Cisco 350-701 Implementing and Operating Cisco Security Core Technologies (SCOR 350-701) Exam Practice Test

Posture is a service in Cisco ISE that checks the compliance of endpoints with corporate security policies before allowing them to connect to the network. Posture policies define the requirements that endpoints must meet to be compliant, such as having antivirus software installed and updated, or having a specific registry key value. If an endpoint is compliant, Cisco ISE can apply a Change of Authorization (CoA) to grant it access to the network resources. CoA is a mechanism that allows Cisco ISE to dynamically change the authorization attributes of an existing session, such as VLAN, dACL, or SGT, without requiring the user to reauthenticate. CoA can be triggered by various events, such as posture assessment results, profiling changes, or manual actions by the administrator. CoA can also be used to quarantine or disconnect non-compliant endpoints. Therefore, ensuring that an endpoint is compliant with a posture policy configured in Cisco ISE provides the benefit of allowing CoA to be applied if the endpoint status is compliant. References :=

• Cisco Identity Services Engine Administrator Guide, Release 2.2 - Configure Client Posture Policies
• Cisco Identity Services Engine Administrator Guide, Release 2.2 - Change of Authorization

ExplanationThe profiling service issues the change of authorization in the following cases:– Endpoint deleted—When an endpoint is deleted from the Endpoints page and the endpoint is disconnectedor removed from the network.An exception action is configured—If you have an exception action configured per profile that leads to anunusual or an unacceptable event from that endpoint. The profiling service moves the endpoint to thecorresponding static profile by issuing a CoA.– An endpoint is profiled for the first time—When an endpoint is not statically assigned and profiled for the first time; for example, the profile changes from an unknown to a known profile.+ An endpoint identity group has changed—When an endpoint is added or removed from an endpoint identity group that is used by an authorization policy.The profiling service issues a CoA when there is any change in an endpoint identity group, and the endpoint identity group is used in the authorization policy for the following:

One of the main reasons why a user would choose an on-premises ESA versus the CES solution is to have more control over the sensitive data that flows through the email system. With an on-premises ESA, the user can ensure that the data is stored and processed within their own network and data center, and that they comply with any regulatory or organizational requirements for data security and privacy. With a CES solution, the user would have to trust Cisco to handle the data in their cloud infrastructure, and to adhere to the service level agreements and security policies that are agreed upon. Some users may not be comfortable with this level of outsourcing, especially if they have strict data governance or compliance needs12. References: 1: Physical ESA vs Cloud ESA - Cisco Community 2: Cisco Email Security Appliance - Data Sheet

ExplanationPhishing attacks are the practice of sending fraudulent communications that appear to come from a reputablesource. It is usually done through email. The goal is to steal sensitive data like credit card and login information,or to install malware on the victim’s machine.

In order to send web traffic transparently to the Web Security Appliance (WSA), the system administrator can use one of these two methods:

• Policy-based routing (PBR) on the network infrastructure: This method allows the administrator to define routing policies based on the source or destination IP address, port number, protocol, or other criteria of the web traffic. The administrator can then apply these policies to the network interfaces or subinterfaces and redirect the matching traffic to the WSA. This method does not require any configuration on the client side and can be applied to any type of web traffic, including HTTPS and FTP. However, this method may require additional network resources and maintenance, as well as coordination with other network administrators.
• Web Cache Communication Protocol (WCCP) on the WSA and the network device: This method allows the administrator to configure the WSA and the network device (such as a router, switch, or firewall) to communicate with each other using WCCP, a Cisco proprietary protocol. The network device acts as a WCCP router and redirects the web traffic to the WSA, which acts as a WCCP client. The WSA then processes the traffic and returns it to the network device, which forwards it to the original destination. This method does not require any configuration on the client side and can be applied to HTTP, HTTPS, and native FTP traffic. However, this method requires that the network device supports WCCP and that the WSA and the network device are in the same Layer 2 domain.

References:

ExplanationCisco Cloudlock is a cloud-native cloud access security broker (CASB) that helps you move to the cloud safely. It protects your cloud users, data, and apps. Cisco Cloudlock provides visibility and compliance checks, protects data against misuse and exfiltration, and provides threat protections against malware like ransomware.

Proxy caching is a method that enables a proxy server to save recent and frequent website/webpage requests and data requested by one or more client machines. It reduces latency, eases bandwidth consumption, and ensures content is served more swiftly to the end-user12. WSA (Web Security Appliance) is a Cisco product that provides proxy caching functionality, along with other web security features such as malware protection, URL filtering, and data loss prevention3. Firepower, FireSIGHT, and ASA are other Cisco products that do not provide proxy caching, but rather focus on different aspects of network security, such as threat detection, management, and firewall . References:

• What is Proxy Caching? | StackPath
• What Is Proxy Caching? | Definition & Overview | NinjaOne
• Cisco Web Security Appliance Data Sheet
• [Cisco Firepower NGFW Data Sheet]
• [Cisco FireSIGHT Management Center Data Sheet]
• [Cisco ASA 5500-X Series Firewalls Data Sheet]

 A private cloud is a cloud deployment model that is dedicated to a single organization and provides exclusive access to its resources and services. A private cloud can be hosted on-premises or off-premises by a third-party provider, but in either case, the organization has full control and visibility over the security, privacy, and compliance of its data and applications. A private cloud can also leverage the security features and best practices of the public cloud service provider, if applicable, while maintaining a higher degree of isolation and customization. A private cloud is the most secure deployment model when considering risks to cloud adoption, as it minimizes the exposure of sensitive data to external threats, reduces the dependency on the security posture of the cloud service provider, and enables the organization to meet its specific security and regulatory requirements123. References: 1: Best Practices to Manage Risks in the Cloud - ISACA 2: Security in the Microsoft Cloud Adoption Framework for Azure 3: Five challenges to cloud adoption and how to overcome them - PwC Middle East

ExplanationStateful failover for IP Security (IPsec) enables a router to continue processing and forwarding IPsec packetsafter a planned or unplanned outage occurs. Customers employ a backup (secondary) router that automaticallytakes over the tasks of the active (primary) router if the active router loses connectivity for any reason. Thisfailover process is transparent to users and does not require adjustment or reconfiguration of any remote peer.Stateful failover for IPsec requires that your network contains two identical routers that are available to be eitherthe primary or secondary device. Both routers should be the same type of device, have the same CPU andmemory, and have either no encryption accelerator or identical encryption accelerators.Prerequisites for Stateful Failover for IPsec

ExplanationDynamic ARP inspection (DAI) is a security feature that validates ARP packets in a network. It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from certain man-in-the-middle attacks. After enabling DAI, all ports become untrusted ports.

the routing of traffic through the Cisco Umbrella network is to browse to http://welcome.umbrella.com/ . This URL will display a message that confirms whether the new network identity is working or not. If the message says “You’re protected by Cisco Umbrella”, then the traffic is being routed correctly. If the message says “You’re not using Cisco Umbrella”, then the traffic is not being routed correctly and the configuration needs to be checked. The other options are not valid actions to test the routing. Option A is incorrect because the client computers should point to the Cisco Umbrella DNS servers, not the on-premises DNS servers. Option B is incorrect because the Intelligent Proxy is a feature that selectively intercepts and proxies web requests for deeper inspection, not a tool to test the routing. Option C is incorrect because adding the public IP address to a Core Identity is a way to identify the network, not a way to test the routing. References:

• How To: Successfully test to ensure you’re running Umbrella correctly
• Add a Network Identity

Cisco AMP (Advanced Malware Protection) is a product that provides proactive endpoint protection and allows administrators to centrally manage the deployment. AMP uses cloud-based intelligence, sandboxing, and continuous analysis to detect and block advanced threats before they reach the endpoints. AMP also provides retrospective security, which means that it can alert and remediate endpoints if a file that was previously deemed benign is later found to be malicious. AMP can be integrated with other Cisco products, such as Firepower, Meraki, and Email Security Appliance, to provide comprehensive security across the network. AMP is available for Windows, Mac, Linux, Android, and iOS devices. References :=

Some possible references are:

• Endpoint Protection Platform (EPP) Definition - Cisco: This page defines what an endpoint protection platform (EPP) is and how it differs from traditional antivirus solutions. It also explains the benefits of using Cisco Secure Endpoint, formerly known as AMP for Endpoints.
• Cisco Secure Endpoint (Formerly AMP for Endpoints) - Cisco: This page provides an overview of the features and capabilities of Cisco Secure Endpoint, such as cloud-based intelligence, endpoint isolation, file trajectory, device flow correlation, and more. It also offers resources for getting started, deploying, and managing Cisco Secure Endpoint.
• SCOR 350-701 Flashcards | Quizlet: This page contains flashcards for the SCOR 350-701 exam, which covers the topics of implementing and operating Cisco security core technologies. One of the flashcards is the same question as the one asked by the user, and it provides the correct answer and a brief explanation.

ExplanationSQL injection usually occurs when you ask a user for input, like their username/userid, but the user gives(“injects”) you an SQL statement that you will unknowingly run on your database. For example:Look at the following example, which creates a SELECT statement by adding a variable (txtUserId) to a selectstring. The variable is fetched from user input (getRequestString):txtUserId = getRequestString(“UserId”);txtSQL = “SELECT * FROM Users WHERE UserId = ” + txtUserId;If user enter something like this: “100 OR 1=1” then the SzQL statement will look like this:SELECT * FROM Users WHERE UserId = 100 OR 1=1;The SQL above is valid and will return ALL rows from the “Users” table, since OR 1=1 is always TRUE. Ahacker might get access to all the user names and passwords in this database.

Endpoint Protection Platform (EPP) and Endpoint Detection and Response (EDR) are both important components of an endpoint security strategy, but they have different goals and capabilities. EPP is designed to act as a preventive security measure, blocking known and unknown malware and malicious activity on endpoint devices using various techniques such as antivirus, data encryption, and data loss prevention. EPP solutions are mainly cloud-managed and assisted by cloud data, and use multiple detection engines such as signature-based, machine learning, and behavioral analysis. EPP solutions prevent breaches by leveraging threat intelligence and sandboxing capabilities to continuously protect endpoints from emerging threats12.

EDR, on the other hand, focuses on detecting and responding to advanced threats that have already evaded the front-line defenses and infiltrated the environment. EDR solutions provide continuous and comprehensive visibility into endpoint activity in real time, allowing security teams to quickly and effectively identify and remediate cyberattacks such as ransomware and fileless malware. EDR solutions offer advanced threat detection, investigation, and response capabilities, including incident data search and investigation, alert triage, suspicious activity validation, threat hunting, and malicious activity detection and containment. EDR solutions serve as a safety net to capture threats that go undetected by traditional antivirus software and uncover incidents that would otherwise remain invisible34.

Therefore, the primary difference between an EPP and an EDR is that EPP focuses on prevention, and EDR focuses on advanced threats that evade perimeter defenses. References: 1: Endpoint Protection Platform (EPP) Definition - Cisco 2: EPP vs. EDR: Why You Need Both - CrowdStrike 3: Endpoint Detection and Response (EDR) Definition - Cisco 4: EDR vs EPP: Why Should You Have to Choose? - Check Point Software

 NetFlow is a protocol that collects and exports information about network traffic flows. NetFlow Version 9 is the latest version supported by the Cisco ASA 5500 Series firewall. To enable NetFlow on the ASA, you need to perform two main tasks: define a NetFlow collector and apply NetFlow exporter to an interface. A NetFlow collector is a device or application that receives and processes the NetFlow records sent by the ASA. You can define a NetFlow collector by using the flow-export command, which specifies the IP address, port number, and interface of the collector. A NetFlow exporter is a configuration that determines which traffic flows are monitored and exported by the ASA. You can apply NetFlow exporter to an interface by using the Modular Policy Framework (MPF), which allows you to create class maps and policy maps to match and act on interesting traffic. You can use the flow-export event-type option in the policy map to select the NetFlow events that you want to export. The other options (B, C, and D) are not required or correct for enabling NetFlow on the ASA. You do not need to create an ACL to allow UDP traffic on port 9996, because the ASA uses a random high port number to send NetFlow records to the collector. You do not need to apply NetFlow exporter to the outside interface in the inbound direction, because you can apply it to any interface and direction that you want to monitor. You do not need to create a class map to match interesting traffic, because the ASA monitors all traffic flows by default, unless you filter them by using the flow-export filters command. References:

• Cisco Secure Firewall ASA NetFlow Implementation Guide, section “About NSEL”
• Cisco Secure Firewall ASA NetFlow Implementation Guide, section “Configure NSEL Collectors (CLI)”
• Cisco Secure Firewall ASA NetFlow Implementation Guide, section “Configure Flow-Export Actions Through Modular Policy Framework”
• Configuring NetFlow on ASA with ASDM, section “Enabling NetFlow on ASA”

SQL injection attacks are a type of code injection technique that exploit the use of dynamic SQL queries in web applications. Attackers can inject malicious SQL statements into user input fields, such as login forms, search boxes, or URLs, and execute them on the underlying database. This can result in unauthorized access, data theft, data corruption, or denial of service.

To prevent SQL injection attacks, web developers should use the following techniques:

• Use prepared statements and parameterized queries: Prepared statements are SQL queries that are precompiled and executed with user-supplied parameters. Parameterized queries are SQL queries that use placeholders for user input and bind them to actual values at runtime. Both techniques separate the SQL code from the user input, making it impossible for attackers to inject SQL commands into the query. For example, in Java, PreparedStatement is a class that implements parameterized queries. In PHP, PDO and mysqli are extensions that support prepared statements.
• Block SQL code execution in the web application database login: Web applications should use a dedicated database user account with limited privileges to connect to the database. This account should only have the permissions necessary to perform the required operations, such as select, insert, update, or delete. It should not have the permissions to execute arbitrary SQL commands, such as create, drop, alter, grant, or revoke. This way, even if an attacker manages to inject SQL code into the query, the database will reject it due to insufficient privileges.

References:

• [Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0], Module 5: Securing the Cloud, Lesson 5.2: Cloud Application Security, Topic 5.2.2: SQL Injection
• SQL Injection Prevention - OWASP Cheat Sheet Series
• How to Prevent SQL Injection: 5 Key Prevention Methods - eSecurityPlanet
• How to Protect Against SQL Injection Attacks

Explanation

Spero analysis is a feature of Cisco AMP for Networks that examines structural characteristics such as metadata and header information in executable files. After generating a Spero signature based on this information, if the file is an eligible executable file, the device submits it to the Spero heuristic engine in the AMP cloud for analysis1. Spero analysis can detect malware based on the file’s structure and behavior, without requiring a full file upload2. Spero analysis is different from dynamic analysis, sandbox analysis, and malware analysis, which are other features of Cisco AMP for Networks that perform different types of file inspection and analysis3. References: 1: How to configure Firepower AMP to not upload files to … - Cisco Community 2: File Policies - Network Direction 3: Cisco AMP for Networks - Cisco

ExplanationOnly in On-site (on-premises) and IaaS we (tenant) manage O/S (Operating System).

