Professional Documents
Culture Documents
Specialist Certification
James Risler, CCIE #15412
@JimRisler
jarisler@cisco.com
Agenda
• Understanding the Problem
• Why a Cyber Security Analyst Specialist Certification
• Understanding the Job Role of a Security Analyst
• Topics included on the Exam
• How to Prepare for the Certification Exam
• Conclusion
The Problem…
Ebay
Anthem
JP Morgan Chase
Target
Univ. of MD
Neiman Marcus
TJ Maxx
Sony
Zappos
LinkedIn
Citigroup
http://www.informationisbeautiful.net/visualisations/worlds-biggest-data-breaches-hacks/
Threat Landscape is Evolving…
Enterprise Antivirus IDS/IPS Reputation (Global) Intelligence and
Response (Host-Based) (Network Perimeter) and Sandboxing Analytics (Cloud)
N-AV Threat
Spreads to
Web Sec Devices
Email Sec
• Context is Critical
• No single system provides all data to decipher an attack
• Related threats, identity, reputation, vulnerability, device type…
Data
Intel & Research
Analysis Investigate
SIEM, Packet Data Analysis,
Capture & Collaboration,
Flow Tools & Case Tools
Tools Evidence & Information
Security Analyst Skills
What Skills to Develop?
• Four Key Areas of Competency
1. Monitoring
2. Data & Traffic Analysis
3. Event and Alarm Handling
4. Incident Response
• Foundation/Background
• Network infrastructure knowledge
• Diverse device configuration ability
• Security configuration knowledge
• Data management & teamwork
Start End
Skill
Foundation Device Traffic Performance Device
Config Capture Monitoring Monitoring
Example: Security Analyst Tool
Monitor, collect and analyse network traffic, establish a baseline,
NetFlow Telemetry and alarm on anomalies and behaviour changes
Cisco Switches, Routers, and ASA 5500-x
IP Address
Suspicious activity
that triggered the alarm
Exam Preparation
• How to Prepare for the Exam
• Exam Blueprint:
http://www.cisco.com/web/learning/exams/list/spec_scyber.html#~Topics
• Resources
• Books
• Publically available resources
• Cisco Learning Network
• Labs “Build your own”
How to Prepare
• Where to Start?
• Blueprint
• Create a study plan
• Study Group on Cisco Learning Network
• Cyber Security Study Group
• Posted documents
• Example of Resources
• NIST Documents
• http://csrc.nist.gov/publications/PubsSPs.html
• csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf
• NetFlow Overview (see links at end of slide deck)
• Wireshark Usage
• www.wireshark.org/docs/wsug_html_chunked
600-199 (SCYBER) Securing Cisco Networks with
Threat Detection and Analysis—Topics and Weighting
SCYBER (600-199) Exam—Topics and Weighting
4.2 – Describe TCP and UDP Header information 6.1 – Describe the communication vehicles related to post-threat
remediation
4.3 – Analyse network traces or TCP Dumps and trace back actual 6.2 – Generate incident reports and interpret the information to
activities determine the direction of the escalation
4.4 – Describe packet analysis in IOS 6.3 – Describe the different types of available metrics and
4.5 – Describe access packets in IOS 6.4 – Process incident handling communications and provide
4.6 – Acquire network traces context awareness for stakeholders
4.7 – Configure packet captures 6.5 – Articulate details of problems to remediating teams
5.0 Incident Response 6.6 – Maintain awareness of vulnerabilities and critical security
patches as a result from incident handling
5.1 – Describe standard corporate incident response 6.7 – Communicate recurring issues based on incident
5.2 – Identify necessary changes to enhance the existing procedure, handling and provide recommendations for architectural
policy, and decision tree changes or modifications.
