URI / URL

4.9 Interpret common artifact elements from an event to identify an alert

📘Cisco Certified CyberOps Associate (200-201 CBROPS)


1. What are a URL and a URI?

  • URL (Uniform Resource Locator):
    A URL is the address you use to reach a resource on the internet or an internal network. It tells you where the resource is located and how to access it. Example: https://www.company.com/login
    • https → Scheme / protocol (how to communicate; here HTTP carried over TLS)
    • www.company.com → Domain name or server where the resource is hosted
    • /login → Path to a specific resource (here, the login page)
  • URI (Uniform Resource Identifier):
    A URI is a more general term. A URL is a type of URI. A URI identifies a resource either by location, by name, or both. Key point: All URLs are URIs, but not all URIs are URLs. Example of URI that’s not a URL: urn:isbn:0451450523
    • This identifies a book by its ISBN but doesn’t tell you where to find it.

Why this matters in CyberOps:
When analyzing network logs or alerts, you will often see URLs or URIs in web traffic, emails, or threat intelligence feeds. Knowing how to interpret them helps identify suspicious activity.


2. Components of a URL/URI

When analyzing events, the exam expects you to understand the key parts of a URL:

  1. Scheme / Protocol
    • Examples: http, https, ftp, mailto
    • Indicates how data is transferred (or, for mailto, what kind of resource is named)
    • Security note: https carries HTTP inside TLS, so the path, query and body are encrypted in transit; http sends them in cleartext. Even over https the server name is usually still visible in the DNS lookup and the TLS handshake (SNI), which is why DNS and proxy logs still show which hosts a client contacted.
  2. Domain / Host
    • Example: example.com or internal.company.local
    • Shows which server the request is targeting
    • Can reveal suspicious or malicious domains
  3. Port (Optional)
    • Example: :443 or :80
    • Default ports: 80 for HTTP, 443 for HTTPS
    • A port other than the scheme's default (for example http on :8080 or https on :4443) is worth a second look; malware and C2 servers are often set up on arbitrary ports, though legitimate internal applications use them too
  4. Path
    • Example: /admin/login or /files/report.pdf
    • Shows which resource on the server is being accessed
    • Malicious paths may try to exploit vulnerabilities
  5. Query Parameters
    • Example: ?id=123&type=report
    • Used to pass data to web applications
    • Can be used in attacks like SQL injection or XSS
  6. Fragment (Optional)
    • Example: #section2
    • Refers to a section within a page
    • Handled entirely by the browser and never sent to the server, so it does not appear in web-server or proxy logs; it can still matter for client-side issues such as DOM-based XSS, or when a URL copied from an e-mail carries a token after the #

3. Why URIs/URLs are Important in Cybersecurity

When investigating events, URLs and URIs can provide clues about:

  1. Malware Communication:
    • Malware often contacts a URL to download additional files or send stolen data.
  2. Phishing Attacks:
    • Malicious emails often include URLs that look legitimate but redirect to fake login pages.
  3. Command and Control (C2) Servers:
    • Suspicious URIs in network logs may show communication with a C2 server.
  4. Indicators of Compromise (IOCs):
    • Security teams use specific URLs as IOCs to detect malicious activity.

4. How to Analyze URLs/URIs in Logs and Alerts

When you see a URL in an alert, follow these steps:

  1. Check the protocol:
    • Is it using HTTP (unencrypted) or HTTPS (encrypted)?
    • Unexpected protocols can indicate suspicious activity.
  2. Examine the domain/host:
    • Is it an internal server or an unknown external domain?
    • Look for typosquatting (domains that mimic legitimate ones).
  3. Inspect the path and query parameters:
    • Unusual paths or parameter values, such as repeated requests to an administrative endpoint like /wp-admin with odd parameters, may indicate exploitation attempts; also watch for directory traversal sequences (../), URL-encoded quotes and angle brackets (%27, %3C), and unusually long values.
  4. Check for fragments (optional):
    • Fragments are not sent to the server, so they rarely appear in server-side logs; when one shows up in an e-mail or client-side artifact it tells you which part of the page was targeted.
  5. Look up threat intelligence:
    • Search the domain, IP address or full URL in a threat-intelligence source to see if it is a known IOC; no hits does not prove the URL is benign, only that it is not yet known.
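The component breakdown of section 2 and the five analysis steps above are easy to turn into a small triage script. The following is an added example, not code from the page or from Cisco: it uses Python's standard urllib to decompose a URL and then applies each step as a check. The trusted-domain allowlist, the executable-extension and injection-marker lists, and the IOC set standing in for a threat-intelligence lookup are all assumptions constructed for the example; the two suspicious sample URLs that are not on the page (the typosquat and the injection probe) are constructed as well.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed allowlist of domains the organisation owns (constructed for this example).
TRUSTED_DOMAINS = ("company.com", "internal.company.local")
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}
# Constructed stand-in for a threat-intelligence feed (step 5 on the page).
KNOWN_BAD_HOSTS = {"malicious.example.com"}
# Assumed lists: query values ending like this, or containing these markers, deserve a look.
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".hta", ".ps1", ".vbs", ".js")
INJECTION_MARKERS = ("<script", "'", "--", "union select")


def decompose(url):
    """Split a URL into the six components the exam expects."""
    p = urlsplit(url.strip())
    try:
        port = p.port            # None when the URL does not name a port
    except ValueError:           # e.g. ":abc" or a port above 65535
        port = None
    return {
        "scheme": p.scheme.lower(),
        "host": (p.hostname or "").lower(),
        "port": port,
        "path": unquote(p.path) or "/",
        "query": parse_qs(p.query, keep_blank_values=True),
        "fragment": p.fragment,
    }

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    """Last two labels (evil.example.com -> example.com); real tooling uses the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def analyze(url):
    """Walk the URL component by component; an empty result means nothing stood out, not 'safe'."""
    c = decompose(url)
    findings = []
    # Scheme: cleartext or unexpected protocol.
    if c["scheme"] == "http":
        findings.append("scheme http: cleartext, visible to anyone on the path")
    elif c["scheme"] not in DEFAULT_PORTS:
        findings.append(f"scheme {c['scheme'] or '(none)'}: unexpected protocol")
    # Host: typosquat or lookalike of a trusted name, or simply unknown.
    host = c["host"]
    if not any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS):
        for t in TRUSTED_DOMAINS:
            if 0 < edit_distance(registrable(host), t) <= 1:
                findings.append(f"host {host}: typosquat of {t} (edit distance 1)")
            elif t in host:
                findings.append(f"host {host}: embeds trusted name {t} in another domain")
        findings.append(f"host {host}: external, not in the trusted allowlist")
    # Port: anything other than the scheme's default.
    if c["port"] is not None and c["port"] != DEFAULT_PORTS.get(c["scheme"]):
        findings.append(f"port {c['port']}: non-default for {c['scheme']}")
    # Path: directory traversal is the cheapest check to make.
    if ".." in c["path"]:
        findings.append(f"path {c['path']}: directory traversal sequence")
    # Query: executable filenames and injection markers in parameter values.
    for name, values in c["query"].items():
        for v in values:
            if v.lower().endswith(EXECUTABLE_EXT):
                findings.append(f"query {name}={v}: executable filename")
            if any(m in v.lower() for m in INJECTION_MARKERS):
                findings.append(f"query {name}={v}: possible injection payload")
    # Fragment: never sent to the server, so only client-side artifacts carry it.
    if c["fragment"]:
        findings.append(f"fragment #{c['fragment']}: client-side only, check for tokens")
    # Threat intelligence: constructed IOC list in place of a real lookup.
    if host in KNOWN_BAD_HOSTS:
        findings.append(f"host {host}: matches threat-intel IOC list")
    return findings


# Two URLs from the page plus two constructed ones (a typosquat and an injection probe).
SAMPLE_ALERT_URLS = [
    "http://malicious.example.com:8080/download?file=payload.exe",
    "https://www.company.com/login",
    "https://c0mpany.com/login#reset",
    "http://203.0.113.7/wp-admin?id=1'%20or%20'1'='1",
]

if __name__ == "__main__":
    for u in SAMPLE_ALERT_URLS:
        print(u)
        for line in analyze(u) or ["(nothing stood out)"]:
            print("  -", line)
```

Run as a script it prints the findings for each sample URL. The page's malicious URL produces five findings (cleartext scheme, unknown external host, non-default port, executable filename in a parameter, IOC match), the page's legitimate login URL produces none, and the two constructed URLs show a typosquat plus a fragment and a cleartext injection probe respectively. The two-label `registrable()` helper is deliberately naive; in production, use the Public Suffix List, and treat the findings as triage hints that still need the threat-intelligence and content checks the page describes.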

5. Tips for the Exam

  • Remember the difference: URL = location + protocol; URI = general identifier.
  • Always break down URLs into scheme, host, port, path, query, fragment.
  • Identify anomalies:
    • Strange domains
    • Non-standard ports
    • Suspicious paths or query parameters
  • Be aware that malware and phishing frequently use URLs to interact with users or systems.

6. Quick Example for Practice

Suppose you see this URL in an alert:

http://malicious.example.com:8080/download?file=payload.exe
  • http → Unencrypted protocol
  • malicious.example.com → External domain (suspicious)
  • :8080 → Non-standard port for HTTP
  • /download → Path to the endpoint that serves the file
  • ?file=payload.exe → Parameter specifying a file, likely malware

Analysis: Several independent anomalies (cleartext HTTP, an unknown external host, a non-default port, an executable name in a parameter) all point the same way, so this is likely malware retrieving a payload. Confirm with a threat-intelligence lookup on the host and URL and, where available, with the downloaded content itself before closing the alert.


Key Exam Takeaways:

  • Know the components of a URL/URI.
  • Understand the difference between URL and URI.
  • Be able to analyze URLs for suspicious patterns in logs, alerts, and network traffic.
  • Recognize common signs of malicious URLs used in attacks.