5.8 Identify these elements used for server profiling
📘Cisco Certified CyberOps Associate (200-201 CBROPS)
When cybersecurity analysts perform server profiling, they are essentially collecting information about a server to understand how it works and to detect unusual behavior. One key part of this is running tasks.
1. What are Running Tasks?
- Running tasks (sometimes called processes) are the programs or services that are currently active on a server.
- They can include:
  - Operating system processes (like `svchost.exe` on Windows)
  - Applications (like database services, web servers)
  - Scheduled tasks that are currently executing
Think of running tasks as the list of things the server is actively doing at a given moment.
2. Why Are Running Tasks Important for Server Profiling?
Running tasks are critical because they help cybersecurity analysts:
- Detect malicious activity
  - Unusual tasks may indicate malware or unauthorized software.
  - Example: A server running a process that connects to unknown external IP addresses.
- Understand server functionality
  - Identifying normal tasks helps establish a baseline of what “good” looks like.
  - Example: A web server normally runs `httpd` or `nginx` processes. If another unexpected process runs, it might be suspicious.
- Troubleshoot performance issues
  - High CPU or memory usage by a particular task can slow down the server.
- Audit for compliance
  - Certain tasks may be required or forbidden based on company policies. Profiling helps check this.
3. Tools Used to View Running Tasks
Windows Servers:
- Task Manager
  - Graphical interface to see active tasks, CPU, memory usage.
- PowerShell commands
  - `Get-Process` – lists all running processes.
  - `Get-Service` – lists services, which are special long-running processes.
Linux Servers:
- Command-line tools
  - `ps` – lists running processes (`ps aux` shows all processes for all users)
  - `top` – shows real-time resource usage of processes
  - `htop` – interactive version of `top` (not always installed by default)
- Systemd services
  - `systemctl list-units --type=service` – shows active services managed by systemd
4. Key Attributes of Running Tasks to Note
When profiling servers, analysts often collect the following info about running tasks:
| Attribute | Description | Why it Matters |
|---|---|---|
| Process Name | Name of the executable or service | Helps identify what the task is |
| Process ID (PID) | Unique number for the running process | Useful for monitoring or terminating a specific task |
| User/Owner | Which account is running the process | Unusual accounts may indicate a compromise |
| CPU & Memory Usage | Resources consumed by the process | Detects heavy or abnormal usage |
| Network Connections | IPs/ports that the process communicates with | Detects malware communicating externally |
| Start Time | When the process started | Long-running unknown processes may be suspicious |
5. Profiling Steps for Running Tasks
- Collect a list of all running tasks
  - Use `ps aux` on Linux or `Get-Process` on Windows.
- Compare against a baseline
  - Identify tasks that normally run vs. tasks that are unusual.
- Check for unusual owners or privileges
  - Tasks running as root or SYSTEM that shouldn’t be may indicate a compromise.
- Monitor resource usage
  - CPU spikes or memory leaks can highlight abnormal behavior.
- Check network connections
  - Running tasks that connect to unknown IPs could be malicious.
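The first four steps above carried through in code, as an added Python example that is not part of the original notes: it parses a constructed `ps aux` snapshot, compares each process against a constructed baseline of expected commands and the accounts allowed to run them, and flags processes that are missing from the baseline, run under an unexpected owner, or exceed a CPU threshold. The sample output, the baseline and the threshold value are all assumptions; on a real server the baseline comes from your own profiling.

```python
"""Compare a ps aux snapshot against a baseline of expected processes."""
# Constructed sample of `ps aux` output (not captured from a real host).
SAMPLE_PS_OUTPUT = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1 169000 11000 ?        Ss   Mar01   0:05 /sbin/init
root       809  0.0  0.3 140000  8000 ?        Ss   Mar01   0:01 nginx: master process
www-data   812  1.2  2.4 250000 49000 ?        S    Mar01   3:10 nginx: worker process
mysql      930  4.5  8.0 900000 160000 ?       Ssl  Mar01  12:40 /usr/sbin/mysqld
root       977  0.0  2.1 250000 43000 ?        S    Mar01   0:02 nginx: worker process
root      4410 87.3  0.5  40000  9000 ?        R    10:42   5:33 /tmp/.cache/updater
"""

# Baseline: command -> accounts expected to run it (constructed for this example).
BASELINE = {
    "/sbin/init": {"root"},
    "nginx: master process": {"root"},
    "nginx: worker process": {"www-data"},
    "/usr/sbin/mysqld": {"mysql"},
}
CPU_THRESHOLD = 80.0  # percent; assumed value, tune to the server's normal load


def parse_ps(text: str) -> list[dict]:
    """Parse ps aux lines; COMMAND may contain spaces, so split at most 10 times."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split(None, 10)
        if len(fields) == 11:
            rows.append({"user": fields[0], "pid": int(fields[1]),
                         "cpu": float(fields[2]), "command": fields[10]})
    return rows


def profile_tasks(text: str, baseline: dict, cpu_threshold: float = CPU_THRESHOLD) -> list[tuple]:
    """Return (pid, user, command, reason) for every process that deviates from the baseline."""
    findings = []
    for r in parse_ps(text):
        pid, user, cmd, cpu = r["pid"], r["user"], r["command"], r["cpu"]
        if cmd not in baseline:
            findings.append((pid, user, cmd, "not in baseline"))
        elif user not in baseline[cmd]:
            findings.append((pid, user, cmd, f"unexpected owner, expected {sorted(baseline[cmd])}"))
        if cpu >= cpu_threshold:
            findings.append((pid, user, cmd, f"high CPU ({cpu}%)"))
    return findings


if __name__ == "__main__":
    for pid, user, cmd, reason in profile_tasks(SAMPLE_PS_OUTPUT, BASELINE):
        print(f"PID {pid:>5} {user:<9} {cmd!r}: {reason}")
```

With the sample data this reports the nginx worker owned by root (wrong owner) and the `/tmp/.cache/updater` process twice (not in baseline, high CPU); the network-connection step is a separate check against `netstat`/`ss` output and is not covered here.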
6. Key Points for the Exam
- Running tasks = currently active programs/services on a server.
- Server profiling includes reviewing all running tasks to detect:
  - Malware
  - Unauthorized software
  - Misconfigured services
  - Performance issues
- Use OS-specific tools to gather this information:
  - Windows → Task Manager, PowerShell
  - Linux → `ps`, `top`, `htop`, `systemctl`
- Important details to note: process name, PID, owner, CPU/memory usage, network connections, start time.
7. Quick Memory Tip for Exams
Think of server tasks like a server’s “activity log”:
- Normal tasks → expected work of the server
- Unknown tasks → potential threat
For the exam, you may be asked which tools to use or which information about running tasks is most important in server profiling.
