
CCNA Cybersecurity Operations Course Booklet


  • Sorry, this book is no longer in print.
Not for Sale
  • About
  • Description
  • Sample Content
  • Updates



  • Copyright 2018
  • Dimensions: 8-1/2" x 10-7/8"
  • Pages: 336
  • Edition: 1st
  • Book
  • ISBN-10: 1-58713-437-3
  • ISBN-13: 978-1-58713-437-1

Your Cisco Networking Academy Course Booklet is designed as a study resource you can easily read, highlight, and review on the go, wherever the Internet is not available or practical:

  • The text is extracted directly, word-for-word, from the online course so you can highlight important points and take notes in the “Your Chapter Notes” section.
  • Headings with the exact page correlations provide a quick reference to the online course for your classroom discussions and exam preparation.
  • An icon system directs you to the online curriculum to take full advantage of the images embedded within the Networking Academy online course interface and reminds you to perform the labs, Class Activities, interactive activities, Packet Tracer activities, watch videos, and take the chapter quizzes and exams.

The Course Booklet is a basic, economical paper-based resource to help you succeed with the Cisco Networking Academy online course.

Table of Contents

Chapter 0 Course Introduction 1

0.0 Welcome to CCNA: Cybersecurity Operations 1

    0.0.1 Message to the Student 1

Chapter 1 Cybersecurity and the Security Operations Center 5

1.0 Introduction 5

1.1 The Danger 5

    1.1.1 War Stories 5
        Hijacked People 5
        Ransomed Companies 5
        Targeted Nations 6
        Lab - Installing the CyberOps Workstation Virtual Machine 6
        Lab - Cybersecurity Case Studies 6

    1.1.2 Threat Actors 6
        Amateurs 6
        Hacktivists 7
        Financial Gain 7
        Trade Secrets and Global Politics 7
        How Secure is the Internet of Things? 7
        Lab - Learning the Details of Attacks 7

    1.1.3 Threat Impact 8
        PII and PHI 8
        Lost Competitive Advantage 8
        Politics and National Security 8
        Lab - Visualizing the Black Hats 9

1.2 Fighters in the War Against Cybercrime 9

    1.2.1 The Modern Security Operations Center 9
        Elements of a SOC 9
        People in the SOC 9
        Process in the SOC 10
        Technologies in the SOC 10
        Enterprise and Managed Security 10
        Security vs. Availability 11
        Activity - Identify the SOC Terminology 11

    1.2.2 Becoming a Defender 11
        Certifications 11
        Further Education 12
        Sources of Career Information 12
        Getting Experience 13
        Lab - Becoming a Defender 13

1.3 Summary 13

Chapter 2 Windows Operating System 17

2.0 Introduction 17

2.1 Windows Overview 17

    2.1.1 Windows History 17
        Disk Operating System 17
        Windows Versions 18
        Windows GUI 19
        Operating System Vulnerabilities 19

    2.1.2 Windows Architecture and Operations 20
        Hardware Abstraction Layer 20
        User Mode and Kernel Mode 21
        Windows File Systems 21
        Windows Boot Process 23
        Windows Startup and Shutdown 24
        Processes, Threads, and Services 25
        Memory Allocation and Handles 25
        The Windows Registry 26
        Activity - Identify the Windows Registry Hive 27
        Lab - Exploring Processes, Threads, Handles, and Windows Registry 27

2.2 Windows Administration 27

    2.2.1 Windows Configuration and Monitoring 27
        Run as Administrator 27
        Local Users and Domains 27
        CLI and PowerShell 28
        Windows Management Instrumentation 29
        The net Command 30
        Task Manager and Resource Monitor 30
        Networking 31
        Accessing Network Resources 33
        Windows Server 33
        Lab - Create User Accounts 34
        Lab - Using Windows PowerShell 34
        Lab - Windows Task Manager 34
        Lab - Monitor and Manage System Resources in Windows 34