5.3 – Describe the basic emergency mitigation of high-level threats, 6.8 – Describe the post-mortem process
exploits, and vulnerabilities
5.4 – Evaluate and recommend responses to vulnerabilities to ensure
adequate monitoring response and mitigations
5.5 – Assist the level 2 incident response team
5.6 - Describe best practices for post-event investigation
5.7 – Describe common legal and compliance issues in security
event handling
More Resources…
Books
• Crafting the InfoSec Playbook by Cisco’s Jeff Bollinger
• The Tao of Network Security Monitoring – by Richard Bejtlich
http://www.amazon.com/The-Tao-Network-Security-Monitoring/dp/0321246772
• Extrusion Detection: Security Monitoring for Internal Intrusions
• Incident Response with NetFlow for Dummies
http://www.lancope.com/blog/incident-response-for-dummies/
• Real Digital Forensics: Computer Security and Incident Response
• Security Monitoring by Chris Fry and Martin Nystrom
Labs – Strategy is to Learn Through Hands-on
• Lab 1-1: Case Study – Understanding a SOC • Lab 7-1: Manually Correlate Events
• Lab 2-1: Configure AAA and TACACS+ logging • Lab 7-2: Automatically Correlate Events
• Lab 3-1: Capturing Packets (Wireshark, SPAN, • Lab 7-3: Identifying a Security Incident
TCPDump)
• Lab 8-1: Understanding Flow Data
• Lab 4-1: Understanding Log Data
• Lab 8-2: NetFlow Practical Activity
• Lab 4-2: Correlating Event Logs
• Lab 9-1: ACL and CBAC Configuration
• Lab 5-1: Mapping a Monitored Network Topology
• Lab 9-2: Multiple Mitigation Deployment
• Lab 5-2: Retrieving Event Data
• Lab 10-1: Documenting an Incident
• Lab 5-3: Understanding Log Data Fields
• Lab 10-2: Recommending Remediation
• Lab 6-1: Assessing Current Security Controls
• Lab 6-2: Assessing Current Monitoring Systems
Detecting Potential Incidents
Preparation SIEM Tools
Containment
and Security
Eradication Engineer
Lab 1-1: Security Operations Centre
• National Institute of Standards and Technology (NIST) SP 800-61
(csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf)
Accomplish Goal
Understanding Attacks
• Infecting Systems
• Trojan Dropper – DLL library against Windows 7
• Disable Firewall
• Communication
• Command and control Bot done through a Bulgarian web-based free email server
8. Attack SQL Server – Steal 70 Million PII records (no credit cards
because PCI compliant)
• Osql.exe
• Isql.exe
• Bcp.exe
Phases of Attack – cont.
9. Download POS Malware and install on POS (“Kaptoxa” Malware)
10. Send stolen Credit Card info to network share (FTP transfer)
Reference
https://aroundcyber.files.wordpress.com/2014/09/aorato-target-
report.pdf
Example of a Type of Exam Question
Lab 3
• Download Wireshark or TCPDump (Linux)
• Capture packets – Learn to decode and understand payload
• Critical skill
http://packetlife.net/blog/2010/jun/7/understanding-tcp-sequence-
acknowledgment-numbers/
Packet Data – Follow the Packet
Wireshark
Packet list
Packet details
Packet bytes
Attack Example – SQL Injection
Tcpdump
• linux@ubuntu:~$ sudo tcpdump -i eth0 -n
• tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
• listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
• 10:06:57.246670 IP 192.168.28.1.137 > 192.168.28.255.137: NBT UDP PACKET(137):
QUERY; REQUEST; BROADCAST
• 10:06:57.665021 ARP, Request who-has 192.168.28.128 (00:0c:29:66:4d:29) tell
192.168.28.1, length 46
• 10:06:57.665041 ARP, Reply 192.168.28.128 is-at 00:0c:29:66:4d:29, length 28
• 10:06:57.996116 IP 192.168.28.1.137 > 192.168.28.255.137: NBT UDP PACKET(137):
QUERY; REQUEST; BROADCAST
• 10:06:58.746225 IP 192.168.28.1.137 > 192.168.28.255.137: NBT UDP PACKET(137):
QUERY; REQUEST; BROADCAST
• 5 packets captured
• 5 packets received by filter
• 0 packets dropped by kernel
• linux@ubuntu:~$
Lab 4
• Use Free Syslog server (turn on timestamp)
• Server logs, DNS logs, DHCP logs – Attempt to correlate
http://www.openxtra.co.uk/blog/top-5-open-source-event-correlation-tools/
Syslog Levels and Elements
Element Description
Stamps log messages with a sequence number only if
Sequence Number
“service sequence-numbers global” is part of the configuration.
Date and time of the event. Requires “service timestamps log”.
Timestamp
Formatted as mm/dd hh:mm:ss, or hh:mm:ss, or d h.
Facility The facility to which generated the message (for example, SNMP or SYS).
Severity Single-digit code from 0 to 7 that is the severity of the message.
Mnemonic A unique identifier associated with the category of the event.
Description Detailed information about the event.
