
CISSP Cyber Training Podcast - CISSP Training Program
Join Shon Gerber on his weekly CISSP Cyber Training podcast, where his extensive 23-year background in cybersecurity shines through. With a rich history spanning corporate sectors, government roles, and academic positions, Shon imparts the essential insights and advice necessary to conquer the CISSP exam. His expertise is not just theoretical; as a CISSP credential holder since 2009, Shon translates his deep understanding into actionable training. Each episode is packed with invaluable security strategies and tips that you can implement right away, giving you an edge in the cybersecurity realm. Tune in and take the reins of your cybersecurity journey—let’s ride into excellence together! 🚀
CCT 253: Practice CISSP Questions - Conduct logging and monitoring activities (Domain 7.2)
Security professionals face a constant battle to keep up with evolving threats, and our latest CISSP Question Thursday podcast delivers critical insights into one of the most fundamental cybersecurity capabilities: effective logging and monitoring.
The episode begins with a warning about a sophisticated attack campaign targeting recruiters. The hacker group FIN6 (Skeleton Spiders) has been creating fake candidate profiles with malware-laced resume attachments, tricking HR professionals into downloading zip files containing the "More Eggs" JavaScript backdoor. This social engineering tactic exploits normal recruiting workflows to steal credentials and gain network access. We discuss why security teams must partner with recruitment departments to develop specialized awareness training and technical controls to address this growing threat.
Diving into CISSP Domain 7.2, we explore fifteen practical questions about logging and monitoring implementations. We cover critical distinctions between detection and prevention technologies, explaining why deep packet inspection is essential for identifying encrypted command and control communications over HTTPS. We examine why log integrity and non-repudiation are paramount when logs may serve as legal evidence, and why HR data provides crucial context for User and Entity Behavior Analytics (UEBA) systems trying to identify insider threats.
For those implementing Network Intrusion Prevention Systems, we emphasize the importance of deployment in detection-only mode for extended tuning periods before enabling blocking capabilities. We examine why mean time to respond (MTTR) to critical incidents provides the most holistic metric for evaluating security operations effectiveness, and why automated ingestion of threat intelligence feeds delivers the most value for continuous monitoring objectives.
This episode balances technical depth with practical implementation guidance, making it valuable for both CISSP candidates preparing for the exam and practicing security professionals looking to strengthen their monitoring capabilities. Visit CISSP Cyber Training for access to all our training materials and sign up for 360 free practice questions to accelerate your certification journey.
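The log integrity and non-repudiation point discussed in the episode (question three), shown as a worked example; this code is added here and is not the podcast's own material. It builds a tamper-evident log in which every record carries an HMAC over its content and the previous record's tag, so modification, deletion or reordering breaks the chain, and it also shows the gap a practitioner should know about: truncating the tail is only caught when the latest tag is anchored off-host. The key, record format and sample log lines are constructed for the demo; non-repudiation toward a third party would additionally need a digital signature over the anchored head, since a shared HMAC key cannot prove which holder wrote the record.

```python
"""Tamper-evident log demo: a keyed hash chain over log records.

Each record's tag = HMAC-SHA256(key, [seq, timestamp, message, previous_tag]).
Constructed demo only; the key, format and sample events are assumptions.
"""
import hashlib
import hmac
import json

# Demo key only. In production the key lives in an HSM/KMS, never on the log host.
DEMO_KEY = b"demo-log-signing-key-not-for-production"
GENESIS_TAG = "0" * 64  # previous tag for the very first record


def _tag(key, seq, ts, msg, prev_tag):
    # Canonical JSON so the same fields always hash the same way.
    payload = json.dumps([seq, ts, msg, prev_tag], separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append(chain, ts, msg, key=DEMO_KEY):
    """Append one record to the chain (a list of dicts) and return it."""
    seq = len(chain)
    prev_tag = chain[-1]["tag"] if chain else GENESIS_TAG
    rec = {"seq": seq, "ts": ts, "msg": msg, "tag": _tag(key, seq, ts, msg, prev_tag)}
    chain.append(rec)
    return rec


def verify(chain, key=DEMO_KEY):
    """Return (ok, first_bad_seq); first_bad_seq is None when the chain is intact."""
    prev_tag = GENESIS_TAG
    for expected_seq, rec in enumerate(chain):
        if rec["seq"] != expected_seq:          # a record was deleted or reordered
            return False, expected_seq
        want = _tag(key, rec["seq"], rec["ts"], rec["msg"], prev_tag)
        if not hmac.compare_digest(want, rec["tag"]):  # content or tag was altered
            return False, rec["seq"]
        prev_tag = rec["tag"]
    return True, None


def head_tag(chain):
    """Tag of the newest record; store this off-host (or sign it) as an anchor."""
    return chain[-1]["tag"] if chain else GENESIS_TAG


def verify_with_anchor(chain, anchored_tag, key=DEMO_KEY):
    """Chain check plus comparison against an off-host anchor; catches truncation."""
    ok, bad = verify(chain, key)
    if not ok:
        return False, bad
    if not hmac.compare_digest(head_tag(chain), anchored_tag):
        return False, len(chain)  # records missing from the tail
    return True, None


def build_sample_chain():
    """Three constructed audit events, as a collector might receive them."""
    chain = []
    append(chain, "2025-06-12T09:00:01Z", "login user=alice src=10.0.0.5 result=success")
    append(chain, "2025-06-12T09:00:07Z", "access object=ledger/q2.xlsx user=alice action=read")
    append(chain, "2025-06-12T09:00:09Z", "login user=svc_backup src=203.0.113.7 result=failure")
    return chain


def tamper_modify(chain):
    """Rewrite the middle record's message (simulated after-the-fact edit)."""
    bad = [dict(r) for r in chain]
    bad[1]["msg"] = bad[1]["msg"].replace("action=read", "action=none")
    return bad


def tamper_delete(chain):
    """Drop the middle record entirely."""
    return [dict(r) for r in chain if r["seq"] != 1]


def tamper_truncate(chain):
    """Drop the newest record; the chain alone cannot see this."""
    return [dict(r) for r in chain[:-1]]


if __name__ == "__main__":
    good = build_sample_chain()
    anchor = head_tag(good)
    print("intact:   ", verify(good))
    print("modified: ", verify(tamper_modify(good)))
    print("deleted:  ", verify(tamper_delete(good)))
    print("truncated:", verify(tamper_truncate(good)), "-> chain alone passes")
    print("truncated vs anchor:", verify_with_anchor(tamper_truncate(good), anchor))
```

Running the block shows the plain chain check passing on the truncated log and only the anchored check failing it, which is why the newest tag (or a signature over it) has to leave the log host on a schedule.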
Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Shon Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Let's go.
Speaker 2: Hey all, Shon Gerber, with CISSP Cyber Training, and hope you all are having a beautifully blessed day today.
Speaker 2: Today is, yes, you guessed it, CISSP Question Thursday, and this is the follow-on to what we talk about on the Monday podcast related to Domain 7.2. And this was around logging and monitoring. So if you listened to the podcast on Monday, a lot of the questions that we talk about today are going to be related to that specific content in general. So that's the benefit of it, right? Mondays, you get the training; Thursdays, you get podcasts, or I actually should say you get questions. So questions follow on after the overall training. So it's good stuff. So, that being said, you know, obviously CISSP Cyber Training has got all the content you could want. If you just head on over to CISSP Cyber Training, you can get all of that. Everything I'm talking about can all be accessed and is available to you.
Speaker 2: But before we talk about the questions for today, we are going to talk about, real quickly, an article that I saw in The Register. It was kind of actually interesting. It's interesting in a sad way. These hackers, basically from the group FIN6, right, which is Skeleton Spiders, the name of them, are using various capabilities to go and target, as you could possibly guess, recruiters. Right, because recruiters are looking for candidates to be able to fill these job roles. Well, what do these guys do? Yeah, they basically set up fake locations for these recruiters to go to to download an, air quotes, resume or other kind of documentation, which is then laced with some level of malware. In this case, here they're using a zip file that contains basically a shortcut that executes the More Eggs JavaScript backdoor, and it basically ends up adding credential theft from those systems. So, as you know, you have a recruiter. A recruiter goes out: hey, I've got this portfolio, I've got some resumes. They go to it, they download those resumes, they open up the zip file and the executable kicks off. So it's a bit of a challenge, right? So if you're a recruiter, you're just going, what in the world is going on? And this, unfortunately, they're stealing these recruiters' information and then from there they go after the company that the recruiter works for. So a lot of interesting things that are happening in security.
Speaker 2: So one of the main takeaways on all this is, if you are a recruiter looking for anybody, it doesn't even have to be in IT. If you're looking for someone to basically be a welder, you want to make sure that you are paying attention to who is actually providing you this information. You need to avoid as much as you can unsolicited requests going, hey, here's my resume, check it out. You need to be very careful with those kinds of aspects. You also need to make sure that if you're a recruiter, or if you're a security professional that has recruiters that work with you guys, you need to make sure you talk to them about how they can protect themselves through some level of security awareness training, and you could provide that to them. Around what are some fake candidates? What would this look like? What are some telltale signs around that? And you may not know as a security professional. So you may have to work with HR and your recruiter folks to understand what is the typical process by which they would normally reach out to IT professionals or any professional of that sort in general. So something really important to think on there. The other aspect is ensuring that you have email filtering and your malware defenses are also up and operational.
Speaker 2: So that's kind of the whole big thing that came out of that article. I think you should go check it out and read it. If anything, I would send it on to your recruiters within your organization and just say, hey, let's have a conversation about this and see what we can come up with together. Again, I talk about this in CISSP Cyber Training a lot. It really truly comes down to building those relationships with individuals within your organization, within your company, around cybersecurity. They don't understand it. You are the expert, but you can't get anything done that you need to get done without their assistance. So this is a really good opportunity for you to be able to reach out to them and say, hey, how can we partner together to fix this problem? So just something to consider. Great, I think it's a great article to ship to them, HR, recruiters, all of those folks, and say, hey, again, let's have a conversation and see what we can do about this together. Okay, so let's get on to the questions for this week. Okay, again, this is group nine.
Speaker 2: At CISSP Cyber Training, you can get access to all these questions. Again, just purchase the products that we have out there and they will be available to you. Or you can go check out the free stuff. Right, I've got all this content available in some form or fashion in a free format. May not be exactly what you need, but a lot of it is out there and available. So you can go to CISSP Cyber Training, go to my blog. Lots of free stuff that will be there. This will be posted out there at some point in time here in the near future. So, again, that's another good place you can get this information. You can also get it from YouTube as well. So lots of places that you can get all this. The bottom line is I want to provide you with the tools you need so that you can be successful in passing the CISSP and the fact that you understand cybersecurity as a whole. Okay, so let's get into question one. Question one: A financial institution aims to detect sophisticated unknown malware attempting to establish outbound command and control, or C2, communications using common ports, i.e. HTTPS as an example.
Speaker 2: Which combination of continuous monitoring capabilities offers the most, again, key term, most effective detection strategy for this particular threat? Okay, so you've got someone looking for command and control over HTTPS. So what is the most effective detection strategy? A, signature-based IDS with real-time log aggregation. B, periodic vulnerability scans and threat intelligence on indicators of compromise feeds, or IOCs. C, egress monitoring with deep packet inspection, DPI, and behavioral analysis. Or the last one, D, user and entity behavior analysis, or UEBA, with Active Directory change logs. Again, so you're looking at command and control, HTTPS. HTTPS is a key giveaway there, and the answer is C, egress monitoring with deep packet inspection and behavioral analytics. You're going to have to have the ability to decrypt that traffic and you're going to need DPI, or deep packet inspection, to make that happen.
Speaker 2: Question two: A security operations center relies heavily on its SIEM, or the Security Incident Event Manager, for threat detection. To enhance the SIEM's ability to identify previously unseen or polymorphic malware, which of the following threat intelligence types would be most valuable for developing new correlation rules? Okay, that's a lot of a mouthful in there. There's a lot of stuff going on. But you've got a SIEM, you want to figure out, it's looking for polymorphic, I can't say the word, morphic malware, and then you're also looking to develop what are the correlation rules. So what are the feeds you're looking for? A, tactical threat intelligence on adversary tactics, techniques and procedures, or TTPs. B, strategic threat intelligence on geopolitical motivations. C, raw indicator feeds, indicators of compromise feeds such as IP addresses and domains. Or D, open source intelligence on recent data breaches. Again, we're focused on something very specific, polymorphic malware, and the answer would be A, tactical threat intelligence on adversary TTPs. This would be the main one you would want to go after.
Speaker 2: Question three: An organization's compliance framework mandates strong audit trails for all critical systems. Which log management principle is most essential to ensure that logs can be used reliably for forensic analysis and to stand up in a court of law? Okay, so again we're talking about a compliance framework. Which log management principle is most essential when you're looking for reliability of forensic analysis? A, log aggregation to a central repository. B, long-term log retention. C, log normalization. Or D, log integrity and non-repudiation. And the answer is D. Right, so the main point around this is that when you're dealing with log integrity and non-repudiation, it needs to be admissible in a court, and so, therefore, the evidence must be non-repudiated. They must be able to say, whatever happened with it, no one tampered with it, no one had any issues with it. That is the key term that you're going to be focused on, especially when you're dealing with analysis to stand up in a court of law.
Speaker 2: Question four: A UEBA solution flags an executive's account for high-risk behavior, showing logins from unusual locations, followed by access to sensitive financial data and then attempts to access dormant accounts. That does not seem right. Okay, not good. The executive claims these are legitimate actions. What is the most crucial follow-up action for the security team beyond the direct communication with the executive? A, block the executive's account immediately and globally. B, cross-reference UEBA alerts with other security logs, such as your SIEM, your network, even HR. And why would HR be important? Yeah, maybe because they're getting fired. For contextual validation. C, conduct a forensic image of the executive's endpoint. Or D, adjust the UEBA baseline for executives to reduce the false positives. Okay, and which one is the most crucial follow-up? It would be B. Right, you want to double-check with all the other log sources to make sure that, yes, this person is doing what they're supposed to be doing, and HR, I believe, is a very crucial part in all of this.
Speaker 2: Again, you're going to have to have, most likely, the cone of silence when you talk about this, but you don't know. I've dealt with it myself where I've had executives, senior-level executives, be let go, and when they're let go, what happens? Their accounts are terminated very quickly. But before we let them go, what did we do? We did a little bit of snooping to make sure that they're not... they didn't send stuff home, because they were in touch with a lot of very sensitive information.
Speaker 2: Okay, question five: Which of the following is a primary characteristic that distinguishes a network-based intrusion prevention system, or NIPS, from a network-based intrusion detection system, NIDS, in its deployment and capability? So you've got a NIPS versus a NIDS. Right, prevention versus detection. A, NIPS operates in a promiscuous mode to analyze traffic. B, NIPS can actively block or modify malicious traffic in line. C, NIPS is designed to detect known attack signatures only. Or D, NIPS generates alerts for suspicious activity without taking action. And the answer is B, right? NIPS can actively block or modify malicious traffic in line. That's one of the benefits of having an intrusion prevention system. Right, prevention is a key point. It can block it in line. Now the bad side of all that is, you can DoS yourself or, when it comes down to it, you can denial-of-service yourself, because it starts blocking stuff that you don't want it to block. So before you kick it into block mode, you better make sure that Hal understands what he or she is doing. And if you get an Odyssey 2001 movie reference of Hal, yeah, then you're old like me.
Speaker 2: Question six: A company implements continuous monitoring using a GRC, or governance, risk and compliance, platform. Which benefit is most directly achieved by mapping the technical security control data (patch levels, access logs, etc.) to the compliance requirements within this platform? Again, so a company implements continuous monitoring using GRC, and what benefit is most directly achieved by mapping the technical security control data to the overall program itself? A, elimination of security vulnerabilities. B, real-time automated incident response. C, automated generation of regulatory compliance reports and continuous auditing. Or D, prediction of future cyber attacks using machine learning. That's pretty cool if you can do that, but no, it's definitely not D, and the answer is C, automated generation of regulatory compliance reports and continuous monitoring.
Speaker 2: The ultimate goal of putting it in a GRC is your governance, risk and compliance. A lot of that stuff, you're dealing with regulatory aspects, and so therefore having it in that platform helps a lot with dealing with your regulators. And I know a lot of the guys that listen to this program, one thing is that you probably are very tactical in nature and a lot of them don't really want to deal with the GRC aspects. However, if you're taking your CISSP and you want to become a senior professional in this field, you're going to have to learn and deal with GRC. It's an important part and it's there. It's here to stay. It's not going anywhere. So just embrace the change. You can do it. Just embrace it. All right. Question seven: An organization is concerned about adversaries using DNS tunneling for data exfiltration.
Speaker 2: Which of the following egress monitoring techniques would be most effective for detecting this specific covert channel? So again, an organization is concerned about adversaries using DNS tunneling for data exfiltration, basically using DNS to get data out. Which of the following egress monitoring techniques would be most effective? A, blocking all outbound traffic on UDP port 53. That would be a bad idea.
Speaker 2: B, deep packet inspection on outbound DNS queries for unusually large payloads or non-DNS characters. Deep packet inspection. C, monitoring firewall logs for unknown external IP addresses. Possible. D, analyzing NetFlow records for high volumes of outbound TCP traffic. Okay, so the one that's the most effective would be B, deep packet inspection of outbound DNS queries for unusually large payloads, right? So blocking it would be bad. Right, that would break your DNS. Unknown IPs are too general, and then high-volume TCP is not related to DNS tunneling. So what is the most important? DNS tunneling, using your packet inspection around that, is probably the best way that you can find this situation. But to do that, you're going to have to make sure that you have these... put your inspectors in various locations where the data is going to be crossing, basically their sensors. It's very important from an architectural standpoint where you put these sensors that are going to be basically shunting off the data and then decrypting it, doing whatever they're going to be doing with it. So you need to have a plan around that and work with your enterprise architects on that specific thing.
Speaker 2: Question eight: A SOC analyst receives a high-priority alert from a SIEM indicating a brute force attack against an external-facing web app. After initial investigation, the analyst determines the source IP is from a known malicious botnet listed in a commercial threat intelligence feed. Which of the incident response playbooks would leverage this threat intelligence most directly? So you're looking for a playbook, right, and you've got IPs from a known malicious botnet. What should you do? A, long-term strategy planning playbooks. You need to grab those. B, threat hunting playbooks. C, recovery and restoration playbooks. Or D, containment and blocking playbooks. So again, we're looking here. We've got an initial investigation that determines the source of it is from a known botnet listed in commercial threat intelligence. They're trying to do a brute force attack, and the answer would be D, containment. Right, it's knowing that the botnet exists, and so therefore you want to have a containment action. You want to be able to try to stop it from doing what it's doing to you. So you'd want to pull out any containment and blocking playbooks you may have.
Speaker 2: Question 9: Which of the following is a key advantage of utilizing a centralized log management system in a large enterprise over distributed logging across individual servers? There's a lot of words in there, sorry. So again, key advantage of a central spot versus having it all distributed across many, many servers. A, enhanced visibility for cross-system correlation and simplifies compliance auditing. B, reduces the overall volume of logs generated. C, eliminates the need for strong access controls on logs. Or D, guarantees real-time detection for all events. So real-time event detection for all events. Yeah, throw that one out the window. And the answer is A, enhances visibility for cross-system correlation and simplifies compliance auditing. Again, you want to have it in one large area. You have it centralized. It gives you much more flexibility and much more capability.
Speaker 2: Question 10: An organization decides to implement a network intrusion detection system in passive, promiscuous mode. What is the primary operational consequence of this deployment choice? So again, NIDS in promiscuous mode. A, NIDS will actively block detected attacks. B, the NIDS will not interfere with the network traffic flow. C, the NIDS can only detect attacks from a network perimeter. Or D, NIDS require dedicated network segments for deployment. So again, you decide to deploy it in promiscuous mode. The primary operational consequence is it won't interfere with your network traffic flows. That's one of the big benefits. Right, it's promiscuous, it's just listening, that's all it is doing. It's in a passive mode, and so therefore it takes all that data off of, usually off a SPAN or a network tap, and then it'll be dumped into a central spot for logging and monitoring capabilities. So I've worked on many different types of these situations, from very large enterprises to smaller organizations, but they work really, really well.
Speaker 2: Question 11: A security team is deploying a UEBA solution. To maximize its effectiveness in detecting insider threats, which data source provides unique context about the user's legitimate authority and potential motivations, often missed by purely technical logs? So, okay, so UEBA. You're deploying UEBA. How do you maximize it? How do you make it work as best as you possibly can? A, DNS query logs. B, firewall connection logs. C, human resources system data. D, application error logs. And again, you're looking at UEBA. Okay, you're dealing with user behavior analytics. Which one is it? It is C. Using HR to help you is a very important part in all of this, and having them give some context about the UEBA deployment, big, big deal.
Speaker 2: Question 12: A CISO is reviewing the long-term effectiveness of the organization's incident response program. Which continuous monitoring metric would provide the most holistic view of the overall ability to minimize the impact of security incidents over time? A, mean time to respond, or MTTR, to critical incidents. B, number of vulnerabilities patched per month. C, percentage of successful phishing attacks. Or D, number of security alerts generated by the SIEM? Again, most holistic would be A, mean time to respond for all critical incidents. The ultimate point of this is that you want to be able to respond to an incident, especially critical. That's the most holistic overall view of this, and really, when it comes down to metrics, if you are in cybersecurity, you really need to consider how you utilize metrics to the best of your abilities, and you need to utilize them as much as you possibly can.
Speaker 2: Question 13: A financial institution processes a very high volume of real-time transactions. To ensure compliance with audit trails for every transaction, which log management consideration is most paramount? A, log compression to minimize storage costs. B, redundant log forwarding paths to ensure no event loss. C, automated purging of logs older than 90 days. Or D, manual review of logs by a dedicated audit team. And the answer is B, redundant log forwarding paths to ensure no event loss. Okay, so again, to ensure compliance with audit trails of every transaction, you want to have redundancy. You can't lose anything. If you start losing data, it now gets into a situation where it's not auditable. Your audit people will be having a fit over that, so you need to have a really good plan. From a security professional standpoint, what is completeness? Ensuring every single transaction is captured and logged. Again, redundant log forwarding will allow that to occur. So you need to kind of consider that.
Speaker 2: Question 14: An organization utilizes NIPS in inline mode. To minimize false positives that could disrupt critical business ops, which operational strategy is most important during the initial deployment and ongoing maintenance? Again, you're deploying NIPS, it's inline. Okay, what's the most important thing you can do during deployment? A, disabling all anomaly-based detection rules. B, deploying the NIPS in detection-only mode for an extended tuning period. C, limiting all NIPS policies to only block high-severity signatures. Or D, outsourcing NIPS management to a managed security service, or MSSP. Again, the most important thing during initial deployment: B, deploying the NIPS in detection-only mode for an extended tuning period. You've got to tune it, and if you go and just throw it on and let's see what happens, you're going to have all kinds of issues. So you've got to tune it out and you've got to figure out what is the most important part around what's going on with it. So, again, tuning is a big, big factor on anything that you're putting in line. Okay.
Speaker 2: Question 15: A security team wants to leverage threat intelligence to proactively identify compromised internal systems that are currently communicating with known malicious IP addresses or domains. Which type of threat intelligence consumption and integration model is best suited for this continuous monitoring objective? A, manual download and analysis of PDF-based threat reports. B, strategic intelligence briefings with executive leadership. C, one-time penetration tests using the latest threat actor techniques. Or D, automated ingestion of IOC feeds into the SIEM or EDR platform. Again, IOC is indicators of compromise, and, again, what is best suited for continuous monitoring? What would it be if you're dealing with malicious IP addresses? It would be D, automated ingestion of IOC feeds into the SIEM or EDR. Again, these feeds are extremely important. They have that continuous basis. They're going to allow you to give the best kind of monitoring and capability to that situation. They're also going to give you your best chance of detecting these situations as well. So that is all I have for you today.
Speaker 2: Head on over to CISSP Cyber Training and get all of this content you could ever ask for. It's all there. All you've got to do is just buy one of my courses. You will have access to it. If you need mentorship, reach out to me. I can definitely help you with that as well. Lots of people out there will talk about how they can help you, mentoring you into whatever program to get a job, whatever it is.
Speaker 2: I'm sorry, but a lot of that is BS. There's a process. By doing that, I can help you. I've got 20-some years of experience doing this stuff. I've hired people, I can tell. I've trained people. I have done pretty much all you can do in cybersecurity in different aspects for the past 20-some-plus years. So I can help you with that, with what you might need. So again, reach out to me.
Speaker 2: Go to CISSP Cyber Training. There's three different tiers for you: bronze, silver and gold. Each of those has different options. Check them out, see which one works best for you, and I can help you get what you want in your goals and dreams for your role. All right, that's all. Again, that's all I've got. Head on over to CISSP Cyber Training and we'll catch you all on the flip side. See ya. Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes, as I would greatly appreciate your feedback. Also, check out my videos that are on YouTube and just head to my channel at CISSP Cyber Training and you will find a plethora or a cornucopia of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey. Thanks again for listening.