 Mobile Device Management (MDM) is a solution that allows an organization to manage, monitor, and secure mobile devices such as smartphones, tablets, and laptops. MDM provides two main advantages to an organization with regards to device management:

• Asset inventory management: MDM helps an organization keep track of all the mobile devices that are connected to its network, including their location, status, configuration, and usage. MDM also enables an organization to remotely wipe or lock devices that are lost, stolen, or compromised, preventing data loss and unauthorized access. Asset inventory management helps an organization optimize its resources, reduce costs, and comply with regulations12.
• Allowed application management: MDM allows an organization to control what applications can be installed and run on the mobile devices, as well as how they can access and share data. MDM can also push updates and patches to the devices, ensuring that they are always running the latest and most secure versions of the applications. Allowed application management helps an organization enhance security, productivity, and performance of the mobile devices34.

References: 1: 7 Advantages and Disadvantages of Mobile Device Management [2024] 2: 5 Benefits of Mobile Device Management - ESET 3: Top 10 Benefits of Mobile Device Management (MDM) - TechFunnel 4: Benefits of Mobile Device Management (MDM) for Businesses

 Multi-factor authentication (MFA) is a method of verifying a user’s identity by requiring two or more factors, such as something the user knows (e.g. password), something the user has (e.g. token), or something the user is (e.g. biometric). MFA can prevent or mitigate some common types of cyberattacks that rely on stealing or guessing a user’s credentials, such as phishing and brute force attacks12

• Phishing is an attack where an attacker sends a fraudulent email or message that appears to come from a legitimate source, such as a bank or a government agency, and tries to trick the user into clicking on a malicious link or attachment, or providing their credentials or personal information34 MFA can prevent phishing attacks by requiring an additional factor of authentication that the attacker cannot obtain from the phishing email or message, such as a one-time password (OTP) sent to the user’s phone or email, or a biometric verification such as a fingerprint or face scan56

• Brute force is an attack where an attacker tries to guess a user’s password by systematically trying different combinations of characters, words, or phrases until they find the correct one. MFA can prevent brute force attacks by requiring an additional factor of authentication that the attacker cannot guess, such as a physical token or a push notification that the user has to approve.

References: 1: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 course overview 2: What Type of Attacks Does MFA Prevent? | OneLogin 3: 5 Multi-Factor Authentication Vulnerabilities and How to Resolve Them 4: FBI warns about attacks that bypass multi-factor authentication (MFA) 5: Defend your users from MFA fatigue attacks - Microsoft Community Hub 6: What type of attacks does Multi-Factor Authentication prevent? : How to Prevent Brute Force Attacks | Cloudflare : Brute Force Attack - an overview | ScienceDirect Topics : Multi-factor authentication - Wikipedia : Multi-factor authentication fatigue attacks are on the rise: How to defend against them | CSO Online

 Cisco Identity Services Engine (ISE) and AnyConnect Posture module are the best solution to ensure that all endpoints are compliant before users are allowed access on the corporate network. ISE is a policy-based platform that provides secure network access, identity management, and endpoint compliance. AnyConnect Posture module is a component of the AnyConnect Secure Mobility Client that performs posture assessment and remediation on the endpoints. Together, they can enforce policies based on the endpoint’s compliance status, such as the presence and update of the corporate antivirus application and the Windows 10 build version. The administrator can configure posture requirements, profiles, and policies on ISE, and deploy them to the endpoints through AnyConnect. The endpoints will then report their posture status to ISE, which will grant or deny network access accordingly, or redirect them to a remediation portal if needed. References :

ExplanationA botnet is a collection of internet-connected devices infected by malware that allow hackers to control them.Cyber criminals use botnets to instigate botnet attacks, which include malicious activities such as credentialsleaks, unauthorized access, data theft and DDoS attacks.

To share data between multiple security products, you must use Cisco Platform Exchange Grid (pxGrid). pxGrid is an open and scalable framework that allows for bi-directional any-to-any partner platform integrations. pxGrid uses REST and WebSocket interfaces to exchange intelligence and obtain contextual information from Cisco Identity Services Engine (ISE) and other security products. pxGrid can also direct ISE to contain threats by setting network policies. pxGrid enables cross-platform network system collaboration across your IT infrastructure and helps you monitor security, detect threats, and manage assets, configuration, identity, and access. References: Introduction to the Cisco Platform Exchange Grid (pxGrid) in ISE, Cisco Identity Services Engine Administrator Guide, Release 3.3

ExplanationThis command uses RADIUS which combines authentication and authorization in one function (packet).

ExplanationAdvanced Malware Protection (AMP) for Endpoints offers a variety of lists, referred to as Outbreak Control, that allow you to customize it to your needs. The main lists are: Simple Custom Detections, Blocked Applications, Allowed Applications, Advanced Custom Detections, and IP Blocked and Allowed Lists.A Simple Custom Detection list is similar to a blocked list. These are files that you want to detect andquarantine.Allowed applications lists are for files you never want to convict. Some examples are a custom application that is detected by a generic engine or a standard image that you use throughout the company Reference: https://docs.amp.cisco.com/AMP%20for%20Endpoints%20User%20Guide.pdf

MAB is a fallback mechanism for IEEE 802.1X that allows network access based on the MAC address of the endpoint. However, MAB does not prevent MAC address spoofing, which is a technique used by attackers to impersonate authorized devices and bypass authentication. To mitigate this risk, two catalyst switch security features can be used in conjunction with MAB: 802.1AE MacSec and port security.

802.1AE MacSec is a standard that provides encryption and integrity protection for data frames between two MACsec-capable devices. MacSec also uses a secure key exchange protocol called MKA (MACsec Key Agreement) to establish and maintain cryptographic keys between the peers. By enabling MacSec on the switch ports, the switch can verify the identity and authenticity of the endpoints and prevent unauthorized access or tampering with the data frames.

Port security is a feature that allows the switch to limit the number and type of MAC addresses that can access a port. Port security can be configured to allow only a specific MAC address or a maximum number of MAC addresses per port. Port security can also be configured to take an action when a violation occurs, such as shutting down the port, sending a trap, or dropping packets. By enabling port security on the switch ports, the switch can prevent multiple devices from accessing the same port or deny access to devices with spoofed MAC addresses.

References:

• Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 2: Network Security, Lesson 2.2: Implementing Network Access Control
• MAC Authentication Bypass Deployment Guide, MAB Benefits and Limitations, MAB Feature Interaction

Configure a Crypto ISAKMP Key

In order to configure a preshared authentication key, enter the crypto isakmp key command in global configuration mode:

crypto isakmp key cisco123 address 172.16.1.1

https://community.cisco.com/t5/vpn/isakmp-with-0-0-0-0-dmvpn/td-p/4312380

It is a bad practice but it is valid. 172.16.0.0/16 the full range will be accepted as possible PEER

https://www.examtopics.com/discussions/cisco/ view/46191-exam-350-701-topic-1-question-71-discussion/#:~:text=Command%20reference%20is%20not%20decisive,172.16.1.128%20cisco123%0ACSR%2D1(config)%23

Testing without a netmask shows that command interpretation has a preference for /16 and /24. CSR-1(config)#crypto isakmp key cisco123 address 172.16.0.0

CSR-1(config)#do show crypto isakmp key | i cisco

default 172.16.0.0 [255.255.0.0] cisco123

CSR-1(config)#no crypto isakmp key cisco123 address 172.16.0.0

CSR-1(config)#crypto isakmp key cisco123 address 172.16.1.0

CSR-1(config)#do show crypto isakmp key | i cisco

default 172.16.1.0 [255.255.255.0] cisco123

CSR-1(config)#no crypto isakmp key cisco123 address 172.16.1.0

CSR-1(config)#crypto isakmp key cisco123 address 172.16.1.128

CSR-1(config)#do show crypto isakmp key | i cisco default 172.16.1.128 cisco123

CSR-1(config)#

Wired 802.1X authentication is a port-based network access control that uses the physical characteristics of the switched LAN infrastructure to authenticate devices attached to a LAN port1. Wired 802.1X authentication requires three components: a supplicant, an authenticator, and an authentication server2. The supplicant is the client device that requests access to the network. The authenticator is the switch port that controls the access to the network based on the authentication result. The authentication server is the server that validates the credentials of the supplicant and sends the authentication result to the authenticator3.

In this question, option A is correct because Cisco Identity Service Engine (ISE) is an example of an authentication server that supports wired 802.1X authentication4. Option C is correct because Cisco Catalyst switch is an example of an authenticator that supports wired 802.1X authentication5. Option B is incorrect because Cisco AnyConnect ISE Posture module is not a supplicant, but a software component that checks the compliance status of the supplicant. Option D is incorrect because Cisco ISE is not an authenticator, but an authentication server. Option E is incorrect because Cisco Prime Infrastructure is not an authentication server, but a network management tool.

References: 1: Wired 802.1X Deployment Guide - Cisco 2: 802.1X Authenticated Wired Access Overview | Microsoft Learn 3: About 802.1X Authentication - Aruba 4: Cisco Identity Services Engine - Products & Services - Cisco 5: Cisco Catalyst 2960-X Series Switches - Products & Services - Cisco : Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.9 - Configure Posture [Cisco AnyConnect Secure Mobility Client] - Cisco : Cisco Prime Infrastructure - Products & Services - Cisco

The command show authen sess int gi0/1 displays the authentication session information for the interface gi0/1, such as the MAC address, the authentication method, the authentication state, the session timeout, and the VLAN assignment. This command is useful for verifying the status of an 802.1X connection on a specific interface. The other commands are not related to 802.1X authentication. The command show authorization status displays the authorization status for the current user. The command show connection status gi0/1 is not a valid Cisco command. The command show ver gi0/1 displays the version information for the interface gi0/1. References: 802.1X Authentication Commands, Configuring IEEE 802.1x Port-Based Authentication, What Cisco command shows you the status of an 802.1X connection on interface gi0/1?

ExplanationTwo-factor authentication adds a second layer of security to your online accounts. Verifying your identity using asecond factor (like your phone or other mobile device) prevents anyone but you from logging in, even if theyknow your password.Note: Single sign-on (SSO) is a property of identity and access management that enables users to securelyauthenticate with multiple applications and websites by logging in only once with just one set of credentials(username and password). With SSO, the application or website that the user is trying to access relies on atrusted third party to verify that users are who they say they are.

Cisco ASA NetFlow v9 Secure Event Logging (NSEL) is a security logging mechanism that is built on NetFlow Version 9 technology and provides stateful, IP flow tracking for significant events in a flow. NSEL requires a collector to receive and process the exported data records. To configure NSEL, you need to define a flow-export event type under a policy using the Modular Policy Framework (MPF). The event type specifies which events to export, such as flow-create, flow-denied, flow-teardown, flow-update, or all. You also need to configure the NSEL collectors, the template timeout intervals, and the flow-update interval. Optionally, you can disable the redundant syslog messages and reset the runtime counters.

The other statements are false because:

• To view bandwidth usage for NetFlow records, the QoS feature is not required. You can use a NetFlow collector or analyzer to view the bandwidth usage and other statistics from the exported data records.
• A sysopt command cannot be used to enable NSEL on a specific interface. NSEL is enabled globally on all interfaces by default when you configure a flow-export event type under a policy.
• NSEL cannot be used without a collector configured. NSEL exports data records to the configured collectors using NetFlow over UDP. If no collector is configured, the data records are discarded.

References:

• NetFlow Secure Event Logging (NSEL) - Cisco, Topic: Configuring NSEL, page 48-5
• Cisco Secure Firewall ASA NetFlow Implementation Guide, Topic: Configure NSEL Collectors (CLI), Configure Flow-Export Actions Through Modular Policy Framework, Configure Template Timeout Intervals, Change the Time Interval for Sending Flow-Update Events to a Collector, Disable and Reenable NetFlow-related Syslog Messages, Reset Runtime Counters
• Configuring NetFlow on ASA with ASDM - Cisco Community, Topic: Enable NetFlow (ASDM)

 Cisco AMP Threat Grid is a cloud-based or on-premises solution that provides advanced malware analysis and threat intelligence. It combines static and dynamic analysis techniques to examine the behavior of malware samples and correlate them with global and historical context. It also produces detailed reports, threat scores, and behavioral indicators that help security teams prioritize and respond to threats faster and more effectively12. References: 1: Cisco Secure Malware Analytics (Threat Grid) - Cisco 2: Products - Cisco Threat Grid Cloud Data Sheet - Cisco

Multiple context mode allows you to partition a single ASA into multiple virtual firewalls, each with its own security policy, interfaces, and management IP address. This mode is useful for providing security services to different customers or tenants on a shared appliance, while maintaining separation of management and configuration. Each context acts as an independent device and can be in either routed or transparent mode. You can also assign different administrators to each context and limit their access to specific commands and features. Multiple context mode is supported in Cisco ACI with the ASA device package version 1.2 or later. References: 

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/L4-L7_Service_Graph_Deployment_Guide/b_L4L7_Service_Graph_Deploy_ver122g/b_L4L7_Service_Graph_Deploy_ver122x_chapter_0110.pdf

https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/intro-fw.html

 Suppression is a feature of Cisco Next Generation Intrusion Prevention System (NGIPS) that allows you to reduce false positives and unwanted alerts by filtering out specific traffic from the intrusion detection and prevention process. You can configure suppression based on different criteria, such as port, rule, source, destination, and network. The two valid suppression types for this question are port and rule. Port suppression allows you to exclude traffic based on the source or destination port number, or both. For example, you can suppress alerts for port 80 (HTTP) traffic if you are not interested in web-based attacks. Rule suppression allows you to exclude traffic based on the rule ID (SID) or the rule category. For example, you can suppress alerts for rules that belong to the policy-violations category if you are not concerned about them. You can also suppress alerts for specific rules that are not relevant to your network or generate too many false positives. References

Time synchronization is one of the features that can be configured for managed devices in the device platform settings of the Firepower Management Center (FMC). Time synchronization ensures that the FMC and its managed devices have the same date and time settings, which is important for accurate event logging and reporting. The FMC can act as a Network Time Protocol (NTP) server for its managed devices, or it can use an external NTP server as a time source1. The FMC can also synchronize its time with the system clock of the device where it is installed2. References := 1: Firepower Management Center Device Configuration Guide, 7.1 - Platform Settings 2: Firepower Management Center Configuration Guide, Version 6.6 - Device Management Basics

 ICMP is a protocol that is used to send diagnostic messages between hosts on a network. It is not designed to carry any data, but it can be abused by attackers to exfiltrate data from a compromised host. By encrypting the payload in an ICMP packet, the attacker can hide the data from network monitoring tools and firewalls that may not inspect ICMP traffic. The attacker can then use another tool to decrypt the data from the ICMP packets on a remote host. This technique is known as ICMP tunneling and it is a form of protocol tunneling (MITRE T1572: Protocol Tunneling1). References:

• 1: https://attack.mitre.org/techniques/T1572/
• 2: https://www.cynet.com/attack-techniques-hands-on/how-hackers-use-icmp-tunneling-to-own-your-network/
• 3: https://digital-security.quodagis.fr/ressources/ressource/exfiltration-de-donnees-les-techniques-icmp-et-dns-tunneling-855

ExplanationPing of Death (PoD) is a type of Denial of Service (DoS) attack in which an attacker attempts to crash,destabilize, or freeze the targeted computer or service by sending malformed or oversized packets using a simple ping command.A correctly-formed ping packet is typically 56 bytes in size, or 64 bytes when the ICMP header is considered,and 84 including Internet Protocol version 4 header. However, any IPv4 packet (including pings) may be as large as 65,535 bytes. Some computer systems were never designed to properly handle a ping packet larger than the maximum packet size because it violates the Internet Protocol documentedLike other large but well-formed packets, a ping of death is fragmented into groups of 8 octets beforetransmission. However, when the target computer reassembles the malformed packet, a buffer overflow can occur, causing a system crash and potentially allowing the injection of malicious code.