Description (continued)
Splunk for Cisco Security Suite
• Provides increased visibility across
Cisco device data such as Cisco
reputation data in real time
• Pre-defined dashboards, searches,
reports and alerts for all supported
devices
• Field definitions to make ad-hoc
investigations and custom dashboard
creation as simple as a few mouse clicks
• Geographic threat information and
visualisation
• Reputation trending and monitoring Supported Cisco Security
Devices: IronPort Web Security Agent (WSA)
ASA and PIX Firewalls IronPort E-mail Security Agent (ESA)
FWSM (Router firewall module) Sourcefire
Identity Services Engine (ISE)
DNS Logging: Windows DNS Output
Timestamp • 9/1/2013 5:46:23 PM 0E78 PACKET 00000000022F2A30 UDP
Snd 10.0.0.100 0003 R Q [8081 DR NOERROR]
Requesting
AAAA (3)www(6)google(3)com(0)
IP
• QUESTION SECTION:
• Offset = 0x000c, RR count = 0
Requested Domain • Name "(3)www(6)google(3)com(0)"
Request Type • QTYPE AAAA (28)
• QCLASS 1
• ANSWER SECTION:
• Offset = 0x0020, RR count = 0
• Name "[C00C](3)www(6)google(3)com(0)"
Response Type • TYPE AAAA (28)
• CLASS 1
Response Time-To-Live • TTL 145
• DLEN 16
Response IP Address • DATA 2607:f8b0:400c:c02::68
Lab 5 (Event Data) and Lab 6 (Security Controls)
Lab 5
• Download Observium
• Monitor some network devices
• Understand Event data vs. Log data fields
Lab 6
• Security Controls – Run Nmap against your perimeter devices
• Review output of logs
• Freeware Vulnerability scanners
Resource Monitoring with Observium
Lab 7 (Correlation Events) and Lab 8 (Flow Data)
Lab 7
• Read documents on manual correlation
• Download OSSIM
• Learn how to configure automatic correlation between different sources
Lab 8
• NetFlow – Configure Cisco Router or ASA with NetFlow
• Read on NetFlow and the fields
• Free Tools for retrieving NetFlow (link)
http://www.networkmanagementsoftware.com/5-free-netflow-analyser-
tools-for-windows
Example – Nmap Output
• Nmap Options
• TCP
• UDP
• OS Detection
Header
Version Service Type Packet Length
Length
Source Address
Destination Address
Internet Protocol Version 6 (IPv6) Headers
Byte 1 Byte 2 Byte 3 Byte 4
Version Traffic Class Flow Label
Source
(16 bytes)
Destination
(16 bytes)
User Datagram Protocol (UDP) Headers
Byte 1 Byte 2 Byte 3 Byte 4
Length Checksum
Data
Transmission Control Protocol (TCP) Headers
Byte 1 Byte 2 Byte 3 Byte 4
Sequence Number
Acknowledgement Number
Header Flags
Resv. Window Size
Length (RST, SYN, FIN, ...)
0 0 Echo Reply
0 Destination network unreachable
1 Destination host unreachable
2 Destination protocol unreachable
3 3 Destination port unreachable
4 Fragmentation required
9 Network administratively prohibited
10 Host administratively prohibited
8 0 Echo Request
11 0 Time-To-Live Expired in Transit
Embedded Packet Capture (EPC)
• Embedded packet capture allows IOS devices to perform basic packet analysis
on-board.
• Traffic may be displayed, saved, or exported as a PCAP file.
• Differs from SPAN ports or Router IP Traffic Export.
• Data is stored on the network device, not forwarded
• Data can be exported through a variety of paths, including:
• flash:
• tftp:
• ftp:
• scp:
Embedded Packet Capture (EPC)
router#
monitor capture buffer name [...]
router(config)#
[...]
router#
Embedded Packet Capture (EPC)
router#
monitor capture point ip cef name interface direction
router(config)#
[...]
Server
Log Correlation Engine - Tenable
Alienvault OSSIM
• Unified Security Management
Splunk
• Machine Data Search and Correlation Engine
High-Level Diagram
EXT-INET
ssid: Guest Cisco 1941
Aironet 2600i
BSSID: AA:DD:BB:01:23:45 DAL-ASA1 Building 1
Building 1
10.0.6.0/24 ASA5510 Room 30
Room 25 Ceiling
Building 1 Rack 1-1
Room 30 XYZ Internet
10.0.6 172.16.20.3
.1 Rack 2-01 .1 214-555-1234
10.0.5 G 0/1 ACCT: 123456
G 0/0
10.0.6 .2
.254 10.0.5
FE 1 G0
10
7.1 FE .0.3.1
LA
B .0.
