CCNA Cyber Ops FAQ: Security Evasion Techniques

Q1. Which of the following describes an attacker sending traffic slower than normal, staying below the thresholds within the time windows that signatures use to correlate packets with one another?
A. Traffic insertion
B. Protocol manipulation
C. Traffic fragmentation
D. Timing attack

Answer: D. This example represents adjusting the timing of traffic, which is a timing attack.

Q2. Which of the following would give an IPS the most trouble?
A. Jumbo packets
B. Encryption
C. Throughput
D. Updates

Answer: B. Encryption would be the biggest challenge because traffic cannot be evaluated by the IPS for threats.

Q3. Which type of attack floods an IPS with a large volume of traffic or packets?
A. Resource exhaustion
B. DoS (denial of service)
C. Smoke and mirrors
D. Timing attack

Answer: A. Resource exhaustion is when the attacker sends a very large volume of traffic with the goal of consuming the available resources. This can generate a flood of alarms and render the system useless.

Q4. Which of the following is not an example of traffic fragmentation?
A. Modifying routing tables
B. Modifying the TCP/IP in a way that is unexpected by security detection devices
C. Modifying IP headers to cause fragments to overlap
D. TCP segmentation

Answer: A. Modifying routing would not cause a traffic fragmentation error on a security detection device.

Q5. What is the best defense for traffic fragmentation attacks?
A. Deploying a passive security solution that monitors internal traffic for unusual traffic and traffic fragmentation
B. Deploying a next-generation application layer firewall
C. Configuring fragmentation limits on a security solution
D. Deploying a proxy or inline security solution

Answer: D. Proxies and inline security devices can help prevent traffic fragmentation attacks. Protocols can also be manipulated to prevent security devices from properly evaluating traffic: the TCP checksum and time-to-live (TTL) fields can be manipulated so that traffic first looks like one thing and later looks like something else, with the goal of tricking the security defenses.

Q6. Which of the following is a TCP-injection attack?
A. Forging a TCP packet over an HTTPS session
B. Replacing legitimate TCP traffic with forged TCP packets
C. The addition of a forged TCP packet to an existing TCP session
D. Modifying the TCP/IP in a way that is unexpected by security detection

Answer: C. Answer C is correct because a TCP-injection attack adds a forged packet to an existing session without modifying the legitimate traffic, and it acts over HTTP. Answer A is incorrect because this attack doesn't work over HTTPS. Answer B is incorrect because this attack doesn't modify the legitimate traffic. Answer D doesn't provide enough detail.

Q7. A traffic substitution and insertion attack does which of the following?
A. Substitutes the traffic with data in a different format but with the same meaning
B. Substitutes the payload with data in the same format but with a different meaning, providing a new payload
C. Substitutes the payload with data in a different format but with the same meaning, not modifying the payload
D. Substitutes the traffic with data in the same format but with a different meaning

Answer: C. Answer C is the best answer. Answers A and D do not mention a payload, meaning there isn't an associated attack. Answer B is incorrect because if the same payload is used, it will be detected by most security solutions. In answer C, the traffic is reformatted to bypass detection while the attacker's payload is left unmodified.

Q8. Which of the following is not a defense against a traffic substitution and insertion attack?
A. Unicode de-obfuscation
B. Using Unicode instead of ASCII
C. Adopting the format changes
D. Properly processing extended characters

Answer: B. Using Unicode instead of ASCII can enable a traffic substitution and insertion attack rather than defend against it.

Q9. Which of the following is not a defense against a pivot attack?
A. Content filtering
B. Proper patch management
C. Network segmentation
D. Access control

Answer: A. Content filtering is a method for controlling what type of content is available to users. This is not a method of preventing a pivot attack. Answer B is a way to harden systems to avoid lateral movement through system exploitation. Answers C and D both represent methods to control what can access other systems on the network and lateral movement.

Q10. Which security technology would be best for detecting a pivot attack?
A. Virtual private network (VPN)
B. Host-based antivirus
C. NetFlow solution looking for anomalies within the network
D. Application layer firewalls

Answer: C. NetFlow can be used to detect unusual network patterns such as internal pivoting. Answer A is an encryption technology that can be used once a pivot has occurred. Answer B is typically a signature-based security solution that can prevent a host from exploiting another host, but it is not the best answer. Answer D could help but is typically used for controlling what traffic can and can't pass; as stated, it is too vague, and although an application layer firewall would be a good defense when used for segmentation, that doesn't necessarily make it the best solution for pivot detection.

Q11. What is SSH used for?
A. Remote access
B. To provide a client-based VPN solution for remote users
C. Managing network equipment remotely
D. Preventing man-in-the-middle attacks by securing traffic between the client and server

Answer: D.

Q12. Which of the following is a true statement?
A. A remote access VPN must include a host installed on the client.
B. A clientless VPN can connect multiple concentrators together.
C. A remote access VPN may include a host installed on the client.
D. A clientless VPN installs software on the host to establish the VPN connection.

Answer: B.

Q13. Which of the following is not a possible outcome of a resource exhaustion attack?
A. Corrupting applications by modifying their code
B. A denial of service on the target system
C. Bypassing access control security
D. Causing blackouts in network monitoring

Answer: A. Resource exhaustion is when the attacker sends a ton of traffic with the goal of consuming available resources. This could generate a bunch of alarms and render the system useless.

Q14. Which of the following is not a technique used to prevent an IPS from reassembling fragmented packets?
A. Encrypting traffic
B. TCP segmentation and reordering attack
C. Overlapping fragments
D. Sending traffic very slowly

Answer: A.

Q15. Which of the following is the best explanation of an overlapping fragment attack?
A. This attack works by setting the offset values in the IP header to match up, causing one fragment to overlap another.
B. This attack works by setting the TCP values in the IP header to not match up, causing one fragment to overlap another.
C. This attack works by setting the UDP values in the IP header to match up, causing one fragment to overlap another.
D. This attack works by setting the offset values in the IP header to not match up, causing one fragment to overlap another.

Answer: D.

Q16. Which of the following best describes a timing attack?
A. Sending a ton of traffic to render the system or data useless
B. Sending traffic in a method that is slower than the system can accept
C. Sending traffic slowly enough that the system can accept it but overlooks it
D. Sending the traffic over different protocols

Answer: C.

Q17. Which of the following is an example of a traffic substitution and insertion attack?
A. Inputting more characters than requested
B. Using functions and classes
C. Replacing spaces with tabs
D. Inputting wildcard characters

Answer: C.

Q18. Which of the following is not a method used to pivot within a network?
A. Exploiting a host on the same network
B. Creating a back door to the network
C. VLAN hopping
D. Exploiting a network server

Answer: B.

Q19. Which is the best answer to explain why Cisco Identity Services Engine would reduce the risk of pivoting to a higher, trusted network?
A. ISE ensures systems have the latest antivirus updates prior to permitting access to the network.
B. ISE can unify and enforce the LAN, wireless, and VPN access control policies into one secure policy.
C. ISE can profile devices, providing greater detail on which ones can access what resources.
D. ISE enforces network segmentation.

Answer: A.

Q20. Which of the following statements is not true about SSH?
A. SSH uses TCP port 22.
B. SSH is composed of an SSH server, clients, and keys.
C. SSH uses asymmetric encryption.
D. SSH encrypts traffic between a client and an SSH server.

Answer: C.

About the author

Scott