Pass the Cisco CCNP Security 350-701 Questions and answers with CertsForce

Explanation

Phishing is a form of social engineering. Phishing attacks use email or malicious web sites to solicit personal,

often financial, information. Attackers may send email seemingly from a reputable credit card company or

financial institution that requests account information, often suggesting that there is a problem.

sfr {fail-open | fail-close [monitor-only]} <- There's a couple different options here. The first one is fail-open which means that if the Firepower software module is unavailable, the ASA will continue to forward traffic. fail-close means that if the Firepower module fails, the traffic will stop flowing. While this doesn't seem ideal, there might be a use case for it when securing highly regulated environments. The monitor-only switch can be used with both and basically puts the Firepower services into IDS-mode only. This might be useful for initial testing or setup.

 GET VPN (Group Encrypted Transport VPN) is a tunnel-less VPN technology that uses a single security association (SA) for all routers in a group. This allows GET VPN to natively support MPLS and private IP networks, without requiring any additional encapsulation or tunneling protocols. GET VPN also supports multicast traffic without GRE, which reduces overhead and improves performance. FlexVPN is a newer VPN solution that covers all VPN types, such as site-to-site, hub and spoke, and remote access. FlexVPN uses IKEv2 for all VPN types, which offers some advantages over IKEv1, such as resiliency and fewer messages. However, FlexVPN requires newer hardware and software versions to support its features. FlexVPN also relies on GRE or static and dynamic point-to-point interfaces to support MPLS and private IP networks, which adds complexity and overhead. Therefore, a benefit of using GET VPN over FlexVPN within a VPN deployment is that GET VPN natively supports MPLS and private IP networks, without requiring any additional encapsulation or tunneling protocols. References:

Group Encrypted Transport VPN (GETVPN)

Introduction to FlexVPN

what is the difference between dmvpn and flexvpn

The Cisco Endpoint IoC feature is a powerful incident response tool for scanning of post-compromise indicators across multiple computers. Endpoint IoCs are imported through the console from OpenIOC-based files written to trigger on file properties such as name, size, hash, and other attributes and system properties such as process information, running services, and Windows Registry entries. The IoC syntax can be used by incident responders to find specific artifacts or use logic to create sophisticated, correlated detections for families of malware. Endpoint IoCs have the advantage of being portable to share within your organization or in industry vertical forums and mailing lists. The Endpoint IoC scanner is available in AMP for Endpoints Windows Connector versions 4 and higher. Running Endpoint IoC scans may require up to 1 GB of free drive space. The Endpoint IoC feature is based on the openioc.com framework, which is an open standard for sharing threat intelligence. References:

Cisco Endpoint IOC Attributes, User Guide

What Are Indicators of Compromise (IOC)? - Cisco, Security Indicators of Compromise

General questions about AMP - Cisco Community, Post by Cisco Employee

The Cisco DNA Center API provides the ability to program and monitor networks from somewhere other than the DNAC GUI. The API is a set of RESTful web services that allow users to interact with Cisco DNA Center programmatically. The API can be used to automate tasks, integrate with third-party applications, or create custom applications. The API exposes the same functionality as the DNAC GUI, such as design, provision, policy, assurance, and platform1. The API also provides documentation, examples, and testing tools for each API call1. References :=

Cisco DNA Center User Guide, Release 2.3.3

Cisco DNA Center User Guide, Release 2.2.2

DNAC Tour Part 1: Introduction to Cisco DNA Center

Cisco DNA Center Platform User Guide, Release 2.2.2

Cisco AMP for Endpoints is a solution that enables protection, detection, and response on the endpoint against known and unknown threats. It provides continuous visibility and analysis of endpoint activity, as well as automated threat prevention and response capabilities. It leverages cloud-based intelligence, sandboxing, and machine learning to block malware, fileless attacks, ransomware, and other advanced threats. It also allows security teams to quickly investigate and remediate incidents, as well as hunt for indicators of compromise across all endpoints. Cisco AMP for Endpoints is part of the Cisco SecureX platform, which integrates with other Cisco security solutions to provide a unified and simplified security experience. The other options are not correct because they do not offer the same level of endpoint protection, detection, and response as Cisco AMP for Endpoints. Cisco AnyConnect is a VPN solution that provides secure access to the network for remote workers, but it does not monitor or respond to endpoint threats. Cisco Umbrella is a DNS security solution that blocks malicious domains, IPs, and URLs, but it does not analyze or remediate endpoint activity. Cisco Duo is a multi-factor authentication solution that verifies the identity of users and devices, but it does not protect or detect endpoint attacks. References :=