 The application blocking list is an outbreak control method that allows the administrator to block certain files from executing on the endpoints based on their SHA values. This can prevent malware from running on the endpoints and causing damage. The other options are not outbreak control methods, but rather different features of AMP for endpoints. Device flow correlation is a network analysis feature that monitors connections and detects malicious activity. Simple detections and advanced custom detections are custom rules that can be created by the administrator to detect and block files based on signatures or other criteria. References:

• Configure Windows Policy in AMP for Endpoints - Cisco
• Prevent, Detect and Respond with Cisco AMP for Endpoints

The Talos IP and Domain Reputation Center is the world’s most comprehensive real-time threat detection network. It collects and analyzes data from millions of web requests, emails, malware samples, open-source data sets, endpoint intelligence, and network intrusions. It assigns a reputation score to IP addresses and domains based on their observed malicious activity and behavior. The reputation score can range from -10 (very malicious) to +10 (very benign). The reputation score can be used to block or allow traffic, or to trigger further inspection or analysis. The Talos IP and Domain Reputation Center allows you to track the reputation of IP addresses for email and web traffic, as well as to look up the category, volume, and history of any IP address or domain. You can also submit feedback or request a change of reputation for any IP address or domain. References 

https://talosintelligence.com/reputation_center/

https://bing.com/search?q=Talos+reputation+center+IP+addresses+email+web+traffic

A SQL injection attack is a type of attack that exploits a vulnerability in a web application that uses user-supplied data to construct SQL statements that interact with a database. By inserting malicious commands into the database, an attacker can execute arbitrary SQL queries or commands on the database server, which may result in data theft, data manipulation, or command execution. Machine 1 is vulnerable to SQL injection because it does not properly validate or sanitize the user input before using it in a SQL statement. Therefore, inserting malicious commands into the database would allow the attacker to gain access to machine 1.

A buffer overflow attack is a type of attack that exploits a vulnerability in a program that does not check the boundaries of a buffer (a temporary storage area for data) before copying data into it. By overflowing the buffer’s memory, an attacker can overwrite adjacent memory locations, which may result in corrupting data, crashing the program, or executing malicious code. Machine 2 is vulnerable to buffer overflow because it does not properly handle the size or length of the data that it receives from the user or another source. Therefore, overflowing the buffer’s memory would allow the attacker to gain access to machine 2.

Sniffing the packets between the two hosts is a passive attack that involves capturing and analyzing the network traffic that flows between the two machines. This attack may reveal sensitive information, such as credentials, session tokens, or database queries, but it does not directly allow the attacker to gain access to either machine. Sending continuous pings is a type of denial-of-service attack that involves flooding the target machine with ICMP echo request packets, which may consume its network bandwidth or processing resources, but it does not directly allow the attacker to gain access to either machine. Therefore, neither sniffing the packets nor sending continuous pings would allow the attacker to gain access to machine 1 but not machine 2. References :=

• Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Web Security, SQL Injection Attacks
• Understanding SQL Injection - Cisco, SQL Injection Explained
• Buffer Overflow and SQL Injection: To Remotely Attack and … - Springer, Buffer Overflow and SQL Injection Attacks

ExplanationDNS Tunneling is a method of cyber attack that encodes the data of other programs or protocols in DNSqueries and responses. DNS tunneling often includes data payloads that can be added to an attacked DNSserver and used to control a remote server and applications.

ExplanationCisco Stealthwatch Cloud: Available as an SaaS product offer to provide visibility and threat detection within public cloud infrastructures such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/xe-3se/3850/sec-user-8021x-xe-3se-3850-book/config-ieee-802x-pba.html

DevSecOps is a development practice that integrates security into all phases of the software development lifecycle, from initial design through integration, testing, deployment, and software delivery. DevSecOps focuses on application development, as it aims to deliver secure and robust applications that meet the customers’ needs and expectations. DevSecOps also makes security a shared responsibility of development, security, and operations teams, rather than a separate silo. DevSecOps enables faster and safer software delivery by automating security processes and tools, and addressing security issues as they emerge, rather than at the end of the cycle.

References :=

• Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 6: Securing the Data Center, Lesson 6.2: DevSecOps
• What Is DevSecOps? Definition and Best Practices | Microsoft Security
• What is DevSecOps? | IBM
• What is DevSecOps? | DevSecOps vs. DevOps | VMware

To enable malware file scanning for the Secure Internet Gateway (SIG), you need to enable Intelligent Proxy, which is a feature of Cisco Umbrella that provides selective proxying of web requests based on the risk level of the domain1. Intelligent Proxy allows SIG to inspect the content of potentially malicious web requests and block or allow them based on the configured policies2. Intelligent Proxy also enables SSL decryption, which is necessary to scan encrypted web traffic for malware3. Enabling IP Layer enforcement, activating the Advanced Malware Protection license, and activating SSL decryption are not required prerequisites to enable malware file scanning for the SIG, although they may provide additional security benefits45. References: 1: Intelligent Proxy - Cisco Umbrella 2: Cisco Umbrella SIG Advantage - Cisco Umbrella 3: [SSL Decryption - Cisco Umbrella] 4: [IP Layer Enforcement - Cisco Umbrella] 5: [Advanced Malware Protection - Cisco Umbrella]

Endpoint security is the process of protecting devices like workstations, servers, and other devices from malicious threats and cyberattacks. Endpoint security enables businesses to secure endpoints that employees use for work purposes or servers that are either on a network or in the cloud. Endpoint security is important because every device that connects to the corporate network is a potential vulnerability, providing a possible entry point for cyber criminals. Therefore, every device an employee uses to connect to any business system or resource carries the risk of becoming the chosen route for hacking into an organization. These devices can be exploited by malware that could leak or steal sensitive data from the business12.

One of the benefits of endpoint security is that it allows the organization to detect and mitigate threats that the perimeter security devices do not detect. Perimeter security devices, such as firewalls and intrusion prevention systems, are designed to protect the network from external attacks. However, they may not be able to prevent or detect attacks that originate from within the network, such as insider threats, compromised devices, or lateral movement. Endpoint security solutions can provide visibility and control over the devices that connect to the network, and can monitor, analyze, and respond to suspicious or malicious activities on the endpoints. Endpoint security solutions can also leverage threat intelligence and advanced analytics to identify and block known and unknown threats, such as ransomware, zero-day exploits, and targeted attacks13. References := 1: What is Endpoint Security? How Does It Work? | Fortinet 2: Microsoft Defender for Endpoint | Microsoft Security 3: Endpoint Security - Check Point Software

ExplanationExplanationIn this question, the engineer was trying to secure the connection so maybe he was trying to allow SSH to the device. But maybe something went wrong so the connection was failing (the connection used to be good). So maybe he was missing the “crypto key generate rsa” command.

In transparent mode, the WSA can handle both explicit and transparent HTTP requests, depending on how the client browser is configured. The WSA must pretend to be the origin content server for transparent requests, since the client is unaware of the existence of a proxy1. WCCP v2 is a protocol that allows a WCCP-enabled device (such as a router or a switch) to redirect traffic to the WSA based on certain criteria, such as destination port 802. This way, the client does not need to configure a proxy or a PAC file in the browser. The other options are false because they are either required for explicit mode or not supported by the WSA. References :=

• What is the difference between transparent and forward proxy mode?
• Configure Transparent Redirection With WCCP in Order to Support HTTP, HTTPS, and Native FTP Traffic

Cisco Identity Services Engine (ISE) uses various probes to collect attributes of connected endpoints, such as device type, operating system, IP address, MAC address, and so on. These attributes are used to profile the endpoints and assign them to appropriate identity groups and policies. Two of the probes that can be configured to gather attributes of connected endpoints using Cisco ISE are RADIUS and DHCP.

• RADIUS probe: The RADIUS probe collects attributes from the RADIUS packets that are exchanged between the network access devices (NADs) and the ISE Policy Service Nodes (PSNs) during the authentication and authorization process. The RADIUS probe can extract attributes such as username, calling-station-ID, NAS-IP-address, NAS-port-type, service-type, and so on. The RADIUS probe can also collect attributes from the RADIUS accounting packets that are sent by the NADs to the ISE PSNs after the session is established. The RADIUS probe can extract attributes such as session-ID, framed-IP-address, acct-session-time, and so on. The RADIUS probe is enabled by default and does not require any additional configuration on the NADs or the ISE PSNs.
• DHCP probe: The DHCP probe collects attributes from the DHCP packets that are exchanged between the endpoints and the DHCP server during the IP address assignment process. The DHCP probe can extract attributes such as hostname, vendor-class-identifier, client-identifier, parameter-request-list, and so on. The DHCP probe can also collect attributes from the DHCP relay packets that are forwarded by the NADs to the ISE PSNs. The DHCP probe can extract attributes such as relay-agent-information and subscriber-ID. The DHCP probe requires some configuration on the NADs and the ISE PSNs. The NADs must be configured to relay or copy the DHCP packets to the ISE PSNs, and the ISE PSNs must be configured to receive the DHCP packets on a specific interface.

References: 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ISE_admin_guide_24/m_assetvisibility_endpointprofiler.html

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_00.html

ExplanationExplanationCryptographic algorithms defined for use with IPsec include:+ HMAC-SHA1/SHA2 for integrity protection and authenticity.+ TripleDES-CBC for confidentiality+ AES-CBC and AES-CTR for confidentiality.+ AES-GCM and ChaCha20-Poly1305 providing confidentiality and authentication together efficiently.

The main difference between an on-premise solution and a cloud-based solution is the distribution of responsibilities between the customer and the provider. With an on-premise solution, the customer has full control over the installation, configuration, maintenance, and security of the product, but also bears the costs and risks associated with it. With a cloud-based solution, the provider takes care of most of these aspects, while the customer pays a subscription fee and accesses the product over the internet. Therefore, when choosing between the two options, the customer must consider factors such as cost, scalability, performance, availability, security, compliance, and customization. For example, an on-premise solution may be preferred if the customer has strict security or regulatory requirements, or needs a high level of customization. A cloud-based solution may be preferred if the customer wants to reduce capital expenditure, or needs a flexible and scalable solution that can adapt to changing demands. References :=

Some possible references are:

• Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 1: Security Concepts, Lesson 1: Describing Information Security Concepts, Topic: Cloud Security
• 350-701 SCOR - Cisco, Exam Topics, 1.0 Security Concepts, 1.6 Compare and contrast the characteristics of a data center and the cloud
• Cloud vs. On-Premise Software Comparison

ExplanationExplanationHow To Troubleshoot ISE Failed Authentications & AuthorizationsCheck the ISE Live LogsLogin to the primary ISE Policy Administration Node (PAN).Go to Operations > RADIUS > Live Logs(Optional) If the event is not present in the RADIUS Live Logs, go to Operations > Reports > Reports >Endpoints and Users > RADIUS AuthenticationsCheck for Any Failed Authentication Attempts in the Log

ExplanationExplanationSouthbound APIs enable SDN controllers to dynamically make changes based on real-time demands andscalability needs.

ExplanationTo understand DHCP snooping we need to learn about DHCP spoofing attack first.

DHCP spoofing is a type of attack in that the attacker listens for DHCP Requests from clients and answers them with fake DHCP Response before the authorized DHCP Response comes to the clients. The fake DHCP Response often gives its IP address as the client default gateway -> all the traffic sent from the client will go through the attacker computer, the attacker becomes a “man-in-the-middle”.The attacker can have some ways to make sure its fake DHCP Response arrives first. In fact, if the attacker is “closer” than the DHCP Server then he doesn’t need to do anything. Or he can DoS the DHCP Server so that it can’t send the DHCP Response.DHCP snooping can prevent DHCP spoofing attacks. DHCP snooping is a Cisco Catalyst feature thatdetermines which switch ports can respond to DHCP requests. Ports are identified as trusted and untrusted.

Only ports that connect to an authorized DHCP server are trusted, and allowed to send all types of DHCPmessages. All other ports on the switch are untrusted and can send only DHCP requests. If a DHCP responseis seen on an untrusted port, the port is shut down.

ExplanationSymmetric encryption uses a single key that needs to be shared among the people who need to receive the message while asymmetric encryption uses a pair of public key and a private key to encrypt and decrypt messages when communicating.Asymmetric encryption takes relatively more time than the symmetric encryption.Diffie Hellman algorithm is an asymmetric algorithm used to establish a shared secret for a symmetric keyalgorithm. Nowadays most of the people uses hybrid crypto system i.e, combination of symmetric andasymmetric encryption. Asymmetric Encryption is used as a technique in key exchange mechanism to share secret key and after the key is shared between sender and receiver, the communication will take place using symmetric encryption. The shared secret key will be used to encrypt the communication.Triple DES (3DES), a symmetric-key algorithm for the encryption of electronic data, is the successor of DES (Data Encryption Standard) and provides more secure encryption then DES.Note: Although “requires secret keys” option in this question is a bit unclear but it can only be assigned toSymmetric algorithm.

PFS stands for Perfect Forward Secrecy, which is a property of some cryptographic protocols that ensures that the compromise of a long-term key does not affect the security of past or future sessions. PFS provides the highest level of protection against brute-force attacks, because even if an attacker manages to break the long-term key, they cannot decrypt the previous or subsequent communications that use different session keys. PFS is achieved by using ephemeral or temporary keys that are derived from a Diffie-Hellman key exchange, and are not based on the long-term key. Therefore, each session has a unique and independent key that is not stored or reused. PFS is supported by some protocols such as TLS, SSH, and IPsec123. References := 1: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 4: Securing Networks with Cisco Firepower Next Generation IPS, Lesson 4.1: Deploying Cisco Firepower Next-Generation IPS, Topic 4.1.2: Cisco Firepower NGIPS Device Management 2: What is Perfect Forward Secrecy? | Baeldung on Computer Science4 3: Perfect Forward Secrecy - an overview | ScienceDirect Topics5

Cisco AMP for Endpoints is a cloud-based endpoint security solution that provides advanced malware protection, threat detection and response, and endpoint isolation. It protects endpoint systems through application control and real-time scanning, which are two of its multifaceted prevention techniques. Application control allows administrators to define and enforce policies on which applications can run on the endpoints, while real-time scanning continuously monitors files and processes for malicious activity. These features help stop threats from compromising the endpoints and reduce the attack surface. Cisco Secure Endpoint (Formerly AMP for Endpoints) - CiscoMalware Protection - Cisco AMP Advanced Malware Protection References:

• Cisco Secure Endpoint (Formerly AMP for Endpoints) - Cisco
• Malware Protection - Cisco AMP Advanced Malware Protection
• Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Endpoint Protection and Detection, Lesson 3.1: Cisco AMP for Endpoints, Topic 3.1.1: Introduction to Cisco AMP for Endpoints
• Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Endpoint Protection and Detection, Lesson 3.1: Cisco AMP for Endpoints, Topic 3.1.2: Cisco AMP for Endpoints Architecture
• Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Endpoint Protection and Detection, Lesson 3.1: Cisco AMP for Endpoints, Topic 3.1.3: Cisco AMP for Endpoints Features

ExplanationExplanationTo configure an NTP enabled router to require authentication when other devices connect to it, use thefollowing commands:NTP_Server(config)#ntp authentication-key 2 md5 securitytutNTP_Server(config)#ntp authenticateNTP_Server(config)#ntp trusted-key 2Then you must configure the same authentication-key on the client router:NTP_Client(config)#ntp authentication-key 2 md5 securitytutNTP_Client(config)#ntp authenticateNTP_Client(config)#ntp trusted-key 2NTP_Client(config)#ntp server 10.10.10.1 key 2Note: To configure a Cisco device as a NTP client, use the command ntp server . For example:Router(config)#ntp server 10.10.10.1. This command will instruct the router to query 10.10.10.1 for the time.