    2.2.2 Windows Security 34
        The netstat Command 34
        Event Viewer 35
        Windows Update Management 35
        Local Security Policy 35
        Windows Defender 36
        Windows Firewall 37
        Activity - Identify the Windows Command 37
        Activity - Identify the Windows Tool 37

2.3 Summary 37

Chapter 3 Linux Operating System 41

3.0 Introduction 41

3.1 Linux Overview 41

    3.1.1 Linux Basics 41
        What is Linux? 41
        The Value of Linux 42
        Linux in the SOC 42
        Linux Tools 43

    3.1.2 Working in the Linux Shell 43
        The Linux Shell 43
        Basic Commands 43
        File and Directory Commands 44
        Working with Text Files 44
        The Importance of Text Files in Linux 44
        Lab - Working with Text Files in the CLI 45
        Lab - Getting Familiar with the Linux Shell 45

    3.1.3 Linux Servers and Clients 45
        An Introduction to Client-Server Communications 45
        Servers, Services, and Their Ports 45
        Clients 45
        Lab - Linux Servers 45

3.2 Linux Administration 46

    3.2.1 Basic Server Administration 46
        Service Configuration Files 46
        Hardening Devices 46
        Monitoring Service Logs 47
        Lab - Locating Log Files 48

    3.2.2 The Linux File System 48
        The File System Types in Linux 48
        Linux Roles and File Permissions 49
        Hard Links and Symbolic Links 50
        Lab - Navigating the Linux Filesystem and Permission Settings 50

3.3 Linux Hosts 51

    3.3.1 Working with the Linux GUI 51
        X Window System 51
        The Linux GUI 51

    3.3.2 Working on a Linux Host 52
        Installing and Running Applications on a Linux Host 52
        Keeping the System Up To Date 52
        Processes and Forks 52
        Malware on a Linux Host 53
        Rootkit Check 54
        Piping Commands 54
        Video Demonstration - Applications, Rootkits, and Piping Commands 55

3.4 Summary 55

Chapter 4 Network Protocols and Services 59

4.0 Introduction 59

4.1 Network Protocols 59

    4.1.1 Network Communications Process 59
        Views of the Network 59
        Client-Server Communications 60
        A Typical Session: Student 60
        A Typical Session: Gamer 61
        A Typical Session: Surgeon 61
        Tracing the Path 62
        Lab - Tracing a Route 62

    4.1.2 Communications Protocols 62
        What are Protocols? 62
        Network Protocol Suites 63
        The TCP/IP Protocol Suite 63
        Format, Size, and Timing 64
        Unicast, Multicast, and Broadcast 64
        Reference Models 65
        Three Addresses 65
        Encapsulation 65
        Scenario: Sending and Receiving a Web Page 66
        Lab - Introduction to Wireshark 67

4.2 Ethernet and Internet Protocol (IP) 67

    4.2.1 Ethernet 67
        The Ethernet Protocol 67
        The Ethernet Frame 68
        MAC Address Format 68
        Activity - Ethernet Frame Fields 68

    4.2.2 IPv4 68
        IPv4 Encapsulation 68
        IPv4 Characteristics 69
        Activity - IPv4 Characteristics 70
        The IPv4 Packet 70
        Video Demonstration - Sample IPv4 Headers in Wireshark 70

    4.2.3 IPv4 Addressing Basics 70
        IPv4 Address Notation 70
        IPv4 Host Address Structure 70
        IPv4 Subnet Mask and Network Address 71
        Subnetting Broadcast Domains 71
        Video Demonstration - Network, Host, and Broadcast Addresses 72

    4.2.4 Types of IPv4 Addresses 72
        IPv4 Address Classes and Default Subnet Masks 72
        Reserved Private Addresses 73

    4.2.5 The Default Gateway 73
        Host Forwarding Decision 73
        Default Gateway 74
        Using the Default Gateway 74

    4.2.6 IPv6 75
        Need for IPv6 75
        IPv6 Size and Representation 75
        IPv6 Address Formatting 75
        IPv6 Prefix Length 76
        Activity - IPv6 Address Notation 76
        Video Tutorial - Layer 2 and Layer 3 Addressing 76

4.3 Connectivity Verification 76

    4.3.1 ICMP 76
        ICMPv4 Messages 76
        ICMPv6 RS and RA Messages 77

    4.3.2 Ping and Traceroute Utilities 78
        Ping - Testing the Local Stack 78
        Ping - Testing Connectivity to the Local LAN 79
        Ping - Testing Connectivity to Remote Host 79
        Traceroute - Testing the Path 80
        ICMP Packet Format 80

4.4 Address Resolution Protocol 81

    4.4.1 MAC and IP 81
        Destination on Same Network 81
        Destination on Remote Network 82

    4.4.2 ARP 82
        Introduction to ARP 82
        ARP Functions 82
        Video - ARP Operation - ARP Request 83
        Video - ARP Operation - ARP Reply 84
        Video - ARP Role in Remote Communication 84
        Removing Entries from an ARP Table 85
        ARP Tables on Networking Devices 85
        Lab - Using Wireshark to Examine Ethernet Frames 85

    4.4.3 ARP Issues 85
        ARP Broadcasts 85
        ARP Spoofing 86

4.5 The Transport Layer 86

    4.5.1 Transport Layer Characteristics 86
        Transport Layer Protocol Role in Network Communication 86
        Transport Layer Mechanisms 87
        TCP Local and Remote Ports 87
        Socket Pairs 88
        TCP vs UDP 88
        TCP and UDP Headers 89
        Activity - Compare TCP and UDP Characteristics 90

    4.5.2 Transport Layer Operation 90
        TCP Port Allocation 90
        A TCP Session Part I: Connection Establishment and Termination 91
        Video Demonstration - TCP 3-Way Handshake 92
        Lab - Using Wireshark to Observe the TCP 3-Way Handshake 92
        Activity - TCP Connection and Termination Process 92
        A TCP Session Part II: Data Transfer 92
        Video Demonstration - Sequence Numbers and Acknowledgments 94
        Video Demonstration - Data Loss and Retransmission 94
        A UDP Session 94
        Lab - Exploring Nmap 95

4.6 Network Services 95

    4.6.1 DHCP 95
        DHCP Overview 95
        DHCPv4 Message Format 96

    4.6.2 DNS 97
        DNS Overview 97
        The DNS Domain Hierarchy 97
        The DNS Lookup Process 97
        DNS Message Format 98
        Dynamic DNS 99
        The WHOIS Protocol 99
        Lab - Using Wireshark to Examine a UDP DNS Capture 100

    4.6.3 NAT 100
        NAT Overview 100
        NAT-Enabled Routers 100
        Port Address Translation 100

    4.6.4 File Transfer and Sharing Services 101
        FTP and TFTP 101
        SMB 102
        Lab - Using Wireshark to Examine TCP and UDP Captures 102

    4.6.5 Email 102
        Email Overview 102
        SMTP 102
        POP3 103
        IMAP 103

    4.6.6 HTTP 103
        HTTP Overview 103
        The HTTP URL 104
        The HTTP Protocol 104
        HTTP Status Codes 105
        Lab - Using Wireshark to Examine HTTP and HTTPS Traffic 105

4.7 Summary 105

Chapter 5 Network Infrastructure 109

5.0 Introduction 109

5.1 Network Communication Devices 109

    5.1.1 Network Devices 109
        End Devices 109
        Video Tutorial - End Devices 109
        Routers 110
        Activity - Match Layer 2 and Layer 3 Addressing 110
        Router Operation 110
        Routing Information 111
        Video Tutorial - Static and Dynamic Routing 112
        Hubs, Bridges, LAN Switches 112
        Switching Operation 113
        Video Tutorial - MAC Address Tables on Connected Switches 114
        VLANs 114
        STP 114
        Multilayer Switching 115

    5.1.2 Wireless Communications 116
        Video Tutorial - Wireless Communications 116
        Protocols and Features 116
        Wireless Network Operations 117
        The Client to AP Association Process 118
        Activity - Order the Steps in the Client and AP Association Process 119
        Wireless Devices - AP, LWAP, WLC 119
        Activity - Identify the LAN Device 119