Some possible references are:

Cisco AMP for Endpoints

Cisco SecureX

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 - Module 5: Endpoint Protection and Detection

The login block-for command sets a limit on the maximum number of failed login attempts allowed within a defined period of time. If this limit is exceeded, no further logins are allowed for the specified period of time. This feature is designed to protect the router from denial-of-service and dictionary attacks. The syntax of the command is as follows:

login block-for attempts within

The  parameter specifies the duration of the quiet period in seconds. The  parameter specifies the number of failed attempts that trigger the quiet period. The  parameter specifies the time window in seconds for counting the failed attempts.

In this question, the command login block-for 100 attempts 4 within 60 means that if four failures occur in 60 seconds, the router goes to quiet mode for 100 seconds. During the quiet period, no login attempts are accepted, and the router responds with the message “Login disabled for seconds due to too many failed login attempts.” After the quiet period expires, the router resumes normal login operations.

The other options are incorrect because they do not match the command syntax or the expected behavior of the login block-for feature.

References :=

Some possible references for this question are:

User Security Configuration Guide - Cisco IOS Login Enhancements-Login Block

Configuring Login Block

Restrict login attempts : login block-for command

When applied to a router, which command would help mitigate brute-force password attacks against the router?

Cisco Stealthwatch Cloud is a network detection and response (NDR) solution that leverages pre-existing infrastructure to offer enterprise-wide, contextual visibility of network traffic from the private network to the public cloud1. It uses advanced analytics and machine learning to detect threats and anomalies across on-premises and cloud environments, and provides actionable alerts and recommendations to remediate them2. Cisco Stealthwatch Cloud is part of Cisco’s XDR strategy, which converges its deep expertise and visibility across the network and endpoints into one turnkey, risk-based solution3. References: 3: Cisco Unveils New Solution to Rapidly Detect Advanced Cyber Threats and Automate Response 2: Cisco Secure Network Analytics - Cisco 1: Cisco Stealthwatch and Cisco Tetration Workload Security

 The Python script accomplishes the following tasks:

It imports the required libraries for HTTP, base64, SSL, and sys modules.

It takes the host, user, and password information from the command line arguments and assigns them to variables.

It creates an HTTPS connection object using the host and port 9060, and specifies the SSL protocol as TLSv1_2.

It encodes the user and password information in base64 format for basic HTTP authentication.

It sets the headers for the HTTP request, including the accept, authorization, and cache-control fields.

It sends a GET request to the Cisco ISE server to retrieve information from the “/ers/config/internaluser/” endpoint, which returns the list of internal users configured on Cisco ISE.

It reads the response from the server and prints the status, headers, and body in a human-readable format.

The script authenticates to the Cisco ISE server using the username of ersad and the password of Password1, and retrieves the internal user information from the server.

Explanation

Domain name system (DNS) is the protocol that translates human-friendly URLs, such as securitytut.com, into IP addresses, such as 183.33.24.13. Because DNS messages are only used as the beginning of each communication and they are not intended for data transfer, many organizations do not monitor their DNS traffic for malicious activity. As a result, DNS-based attacks can be effective if launched against their networks. DNS tunneling is one such attack.

