
CCNA Cyber Ops

James Risler – Manager Security Content Development


BRKCRT-2207
Agenda

• Introduction
• Job Role of a Security Analyst
• CCNA Cyber Ops
• Highlights of SECFND Course
• Highlights of SECOPS Course
• Exam Prep Information
• Conclusion
The Problem…
• Anthem
• Target
• Mossack Fonseca
• Ebay
• JP Morgan Chase
• Voter Database
• Univ. of MD
• Neiman Marcus
• TJ Maxx
• Sony
• Zappos
• LinkedIn
• Citigroup

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
BRKCRT-2207 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
Threat Landscape is Evolving…
• 2000 – Enterprise Antivirus (Host-Based); threats: Worms
• 2005 – IDS/IPS (Network Perimeter); threats: Spyware and Rootkits
• 2010 – Reputation (Global) and Sandboxing; threats: APTs, Cyberwar
• Tomorrow – Intelligence and Analytics (Cloud); threats: Increased Attack Surface
The History of Hacking and Examples
• 1990–2000: Viruses
• 2000–2005: Worms
• 2005–Today: Spyware and Rootkits
• Today +: APTs, Cyberwar
Trend: Phishing, Low Sophistication → Hacking Becomes an Industry → Sophisticated Attacks, Complex Landscape
Examples on the timeline (1990 to 2020): Melissa, ILOVEYOU, Anna Kournikova, Nimda, SQL Slammer, Conficker, Rustock, Tedroo, Aurora, Shady Rat, Conficker v2, Duqu, Angler, Shamoon2, GRIZZLY STEPPE
How Industrial Hackers Monetize the Opportunity
Welcome to the Hackers’ Economy
• Global Cybercrime Market: $450B–$1T
• Mobile Malware: $150
• Exploits: $100K–$300K
• Spam: $50 per 500K emails
• Credit Card Data: $0.25–$60
• Social Security Number: $1
• Medical Record: >$50
• DDoS as a Service: ~$7/hour
• Facebook Account: $1 for an account with 15 friends
• Bank Account Info: >$1000, depending on account type and balance
• Malware Development: $2500 (commercial malware)
Source: CNBC
Job Role of a Security Analyst
Challenges Facing Organizations
• Detecting Advanced Persistent Threats. Malware that makes it past perimeter security can remain in the enterprise as a lurking threat, waiting to strike. These may be zero-day threats that do not yet have an antivirus signature, or may be hard to detect for other reasons.
• Uncovering Network Reconnaissance. Some attacks probe the network looking for attack vectors to be used by custom-crafted cyber threats.
• Finding Internally Spread Malware. Malware can proliferate across hosts inside the network for the purpose of gathering reconnaissance data, exfiltrating data, or planting network backdoors.
• Identifying Botnet Command & Control Activity. Bots implanted in the enterprise receive commands to send spam, launch denial-of-service attacks, or carry out other malicious acts.
New Focus - Attack Continuum
• BEFORE – Discover, Enforce, Harden (Monitoring)
• DURING – Detect, Block, Defend (Identification)
• AFTER – Scope, Contain, Remediate (Impact Mitigation)
Visibility and Context across the whole continuum
Mission Critical Business Systems and Solutions
Supporting elements: Policies, Process and People; Response and Detection; Policy Communication Strategy
National Institute of Standards and Technology
Objective:
• Framework
• Job Role Alignment
• Students have clear job prospects & opportunities
• Help policy makers promote job growth
• Assist employers with job skill hiring and development
Continue: Security Analyst Challenges
Perimeter security stack: Firewall, IPS, N-AV, Web Sec, Email Sec
• Customized threat bypasses security gateways
• Customized threat enters from inside
• Threat spreads inside perimeter
• Threat spreads to devices
Perimeter security stops many threats, but sophisticated cyber threats evade existing security constructs.
Fingerprints of threats are often found in the network fabric.
Security Investigation Process
Playbook – Process and Procedures (Start to End)
1. Goals/Objectives
2. SOC Solution Components
Prevent → Detect → Collect → Analyze → Mitigate, built on the Foundations
Functional Model for Security Analyst
Security Analyst – SOC Solution Components
• Prevent: Network IPS, Host IPS, Email/Web, Firewall, Proxy, Spam Prevention, Antivirus
• Detect: Network IDS, Adv. Malware, Behavioral anomaly, NetFlow anomaly
• Collect: Proxy, NetFlow, Logs, Event Logs
• Analyze: SIEM, NetFlow Analysis, Web Firewall Analysis, Malware Analysis, Other Tools
• Mitigate: IP Blackhole, Adv. ACLs, DNS Poisoning
• Skill Foundation: Device Config, Traffic Capture, Performance Monitoring, Device Monitoring
Example – Job Roles in a SOC
• Data: SIEM, Packet Capture & Flow Tools
• Intel & Research Tools
• Analysis: Data Analysis, Collaboration, & Case Tools
• Investigate: Evidence & Information
“Kimsuky” Operation: A North Korean APT
• 4 key South Korean targets
  • Phishing against Hyundai Merchant Marine
• Infecting systems
  • Trojan dropper – DLL library targeting Windows 7
• Install spying modules
  • Keystroke logger, directory listing, remote control & execution, remote control access
  • Disable firewall
• Communication
  • Command and control of the bot done through a Bulgarian web-based free email server
  • Regular reporting, RC4 encryption and export of data
CCNA Cyber Operations Certification
Simplified Security Team Model – Certifications Mapping
• CSO / Manager – “Set Policy & Prioritize”: CISO, Manager, Legal/Compliance/Privacy (CE Credits; Cross-Training; Product or Job-Role Training)