Cisco DNA Center APIs are RESTful APIs that allow you to automate and operate your network at scale, using Python scripts or other tools. They are not Cisco proprietary, as they follow the OpenAPI specification and can be accessed by any client that supports HTTP requests. They do not require Postman, although Postman is a useful tool to test and explore the API endpoints. They can quickly provision new devices by applying predefined templates and workflows, and they can view the overall health of the network by retrieving metrics and alerts from various sources. References :=

• Cisco DNA Center Platform - Cisco DevNet
• Introduction to Cisco DNA Center REST APIs - Cisco DevNet Learning Labs
• Cisco DNA Center Platform User Guide, Release 2.3.4

DNS tunneling is a technique that exploits the DNS protocol to tunnel malware and other data through a client-server model. DNS tunneling can be used for data exfiltration, command and control, or IP-over-DNS tunneling. DNS tunneling works by encoding the information of other protocols or programs in DNS queries and responses. An attacker registers a domain, such as badsite.com, and sets up a malicious DNS server that can interpret the encoded data. The attacker then infects a client with malware that can send and receive DNS queries to the attacker’s domain. The malware can use DNS queries to request commands from the attacker, or to send sensitive data to the attacker. The DNS queries and responses look like normal DNS traffic, but they contain hidden data that can bypass network defenses123. References := 1: What Is DNS Tunneling? - Palo Alto Networks 2: What is DNS Tunneling? - Check Point Software 3: What Is DNS Tunneling and How to Detect and Prevent Attacks

ExplanationExplanationDevSecOps (development, security, and operations) is a concept used in recent years to describe how to movesecurity activities to the start of the development life cycle and have built-in security practices in the continuousintegration/continuous deployment (CI/CD) pipeline. Thus minimizing vulnerabilities and bringing security closerto IT and business objectives.Three key things make a real DevSecOps environment:+ Security testing is done by the development team.+ Issues found during that testing is managed by the development team.+ Fixing those issues stays within the development team.

Graphical user interface Description automatically generated with low confidence

 Multi-factor authentication (MFA) is an authentication method that requires the user to provide two or more verification factors to gain access to a resource such as an application, online account, or a VPN. MFA is a core component of a strong identity and access management (IAM) policy1. MFA is important to implement inside of an organization because it can prevent brute force attacks from being successful. A brute force attack is a type of cyberattack that tries to guess the user’s password or PIN by trying different combinations until it finds the correct one. This can be done manually or with automated tools. MFA can stop brute force attacks by requiring an additional factor of authentication that the attacker does not have, such as a phone, a token, a biometric, or a location. MFA can also reduce the risk of other types of attacks that rely on stealing or compromising the user’s credentials, such as phishing, keylogging, or credential stuffing. References := 1: What is Multi-Factor Authentication (MFA)? | OneLogin

ExplanationIn this IaaS model, cloud providers offer resources to users/machines that include computers as virtualmachines, raw (block) storage, firewalls, load balancers, and network devices.Note: Cloud access security broker (CASB) provides visibility and compliance checks, protects data against misuse and exfiltration, and provides threat protections against malware such as ransomware.

Explanation CoA Messages are sent on two different udp ports depending on the platform. Cisco standardizes on UDP port1700, while the actual RFC calls out using UDP port 3799.

Cisco Stealthwatch - rapidly collects and analyzes netflow and telementy data to deliver in-depth visibility and understanding of network traffic

Cisco ISE – obtains contextual identity and profiles for all users and device

Cisco TrustSec – software defined segmentation that uses SGTs

Cisco Umbrella – secure internet gateway ion the cloud that provides a security solution

 The product that allows Cisco FMC to push security intelligence observable to its sensors from other products is Threat Intelligence Director (TID). TID is a feature of Cisco FMC that enables you to integrate third-party threat intelligence feeds into your security policies. TID collects, aggregates, and correlates observables from multiple sources, such as Cisco Talos Intelligence, Cisco Umbrella, and other external providers. TID then pushes the observables to the sensors that are managed by FMC, such as Firepower Threat Defense (FTD) devices, Firepower appliances, and Cisco Secure Firewall Cloud Native. The sensors can then use the observables to block or monitor traffic based on the reputation and threat level of the IP addresses, URLs, and domains12.

References: 1: Firepower Management Center Configuration Guide, Version 6.6 - Threat Intelligence Director [Cisco Secure Firewall Management Center] - Cisco 2: Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager, Version 6.6 - Threat Intelligence Director [Cisco Firepower NGFW] - Cisco

ExplanationIn explicit proxy mode, users are configured to use a web proxy and the web traffic is sent directly to the Cisco WSA. In contrast, in transparent proxy mode the Cisco WSA intercepts user's web traffic redirected from other network devices, such as switches, routers, or firewalls.

The Cisco ASA and the Cisco IOS router with Zone-Based Policy Firewall (ZFW) have different default behaviors when it comes to traffic filtering. The Cisco ASA follows a default deny-all policy that prohibits traffic between firewall security zones until an explicit policy is applied to allow desirable traffic1. The Cisco IOS router with ZFW, on the other hand, starts out by allowing all traffic, even on untrusted interfaces, until a zone-pair policy is applied to restrict or inspect traffic2. This means that the Cisco ASA provides a higher level of security by default, while the Cisco IOS router with ZFW requires more configuration to harden the router. However, the Cisco IOS router with ZFW also offers more flexibility and granularity in defining firewall policies, as well as more advanced features such as DMVPN, GET VPN, and Policy-Based Routing, which are not supported by the Cisco ASA23. References:

• 2: IOS Firewall vs. ASA - Cisco Community
• 1: Understand the Zone-Based Policy Firewall Design - Cisco
• 4: What is a functional difference between a Cisco ASA and a Cisco IOS router with Zone-based policy firewall?
• 5: What is a functional difference between a Cisco ASA and Cisco IOS router with Zone-based policy firewall?
• 3: Cisco Zone-Based Firewall Reporting – Plixer

The mechanism that the engineer should configure to accomplish the goal of sending telemetry using the cloud provider’s mechanisms to a security device is VPC flow logs. VPC flow logs are a feature of Google Cloud that capture and record information about the network flows sent from and received by the virtual machines (VMs) inside a VPC network1. VPC flow logs can provide network telemetry data such as source and destination IP addresses, ports, protocols, bytes sent and received, and connection state1. VPC flow logs can be exported to Cloud Logging, Pub/Sub, or Cloud Storage for further analysis by security devices or tools1. VPC flow logs can help the engineer to perform behavioral analysis to detect malicious activity on the hosts, such as network scans, port sweeps, brute force attacks, data exfiltration, or lateral movement2.

The other options are not correct mechanisms to send telemetry using the cloud provider’s mechanisms to a security device. Option A is incorrect because mirror port is not a feature of Google Cloud, but rather a network device configuration that copies traffic from one port to another for monitoring purposes3. Option B is incorrect because flow is not a specific mechanism, but rather a generic term that refers to a sequence of packets between a source and a destination4. Option C is incorrect because NetFlow is not a feature of Google Cloud, but rather a network protocol developed by Cisco that collects and aggregates information about network flows5. NetFlow is not compatible with VPC flow logs, which use a different format6. References:

• VPC flow logs overview
• When to use 5 telemetry types in security threat monitoring
• What is a Mirror Port?
• What is a Network Flow?
• What is NetFlow?
• Exporting VPC flow logs to Pub/Sub

ExplanationYou can configure discovery rules to tailor the discovery of host and application data to your needs.The Firepower System can use data from NetFlow exporters to generate connection and discovery events, and to add host and application data to the network map.A network analysis policy governs how traffic is decoded and preprocessed so it can be further evaluated, especially for anomalous traffic that might signal an intrusion attempt -> Answer D is not correct.

 ESP (Encapsulating Security Payload) is a cryptographic process that provides origin confidentiality, integrity, and origin authentication for packets. ESP encrypts the payload of an IP packet with a symmetric key, and adds a header and a trailer to the packet. The header contains a security parameter index (SPI) and a sequence number, which are used to identify the security association (SA) and prevent replay attacks. The trailer contains padding and a next header field, which are used to align the packet and indicate the type of the original payload. ESP also adds an authentication data field at the end of the packet, which contains a message authentication code (MAC) that is computed over the entire ESP packet (except for the authentication data field itself) using a secret key and a hash function. The MAC provides data integrity and origin authentication for the packet. ESP can operate in two modes: tunnel mode and transport mode. In tunnel mode, ESP encapsulates the entire original IP packet, including the IP header, and adds a new IP header. This mode provides protection for the entire packet, but adds more overhead. In transport mode, ESP only encapsulates the payload of the original IP packet, and leaves the IP header intact. This mode provides protection only for the payload, but preserves the original IP header information. ESP is one of the two main protocols of IPsec, along with AH (Authentication Header). AH only provides data integrity and origin authentication, but not confidentiality. AH adds a header to the IP packet, which contains a MAC that is computed over the immutable fields of the IP header and the entire payload. AH does not encrypt the payload, and therefore does not protect it from eavesdropping. AH can also operate in tunnel mode or transport mode, but it is incompatible with NAT devices, which modify the IP header fields. IKE (Internet Key Exchange) is a protocol that is used to establish and manage SAs for IPsec. IKE negotiates the security parameters, such as the encryption and authentication algorithms, the keys, and the SPIs, for the IPsec protocols. IKE also performs mutual authentication between the IPsec peers, and establishes a secure channel for exchanging keying material. IKE has two versions: IKEv1 and IKEv2. IKEv1 consists of two phases: phase 1 and phase 2. In phase 1, IKEv1 establishes an IKE SA, which is a secure channel for phase 2. In phase 2, IKEv1 negotiates one or more IPsec SAs, which are used to protect the IPsec traffic. IKEv2 simplifies the IKE protocol by combining the two phases of IKEv1 into a single exchange. IKEv2 also supports more features, such as NAT traversal, EAP authentication, and MOBIKE. References :=

• Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: VPN Technologies, Lesson 3.1: Site-to-Site VPNs, Topic 3.1.1: IPsec VPNs
• IPsec - Wikipedia
• AH and ESP protocols - IBM
• How TLS provides identification, authentication, confidentiality, and integrity - IBM

Explanation Cisco Cloudlock is a cloud-native cloud access security broker (CASB) that helps you move to the cloud safely.It protects your cloud users, data, and apps. Cisco Cloudlock provides visibility and compliance checks,protects data against misuse and exfiltration, and provides threat protections against malware like ransomware.

DMVPN and sVTI are both VPN technologies that use IPsec to secure the tunnel traffic. However, they differ in how they establish and manage the tunnels. DMVPN supports dynamic tunnel establishment, which means that the VPN endpoints can create and delete tunnels on demand, based on the routing information. This allows for a scalable and flexible VPN topology, where the endpoints can communicate directly with each other without going through a central hub. sVTI, on the other hand, supports static tunnel establishment, which means that the VPN endpoints have to manually configure the tunnel source and destination addresses. This requires a one-to-one mapping between the endpoints, and limits the VPN topology to a hub-and-spoke model, where the endpoints can only communicate with the hub. Therefore, DMVPN is more suitable for large and dynamic VPN networks, while sVTI is more suitable for small and stable VPN networks. References:

• [Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0], Module 5: Secure Connectivity, Lesson 5.2: Implementing Site-to-Site VPNs, Topic 5.2.3: Dynamic Multipoint VPN (DMVPN)
• what is difference between svti and DVTI? - Cisco Community

The Python script in the exhibit uses the Cisco AMP for Endpoints API to get information about the computers in the deployment. It imports the requests library, which allows it to make HTTP requests. It then defines three variables: client_id, api_key, and url. These are used to authenticate and access the API endpoint. The url is set to ‘1’, which returns a list of computers in JSON format. The script then makes a GET request using the requests.get() method, passing the url and the authentication details as parameters. The response from the API is stored in the response variable, and converted to JSON using the response.json() method. The script then loops over each computer in the ‘data’ field of the JSON response, using a for loop. Inside the loop, it extracts the hostname of each computer using the ‘hostname’ key, and prints it using the print() function. Therefore, the script will pull all computer hostnames and print them, which is option C. References:

• Overview of the Cisco AMP for Endpoints API
• Secure Endpoint API - Cisco DevNet
• Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0

ExplanationWe choose “Chat and Instant Messaging” category in “URL Category”:

To block certain URLs we need to choose URL Reputation from 6 to 10.

Stateful failover means that the connection state information is replicated from the active ASA to the standby ASA, so that in the event of a failover, the connections are preserved and do not need to be reestablished. Stateless failover means that the connection state information is not replicated, so that in the event of a failover, the connections are dropped and need to be reestablished by the end hosts. Stateful failover provides a smoother transition and less disruption to the network traffic, while stateless failover is simpler and less resource-intensive. References:

• Failover for High Availability - Cisco
• Failover Types / ASA Failover Addresses / Failover Requirements | Cisco …

A Trojan malware attack is a type of malicious code or software that disguises itself as a legitimate program or file to trick users into executing it. Once executed, the Trojan can perform various harmful actions on the infected system or network, such as stealing data, deleting files, or installing other malware. There are different types of Trojan malware attacks, depending on their purpose and behavior. Two common types are:

• Rootkit: A rootkit is a type of Trojan that hides itself and other malware from detection and removal by antivirus software or system tools. A rootkit can modify the operating system or the firmware of the device to gain persistent and privileged access to the system. A rootkit can also intercept and manipulate system calls, network traffic, or user input to conceal its activities or redirect them to malicious servers.
• Backdoor: A backdoor is a type of Trojan that creates a secret or unauthorized access point to the infected system or network. A backdoor can allow an attacker to remotely control the system, execute commands, upload or download files, or monitor the system activity. A backdoor can also be used to install other malware or launch further attacks on other systems or networks.

References:

• [Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0], Module 1: Malware Threats, Lesson 1: Identifying Malware Threats, Topic: Trojan Horse
• What is a Trojan? Is it a virus or is it malware? - Norton™
• Trojan Horse Examples (2024): The 6 Worst Attacks Ever - SoftwareLab

The best way to prevent the session during the initial TCP communication is to configure policies to stop and reject communication from the known malicious domain. This will prevent the ESA from accepting any messages from that domain and send a negative SMTP response code back to the sender. This will also save the ESA’s resources and bandwidth, as it will not have to process or store the malicious emails. This can be done by creating a sender group in the Host Access Table (HAT) that matches the malicious domain and setting the mail flow policy to “Reject” or “Throttle”. Alternatively, a message filter can be created that checks the envelope sender against the malicious domain and applies the “stop_connection” or “reject_connection” action12.

