CCNA Cyber Ops SECOPS – Certification Guide 210-255 - Andrew Chu - E-Book

Description
Develop your cybersecurity knowledge to obtain CCNA Cyber Ops certification and gain professional skills to identify and remove potential threats

Key Features

  • Explore different security analysis tools and develop your knowledge to confidently pass the 210-255 SECOPS exam
  • Grasp real-world cybersecurity skills such as threat analysis, event correlation, and identifying malicious activity
  • Learn through mock tests, useful tips, and up-to-date exam questions

Book Description

Cybersecurity roles have grown exponentially in the IT industry and an increasing number of organizations have set up security operations centers (SOCs) to monitor and respond to security threats. The 210-255 SECOPS exam is the second of two exams required for the Cisco CCNA Cyber Ops certification. By providing you with fundamental knowledge of SOC events, this certification validates your skills in managing cybersecurity processes such as analyzing threats and malicious activities, conducting security investigations, and using incident playbooks.

You'll start by understanding threat analysis and computer forensics, which will help you build the foundation for learning intrusion analysis and incident response principles. The book will then guide you through the vocabulary and techniques for analyzing data from the network and from previous events. In later chapters, you'll discover how to identify, analyze, correlate, and respond to incidents, including how to communicate findings to both technical and non-technical audiences. You'll be able to build on your knowledge as you learn through examples and practice questions, and finally test your knowledge with two mock exams that allow you to put what you've learned to the test.

By the end of this book, you'll have the skills to confidently pass the SECOPS 210-255 exam and achieve CCNA Cyber Ops certification.

What you will learn

  • Get up to speed with the principles of threat analysis, in a network and on a host device
  • Understand the impact of computer forensics
  • Examine typical and atypical network data to identify intrusions
  • Identify the role of the SOC, and explore other individual roles in incident response
  • Analyze data and events using common frameworks
  • Learn the phases of an incident, and how incident response priorities change for each phase

Who this book is for

This book is for anyone who wants to prepare for the Cisco 210-255 SECOPS exam (CCNA Cyber Ops). If you’re interested in cybersecurity, have already completed cybersecurity training as part of your formal education, or you work in Cyber Ops and just need a new certification, this book is for you. The certification guide looks at cyber operations from the ground up, consolidating concepts you may or may not have heard about before, to help you become a better cybersecurity operator.


Page count: 418

Year of publication: 2019



CCNA Cyber Ops SECOPS – Certification Guide 210-255

Learn the skills to pass the 210-255 certification exam and become a competent SECOPS associate

Andrew Chu

BIRMINGHAM - MUMBAI

CCNA Cyber Ops SECOPS – Certification Guide 210-255

Copyright © 2019 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Commissioning Editor: Karan Sadawna
Acquisition Editor: Shrilekha Inani
Content Development Editor: Ronn Kurien
Senior Editor: Rahul Dsouza
Technical Editor: Mohd Riyan Khan
Copy Editor: Safis Editing
Project Coordinator: Jagdish Prabhu
Proofreader: Safis Editing
Indexer: Pratik Shirodkar
Production Designer: Alishon Mendonsa

First published: July 2019

Production reference: 1030719

Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK.

ISBN 978-1-83855-986-1

www.packtpub.com

Packt.com

Subscribe to our online digital library for full access to over 7,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.

Why subscribe?

Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals

Improve your learning with Skill Plans built especially for you

Get a free eBook or video every month

Fully searchable for easy access to vital information

Copy and paste, print, and bookmark content

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.packt.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.

At www.packt.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks. 

Contributors

About the author

Andrew Chu is a networking and cybersecurity lecturer at London Metropolitan University (LMU). LMU is a Cisco Academy, Academy Support Center, and Instructor Training Center.

He has a postgraduate certificate in computer science education, and teaches CCNA routing and switching, as well as CCNA Cyber Ops, through LMU. A former military engineer, he enjoys testing systems to destruction, and learning from this and sharing the results.

He has over 10 years' experience of working in physical and electronic systems security, including advising on and authoring security policies and risk assessments. This includes creating a community-owned ISP; working in government service; and training industry professionals, career changers, and new students.

I would like to thank the many people who helped bring this project to fruition; specifically, Shrilekha Inani, who first brought the idea to me, and Amy Leigh, for persuading me to take it on and for keeping me motivated throughout the process. Thanks also to the people at a variety of institutions (LMU, HMPPS, and others) over the years – your training, inspiration, and stories have given the book flavor. I would also like to thank Chetan and Martin, and the rest of the team at Packt, for their guidance.

About the reviewers

Rishalin Pillay has over 12 years' cybersecurity experience, and has acquired a vast number of skills consulting for Fortune 500 companies while taking part in projects performing tasks in network security design, implementation, and vulnerability analysis. He has reviewed several books, and has authored the book Learn Penetration Testing. He holds many certifications that demonstrate his knowledge and expertise in the cybersecurity field from vendors such as (ISC)2, Cisco, Juniper, Checkpoint, Microsoft, and CompTIA. Rishalin currently works at a large software company as a senior cybersecurity engineer.

Darragh Merrick is a sergeant in the Irish Defense Forces. In 2005, he joined the Communications and Information Services (CIS) Corps. He graduated in 2008 from IT Carlow with a BEng in electronic engineering and military communications systems. He worked in a network operations center (NOC) until 2013, when he graduated from University College Dublin with an MSc in forensic computing and cybercrime investigation. He has worked as a network security engineer in computer forensics and investigations in a security operations center (SOC). During his time with the army, he served with the United Nations on missions in Lebanon, Liberia, Kosovo, and Syria. Darragh has also completed the following programs: Certified Ethical Hacker – CEH V9, Associate Android Developer, CCNA Cyber Ops – 210-250 SECFND, and 210-255 SECOPS exams.

Packt is searching for authors like you

If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.

Table of Contents

Title Page

Copyright and Credits

CCNA Cyber Ops SECOPS – Certification Guide 210-255

About Packt

Why subscribe?

Contributors

About the author

About the reviewers

Packt is searching for authors like you

Preface

Who this book is for

What this book covers

To get the most out of this book

Conventions used

Get in touch

Reviews

Section 1: Endpoint Threat Analysis and Forensics

Classifying Threats

Categorizing and communicating threats

AMP Threat Grid

Cuckoo Sandbox

Requirements for CVSS

Exploitability metrics

Attack vector

Attack complexity

Privileges required

User interaction

Impact metrics

Confidentiality

Integrity

Availability

Scope

Summary

Questions

Further reading

Operating System Families

Starting the operating system

Basic Input Output System

Master Boot Record

Unified Extensible Firmware Interface

GUID Partition Table

Booting Windows and Linux

Filesystems

File Allocation Table 32

New Technology Filesystem

Extended Filesystem 4

Making, finding, accessing, and editing data

Creating files

Locating files

Reading files

Changes to files and properties

Deleting files

Summary

Questions

Further reading

Computer Forensics and Evidence Handling

Types of evidence

Digital forensics versus cybersecurity forensics

Best evidence

Direct versus indirect evidence

Corroborative evidence

Maintaining evidential value

Altered disk image

Unaltered disk image

Chain of custody

Attribution

Asset attribution

Threat actor attribution

Summary

Questions

Further reading

Section 2: Intrusion Analysis

Identifying Rogue Data from a Dataset

Using regexes to find normal characters

Using regexes to find characters in a set

Using regexes to extract groups of characters

Using regex logical operators

Summary

Questions

Further reading

Warning Signs from Network Data

Physical and data link layer (Ethernet) frame headers

Layer 1

Preamble

Start frame delimiter

Interframe separation

Layer 2

Addressing

VLAN tagging

Type/Length fields

Cyclic redundancy checking

Network layer (IPv4, IPv6, and ICMP) packet headers

Internet Protocol (IPv4 and IPv6)

Version

IPv4: Internet Header Length, options, and padding

IPv4 – Type of Service and IPv6 – Traffic Class

IPv4 – Total Length and IPv6 – Payload Length

IPv4 – Time-to-Live and IPv6 – Hop Limit

IPv4 – Protocol and IPv6 – Next Header

IPv4 – identification and flags

Source and destination addresses

ICMP

Transport layer (TCP and UDP) segment and datagram headers

TCP

Source and destination ports

Sequence and acknowledgment numbers

Header length

Flags

Window

Checksum

Urgent pointer

UDP

Source and destination port

Length

Checksum

Application layer (HTTP) headers

Request header

Request method name

URI

HTTP version

User-Agent

Response header

Summary

Questions

Further reading

Network Security Data Analysis

PCAP files and Wireshark

Viewing packet details

Extracting data using Wireshark

Alert identification

Network indicators

IP address (source/destination)

Client and server port identity

URI/URL

Payload indicators

Process (file or registry)

System (API calls)

Hashes

Security technologies and their reports

Network indicators

NetFlow

Proxy logs

Payload indicators

Antivirus

Intrusion Detection Systems/Intrusion Prevention Systems

Firewall

Network application control

Evaluating alerts

Impact flags

Firepower Management Center priorities

Analyzing a network and host profile

Decisions and errors

True Positive (red and hatched)/True Negative (green and unhatched)

False Positives (green and hatched)

False Negatives (red and unhatched)

Summary

Questions

Further reading

Section 3: Incident Response

Roles and Responsibilities During an Incident

The incident response plan

Organizational priorities

Incident response requirement and capability

Command-and-control

The stages of an incident

Preparation

Detection and analysis

Containment, eradication, and recovery

Post-incident analysis (lessons learned)

Incident response teams

Internal CSIRT

Coordination centers

National CSIRT

Analysis centers

Vendor teams

Managed Security Service Providers

Summary

Questions

Further reading

Network and Server Profiling

Network profiling

Total throughput

Session duration

Ports used

Critical asset address space

Server profiling

Listening ports

Logged in users/service accounts

Which users are present?

Where are users located?

What privileges and access rights are available?

Running processes, tasks, and applications

Summary

Questions

Further reading

Compliance Frameworks

Payment Card Industry Data Security Standard

Protected data elements

Required actions

Health Insurance Portability and Accountability Act, 1996

Protected health information and covered entities

Safeguards

Administrative safeguards

Physical safeguards

Technical safeguards

Sarbanes Oxley Act, 2002

Summary

Questions

Further reading

Section 4: Data and Event Analysis

Data Normalization and Exploitation

Creating commonality

Standardized formatting

Normalizing data

Original data

First normal form

Second normal form

Third normal form

Criticisms

The IP 5-tuple

5-tuple correlation

Isolating compromised hosts

Pinpointing threats and victims

Malicious file identification

Host identification

Summary

Questions

Further reading

Drawing Conclusions from the Data

Finding a threat actor

Deterministic and probabilistic analysis

Data required

Scope

Results

Examples

Distinguishing and prioritizing significant alerts

Summary

Questions

Further reading

Section 5: Incident Handling

The Cyber Kill Chain Model

Planning

Reconnaissance

Technology

Personnel

Defenses

Weaponization

Preparation

Delivery

Exploitation

Execution

Installation

Command and control

Action on objectives

Summary

Questions

Further reading

Incident-Handling Activities

VERIS

Asset

Actors

Actions

Attributes

The phases of incident handling

Identification

Scoping

Containment

Remediation

Lesson-based hardening

Reporting

Conducting an investigation

Evidential collection order

Data integrity and preservation

Volatile data collection

Summary

Questions

Further reading

Section 6: Mock Exams

Mock Exam 1

Mock Exam 2

Assessments

Chapter 1: Classifying Threats

Chapter 2: Operating System Families

Chapter 3: Computer Forensics and Evidence Handling

Chapter 4: Identifying Rogue Data from a Dataset

Chapter 5: Warning Signs from Network Data

Chapter 6: Network Security Data Analysis

Chapter 7: Roles and Responsibilities During an Incident

Chapter 8: Network and Server Profiling

Chapter 9: Compliance Frameworks

Chapter 10: Data Normalization and Exploitation

Chapter 11: Drawing Conclusions from the Data

Chapter 12: The Cyber Kill Chain Model

Chapter 13: Incident-Handling Activities

Chapter 14: Mock Exam 1

Chapter 15: Mock Exam 2

Other Books You May Enjoy

Leave a review - let other readers know what you think

Preface

Computer networks (for example, the internet) emerged about 50 years ago; it is now estimated that 50 billion devices will be connected to the internet by 2020.

Businesses now, more often than not, are run as online services; host sensitive databases; have several different office locations; and share large quantities of sensitive data. Cyber attacks, in several forms, are increasing in frequency, complexity, and impact. Cyber incidents (for example, cybercrime, IT failure, and data breaches) are considered the second biggest global risk to business. The world is currently short of 3 million cybersecurity experts.

The CCNA Cybersecurity Operations certification demonstrates candidates' knowledge and abilities. This book equips readers with the skills required to succeed at the SECOPS 210-255 exam, and, for those resitting, to understand their score report and quickly identify the appropriate sections to concentrate on.

The book will step readers through threat analysis and forensics in computers, the fundamentals of intrusion analysis, and various approaches to incident response. These skills underpin operations in cybersecurity, and will allow readers to showcase their skills at interview, as well as through the practice questions (with answers) at the end of each chapter and the two mock exams at the end of the book.

By reading this book and applying the knowledge it provides, readers should go forward to the SECOPS 210-255 exam with confidence in their knowledge to recall and apply real-world cybersecurity skills, including threat analysis, event correlation, and malicious activity identification.

Who this book is for

This book is designed for everyone who wants to prepare for the Cisco 210-255 (CCNA Cyber Ops – SECOPS) certification exam. You may have noticed the cybersecurity market as an opportunity to change careers; you may have already completed cybersecurity training as part of formal education, or you may already work in cyber operations and just require a new certification; or you may even just have a general interest in all things digital.

This book looks at cyber operations from the ground up, consolidating concepts you may or may not have heard about before, to help you become the operator you are capable of becoming.

What this book covers

Chapter 1, Classifying Threats, looks at the Common Vulnerability Scoring System (CVSS v3.0) to introduce common terminology, as well as split the substantial topic of cyber threat into three areas of impact, and five areas of vulnerability. You must be able to define the common terminology for the purpose of the exam.

Chapter 2, Operating System Families, compares the Windows and Linux operating system families side by side (boot process, filesystems, and the creation, location, reading, editing, and deletion of files), which differs from the Cisco approach. Terms of reference between Linux and Windows operating systems are easy marks in the 210-255 exam; again, they only require definitions and memory. A knowledge of these factors is necessary for the next chapter.

Chapter 3, Computer Forensics and Evidence Handling, covers the standards of investigation required for catching criminals and bringing about prosecutions. Evidence – properly collected – also enables organizations to attribute blame, which can be important in maintaining compliance with government requirements, as well as maintaining customer confidence.

Chapter 4, Identifying Rogue Data from a Dataset, teaches regular expressions (regex), which always appear in at least one question in the 210-255 exam. A regex is a sequence of characters that defines a search pattern. Regexes enable security professionals to quickly sift through large datasets, grouping data entries, highlighting signs of rogue data, and identifying patterns in it.

Chapter 5, Warning Signs from Network Data, teaches you how to differentiate normal header content from abnormal and rogue content to conduct an initial analysis of network intrusions.

Chapter 6, Network Security Data Analysis, looks at different network security files (such as PCAPs, NetFlow records, proxy logs, and IDS/IPS alerts) and identifies the pieces of information that can be extracted from each. This is always a question in the 210-255 exam and an important part of the job of a SOC.

Chapter 7, Roles and Responsibilities During an Incident, teaches you to identify individual and team responsibilities during an incident response, in accordance with NIST guidelines. This section makes up 8-10% of the questions in 210-255, but applying a similar model based on your own national guidelines is the principal job of the operations center and, hence, of a cybersecurity professional.

Chapter 8, Network and Server Profiling, teaches you about network and server profiling, which is used to establish the 'normal' traffic on a network and server. Profiling allows administrators to identify any potential vulnerabilities, such as a lack of redundancy, or bottlenecks in the system, and deal with them ahead of time, and to detect abnormal behaviors that might indicate an incident in progress.

Chapter 9, Compliance Frameworks, teaches you about the requirements of three of the principal compliance frameworks that affect IT and cybersecurity professionals: one industry standard (PCI DSS) and two pieces of legislation (HIPAA and SOX). Each organization will be covered by one compliance framework or another and, frequently, by many overlapping pieces of guidance. Ensuring organizational compliance is a fundamental part of the cybersecurity professional's role.

Chapter 10, Data Normalization and Exploitation, covers the process of collecting and organizing data from multiple different sources. You will also look at some of the fields that are useful for correlating incidents, including timestamps and the IP 5-tuple. 

Chapter 11, Drawing Conclusions from the Data, explains the different forms of data analysis, and some of the more detailed aims of this process. This will feed into how users can prioritize certain signs, and use Cisco products to generate alerts according to these priorities.

Chapter 12, The Cyber Kill Chain Model, teaches you about the adapted Cyber Kill Chain model. In this model, an attack is laid out in chronological sequence, which helps cybersecurity professionals to appreciate the maturity of an attack in progress. This model also helps to structure the response, guiding the security operations center (SOC) as to what actions are likely to have already occurred, and the ones that may be about to emerge.

Chapter 13, Incident Handling Activities, covers three guidance frameworks that guide incident handling. You will learn about the terminology used, the non-technical activities involved, and the forensic guidance for conducting incident handling. The questions for this chapter will draw heavily from all the previous chapters.

Chapter 14, Mock Exam 1, allows you to practice and analyze the style of Cisco exam questions and test your ability to apply the correct areas of your learning to answer them.

Chapter 15, Mock Exam 2, allows you to further practice and analyze the style of Cisco exam questions and test your ability to apply the correct areas of your learning to answer them.

To get the most out of this book

Before starting this book, you should be familiar with computers and networks from the point of view of a user. This should include knowledge of the home setup, as well as computer networks in a commercial setting. Familiarity with the technologies used to administer and maintain a network, particularly Cisco products, is helpful, but not essential. Knowing that switches, routers, and servers exist – and how they differ – is a requirement. 

This book follows on from the 210-250 (SECFND) syllabus, so support materials for those courses may be a useful start, and could be used as reference material if you feel that you are struggling with any of the topics found here. You will have to pass both the 210-250 and 210-255 certification exams for CCNA Cybersecurity Operations anyway, so the 210-250 certification book is a good investment regardless.

To get the most out of the course, you should try to engage with the teaching methods used. The content is broadly separated into three elements – theory, formative questions (with reasoned answers), and testing questions. The theory sections contain a distilled version of the knowledge required – there is a direct correlation between the theory sections and the syllabus. Formative questions are included at the end of each chapter, and are designed to test your ability to recall information from the chapter, analyze a scenario, and apply the theory in practice. The back of the book includes the answers and, most importantly, the rationale. Finally, there are two mock exam papers. These will test your ability to apply the theory in practice, and help prepare you for the certification exam. The answers, but not the rationale, are provided for these questions. If you are making mistakes, a good activity would be to reanalyze the question with the correct answer in hand, and see whether you can generate the rationale retrospectively.

Conventions used

There are a number of text conventions used throughout this book.

CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "The only method of differentiation is that the legitimate csrss.exe process is run from the C:\Windows\System32 folder."

Any command-line input or output is written as follows:

$ tcpdump -ns 0 -eX -r dns.pcap

Bold: Indicates a new term, an important word, or words that you see on screen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Select System info from the Administration panel."

Warnings or important notes appear like this.
Tips and tricks appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packt.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in, and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Reviews

Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!

For more information about Packt, please visit packt.com.

Section 1: Endpoint Threat Analysis and Forensics

In this section, readers will learn how a single machine can be compromised and how to investigate it. In this section, which comprises 15% of the 210-255 exam, readers will learn how to categorize and communicate threats and vulnerabilities, understand how and why different vulnerabilities can affect different operating systems more or less severely, and explain the principles of computer forensics, evidence handling, and how to use that information.

This section builds heavily on prior knowledge, particularly from the 210-250 (SECFND) course, but will underpin the actions of cybersecurity operators as they carry out routine tasks, as well as responsive tasks. Note that evidence may be required from the period before a threat was identified, which is why routine collection matters.

The following chapters are included in this section:

Chapter 1, Classifying Threats

Chapter 2, Operating System Families

Chapter 3, Computer Forensics and Evidence Handling

Classifying Threats

This chapter looks at the Common Vulnerability Scoring System v3.0 (CVSS v3.0) in order to introduce common terminology, as well as to split the large topic of cyber-threat into three areas of impact, and five areas of vulnerability. Candidates for 210-255 must be able to define these terms.

CVSS 3.0 terms and definitions make up 5% of the 210-255 certification exam, and those marks only require memory; no analysis is required. This will ease you into the book and provides a baseline that you can work from. CVSS 3.0 is also important because part of your future role in a SOC may involve briefing non-technical staff about CVSS reports.

The following topics will be covered in this chapter:

Categorizing and communicating threats

Exploitability metrics

Impact metrics

Scope

Categorizing and communicating threats

One of the primary roles of technical staff is to communicate threat severity to non-technical members of staff. This technical judgment informs operational decision-making, so it is important to have standard measurements and vocabulary. In this section, you will learn about the need for a common framework to describe threats; specifically, we will look at two important analysis tools to identify differences between their outputs.

All information systems carry inherent risks. Even paper-based systems have vulnerabilities (how is the paper stored? What happens if there's a fire or flood? Can the records be lost?). In cybersecurity, endpoint threat analysis covers all threats that affect a computer system that a user interacts with. Whilst this seems self-explanatory, it is important to dig down into the terms. Endpoint is specified as distinct from network elements; threat refers to potential risks as well as known ones (that is, malware or known incidents); analysis covers both known and hypothetical effects.

Two malware analysis tools are Cisco's Advanced Malware Protection (AMP) Threat Grid and Cuckoo Sandbox. In the Cisco 210-255 exam, candidates are required to interpret output reports from these systems.

AMP Threat Grid

Cisco Threat Grid is the analysis component of AMP for networks and endpoints. It is powered by Cisco's threat intelligence research group (Cisco Talos), which uses data from around the world to produce reports and signatures for different threats. Cisco AMP is integrated into a number of Cisco products so that it can take preventative action, perform sandboxing, and provide retrospective alerting (after an attack). Preventative action is taken at the firewall or anti-malware package level when a file matches a known threat signature.

Sandboxing allows an unknown file to be checked for dangerous behavior. This is run through AMP Cloud, but takes time to run and analyze. Reports from this process can be used to determine whether something is a threat or not. Retrospective alerting comes after sandboxing is complete. With the updated knowledge about the file, Cisco AMP can inform the organization or security operations center that a suspect file was able to enter the system, and where it has spread to.

AMP Cloud allows you to make submissions via manual file uploads, or through an OpenAPI. These files are then executed in a virtual machine in the cloud (the option to run locally is available, but the cloud is the quickest option). There are two modes of operation for Threat Grid: a black-box mode, which provides an overview of the analysis, and an in-depth mode, which provides detailed information regarding the file, with additional functionality to explore the activity further. Both modes (or a combination of both) are accessible through the same interface. For the exam, you will only be required to read the results and give a very basic interpretation.

AMP Threat Grid provides a virtual machine environment to execute the submitted file. It provides the functionality to view a video feed of the environment running the file in order to further analyze the threat, although this is not examined in CCNA Cyber Ops. The results are given as a threat score (out of 100), which combines severity and confidence measures (each out of 100) with over 500 other metrics regarding the file's behaviors (for example, what kinds of files are modified, which URLs it tries to communicate with, whether there are registry changes, and so on).

A threat score of 95-100 is known malware, 75-90 is very dangerous, and 56-70 is suspicious. Obviously, there are gaps in between these levels, and scores in those gaps should be considered alongside organizational priorities. The AMP Threat Grid analysis report for a given file lists the file name, type, date of analysis, and the score in its top line; if the report were analyzing multiple files, this line would be the headline for each one. In the expanded view, which is shown in the following screenshot, details such as how often the threat signature has been seen and the behavioral indicators that have contributed to the score are shown. The following screenshot shows an analysis report for the file named setup.exe:

An analysis report for the file named setup.exe

The file type is given in the middle of the top line (exe, as expected). The threat is rated as 56, which is suspicious. The file modified the files in the user directories, and also checked IsDebuggerPresent (a sign that it might be checking whether it is running in a virtual machine). This threat should be passed up for further investigation.

Network File Trajectory is an analysis tool which shows the path of a file through the system. This is shown by host IP addresses and timestamps. The following screenshot shows the Network File Trajectory output from Cisco AMP Threat Grid in Cisco's Firepower Management Console; this screen can be found by going to Analysis | Files | Network File Trajectory. It shows an unknown file entering the system at 10:57 on the 10.4.10.183 host. It spreads to three additional hosts before 18:10, when it is identified as Malware. At 18:14, it is quarantined by 10.5.11.8, and the original is blocked:

Network File Trajectory Output from Cisco AMP Threat Grid

This type of activity log is particularly useful to cybersecurity researchers because it maps the path of the file through the system. This allows the operations team to verify that all instances of the file have been contained/quarantined/removed. Grouping events by file, in this case, allows the security operations center to better prioritize its workload so that people aren't concurrently working on the same problem.
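The containment check described above can be automated over a file-centric event log. The following is an added example, not Cisco code and not real Threat Grid or Firepower output: it models the kind of timeline the Network File Trajectory view presents (one file, identified by hash, seen on several hosts over time, each event carrying a disposition and an action), reconstructs the order in which hosts received the file, measures how long the file was in the environment before it was called malware, and lists the hosts that still have no containment action recorded against them. The log format, the action vocabulary, and the two host addresses other than 10.4.10.183 and 10.5.11.8 are constructed for illustration.

```python
"""Reconstruct a file's path across hosts and find hosts still awaiting containment.

Added example; not Cisco code. The CSV-style log below is constructed to mirror
the trajectory described in the text: a file of unknown disposition enters on
10.4.10.183 at 10:57, spreads to three more hosts, is identified as Malware at
18:10, is quarantined on 10.5.11.8 at 18:14 and the original is blocked. The
two middle hosts (10.4.10.57 and 10.4.10.91) are invented placeholders.
"""
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional, Set


class Event(NamedTuple):
    when: datetime
    host: str
    disposition: str  # constructed vocabulary: Unknown | Malware | Clean
    action: str       # constructed vocabulary: Created | Detected | Quarantined | Blocked | Deleted


# Constructed sample log for a single file: timestamp,host,disposition,action
SAMPLE_LOG = """\
2019-03-04T10:57:00,10.4.10.183,Unknown,Created
2019-03-04T12:20:00,10.4.10.57,Unknown,Created
2019-03-04T15:02:00,10.4.10.91,Unknown,Created
2019-03-04T17:45:00,10.5.11.8,Unknown,Created
2019-03-04T18:10:00,10.4.10.183,Malware,Detected
2019-03-04T18:14:00,10.5.11.8,Malware,Quarantined
2019-03-04T18:14:30,10.4.10.183,Malware,Blocked
"""

# Actions assumed (for this example) to leave no live copy of the file on the host.
CONTAINMENT_ACTIONS = {"Quarantined", "Blocked", "Deleted"}


def parse_log(text: str) -> List[Event]:
    """Parse the constructed CSV log into Event records sorted by time."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, disposition, action = (field.strip() for field in line.split(","))
        events.append(Event(datetime.fromisoformat(ts), host, disposition, action))
    return sorted(events, key=lambda e: e.when)


def trajectory(events: List[Event]) -> List[str]:
    """Hosts in the order the file first appeared on each of them."""
    seen: List[str] = []
    for e in events:
        if e.host not in seen:
            seen.append(e.host)
    return seen


def exposure_window(events: List[Event]) -> Optional[timedelta]:
    """Time from the file first entering the environment to its first Malware verdict."""
    if not events:
        return None
    for e in events:
        if e.disposition == "Malware":
            return e.when - events[0].when
    return None


def uncontained_hosts(events: List[Event]) -> Set[str]:
    """Hosts that received the file but have no containment action recorded.

    This is the list the operations team works through to verify that every
    instance of the file has been dealt with.
    """
    contained = {e.host for e in events if e.action in CONTAINMENT_ACTIONS}
    return set(trajectory(events)) - contained


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("path:", " -> ".join(trajectory(evts)))
    print("exposure before verdict:", exposure_window(evts))
    print("still to contain:", sorted(uncontained_hosts(evts)))
```

Grouping by file hash rather than by alert is what makes the last function useful: two analysts looking at the same list see the same two outstanding hosts instead of each chasing separate alerts for the same file.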

Cuckoo Sandbox

Cuckoo Sandbox is an open source automated malware analysis tool. Unlike Cisco AMP Cloud, it is designed to be run locally. This means that any files submitted for analysis stay within the organization, but it also means that users don't benefit from signatures that are discovered by other users. It also means that virtualization software, along with any licensing it requires, must be run on the host system, so there can be speed and performance variations compared to the AMP Cloud virtual machine.

Cuckoo Sandbox analysis reports include details such as file hashes, YARA rule matches, and VirusTotal results for any threatening behaviors that are detected. It also has a maliciousness score out of 10, which can assist organizations in making decisions about what to do with the file.

The following screenshot shows a Cuckoo Sandbox report for a PDF file. This PDF file has some suspicious features, specifically an embedded Windows 32-bit executable and the ability to detect whether it is running in a virtual machine. Although the executable file has not matched any PEiD signatures, the YARA field lists the suspicious features for future analysis. The file is from a known threat, so the signature list might not be up to date:

Cuckoo Sandbox report for a PDF file

Analysis tools are not 100% effective: PEiD did not match a signature here, but the YARA analysis did. There were 14 engines that didn't detect the file as a virus, which could be a concern. This output underlines the importance of defense in depth, where a number of different systems and technologies are all employed with the aim of discovering and eradicating threats; if one system lets a threat through, the next might find it, or the one after that. This may well throw up high volumes of positive results (some of which will be false positives) but this is generally better than having threats fall through the gaps.

Exploitability metrics

Exploitability is a group of metrics in CVSS 3.0 that describe how difficult it would be for an attacker to exploit a vulnerability. In this section, you will learn how to define the four exploitability metrics (attack vector, attack complexity, privileges required, and user interaction) and how each relates to the ease of exploiting the vulnerability.

To understand the importance of exploitability, consider an example from the retail world. A generally acknowledged principle in retail is that shrinkage (or shoplifting) increases if it is easier to do. For most people, the value that's gained from an attack is rarely worth the effort or risk of being caught. In the same way, the easier it is to exploit a vulnerability and conduct an attack, the more likely it is to happen, and therefore the more dangerous the vulnerability is.

Attack vector

An attack vector (AV) refers to the logical and physical path through which a vulnerability can be exploited. The metric value increases with distance (or remoteness) because far more potential attackers can reach a target remotely than have the means to get close to it. There are four possible values (Physical, Local, Adjacent, or Network).

Physical (P) is defined as follows:

"CVSS 3.0 Definition: A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief or persistent. An example of such an attack is a cold boot attack, which allows an attacker to access disk encryption keys after gaining physical access to the system, or peripheral attacks such as Firewire/USB Direct Memory Access attacks."

It is sometimes worth looking at information security in terms of a more physical example. When considering an attack vector, let's consider a company payroll. The HR team commands a vast budget, and makes payments to the workers based on a list given to them by management. If an attacker wanted to invent a fake persona to gain an extra paycheck, they would have to have physical access to the team or the payroll system.

Local (L) is defined as follows:

"CVSS 3.0 Definition: A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability; otherwise, they may rely on User Interaction to execute a malicious file."

As the company is growing rapidly, it becomes the norm that if new recruits have come on board too late to get on the management list, middle managers make direct requests to the HR team to add a new employee. In this system, the attacker would no longer need to make the payment themselves. They could just ask the payroll department to make the payment on their behalf. This would count as a local vulnerability.

Adjacent (A) is defined as follows:

"CVSS 3.0 Definition: A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (for example, Bluetooth, IEEE 802.11), or logical (for example, local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (for example, a router). An example of an Adjacent attack would be an ARP (IPv4) or neighbor discovery (IPv6) flood leading to a denial of service on the local LAN segment. See also CVE-2013-6014."

The company has continued to grow so much that payroll is on a different floor from everyone else. Rather than go upstairs to payroll themselves, middle managers have begun to send runners with new-starter details on pieces of paper to the HR team for processing and payment. An attacker would now only need to be able to intercept the runner and add their own details. This kind of attack vector would be adjacent as the attacker would still need to be in the building to intercept the runner.

Network (N) is defined as follows:

"CVSS 3.0 Definition: A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed "remotely exploitable" and can be thought of as an attack being exploitable one or more network hops away (for example, across layer 3 boundaries from routers). An example of a network attack is an attacker causing a denial of service (DoS) by sending a specially crafted TCP packet from across the public Internet (for example, CVE-2004-0230)."

As the company grows further, they decide to contract out the payroll. Now, the pieces of paper are replaced with a telephone conversation with the payroll company. An attacker could now ring up from anywhere and instruct the payroll to add their non-existent employee. The attacker has gone from needing to be physically on the payroll machine to conducting the attack from his or her own home:

Attack vector – how far away can an attacker be while successfully exploiting the vulnerability?

Access control is the principal method for increasing the proximity that's required by an attacker (hence reducing the risk to the company). Vetting employees further reduces this risk.

Attack complexity

Attack complexity refers to the conditions which must exist in order to exploit a vulnerability successfully. These conditions are beyond the attacker's control, so may require the attacker to conduct research on specific targets. The lower the attack complexity, the more dangerous the vulnerability.

High (H) is defined as follows:

"CVSS 3.0 Definition: A successful attack depends on conditions beyond the attacker's control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected. For example, a successful attack may depend on an attacker overcoming any of the following conditions: The attacker must conduct target-specific reconnaissance. For example, on target configuration settings, sequence numbers, shared secrets, etc. The attacker must prepare the target environment to improve exploit reliability. For example, repeated exploitation to win a race condition, or overcoming advanced exploit mitigation techniques. The attacker must inject herself into the logical network path between the target and the resource requested by the victim in order to read and/or modify network communications (for example, a man-in-the-middle attack)."

An attack with high complexity relies on a number of other factors to be right in order to succeed. This measure takes into account both the number of things that must be correct, and the rarity of those events. Imagine that you are beginning a new job, and you are looking for the best way to get to work. You check online, and it takes one hour to get from one stop to the next by taking a series of trains. If the trains only come once an hour, and the timing between getting off one and getting on the next is small, there is a high level of complexity. If one train is slightly delayed, the whole plan fails.

Low (L) is defined as follows:

"CVSS 3.0 Definition: Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component."

Instead, you can walk to work. Although it might take you longer to get there, you can expect repeated success since you are not relying on the trains being on time, or on any other factors.

The following diagram shows the attack complexity. The green route is more dangerous because it has fewer actions in the path. At each point (B-G), the attack could slow down or even be halted. The green route bypasses all these checks and balances:

Attack complexity – how many different things need to happen to set the conditions for a successful attack?

Designing for increased complexity is double-edged. On the one hand, requiring an attacker to exploit a very complex vulnerability is useful for information security. However, this complexity is experienced by legitimate users every day. If the system becomes so complex that legitimate users are put off using it, the system's administrators have effectively attacked their own availability!

Privileges required

This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.

The metric has possible values of high, low, and none, with the most serious vulnerabilities being those that require the fewest privileges to be successful. It is important to note that this metric measures the privileges required to begin the attack. It is possible that an attacker could change their privileges during the attack, and this will be covered further in a later metric.

High (H) is defined as follows:

"CVSS 3.0 Definition: The attacker is authorized with (that is, requires) privileges that provide significant (for example, administrative) control over the vulnerable component that could affect component-wide settings and files."

One of the best ways to think about this metric is to consider access to the CEO's office desk drawers. A vulnerability that leaves a desk drawer open would rank as high, as you still need to get into the office to exploit the system. Why is this the lowest exploitability situation? To exploit this vulnerability, an attacker would have to be either the CEO or his/her assistant!

Low (L) is defined as follows:

"CVSS 3.0 Definition: The attacker is authorized with (that is, requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources."

If the company were open-plan, or the CEO had an open door policy, the vulnerability would require only enough privileges to get into the building. An attacker could be anybody with access to the office. This is a much larger number of potential attackers, and is, therefore, more serious.

None (N) is defined as follows:

"CVSS 3.0 Definition: The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."

The most serious rating in this metric would be if the CEO's office were directly accessible to the public. An attacker in this instance could be any member of the public, at any time.

The following diagram presents the hierarchy of a company. Privileges required describes the level of access and privilege an attacker needs in order to exploit the vulnerability. If the attacker could access the system by pretending to be a store team member, but can subsequently elevate their profile so they appear to be an executive, the privileges that are required still come up as none since the attack really begins when they first start to access the system:

Privileges required – how trusted does the attacker need to appear?

A classic defense against this kind of vulnerability is to layer defense systems. Having a series of locked doors which verify an individual's privilege levels limits exposure. A related technique is ensuring that other staff members are vigilant enough to question why someone they didn't know was trying to access the CEO's desk. Network monitoring and access control systems would provide this functionality in a digital system.

User interaction

User interaction refers to whether another user (other than the attacker) is required to participate in a successful attack. The metric has possible values of required or none.

Required (R) is defined as follows:

"CVSS 3.0 Definition: Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited. For example, a successful exploit may only be possible during the installation of an application by a system administrator."

Imagine that a vulnerability exists which allows an attacker to print their own ID card so that they can pretend to be from the local utilities company. The attacker shows up at a victim's door and asks for access. The victim is required to open the door in order for the attacker to gain access.

None (N) is defined as follows:

"CVSS 3.0 Definition: The vulnerable system can be exploited without interaction from any user."

If the system had automatic ID card recognition, an attacker could walk straight in.

The following diagram demonstrates the difference between complete automation and human interaction. A computerized (even AI) system allows choices based on rules rather than with any context or ability to question actions:

User interaction – fully automated or personal touch?

Two-factor authentication is the classic method of demanding user interaction in a security system. The person attempting to gain access has to provide a second code, delivered through a different channel. From a home access point of view, the homeowner could ring the utility firm directly and confirm that they had sent someone with those credentials before opening the door, hence defeating the attack.

Impact metrics

The most common model that's used to understand a threat's impact on information security is the confidentiality, integrity, availability (CIA) triad. In this section, you will learn how to explain these three types of consequence that result from a threat. The CIA triad is very common across the whole industry.

In CVSS v3.0, these three components are referred to collectively as impact metrics. Each is scored independently as either high, low, or none to give the user an overview of how severe the effects of the threat would be if they were realized. If multiple components are vulnerable to the threat, the scores are taken from the component which suffers the most severe consequences.

Confidentiality

Confidentiality is often thought of in terms of privacy. In an ideal scenario, access to information should be granted to authorized users, and denied to unauthorized ones. Of course, access to some information is more important than others, and the metrics reflect this.

For confidentiality, imagine the security threat posed to a bank. For each of the examples given, imagine that a bank robber is able to gain access to the bank through some vulnerability.

None (N) is defined as follows:

"CVSS v3.0 Definition: There is no loss of confidentiality within the impacted component."

So, in the bank robber analogy, imagine that the bank robber has gained access to the bank overnight, and has access only to the lobby. All the bank tellers have gone home, and the cash registers are empty. The robber steals all that they can, making off with a number of information leaflets and a pen. The bank hasn't really suffered any loss here.

Low (L) is defined as follows: