CCNA Cyber Ops FAQ: The Art of Data and Event Analysis


Q1. Which of the following is the process of capturing, storing, and analyzing data so that it exists in only one form?
A. Data normalization
B. Data correlation
C. Big data analytics
D. Retrospective analysis

Answer: A. Data normalization is the process of capturing, storing, and analyzing data (security-related events, in this case) so that it exists in only one form.

Q2. Which of the following is not a data normalization method used in the industry?
A. First normal form (1NF)
B. First data ingest (FDI)
C. Second normal form (2NF)
D. Third normal form (3NF)

Answer: B. First normal form (1NF), second normal form (2NF), and third normal form (3NF) are data normalization categories used in the industry.

Q3. Which of the following is not an element in the 5-tuple?
A. Source IP address
B. Source port
C. Protocol
D. IP option

Answer: D. IP option is not part of the 5-tuple.

Q4. Which of the following describes the security event log shown here?
A. NetFlow record
B. Traditional firewall syslog
C. WSA log
D. Intrusion prevention system (IPS) or intrusion detection system (IDS) log

Answer: D. The event shown is an IPS/IDS log. The key field for recognizing it is the signature ID.

Q5. Which of the following statements is true about retrospective analysis?
A. Cisco Talos uses threat intelligence from Cisco to perform retrospective analysis and protection. Cisco AMP also provides device and file trajectory capabilities to allow the security administrator to analyze the full spectrum of an attack.

B. Cisco AMP for Endpoints uses threat intelligence from Cisco to perform retrospective analysis and protection. However, Cisco AMP for Networks does not support device and file trajectory capabilities to allow the security administrator to analyze the full spectrum of an attack.

C. Cisco AMP uses threat intelligence from Cisco Talos to perform retrospective analysis and protection. Cisco AMP also provides device and file trajectory capabilities to allow the security administrator to analyze the full spectrum of an attack.

D. Cisco AMP uses threat intelligence from Cisco WSA to perform retrospective analysis and protection. Cisco WSA also provides device and file trajectory capabilities to allow the security administrator to analyze the full spectrum of an attack.

Answer: C. Cisco AMP uses threat intelligence from Cisco to perform retrospective analysis and protection. Cisco AMP also provides device and file trajectory capabilities to allow the security administrator to analyze the full spectrum of an attack.

Q6. Which of the following can be combined with security event logs to identify compromised systems and communications to command and control (CnC) servers?
A. PII
B. PHI
C. AH/ESP
D. DNS

Answer: D. DNS intelligence and URL reputation are used in many security solutions like the Cisco Firepower appliances, Cisco Firepower Threat Defense (FTD), the Cisco Web and Email security appliances, and others. For instance, you can correlate security events based on threat intelligence to identify communications to known malicious command and control (CnC) servers based on DNS information.

Q7. In which type of analysis do you know and obtain “facts” about the incident, breach, and affected applications?
A. Probabilistic
B. Compound
C. Deterministic
D. Dynamic

Answer: C. In deterministic analysis, you know and obtain “facts” about the incident, breach, affected applications, and other information.

Q8. What is the type of security or event log or record described in the following table?
A. NetFlow record
B. IPS event
C. IDS event
D. Traditional firewall log

Answer: A. The table includes a NetFlow record. You can see information such as the 5-tuple and next-hop router information, as well as TCP flags, which are supported by NetFlow.

Q9. What type of security event log is the following?
(Example 9-2, the ASA syslog message, is not reproduced on this page.)
A. A firewall syslog
B. IDS event
C. IPS event
D. NetFlow

Answer: A. The ASA syslog shown is an example of a firewall log.

Q10. Which of the following can be identified by correlating DNS intelligence and other security events? (Choose two.)
A. Communication to CnC servers
B. Configuration issues
C. Malicious domains based on reputation
D. Routing problems

Answer: A and C. You can identify communications to CnC servers and malicious domains based on reputation by correlating DNS intelligence and other security events.

Q11. Cisco Advanced Malware Protection (AMP) for Networks and AMP for Endpoints provide mitigation capabilities that go beyond point-in-time detection. Which of the following is an example of this capability?
A. Hashing
B. DLP
C. Using threat intelligence to perform retrospective analysis and protection
D. Encryption

Answer: C. AMP for Networks and AMP for Endpoints use threat intelligence to allow you to perform retrospective analysis and protection.

Q12. Which of the following is one of the main goals of data normalization?
A. To save duplicate logs for redundancy
B. To purge redundant data while maintaining data integrity
C. To correlate IPS and IDS logs with DNS
D. To correlate IPS/IDS logs with firewall logs

Answer: B. Purging redundant data while maintaining data integrity is one of the main goals of data normalization.
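The answers above (Q1, Q3, Q4, Q8, Q9 and Q12) describe how an analyst tells the log sources apart and why they are normalized into one form. The following Python script is an added example, not part of the FAQ or of any Cisco product: it classifies three constructed sample lines (an IDS alert carrying a signature ID, an ASA "Built connection" syslog, and a NetFlow record flattened to key=value pairs), reduces each to the same record built around the 5-tuple, purges an exact duplicate, and then correlates the records by 5-tuple. The sample lines, the key=value NetFlow layout, and the mapping of the ASA "for ... to ..." endpoints to source and destination are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample events (not captured from any real device).
SAMPLE_EVENTS = [
    # IDS/IPS alert: the [gid:sid:rev] signature ID is the telltale field.
    "Feb 03 10:15:22 sensor1 snort[2311]: [1:2019401:3] ET TROJAN Possible CnC Beacon "
    "[Classification: A Network Trojan was detected] [Priority: 1] {TCP} "
    "10.1.2.3:49152 -> 203.0.113.10:443",
    # Traditional firewall syslog (ASA 302013, connection built).
    "Feb 03 10:15:23 fw1 %ASA-6-302013: Built outbound TCP connection 12345 for "
    "outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.1.2.3/49152 (10.1.2.3/49152)",
    # NetFlow record flattened to key=value (assumed layout): next hop and TCP flags are NetFlow-specific.
    "srcaddr=10.1.2.3 dstaddr=203.0.113.10 srcport=49152 dstport=443 prot=6 "
    "nexthop=192.0.2.1 tcp_flags=0x1b pkts=12 bytes=2048",
    # Exact duplicate of the firewall line (e.g. forwarded by two collectors); normalization purges it.
    "Feb 03 10:15:23 fw1 %ASA-6-302013: Built outbound TCP connection 12345 for "
    "outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.1.2.3/49152 (10.1.2.3/49152)",
]


@dataclass(frozen=True)
class NormalizedEvent:
    """The single form every source is reduced to: the 5-tuple plus source-specific extras."""
    source_type: str                      # "ids", "firewall" or "netflow"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str                         # lowercase name, e.g. "tcp"
    signature_id: Optional[str] = None    # IDS/IPS only
    next_hop: Optional[str] = None        # NetFlow only
    tcp_flags: Optional[str] = None       # NetFlow only


IP_PROTO_NAMES = {"6": "tcp", "17": "udp", "1": "icmp"}

IDS_RE = re.compile(r"\[(\d+):(\d+):(\d+)\].*?\{(\w+)\}\s+([\d.]+):(\d+)\s+->\s+([\d.]+):(\d+)")
ASA_RE = re.compile(
    r"%ASA-\d-\d+: Built (inbound|outbound) (TCP|UDP) connection \d+ "
    r"for \w+:([\d.]+)/(\d+) \([^)]*\) to \w+:([\d.]+)/(\d+)"
)


def parse_event(line: str) -> Optional[NormalizedEvent]:
    """Classify one raw line by its distinguishing fields and map it onto the common form."""
    m = IDS_RE.search(line)
    if m:
        _, sid, _, proto, sip, sport, dip, dport = m.groups()
        return NormalizedEvent("ids", sip, int(sport), dip, int(dport), proto.lower(), signature_id=sid)
    m = ASA_RE.search(line)
    if m:
        direction, proto, for_ip, for_port, to_ip, to_port = m.groups()
        # Assumption for this example: on an outbound connection the "to" endpoint is the
        # initiating inside host (source) and the "for" endpoint is the remote peer (destination).
        if direction == "outbound":
            sip, sport, dip, dport = to_ip, to_port, for_ip, for_port
        else:
            sip, sport, dip, dport = for_ip, for_port, to_ip, to_port
        return NormalizedEvent("firewall", sip, int(sport), dip, int(dport), proto.lower())
    if "srcaddr=" in line and "dstaddr=" in line:
        kv = dict(tok.split("=", 1) for tok in line.split())
        return NormalizedEvent(
            "netflow", kv["srcaddr"], int(kv["srcport"]), kv["dstaddr"], int(kv["dstport"]),
            IP_PROTO_NAMES.get(kv["prot"], kv["prot"]),
            next_hop=kv.get("nexthop"), tcp_flags=kv.get("tcp_flags"),
        )
    return None  # unrecognized source: leave it out rather than guess


def normalize(lines: List[str]) -> List[NormalizedEvent]:
    """Convert every line to the one form and purge exact duplicates, preserving order."""
    seen = set()
    out = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev in seen:
            continue
        seen.add(ev)
        out.append(ev)
    return out


def five_tuple(ev: NormalizedEvent) -> Tuple[str, int, str, int, str]:
    return (ev.src_ip, ev.src_port, ev.dst_ip, ev.dst_port, ev.protocol)


def correlate(events: List[NormalizedEvent]) -> Dict[tuple, List[NormalizedEvent]]:
    """Group normalized events by 5-tuple so one flow can be seen across IDS, firewall and NetFlow."""
    groups: Dict[tuple, List[NormalizedEvent]] = {}
    for ev in events:
        groups.setdefault(five_tuple(ev), []).append(ev)
    return groups


if __name__ == "__main__":
    records = normalize(SAMPLE_EVENTS)
    print(f"{len(SAMPLE_EVENTS)} raw lines -> {len(records)} normalized records")
    for key, evs in correlate(records).items():
        print(key, "seen by:", ", ".join(e.source_type for e in evs))
```

With the constructed input, the four raw lines collapse to three records (the repeated ASA message is dropped) and all three share one 5-tuple, so the IDS alert, the firewall connection and the flow record can be read as one event from three vantage points.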

About the author

Scott
