Cisco CCNA Cyber Ops

This course is designed to teach you fundamental knowledge for the core skills needed in a cyber security environment including basic security principles and concepts. The second half of this course will guide students through the principles of working in a Security Operations Centre.

SECFND Exam 210-250: Understanding Cisco Cybersecurity Fundamentals

Module 1: Network Concepts

• Describe the function of the network layers as specified by the OSI and the TCP/IP  network models
• Describe the operation of the following
• IP
• TCP
• UDP
• ICMP
• Describe the operation of these network services
• ARP
• DNS
• DHCP
• Describe the basic operation of these network device types
• Router
• Switch
• Hub
• Bridge
• Wireless access point (WAP)
• Wireless LAN controller (WLC)
• Describe the functions of these network security systems as deployed on the host, network, or the cloud:
• Firewall
• Cisco Intrusion Prevention System (IPS)
• Cisco Advanced Malware Protection (AMP)
• Web Security Appliance (WSA) / Cisco Cloud Web Security (CWS)
• Email Security Appliance (ESA) / Cisco Cloud Email Security (CES)
• Describe IP subnets and communication within an IP subnet and between IP subnets
• Describe the relationship between VLANs and data visibility
• Describe the operation of ACLs applied as packet filters on the interfaces of network devices
• Compare and contrast deep packet inspection with packet filtering and stateful firewall operation
• Compare and contrast inline traffic interrogation and taps or traffic mirroring
• Compare and contrast the characteristics of data obtained from taps or traffic mirroring and NetFlow in the analysis of network traffic
• Identify potential data loss from provided traffic profiles

Module 2: Security Concepts

• Describe the principles of the defense in depth strategy
• Compare and contrast these concepts:
• Risk
• Threat
• Vulnerability
• Exploit
• Describe these terms:
• Threat actor
• Run book automation (RBA)
• Chain of custody (evidentiary)
• Reverse engineering
• Sliding window anomaly detection
• PII
• PHI
• Describe these security terms:
• Principle of least privilege
• Risk scoring/risk weighting
• Risk reduction
• Risk assessment
• Compare and contrast these access control models:
• Discretionary access control
• Mandatory access control
• Nondiscretionary access control
• Compare and contrast these terms:
• Network and host antivirus
• Agentless and agent-based protections
• SIEM and log collection
• Describe these concepts:
• Asset management
• Configuration management
• Mobile device management
• Patch management
• Vulnerability management

Module 3: Cryptography

• Describe the uses of a hash algorithm
• Describe the uses of encryption algorithms
• Compare and contrast symmetric and asymmetric encryption algorithms
• Describe the processes of digital signature creation and verification
• Describe the operation of a PKI
• Describe the security impact of these commonly used hash algorithms:
• MD5
• SHA-1
• SHA-256
• SHA-512
• Describe the security impact of these commonly used encryption algorithms and secure communications protocols:
• DES
• 3DES
• AES
• AES256-CTR
• RSA
• DSA
• SSH
• SSL/TLS
• Describe how the success or failure of a cryptographic exchange impacts security investigation
• Describe these items in regards to SSL/TLS:
• Cipher-suite
• 509 certificates
• Key exchange
• Protocol version
• PKCS

Module 4: Host-Based Analysis

• Define these terms as they pertain to Microsoft Windows
• Processes
• Threads
• Memory allocation
• Windows Registry
• WMI
• Handles
• Services
• Define these terms as they pertain to Linux
• Processes
• Forks
• Permissions
• Symlinks
• Daemon
• Describe the functionality of these endpoint technologies in regards to security monitoring
• Host-based intrusion detection
• Antimalware and antivirus
• Host-based firewall
• Application-level whitelisting/blacklisting
• Systems-based sandboxing (such as Chrome, Java, Adobe reader)
• Interpret these operating system log data to identify an event
• Windows security event logs
• Unix-based syslog
• Apache access logs
• IIS access logs

Module 5: Security Monitoring

• Identify the types of data provided by these technologies
• TCP Dump
• NetFlow
• Next-Gen firewall
• Traditional stateful firewall
• Application visibility and control
• Web content filtering
• Email content filtering
• Describe these types of data used in security monitoring
• Full packet capture
• Session data
• Transaction data
• Statistical data
• Extracted content
• Alert data
• Describe these concepts as they relate to security monitoring
• Access control list
• NAT/PAT
• Tunneling
• TOR
• Encryption
• P2P
• Encapsulation
• Load balancing
• Describe these NextGen IPS event types
• Connection event
• Intrusion event
• Host or endpoint event
• Network discovery event
• NetFlow event
• Describe the function of these protocols in the context of security monitoring
• DNS
• NTP
• SMTP/POP/IMAP
• HTTP/HTTPS

Module 6: Attack Methods

• Compare and contrast an attack surface and vulnerability
• Describe these network attacks
• Denial of service
• Distributed denial of service
• Man-in-the-middle
• Describe these web application attacks
• SQL injection
• Command injections
• Cross-site scripting
• Describe these attacks
• Social engineering
• Phishing
• Evasion methods
• Describe these endpoint-based attacks
• Buffer overflows
• Command and control (C2)
• Malware
• Rootkit
• Port scanning
• Host profiling
• Describe these evasion methods
• Encryption and tunneling
• Resource exhaustion
• Traffic fragmentation
• Protocol-level misinterpretation
• Traffic substitution and insertion
• Pivot
• Define privilege escalation
• Compare and contrast remote exploit and a local exploit

SECOPS Exam 210-255: Implementing Cisco Cybersecurity Operations

The exam modules are as follows, below. Your Certified Cisco Systems Instructor will provide you with Cisco-recommended digital and printed content which will be used as preparation for the SECOPS exam. The instructor will facilitate study sessions, designed to best prepare you for the exam.

Module 1: Endpoint Threat Analysis and Computer Forensics

• Interpret the output report of a malware analysis tool such as AMP Threat Grid and Cuckoo Sandbox
• Describe these terms as they are defined in the CVSS 3.0:
• Attack vector
• Attack complexity
• Privileges required
• User interaction
• Scope
• Describe these terms as they are defined in the CVSS 3.0
• Confidentiality
• Integrity
• Availability
• Define these items as they pertain to the Microsoft Windows file system
• FAT32
• NTFS
• Alternative data streams
• MACE
• EFI
• Free space
• Timestamps on a file system
• Define these terms as they pertain to the Linux file system
• EXT4
• Journaling
• MBR
• Swap file system
• MAC
• Compare and contrast three types of evidence
• Best evidence
• Corroborative evidence
• Indirect evidence
• Compare and contrast two types of image
• Altered disk image
• Unaltered disk image
• Describe the role of attribution in an investigation
• Assets
• Threat actor

Module 2: Network Intrusion Analysis

• Interpret basic regular expressions
• Describe the fields in these protocol headers as they relate to intrusion analysis:
• Ethernet frame
• IPv4
• IPv6
• TCP
• UDP
• ICMP
• HTTP
• Identify the elements from a NetFlow v5 record from a security event
• Identify these key elements in an intrusion from a given PCAP file
• Source address
• Destination address
• Source port
• Destination port
• Protocols
• Payloads
• Extract files from a TCP stream when given a PCAP file and Wireshark
• Interpret common artifact elements from an event to identify an alert
• IP address (source / destination)
• Client and Server Port Identity
• Process (file or registry)
• System (API calls)
• Hashes
• URI / URL
• Map the provided events to these source technologies
• NetFlow
• IDS / IPS
• Firewall
• Network application control
• Proxy logs
• Antivirus
• Compare and contrast impact and no impact for these items
• False Positive
• False Negative
• True Positive
• True Negative
• Interpret a provided intrusion event and host profile to calculate the impact flag generated by Firepower Management Center (FMC)

Module 3: Incident Response

• Describe the elements that should be included in an incident response plan as stated in NIST.SP800-61 r2
• Map elements to these steps of analysis based on the NIST.SP800-61 r2
• Preparation
• Detection and analysis
• Containment, eradication, and recovery
• Post-incident analysis (lessons learned)
• Map the organisation stakeholders against the NIST IR categories (C2M2, SP800-61 r2)
• Preparation
• Detection and analysis
• Containment, eradication, and recovery
• Post-incident analysis (lessons learned)
• Describe the goals of the given CSIRT
• Internal CSIRT
• National CSIRT
• Coordination centers
• Analysis centers
• Vendor teams
• Incident response providers (MSSP)
• Identify these elements used for network profiling
• Total throughput
• Session duration
• Ports used
• Critical asset address space
• Identify these elements used for server profiling
• Listening ports
• Logged in users/service accounts
• Running processes
• Running tasks
• Applications
• Map data types to these compliance frameworks
• PCI
• HIPPA (Health Insurance Portability and Accountability Act)
• SOX
• Identify data elements that must be protected with regards to a specific standard (PCI-DSS)

Module 4: Data and Event Analysis

• Describe the process of data normalisation
• Interpret common data values into a universal format
• Describe 5-tuple correlation
• Describe the 5-tuple approach to isolate a compromised host in a grouped set of logs
• Describe the retrospective analysis method to find a malicious file, provided file analysis report
• Identify potentially compromised hosts within the network based on a threat analysis report containing malicious IP address or domains
• Map DNS logs and HTTP logs together to find a threat actor
• Map DNS, HTTP, and threat intelligence data together
• Identify a correlation rule to distinguish the most significant alert from a given set of events from multiple data sources using the firepower   management console
• Compare and contrast deterministic and probabilistic analysis

Module 5: Incident Handling

• Classify intrusion events into these categories as defined in the diamond model of intrusion
• Reconnaissance
• Weaponisation
• Delivery
• Exploitation
• Installation
• Command and control
• Action on objectives
• Apply the NIST.SP800-61 r2 incident handling process to an event
• Define these activities as they relate to incident handling
• Identification
• Scoping
• Containment
• Remediation
• Lesson-based hardening
• Reporting
• Describe these concepts as they are documented in NIST SP800-86
• Evidence collection order
• Data integrity
• Data preservation
• Volatile data collection
• Apply the VERIS schema categories to a given incident

Zie Exam Track...