5.2 Network Security Infrastructure 120

    5.2.1 Security Devices 120
        Video Tutorial - Security Devices 120
        Firewalls 120
        Firewall Type Descriptions 120
        Packet Filtering Firewalls 121
        Stateful Firewalls 121
        Next-Generation Firewalls 121
        Activity - Identify the Type of Firewall 122
        Intrusion Protection and Detection Devices 122
        Advantages and Disadvantages of IDS and IPS 122
        Types of IPS 123
        Specialized Security Appliances 124
        Activity - Compare IDS and IPS Characteristics 125

    5.2.2 Security Services 125
        Video Tutorial - Security Services 125
        Traffic Control with ACLs 125
        ACLs: Important Features 126
        Packet Tracer - ACL Demonstration 126
        SNMP 126
        NetFlow 127
        Port Mirroring 127
        Syslog Servers 128
        NTP 128
        AAA Servers 129
        VPN 130
        Activity - Identify the Network Security Device or Service 130

5.3 Network Representations 130

    5.3.1 Network Topologies 130
        Overview of Network Components 130
        Physical and Logical Topologies 131
        WAN Topologies 131
        LAN Topologies 131
        The Three-Layer Network Design Model 132
        Video Tutorial - Three-Layer Network Design 132
        Common Security Architectures 133
        Activity - Identify the Network Topology 134
        Activity - Identify the Network Design Terminology 134
        Packet Tracer - Identify Packet Flow 134

5.4 Summary 134

Chapter 6 Principles of Network Security 137

6.0 Introduction 137

6.1 Attackers and Their Tools 137

    6.1.1 Who is Attacking Our Network? 137
        Threat, Vulnerability, and Risk 137
        Hacker vs. Threat Actor 138
        Evolution of Threat Actors 138
        Cybercriminals 139
        Cybersecurity Tasks 139
        Cyber Threat Indicators 139
        Activity - What Color is my Hat? 140

    6.1.2 Threat Actor Tools 140
        Introduction of Attack Tools 140
        Evolution of Security Tools 140
        Categories of Attacks 141
        Activity - Classify Hacking Tools 141

6.2 Common Threats and Attacks 141

    6.2.1 Malware 141
        Types of Malware 141
        Viruses 141
        Trojan Horses 141
        Trojan Horse Classification 142
        Worms 142
        Worm Components 143
        Ransomware 143
        Other Malware 144
        Common Malware Behaviors 144
        Activity - Identify the Malware Type 145
        Lab - Anatomy of Malware 145

    6.2.2 Common Network Attacks 145
        Types of Network Attacks 145
        Reconnaissance Attacks 145
        Sample Reconnaissance Attacks 146
        Access Attacks 146
        Types of Access Attacks 147
        Social Engineering Attacks 147
        Phishing Social Engineering Attacks 148
        Strengthening the Weakest Link 149
        Lab - Social Engineering 149
        Denial of Service Attacks 149
        DDoS Attacks 149
        Example DDoS Attack 150
        Buffer Overflow Attack 150
        Evasion Methods 151
        Activity - Identify the Types of Network Attack 151
        Activity - Components of a DDoS Attack 151

6.3 Summary 152

Chapter 7 Network Attacks: A Deeper Look 155

7.0 Introduction 155

7.1 Attackers and Their Tools 155

    7.1.1 Who is Attacking Our Network? 155
        Network Security Topology 155
        Monitoring the Network 156
        Network Taps 156
        Traffic Mirroring and SPAN 156

    7.1.2 Introduction to Network Monitoring Tools 157
        Network Security Monitoring Tools 157
        Network Protocol Analyzers 157
        NetFlow 158
        SIEM 159
        SIEM Systems 159
        Activity - Identify the Network Monitoring Tool 159
        Packet Tracer - Logging Network Activity 159

