350-701 Exam Dumps - Implementing and Operating Cisco Security Core Technologies (SCOR 350-701)

The intelligent proxy is a feature of Cisco Umbrella that allows it to selectively inspect and proxy web requests for domains that are classified as risky or potentially malicious. These domains may contain both safe and harmful content, and the intelligent proxy can filter out the malicious files or URLs while allowing the benign ones to pass through. The intelligent proxy can also apply SSL decryption to inspect encrypted traffic and enforce policies based on the content or destination of the web requests. To enable the intelligent proxy, an engineer needs to configure it within the Cisco Umbrella dashboard and select the categories of domains that should be proxied. The categories are based on the domain reputation and security risk, and range from High Risk to Low Risk. The engineer can also customize the list of domains to include or exclude from the intelligent proxy. By configuring the intelligent proxy, the engineer can achieve the objectives of identifying and proxying traffic that is categorized as risky domains and may contain safe and malicious content. References :=

Some possible references are:

• Enable the Intelligent Proxy - Umbrella User Guide, Cisco
• Manage the Intelligent Proxy - Umbrella User Guide, Cisco
• Intelligent Proxy in Cisco Umbrella how it works, Cisco Learning Network
• What is the Intelligent Proxy? - MSP User Guide, Cisco
• Cisco Umbrella Intelligent Proxy and SSL Decryption implementation, Cisco Community

Data is sent out to the attacker during a DNS tunneling attack as part of the domain name. DNS tunneling is a technique that encodes the data of other protocols or programs in DNS queries and responses. The attacker registers a domain, such as badsite.com, and points it to a server under their control, where a tunneling program is installed. The attacker infects a device with malware, which sends DNS queries to the attacker’s server, using subdomains of badsite.com to encode the data. For example, the malware could send a query for 1234.badsite.com, where 1234 is the encoded data. The attacker’s server decodes the data from the subdomain and sends back a DNS response, which may also contain encoded data in the answer section12. The other options are not correct, because they do not use the domain name to encode the data. The UDP/53 and TCP/53 packet payload and header are used to transport the DNS query and response, but they are not modified by the tunneling technique. The DNS response packet contains the answer to the query, but it is not the only way to send data to the attacker3. References:

• 1: DNS Tunneling attack - What is it, and how to protect ourselves?
• 2: What Is DNS Tunneling? - Palo Alto Networks
• 3: What Are DNS Attacks? - Palo Alto Networks

Sandboxing is a feature that is leveraged by advanced antimalware capabilities to be an effective endpoint protection platform. Sandboxing allows an endpoint protection platform to isolate suspect files in a safe environment and analyze their behavior and impact without affecting the rest of the system. Sandboxing can help detect and prevent unknown or zero-day malware that may evade traditional signature-based detection methods. Sandboxing can also provide valuable threat intelligence and forensic data for further investigation and response.

Big data, storm centers, and blocklisting are not features that are leveraged by advanced antimalware capabilities to be an effective endpoint protection platform. Big data refers to the large volume, variety, and velocity of data that can be used for various purposes, such as analytics, machine learning, or business intelligence. Storm centers are centralized hubs that monitor and respond to cyber incidents and threats. Blocklisting is a method of preventing access to malicious or unwanted domains, IP addresses, or files by adding them to a list of blocked entities. References:

• Endpoint Protection Platform (EPP) Definition
• Cisco Advanced Malware Protection (AMP) for Endpoints
• Cisco AMP for Endpoints: Sandboxing

Dynamic Multipoint VPN (DMVPN) is a Cisco IOS Software-based security solution for building scalable enterprise VPNs that support distributed applications such as voice and video. DMVPN provides scalability for organizations with many remote sites by using a hub-and-spoke topology with dynamic tunnels between spokes. This reduces the number of static tunnels required and simplifies the configuration and management of the VPN. DMVPN also supports dynamic routing protocols, multicast traffic, and quality of service (QoS) features, making it suitable for various network scenarios and requirements12 References := 1: Cisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications 2: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0

To deploy Cisco WSA in transparent mode, the configuration component that must be used is WCCP on switch. WCCP stands for Web Cache Communication Protocol, which is a protocol that allows a network device (such as a switch) to redirect web traffic to a proxy server (such as Cisco WSA) transparently. This means that the client does not need to configure any proxy settings on the browser, and the proxy server can intercept and process the web requests and responses without the client’s knowledge. WCCP can also provide load balancing and failover capabilities for multiple proxy servers.

The other options are incorrect because they are not required or relevant for transparent mode deployment. Option A is incorrect because MDA (Multilink PPP Dial Access) is a feature that allows multiple physical links to be aggregated into a single logical link for dial-up connections. It has nothing to do with transparent mode. Option B is incorrect because PBR (Policy-Based Routing) is a feature that allows routing decisions to be based on criteria other than the destination IP address, such as source IP address, protocol, port, etc. It is not necessary for transparent mode, as WCCP can handle the traffic redirection. Option D is incorrect because DNS resolution on Cisco WSA is not a configuration component, but a function that allows the proxy server to resolve domain names to IP addresses. It is not specific to transparent mode, as it is also used in explicit mode. References:

• What is the difference between transparent and forward proxy mode?
• User Guide for AsyncOS 12.7 for Cisco Web Security Appliances - LD (Limited Deployment) - Acquire End-User Credentials
• Cisco WSA : Is it possible to use web proxy in transparent mode without WCCP?

A Simple Custom Detection List is a feature of Cisco AMP for Endpoints that allows administrators to create a list of SHA-256 hashes of files that they want to detect, block, and quarantine on their endpoints. The list can be applied to a policy and the connectors will synchronize with the latest changes. However, the list only works with the exact SHA-256 hashes that are provided, and it does not detect any variations or modifications of the files. Therefore, if the malicious file abc428565580xyz.exe has been altered in any way, such as by changing its name, size, or content, the Simple Custom Detection List will not be able to recognize it as a threat. To ensure detection of the malicious file, the administrator must upload the SHA-256 hash of the current version of the file to the Simple Custom Detection List, or use another method that can detect file variations, such as an Advanced Custom Detection List or Cisco Threat Grid. References :=

Some possible references are:

• Configure a Simple Custom Detection List on the AMP for Endpoints Portal
• Create an Advanced Custom Detection List in Cisco Secure Endpoint
• [Cisco AMP for Endpoints User Guide]

https://www.cisco.com/c/en/us/td/docs/security/firepower/amp/6-3/user-guide/amp-user-guide.pdf

The result of using this authentication protocol in the configuration is that the authentication and authorization requests are grouped in a single packet. This is because the configuration uses RADIUS as the AAA protocol, which combines both authentication and authorization functions in one process. RADIUS is facilitated through AAA and can be enabled only through AAA commands. The aaa new-model global configuration command enables AAA, and the radius-server host command specifies the IP address and the shared secret key of the RADIUS server. The aaa authentication command defines the method list for RADIUS authentication, and the aaa group server command defines the group name and the members of the group. The line and interface commands enable the defined method list to be used. When a user tries to access the router, the router sends a single Access-Request packet to the RADIUS server, which contains the user credentials and other attributes. The RADIUS server then verifies the credentials and returns either an Access-Accept packet, which grants access and may include authorization information, or an Access-Reject packet, which denies access. Therefore, the correct answer is D. References:

• Security Configuration Guide, Cisco IOS XE Everest 16.6.x (Catalyst …
• Configuring Basic AAA on an Access Server - Cisco
• AAA Server Priority explained with New Radius Server Command Line
• Configuring AAA on Cisco Devices – RADIUS and TACACS+ - Study-CCNA