.2.6.1)IPv6 Size and Representation (4.2.6.2)IPv6 Address Formatting (4.2.6.3)IPv6 Prefix Length (4.2.6.4)Connectivity Verification (4.3)ICMP (4.3.1)ICMPv4 Messages (4.3.1.1)ICMPv6 RS and RA Messages (4.3.1.2)Ping and Traceroute Utilities (4.3.2)Ping: Testing the Local Stack (4.3.2.1)Ping: Testing Connectivity to the Local LAN (4.3.2.2)Ping: Testing Connectivity to Remote Host (4.3.2.3)Traceroute: Testing the Path (4.3.2.4)ICMP Packet Format (4.3.2.5)Address Resolution Protocol (4.4)MAC and IP (4.4.1)Destination on the Same Network (4.4.1.1)Destination on a Remote Network (4.4.1.2)ARP (4.4.2)Introduction to ARP (4.4.2.1)ARP Functions (4.4.2.2)Removing Entries from an ARP Table (4.4.2.6)ARP Tables on Networking Devices (4.4.2.7)ARP Issues (4.4.3)ARP Broadcasts (4.4.3.1)ARP Spoofing (4.4.3.2)The Transport Layer (4.5)Transport Layer Characteristics (4.5.1)Transport Layer Protocol Role in Network Communication (4.5.1.1)Transport Layer Mechanisms (4.5.1.2)TCP Local and Remote Ports (4.5.1.3)Socket Pairs (4.5.1.4)TCP vs. UDP (4.5.1.5)TCP and UDP Headers (4.5.1.6)Transport Layer Operation (4.5.2)TCP Port Allocation (4.5.2.1)A TCP Session Part I: Connection Establishment and Termination (4.5.2.2)A TCP Session Part II: Data Transfer (4.5.2.6)A UDP Session (4.5.2.9)Network Services (4.6)DHCP (4.6.1)DHCP Overview (4.6.1.1)DHCPv4 Message Format (4.6.1.2)DNS (4.6.2)DNS Overview (4.6.2.1)The DNS Domain Hierarchy (4.6.2.2)The DNS Lookup Process (4.6.2.3)DNS Message Format (4.6.2.4)Dynamic DNS (4.6.2.5)The WHOIS Protocol (4.6.2.6)NAT (4.6.3)NAT Overview (4.6.3.1)NAT-Enabled Routers (4.6.3.2)Port Address Translation (4.6.3.3)File Transfer and Sharing Services (4.6.4)FTP and TFTP (4.6.4.1)SMB (4.6.4.2)Email (4.6.5)Email Overview (4.6.5.1)SMTP (4.6.5.2)POP3 (4.6.5.3)IMAP (4.6.5.4)HTTP (4.6.6)HTTP Overview (4.6.6.1)The HTTP URL (4.6.6.2)The HTTP Protocol (4.6.6.3)HTTP Status Codes (4.6.6.4)Summary (4.7)PracticeCheck Your Understanding
Chapter 5 Network Infrastructure
ObjectivesKey TermsIntroduction (5.0)Network Communication Devices (5.1)Network Devices (5.1.1)End Devices (5.1.1.1)Routers (5.1.1.3)Router Operation (5.1.1.5)Routing Information (5.1.1.6)Hubs, Bridges, LAN Switches (5.1.1.8)Switching Operation (5.1.1.9)VLANs (5.1.1.11)STP (5.1.1.12)Multilayer Switching (5.1.1.13)Wireless Communications (5.1.2)Protocols and Features (5.1.2.2)Wireless Network Operations (5.1.2.3)The Client to AP Association Process (5.1.2.4)Wireless Devices: AP, LWAP, WLC (5.1.2.6)Network Security Infrastructure (5.2)Security Devices (5.2.1)Firewalls (5.2.1.2)Firewall Type Descriptions (5.2.1.3)Packet Filtering Firewalls (5.2.1.4)Stateful Firewalls (5.2.1.5)Next-Generation Firewalls (5.2.1.6)Intrusion Protection and Detection Devices (5.2.1.8)Advantages and Disadvantages of IDS and IPS (5.2.1.9)Types of IPS (5.2.1.10)Specialized Security Appliances (5.2.1.11)Security Services (5.2.2)Traffic Control with ACLs (5.2.2.2)ACLs: Important Features (5.2.2.3)SNMP (5.2.2.5)NetFlow (5.2.2.6)Port Mirroring (5.2.2.7)Syslog Servers (5.2.2.8)NTP (5.2.2.9)AAA Servers (5.2.2.10)VPN (5.2.2.11)Network Representations (5.3)Network Topologies (5.3.1)Overview of Network Components (5.3.1.1)Physical and Logical Topologies (5.3.1.2)WAN Topologies (5.3.1.3)LAN Topologies (5.3.1.4)The Three-Layer Network Design Model (5.3.1.5)Common Security Architectures (5.3.1.7)Summary (5.4)PracticeCheck Your Understanding