7.2 Attacking the Foundation 160

    7.2.1 IP Vulnerabilities and Threats 160
        IPv4 and IPv6 160
        The IPv4 Packet Header 160
        The IPv6 Packet Header 161
        IP Vulnerabilities 161
        ICMP Attacks 162
        DoS Attacks 163
        Amplification and Reflection Attacks 163
        DDoS Attacks 163
        Address Spoofing Attacks 164
        Activity - Identify the IP Vulnerability 164
        Lab - Observing a DDoS Attack 164

    7.2.2 TCP and UDP Vulnerabilities 165
        TCP 165
        TCP Attacks 165
        UDP and UDP Attacks 166
        Lab - Observing TCP Anomalies 166

7.3 Attacking What We Do 167

    7.3.1 IP Services 167
        ARP Vulnerabilities 167
        ARP Cache Poisoning 167
        DNS Attacks 168
        DNS Tunneling 169
        DHCP 169
        Lab - Exploring DNS Traffic 170

    7.3.2 Enterprise Services 170
        HTTP and HTTPS 170
        Email 173
        Web-Exposed Databases 174
        Lab - Attacking a MySQL Database 176
        Lab - Reading Server Logs 176

7.4 Summary 176

Chapter 8 Protecting the Network 179

8.0 Introduction 179

8.1 Understanding Defense 179

    8.1.1 Defense-in-Depth 179
        Assets, Vulnerabilities, Threats 179
        Identify Assets 179
        Identify Vulnerabilities 180
        Identify Threats 181
        Security Onion and Security Artichoke Approaches 181

    8.1.2 Security Policies 182
        Business Policies 182
        Security Policy 182
        BYOD Policies 183
        Regulatory and Standard Compliance 184

8.2 Access Control 184

    8.2.1 Access Control Concepts 184
        Communications Security: CIA 184
        Access Control Models 185
        Activity - Identify the Access Control Model 185

    8.2.2 AAA Usage and Operation 185
        AAA Operation 185
        AAA Authentication 186
        AAA Accounting Logs 187
        Activity - Identify the Characteristic of AAA 187

8.3 Threat Intelligence 187

    8.3.1 Information Sources 187
        Network Intelligence Communities 187
        Cisco Cybersecurity Reports 188
        Security Blogs and Podcasts 188

    8.3.2 Threat Intelligence Services 188
        Cisco Talos 188
        FireEye 189
        Automated Indicator Sharing 189
        Common Vulnerabilities and Exposures Database 189
        Threat Intelligence Communication Standards 189
        Activity - Identify the Threat Intelligence Information Source 190

8.4 Summary 190

Chapter 9 Cryptography and the Public Key Infrastructure 193

9.0 Introduction 193

9.1 Cryptography 193

    9.1.1 What is Cryptography? 193
        Securing Communications 193
        Cryptology 194
        Cryptography - Ciphers 195
        Cryptanalysis - Code Breaking 195
        Keys 196
        Lab - Encrypting and Decrypting Data Using OpenSSL 197
        Lab - Encrypting and Decrypting Data Using a Hacker Tool 197
        Lab - Examining Telnet and SSH in Wireshark 197

    9.1.2 Integrity and Authenticity 197
        Cryptographic Hash Functions 197
        Cryptographic Hash Operation 198
        MD5 and SHA 198
        Hash Message Authentication Code 199
        Lab - Hashing Things Out 200

    9.1.3 Confidentiality 200
        Encryption 200
        Symmetric Encryption 200
        Symmetric Encryption Algorithms 201
        Asymmetric Encryption Algorithms 202
        Asymmetric Encryption - Confidentiality 202
        Asymmetric Encryption - Authentication 203
        Asymmetric Encryption - Integrity 203
        Diffie-Hellman 204
        Activity - Classify the Encryption Algorithms 204

9.2 Public Key Infrastructure 204

    9.2.1 Public Key Cryptography 204
        Using Digital Signatures 204
        Digital Signatures for Code Signing 206
        Digital Signatures for Digital Certificates 206
        Lab - Create a Linux Playground 206

    9.2.2 Authorities and the PKI Trust System 206
        Public Key Management 206
        The Public Key Infrastructure 207
        The PKI Authorities System 207
        The PKI Trust System 208
        Interoperability of Different PKI Vendors 208
        Certificate Enrollment, Authentication, and Revocation 209
        Lab - Certificate Authority Stores 209