The other options are not as effective as stopping and rejecting the communication at the TCP level. Configuring the Cisco ESA to drop the malicious emails (option A) will still allow the ESA to accept the messages and then silently discard them, which will consume the ESA’s resources and bandwidth, and also not notify the sender of the rejection. Configuring policies to quarantine malicious emails (option B) will also require the ESA to accept and store the messages, which will take up disk space and require manual or automated management of the quarantine. Configuring the Cisco ESA to reset the TCP connection (option D) will abruptly terminate the connection without sending a proper SMTP response code, which may cause the sender to retry the delivery and generate more traffic. Resetting the TCP connection is also considered a less polite and less compliant way of rejecting messages than sending a negative SMTP response code34. References: 1: How to Block a Sender Domain on the Email Security Appliance 2: Message Filters on the Cisco Email Security Appliance 3: How to Configure the Cisco Email Security Appliance to Reject or Drop Messages 4: Cisco Email Security Appliance User Guide - Configuring Mail Policies

 A security application that notifies a controller within a software-defined network architecture about a specific security threat is using a northbound API. A northbound API is an interface that enables communication between the SDN controller and the applications or management systems that use the network services1. A security application can use a northbound API to send alerts, requests, or commands to the SDN controller, which can then take appropriate actions on the network devices or policies2. For example, a security application can use a northbound API to inform the SDN controller about a malicious traffic pattern, and the SDN controller can then block or redirect the traffic using a southbound API3.

References: 1: What is Software-Defined Networking (SDN)? | VMware Glossary 2: Intent-Based Networking’s Next Evolution: The DNA Center Platform - Cisco Blogs 3: Cisco SDN Security: Securing the Software Defined Network - Cisco

ExplanationExplanationYou can also bring up the port by using these commands:+ The “shutdown” interface configuration command followed by the “no shutdown” interface configurationcommand restarts the disabled port.+ The “errdisable recovery cause …” global configuration command enables the timer to automatically recover error-disabled state, and the “errdisable recovery interval interval” global configuration command specifies the time to recover error-disabled state.

Graphical user interface, text, application Description automatically generated

https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa11-0/user_guide/b_WSA_UserGuide/b_WSA_UserGuide_chapter_01101.html Policy Order The order in which policies are listed in a policy table determines the priority with which they are applied to Web requests. Web requests are checked against policies beginning at the top of the table and ending at the first policy matched. Any policies below that point in the table are not processed. If no user-defined policy is matched against a Web request, then the global policy for that policy type is applied. Global policies are always positioned last in Policy tables and cannot be re-ordered.

 Secret key cryptography, also known as symmetric key cryptography, is a type of encryption where a single secret key is used for both encryption and decryption of a message. The cryptographic key is kept secret between the sender and receiver, making it difficult for anyone else to decipher the message. Some of the functions of secret key cryptography are:

• Key selection without integer factorization: Secret key cryptography does not rely on complex mathematical problems such as integer factorization or discrete logarithms to generate keys. Instead, the keys are chosen randomly or derived from a passphrase or a shared secret. This makes the key generation process faster and simpler than in public key cryptography.
• Utilization of less memory: Secret key cryptography uses less memory than public key cryptography, as it only requires one key to be stored and managed. Public key cryptography, on the other hand, requires two keys (public and private) for each user, which increases the memory overhead and complexity of key management.

The other options are not functions of secret key cryptography, but rather characteristics of public key cryptography or asymmetric cryptography, which is a different type of encryption where different keys are used for encryption and decryption. Public key cryptography has the following features:

• Utilization of different keys for encryption and decryption: Public key cryptography uses a pair of keys, one public and one private, for each user. The public key can be shared with anyone, while the private key must be kept secret. The public key is used to encrypt messages, while the private key is used to decrypt them. This allows users to communicate securely without having to exchange a secret key beforehand.
• Utilization of large prime number iterations: Public key cryptography relies on hard mathematical problems such as integer factorization or discrete logarithms to generate keys. These problems involve finding the prime factors of large numbers or finding the discrete logarithms of numbers in a finite field. These problems are easy to solve in one direction, but hard to solve in the reverse direction. For example, it is easy to multiply two large prime numbers, but hard to find the prime factors of the product. This makes the keys hard to break by brute force or other methods.
• Provides the capability to only know the key on one side: Public key cryptography enables users to encrypt messages without knowing the recipient’s key, and vice versa. This is possible because the encryption and decryption keys are different and mathematically related. For example, Alice can encrypt a message with Bob’s public key, and only Bob can decrypt it with his private key. Alice does not need to know Bob’s private key, and Bob does not need to know Alice’s key. This also enables public key cryptography to support digital signatures, which are a way of verifying the identity and integrity of a message.

References :=

• What Is Secret Key Cryptography? A Complete Guide - Helenix
• Definition of Secret-key Cryptography - Gartner

Explanation To understand DHCP snooping we need to learn about DHCP spoofing attack first.

DHCP spoofing is a type of attack in that the attacker listens for DHCP Requests from clients and answers them with fake DHCP Response before the authorized DHCP Response comes to the clients. The fake DHCP Response often gives its IP address as the client default gateway -> all the traffic sent from the client will go through the attacker computer, the attacker becomes a “man-in-the-middle”.The attacker can have some ways to make sure its fake DHCP Response arrives first. In fact, if the attacker is “closer” than the DHCP Server then he doesn’t need to do anything. Or he can DoS the DHCP Server so that it can’t send the DHCP Response.DHCP snooping can prevent DHCP spoofing attacks. DHCP snooping is a Cisco Catalyst feature thatdetermines which switch ports can respond to DHCP requests. Ports are identified as trusted and untrusted.

Only ports that connect to an authorized DHCP server are trusted, and allowed to send all types of DHCP

messages. All other ports on the switch are untrusted and can send only DHCP requests. If a DHCP response is seen on an untrusted port, the port is shut down.

The port connected to a DHCP server should be configured as trusted port with the “ip dhcp snooping trust” command. Other ports connecting to hosts are untrusted ports by default.

In this question, we need to configure the uplink to “trust” (under interface Gi1/0/1) as shown below.

ExplanationA posture policy is a collection of posture requirements, which are associated with one or more identity groups, and operating systems. We can configure ISE to check for the Windows patch at Work Centers > Posture > Posture Elements > Conditions > File.In this example, we are going to use the predefined file check to ensure that our Windows 10 clients have the critical security patch installed to prevent the Wanna Cry malware; and we can also configure ISE to update the client with this patch.

A passphrase is a type of protection that encrypts RSA keys when they are exported and imported. A passphrase is a sequence of characters that the user enters to decrypt the key. The passphrase acts as a symmetric key that is used to encrypt and decrypt the RSA key with a symmetric algorithm, such as AES. This way, the RSA key is protected from unauthorized access or tampering when it is transferred or stored. A passphrase can also provide additional security by adding entropy to the RSA key generation process. A file, NGE, and nonexportable are not types of protection that encrypt RSA keys when they are exported and imported. A file is a container that stores the RSA key, but does not encrypt it. NGE stands for Next Generation Encryption, which is a set of cryptographic standards and algorithms that Cisco recommends, but it is not a specific type of protection. Nonexportable is a property that prevents the RSA key from being exported at all, but it does not encrypt it. References: RSA/Schannel Key BLOBs, Common Encryption Types, Protocols and Algorithms Explained, Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 (Module 5: Implementing Secure Communications with VPNs, Lesson 5.1: Implementing Site-to-Site VPNs, Topic 5.1.2: Implementing Site-to-Site VPNs with Pre-Shared Keys)

Cisco Umbrella is a cloud-delivered and SaaS-based solution that provides DNS-layer security and web filtering for internet traffic. It blocks requests to malicious domains or IPs before a connection is even established, and logs and inspects all web traffic for greater transparency, control, and protection1.

However, not all domains or IPs are clearly malicious or benign. Some of them may be risky, meaning that they host both legitimate and malicious content, or that they have a low reputation score based on various factors. For these domains or IPs, Cisco Umbrella offers the option to proxy the traffic through the intelligent proxy, which is a selective web proxy that performs deeper inspection and analysis of the web content2.

The intelligent proxy can apply URL filtering, file inspection, and file type control to the proxied traffic, and block or allow it based on the policy settings. The intelligent proxy can also leverage Cisco Advanced Malware Protection (AMP) and antivirus engines to scan files for malware and threats3.

Therefore, by using the intelligent proxy, Cisco Umbrella can manage traffic that is directed toward risky domains more effectively, and provide an additional layer of security and visibility for the organization.

References :=

• Manage the Intelligent Proxy
• Manage File Inspection
• Cisco Umbrella At a Glance

Cisco Umbrella allows you to create custom destination lists that contain specific domains or IP addresses that you want to allow or block. You can then apply these destination lists to your policies to override the default behavior of Umbrella. For example, if you want to block specific addresses using Cisco Umbrella, you can create a destination list with those addresses and set the action to block. Then, you can assign this destination list to the policy that you want to modify. This way, any request to those addresses will be blocked by Umbrella, regardless of the content category or application settings12 References := 1: Manage Policies - Umbrella User Guide 2: Understanding Destination lists supported entries and error messages - Cisco Umbrella

sfr {fail-open | fail-close [monitor-only]} <- There's a couple different options here. The first one is fail-open which means that if the Firepower software module is unavailable, the ASA will continue to forward traffic. fail-close means that if the Firepower module fails, the traffic will stop flowing. While this doesn't seem ideal, there might be a use case for it when securing highly regulated environments. The monitor-only switch can be used with both and basically puts the Firepower services into IDS-mode only. This might be useful for initial testing or setup.

Device compliance checks are used to verify that the devices managed by Intune meet the security and configuration requirements defined by the organization. Device compliance checks can use various parameters to evaluate the device state, such as:

• Endpoint protection software version: This parameter checks if the device has a valid and up-to-date antivirus or antimalware software installed and running. This parameter helps to protect the device from malicious software and network attacks.
• Device operating system version: This parameter checks if the device has the minimum or maximum operating system version supported by the organization. This parameter helps to ensure that the device has the latest security patches and features available.
• Windows registry values: This parameter checks if the device has specific registry values configured or not. This parameter helps to enforce custom settings or policies on the device that are not covered by other parameters.
• DHCP snooping checks: This parameter checks if the device is connected to a trusted network that uses DHCP snooping to prevent rogue DHCP servers from assigning IP addresses to the device. This parameter helps to prevent man-in-the-middle attacks and network spoofing.
• DNS integrity checks: This parameter checks if the device is using a secure and reliable DNS server that can resolve domain names correctly and prevent DNS hijacking or poisoning. This parameter helps to prevent phishing and redirection attacks.

References :=

Some possible references are:

• Device compliance policies in Microsoft Intune | Microsoft Learn, Microsoft
• Monitor results of your device compliance policies in Microsoft Intune | Microsoft Learn, Microsoft
• Check device access | Microsoft Learn, Microsoft
• Ensure device compliance - Configuration Manager | Microsoft Learn, Microsoft

The exhibit shows an access rule for URL filtering that has the following conditions:

• The action is Block
• The URL category is Botnets
• The URL reputation is 3
• The URL list is empty

This means that the rule will block any URL that matches the category and reputation criteria, regardless of the individual URL. According to the Cisco documentation1, the URL reputation is a score from 1 to 5 that indicates the risk level of a URL, where 1 is the most risky and 5 is the least risky. Therefore, a reputation score of 3 means a moderate risk level. The rule will not block URLs for botnets with reputation scores of 1, 2, 4, or 5, nor will it block any other URL category or list. The rule will also not allow any URL, as the action is Block, not Allow.

References := 1: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 4: Securing the Cloud, Lesson 4.3: Cloud Application Security, Topic 4.3.2: Cisco Umbrella, page 4-58.

 To configure a flow-export action on a Cisco ASA, you need to use the flow-export event-type command and the policy-map command. The flow-export event-type command specifies the type of events that trigger the export of NetFlow Security Event Logging (NSEL) records to a collector. The policy-map command creates or modifies a policy map that can be applied to one or more interfaces to specify a service policy. A service policy consists of a traffic class and one or more actions to be applied to the traffic class. One of the actions can be a flow-export action that matches the NSEL events and sends them to a collector. The other commands are not required for configuring a flow-export action. The access-list command creates or modifies an access list that can be used to filter traffic or match traffic classes, but it is not mandatory for a flow-export action. The flow-export template timeout-rate command specifies how often the ASA sends the template to the collector, but it is not part of the flow-export action configuration. The access-group command applies an access list to an interface, but it is not related to the flow-export action. References:

• Cisco ASA 5500 Series Configuration Guide using the CLI, 8.4 and 8.6 - Configuring Network Secure Event Logging (NSEL)
• Solved: Flow-Export problem - Cisco Community
• How to configure NetFlow on Cisco ASA firewalls - Auvik Support
• Configuring Cisco’s ASA for NSEL Export to the StealthWatch System

A serverless application is one that does not require the developer to manage the underlying infrastructure or servers. Instead, the application code is executed by a cloud provider in response to events or triggers, such as HTTP requests, database changes, or messages. The cloud provider automatically provisions, scales, and manages the resources needed to run the code, and charges only for the time and resources consumed by the execution. A serverless application runs from an ephemeral, event-triggered, and stateless container that is fully managed by a cloud provider. This means that the container is created on demand when an event occurs, and is destroyed when the execution is completed. The container does not store any persistent state or data, and is isolated from other containers. The cloud provider handles the load balancing, fault tolerance, security, and monitoring of the container. A serverless application can leverage various cloud services, such as databases, storage, messaging, analytics, and machine learning, to perform complex tasks and functionalities. Serverless computing is a cloud-native development model that enables developers to focus on the business logic and deliver faster and more scalable applications. References:

• Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 8: Cloud and Virtual Network Security, Lesson 8.1: Cloud Computing Concepts
• What is serverless? - Red Hat
• Serverless computing and applications | Microsoft Azure

Trusted Automated Exchange of Indicator Information (TAXII) is a standard that defines how to exchange cyber threat intelligence (CTI) over HTTPS. CTI includes indicators of compromise (IOCs), such as malware hashes, IP addresses, URLs, and domains, that can be used to detect and respond to cyberattacks. TAXII enables the sharing of CTI in a secure, automated, and interoperable way among different organizations and tools. Structured Threat Information Expression (STIX) is a standard that defines how to represent and structure CTI in a common language. STIX and TAXII are often used together to facilitate the exchange of CTI. Advanced Persistent Threat (APT) is not a standard, but a term used to describe a sophisticated and stealthy cyberattack that persists over a long period of time, often targeting specific organizations or sectors. Open Command and Control (OpenC2) is a standard that defines how to communicate and execute cyber defense actions across different technologies and domains. OpenC2 enables the orchestration and automation of cyber defense actions, such as blocking, isolating, or redirecting malicious traffic or devices. References :=

Some possible references are:

• [Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0], Module 4: Content Security, Lesson 4.3: Cisco Umbrella, Topic 4.3.1: Cisco Umbrella Investigate
• 350-701 SCOR - Cisco, Exam Topics, 4.0 Content Security, 4.3 Describe the components, capabilities, and benefits of Cisco Umbrella, 4.3.a Investigate
• TAXII - OASIS Cyber Threat Intelligence Technical Committee, Overview, Introduction
• STIX - OASIS Cyber Threat Intelligence Technical Committee, Overview, Introduction
• OpenC2 - OASIS Open Command and Control Technical Committee, Overview, Introduction
• What is an Advanced Persistent Threat (APT)? | Fortinet, Definition, What is an APT?

