Cisco Certified CyberOps Associate 200-201 Certification Guide

By: Glen D. Singh

Overview of this book

Achieving the Cisco Certified CyberOps Associate 200-201 certification helps you to kickstart your career in cybersecurity operations. This book offers up-to-date coverage of 200-201 exam resources to fully equip you to pass on your first attempt. The book covers the essentials of network security concepts and shows you how to perform security threat monitoring. You'll begin by gaining an in-depth understanding of cryptography and exploring the methodology for performing both host and network-based intrusion analysis. Next, you'll learn about the importance of implementing security management and incident response strategies in an enterprise organization. As you advance, you'll see why implementing defenses is necessary by taking an in-depth approach, and then perform security monitoring and packet analysis on a network. You'll also discover the need for computer forensics and get to grips with the components used to identify network intrusions. Finally, the book will not only help you to learn the theory but also enable you to gain much-needed practical experience for the cybersecurity industry. By the end of this Cisco cybersecurity book, you'll have covered everything you need to pass the Cisco Certified CyberOps Associate 200-201 certification exam, and have a handy, on-the-job desktop reference guide.

The functions of the network layers

Networking plays a vital role in everything we do on a daily basis. Whether your organization is using Slack or Microsoft Teams or traditional emails for internal communication between employees, your smartphone or computer is connected to a network. To fully understand how cyber-attacks and threats are able to infiltrate a system or network, you must first understand the fundamentals of networking.

Hackers are cunning; they are always looking for the easiest way to gain access to a system or network. They look for vulnerabilities, which are security weaknesses in a system, application, coding, or design, and try to take advantage by exploiting them. You may be wondering, what does this have to do with networking? To answer this question in a simple sentence, there are many network protocols that were not designed with any security in mind, thus allowing hackers to exploit their vulnerabilities.

To get a better understanding of the bigger picture of network protocols and applications, let's take a look at what happens when a device such as a computer sends a message such as data to a web server. Built into each modern operating system, whether it's Microsoft Windows, Apple macOS, or even the Android operating system, you will find a protocol suite, which is responsible for the encoding, formatting, and transmission of messages between a source and destination.

During the pre-internet age and the early stages of computer networks, many computer vendors created their own protocol suite to enable their devices to communicate on a network. The downside to such ideas was that each vendor made a protocol suite proprietary to their devices only. This means Vendor A devices would not be able to communicate with Vendor B devices if they were connected to the same physical network.

This concept was not scalable or adaptive. Eventually, two emerging protocol suites surfaced with promises to be interoperable with any vendor devices and networks. These two well-known protocol suites are as follows:

  • The Open Systems Interconnection (OSI) reference model
  • The Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite

A protocol suite allows a device to format a message for delivery using a universal set of standards and protocols to ensure all devices along the path to the destination are able to read the addressing and data contents clearly. In other words, the protocol suite allows all devices to speak a common language on the network and the internet.

Each of these models has several layers that describe how a message is sent from one device to another and vice versa. In the following sub-sections, you will learn about the characteristics of both the OSI reference model and the TCP/IP protocol suite.

The OSI reference model

The OSI reference model was developed by the International Organization for Standardization (ISO) to be a protocol suite for operating systems in the 1970s. This model consisted of seven layers. Each layer was responsible for a unique role and function to help a device encode (format), send, and receive messages through a network.

The following diagram shows the OSI reference model with all its seven layers:

Figure 1.1 – OSI reference model

Tip

A simple method to always remember the layers of the OSI model from top to bottom is to learn this phrase, All People Seem To Need Data Processing, using the first letter of each layer to make an easy-to-remember sentence.

When a device such as a computer is sending a message, an application-layer protocol creates the message and passes it down to the lower layers until it is placed on the actual wired or wireless network. A sender creates the Protocol Data Unit (PDU) at Layer 7 (the application layer), and the PDU works its way downward to Layer 1 (the physical layer), where the message is sent on the network as an electrical, light, or radio-frequency signal. Keep in mind that when a device is receiving a message from a sender, the message enters at Layer 1 (the physical layer) and works its way upward to Layer 7 (the application layer).

In the following sections, you will learn about the role and function of each layer of the OSI reference model. Furthermore, you'll discover what happens to a message as it is created by an application-layer protocol and is passed down to the lower layers while it makes its way through the physical network to its destination.

Layer 7 – the application layer

The application layer exists closest to the user, such as yourself. Don't be mistaken – this is not the software or applications you are familiar with using on your computer, such as a web browser or email client such as Microsoft Outlook. The application layer contains many protocols, which allow the user to interact with network resources. A simple example is accessing Cisco's website to gather more information about this certification. You would open your favorite web browser and go to the www.cisco.com web address and the web page would be loaded onto your screen. In reality, your web browser (software) is able to interact with an application-layer protocol such as HyperText Transfer Protocol (HTTP) or HyperText Transfer Protocol Secure (HTTPS). Both HTTP and HTTPS are protocols that allow your computer to communicate with a web server.

Each application-layer protocol is unique in its role and function. When data is created by an application-layer protocol such as HTTPS, it can only be interpreted or understood by another device running the same protocol (HTTPS). Recall the previous example, where the web browser invokes the HTTPS protocol to exchange messages with a Cisco web server that is also using HTTPS.

There are many application-layer protocols that are very common and are used frequently by our devices. Some of the well-known protocols are as follows:

  • File Transfer Protocol (FTP)
  • Secure Shell (SSH)
  • Secure Copy (SCP)
  • Telnet
  • Simple Mail Transfer Protocol (SMTP)
  • Domain Name System (DNS)
  • Dynamic Host Configuration Protocol (DHCP)
  • Trivial File Transfer Protocol (TFTP)

At this layer, the application-layer protocol creates raw data known as a datagram. However, in the networking world, this PDU is best referred to as data. Once the application layer has finished creating its message, it passes the data down to the presentation layer.

Layer 6 – the presentation layer

As you know, application-layer protocols create their messages (data) such that they can only be interpreted by the same protocol that created them. If the PDU from the application layer were passed directly to the lower layers, those lower layers would not be able to interpret what the message is about and why it's being sent to them.

This is where the presentation layer comes in to fill this gap. The presentation layer is responsible for the following functions in the OSI reference model:

  • Formatting
  • Compression
  • Encryption
  • Decryption

The presentation layer will format the PDU that it receives from the application layer in a uniform format, thus allowing the lower layers to interpret the message clearly. Additionally, the presentation layer is responsible for compressing data for transmission, data encryption, and decryption as well.

At this stage, the PDU is still referred to as data and now it's time for it to be sent to the session layer for further processing.

Layer 5 – the session layer

At the session layer, the PDU (data) is not modified in any way but rather, this layer is responsible for the sessions that are created between the source and destination of the message. You can think of the session layer as the logical module, which is responsible for creating, maintaining, and terminating the logical sessions between your computer and the destination, such as a web server.

At the session layer, the PDU maintains its integrity and is not changed in any way. At this layer, the PDU is commonly referred to as data and it's then passed down to the transport layer.

Layer 4 – the transport layer

The transport layer plays a vital role in helping datagrams or PDUs to reach their corresponding application-layer protocol. The transport layer is responsible for the delivery and transportation of messages (datagrams) from a source device to the destination.

It does this by using the following transport-layer protocols to help messages reach their destination:

  • Transmission Control Protocol (TCP)
  • User Datagram Protocol (UDP)

The application-layer protocols, such as HTTPS and DNS, rely on either of these transport-layer protocols to ensure their messages are delivered across the network.

Important note

In a later section of this chapter, Understanding the purpose of various network protocols, we will take a deeper look at the characteristics of both TCP and UDP.

Let's imagine that on a network, there is Device-A, which is providing two services to its users: email and web services. For each of these services, an email server and web server applications must be installed on Device-A and be running. You may be thinking about the following questions:

  • How is Device-A able to identify the email traffic from the web traffic?
  • How does Device-A know to send the email traffic to the email application-layer protocol SMTP and not the web server?

To put it simply, both TCP and UDP use logical network/service ports, which are built into all modern operating systems. There is a total of 65,535 logical network/service ports on any operating system, whether it's Linux, Windows, or even Android.

Important note

A service port can be either TCP or UDP. Some application-layer protocols use TCP rather than UDP, while others use UDP.

These network ports operate as doorways for an operating system. If traffic is leaving a device, the operating system opens a doorway (source port) for the traffic to leave and to accept any returning messages. On a server running a web application (Apache, NGINX, or Microsoft IIS) or even an email server, these applications will open their corresponding default network ports for inbound traffic.

The following table shows the categories of service ports:

Figure 1.2 – Categories of service ports

The following is a brief list of application-layer protocols and their service ports:

The transport layer will encapsulate the PDU with a Layer 4 header. This header will contain both source and destination service port details, and the PDU will be known as a segment. The destination service port is needed to ensure the receiving device forwards the PDU to its corresponding application-layer protocol. For example, if you are sending a web request such as an HTTP GET message to a web server, the web server will have port 80 open for HTTP by default. Therefore, the destination port on the segment will be port 80. When the segment is received by the web server, the transport layer will remove the Layer 4 header and forward the raw datagram to the HTTP protocol at the application layer.

The following is a diagram that shows a segment with its Layer 4 (transport) header:

Figure 1.3 – Segment

Once the transport layer has completed its encapsulation process, it passes the segment down to the network layer for further processing.

Layer 3 – the network layer

The network layer is perhaps the most popular layer throughout the entire reference model. At this layer, devices insert a Layer 3 header into the PDU, which contains both source and destination Internet Protocol (IP) addresses. As you know, IP addresses are like street addresses for a network. Without IP addresses, devices will not be able to communicate with each other on remote or foreign networks. Once the network layer encapsulates the Layer 3 header onto the PDU, it is known as a packet.

Important note

In a later section of this chapter, Understanding the purpose of various network protocols, we will take a deeper look at the characteristics of the IP and its versions.

The network layer has the following functionality and roles in the OSI reference model:

  • Responsible for the logical IP version 4 (IPv4) and IP version 6 (IPv6) addressing on packets
  • The forwarding of packets between IP networks (routing)
  • Encapsulating Layer 3 headers onto PDUs as they are passed down the OSI model
  • De-encapsulating PDUs as they are passed upward to the application-layer protocols

The following diagram shows a packet with its Layer 3 header:

Figure 1.4 – Packet

Once the network layer of the OSI model has finished its encapsulation process, it will pass the packet down to the next layer, the data link layer, as more details need to be attached before it's sent out on the actual physical network.

Layer 2 – the data link layer

The data link layer bridges the gap between the operating system of a device and the actual physical network, whether it's a wired or wireless network. It is at this layer that the operating system is able to control how messages are placed on the physical network and how errors are detected and handled on incoming messages.

The data link layer is made up of two sub-layers:

  • Logical Link Control (LLC)
  • Media Access Control (MAC)

The LLC and MAC work together to ensure datagrams that are outgoing contain all the necessary details to help them reach their destination successfully. Additionally, these two sub-layers are also responsible for handling any incoming messages for a system.

The LLC sub-layer will allow further encapsulation to the packets it has received from the network layer, simply by inserting a Layer 2 header that contains the source and destination MAC addresses. A trailer is inserted at the end of the datagram. This is used to check for any errors in incoming messages. The trailer contains a Frame Check Sequence (FCS) and inside the FCS, there's a Cyclic Redundancy Check (CRC). The CRC is a one-way cryptographic hash representation of the entire datagram. Devices that receive these datagrams use the CRC value to verify the integrity of the message, such as whether it was modified or corrupted during transmission. With the new Layer 2 header and trailer added to the datagram, the PDU is now known as a frame.

The MAC sub-layer is responsible for the actual Layer 2 addressing as well as the source and destination MAC address for the frame. The MAC address is considered to be a physical address that is embedded on a Network Interface Card (NIC). Sometimes, the MAC address is referred to as a Burned-In Address (BIA) because it cannot be changed conventionally.

The following is a simplified diagram that shows a frame with both its Layer 2 header and trailer:

Figure 1.5 – Contents of a frame

Additionally, a Preamble is inserted at the beginning of the frame to indicate the start of the frame and sequencing details to help with the re-assembling of the message on the destination device. The preamble has a lot of significance. Before the data link layer passes the frame to the next layer, it cuts the raw data into smaller pieces called bits. Each bit will contain the Layer 2 header and trailer details, then the data link layer will send those bits to the physical layer.
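The following is an added example, not code from the book, that walks a PDU down the layers just described and back up on the receiver: the segment carries the source and destination service ports, the packet carries the IP addresses, and the frame carries the Ethernet header and the FCS trailer, which the receiver checks before the destination port selects the application-layer protocol. The Layer 3 and Layer 4 headers are simplified to only the addressing fields the text discusses, and every address except 00-0C-29-A0-B0-6A (the book's OUI lookup example) is constructed.

```python
import struct
import zlib

# Constructed sample addresses for this example (not from the book, apart from
# 00-0C-29-A0-B0-6A, the VMware address used in the book's OUI lookup exercise).
CLIENT_MAC = bytes.fromhex("000c29a0b06a")
SERVER_MAC = bytes.fromhex("020000000001")   # constructed, locally administered
CLIENT_IP = "192.0.2.10"
SERVER_IP = "192.0.2.80"
ETHERTYPE_IPV4 = 0x0800

def ip_to_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))

def to_segment(data, src_port, dst_port):
    """Layer 4: simplified TCP-style header carrying only the two ports."""
    return struct.pack("!HH", src_port, dst_port) + data

def to_packet(segment, src_ip, dst_ip):
    """Layer 3: simplified IP-style header carrying only the two addresses."""
    return ip_to_bytes(src_ip) + ip_to_bytes(dst_ip) + segment

def to_frame(packet, src_mac, dst_mac):
    """Layer 2: 14-byte Ethernet header in front, 4-byte FCS trailer behind.
    The FCS is a CRC-32: it catches accidental corruption (every single-bit
    error) but is not a cryptographic hash, so it does not detect tampering."""
    header = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    body = header + packet
    return body + struct.pack("!I", zlib.crc32(body))

def encapsulate(data, src_port, dst_port):
    """Walk the PDU down the layers: data -> segment -> packet -> frame."""
    segment = to_segment(data, src_port, dst_port)
    packet = to_packet(segment, CLIENT_IP, SERVER_IP)
    return to_frame(packet, CLIENT_MAC, SERVER_MAC)

def receive(frame, local_mac, local_ip, services):
    """Receiver side: verify the FCS, strip each header in turn, and hand the
    data to the application-layer protocol listening on the destination port.
    Returns (verdict, detail, data)."""
    body, fcs = frame[:-4], frame[-4:]
    if struct.unpack("!I", fcs)[0] != zlib.crc32(body):
        return ("dropped", "FCS mismatch", None)
    dst_mac, ethertype = body[:6], struct.unpack("!H", body[12:14])[0]
    if dst_mac != local_mac or ethertype != ETHERTYPE_IPV4:
        return ("dropped", "not this NIC or not IPv4", None)
    packet = body[14:]                          # Layer 2 header removed
    dst_ip = ".".join(str(b) for b in packet[4:8])
    if dst_ip != local_ip:
        return ("dropped", "not addressed to this host", None)
    segment = packet[8:]                        # Layer 3 header removed
    src_port, dst_port = struct.unpack("!HH", segment[:4])
    data = segment[4:]                          # Layer 4 header removed
    service = services.get(dst_port)
    if service is None:
        return ("dropped", "no service on port %d" % dst_port, None)
    return ("delivered", service, data)

def flip_bit(frame, byte_index, bit=0):
    """Simulate corruption in transit by flipping one bit of the frame."""
    damaged = bytearray(frame)
    damaged[byte_index] ^= 1 << bit
    return bytes(damaged)
```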

The MAC address is 48 bits or 6 bytes in length and is written in hexadecimal digits (0–9 and A–F). Various operating system vendors usually present the MAC address value in one of the following formats:

  • 12:34:56:78:9A:BC
  • 12-34-56-78-9A-BC
  • 1234.5678.9ABC

The first 24 bits of a MAC address can be used to identify the vendor of a device. This portion of the MAC address is known as the Organizationally Unique Identifier (OUI). The last 24 bits, however, are unique and assigned by the vendor, so the entire 48-bit MAC address is globally unique.

To check the MAC address on a Cisco IOS router, use the show interfaces interface-ID command as shown here:

Figure 1.6 – Viewing the MAC address on a Cisco router

To view the MAC address on a Linux device, use the ifconfig command in the Linux Terminal as shown here:

Figure 1.7 – Viewing the MAC address on a Linux device

On Linux-based devices, the ether field is used to indicate the MAC address of the interface, as seen in the previous screenshot.

To view the MAC address on a Windows device, use the ipconfig /all command in Windows Command Prompt as shown here:

Figure 1.8 – Viewing the MAC address on a Windows device

To perform a MAC OUI lookup, use the following steps:

  1. Go to https://www.wireshark.org/tools/oui-lookup.html.
  2. Copy the MAC address from your device. For this exercise, you can copy this MAC address: 00-0C-29-A0-B0-6A.
  3. Enter it into the OUI search field and click on Find, as shown in the following screenshot:

Figure 1.9 – Performing a MAC vendor lookup

The online tool was able to profile the first 24 bits of the MAC address and indicated the address belongs to a VMware device. Fortunately, this MAC address was taken from one of my demo virtual machines in my personal lab.

Important note

While networking professionals are taught that MAC addresses are unchangeable (burned-in), a cybersecurity professional or hacker is able to change the MAC address easily on their NIC to avoid detection.

Being able to quickly profile MAC addresses can help you eliminate rogue and unauthorized devices that are connected to your network.
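As an added example (not the book's code), the following normalizes the three MAC address formats listed earlier, extracts the OUI, looks it up in a small embedded table, and checks the locally administered bit that a software-assigned (changed) MAC address usually carries, which is the defender-side check behind the note above. The table is a constructed three-entry excerpt: 00:0C:29 is the VMware prefix the book's lookup returns, and the other two prefixes are well-known ones added here.

```python
import re

# Constructed OUI table excerpt so the lookup runs offline. 00:0C:29 is the VMware
# prefix the book's Wireshark lookup returns; the other two are well-known prefixes
# added here (VMware again, and the VirtualBox vendor).
OUI_TABLE = {
    "00:0C:29": "VMware, Inc.",
    "00:50:56": "VMware, Inc.",
    "08:00:27": "PCS Systemtechnik GmbH (VirtualBox)",
}

def normalize(mac):
    """Accept colon, dash, or Cisco dotted notation; return AA:BB:CC:DD:EE:FF."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def oui(mac):
    """The first 24 bits: the Organizationally Unique Identifier."""
    return normalize(mac)[:8]

def profile(mac, table=OUI_TABLE):
    """Vendor lookup plus the two flag bits in the first byte, which say whether
    the address is vendor-assigned (burned in) or was set in software."""
    canonical = normalize(mac)
    first_byte = int(canonical[:2], 16)
    return {
        "mac": canonical,
        "oui": canonical[:8],
        "vendor": table.get(canonical[:8], "unknown"),
        # bit 0 (I/G): 1 = group/multicast address, 0 = an individual NIC
        "multicast": bool(first_byte & 0x01),
        # bit 1 (U/L): 1 = locally administered, i.e. assigned by software
        # rather than burned in; a changed or randomized MAC address usually
        # carries this bit, so it is worth a second look on a managed network
        "locally_administered": bool(first_byte & 0x02),
    }

def review(macs, table=OUI_TABLE):
    """Triage observed source addresses: return those a defender should check
    first (locally administered, or an OUI the table cannot attribute)."""
    flagged = []
    for mac in macs:
        p = profile(mac, table)
        if p["multicast"]:
            continue          # group destinations, not devices on the network
        if p["locally_administered"] or p["vendor"] == "unknown":
            flagged.append(p["mac"])
    return flagged
```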

Layer 1 – the physical layer

The physical layer is the actual wired and wireless network; it's the actual media that is used to transmit bits from one device to another. At this layer, you will find various types of cables, such as Cat 6 or even fiber optics, and wireless media such as radio frequency, whether it be Wi-Fi or 5G technologies that are used to transport the actual signals (bits) between a source and a destination.

Now that you have an idea about the OSI reference model, let's take a look at the importance of the TCP/IP protocol suite in the next section. The various layers of the OSI reference model are mapped to the layers of the TCP/IP protocol suite. It's important as a security professional that you have the knowledge to identify the characteristics of a datagram as it passes through each of these layers.

The TCP/IP protocol suite

TCP/IP was created by the United States Department of Defense (US DoD) and has been implemented in all operating systems to enable network connectivity. Unfortunately, the ISO OSI model did not get the traction it needed to be approved as an official protocol suite and therefore became a reference model where both network and security professionals use each layer for reference purposes.

TCP/IP is the universal language spoken on all computer-based networks; whether it's a Local Area Network (LAN) or the internet, all devices use TCP/IP to communicate. As mentioned earlier, the protocol suite simply defines how a system such as a computer is able to send and receive messages through a network.

With TCP/IP, there are five layers in this protocol suite. The following diagram shows how each layer of the OSI reference model maps directly to each layer of the TCP/IP protocol suite:

Figure 1.10 – TCP/IP protocol suite

In comparison to both models, the top three layers of the OSI model (the application, presentation, and session layers) are mapped to the application layer of TCP/IP. This means the application layer in TCP/IP contains all the functions as described in the top three layers of the OSI reference model.

In this section, you have learned about the function of each network layer of the OSI reference model and how they are mapped to the TCP/IP protocol suite. This knowledge is useful when performing network traffic analysis on an enterprise network. In the next section, you will discover the purpose of various network protocols, such as IP, TCP, and UDP.