CCNA Cyber Ops FAQ: Network and Host Telemetry

Q1. Why should you enable Network Time Protocol (NTP) when you collect logs from network devices?
A. To make sure that network and server logs are collected faster.

B. Syslog data is useless if it shows the wrong date and time. Using NTP ensures that the correct time is set and that all devices within the network are synchronized.

C. By using NTP, network devices can record the time for certificate management.

D. NTP is not supported when collecting logs from network infrastructure devices.

Answer: B. Syslog data is useless if it shows the wrong date and time. As a best practice, you should configure all network devices to use the Network Time Protocol (NTP). Using NTP ensures that the correct time is set and that all devices within the network are synchronized.

Q2. Cisco ASA supports which of the following types of logging? (Select all that apply.)
A. Console logging
B. Terminal logging
C. ASDM logging
D. Email logging
E. External syslog server logging

Answer: A, B, C, D, E. All of these logging capabilities are supported in Cisco ASA.

Q3. Which of the following are examples of scalable, commercial, and open source log-collection and -analysis platforms? (Select all that apply.)
A. Splunk
B. Spark
C. Graylog
D. Elasticsearch, Logstash, and Kibana (ELK) Stack

Answer: A, C, D. Splunk, Graylog, and ELK Stack are examples of commercial and open source log-collection and -analysis platforms.

Q4. Host-based firewalls are often referred to as which of the following?
A. Next-generation firewalls
B. Personal firewalls
C. Host-based intrusion detection systems
D. Antivirus software

Answer: B. Host-based firewalls are often referred to as “personal firewalls.”

Q5. What are some of the characteristics of next-generation firewall and next-generation IPS logging capabilities? (Select all that apply.)
A. With next-generation firewalls, you can only monitor malware activity and not access control policies.

B. With next-generation firewalls, you can monitor events for traffic that does not conform with your access control policies. Access control policies allow you to specify, inspect, and log the traffic that can traverse your network. An access control policy determines how the system handles traffic on your network.

C. Next-generation firewalls and next-generation IPSs help you identify and mitigate the effects of malware. The FMC file control, network file trajectory, and Advanced Malware Protection (AMP) can detect, track, capture, analyze, log, and optionally block the transmission of files, including malware files and nested files inside archive files.

D. AMP is supported by Cisco next-generation firewalls, but not by IPS devices.

Answer: B and C. You can monitor events for traffic that does not conform with your access control policies. Access control policies allow you to specify, inspect, and log the traffic that can traverse your network. An access control policy determines how the system handles traffic on your network. To help you identify and mitigate the effects of malware, the FMC file control, network file trajectory, and Advanced Malware Protection (AMP) can detect, track, capture, analyze, log, and optionally block the transmission of files, including malware files and nested files inside archive files.

Q6. Which of the following are characteristics of next-generation firewalls and the Cisco Firepower Management Center (FMC) in relation to incident management? (Select all that apply.)
A. They provide a list of separate things, such as hosts, applications, email addresses, and services, that are authorized to be installed or active on a system in accordance with a predetermined baseline.

B. These platforms support an incident life cycle, allowing you to change an incident’s status as you progress through your response to an attack.

C. You can create your own event classifications and then apply them in a way that best describes the vulnerabilities on your network.

D. You cannot create your own event classifications and then apply them in a way that best describes the vulnerabilities on your network.

Answer: B and C. Next-generation firewalls and next-generation IPS systems via the FMC support an incident life cycle, allowing you to change an incident’s status as you progress through your response to an attack. When you close an incident, you can note any changes you have made to your security policies as a result of any lessons learned. Generally, an incident is defined as one or more intrusion events that you suspect are involved in a possible violation of your security policies. The FMC and next-generation firewalls and IPS systems are particularly well suited to supporting the investigation and qualification procedures of the incident response process. You can create your own event classifications and then apply them in a way that best describes the vulnerabilities on your network.

Q7. Which of the following are true regarding full packet capture?
A. Full packet capture demands great system resources and engineering efforts, not only to collect the data and store it, but also to be able to analyze it. That is why, in many cases, it is better to obtain network metadata by using NetFlow.

B. Full packet captures can be discarded within seconds of being collected because they are not needed for forensic activities.