 The monitoring agent uses the RTP (Real-time Transport Protocol) performance metric to collect and output packet loss and jitter information. RTP is a network protocol used for delivering audio and video over IP networks. It provides mechanisms for timestamping, sequence numbering, and delivery monitoring, which allow for the measurement of packet loss and jitter. RTP is specifically designed for real-time multimedia streaming applications, which are more sensitive to changes in the transmission characteristics of data networks than other applications. Therefore, RTP performance is a suitable metric for monitoring and collecting packet loss and jitter information.

The other options are not directly related to measuring packet loss and jitter. TCP (Transmission Control Protocol) is a transport protocol that ensures reliable and ordered delivery of data, but it is not typically used for real-time multimedia applications. WSAv (Web Security Virtual Appliance) is a Cisco solution for web security, but it does not measure packet loss and jitter. AVC (Application Visibility and Control) is a technology that monitors and controls network applications, but it does not focus on packet loss and jitter. References :=

• Measuring Delay, Jitter, and Packet Loss with Cisco IOS SAA and RTTMON1
• Implementing and Operating Cisco Security Core Technologies (SCOR) v1.02
• Cisco 350-701: Which metric used by monitoring agent to collect and output packet loss and jitter information?

 The error 403: Forbidden indicates that the web server denied access to the requested resource, which in this case is the PCAP file. One possible reason for this error is that the HTTPS server is not enabled for the device platform policy, which is a configuration that applies to the FTD devices managed by the FMC. The device platform policy defines the settings for the management interface, the SSH access, the SNMP, the NTP, the DNS, and the HTTPS server. The HTTPS server allows the FMC to access the FTD devices via HTTPS and perform tasks such as packet capture, packet tracer, and file transfer. If the HTTPS server is not enabled for the device platform policy, the FMC cannot access the PCAP file from the FTD device via HTTPS. Therefore, the engineer must enable the HTTPS server for the device platform policy in order to resolve this issue. To enable the HTTPS server for the device platform policy, the engineer must follow these steps:

• Log in to the FMC web interface and navigate to Devices > Platform Settings.
• Select the device platform policy that applies to the FTD device and click Edit.
• In the General tab, check the Enable HTTPS Server checkbox and click Save.
• Deploy the policy changes to the FTD device and wait for the deployment to complete.
• Try to access the PCAP file again from the FMC web browser using the same address.

Alternatively, the engineer can also enable the HTTPS server for the FTD device from the FTD CLI using the command configure network https-server enable. However, this method is not recommended because it may cause a configuration conflict with the FMC123

References := 1: Use Firepower Threat Defense Captures and Packet Tracer - Cisco 2: Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager, Version 6.6 - Device Management Basics [Cisco Firepower NGFW] - Cisco 3: Cisco Firepower Threat Defense Command Reference - C through D Commands [Cisco Firepower NGFW] - Cisco

The Cisco WSA supports two main authentication protocols: LDAP and NTLM. LDAP is a protocol for accessing and managing directory information over a network. NTLM is a Windows proprietary protocol that uses a challenge-response mechanism for authentication. The Cisco WSA can use both LDAP and NTLM to authenticate users and apply policies based on their identity. The Cisco WSA does not support WCCP, TLS, or SSL as authentication protocols, although it can use them for other purposes, such as traffic redirection or encryption. References:

• User Guide for AsyncOS 11.0 for Cisco Web Security Appliances, Chapter: Acquire End-User Credentials
• Cisco Web Security Appliance Best Practices Guidelines, Section: Active authentication
• Cisco WSA Authentication, Blog post by Kareem CCIE
• Authentication and Authorization, PDF document by Cisco

An application that does not validate user input is particularly susceptible to SQL injection attacks. In an SQL injection attack, an attacker can insert or "inject" a SQL query via the input data from the client to the application. Due to the lack of validation, the malicious SQL commands are executed by the database server, leading to unauthorized access or manipulation of the database.

Cisco AMP (Advanced Malware Protection) is a technology that provides a combination of endpoint protection, endpoint detection, and response. Cisco AMP protects endpoints from malware and other threats by using multiple prevention engines, including signatures, machine learning, and file reputation. Cisco AMP also continuously monitors and analyzes endpoint activity to detect malicious behavior and indicators of compromise. Cisco AMP can respond to threats by blocking, isolating, or removing malicious files, processes, or devices across the network. Cisco AMP leverages the cloud-based intelligence of Cisco Talos and Cisco Threat Grid to provide global threat visibility and analysis. Cisco AMP can also integrate with Cisco Umbrella and other security solutions to provide a comprehensive and unified approach to endpoint security. References:

• Cisco Secure Endpoint (Formerly AMP for Endpoints)
• Prevent, Detect and Respond with Cisco AMP for Endpoints
• Provide State-of-the-Art Endpoint Protection as a Managed Service

 Cisco Stealthwatch is the only solution that detects threats across your private network, public clouds, and encrypted traffic. It uses network telemetry and advanced behavioral analytics to monitor network activity and identify anomalies that indicate potential threats. It also leverages Cisco Encrypted Traffic Analytics (ETA) to detect malware in encrypted traffic without decryption. Cisco Stealthwatch provides visibility, threat detection, and response across your entire network and cloud environment1234 References := 1: Cisco Stealthwatch detects threats across private networks, public clouds, and encrypted traffic - Cisco Blogs 2: The XDR Solution to the Ransomware Problem - Cisco Blogs 3: Network Threat Detection and Response with Cisco Stealthwatch - Locuz 4: Cisco Secure Network Analytics (Stealthwatch) - Cisco

When a Cisco WSA receives a web request, it evaluates it against the policies in the policy table. Each policy type has a predefined, global policy, which maintains default actions for that policy type. If the web request does not match any user-defined policy, the WSA applies the global policy. The global policy can be configured to allow, block, or redirect the web request based on various criteria. The global policy acts as a catch-all policy for any web request that is not explicitly handled by a user-defined policy. References :=

• User Guide for AsyncOS 11.0 for Cisco Web Security Appliances - Create Policies to Control Internet Requests
• User Guide for AsyncOS 12.7 for Cisco Web Security Appliances - LD (Limited Deployment) - Acquire End-User Credentials

CoA-ACK is the CoA response code that is sent if an authorization state is changed successfully on a Cisco IOS device. CoA-ACK stands for CoA acknowledgment, which indicates that the device has received and processed the CoA request from the server and applied the new authorization settings to the session. The attributes returned within a CoA-ACK can vary based on the CoA request, such as session reauthentication, session termination, or session modification. The other options are not correct because they are not valid CoA response codes. CoA-NCL, CoA-NAK, and CoA-MAV are not defined in RFC 5176, which specifies the CoA protocol. CoA-NAK is the closest option, but it stands for CoA non-acknowledgment, which indicates that the device has rejected the CoA request from the server due to some error or inconsistency. References :=

Some possible references are:

• RADIUS Change of Authorization - Cisco
• Security and VPN Configuration Guide, Cisco IOS XE 17.x
• RFC 5176 - Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)

 TACACS+ is a protocol that provides authentication, authorization, and accounting (AAA) services for network devices. Unlike RADIUS, which only supports authorization at the user level, TACACS+ supports authorization at the command level. This means that TACACS+ can verify the permissions of the network administrator for every command that is entered, and allow or deny access accordingly. This provides more granular and secure control over network resources and operations. EAPOL, SSH, and RADIUS are not protocols that can provide command-level authorization for AAA. References :=

Some possible references are:

• Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 1: Security Concepts, Lesson 1.2: Network Security Devices and Cloud Services, Topic 1.2.3: AAA
• 350-701 SCOR - Cisco, Exam Topics, 1.0 Security Concepts, 1.2 Compare network security solutions, 1.2.a AAA
• What Is AAA Security? | Fortinet, Authentication, Authorization, and Accounting (AAA)

https://community.cisco.com/t5/endpoint-security/amp-endpoint-isolation/td-p/4086674#:~:text=Isolating%20an%20endpoint%20blocks%20all,your%20IP%20isolation%20allow%20list

Full Context Awareness - policy enforcement

NGIPS - threat prevention

AMP - real-time

Collective Sec Intel - Detection, blocking an remediation

In XSS, an attacker will try to inject his malicious code (usually malicious links) into a database. When other users follow his links, their web browsers are redirected to websites where attackers can steal data from them. In a SQL Injection, an attacker will try to inject SQL code (via his browser) into forms, cookies, or HTTP headers that do not use data sanitizing or validation methods of GET/POST parameters.

Joining Cisco WSAs to an appliance group simplifies the task of patching multiple appliances. An appliance group is a collection of WSAs that share the same configuration settings and software versions. Administrators can use appliance groups to apply configuration changes and software updates to multiple WSAs at once, instead of performing these tasks individually for each appliance12. This reduces the administrative overhead and ensures consistency across the WSAs. References:

• Appliance groups, section “Appliance Groups”.
• What is the purpose of joining Cisco WSAs to an appliance group?

The ip radius source-interface command is needed for this configuration because it forces RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets. This ensures that the RADIUS server can identify the source of the requests and apply the appropriate policies. If this command is not used, RADIUS will use the IP address of the interface that is closest to the destination, which may not match the configured NAS IP on the RADIUS server. This can cause the RADIUS server to reject the requests as unauthorized12. References:

• 1: RADIUS source interface - Cisco Community
• 2: RADIUS Commands - Cisco

ExplanationAn example of configuring a NetFlow exporter is shown below:flow exporter Exporterdestination 192.168.100.22transport udp 2055

https://confluence.netvizura.com/display/NVUG/Traditional+vs.+Flexible+NetFlow

 Cisco Workload Optimization Manager (CWOM) is a decision-automation engine that provides workloads with the exact resources they need at the right time in accordance with business policies, freeing IT teams to focus on innovation rather than the maintenance of their IT environment1. CWOM is part of the Cisco SecureX platform, which integrates various security solutions, including endpoint protection platforms (EPPs), to provide a unified and simplified security experience2. CWOM does not deploy an AWS Lambda system, optimize a flow path, or set up a workload forensic score. These are not related to CWOM’s functionality or EPP solutions. CWOM automates resource resizing, which means it can dynamically adjust the CPU, memory, disk, and network resources allocated to each workload based on real-time demand and performance metrics1. This helps EPP solutions to solely address performance issues by ensuring that workloads have the optimal resources to run efficiently and securely, without overprovisioning or underutilizing resources3. References: 1: Cisco Workload Optimization Manager (CWOM) - Cisco, 2: Endpoint Protection Platform (EPP) Definition - Cisco, 3: Cisco Intersight Workload Optimizer Data Sheet

 The Python script accomplishes the following tasks:

• It imports the required libraries for HTTP, base64, SSL, and sys modules.
• It takes the host, user, and password information from the command line arguments and assigns them to variables.
• It creates an HTTPS connection object using the host and port 9060, and specifies the SSL protocol as TLSv1_2.
• It encodes the user and password information in base64 format for basic HTTP authentication.
• It sets the headers for the HTTP request, including the accept, authorization, and cache-control fields.
• It sends a GET request to the Cisco ISE server to retrieve information from the “/ers/config/internaluser/” endpoint, which returns the list of internal users configured on Cisco ISE.
• It reads the response from the server and prints the status, headers, and body in a human-readable format.

The script authenticates to the Cisco ISE server using the username of ersad and the password of Password1, and retrieves the internal user information from the server.

References:

• Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 5: Secure Network Access, Lesson 2: Cisco Identity Services Engine, Topic: Cisco ISE REST API
• Cisco Identity Services Engine API Reference Guide, Release 2.7 - Cisco ISE ERS API Overview [Cisco Identity Services Engine]
• Python 3 - HTTP Client - Tutorialspoint

The purpose of a Denial-of-Service (DoS) attack is to disrupt the normal operation of a targeted system, server, or network by overwhelming it with a flood of internet traffic. This is achieved by utilizing multiple compromised computer systems as sources of attack traffic. The overwhelming amount of traffic can cause the targeted system to slow down significantly or even crash and become unavailable to legitimate users, thereby denying service to intended users.

 To configure the Cisco ASA via ASDM for SNMPv3, the administrator needs to perform two main tasks: specify an SNMP user group and add an SNMP USM entry. An SNMP user group defines the access level and security model for a group of SNMP users. An SNMP USM entry defines the authentication and encryption parameters for a specific SNMP user. These two tasks are required for SNMPv3 because it uses a user-based security model (USM) that provides secure access to the MIB objects. SNMPv3 does not use a community string, which is a shared password used by SNMPv1 and SNMPv2c. The SNMP manager and UDP port are optional parameters that can be specified to customize the SNMP communication. The SNMP host access entry is also optional and can be used to restrict the access of SNMP hosts to specific interfaces or networks. References :=

Some possible references are:

• SNMP Configuration, Verification and Troubleshooting on ASA
• How to configure SNMP v3 on Cisco Switch, Router, ASA, Nexus
• SNMP Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)

Cisco Umbrella is a cloud-delivered security service that provides DNS-layer security, secure web gateway, firewall, cloud access security broker, and threat intelligence functions. It helps improve security visibility, detect compromised systems, and protect your users on and off the network by stopping threats over any port or protocol before they reach your network or endpoints1. One of the benefits of using Cisco Umbrella is that it can block threats before they launch, reducing response times, and delivering safe, secure internet with Umbrella’s cloud tools2. By intercepting DNS requests and applying security policies, Umbrella can prevent malicious connections from being established, and mitigate attacks before the application connection occurs3. This can also reduce bandwidth costs and improve performance by filtering out unwanted traffic1. References: 1: The Essential Benefits of Cisco Umbrella 2: 5 Reasons to Try Cisco Umbrella Now 3: Why choose Cisco Umbrella for cybersecurity protection

The kind of API that is used with Cisco DNA Center to provision SSIDs, QoS policies, and update software versions on switches is the Intent API. The Intent API is a category of APIs that allows users to express their desired network outcomes or intents, such as creating a site, adding a device, or deploying a network profile. The Intent API then translates these intents into specific network configurations and commands, and applies them to the relevant network devices and services. The Intent API simplifies and automates the network provisioning and management process, and enables users to focus on the business objectives rather than the technical details. Some examples of Intent APIs are:

• Site Management API: This API allows users to create, update, delete, and retrieve sites and buildings in Cisco DNA Center. A site is a logical grouping of network devices and services that share common characteristics, such as location, policies, or functions. A site can have one or more buildings, and a building can have one or more floors. Sites are used to organize and manage the network hierarchy and topology.
• Network Settings API: This API allows users to configure and manage network-wide settings, such as global credentials, network discovery, IP address pools, DHCP and DNS servers, and SNMP settings. These settings are applied to all network devices and services that are managed by Cisco DNA Center.
• Network Profile API: This API allows users to create, update, delete, and retrieve network profiles in Cisco DNA Center. A network profile is a collection of network settings and policies that define how a network segment or service should operate, such as SSIDs, QoS policies, security policies, and device roles. Network profiles are used to standardize and simplify the network configuration and deployment process, and to ensure consistency and compliance across the network.
• Software Image Management API: This API allows users to manage the software images and versions of network devices that are managed by Cisco DNA Center. Users can import, export, delete, and retrieve software images, as well as assign them to network devices or device groups. Users can also schedule and monitor software image updates, and view the software image compliance status of network devices.