10 2
LAB
e for FE
3
Cisco 1941
N Lin
HWIC-1GE-SFP G1/0 VP
Building 2 10 Corporate-RTR
.7 .2 .0 Cisco 1941
Room 3 .0 G 0 .3.3
10 /0
Rack 1-1 G0 /0 HWIC-1GE-SFP G1/0
10.0.9.2 10.0.9.1 10.0.8.1 10.0.8.2 Building 1
FE 2 G 0/1 Room 30
G 0/1 FE 3
Rack 1-2
10.0.3.3
G 1/0
G 1/0 10.0.3.4
10.0.5.1 10.0.5.1
vlan93
FE 1
DAL-ASA2
10.0.3.4
vlan912
G 1/0/1
ASA5510
G 1/0/24
Building 1
Room 30 DAL-SW2
Rack 2-02 10.01.4
3750/24 Stack (2)
DAL-SW1
3750/24 Stack (2) Building 1
Building 2 Room 30
10
Room 3 .0 Rack 1-3 & 1-4
G 1 .1.12
Rack 1-1 / 0/ 0
1
10.0.3.3
1
vl a 10 n9
G 0/1
n9 . 0. vl a
1 1 1.6
G1 .119 .0.
/1 10 G1/0
10.0.1.5 10.0.1.8
G0/0 vlan91
DAL-INT-RTR
Cisco 1941
EHWIC-4ESGP G1/0-G1/3 DAL-INT-SW
Building 1 3750/48
Building 1
Room 30
Room 26
Rack 1-5
Rack 1-1 Wall
• http://csrc.nist.gove/publications/nistpubs/800-92/SP800-92.pdf
• http://www.sans.org/security-resources/policies/info_sys_audit.pdf
• Microsoft Malware Protection Centre
• (www.microsoft.com/security/portal/mmpc/)
• Full Disclosure mailing list
• (seclists.org/fulldisclosure/)
Links and Must Reads
• NetFlow
www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps6601/prod_white
_paper0900aecd80406232.html
• Microsoft
windows.microsoft.com/en-us/windows7/what-information-appears-in-event-logs-
event-viewer
• What is a baseline?
www.quepublishing.com/articles/article.aspx?p=22306
• SIEM tools – Do’s and Don’ts
http://www.csoonline.com/article/print/509553
My Promise to You
• Add Documents to the Cisco Learning Network Cyber Security Study Group
• Over the next Month go through the exam blueprint and cover all of the topics
=
Participate in the “My Favourite Speaker” Contest
Promote Your Favorite Speaker and You Could Be a Winner
• Promote your favorite speaker through Twitter and you could win $200 of Cisco
Press products (@CiscoPress)
• Send a tweet and include
• Your favorite speaker’s Twitter handle @JimRisler
• Two hashtags: #CLUS #MyFavoriteSpeaker
• You can submit an entry for more than one of your “favorite” speakers
• Don’t forget to follow @CiscoLive and @CiscoPress
• View the official rules at http://bit.ly/CLUSwin
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Table Topics
• Meet the Engineer 1:1 meetings
• Related sessions
Security Cisco Education Offerings
Course Description Cisco Certification
Implementing Cisco IOS Network Security (IINS) Focuses on the design, implementation, and monitoring of a comprehensive CCNA® Security
security policy, using Cisco IOS security features
Implementing Cisco Edge Network Security Solutions
(SENSS) Configure Cisco perimeter edge security solutions utilising Cisco Switches, Cisco
Routers, and Cisco Adaptive Security Appliance (ASA) Firewalls
Implementing Cisco Threat Control Solutions (SITCS)
Deploy Cisco’s Next Generation Firewall (NGFW) as well as Web Security, Email
Implementing Cisco Secure Access Solutions (SISAS) Security and Cloud Web Security
Implementing Cisco Secure Mobility Solutions Deploy Cisco’s Identity Services Engine and 802.1X secure network access
(SIMOS)
Protect data traversing a public or shared infrastructure such as the Internet by
implementing and maintaining Cisco VPN solutions
Securing Cisco Networks with Threat Detection and Designed for professional security analysts, the course covers essential areas of Cisco Cybersecurity Specialist
Analysis (SCYBER) competency including event monitoring, security event/alarm/traffic analysis, and
incident response
Network Security Product and Solutions Training For official product training on Cisco’s latest security products, including Adaptive
Security Appliances, NGIPS, Advanced Malware Protection, Identity Services
Engine, Email and Web Security Appliances see
www.cisco.com/go/securitytraining
Initial Compromise
54% of breaches to Discovery
0% 0% 2% 13% 29% 54% 2%
are not discovered for
months Discovery to
Containment/
Restoration 0% 1% 9% 32% 38% 17% 4%
Source: 2013 Data Breach Investigations Report, compiled by 18 organisations that contributed data
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 83