    9.2.3 Applications and Impacts of Cryptography 210
        PKI Applications 210
        Encrypting Network Transactions 210
        Encryption and Security Monitoring 211

9.3 Summary 212

Chapter 10 Endpoint Security and Analysis 215

10.0 Introduction 215

10.1 Endpoint Protection 215

    10.1.1 Antimalware Protection 215
        Endpoint Threats 215
        Endpoint Security 216
        Host-Based Malware Protection 216
        Network-Based Malware Protection 217
        Cisco Advanced Malware Protection (AMP) 218
        Activity - Identify Antimalware Terms and Concepts 218

    10.1.2 Host-Based Intrusion Protection 218
        Host-Based Firewalls 218
        Host-Based Intrusion Detection 219
        HIDS Operation 220
        HIDS Products 220
        Activity - Identify the Host-Based Intrusion Protection Terminology 220

    10.1.3 Application Security 221
        Attack Surface 221
        Application Blacklisting and Whitelisting 221
        System-Based Sandboxing 222
        Video Demonstration - Using a Sandbox to Launch Malware 222

10.2 Endpoint Vulnerability Assessment 222

    10.2.1 Network and Server Profiling 222
        Network Profiling 222
        Server Profiling 223
        Network Anomaly Detection 223
        Network Vulnerability Testing 224
        Activity - Identify the Elements of Network Profiling 225

    10.2.2 Common Vulnerability Scoring System (CVSS) 225
        CVSS Overview 225
        CVSS Metric Groups 225
        CVSS Base Metric Group 226
        The CVSS Process 226
        CVSS Reports 227
        Other Vulnerability Information Sources 227
        Activity - Identify CVSS Metrics 228

    10.2.3 Compliance Frameworks 228
        Compliance Regulations 228
        Overview of Regulatory Standards 228
        Activity - Identify Regulatory Standards 229

    10.2.4 Secure Device Management 230
        Risk Management 230
        Activity - Identify the Risk Response 231
        Vulnerability Management 231
        Asset Management 231
        Mobile Device Management 232
        Configuration Management 232
        Enterprise Patch Management 233
        Patch Management Techniques 233
        Activity - Identify Device Management Activities 234

    10.2.5 Information Security Management Systems 234
        Security Management Systems 234
        ISO-27001 234
        NIST Cybersecurity Framework 234
        Activity - Identify the ISO 27001 Activity Cycle 235
        Activity - Identify the Stages in the NIST Cybersecurity Framework 235

10.3 Summary 235

Chapter 11 Security Monitoring 239

11.0 Introduction 239

11.1 Technologies and Protocols 239

    11.1.1 Monitoring Common Protocols 239
        Syslog and NTP 239
        NTP 240
        DNS 240
        HTTP and HTTPS 241
        Email Protocols 241
        ICMP 242
        Activity - Identify the Monitored Protocol 242

    11.1.2 Security Technologies 242
        ACLs 242
        NAT and PAT 242
        Encryption, Encapsulation, and Tunneling 243
        Peer-to-Peer Networking and Tor 243
        Load Balancing 244
        Activity - Identify the Impact of the Technology on Security and Monitoring 244

11.2 Log Files 244

    11.2.1 Types of Security Data 244
        Alert Data 244
        Session and Transaction Data 245
        Full Packet Captures 245
        Statistical Data 246
        Activity - Identify Types of Network Monitoring Data 246

    11.2.2 End Device Logs 246
        Host Logs 246
        Syslog 247
        Server Logs 248
        Apache Webserver Access Logs 248
        IIS Access Logs 249
        SIEM and Log Collection 249
        Activity - Identify Information in Logged Events 250