Chapter 6 Principles of Network Security
ObjectivesKey TermsIntroduction (6.0)Attackers and Their Tools (6.1)Who Is Attacking Our Network (6.1.1)Threat, Vulnerability, and Risk (6.1.1.1)Hacker vs. Threat Actor (6.1.1.2)Evolution of Threat Actors (6.1.1.3)Cybercriminals (6.1.1.4)Cybersecurity Tasks (6.1.1.5)Cyber Threat Indicators (6.1.1.6)Threat Actor Tools (6.1.2)Introduction of Attack Tools (6.1.2.1)Evolution of Security Tools (6.1.2.2)Categories of Attacks (6.1.2.3)Common Threats and Attacks (6.2)Malware (6.2.1)Types of Malware (6.2.1.1)Viruses (6.2.1.2)Trojan Horses (6.2.1.3)Trojan Horse Classification (6.2.1.4)Worms (6.2.1.5)Worm Components (6.2.1.6)Ransomware (6.2.1.7)Other Malware (6.2.1.8)Common Malware Behaviors (6.2.1.9)Common Network Attacks (6.2.2)Types of Network Attacks (6.2.2.1)Reconnaissance Attacks (6.2.2.2)Sample Reconnaissance Attacks (6.2.2.3)Access Attacks (6.2.2.4)Types of Access Attacks (6.2.2.5)Social Engineering Attacks (6.2.2.6)Phishing Social Engineering Attacks (6.2.2.7)Strengthening the Weakest Link (6.2.2.8)Denial-of-Service Attacks (6.2.2.10)DDoS Attacks (6.2.2.11)Example DDoS Attack (6.2.2.12)Buffer Overflow Attack (6.2.2.13)Evasion Methods (6.2.2.14)Summary (6.3)PracticeCheck Your Understanding
Chapter 7 Network Attacks: A Deeper Look
ObjectivesKey TermsIntroduction (7.0)Network Monitoring and Tools (7.1)Introduction to Network Monitoring (7.1.1)Network Security Topology (7.1.1.1)Monitoring the Network (7.1.1.2)Network TAPs (7.1.1.3)Traffic Mirroring and SPAN (7.1.1.4)Introduction to Network Monitoring Tools (7.1.2)Network Security Monitoring Tools (7.1.2.1)Network Protocol Analyzers (7.1.2.2)NetFlow (7.1.2.3)SIEM (7.1.2.4)SIEM Systems (7.1.2.5)Attacking the Foundation (7.2)IP Vulnerabilities and Threats (7.2.1)IPv4 and IPv6 (7.2.1.1)The IPv4 Packet Header (7.2.1.2)The IPv6 Packet Header (7.2.1.3)IP Vulnerabilities (7.2.1.4)ICMP Attacks (7.2.1.5)DoS Attacks (7.2.1.6)Amplification and Reflection Attacks (7.2.1.7)DDoS Attacks (7.2.1.8)Address Spoofing Attacks (7.2.1.9)TCP and UDP Vulnerabilities (7.2.2)TCP (7.2.2.1)TCP Attacks (7.2.2.2)UDP and UDP Attacks (7.2.2.3)Attacking What We Do (7.3)IP Services (7.3.1)ARP Vulnerabilities (7.3.1.1)ARP Cache Poisoning (7.3.1.2)DNS Attacks (7.3.1.3)DNS Tunneling (7.3.1.4)DHCP (7.3.1.5)Enterprise Services (7.3.2)HTTP and HTTPS (7.3.2.1)Email (7.3.2.2)Web-Exposed Databases (7.3.2.3)Summary (7.4)PracticeCheck Your Understanding
Chapter 8 Protecting the Network