C. NetFlow and full packet captures serve the same purpose.

D. Most sniffers do not support collecting broadcast and multicast traffic.

Answer: A. Full packet capture demands great system resources and engineering effort, not only to collect the data and store it, but also to be able to analyze it. That is why, in many cases, it is better to obtain network metadata by using NetFlow.

Q8. Which of the following are some useful attributes you should seek to collect from endpoints? (Select all that apply.)
A. IP address of the endpoint or DNS hostname
B. Application logs
C. Processes running on the machine
D. NetFlow data

Answer: A, B, C. IP address or DNS hostname, application logs, and processes running on the system are some useful attributes you should seek to collect from endpoint systems.

Q9. SIEM solutions can collect logs from popular host security products, including which of the following?
A. Antivirus or antimalware applications
B. Cloud logs
C. NetFlow data
D. Personal firewalls

Answer: A and D. Antivirus or antimalware applications and personal firewalls produce good security telemetry on endpoints.

Q10. Which of the following are some useful reports you can collect from Cisco ISE related to endpoints? (Select all that apply.)
A. Web Server Log reports
B. Top Application reports
C. RADIUS Authentication reports
D. Administrator Login reports

Answer: A, B, D. The Cisco ISE Administrator Logins report provides an audit trail of all administrator logins. The web server log reports and top application reports provide additional contextual information that you can collect from Cisco ISE to help you investigate security incidents.

Q11. Which of the following are open source packet-capture software? (Select all that apply.)
A. WireMark
B. Wireshark
C. tcpdump
D. udpdump

Answer: B and C. Wireshark and tcpdump are examples of open source packet-capture software.

Q12. Which of the following is a big data analytics technology that’s used by several frameworks in security operation centers?
A. Hadoop
B. Next-generation firewalls
C. Next-generation IPS
D. IPFIX

Answer: A. Hadoop is a big data analytics technology that’s used by several frameworks in security operation centers, as well as in many other scenarios.

Q13. Which of the following is not a host-based telemetry source?
A. Personal firewalls
B. Intrusion detection/prevention
C. Antivirus or antimalware
D. Router syslogs

Answer: D. Router syslogs are not a host-based telemetry source. Router syslogs are a network-based telemetry source.

Q14. Why can encryption cause problems when you’re analyzing data in packet captures?
A. Because encryption causes fragmentation

B. Because encryption causes packet loss

C. Because you cannot see the actual payload of the packet

D. Because encryption adds overhead to the network, and infrastructure devices cannot scale

Answer: C. Encryption can cause problems in an SOC because you cannot see the actual payload of the packet.

Q15. What is Cisco Prime Infrastructure?
A. A next-generation firewall

B. A network management platform you can use to configure and monitor many network infrastructure devices in your network

C. A NetFlow generation appliance

D. A next-generation IPS solution

Answer: B. Cisco Prime Infrastructure is a network management platform you can use to configure and monitor many network infrastructure devices in your network. It provides network administrators with a single solution for provisioning, monitoring, optimizing, and troubleshooting both wired and wireless devices.

Q16. In what location (directory) do Linux-based systems store most of their logs, including syslog?
A. /opt/logs
B. /var/log
C. /etc/log
D. /dev/log

Answer: B. Linux-based systems store most of their logs (including syslog) in /var/log.

Q17. Cisco AVC uses which of the following technologies to provide deep packet inspection (DPI) that identifies a wide variety of applications within the network traffic flow, using Layer 3 to Layer 7 data?
A. Cisco NetFlow
B. IPFIX
C. Cisco AMP
D. Cisco Network-Based Application Recognition Version 2 (NBAR2)

Answer: D. NBAR2 is used by Cisco AVC to provide deep packet inspection.

Q18. NBAR works with which of the following technologies to help ensure that the network bandwidth is best used to fulfill its primary objectives?
A. Quality of Service (QoS)
B. IPFIX
C. Snort
D. Antimalware software

Answer: A. QoS can be used with NBAR2 to help ensure that the network bandwidth is best used.

Q19. Traditional Cisco NetFlow records are usually exported via which of the following methods?
A. IPFIX records
B. TLS packets
C. UDP packets
D. HTTPS packets

Answer: C. Cisco NetFlow records are usually exported using UDP packets.

Q20. Which of the following is not a NetFlow version?
A. Version 5
B. Version 7
C. Version 9
D. IPFIX

Answer: D. IPFIX is not a NetFlow version; it is a flow-based standard derived from NetFlow version 9.

About the author

Scott