    11.2.3 Network Logs 250
        Tcpdump 250
        NetFlow 250
        Application Visibility and Control 251
        Content Filter Logs 251
        Logging from Cisco Devices 252
        Proxy Logs 252
        NextGen IPS 253
        Activity - Identify the Security Technology from the Data Description 254
        Activity - Identify the NextGen IPS Event Type 254
        Packet Tracer - Explore a NetFlow Implementation 254
        Packet Tracer - Logging from Multiple Sources 254

11.3 Summary 254

Chapter 12 Intrusion Data Analysis 257

12.0 Introduction 257

12.1 Evaluating Alerts 257

    12.1.1 Sources of Alerts 257
        Security Onion 257
        Detection Tools for Collecting Alert Data 257
        Analysis Tools 258
        Alert Generation 259
        Rules and Alerts 260
        Snort Rule Structure 260
        Lab - Snort and Firewall Rules 261

    12.1.2 Overview of Alert Evaluation 262
        The Need for Alert Evaluation 262
        Evaluating Alerts 262
        Deterministic Analysis and Probabilistic Analysis 263
        Activity - Identify Deterministic and Probabilistic Scenarios 264
        Activity - Identify the Alert Classification 264

12.2 Working with Network Security Data 264

    12.2.1 A Common Data Platform 264
        ELSA 264
        Data Reduction 264
        Data Normalization 265
        Data Archiving 265
        Lab - Convert Data into a Universal Format 266
        Investigating Process or API Calls 266

    12.2.2 Investigating Network Data 266
        Working in Sguil 266
        Sguil Queries 267
        Pivoting from Sguil 267
        Event Handling in Sguil 268
        Working in ELSA 268
        Queries in ELSA 269
        Investigating Process or API Calls 269
        Investigating File Details 270
        Lab - Regular Expression Tutorial 270
        Lab - Extract an Executable from a PCAP 270

    12.2.3 Enhancing the Work of the Cybersecurity Analyst 270
        Dashboards and Visualizations 270
        Workflow Management 271

12.3 Digital Forensics 271

    12.3.1 Evidence Handling and Attack Attribution 271
        Digital Forensics 271
        The Digital Forensics Process 272
        Types of Evidence 272
        Evidence Collection Order 273
        Chain of Custody 273
        Data Integrity and Preservation 274
        Attack Attribution 274
        Activity - Identify the Type of Evidence 275
        Activity - Identify the Forensic Technique Terminology 275

12.4 Summary 275

Chapter 13 Incident Response and Handling 277

13.0 Introduction 277

13.1 Incident Response Models 277

    13.1.1 The Cyber Kill Chain 277
        Steps of the Cyber Kill Chain 277
        Reconnaissance 278
        Weaponization 278
        Delivery 278
        Exploitation 279
        Installation 279
        Command and Control 279
        Actions on Objectives 279
        Activity - Identify the Kill Chain Step 279

    13.1.2 The Diamond Model of Intrusion 280
        Diamond Model Overview 280
        Pivoting Across the Diamond Model 280
        The Diamond Model and the Cyber Kill Chain 281
        Activity - Identify the Diamond Model Features 282

    13.1.3 The VERIS Schema 282
        What is the VERIS Schema? 282
        Create a VERIS Record 282
        Top-Level and Second-Level Elements 283
        The VERIS Community Database 285
        Activity - Apply the VERIS Schema to an Incident 285

13.2 Incident Handling 285

    13.2.1 CSIRTs 285
        CSIRT Overview 285
        Types of CSIRTs 286
        CERT 286
        Activity - Match the CSIRT with the CSIRT Goal 287

    13.2.2 NIST 800-61r2 287
        Establishing an Incident Response Capability 287
        Incident Response Stakeholders 288
        NIST Incident Response Life Cycle 288
        Preparation 289
        Detection and Analysis 290
        Containment, Eradication, and Recovery 291
        Post-Incident Activities 293
        Incident Data Collection and Retention 294
        Reporting Requirements and Information Sharing 295
        Activity - Identify the Incident Response Plan Elements 296
        Activity - Identify the Incident Handling Term 296
        Activity - Identify the Incident Handling Step 296
        Lab - Incident Handling 296

13.3 Summary 296

9781587134371   TOC   3/7/2018