References:

• Cisco DNA Center Platform User Guide, Release 2.3.7.0 and 2.3.7.3, Chapter 1: Introduction to Cisco DNA Center Platform, Topic: Intent APIs
• Introduction to Cisco DNA Center REST APIs, Learning Lab: Cisco DNA Center Platform - Network Devices
• Cisco DNA Center Platform - Cisco DevNet, APIs: Intent APIs

To block a website based on a custom list, the customer should add the websites to a blocked type destination list. A destination list is a custom list of domains or URLs that the customer wants to allow or block for their identities. The customer can create destination lists through the Policy Components > Destination Lists page, or within the policy wizard when creating or editing a policy. The custom URL destination block lists feature enables Umbrella to extend a domain level block list to encompass full and partial URLs. In turn, this allows the customer to block certain portions of a website based specifically on the full or partial URL. This feature requires the customer to enable the intelligent proxy and install a root certificate for SSL decryption. References:

• Configure Web Policies and Destination Lists - Cisco Umbrella
• Control Access to Custom URLs - Umbrella SIG User Guide
• Cisco 350-701: How should customer block websites based on custom list
• Umbrella Dashboard: New Features—Custom blocked URLs
• Understanding Destination lists supported entries and … - Cisco Umbrella

 Cisco Web Security Appliance (WSA) is the platform that automatically blocks risky sites, and tests unknown sites for hidden advanced threats before allowing users to click them, using Cisco Cognitive Threat Analytics. Cisco Cognitive Threat Analytics is a cloud-based solution that reduces the time to discovery of threats operating inside the network by analyzing web traffic and detecting anomalous behavior. Cisco WSA integrates with Cisco Cognitive Threat Analytics to provide enhanced web security and breach detection. Cisco WSA can also leverage other Cisco security solutions, such as Cisco Umbrella, Cisco Advanced Malware Protection (AMP), and Cisco Talos Intelligence Group, to provide comprehensive web security. References:

• Cisco Web Security Appliance (WSA)
• Cisco Cognitive Threat Analytics At-a-Glance
• Introducing Cisco Cognitive Threat Analytics
• Implementing and Operating Cisco Security Core Technologies (SCOR) - Module 3: Cloud and Content Security

Cisco Stealthwatch is a network security and visibility platform that provides an agentless solution to monitor network traffic and detect threats, including those in encrypted traffic. Stealthwatch uses Encrypted Traffic Analytics (ETA), a technology that leverages network telemetry and machine learning to identify malicious patterns and behaviors in encrypted traffic without decryption. ETA can also assess the cryptographic strength and compliance of the encryption protocols used in the network. Stealthwatch integrates with other Cisco security products, such as Cisco Identity Services Engine (ISE) and Cisco Advanced Malware Protection (AMP), to provide contextual information and threat intelligence for faster and more effective response. Stealthwatch is the only Cisco platform that offers ETA as a solution to provide visibility across the network, including encrypted traffic analytics, to detect malware in encrypted traffic without the need for decryption. References :=

Some possible references are:

• Cisco Secure Network Analytics (Stealthwatch) - Cisco, Cisco
• Encrypted Traffic Analytics > Security | Cisco Press, Cisco Press
• Solutions - Encrypted Traffic Analytics with the New Cisco Network and Secure Network Analytics At-a-Glance - Cisco, Cisco
• Cisco Encrypted Traffic Analytics White Paper, Cisco

 Cisco AMP for Endpoints provides next-generation protection by leveraging an endpoint protection platform (EPP) and endpoint detection and response (EDR) capabilities. EPP is a set of multifaceted prevention techniques that stop threats from compromising endpoints, such as behavioral analytics, machine learning, and signature-based methods. EDR is a set of powerful features that reduce the attack surface and remediate faster, such as advanced threat hunting, endpoint isolation, and dynamic malware analysis. Cisco AMP for Endpoints also integrates with SecureX, a built-in platform that offers extended detection and response (XDR) capabilities across multiple control points, such as network, cloud, email, and web. By combining EPP, EDR, and XDR, Cisco AMP for Endpoints delivers a comprehensive and resilient endpoint security solution that can detect, respond, and recover from sophisticated attacks. References:

• Cisco Secure Endpoint (Formerly AMP for Endpoints) - Cisco
• Cisco Secure Endpoint (Formerly AMP for Endpoints) - Cisco
• Cisco Secure Endpoint (Formerly AMP for Endpoints) - Cisco

A next-generation endpoint security solution is a modern approach of combining user and system behavior analytics with AI and machine learning to provide endpoint security12. These solutions are specifically designed to detect unknown malware and zero-day threats, which other non-next-generation solutions might fail to detect3. Two key deliverables that help justify the implementation of a next-generation endpoint security solution are:

• Continuous monitoring of all files that are located on connected endpoints. This feature allows the solution to scan and analyze all files on the endpoints, regardless of their origin or type, and identify any malicious or suspicious behavior. This helps to prevent malware from infecting the endpoints or spreading to other devices on the network4.
• Real-time feeds from global threat intelligence centers. This feature enables the solution to leverage the latest information and insights from various sources, such as security researchers, vendors, and customers, to detect and block new and emerging threats. This helps to keep the endpoints updated and protected from the most advanced and sophisticated attacks5.

References := 1: Overview of next-generation protection in Microsoft Defender for Endpoint 2: What Is Next-Generation Endpoint Security? 2024 Ultimate Guide - SelectHub 3: [Next

 Tools like Jenkins, Octopus Deploy, and Azure DevOps provide continuous integration and continuous deployment (CI/CD) capabilities for application and infrastructure automation. CI/CD is a process that enables developers to deliver code changes more frequently and reliably by automating the building, testing, and deployment stages. CI/CD tools help to integrate various components of the software delivery pipeline, such as source control, testing frameworks, configuration management, security scanning, and deployment platforms. By using CI/CD tools, developers can achieve faster feedback loops, improved quality, reduced errors, and increased efficiency123.

According to the Cisco course on Implementing and Operating Cisco Security Core Technologies (SCOR), CI/CD is one of the key concepts of DevSecOps, which is a culture and practice that aims to embed security into every stage of the software development lifecycle. DevSecOps requires collaboration and communication between development, security, and operations teams, as well as the use of automation tools and techniques to ensure security is integrated throughout the process45. References: 1: Configuring Jenkins in Azure and deploying with Octopus 2: Octopus Deploy vs. Azure DevOps (VSTS/TFS) 3: Building .NET Core Apps in Azure DevOps and integrating Octopus Deploy 4: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 5: 350-701 SCOR - Cisco

To create an access control list (ACL) on a Cisco Adaptive Security Appliance (ASA) firewall, you need to use the access-list command followed by the name of the ACL, the action (permit or deny), the protocol, the source address and mask, and the destination address and mask. For example, to permit HTTP traffic from the inside network 192.168.1.0/24 to any destination on the internet, you can use this command:

access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq www

This command creates an ACL named inside_access_in that permits TCP traffic from the source network 192.168.1.0/24 to any destination with the destination port equal to 80 (www). The eq keyword is used to specify the port number or name. You can also use the range keyword to specify a range of ports.

To apply the ACL to an interface, you need to use the access-group command followed by the name of the ACL and the direction (in or out). For example, to apply the ACL to the inside interface in the inbound direction, you can use this command:

access-group inside_access_in in interface inside

This command applies the ACL inside_access_in to the interface named inside in the inbound direction. This means that the ACL will filter the traffic that enters the firewall through the inside interface.

Option D is the only option that matches the syntax of the access-list command for the ASA firewall. Option A is incorrect because it uses the ip keyword instead of the tcp keyword. Option B is incorrect because it uses the any keyword for both the source and destination addresses. Option C is incorrect because it uses the host keyword for the source address, which is not valid for a network address.

References:

• Configure ASA Access Control List for Various Scenarios
• Cisco ASA Access Lists Concepts and Configuration
• How to Configure Access Control Lists (ACL) on Cisco ASA 5500 Firewalls

The cause of this issue is that NTP authentication is not enabled on the router. The commands shown in the exhibit only define the authentication key and mark it as trusted, but they do not enable NTP authentication globally or on a per-peer basis. To enable NTP authentication globally, the command ntp authenticate must be used. To enable NTP authentication on a per-peer basis, the command ntp server ip-address key key-id or ntp peer ip-address key key-id must be used, where key-id is the same as the one defined by the ntp authentication-key command. Without enabling NTP authentication, any device can synchronize time with this router, regardless of whether it has the same authentication key or not.

The other options are incorrect because:

• The key was configured in plain text, but this is not the cause of the issue. Although it is recommended to use the ntp authentication-key key-id md5 key [encrypted] command to encrypt the key, using plain text does not prevent NTP authentication from working, as long as the same key is configured on both the router and the peer.
• The hashing algorithm that was used was MD5, which is supported by NTP. MD5 is the default algorithm for NTP authentication and it can be used with any key length from 1 to 16 characters. Other algorithms, such as SHA and SHA1, are also supported by NTP if the OpenSSL library is installed, but they are not required for NTP authentication to work.
• The router was not rebooted after the NTP configuration updated, but this is not necessary for NTP authentication to take effect. NTP authentication is applied immediately after the configuration commands are entered, and no reboot is required.

References:

• Configuring NTP
• Authentication Support
• NTP Authentication Explained

Northbound and southbound APIs are two types of interfaces that enable communication between different layers of the SDN architecture. Northbound APIs relay information between the controller and the applications or policy engines, while southbound APIs relay information between the controller and the network devices.

Northbound APIs allow applications to request network services or resources from the controller, such as bandwidth, latency, security, or routing. The controller then translates these requests into network configurations and applies them to the network devices via the southbound APIs. Northbound APIs typically use RESTful API methods such as GET, POST, and DELETE to communicate with the controller.

Southbound APIs allow the controller to program the network devices to perform forwarding and other functions. The controller can use different protocols or standards to communicate with the network devices, depending on their capabilities and vendor-specific features. Some common examples of southbound APIs are CLI, SNMP, RESTCONF, NETCONF, OpenFlow, and OpFlex.

References:

• Software-Defined Networking (SDN) Definition - Cisco
• Software-Defined Networking Security and Network … - Cisco Press
• Cisco SDN – Software Defined Networking Explained - Study-CCNA
• SDN Network - Cisco Community

Network telemetry is a technology for gaining network insight and facilitating efficient and automated network management. It encompasses various techniques for remote data generation, collection, correlation, and consumption1. Network telemetry can be used for various purposes, such as network performance monitoring, security analysis, troubleshooting, and optimization. One of the applications of network telemetry is Layer 2 device discovery, which allows network operators to discover and map the physical topology of the network, including switches, routers, hosts, and links. Layer 2 device discovery can be achieved by using protocols such as Link Layer Discovery Protocol (LLDP) or Cisco Discovery Protocol (CDP), which enable network devices to advertise their identity, capabilities, and neighbors to other devices on the same network segment. To enable Layer 2 device discovery, network telemetry must be enabled on the network devices, so that they can send and receive LLDP or CDP packets. This feature requires network telemetry to be enabled, because without it, the network devices would not be able to exchange information about their topology and configuration. Therefore, the correct answer is C. Layer 2 device discovery. References: 1: RFC 9232: Network Telemetry Framework - Internet Engineering Task Force

Retrospective detection is a feature of Cisco Advanced Malware Protection (AMP) for Endpoints that performs correlation of telemetry, files, and intrusion events that are flagged as possible active breaches. Retrospective detection allows AMP to continuously analyze file activity across the network and identify malicious behavior that was previously undetected. Retrospective detection can also trigger alerts and remediation actions when a file’s disposition changes from clean to malicious12. References: 1: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 4: Endpoint Protection and Detection, Lesson 4.1: Cisco AMP for Endpoints Overview, Topic 4.1.3: Retrospective Detection 2: Cisco AMP for Endpoints User Guide, Chapter: Retrospective Detection, URL: 3

 OWASP stands for Open Web Application Security Project, a non-profit organization that provides resources for web application security. OWASP has developed a number of standards, projects, events, and news on topics such as web application security, supply chain security, and cyber risk mitigation1. One of the most widely recognized OWASP resources is the OWASP Top 10, a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications, such as broken access control, cryptographic failures, injection, and insecure design2. The OWASP Top 10 is updated periodically based on data analysis and community feedback. The latest edition was released in 20213. By following the OWASP Top 10 and other OWASP resources, developers can build more secure applications that minimize these risks. References := 1: OWASP Foundation, the Open Source Foundation for Application Security 2: OWASP Top Ten | OWASP Foundation 3: OWASP Top 10:2021

A PAC file is a Proxy Auto-Configuration file that contains a JavaScript function that determines whether web browser requests go directly to the destination or are forwarded to a web proxy server. A PAC file allows the client desktop browsers to be configured to select when to connect direct or when to use the proxy based on the URL and the host name. A PAC file can be downloaded from a web server or a local file. A PAC file is more suitable for complex proxy configurations or multiple proxy servers12

A transparent mode is a proxy configuration where the client browsers do not need to be configured to use the proxy. The proxy intercepts the traffic and forwards it to the destination. A transparent mode does not allow the client browsers to select when to connect direct or when to use the proxy34

A forward file is not a valid proxy configuration method.