An example of DNS Tunneling is shown below:

The attacker incorporates one of many open-source DNS tunneling kits into an authoritative DNSnameserver (NS) and malicious payload.2. An IP address (e.g. 1.2.3.4) is allocated from the attacker’s infrastructure and a domain name (e.g. attackerdomain.com) is registered or reused. The registrar informs the top-level domain (.com) nameservers to refer requests for attackerdomain.com to ns.attackerdomain.com, which has a DNS record mapped to 1.2.3.43. The attacker compromises a system with the malicious payload. Once the desired data is obtained, the payload encodes the data as a series of 32 characters (0-9, A-Z) broken into short strings (3KJ242AIE9, P028X977W,…).4. The payload initiates thousands of unique DNS record requests to the attacker’s domain with each string as

Network telemetry is the collection, measurement, and analysis of data related to the behavior and performance of a network1. It involves gathering information about routers, switches, servers, and applications to gain insights into how they function and how data moves through them. To correlate different sources of network telemetry data, it is important to enable Network Time Protocol (NTP) across all network infrastructure devices. NTP is a protocol that synchronizes the clocks of network devices to a common reference time source2. This ensures that the network telemetry data has consistent timestamps and can be compared and correlated accurately. NTP also helps with troubleshooting network issues, as it allows network administrators to pinpoint the exact time of events and anomalies. NTP is a core security technology that is covered in the Implementing and Operating Cisco Security Core Technologies (SCOR) course3, which helps you prepare for the Cisco CCNP Security and CCIE Security certifications and for senior-level security roles. References: 1: Network Telemetry Explained: Frameworks, Applications & Standards - Splunk 2: [Network Time Protocol (NTP) - Cisco] 3: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0

Retrospective detection is a feature of Cisco Advanced Malware Protection (AMP) for Endpoints that performs correlation of telemetry, files, and intrusion events that are flagged as possible active breaches. Retrospective detection allows AMP to continuously analyze file activity across the network and identify malicious behavior that was previously undetected. Retrospective detection can also trigger alerts and remediation actions when a file’s disposition changes from clean to malicious12. References: 1: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 4: Endpoint Protection and Detection, Lesson 4.1: Cisco AMP for Endpoints Overview, Topic 4.1.3: Retrospective Detection 2: Cisco AMP for Endpoints User Guide, Chapter: Retrospective Detection, URL: 3

Explanation

Explanation

The following are the prerequisites to integrate Active Directory with Cisco ISE.

+ Use the Network Time Protocol (NTP) server settings to synchronize the time between the Cisco ISE server

and Active Directory. You can configure NTP settings from Cisco ISE CLI.

+ If your Active Directory structure has multidomain forest or is divided into multiple forests, ensure that trust

relationships exist between the domain to which Cisco ISE is connected and the other domains that have user

and machine information to which you need access. For more information on establishing trust relationships,

refer to Microsoft Active Directory documentation.

+ You must have at least one global catalog server operational and accessible by Cisco ISE, in the domain to

which you are joining Cisco ISE.

To create an access control list (ACL) on a Cisco Adaptive Security Appliance (ASA) firewall, you need to use the access-list command followed by the name of the ACL, the action (permit or deny), the protocol, the source address and mask, and the destination address and mask. For example, to permit HTTP traffic from the inside network 192.168.1.0/24 to any destination on the internet, you can use this command:

access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq www

This command creates an ACL named inside_access_in that permits TCP traffic from the source network 192.168.1.0/24 to any destination with the destination port equal to 80 (www). The eq keyword is used to specify the port number or name. You can also use the range keyword to specify a range of ports.

To apply the ACL to an interface, you need to use the access-group command followed by the name of the ACL and the direction (in or out). For example, to apply the ACL to the inside interface in the inbound direction, you can use this command:

access-group inside_access_in in interface inside

This command applies the ACL inside_access_in to the interface named inside in the inbound direction. This means that the ACL will filter the traffic that enters the firewall through the inside interface.

Option D is the only option that matches the syntax of the access-list command for the ASA firewall. Option A is incorrect because it uses the ip keyword instead of the tcp keyword. Option B is incorrect because it uses the any keyword for both the source and destination addresses. Option C is incorrect because it uses the host keyword for the source address, which is not valid for a network address.