ObjectivesKey TermsIntroduction (8.0)Understanding Defense (8.1)Defense-in-Depth (8.1.1)Assets, Vulnerabilities, Threats (8.1.1.1)Identify Assets (8.1.1.2)Identify Vulnerabilities (8.1.1.3)Identify Threats (8.1.1.4)Security Onion and Security Artichoke Approaches (8.1.1.5)Security Policies (8.1.2)Business Policies (8.1.2.1)Security Policy (8.1.2.2)BYOD Policies (8.1.2.3)Regulatory and Standard Compliance (8.1.2.4)Access Control (8.2)Access Control Concepts (8.2.1)Communications Security: CIA (8.2.1.1)Access Control Models (8.2.1.2)AAA Usage and Operation (8.2.2)AAA Operation (8.2.2.1)AAA Authentication (8.2.2.2)AAA Accounting Logs (8.2.2.3)Threat Intelligence (8.3)Information Sources (8.3.1)Network Intelligence Communities (8.3.1.1)Cisco Cybersecurity Reports (8.3.1.2)Security Blogs and Podcasts (8.3.1.3)Threat Intelligence Services (8.3.2)Cisco Talos (8.3.2.1)FireEye (8.3.2.2)Automated Indicator Sharing (8.3.2.3)Common Vulnerabilities and Exposures Database (8.3.2.4)Threat Intelligence Communication Standards (8.3.2.5)Summary (8.4)PracticeCheck Your Understanding Questions
Chapter 9 Cryptography and the Public Key Infrastructure
ObjectivesKey TermsIntroduction (9.0)Cryptography (9.1)What Is Cryptography? (9.1.1)Securing Communications (9.1.1.1)Cryptology (9.1.1.2)Cryptography: Ciphers (9.1.1.3)Cryptanalysis: Code Breaking (9.1.1.4)Keys (9.1.1.5)Integrity and Authenticity (9.1.2)Cryptographic Hash Functions (9.1.2.1)Cryptographic Hash Operation (9.1.2.2)MD5 and SHA (9.1.2.3)Hash Message Authentication Code (9.1.2.4)Confidentiality (9.1.3)Encryption (9.1.3.1)Symmetric Encryption (9.1.3.2)Symmetric Encryption Algorithms (9.1.3.3)Asymmetric Encryption Algorithms (9.1.3.4)Asymmetric Encryption: Confidentiality (9.1.3.5)Asymmetric Encryption: Authentication (9.1.3.6)Asymmetric Encryption: Integrity (9.1.3.7)Diffie-Hellman (9.1.3.8)Public Key Infrastructure (9.2)Public Key Cryptography (9.2.1)Using Digital Signatures (9.2.1.1)Digital Signatures for Code Signing (9.2.1.2)Digital Signatures for Digital Certificates (9.2.1.3)Authorities and the PKI Trust System (9.2.2)Public Key Management (9.2.2.1)The Public Key Infrastructure (9.2.2.2)The PKI Authorities System (9.2.2.3)The PKI Trust System (9.2.2.4)Interoperability of Different PKI Vendors (9.2.2.5)Certificate Enrollment, Authentication, and Revocation (9.2.2.6)Applications and Impacts of Cryptography (9.2.3)PKI Applications (9.2.3.1)Encrypting Network Transactions (9.2.3.2)Encryption and Security Monitoring (9.2.3.3)Summary (9.3)PracticeCheck Your Understanding
Chapter 10 Endpoint Security and Analysis
ObjectivesKey TermsIntroduction (10.0)Endpoint Protection (10.1)Antimalware Protection (10.1.1)Endpoint Threats (10.1.1.1)Endpoint Security (10.1.1.2)Host-Based Malware Protection (10.1.1.3)Network-Based Malware Protection (10.1.1.4)Cisco Advanced Malware Protection (AMP) (10.1.1.5)Host-Based Intrusion Protection (10.1.2)Host-Based Firewalls (10.1.2.1)Host-Based Intrusion Detection (10.1.2.2)HIDS Operation (10.1.2.3)HIDS Products (10.1.2.4)Application Security (10.1.3)Attack Surface (10.1.3.1)Application Blacklisting and Whitelisting (10.1.3.2)System-Based Sandboxing (10.1.3.3)Endpoint Vulnerability Assessment (10.2)Network and Server Profiling (10.2.1)Network Profiling (10.2.1.1)Server Profiling (10.2.1.2)Network Anomaly Detection (10.2.1.3)Network Vulnerability Testing (10.2.1.4)Common Vulnerability Scoring System (CVSS) (10.2.2)CVSS Overview (10.2.2.1)CVSS Metric Groups (10.2.2.2)CVSS Base Metric Group (10.2.2.3)The CVSS Process (10.2.2.4)CVSS Reports (10.2.2.5)Other Vulnerability Information Sources (10.2.2.6)Compliance Frameworks (10.2.3)Compliance Regulations (10.2.3.1)Overview of Regulatory Standards (10.2.3.2)Secure Device Management (10.2.4)Risk Management (10.2.4.1)Vulnerability Management (10.2.4.3)Asset Management (10.2.4.4)Mobile Device Management (10.2.4.5)Configuration Management (10.2.4.6)Enterprise Patch Management (10.2.4.7)Patch Management Techniques (10.2.4.8)Information Security Management Systems (10.2.5)Security Management Systems (10.2.5.1)ISO-27001 (10.2.5.2)NIST Cybersecurity Framework (10.2.5.3)Summary (10.3)PracticeCheck Your Understanding
Chapter 11 Security Monitoring
ObjectivesKey TermsIntroduction (11.0)Technologies and Protocols (11.1)Monitoring Common Protocols (11.1.1)Syslog and NTP (11.1.1.1)NTP (11.1.1.2)DNS (11.1.1.3)HTTP and HTTPS (11.1.1.4)Email Protocols (11.1.1.5)ICMP (11.1.1.6)Security Technologies (11.1.2)ACLs (11.1.2.1)NAT and PAT (11.1.2.2)Encryption, Encapsulation, and Tunneling (11.1.2.3)Peer-to-Peer Networking and Tor (11.1.2.4)Load Balancing (11.1.2.5)Log Files (11.2)Types of Security Data (11.2.1)Alert Data (11.2.1.1)Session and Transaction Data (11.2.1.2)Full Packet Captures (11.2.1.3)Statistical Data (11.2.1.4)End Device Logs (11.2.2)Host Logs (11.2.2.1)Syslog (11.2.2.2)Server Logs (11.2.2.3)Apache HTTP Server Access Logs (11.2.2.4)IIS Access Logs (11.2.2.5)SIEM and Log Collection (11.2.2.6)Network Logs (11.2.3)Tcpdump (11.2.3.1)NetFlow (11.2.3.2)Application Visibility and Control (11.2.3.3)Content Filter Logs (11.2.3.4)Logging from Cisco Devices (11.2.3.5)Proxy Logs (11.2.3.6)NextGen IPS (11.2.3.7)Summary (11.3)PracticeCheck Your Understanding
Chapter 12 Intrusion Data Analysis
ObjectivesKey TermsIntroduction (12.0)Evaluating Alerts (12.1)Sources of Alerts (12.1.1)Security Onion (12.1.1.1)Detection Tools for Collecting Alert Data (12.1.1.2)Analysis Tools (12.1.1.3)Alert Generation (12.1.1.4)Rules and Alerts (12.1.1.5)Snort Rule Structure (12.1.1.6)Overview of Alert Evaluation (12.1.2)The Need for Alert Evaluation (12.1.2.1)Evaluating Alerts (12.1.2.2)Deterministic Analysis and Probabilistic Analysis (12.1.2.3)Working with Network Security Data (12.2)A Common Data Platform (12.2.1)ELSA (12.2.1.1)Data Reduction (12.2.1.2)Data Normalization (12.2.1.3)Data Archiving (12.2.1.4)Investigating Network Data (12.2.2)Working in Sguil (12.2.2.1)Sguil Queries (12.2.2.2)Pivoting from Sguil (12.2.2.3)Event Handling in Sguil (12.2.2.4)Working in ELSA (12.2.2.5)Queries in ELSA (12.2.2.6)Investigating