Welcome. In this video course we are looking at the CyberOps Associate version 1 course. This course is going to cover the skills and knowledge needed for successfully handling the tasks, duties and responsibilities of an associate-level security analyst working at a security operations center. The goal of this video series is to help prepare learners for the Cisco 200-201 certification, which focuses on understanding the Cisco Cybersecurity Operations Fundamentals course, known as CBROPS.

Module 24: Technologies and Protocols. In this module we're looking at monitoring common protocols as well as security technology. Monitoring common protocols is going to be more of an in-depth review of those common protocols, things like syslog or NTP. For log management, syslog is going to be how we centralize our log management; NTP is Network Time Protocol. Both of these together are actually key, or essential, for the cybersecurity analyst: one for logging, one for time. The reason that time is so crucial is because when you have multiple devices and they are spread out throughout the network, as we're trying to analyze a possible security event, if they all have the same time it makes analyzing the logs a lot easier. And again, syslog is the standard for logging events from network devices, endpoints and everything else. The standard allows for a system-neutral means of transmitting, storing and analyzing our logs. There are many different vendors for syslog, but more often than not the typical syslog server listens on UDP port 514. Remember that logs are definitely a target for our attackers, because they log things, they monitor things, they centralize everything, so when an attacker is trying to cover up their tracks, targeting the logs becomes kind of crucial. Some exploits involve data exfiltration, and that can take a long time due to slow data transfer, so again, being able to lessen your footprint in the logs makes it a little bit easier. Attackers again may attempt to block the transfer of data from the syslog clients to the server, tampering with the logs; that way they're harder to detect. We have what's called the next-generation, or NG, syslog implementation. This is sometimes preferred; NG syslog or syslog-ng, they are both kind of the same thing. They offer enhancements that can help prevent exploiting the syslog server. There are multiple forms of syslog servers and analytics tools that are used to actually review and look at threats and look at other events or possible attacks through the logging system.

And again, as we're talking syslog, timing is crucial, so they will have a timestamp. The timestamp is done via NTP, or Network Time Protocol, which uses UDP port 123. Threat actors may attempt to attack NTP infrastructure in order to corrupt the information of the events. Again, if all of the endpoints that are logging the security events have varying times, it makes trying to track down the attacker that much harder. These types of attacks can also disrupt network availability because of how important a role time plays in network functions.

Other key portions of the network are things like DNS, or Domain Name Services. Many types of malware look at targeting DNS to communicate back to some type of CnC-type server to exfiltrate data, and normally you will disguise this type of exfiltration as a DNS query, for example to a compromised DNS server. Basically, the DNS lookup for a long string will be looking at a target or a specific DNS server, with the data being attached to the DNS query. That way you only see DNS-type traffic, and if you're not looking at the query itself you don't see that it's actual data leaving the network, or being exfiltrated from the network. There are many ways to disguise data as it leaves the network, and DNS is definitely one of them. Again, this is going to use DNS as a subdomain, as we see in the figure: we can have a DNS query, some type of encoded text, dot, a subdomain of example.com, and that being fed over to a compromised DNS server. The logs would show this as a DNS query. The compromised DNS server would be able to take all these queries and then break them down, collect the data, and then actually have a legitimate copy of the data that was leaked from the organization. It's likely that the subdomain portion of each request is a lot longer than a normal request, so that could be a red flag; however, most analysts aren't looking at that level of detail. They can use a long query in DNS as a baseline, and from there they can use that as an anomaly within our logging system. DNS queries from randomly generated domain names, or extremely long domain names appearing as subdomains, are normally very suspicious, especially if we see a larger spike in network traffic. There are ways to actually combat this, but a mitigation technique is definitely using something like a DNS proxy log; that way it can be analyzed to detect the spikes, and we go from there. You can also use things like Cisco Umbrella, which is a passive DNS server that is used to block requests to suspected CnC- and exploit-based domains, essentially domains that are odd or could be flagged as suspicious. The Cisco Umbrella passive DNS service will actually stop DNS queries from inside the network going outside to possibly compromised DNS-type servers. So the Cisco Umbrella passive DNS service is actually more about how we can prevent the DNS queries from leaving the network.

All right, so after DNS normally we'll talk about DHCP, but that's a little bit later, so let's go on and talk about HTTP and HTTPS, the backbone protocols for web-based traffic. HTTP and HTTPS, again, this is how we transfer hypertext information, or web page content. Normally HTTP is done via plain text; it does not protect data from alteration or molestation. All browser activity is normally classified as a risk when doing HTTP, so to mitigate that we can use other technologies. A common exploit of HTTP itself is called an iframe, or inline frame; a window in a browser actually has multiple frames on a given website. An iframe injection is a threat: after compromising the web server, it will plant malicious code in an invisible iframe on a commonly visited website. There are network appliances like the Cisco Web Reputation Filter that can detect iframes, but this is a common issue when we look at a web page. Again, multiple portions of the web page load from different locations, so just because we are loading Google, for example, we may get one request coming from Google but we may have other requests going to other locations, so that makes it a little more vulnerable. With HTTP and HTTPS, normally the S is going to handle the SSL or the TLS, the encryption portion, and that means the request will actually be done through an encryption layer, so we view it as HTTP over SSL, also commonly referred to as HTTP Secure. Now remember, HTTPS is not the mechanism for web server security; it only secures the HTTP-based protocol, meaning the contents of the HTTP is what is secure, not the web server. Unfortunately, encrypting using HTTPS is more complicated, and it makes monitoring the network a little more complicated, but this is just the reality that we live in. Some security devices will include SSL decryption and inspection; however, this normally raises privacy concerns. HTTPS will add complexity to packet capturing due to messages involving the establishing of the encryption process. So there are pros and cons for HTTP and HTTPS, especially as it relates to the security analyst.

We have our email protocols: SMTP for sending, and we have our POP and IMAP for receiving. All of them can be used by threat actors to spread malware, to send or receive data, to exfiltrate data, or just as a way to handle communication to a CnC-type server. Again, SMTP sends data from the host to a mail server; IMAP and POP are used to download or receive mail from the email server. Security monitoring can identify malware attachments if we are looking at IMAP and POP3 as they come into the network. We may actually have all POP and IMAP go through some type of mail filter looking at the attachments; that way we could better understand what type of attachments are coming in and check them for possible malware before they even enter the network.

After email we have things like ICMP, or the ping protocol. ICMP is used to identify hosts on the network, but it can do more than that; it can also be used for data exfiltration. Remember that ICMP is the Internet Control Message Protocol, and it can be used to surveil or deny services from outside of the network. ICMP traffic from inside the network is often overlooked because it's normally seen as normal traffic, but some varieties of malware can use a crafted ICMP packet to transfer files from infected hosts to a threat actor. This is known as ICMP tunneling. So those are some of the main protocols for this chapter.

Moving past that, we have our security technologies, things like ACLs and ACEs. I'm actually going to grab my pen. This is an ACE, an access control entry; the list, the group of them, is an ACL, and ACLs are used to filter traffic. Here we have a permit ICMP to any, any, source and destination, so we can do an echo reply, a source quench, an unreachable. All of those are allowed, because an ACL is done line by line: that will be allowed, that will be allowed, that will be allowed. If they are not matched, then this deny ICMP will then be applied, so if it's not an echo reply, a source quench or an unreachable, then this will actually take precedence. This is all ICMP. This is permit IP; IP is separate from ICMP. So again, within this list we are mitigating ways to control ICMP, and we've done this via our ACEs, which built our ACL. Attackers can determine which IP addresses, protocols and ports are allowed via an ACL; this can be done by port scanning or other pen test processes. The attacker can also spoof source and destination IPs or MAC addresses to kind of bypass our ACLs. Applications can also establish a connection to arbitrary ports outside of the ACL if they're not set up correctly. So in order to detect and react to packet manipulation you have to have something more sophisticated, in-depth planning in place. Cisco has things like the Next-Generation Firewall; there's also Advanced Malware Protection, or AMP. We also have email and web content appliances, application appliances that are used to address some of these more rule-based security measures. Again, with this, firewalls and IPSs are layered to help mitigate this behavior, but they're not a hundred percent; they are additives to kind of help reduce the possibility of a security concern.

All right, so after ACLs we have our NAT and PAT. NAT is Network Address Translation; PAT is our Port Address Translation. That is the ability to take a private IP address and mask it to a public IP address. So here we have our local network; here we have our internet-facing network, or our WAN side. WAN, LAN; so again, inside, outside. Here we have our source address, inside local; that will be our local IP address. We have our destination address; that will be our outside local, that's going to be the destination address as it leaves our network. NAT will occur on our NAT-enabled router, so our masking will take place: our inside local will change to an inside global. It will be masked to, typically, the exit interface of our router. Our destination address, or outside global, remains the same. Again, source address, destination address, SA, DA. The inside and outside local and inside and outside global are the big ones you need to know. Outside local and outside global is the destination; inside local is the inside local IP; the inside global is the IP address that we're being masked to. So these two are the same in the sense that they are going to be the one that's originating the request; the difference is the inside global is the masked IP address, or the masked version of it. So if PAT is in effect, it could be difficult to log specific inside devices unless you're logging the router as well, and that means you have to receive the traffic when it enters the network, or log everything on the router so that we can capture the log data. You can also use NetFlow data; NetFlow is unidirectional and is used to find the addresses and ports that are shared at a given time. NetFlow is another type of logging apparatus on a Cisco device for capturing log data.

We also have our encryption, encapsulation and tunneling. Encryption, encapsulation and tunneling can be used in VPN technology or point-to-point technology, or variations. Encryption makes the traffic unreadable by other devices but the endpoint, or the destination. Malware can establish an encrypted tunnel that rides on common and trusted protocols to actually exfiltrate data from the network, so sometimes encryption leaving the network could be a bad thing. Encryption does represent challenges for modern-day monitoring because of the packet detail being unreadable. There are technologies out there that could be used to dissect it, but that will be a huge hit on performance on our network appliances, assuming that it is even possible. Some point-to-point VPNs are pretty brutal when it comes to their level of encryption and protection.

We also have a peer-to-peer, or P2P, based network. That is where everything, all devices, all nodes on the network are considered a peer and they all share data. BitTorrent, for example: every computer will share its resources on the network, thus being able to get information from not just a single source but from multiple sources. And again, not all P2P networking is illegal; torrenting is not illegal, it's more what you do with it. You can have instant messaging; that's also a P2P application. There are some legitimate P2P applications for distributing data for a legitimate purpose, but again, they can also be used for malicious reasons. P2P does use dynamic port numbering; it's not really tied, so it can be very flexible.

Tor is also classified as a P2P-based network. Tor is specifically designed to use a random path through a network of Tor relays, or the darknets. So when the browsing begins, the browser will construct a layered end-to-end path across the Tor server network that's encrypted, so here we just go through different machines to our destination. When the initial construction is done it may choose a different approach to get to our endpoint; again, this is done at the beginning of the browsing session. Each encrypted layer is peeled away when we are dealing with Tor, like an onion, so as the traffic traverses the Tor relay, the layers contain encrypted next-hop information so that you can slowly get through the data flow of the darknets. First, Tor is widely used by criminals on the darknets. Tor has also been a communication channel for malware back to CnC servers. This does provide a layer of encryption and protection from the browser; it all depends on how you want to view this. Some legitimate people could use Tor to ensure a certain level of privacy; it can also be used for negative or malicious content.

So how do we handle a load if we're not using a P2P-type network? Well, we have what's called a load balancer. Load balancers can actually be multiple different things. So here's a load balancer for DNS, for example. We could have an appliance, or a piece of physical hardware, that actually allows for multiple connections, and then it will balance between multiple servers. It normally allows for the use of redundant resources, and there's an algorithm or device that will distribute the traffic between those resources. Again, DNS is one of the bigger options for load balancing, but it's not limited to just DNS. There is also what's called a load balancer manager, and this is used to probe the network to see ways that it could actually balance traffic through multiple pathways. Distribution of network traffic over our layer 3 devices, when implemented correctly, can alleviate some heavy traffic loads, but that means it has to be done correctly, and that's something that's not always reviewed; that's more of a network design standpoint as opposed to a network analyst.

All right, so that wraps up this chapter. We looked at major protocols: syslog, NTP, HTTP, HTTPS, our email protocols SMTP, POP and IMAP. We looked at different forms of communication using ICMP, as well as our address translations using either network- or port-based, and looking at some logging techniques like NetFlow. We finished it up with some P2P-based traffic, some encryption, our encapsulation and tunneling-based traffic, as well as load balancers. Any questions or concerns, definitely feel free to reach out. Thank you. If you have any questions or anything, please feel free to reach out. Again, with this material, being able to ask questions and discuss some of the topics in the lecture helps build long-term retention, so do not be afraid to communicate with this topic. Again, I'm here if you need anything. Thank you.
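The lecture's DNS exfiltration point (baseline the length of normal queries, then treat unusually long or random-looking subdomains as anomalies in the DNS proxy log) can be turned into a small detection script. The following is an added example, not code from the CyberOps course or from Cisco; the log line format, the sample lines and the choice of a three-standard-deviation length limit and a 3.5 bits/char entropy limit are all assumptions made for the example. It also treats the registered domain as the last two labels of the query name, which is a simplification.

```python
"""Flag DNS queries whose subdomain looks like encoded data (added example)."""
import math
import statistics
from collections import Counter

# Constructed sample of a DNS proxy log (format assumed for this example):
# "<timestamp> <client-ip> <qtype> <qname>". The first ten lines are ordinary
# lookups; the last three carry encoded data in the subdomain label.
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 A www.example.com
2024-01-01T10:00:02 10.0.0.5 A mail.example.com
2024-01-01T10:00:03 10.0.0.7 AAAA cdn.static.example.net
2024-01-01T10:00:04 10.0.0.9 A updates.vendor.example
2024-01-01T10:00:05 10.0.0.5 A docs.example.org
2024-01-01T10:00:06 10.0.0.7 A login.example.com
2024-01-01T10:00:07 10.0.0.9 A api.example.net
2024-01-01T10:00:08 10.0.0.5 A static.example.org
2024-01-01T10:00:09 10.0.0.7 A images.example.com
2024-01-01T10:00:10 10.0.0.9 A time.example.net
2024-01-01T10:00:11 10.0.0.42 TXT 48656c6c6f2c20776f726c642e2054686973206973.example.com
2024-01-01T10:00:12 10.0.0.42 TXT 0000000000000000000000000000.example.com
2024-01-01T10:00:13 10.0.0.42 A zq8vk2lx9pd3mt7nwb4hc6ry.example.com
"""


def parse_log(text):
    """Split each non-empty log line into a record dict."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname = line.split()
        records.append({"ts": ts, "client": client, "qtype": qtype,
                        "qname": qname.rstrip(".").lower()})
    return records


def subdomain_of(qname, registered_labels=2):
    """Everything left of the registered domain (assumed: the last two labels)."""
    labels = qname.split(".")
    return ".".join(labels[:-registered_labels])


def shannon_entropy(text):
    """Bits per character: random-looking strings score high, repetitive ones low."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def build_baseline(records):
    """Mean and standard deviation of subdomain length over known-good traffic."""
    lengths = [len(subdomain_of(r["qname"])) for r in records]
    return {"mean": statistics.fmean(lengths),
            "stdev": statistics.stdev(lengths) if len(lengths) > 1 else 0.0}


def score_query(qname, baseline, z=3.0, entropy_limit=3.5):
    """Return the reasons a query looks anomalous; an empty list means normal."""
    sub = subdomain_of(qname)
    reasons = []
    limit = baseline["mean"] + z * baseline["stdev"]
    if len(sub) > limit:
        reasons.append(f"subdomain length {len(sub)} exceeds baseline limit {limit:.1f}")
    entropy = shannon_entropy(sub.replace(".", ""))
    if entropy > entropy_limit:
        reasons.append(f"subdomain entropy {entropy:.2f} bits/char exceeds {entropy_limit}")
    return reasons


def find_anomalies(records, baseline, **thresholds):
    """Score every record; return (client, qname, reasons) for the hits."""
    flagged = []
    for r in records:
        reasons = score_query(r["qname"], baseline, **thresholds)
        if reasons:
            flagged.append((r["client"], r["qname"], reasons))
    return flagged


def demo():
    records = parse_log(SAMPLE_LOG)
    baseline = build_baseline(records[:10])   # first ten lines are the known-good sample
    return find_anomalies(records, baseline)


if __name__ == "__main__":
    for client, qname, reasons in demo():
        print(f"{client} {qname}")
        for reason in reasons:
            print(f"    - {reason}")
```

The two checks are deliberately independent: the zero-padded label has no entropy at all and is caught by length alone, while the random-looking label trips both. In practice the baseline would be built per client or per resolver over a longer window, and a spike in the count of flagged queries from one host is the signal the lecture describes.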
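The ACL walkthrough in the lecture (three permitted ICMP types, then deny ICMP, then permit IP, evaluated line by line) is easiest to see with a small first-match simulator. This is an added example, not Cisco IOS code and not from the course; the ACE fields, the packet dictionaries and the sample packets are constructed for it, and the addresses use the documentation ranges. It also shows the implicit deny at the end of every ACL and keeps per-ACE hit counts, which is what you would look at when checking that the list behaves as intended.

```python
"""First-match evaluation of the lecture's ICMP ACL (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class ACE:
    """One access control entry, a simplified form of an IOS extended ACE."""
    action: str                      # "permit" or "deny"
    protocol: str                    # "icmp", "tcp", "udp" or "ip" (ip matches any protocol)
    source: str = "0.0.0.0/0"        # "any" in IOS terms
    destination: str = "0.0.0.0/0"
    icmp_type: Optional[str] = None  # e.g. "echo-reply"; None matches every ICMP type
    hits: int = 0                    # incremented when this ACE is the first match

    def matches(self, pkt):
        if self.protocol != "ip" and self.protocol != pkt["proto"]:
            return False
        if ip_address(pkt["src"]) not in ip_network(self.source):
            return False
        if ip_address(pkt["dst"]) not in ip_network(self.destination):
            return False
        if self.icmp_type is not None and pkt.get("icmp_type") != self.icmp_type:
            return False
        return True

    def text(self):
        parts = [self.action, self.protocol, self.source, self.destination]
        if self.icmp_type:
            parts.append(self.icmp_type)
        return " ".join(parts)


class ACL:
    """An ordered list of ACEs evaluated top-down; the first match wins."""

    def __init__(self, entries):
        self.entries = list(entries)

    def evaluate(self, pkt):
        """Return (action, line number); line None means the implicit deny fired."""
        for line, ace in enumerate(self.entries, start=1):
            if ace.matches(pkt):
                ace.hits += 1
                return ace.action, line
        return "deny", None

    def hit_report(self):
        return [(line, ace.text(), ace.hits)
                for line, ace in enumerate(self.entries, start=1)]


def lecture_acl():
    """The five-line list from the lecture, in the order it is drawn."""
    return ACL([
        ACE("permit", "icmp", icmp_type="echo-reply"),
        ACE("permit", "icmp", icmp_type="source-quench"),
        ACE("permit", "icmp", icmp_type="unreachable"),
        ACE("deny", "icmp"),
        ACE("permit", "ip"),
    ])


# Constructed sample packets arriving from outside (203.0.113.0/24 is a documentation range).
SAMPLE_PACKETS = [
    {"proto": "icmp", "src": "203.0.113.10", "dst": "10.0.0.5", "icmp_type": "echo-reply"},
    {"proto": "icmp", "src": "203.0.113.10", "dst": "10.0.0.5", "icmp_type": "echo"},
    {"proto": "icmp", "src": "203.0.113.20", "dst": "10.0.0.5", "icmp_type": "unreachable"},
    {"proto": "tcp", "src": "203.0.113.30", "dst": "10.0.0.5", "dport": 443},
]


def run(acl, packets):
    """Evaluate each packet in order and return the (action, line) decisions."""
    return [acl.evaluate(p) for p in packets]


if __name__ == "__main__":
    acl = lecture_acl()
    for pkt, (action, line) in zip(SAMPLE_PACKETS, run(acl, SAMPLE_PACKETS)):
        detail = pkt.get("icmp_type", pkt.get("dport", ""))
        print(f"{pkt['proto']:4} {detail!s:>13} -> {action} (line {line})")
    for line, text, hits in acl.hit_report():
        print(f"{line} {text} ({hits} matches)")
```

The inbound echo request is the interesting case: it is ICMP but none of the three permitted types, so it falls through to line 4 and is denied, while the TCP packet skips every ICMP line and is permitted by line 5. Removing the final `permit ip` line leaves the implicit deny in charge, which the test below checks.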