A bridge mode is a network configuration where a device connects two or more network segments and forwards traffic between them. A bridge mode is not a proxy configuration method5 References := 1: Proxy Auto-Configuration (PAC) file - HTTP | MDN 2: Proxy auto-config - Wikipedia 3: Explicit and Transparent Proxy - techdocs.broadcom.com 4: Configure Explicit Proxy - Palo Alto Networks | TechDocs 5: config web-proxy explicit | FortiGate / FortiOS 7.4.0

Application visibility and control (AVC) is a solution that leverages multiple technologies to recognize, analyze, and control over 1000 applications, including voice and video, email, file sharing, gaming, peer-to-peer (P2P), and cloud-based applications1. One of the key components of AVC is application recognition, which uses stateful deep packet inspection (DPI) to identify applications within the network traffic flow, using L3 to L7 data2. DPI is a technique that examines the content of packets beyond the header information, and can classify applications based on their signatures, protocols, ports, or other attributes3. DPI enables AVC to monitor and control application performance, bandwidth usage, quality of service, and security policies4. References := 1: Cisco Application Visibility and Control (AVC) - Cisco 2: Cisco Application Visibility and Control User Guide - Technology Overview 3: What is application visibility and control? | Juniper Networks US 4: Application visibility and control - Secure Internet Access Enterprise

Cisco Umbrella Investigate is a cloud-based service that provides interactive threat intelligence on domains, IPs, and files. It helps security analysts to uncover the attacker’s infrastructure and predict future threats by analyzing the relationships and evolution of internet domains, IPs, and files. It also integrates with other Cisco security solutions, such as Cisco Secure Network Analytics, Cisco Secure Cloud Analytics, and Cisco pxGrid, to provide a holistic view of the network and cloud security posture. Cisco Umbrella Investigate is based on the data collected by Cisco Umbrella, which processes more than 620 billion DNS requests per day from over 190 countries. Cisco Umbrella Investigate uses statistical and machine learning models to automatically score and classify the data, and provides a risk score for each domain, IP, and file, along with the contributing factors and historical context. Cisco Umbrella Investigate also allows security analysts to query the data using a web-based console or an API, and to visualize the results using graphs, tables, and maps. Cisco Umbrella Investigate is the most complete and interactive threat intelligence solution that helps to prevent cyber attacks before they happen. References :=

Some possible references are:

• Cisco Umbrella Investigate
• Cyber Attack Prevention - Cisco Umbrella
• Cisco Umbrella Investigate - Cisco Umbrella

MDM stands for Mobile Device Management, which is a system that performs compliance checks and remote wiping on mobile devices. MDM allows administrators to enforce security policies, monitor device status, and remotely manage devices in case of loss, theft, or compromise. MDM can also integrate with other Cisco security solutions, such as ISE, AMP, and Umbrella, to provide enhanced protection and visibility for mobile devices. References:

• Mobile Device Management (MDM) - Cisco
• Implementing and Operating Cisco Security Core Technologies (SCOR) - Module 5: Secure Network Access

 The Cisco Umbrella package that supports selective proxy for inspection of traffic from risky domains is SIG Advantage. SIG stands for Secure Internet Gateway, and it is a cloud-based service that provides comprehensive web security and threat intelligence. SIG Advantage includes all the features of DNS Security Advantage, such as DNS-layer protection, intelligent proxy, and cloud-delivered firewall, plus additional features such as full proxy, SSL decryption, advanced malware protection, and data loss prevention. Selective proxy is a feature that allows Umbrella to route risky domain requests to a proxy for deeper URL and file inspection, without impacting the performance or latency of legitimate traffic. Selective proxy is based on the reputation of the domains, which are classified into three categories: good, bad, and grey. Good domains are allowed without proxying, bad domains are blocked at the DNS layer, and grey domains are proxied for further inspection. Selective proxy is available in both DNS Security Advantage and SIG Advantage packages, but only SIG Advantage offers full proxy for all web traffic, which provides more granular control and visibility over web transactions and file types. References:

• Cisco Umbrella Packages
• Why Umbrella DNS Security?
• Manage the Intelligent Proxy
• Cisco Umbrella - Selected Proxy versus Full Proxy

IKEv1 has two modes of operation: main mode and aggressive mode. Main mode uses six messages to establish the IKE SA, while aggressive mode uses only three messages. Therefore, aggressive mode is faster than main mode, but less secure, as it exposes the identities of the peers in cleartext. This makes it vulnerable to man-in-the-middle attacks. IKEv2 does not have these modes, but uses a single four-message exchange to establish the IKE SA. IKEv2 also encrypts the identities of the peers, making it more secure than IKEv1 aggressive mode.

IKEv1 uses EAP authentication only for remote access VPNs, not for site-to-site VPNs. IKEv2 supports EAP authentication for both types of VPNs. EAP authentication allows the use of various authentication methods, such as certificates, tokens, or passwords.

IKEv1 conversations are initiated by the ISAKMP header, which contains the security parameters and the message type. IKEv2 conversations are initiated by the IKE_SA_INIT message, which contains the security parameters, the message type, and the message ID. The message ID is used to identify and order the messages in the IKEv2 exchange.

NAT-T is supported by both IKEv1 and IKEv2. NAT-T stands for Network Address Translation-Traversal, and it is a mechanism that allows IKE and IPsec traffic to pass through a NAT device. NAT-T detects the presence of NAT and encapsulates the IKE and IPsec packets in UDP headers, so that they can be translated by the NAT device. References:

• IKEv1 vs IKEv2 – What is the Difference?
• Comparison between IKEv1 and IKEv2
• IKEv2 vs IKEv1: What are the differences?

Cisco Stealthwatch is a security solution that uses NetFlow to provide visibility across the network, data center, branch offices, and cloud. NetFlow is a protocol that collects and exports statistics on network traffic flows from routers, switches, firewalls, and other devices. NetFlow data can be used to monitor network performance, troubleshoot issues, detect anomalies, and identify security threats. Cisco Stealthwatch analyzes NetFlow data from various sources and correlates it with other contextual information, such as identity, device, location, and threat intelligence. Cisco Stealthwatch then applies advanced behavioral analytics and machine learning to detect and respond to malicious activities, such as data exfiltration, malware infection, insider threats, and denial-of-service attacks. Cisco Stealthwatch also provides comprehensive network visibility and security across hybrid environments, including public cloud, private cloud, and on-premises networks. Cisco Stealthwatch can integrate with other Cisco security solutions, such as Cisco Identity Services Engine (ISE), Cisco Firepower, Cisco Umbrella, and Cisco Advanced Malware Protection (AMP), to enhance network security and incident response capabilities. References:

• Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 8: Cloud and Virtual Network Security, Lesson 8.2: Cisco Stealthwatch Cloud
• Cisco Stealthwatch
• NetFlow for Cybersecurity and Incident Response

B

DNS-layer security is a method of protecting users from cyberthreats by blocking malicious or risky domains before a connection is established. Cisco Umbrella is a cloud-based service that provides DNS-layer security by using Cisco Talos threat intelligence to filter DNS requests and prevent access to malicious domains. Cisco Umbrella also offers other security features, such as web filtering, cloud-delivered firewall, secure web gateway, and cloud access security broker. Cisco Umbrella can protect users on and off the corporate network, regardless of their location or device. Cisco Umbrella is compatible with other Cisco security solutions, such as Cisco ISE, Cisco FTD, and Cisco ASA, but it is the only one that offers DNS-layer security as a core capability. References:

• What Is DNS Security? How Does It Work? - Cisco Umbrella
• Why Umbrella DNS Security? - Cisco Umbrella

AAA stands for Authentication, Authorization, and Accounting. It is a framework that provides security to network resources by controlling who can access them (authentication), what they can do (authorization), and what actions they perform (accounting). AAA can be implemented by using the local database of the device or by using an external server such as Cisco ISE (Identity Services Engine).

The question asks which configuration item makes it possible to have the AAA session on the network. A session is a logical connection between a user and a network device. A session can be initiated by various methods, such as console, telnet, SSH, PPP, etc. Each session can have different AAA policies applied to it, depending on the method list configured for that session.

A method list is a set of rules that define the authentication, authorization, and accounting methods to be used for a particular session. A method list can be named or default. A named method list is applied to a specific session by using the login, authorization, or accounting keyword followed by the name of the method list. A default method list is applied to all sessions that do not have a named method list configured.

The configuration item that makes it possible to have the AAA session on the network is the aaa authorization network default group ise command. This command configures a default method list for network authorization, which is the process of determining the network services and attributes that a user is allowed to access after authentication. The command specifies that the network authorization method is group, which means that the device will use an external server (such as Cisco ISE) to obtain the authorization information for the user. The command also specifies that the name of the server group is ise, which means that the device will use the server group defined by the aaa group server radius ise command.

The other options are incorrect because they do not configure a default method list for network authorization. Option A configures a named method list for login authentication, which is the process of verifying the identity of the user. Option B configures a default method list for enable authentication, which is the process of verifying the identity of the user who wants to enter the privileged EXEC mode. Option D configures a default method list for exec authorization, which is the process of determining the commands and features that a user can access in the EXEC mode. References:

• Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 1: Security Concepts, Lesson 1: Describing Information Security Concepts
• Configure Basic AAA on an Access Server, General AAA Configuration, Authentication Configuration, Authorization Configuration
• AAA (Authentication, Authorization and Accounting) - GeeksforGeeks, AAA implementation, ACS server

To deploy Cisco WSA in transparent mode, the configuration component that must be used is WCCP on switch. WCCP stands for Web Cache Communication Protocol, which is a protocol that allows a network device (such as a switch) to redirect web traffic to a proxy server (such as Cisco WSA) transparently. This means that the client does not need to configure any proxy settings on the browser, and the proxy server can intercept and process the web requests and responses without the client’s knowledge. WCCP can also provide load balancing and failover capabilities for multiple proxy servers.

The other options are incorrect because they are not required or relevant for transparent mode deployment. Option A is incorrect because MDA (Multilink PPP Dial Access) is a feature that allows multiple physical links to be aggregated into a single logical link for dial-up connections. It has nothing to do with transparent mode. Option B is incorrect because PBR (Policy-Based Routing) is a feature that allows routing decisions to be based on criteria other than the destination IP address, such as source IP address, protocol, port, etc. It is not necessary for transparent mode, as WCCP can handle the traffic redirection. Option D is incorrect because DNS resolution on Cisco WSA is not a configuration component, but a function that allows the proxy server to resolve domain names to IP addresses. It is not specific to transparent mode, as it is also used in explicit mode. References:

• What is the difference between transparent and forward proxy mode?
• User Guide for AsyncOS 12.7 for Cisco Web Security Appliances - LD (Limited Deployment) - Acquire End-User Credentials
• Cisco WSA : Is it possible to use web proxy in transparent mode without WCCP?

WannaCry ransomware is a type of malware that encrypts the files on the infected devices and demands a ransom for their decryption. It exploits a vulnerability in the Windows SMB protocol that allows remote code execution. To prevent WannaCry ransomware from spreading to all clients, IT should take the following precautions:

• Ensure that noncompliant endpoints are segmented off to contain any potential damage. This means that any device that is not patched, managed, or compliant with the security policies should be isolated from the rest of the network and given limited access to resources. This can be done using Cisco Identity Services Engine (ISE) and Cisco TrustSec, which can enforce dynamic segmentation based on the device’s identity, posture, and context. This way, IT can prevent the ransomware from infecting other devices and reduce the impact of the attack12
• Perform a posture check to allow only network access to those Windows devices that are already patched. This means that IT should verify that the devices have installed the latest security updates from Microsoft that fix the SMB vulnerability. This can be done using Cisco AnyConnect Secure Mobility Client, which offers a VPN Posture/HostScan Module and an ISE Posture Module. Both modules can assess the endpoint’s compliance for things like operating system, patches, antivirus, antispyware, and firewall software. If the device is not patched, it can be denied access to the network or redirected to a remediation portal13

References: 1: Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.0 - Configure Posture 2: Can We Trust Your Device? Checking Security Posture - Cisco 3: Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.10 - Configure Posture

To block all subdomains of domain.com, the administrator should configure the domain.com address in the block list. This is because Umbrella automatically applies a left side and right side wildcard to every domain in a block or allow destination list. Therefore, adding domain.com to a block list will result in requests to domain.com or its subdomains, such as www.domain.com, being blocked. Adding a wildcard character (*) is not supported and will not work. Adding the *.com address in the block list will block all domains that end with .com, which is not the desired outcome.  References:

• Understanding Destination lists supported entries and error messages
• Wildcards and Destination Lists

The Cisco Endpoint IoC feature is a powerful incident response tool for scanning of post-compromise indicators across multiple computers. Endpoint IoCs are imported through the console from OpenIOC-based files written to trigger on file properties such as name, size, hash, and other attributes and system properties such as process information, running services, and Windows Registry entries. The IoC syntax can be used by incident responders to find specific artifacts or use logic to create sophisticated, correlated detections for families of malware. Endpoint IoCs have the advantage of being portable to share within your organization or in industry vertical forums and mailing lists. The Endpoint IoC scanner is available in AMP for Endpoints Windows Connector versions 4 and higher. Running Endpoint IoC scans may require up to 1 GB of free drive space. The Endpoint IoC feature is based on the openioc.com framework, which is an open standard for sharing threat intelligence. References:

• Cisco Endpoint IOC Attributes, User Guide
• What Are Indicators of Compromise (IOC)? - Cisco, Security Indicators of Compromise
• General questions about AMP - Cisco Community, Post by Cisco Employee

Workload security models refer to the ways of protecting applications, services, and capabilities that run on a cloud resource. There are different types of cloud deployment models, such as public, private, hybrid, and multicloud, and different types of cloud service models, such as IaaS, PaaS, and SaaS. However, these are not workload security models, but rather ways of describing the cloud environment and the level of abstraction. Workload security models are more focused on the location and ownership of the workloads, and how they are secured. The two main workload security models are off-premises and on-premises. Off-premises workload security model means that the workloads are hosted and managed by a third-party cloud service provider, such as AWS, Azure, or GCP. The cloud service provider is responsible for the security of the underlying infrastructure, such as the physical servers, network devices, storage systems, and hypervisors. The customer is responsible for the security of the workloads themselves, such as the guest operating systems, applications, data, and users. The customer can use various tools and techniques to secure their workloads, such as encryption, firewalls, identity and access management, vulnerability scanning, and logging and monitoring. On-premises workload security model means that the workloads are hosted and managed by the customer on their own data center or private cloud. The customer is responsible for the security of both the infrastructure and the workloads, and has full control and visibility over them. The customer can use similar tools and techniques as the off-premises model, but also has to deal with the physical security, network security, and compliance requirements of their own environment. References:

• What Is Workload Security? On-Premises, Cloud, Kubernetes, and More
• What is Cloud Workload Security? - CyberArk
• What is Cloud Workload Protection? | Workload Security | VMware
• What is Cloud Workload Security? - Check Point Software
• Introduction To Classic Security Models - GeeksforGeeks

Based on the configuration script in the image, the interface GigabitEthernet0/0/18 is configured for both 802.1X and MAB authentication. The command authentication port-control auto enables 802.1X authentication on the port, while the command dot1x pae authenticator enables the port to act as an authenticator. The command authentication host-mode multi-domain enables MAB authentication on the port, and allows two devices to be authenticated, one in the voice VLAN and one in the data VLAN. Therefore, when a device tries to connect to the port, the switch will first attempt 802.1X authentication, and if it fails, it will fall back to MAB authentication using the device’s MAC address. The switch will then contact the ISE server, which is configured as the RADIUS server group ise-group, to verify the device’s credentials and assign the appropriate access level based on the ISE policy. The ISE policy can also dynamically assign VLANs, ACLs, or service policies to the device based on its identity and posture. References :=

Some possible references are:

• [Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0], Module 6: Secure Connectivity, Lesson 6.2: Implementing Site-to-Site VPNs, Topic 6.2.2: Group Encrypted Transport VPN
• Cisco IOS Security Configuration Guide, Release 15M&T - Configuring IEEE 802.1x Port-Based Authentication
• Cisco IOS Security Configuration Guide, Release 15M&T - Configuring MAC Authentication Bypass
• Cisco Identity Services Engine Administrator Guide, Release 2.7 - Configure Wired 802.1X and MAB

https://learn-umbrella.cisco.com/i/802005-umbrella-security-report/3?

https://www.cisco.com/site/us/en/products/security/endpoint-security/secure-endpoint/index.html#:~:text=Powerful%20EDR%20capabilities,from%20Kenna%20Security.

Cisco Advanced Malware Protection (AMP) for endpoints can be seen as a replacement for the traditional antivirus solution. It is a next generation, cloud delivered endpoint protection platform (EPP), and advanced endpoint detection and response (EDR). Providing Protection – Detection Response

While Cisco Umbrella can enforce security at the DNS-, IP-, and HTTP/S-layer, this report does not require that blocking is enabled and only monitors your DNS activity. Any malicious domains requested and IPs resolved are indicators of compromise (IOC).

Any malicious domains requested and IPs resolved are indicators of compromise (IOC)