Process or API Calls (12.2.2.7)Investigating File Details (12.2.2.8)Enhancing the Work of the Cybersecurity Analyst (12.2.3)Dashboards and Visualizations (12.2.3.1)Workflow Management (12.2.3.2)Digital Forensics (12.3)Evidence Handling and Attack Attribution (12.3.1)Digital Forensics (12.3.1.1)The Digital Forensics Process (12.3.1.2)Types of Evidence (12.3.1.3)Evidence Collection Order (12.3.1.4)Chain of Custody (12.3.1.5)Data Integrity and Preservation (12.3.1.6)Attack Attribution (12.3.1.7)Summary (12.4)PracticeCheck Your Understanding
Chapter 13 Incident Response and Handling
ObjectivesKey TermsIntroduction (13.0)Incident Response Models (13.1)The Cyber Kill Chain (13.1.1)Steps of the Cyber Kill Chain (13.1.1.1)Reconnaissance (13.1.1.2)Weaponization (13.1.1.3)Delivery (13.1.1.4)Exploitation (13.1.1.5)Installation (13.1.1.6)Command and Control (13.1.1.7)Actions on Objectives (13.1.1.8)The Diamond Model of Intrusion (13.1.2)Diamond Model Overview (13.1.2.1)Pivoting Across the Diamond Model (13.1.2.2)The Diamond Model and the Cyber Kill Chain (13.1.2.3)The VERIS Schema (13.1.3)What Is the VERIS Schema? (13.1.3.1)Create a VERIS Record (13.1.3.2)Top-Level and Second-Level Elements (13.1.3.3)The VERIS Community Database (13.1.3.4)Incident Handling (13.2)CSIRTs (13.2.1)CSIRT Overview (13.2.1.1)Types of CSIRTs (13.2.1.2)CERT (13.2.1.3)NIST 800-61r2 (13.2.2)Establishing an Incident Response Capability (13.2.2.1)Incident Response Stakeholders (13.2.2.2)NIST Incident Response Life Cycle (13.2.2.3)Preparation (13.2.2.4)Detection and Analysis (13.2.2.5)Containment, Eradication, and Recovery (13.2.2.6)Post-Incident Activities (13.2.2.7)Incident Data Collection and Retention (13.2.2.8)Reporting Requirements and Information Sharing (13.2.2.9)Summary (13.3)PracticeCheck Your Understanding
Appendix A Answers to the “Check Your Understanding” Questions
Glossary
Index
Code Snippets

Content preview from CCNA Cybersecurity Operations Companion Guide, First Edition

CHAPTER 12Intrusion Data Analysis

Objectives

Upon completion of this chapter, you will be able to answer the following questions:

What is the structure of alerts?
How are alerts classified?
How is data prepared for use in a network security monitoring (NSM) system?
How do you use Security Onion tools to investigate network security events?
Which network monitoring tools enhance workflow management?
What is the role of the digital forensic processes?

Key Terms

This chapter uses the following key terms. You can find the definitions in the Glossary.

true positive page 551

false positive page 551

true negative page 552

false negative page 552

deterministic analysis page 553

probabilistic ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

CCNP and CCIE Data Center Core DCCOR 350-601 Official Cert Guide

Publisher Resources

ISBN: 9780135166253

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

CCNA Cybersecurity Operations Companion Guide, First Edition

by Cisco Networking Academy