CCNA Cyber Ops – 4.0 Host-Based Analysis

This is part four of a series of posts about the CCNA Cyber Ops certification; you can find the third part here. We will jump out of the network and get into the application server or host.

4.1 Define these terms as they pertain to Microsoft Windows

4.1.a Processes: A process is an executing program.
4.1.b Thread: the basic unit to which the operating system allocates processor time.
4.1.c Memory allocation: The task of fulfilling an allocation request consists of locating a block of unused memory of sufficient size. Memory requests are satisfied by allocating portions from a large pool of memory called the heap or free store.
4.1.d Windows Registry: Windows stores its configuration information in a database called the registry. The registry contains profiles for each user of the computer and information about system hardware, installed programs, and property settings. Windows continually references this information during its operation.
4.1.e WMI: Windows Management Instrumentation (WMI) is a set of specifications from Microsoft for consolidating the management of devices and applications in a network from Windows computing systems. WMI is the Microsoft implementation of Web-Based Enterprise Management (WBEM), which is built on the Common Information Model (CIM), a computer industry standard for defining device and application characteristics so that system administrators and management programs can control devices and applications from multiple manufacturers or sources in the same way.
4.1.f Handles: An object is a data structure that represents a system resource, such as a file, thread, or graphic image. An application cannot directly access object data or the system resource that an object represents. Instead, an application must obtain an object handle, which it can use to examine or modify the system resource. Each handle has an entry in an internally maintained table. These entries contain the addresses of the resources and the means to identify the resource type.
4.1.g Services: Microsoft Windows services, formerly known as NT services, enable you to create long-running executable applications that run in their own Windows sessions. These services can be automatically started when the computer boots, can be paused and restarted, and do not show any user interface. These features make services ideal for use on a server or whenever you need long-running functionality that does not interfere with other users who are working on the same computer. You can also run services in the security context of a specific user account that is different from the logged-on user or the default computer account. For more information about services and Windows sessions, see the Windows SDK documentation in the MSDN Library. A Windows service is a computer program that operates in the background.
4.2 Define these terms as they pertain to Linux

4.2.a Processes: An instance of a program that is being executed. Each process has a unique PID, which is that process’s entry in the kernel’s process table.
4.2.b Fork: creates a new process by duplicating the calling process. The new process is referred to as the child process. The calling process is referred to as the parent process.
4.2.c Permissions: a system to control the ability of the users and processes to view or make changes to the contents of the filesystem.
4.2.d Symlink: the nickname for a symbolic link, any file that contains a reference to another file or directory in the form of an absolute or relative path and that affects pathname resolution.
4.2.e Daemon: In multitasking computer operating systems, a daemon is a computer program that runs as a background process, rather than being under the direct control of an interactive user.
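To make the fork, permissions and symlink definitions above concrete, here is an added example (not from the original post) that drives the matching Linux system calls from Python's os module and returns what each side observed. The file and link names are constructed in a temporary directory; nothing here is a real path from the post.

```python
"""Added example: fork(), permission bits and symlink resolution on Linux,
exercised through Python's os/stat modules. Paths are constructed samples."""
import os
import stat
import tempfile


def fork_and_report():
    """Fork the current process and compare the parent's and child's view.

    The child writes "<its pid> <its parent's pid>" through a pipe and exits
    with status 7; the parent reaps it with waitpid() and returns both views.
    """
    read_end, write_end = os.pipe()
    pid = os.fork()
    if pid == 0:
        # Child: only the write end of the pipe is needed here.
        os.close(read_end)
        os.write(write_end, f"{os.getpid()} {os.getppid()}".encode())
        os.close(write_end)
        os._exit(7)  # exit immediately, without interpreter cleanup
    # Parent: close the write end so read() sees EOF once the child exits.
    os.close(write_end)
    data = b""
    while True:
        chunk = os.read(read_end, 4096)
        if not chunk:
            break
        data += chunk
    os.close(read_end)
    _, status = os.waitpid(pid, 0)  # reap the child so it leaves the process table
    child_pid, child_ppid = (int(x) for x in data.split())
    return {
        "parent_pid": os.getpid(),
        "child_pid_from_fork": pid,
        "child_pid_reported": child_pid,
        "child_ppid_reported": child_ppid,
        "child_exit_code": os.WEXITSTATUS(status),
    }


def permission_string(mode):
    """Render the permission bits of an st_mode value the way ls -l does (rwxr-x---)."""
    return stat.filemode(mode)[1:]


def symlink_demo():
    """Create a file with restricted permissions and a symlink to it; report how each is seen."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "secret.txt")      # constructed sample file
        link = os.path.join(tmp, "link-to-secret")    # constructed sample link
        with open(target, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(target, 0o640)           # owner rw, group r, others nothing
        os.symlink("secret.txt", link)    # the link stores a relative path
        return {
            "target_perms": permission_string(os.stat(target).st_mode),
            "link_stored_path": os.readlink(link),
            "link_resolves_to": os.path.realpath(link),
            "target_real": os.path.realpath(target),
            # lstat() describes the link itself; stat() follows it to the target
            "lstat_is_symlink": stat.S_ISLNK(os.lstat(link).st_mode),
            "stat_follows_link": stat.S_ISREG(os.stat(link).st_mode),
        }


if __name__ == "__main__":
    print(fork_and_report())
    print(symlink_demo())
```

The lstat/stat pair is the one to remember when reviewing a host: tools that follow links (stat, open) report the target, while tools that do not (lstat, ls -l) show the link itself, which is why a link planted in a writable directory can point permission checks at something other than what the file name suggests.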

4.3 Describe the functionality of these endpoint technologies in regards to security monitoring

4.3.a Host-based intrusion detection: Intrusion detection (or prevention) software installed on the endpoints as opposed to the network.
4.3.b Antimalware and antivirus: Let’s start with the differences between “viruses” and “malware.” Viruses are a specific type of malware (designed to replicate and spread), while malware is a broad term used to describe all sorts of unwanted or malicious code. Malware can include viruses, spyware, adware, nagware, trojans, worms, and more.
4.3.c Host-based firewall: A host-based firewall is a piece of software running on a single host that can restrict incoming and outgoing network activity for that host only. They can prevent a host from becoming infected and stop infected hosts from spreading malware to other hosts.
4.3.d Application-level whitelisting/blacklisting: In Windows, it is possible to configure two different methods that determine whether an application should be allowed to run. The first method, known as blacklisting, is when you allow all applications to run by default except for those you specifically do not allow. The other and more secure method is called whitelisting, which blocks every application from running by default, except for those you explicitly allow.
4.3.e Systems-based sandboxing (such as Chrome, Java, Adobe reader): Sandboxing is a technique for creating confined execution environments to protect sensitive resources from illegal access. A sandbox, as a container, limits or reduces the level of access its applications have.
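The whitelisting/blacklisting point in 4.3.d is easiest to see in code: the two policies differ only in their default. The following is an added example (not from the original post or any vendor product) that decides whether a constructed file may run by comparing its SHA-256 hash against an allow list or a block list, and shows why an unknown file is treated differently by each policy.

```python
"""Added example: default-allow (blacklist) versus default-deny (whitelist)
application control, keyed on SHA-256 of the file contents. All "binaries"
below are constructed byte strings, not real programs."""
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hash the file contents; a name-based policy would be trivially bypassed by renaming."""
    return hashlib.sha256(data).hexdigest()


def blacklist_decision(file_hash: str, blocked: set) -> str:
    """Default allow: everything runs unless its hash is explicitly blocked."""
    return "deny" if file_hash in blocked else "allow"


def whitelist_decision(file_hash: str, allowed: set) -> str:
    """Default deny: nothing runs unless its hash is explicitly allowed."""
    return "allow" if file_hash in allowed else "deny"


# Constructed sample "binaries" (stand-ins for files on disk).
SAMPLES = {
    "approved-tool.exe": b"constructed: approved corporate tool v1",
    "known-bad.exe": b"constructed: sample previously flagged as malicious",
    "never-seen.exe": b"constructed: brand new file nobody has reviewed",
}

ALLOWED = {sha256_hex(SAMPLES["approved-tool.exe"])}
BLOCKED = {sha256_hex(SAMPLES["known-bad.exe"])}


def compare_policies(samples=SAMPLES, allowed=ALLOWED, blocked=BLOCKED) -> dict:
    """Return {filename: {"blacklist": decision, "whitelist": decision}} for every sample."""
    result = {}
    for name, content in samples.items():
        h = sha256_hex(content)
        result[name] = {
            "blacklist": blacklist_decision(h, blocked),
            "whitelist": whitelist_decision(h, allowed),
        }
    return result


if __name__ == "__main__":
    for name, decisions in compare_policies().items():
        print(f"{name:18} blacklist={decisions['blacklist']:5} whitelist={decisions['whitelist']}")
```

The row for never-seen.exe is the whole argument for whitelisting: a block list can only stop what has already been identified, while an allow list stops it until someone approves it. The cost is operational, since every legitimate update changes the hash and has to be re-approved, which is why real products also allow by publisher certificate or path.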

4.4 Interpret these operating system log data to identify an event

4.4.a Windows security event logs: Event logs are special files that record significant events on your computer, such as when a user logs on to the computer or when a program encounters an error. Whenever these types of events occur, Windows records the event in an event log that you can read by using Event Viewer. The Security log is designed for use by the system. However, users can read and clear the Security log if they have been granted the SE_SECURITY_NAME privilege (the “manage auditing and security log” user right).
4.4.b Unix-based syslog: Syslog is a way for network devices to send event messages to a logging server – usually known as a Syslog server. The Syslog protocol is supported by a wide range of devices and can be used to log different types of events.

4.4.c Apache access logs: In order to effectively manage a web server, it is necessary to get feedback about the activity and performance of the server as well as any problems that may be occurring. The Apache HTTP Server provides very comprehensive and flexible logging capabilities.
4.4.d IIS access logs: IIS uses a flexible and efficient logging architecture. When a loggable event, usually an HTTP transaction, occurs, IIS calls the selected logging module, which then writes to one of the logs stored in %SystemRoot%\system32\Logfiles\<service_name>.
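Section 4.4 asks you to interpret log data to identify an event, so here is an added example (not from the original post) that parses Apache combined-format access log lines and RFC 3164 style syslog lines, then correlates failed logins per source address to flag a possible brute-force attempt. All log lines are constructed samples with documentation-range addresses; the /login path, the threshold and the "possible brute-force" label are assumptions for the example.

```python
"""Added example: parse Apache access log and syslog lines, then identify
repeated failed logins per source. Sample log lines are constructed."""
import re
from collections import Counter

# Apache "combined" format: client ident user [time] "request" status size "referer" "agent"
APACHE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)
# Classic syslog line: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'(?P<prog>[^\[: ]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$'
)
# sshd's failed-authentication message; the source address is what we key on.
FAILED_SSH_RE = re.compile(r'Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)')

APACHE_SAMPLE = [  # constructed
    '198.51.100.7 - - [10/Oct/2017:13:55:30 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2017:13:55:41 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
] + [
    f'203.0.113.5 - - [10/Oct/2017:13:56:{s:02d} +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.58.0"'
    for s in range(6)
]

SYSLOG_SAMPLE = [  # constructed
    'Oct 10 13:57:01 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2',
    'Oct 10 13:57:03 web1 sshd[2211]: Failed password for root from 203.0.113.5 port 51234 ssh2',
    'Oct 10 13:57:05 web1 sshd[2214]: Failed password for root from 203.0.113.5 port 51240 ssh2',
    'Oct 10 13:57:07 web1 sshd[2214]: Failed password for root from 203.0.113.5 port 51240 ssh2',
    'Oct 10 13:57:09 web1 sshd[2219]: Failed password for invalid user test from 203.0.113.5 port 51244 ssh2',
    'Oct 10 13:57:20 web1 sshd[2225]: Accepted publickey for deploy from 192.0.2.9 port 40022 ssh2',
    'Oct 10 13:58:00 web1 CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)',
    'Oct 10 13:58:30 web1 sshd[2310]: Failed password for deploy from 192.0.2.9 port 40030 ssh2',
]


def parse_apache(line):
    """Return the named fields of one access log line, or None if it does not match."""
    m = APACHE_RE.match(line)
    return m.groupdict() if m else None


def parse_syslog(line):
    """Return the named fields of one syslog line, or None if it does not match."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def failed_logins(apache_lines, syslog_lines, login_path="/login"):
    """Count failed logins keyed by (source address, service)."""
    counts = Counter()
    for line in apache_lines:
        rec = parse_apache(line)
        # An HTTP 401 on a POST to the login form is a failed web login.
        if rec and rec["method"] == "POST" and rec["path"] == login_path and rec["status"] == "401":
            counts[(rec["client"], "http")] += 1
    for line in syslog_lines:
        rec = parse_syslog(line)
        if rec and rec["prog"] == "sshd":
            m = FAILED_SSH_RE.search(rec["msg"])
            if m:
                counts[(m["ip"], "ssh")] += 1
    return counts


def identify_events(apache_lines, syslog_lines, threshold=5):
    """Flag any (source, service) whose failed-login count reaches the threshold."""
    return [
        {"source": ip, "service": svc, "failed_logins": n, "event": "possible brute-force"}
        for (ip, svc), n in sorted(failed_logins(apache_lines, syslog_lines).items())
        if n >= threshold
    ]


if __name__ == "__main__":
    for event in identify_events(APACHE_SAMPLE, SYSLOG_SAMPLE):
        print(event)
```

The single 401 from 198.51.100.7 and the single sshd failure from 192.0.2.9 stay below the threshold, which is the point of counting per source rather than alerting on every failure: one mistyped password is normal, a burst from one address against two services is the event to investigate.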

