Implementing Cisco Cybersecurity Operations (SECOPS 210-255)



Disclaimer: Tech-Act is an independent training services provider. Any use of third party trademarks, brand names, products and services is only referential. Tech-Act disclaims any sponsorship, affiliation or endorsement of or by any third parties. Tech-Act is an authorized training partner only where explicitly stated and as listed here.





About This Course

Implementing Cisco Cybersecurity Operations (SECOPS) v1.0 certification training teaches professionals how a Security Operations Center (SOC) works and provides the introductory knowledge and expertise required in this domain.

Professionals learn and develop the core expertise required for the associate-level coursework of the 210-255 SECOPS exam, which, when combined with the 210-250 SECFND exam, leads to the CCNA Cyber Ops certification.

The Implementing Cisco Cybersecurity Operations (SECOPS) v1.0 certification program focuses on the introductory-level knowledge and expertise required of a Security Operations Center (SOC) analyst at associate level. The course helps you understand basic threat analysis, malicious activity identification and event correlation, and teaches you to use a playbook for incident response.


Who Should Attend This Course

Implementing Cisco Cybersecurity Operations (SECOPS) v1.0 certification program is apt for SOC security analysts, computer network defense support professionals, network defense experts/analysts, SOC personnel and future incident response experts.

The course is also apt for professionals and students who wish to kick-start a career in the field of cybersecurity. It is a perfect pick me up for IT professionals looking to understand and learn more about Cisco channel partners and cybersecurity operations.


Why This Course

Cisco Systems, Inc. is undoubtedly an industry leader in the networking landscape. Cisco powers a number of service providers, from small- to large-scale organizations, including corporations, educational institutions and federal agencies. A whopping 85% of the planet’s Internet traffic travels across Cisco’s systems. This triggers a huge demand for Cisco certified professionals to serve the growing IT domain, and having a Cisco certification is sure to make you stand out from the crowd.

  • Prepares you for 210-255 SECOPS exam
  • Define SOC and various job roles in this domain
  • Understand various SOC systems and infrastructure tools
  • Understand and learn incident analysis fundamentals for threat oriented SOC
  • Explore resources for assisting with investigation
  • Explain event correlation
  • Describe attack vectors
  • Identify various malicious activities
  • Learn about playbook concepts
  • Explain and describe incident response
  • Define SOC metrics and types
  • Understand SOC automation and workflow management

Course Objectives
  • Prepares you for 210-255 SECOPS exam
  • Define SOC
  • Understand SOC systems
  • Understand incident analysis fundamentals
  • Event correlation
  • Attack vectors
  • Identify malicious activities
  • Learn playbook concepts
  • Describe incident response
  • Define SOC metrics
  • SOC workflow management

Course Prerequisites

It is recommended that professionals possess skills and knowledge equivalent to Interconnecting Cisco Networking Devices (ICND1). Professionals should also have a basic understanding of Cisco IOS networking and Windows OS. Plus, Understanding Cisco Cybersecurity Fundamentals (SECFND) is a bonus.


Course Benefits


After successful completion of the course, you can:

  • Prepare for the 210-255 SECOPS exam
  • Define SOC and various job roles in this domain
  • Understand various SOC systems and infrastructure tools
  • Understand and learn incident analysis fundamentals for threat oriented SOC
  • Explore resources for assisting with investigation
  • Explain event correlation
  • Describe attack vectors
  • Identify various malicious activities
  • Learn about playbook concepts
  • Explain and describe incident response
  • Define SOC metrics and types
  • Understand SOC automation and workflow management

Curriculum


Endpoint Threat Analysis and Computer Forensics

Overview

This section gives information about the Cisco Cybersecurity Operations exam. It also focuses on the introductory-level skills of basic threat analysis, event correlation, identifying malicious activities and using a playbook for incident response.

Read Analysis Reports

This section discusses traditional malware detection and mitigation and the analysis of reports. It shows how to use Cisco’s AMP ThreatGRID suite to gather information and generate reports for analysis.

Describe CVSS 3.0

This section introduces the CVSS 3.0 scoring system. It describes what CVSS is, the reasons for its development, how it is maintained, and its metrics. It also explores how to calculate a Base score, looking at Exploitability Metrics like Attack Vector (AV) and Attack Complexity (AC).

Understand Windows File Systems

This section discusses the importance of filesystems when it comes to computer security. It dives into the filesystems supported by the Windows Operating System, which include File Allocation Table (FAT) and New Technology File System (NTFS), as well as how to handle them in a forensically sound way.

Understand Linux File Systems

This section discusses the importance of filesystems when it comes to computer security. It dives into filesystems supported by the Linux Operating System, such as EXT3, EXT4, ReiserFS, Journaling, MBR, Swap files, HFS, and UEFI vs BIOS.

Identify Forensic Evidence

This section explores how to identify, handle, and process digital forensic evidence. It also defines terms such as “Computer Forensics”, “Chain of Custody”, and “Order of Volatility”.

Network Intrusion Analysis

Interpret Basic Regular Expressions

This section explores interpreting basic Regular Expressions, aka RegEx. It explains common RegEx functions and operators. It shows how to use RegEx to filter configuration output in a Cisco router.

Describe Protocol Headers

This section explores Ethernet headers and their importance as a security vector. It describes the different sections of the header, Layer 2’s lack of security measures, and types of common Layer 2 attacks such as DHCP Starvation, ARP Spoofing, and CAM Table Exhaustion.

Describe ICMP Intrusion

This section describes the use and importance of ICMP from a security standpoint. It defines what ICMP is and how it works. It covers the header information associated with ICMP, analyses a packet capture of a ping sweep, and talks about the ICMP types. It also explores attacks like Firewalking, OS Fingerprinting, and ICMP Route Redirects.

Describe HTTP Headers

This section describes HTTP Headers. It covers an HTTP Basics Review, the HTTP Methods (GET, POST, HEAD, PUT, DELETE, TRACE, OPTIONS, CONNECT), content-type, user agent, the referer field, Cookies, Cookie Components, Double Encoding, and common characters used in web attacks.

Identify Netflow v5 Records

This section discusses what NetFlow is and how to identify the elements of a NetFlow v5 record from a security event, including IP 5-tuple information, the NetFlow v5 fields, and what a Flow Record is. It also covers what a Flow Exporter is, what a Flow Monitor is, how the information should be cached, and what StealthWatch is.

Examine Intrusion Events

This section explains the common artifact elements of an event used to identify an alert. It shows how to identify the key elements of an intrusion from a given PCAP file, how to extract files from a TCP stream when given a PCAP file from Wireshark, and how Wireshark's file extract objects feature works.

Intrusion Event Technologies

This section covers intrusion event technologies and maps the provided events to their source technologies. It explains DHCP Server/Exhaustion, DNS Server, NetFlow, StealthWatch, FMC (Cisco Firepower Management Center), and Statistical Data-Session Data.

Intrusion Impact Analysis

This section discusses Intrusion Impact Analysis. It compares and contrasts impact and no-impact for False Positive, False Negative, True Positive and True Negative, and defines Heuristics. It also explains what Firepower Management Center (FMC) is.

Incident Response

Incident Response Elements

This section discusses incident response plans. It describes what they are and the elements that should be included in them according to NIST.SP800-61 r2. It also explains how to identify the stakeholders that belong in each analysis category.

Describe CSIRT Goals

This section describes CSIRT and the goals of CSIRT. It talks about the 6 goals of a given CSIRT.

Identify Cybersec Elements and Frameworks

This section talks about how to identify server profiling elements and link data types to 3 compliance frameworks, i.e. PCI, HIPAA and SOX. At the end it also identifies the elements that must be protected according to PCI-DSS.

Data and Event Analysis

Describe Data Normalization

This section discusses the process of data normalization and its importance. It also discusses converting data values into a universal format for data analysis.

Describe 5 Tuple Correlation

This section describes what the 5-tuple is, as well as how it correlates events. It also shows how the 5-tuple can help to isolate and identify a compromised host in logs.

FirePower Management Console

This section looks at a threat analysis report and shows how to identify a possibly compromised host. It shows indicators of compromise and how to drill down to find information.

Compare and Contrast Analysis Methods

This section compares and contrasts deterministic and probabilistic analysis methods to help with data and event analysis.

Incident Handling

Classify and Categorize Intrusions

This section describes the use of the Diamond Model of Intrusion and how it helps us to handle events. It also shows how the Kill Chain and Diamond Model work together for a complete security intelligence model.

Apply NIST.SP800-61 r2 To Events

This section applies the NIST.SP800-61 r2 incident handling process to an incident event. It explains the process and shows the recommended process for incident handling.

NIST SP800-86 Evidence Handling

This section describes Evidence Handling as documented in NIST SP800-86. It explores its importance and key role in forensics.

Apply VERIS Schema Categories

This section shows how to apply VERIS schema categories to incident handling events.

Schedule & Fees


Online Instructor Led Implementing Cisco Cybersecurity Operations (SECOPS 210-255) Certification Training


Please contact us for more information on course fees and upcoming batch schedule.

Course FAQ


Why Tech-Act for Implementing Cisco Cybersecurity Operations (SECOPS) v1.0?

Tech-Act makes sure to have the best and industry experienced trainers onboard, who are certified to do the job. In addition, Tech-Act is a recognized learning center for CompTIA, EC Council and others. It is also a Pearson Vue authorized learning center. Eureka! Tech-Act lets you choose the pace of your certification training.

What are the key benefits of Implementing Cisco Cybersecurity Operations (SECOPS) v1.0?

Implementing Cisco Cybersecurity Operations (SECOPS) v1.0 is a vendor-neutral certification course and helps you:

  • Prepare for the 210-255 SECOPS exam
  • Define SOC and various job roles in this domain
  • Understand various SOC systems and infrastructure tools
  • Understand and learn incident analysis fundamentals for threat oriented SOC
  • Explore resources for assisting with investigation
  • Explain event correlation
  • Describe attack vectors
  • Identify various malicious activities
  • Learn about playbook concepts
  • Explain and describe incident response
  • Define SOC metrics and types
  • Understand SOC automation and workflow management

Do you have certified trainers?

Yes, trainers at Tech-Act are certified and possess relevant industry experience to do the job.

What is the eligibility criteria to enroll for Implementing Cisco Cybersecurity Operations (SECOPS) v1.0?

Implementing Cisco Cybersecurity Operations (SECOPS) v1.0 certification program is apt for SOC security analysts, computer network defense support professionals, network defense experts/analysts, SOC personnel and future incident response experts.

The course is also apt for professionals and students who wish to kick-start a career in the field of cybersecurity. It is a perfect pick me up for IT professionals looking to understand and learn more about Cisco channel partners and cybersecurity operations.

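It is recommended that professionals possess skills and knowledge equivalent to Interconnecting Cisco Networking Devices (ICND1). Professionals should also have a basic understanding of Cisco IOS networking and Windows OS. Plus, Understanding Cisco Cybersecurity Fundamentals (SECFND) is a bonus.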
