Describe the impact of certificates on security (includes PKI, public/private crossing the network, asymmetric/symmetric)

📘Cisco Certified CyberOps Associate (200-201 CBROPS)


PART 1: Impact of Certificates on Security (PKI, Asymmetric/Symmetric, Public/Private Keys)

1. What Is a Digital Certificate?

A digital certificate is an electronic document that binds a public key to the identity of a system, server, or user. A Certificate Authority signs that binding, so anyone who holds the CA's certificate can check it.

It is used to:

  • Prove identity (authentication)
  • Establish encrypted communication (confidentiality)
  • Detect modification of the certificate and of signed data (integrity)

Digital certificates are commonly used in:

  • HTTPS websites
  • Email security
  • VPN connections
  • Code signing
  • Authentication systems

Without certificates, a system has no way to check that a public key really belongs to the party it claims to; an attacker in the path could simply hand over their own key.


2. Public Key Infrastructure (PKI)

What Is PKI?

Public Key Infrastructure (PKI) is the system that creates, manages, distributes, and revokes digital certificates.

It includes:

  • Certificate Authorities (CA)
  • Registration Authorities (RA)
  • Digital certificates
  • Public and private keys
  • Certificate Revocation Lists (CRL) and OCSP responders

PKI is what lets two parties that have never met trust each other's public keys: both trust the same CA.


2.1 Certificate Authority (CA)

A Certificate Authority (CA) is a trusted organization that issues digital certificates.

Examples:

  • DigiCert
  • Let’s Encrypt
  • GlobalSign

The CA verifies the applicant's identity and signs the certificate with its own private key.

A system trusts a certificate when it chains to a CA in the system's trust store and the signature, name, validity period and revocation checks all pass.


2.2 Registration Authority (RA)

The RA verifies identity before the CA issues a certificate.

It acts as a verifier for the CA.


2.3 Root CA and Intermediate CA

  • Root CA – Top-level authority. Its self-signed certificate is pre-installed in operating system and browser trust stores, and its private key is kept offline and used only to sign intermediates
  • Intermediate CA – Certificate issued by the Root CA; it signs the end-entity (leaf) certificates that servers and users actually present

This creates a chain of trust: leaf → intermediate → root.

Every link in the chain must be valid (correct signature, CA flag set on the issuer, inside its validity period, not revoked) for the leaf certificate to be trusted. One bad link breaks the whole chain.


3. Public Key and Private Key (Asymmetric Cryptography)

Certificates rely on asymmetric (public-key) cryptography: the certificate carries the public key, and the owner keeps the matching private key.

Asymmetric encryption uses:

  • Public key
  • Private key

How It Works

  • Public key = Shared with everyone
  • Private key = Kept secret

What each key does:

  • Encrypt with the public key → only the matching private key can decrypt (confidentiality)
  • Sign with the private key → anyone holding the public key can verify the signature (authentication and integrity)

3.1 Asymmetric vs Symmetric Encryption

Asymmetric Encryption

Uses two keys (public/private).

Advantages:

  • Secure key exchange
  • Used in certificates
  • Used for authentication

Disadvantages:

  • Slower than symmetric encryption

Examples:

  • RSA
  • ECC

Symmetric Encryption

Uses one shared key.

Advantages:

  • Fast
  • Efficient for large data

Disadvantages:

  • Key must be securely shared

Examples:

  • AES

How They Work Together

In HTTPS connections:

  1. Asymmetric cryptography authenticates the server (the private key proves ownership of the certificate) and establishes a shared symmetric session key. Older TLS encrypted the session key with the server's RSA public key; TLS 1.3 uses ephemeral Diffie-Hellman, with the certificate's key only signing the exchange.
  2. Symmetric encryption (AES) protects the rest of the session.

This provides:

  • Security: the session key is never sent in the clear
  • Performance: the slow asymmetric operation happens once per handshake, not per packet

4. Public/Private Keys Crossing the Network

Important exam concept:

  • Public key crosses the network
  • Private key NEVER crosses the network

If the private key is exposed:

  • Attackers can impersonate the server (they can complete a handshake for its certificate)
  • Encrypted traffic can be decrypted, including recorded past sessions when the session key was RSA-encrypted; with ephemeral Diffie-Hellman (forward secrecy) recorded traffic stays safe, but impersonation is still possible
  • Trust is broken until the certificate is revoked and reissued with a new key

Private key protection is critical: keep it with restrictive file permissions or in an HSM, never commit it to source control, and rotate it on any suspicion of compromise.
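The exchange described in sections 3 and 4, as an added example that is not part of the original notes or of any Cisco material: a toy model of RSA key transport, the HTTPS pattern the notes describe. The RSA key is textbook RSA built from two fixed Mersenne primes (an assumption chosen for readability; the sizes are useless for real security), and the symmetric cipher is an HMAC-SHA256 keystream standing in for AES so that the block needs only the Python standard library. The `wire` list records every message that crosses the network, so the script itself checks that the private key never does.

```python
"""Toy model of hybrid encryption: public key crosses the wire, private key never does."""
import hashlib
import hmac
import os

# Textbook RSA from two fixed Mersenne primes (assumption: readable toy sizes, not secure).
P = 2147483647             # 2**31 - 1
Q = 2305843009213693951    # 2**61 - 1
E = 65537


def rsa_keypair(p=P, q=Q, e=E):
    """Return (public, private) as (n, exponent) tuples."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # private exponent: inverse of e mod phi(n)
    return (n, e), (n, d)


def rsa_encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)                  # anyone holding the public key can do this


def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)                  # only the private-key holder can undo it


def stream_xor(key, data):
    """Symmetric cipher: XOR with an HMAC-SHA256 keystream in counter mode (stand-in for AES)."""
    out = bytearray()
    for counter, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)


def https_like_session(plaintext, session_key=None):
    """Run one client/server exchange; return what the server decrypted plus the wire log."""
    wire = []                            # (direction, description, payload) per message
    server_pub, server_priv = rsa_keypair()

    # 1. Server -> client: the public key (in real HTTPS it travels inside the certificate).
    wire.append(("server->client", "certificate / public key", server_pub))

    # 2. Client picks a fresh random symmetric key and encrypts it to the server's public key.
    session_key = session_key or os.urandom(8)            # 64 bits: fits under the toy modulus
    key_int = int.from_bytes(session_key, "big")
    wire.append(("client->server", "RSA-encrypted session key", rsa_encrypt(server_pub, key_int)))

    # 3. Server recovers the key with its private key. The private key itself never moves.
    recovered = rsa_decrypt(server_priv, wire[-1][2]).to_bytes(8, "big")

    # 4. Bulk application data uses the fast symmetric cipher.
    wire.append(("client->server", "encrypted application data", stream_xor(session_key, plaintext)))
    decrypted = stream_xor(recovered, wire[-1][2])

    return {"decrypted": decrypted, "wire": wire,
            "server_priv": server_priv, "session_key": session_key}


def private_key_on_wire(result):
    """True if the private key, its exponent, or the raw session key appears in any message."""
    _, d = result["server_priv"]
    return any(msg[2] == result["server_priv"] or msg[2] == d or msg[2] == result["session_key"]
               for msg in result["wire"])


if __name__ == "__main__":
    r = https_like_session(b"GET /account HTTP/1.1\r\nHost: example.com\r\n\r\n")
    for direction, what, payload in r["wire"]:
        print(f"{direction:15} {what:28} {str(payload)[:40]}")
    print("server read:", r["decrypted"])
    print("private key crossed the network:", private_key_on_wire(r))
```

What the wire log shows is the exam point: the public key and an RSA-encrypted blob cross the network, the private exponent and the raw session key never do. Because the session key is RSA-encrypted rather than agreed with ephemeral Diffie-Hellman, anyone who later steals the private key can decrypt a recording of this exchange; that is exactly the forward-secrecy caveat from section 4.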


5. Certificate Components

A digital certificate (X.509) contains:

  • Subject (who it belongs to) and Subject Alternative Names (the hostnames it is valid for)
  • Public key
  • Issuer (CA)
  • Validity period (not before / not after)
  • Serial number (unique per CA; this is what a CRL lists when the certificate is revoked)
  • Signature algorithm and the digital signature of the CA

6. Impact of Certificates on Security

6.1 Authentication

Certificates prove identity of:

  • Servers
  • Users
  • Applications

Prevents impersonation attacks: without a certificate trusted for that name and the matching private key, an attacker cannot complete the handshake as the server.


6.2 Confidentiality

The public key in the certificate lets a client set up an encrypted session that only the private-key holder can read.

Prevents:

  • Packet sniffing (captured traffic is ciphertext)
  • Data interception by anyone in the path

6.3 Integrity

Certificates ensure data has not been altered. The CA's signature covers every field of the certificate, and the session keys negotiated with it protect the data that follows using MACs or authenticated encryption.

If altered:

  • Signature (or MAC) verification fails and the certificate or data is rejected.

6.4 Non-Repudiation

Digital signatures prevent users from denying actions, because only the holder of the private key could have produced the signature.

Used in:

  • Email signing
  • Code signing

7. Certificate Issues (Exam Important)

7.1 Expired Certificates

If expired:

  • Systems may refuse connection (automated clients and APIs usually fail hard)
  • Security warnings appear (browsers show an interstitial page)

Track expiry dates centrally; forgotten renewals are the most common certificate-related outage.

7.2 Revoked Certificates

A certificate can be revoked if:

  • Private key compromised
  • Issued incorrectly

Checked using:

  • CRL (Certificate Revocation List): a signed list of revoked serial numbers published by the CA
  • OCSP (Online Certificate Status Protocol): a per-certificate status query to the CA's responder

Caveat: many clients soft-fail (treat an unreachable OCSP responder as "not revoked"), so revocation is weaker in practice than on paper; short certificate lifetimes compensate.

7.3 Self-Signed Certificates

Signed with the organization's own private key instead of a CA's: subject and issuer are the same name.

Risks:

  • Not in any trust store by default, so every client shows a warning
  • Acceptable for lab and internal systems only if the certificate is distributed to clients out of band and pinned
  • Dangerous if used publicly: users learn to click through warnings and cannot distinguish the real certificate from an attacker's

7.4 Weak Cryptography

Older algorithms and key sizes like:

  • SHA-1 (or MD5) signatures: collisions have been demonstrated and browsers reject them
  • RSA keys shorter than 2048 bits

May fail compliance and be vulnerable to forgery.


8. Certificate Attacks (Exam Concept)

You should understand:

  • Man-in-the-Middle (MITM) using fake certificates (works only if the client trusts the signer or the user clicks through the warning)
  • Certificate spoofing (a certificate for the victim's name issued by a rogue or tricked CA)
  • Compromised CA (the attacker can issue certificates for any name)
  • Private key theft (impersonation without touching the CA at all)

If trust in a CA is broken, every certificate it or its intermediates ever issued becomes suspect; the CA must be removed from trust stores and everything under it reissued.
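The chain-of-trust walk from section 2.3, the certificate fields from section 5, and the failure modes from sections 6.3, 7.1 to 7.3 and 8, exercised in one place. This is an added example, not part of the original notes or of any Cisco material: a toy validator over dictionary "certificates" that carry the fields listed in section 5. The RSA keys are textbook RSA built from fixed small primes (an assumption; real keys are 2048 bits or more and use PKCS#1 padding instead of hashing modulo n), the clock is pinned so the cases reproduce, and the CA and host names are invented.

```python
"""Toy chain-of-trust validator: root -> intermediate -> leaf, with expiry, CRL and rogue-CA cases."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)   # fixed clock so the cases are reproducible
E = 65537
TBS_FIELDS = ("subject", "issuer", "serial", "not_before", "not_after", "pub_n", "pub_e", "is_ca")


def make_key(p, q):
    """Textbook RSA key from two primes (toy sizes: readable, not secure)."""
    return {"n": p * q, "e": E, "d": pow(E, -1, (p - 1) * (q - 1))}


def digest(data, n):
    # Hash the data, then reduce into the toy modulus; real RSA uses PKCS#1 padding instead.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(key, data):
    return pow(digest(data, key["n"]), key["d"], key["n"])


def verify(pub_n, pub_e, data, sig):
    return pow(sig, pub_e, pub_n) == digest(data, pub_n)


def tbs(cert):
    """The to-be-signed part: every field except the signature, canonically encoded."""
    return json.dumps({k: cert[k] for k in TBS_FIELDS}, sort_keys=True).encode()


def issue(subject, key, serial, days, issuer=None, issuer_key=None, is_ca=False, start=NOW):
    """A CA binds the subject's public key to its name; no issuer means self-signed."""
    cert = {"subject": subject, "issuer": issuer["subject"] if issuer else subject,
            "serial": serial, "not_before": start.isoformat(),
            "not_after": (start + timedelta(days=days)).isoformat(),
            "pub_n": key["n"], "pub_e": key["e"], "is_ca": is_ca}
    cert["sig"] = sign(issuer_key or key, tbs(cert))
    return cert


def validate(chain, trust_store, crl, now=NOW):
    """Walk leaf -> intermediates -> a root in the trust store. Returns (ok, reason)."""
    roots = {c["subject"]: c for c in trust_store}
    for i, cert in enumerate(chain):
        if not cert["not_before"] <= now.isoformat() <= cert["not_after"]:
            return False, f"{cert['subject']}: outside validity period"
        if (cert["issuer"], cert["serial"]) in crl:
            return False, f"{cert['subject']}: revoked (serial {cert['serial']})"
        at_root = cert["issuer"] in roots
        if at_root:
            issuer = roots[cert["issuer"]]          # the trust store wins over anything sent in the chain
        elif i + 1 < len(chain) and chain[i + 1]["subject"] == cert["issuer"]:
            issuer = chain[i + 1]
        else:
            return False, f"{cert['subject']}: issuer {cert['issuer']!r} is not trusted"
        if not issuer["is_ca"]:
            return False, f"{issuer['subject']}: not a CA"
        if not verify(issuer["pub_n"], issuer["pub_e"], tbs(cert), cert["sig"]):
            return False, f"{cert['subject']}: signature does not verify"
        if at_root:
            return True, f"chain ends at trusted root {issuer['subject']}"
    return False, "chain did not reach a trusted root"


def scenarios():
    """Build a small PKI and run the failure modes from sections 7 and 8. Prime pairs are assumptions."""
    root_key = make_key(1000000007, 1000000009)
    inter_key = make_key(998244353, 179424673)
    leaf_key = make_key(2147483647, 2038074743)
    rogue_key = make_key(4294967291, 15485863)

    root = issue("Example Root CA", root_key, 1, 3650, is_ca=True)                     # self-signed
    inter = issue("Example Issuing CA", inter_key, 2, 1825, root, root_key, is_ca=True)
    leaf = issue("www.example.com", leaf_key, 1001, 90, inter, inter_key)
    trust_store = [root]                      # what a browser or OS ships with

    results = {"valid": validate([leaf, inter], trust_store, crl=set())}
    # 7.1 expired: issued 400 days ago with 90 days of validity
    old = issue("www.example.com", leaf_key, 1002, 90, inter, inter_key, start=NOW - timedelta(days=400))
    results["expired"] = validate([old, inter], trust_store, set())
    # 7.2 revoked: the CA lists (issuer, serial) on its CRL after a key compromise
    results["revoked"] = validate([leaf, inter], trust_store, {("Example Issuing CA", 1001)})
    # 7.3 self-signed leaf: nobody in the trust store vouches for it
    results["self_signed"] = validate([issue("www.example.com", leaf_key, 1, 90)], trust_store, set())
    # 8 MITM: the attacker's own CA, even named like the real root, signs a cert for the victim's name
    rogue_ca = issue("Example Root CA", rogue_key, 1, 3650, is_ca=True)
    fake = issue("www.example.com", rogue_key, 7, 90, rogue_ca, rogue_key)
    results["rogue_ca"] = validate([fake, rogue_ca], trust_store, set())
    # 6.3 integrity: changing any signed field invalidates the CA's signature
    results["tampered"] = validate([dict(leaf, subject="login.example.com"), inter], trust_store, set())
    return results


if __name__ == "__main__":
    for name, (ok, reason) in scenarios().items():
        print(f"{name:12} {'PASS' if ok else 'FAIL'}  {reason}")
```

The rogue-CA case is the one worth staring at: the attacker ships a "root" with the same name as the real one, but the validator looks the issuer up in the client's own trust store and checks the signature against that key, so the name match buys the attacker nothing. Real validators also check that the requested hostname matches the Subject or a Subject Alternative Name and that the issuer's certificate has the CA flag in its Basic Constraints extension, which the `is_ca` field stands in for here.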


PART 2: Evasion and Obfuscation Techniques (2.9)

Attackers use evasion and obfuscation to:

  • Avoid detection
  • Bypass security controls
  • Hide malicious traffic

1. Tunneling

What Is Tunneling?

Tunneling hides one protocol inside another protocol that the network already allows.

It allows attackers to:

  • Bypass firewalls
  • Hide command-and-control traffic
  • Transfer data secretly

Common Tunneling Methods

DNS Tunneling

Encodes data in the subdomain labels of queries to a domain the attacker controls and reads replies out of the responses (TXT, NULL or CNAME records).

Security issue:
DNS is almost always allowed out, and the internal resolver forwards recursive queries to the attacker's authoritative server on the client's behalf, so the channel works even through a firewall that blocks everything else.


HTTPS Tunneling

Malicious traffic hidden inside HTTPS to a server the attacker controls; on the wire it looks like ordinary web browsing.

Security tools cannot inspect the payload without TLS inspection (decrypting at a proxy whose certificate the clients have been configured to trust).


ICMP Tunneling

Carries data in the payload of ICMP echo request and reply packets (ping).

Often allowed internally because administrators rely on ping for troubleshooting, and rarely logged.


2. Encryption as Evasion

Encryption protects data, but attackers use it to:

  • Hide malware traffic
  • Hide data exfiltration
  • Bypass IDS inspection

Security tools cannot inspect encrypted traffic without decryption.


TLS/SSL Abuse

Attackers obtain valid certificates (free domain-validated certificates are enough) for their command-and-control domains to:

  • Appear legitimate: the session negotiates without warnings and the certificate passes basic checks
  • Avoid detection: tools that only flag self-signed or invalid certificates see nothing wrong

Encrypted traffic is harder to analyze; the certificate metadata (subject, issuer, how recently it was issued) and the server name in the handshake are often all a network sensor has to go on.


3. Proxies

What Is a Proxy?

A proxy is a system that forwards traffic on behalf of another, so the far end sees the proxy's address rather than the true source.

Attackers use proxies to:

  • Hide IP address
  • Obfuscate origin
  • Bypass filtering

Types of Proxies

Forward Proxy

Sits in front of clients and makes requests on their behalf; the destination sees the proxy's IP, not the client's.

Reverse Proxy

Sits in front of servers. Attackers put one in front of command-and-control infrastructure (a redirector) so the real server's IP is never exposed and can be swapped without changing the malware.

Anonymous Proxy

A forward proxy that also strips identifying headers (no X-Forwarded-For), so the source cannot be recovered from the request itself.

Tor Network

Routes traffic through several volunteer relays with layered encryption, so no single relay sees both the source and the destination.

Used for anonymity.

Security concern:

  • Hard to trace traffic origin; Tor exit-node IP lists are published, so traffic to or from them can at least be flagged.

4. Obfuscation Techniques

Obfuscation means hiding the real intent of code or traffic.


4.1 Code Obfuscation

Malware changes:

  • Variable names
  • Code structure
  • Encoding format

Purpose:
Avoid signature detection.


4.2 Fileless Malware

Runs in memory instead of files: for example a script interpreter pulling code from a registry key or a remote URL, or code injected into a legitimate process.

Difficult to detect because there is no file on disk for antivirus to scan; memory and behaviour monitoring (EDR) are needed.


4.3 Polymorphic Malware

Changes its own bytes on every copy or run: the payload is re-encrypted with a new key and the decryptor stub is rewritten, so the file hash and byte patterns differ while the behaviour stays the same.

Avoids signature-based detection; behaviour-based detection still catches what it does once it runs.


4.4 Steganography

Hides malicious data inside:

  • Images
  • Audio files
  • Documents

Security tools may not detect hidden data.


5. Evasion of Security Controls

Attackers try to bypass:

  • Firewalls
  • IDS/IPS
  • Antivirus
  • Sandboxes
  • SIEM systems

Methods include:

  • Fragmented packets (splitting a malicious payload across IP fragments or TCP segments so a sensor that does not reassemble them never sees the whole signature)
  • Randomized traffic patterns (jitter in beacon intervals so command-and-control traffic shows no fixed period)
  • Slow data exfiltration (small amounts over a long period, staying under volume thresholds)
  • Living-off-the-land techniques (using built-in system tools such as PowerShell, certutil or WMI so no foreign binary is dropped)

6. Indicators of Evasion

Security analysts should look for:

  • Unusual DNS traffic volume
  • Encrypted outbound traffic to unknown domains
  • Long-lived HTTPS sessions
  • Suspicious certificate usage
  • Traffic to anonymization networks
  • Abnormal user-agent strings
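The first indicator above and the DNS tunneling entry in Part 2, section 1 describe the same channel from the attacker's and the analyst's side; here is detection logic for it, run over a constructed resolver log, added as an example that is not part of the original notes or of any Cisco material. The log format, the client addresses, the domain names and the thresholds are all assumptions; the tunnel queries are generated from hex digests to stand in for encoded payload.

```python
"""Profile DNS query logs per registered domain to surface tunnelling-style traffic."""
import hashlib
import math
from collections import defaultdict

# Constructed resolver log, one query per line: "<timestamp> <client_ip> <qname> <qtype>".
# (Assumed format, not any real resolver's; names and addresses are invented.)
NORMAL_LINES = [
    "2025-01-15T09:00:01Z 10.1.2.3 www.example.com A",
    "2025-01-15T09:00:02Z 10.1.2.3 mail.example.com A",
    "2025-01-15T09:00:03Z 10.1.2.4 cdn.example.com AAAA",
    "2025-01-15T09:00:04Z 10.1.2.3 login.example.com A",
    "2025-01-15T09:00:05Z 10.1.2.5 _dmarc.example.com TXT",
]
# A tunnelling client encodes its payload in one long, never-repeated label per query under the
# attacker's domain and reads the reply from TXT records. Labels are sha256 hex here
# (constructed data; real tools use base32/base64 and may chunk across several labels).
TUNNEL_LINES = [
    f"2025-01-15T09:01:{i:02d}Z 10.1.2.9 {hashlib.sha256(bytes([i])).hexdigest()[:48]}.t.exfil-example.net TXT"
    for i in range(30)
]
SAMPLE_LOG = "\n".join(NORMAL_LINES + TUNNEL_LINES)


def shannon_entropy(s):
    """Bits per character: random hex is close to 4, ordinary hostnames around 2."""
    if not s:
        return 0.0
    return -sum((s.count(c) / len(s)) * math.log2(s.count(c) / len(s)) for c in set(s))


def parse(log_text):
    records = []
    for line in log_text.strip().splitlines():
        ts, client, qname, qtype = line.split()
        labels = qname.lower().rstrip(".").split(".")
        # Registered domain = last two labels (assumption: ignores the public suffix list,
        # so "co.uk"-style suffixes would need special handling in production).
        records.append({"ts": ts, "client": client, "qtype": qtype,
                        "domain": ".".join(labels[-2:]), "sub": ".".join(labels[:-2])})
    return records


def profile_domains(records):
    """Aggregate, per registered domain, the features that tunnelling changes."""
    by_domain = defaultdict(list)
    for r in records:
        by_domain[r["domain"]].append(r)
    profiles = {}
    for domain, recs in by_domain.items():
        subs = {r["sub"] for r in recs}
        profiles[domain] = {
            "queries": len(recs),
            "unique_subdomains": len(subs),
            "avg_sub_len": sum(len(s) for s in subs) / len(subs),
            "avg_entropy": sum(shannon_entropy(s) for s in subs) / len(subs),
            "txt_null_ratio": sum(r["qtype"] in ("TXT", "NULL") for r in recs) / len(recs),
        }
    return profiles


def flag_tunnels(profiles, min_unique=20, min_len=30, min_entropy=3.5, min_txt_ratio=0.5):
    """Return {domain: [reasons]} for domains whose profile looks like a covert channel."""
    alerts = {}
    for domain, p in profiles.items():
        reasons = []
        if p["unique_subdomains"] >= min_unique:          # many distinct names is the core signal
            if p["avg_sub_len"] >= min_len:
                reasons.append(f"{p['unique_subdomains']} unique subdomains, avg length {p['avg_sub_len']:.0f}")
            if p["avg_entropy"] >= min_entropy:
                reasons.append(f"avg label entropy {p['avg_entropy']:.2f} bits/char")
        if p["queries"] >= 10 and p["txt_null_ratio"] >= min_txt_ratio:
            reasons.append(f"{p['txt_null_ratio']:.0%} of queries are TXT/NULL")
        if reasons:
            alerts[domain] = reasons
    return alerts


def detect(log_text=SAMPLE_LOG):
    return flag_tunnels(profile_domains(parse(log_text)))


if __name__ == "__main__":
    for domain, reasons in detect().items():
        print(domain)
        for reason in reasons:
            print("  -", reason)
```

The thresholds are starting points, not truths: content delivery networks, anti-virus update services and some SaaS telemetry legitimately generate thousands of unique, high-entropy subdomains, so run the profiler over a few days of normal traffic first and allow-list the domains it flags there. Volume per client is the next feature to add; a single workstation issuing hundreds of queries to one obscure domain is a stronger signal than the same count spread across the estate.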

7. Defensive Measures (Exam Focus)

To detect evasion:

  • SSL/TLS inspection
  • Deep Packet Inspection (DPI)
  • DNS monitoring
  • Proxy logs analysis
  • Endpoint Detection and Response (EDR)
  • Network segmentation
  • Behavior-based detection
  • Threat intelligence feeds

Key Exam Summary

For the exam, remember:

Certificates

  • PKI builds trust
  • CA signs certificates
  • Public key crosses network
  • Private key must remain secret
  • Asymmetric = key exchange
  • Symmetric = session encryption
  • Certificates provide authentication, integrity, confidentiality
  • Revocation and expiration are critical
  • Weak cryptography is a risk

Evasion and Obfuscation

  • Tunneling hides traffic inside allowed protocols
  • Encryption can hide malicious traffic
  • Proxies hide origin
  • Malware uses obfuscation to avoid detection
  • Analysts must monitor abnormal patterns