• Secure Infrastructure, Architects & Engineers – “Design and Secure”: CCIE Security, Cisco SAFE Security Architecture, CCNP Security
• Secure Infrastructure, Engineers, Technicians & Administrators – “Build and Secure”: CCNA Security
• Security Operations Team – “Detect and Respond” (Threat Centric Model): Security Analyst; First Responder; Network Auditor; Digital Forensics Investigator; SOC Team Member – CCNA Cyber Ops
Curriculum Paths: Security Career Training
• Product Training (“Traditional”): Product Deep Dive – Install/Troubleshoot – “Install/Run Product”
• Secure Infrastructure (Core Job Skills): Definitive Job-Role Training on building Secure Network Infrastructure – Build/Secure – “Build the Castle”
• Cybersecurity Operations (Core Job Skills): Definitive Job-Role Training for Security Operations Jobs – Detect/Respond – “Guard the Castle”
• Applied Security (Newer Areas): Elective/Specialized Training Applying Security Skills to Technologies or Environments – Apply Security Skills
Security Fundamentals Course (SECFND)
14 Sections in this course that cover:
• Fundamentals of TCP/IP
• Fundamentals of Cryptography
• Information Security
• Network Applications and Attacks
• Windows and Linux OS Overview
• Endpoint Attacks and Security
• Security Data Collection **
• Security Event Analysis **
75% of the course is on foundation skills, focused on the knowledge needed for the SECOPS course.
** Security Data Collection and Event Analysis are the key feeder concepts.
Example Lifecycle of Detection
• Preparation – SIEM Tools & Workflow Management
• Detection based on Policies – Logs & Event Notifications
• Analysis – Log & Flow Correlation with PCAP files
• Containment and Eradication – Security Engineer
• Recovery & Defensive Measures
• Lessons Learned
• Playbook Modification
Communication runs throughout the cycle.
Attacker Methodology
• Understand what types of attackers there are
• What methodology an attacker will use
• Hacking techniques
• Basic strategy
• Public information
• Map information
• Short-term vs. long-term attacker goals
Attack steps: Gather Info → Scan → Gain Access → Escalate → Persist → Expand → Accomplish Goal
Understanding Attacks
Actors in the diagram: External Attacker, C&C Servers, Infected Workstation, File Server, Insecure FTP Server
Step 1: Attacker sends email to victim
Step 2: Email infects victim, which connects to C&C
Step 3: Attacker sends instructions to victim host
Step 4: Victim host copies and encrypts data
Step 5: Victim host uploads encrypted data to the insecure FTP server
Step 6: Attacker retrieves encrypted data from FTP
Malware and Attacker Tools
• Distinguish between general-purpose malware and attacker tools
• Describe the role of each tool in an attacking toolset
• Attacker exploits – know the difference between each of these:
  • Backdoors
  • Downloaders and droppers
  • Rootkits
  • Pivots
  • Keyloggers
  • Exploits
  • Payloads
Example of a Complex Threat Visibility Concept
Leveraging NetFlow to investigate a potential IT policy violation
• Attack bypasses perimeter and traverses network
• NetFlow at the access layer provides greater granularity
• Automating context collection: correlating log data with flow information
ACTIVE FLOWS: 23,892
SRC/65.32.7.45:
  DST/165.1.4.9/Uzbekistan : FTP
  DST/171.54.9.2/US : HTTP
  DST/34.1.5.78/China : HTTPS
  DST/165.1.4.9/Uzbekistan : FTP
  DST/123.21.2.5/US : AIM
  DST/91.25.1.1/US : FACEBOOK
Context: User/ORG = Pat Smith, R&D; Client = Dell XYZ100; DST = Poor Reputation
Attack Example – SQL Injection
Kill Chain
• Understand what attackers do
• Attackers are not bound to this model
• Used to prioritize events
• Set escalation levels
• Determine defense level controls
• Measure analytic completeness
APT Threat Life Cycle
APTs can go undetected for years
APT1 report – longest observed presence 4 years 10 months (average 356 days)
Source: Mandiant Report – APT1: Exposing One of China’s Cyber Espionage Units
Diamond Model
• The Diamond Model was developed to help derive order from chaos
• Systematic way to analyze events
• Supports “critical thinking”, a key skill for a Security Analyst
• Example – grouping events shows an adversary’s capabilities
Security Operations Course (SECOPS)
14 Sections plus some Appendix information:
• Define a SOC and job roles in a SOC
• SOC Infrastructure Tools and Systems
• Incident Analysis for a Threat-Centric SOC
• Resources to Assist with an Investigation
• Event Correlation and Normalization
• Common Attack Vectors
• Identifying Malicious Activity
• Using the Playbook
• Incident Response Handbook
• SOC Metrics/Threat Integration
• SOC Workflow and Automation
The course focuses on entry-level Security Analyst skills. A solid network foundation is critical. It takes a generic SOC approach.
Types of SOCs
• Analogy – a Threat-Centric SOC is like trying to predict the weather correctly 100% of the time
• One SOC does not fit all
• Threat-Centric SOC – proactively hunts for threats on a network; driven by telemetry and data analytics
• Versus Compliance-Based SOC – detection of unauthorized changes; policy violations; compliance with standards such as PCI DSS 2.0
• Versus Operational-Based SOC
Generic SOC Architecture
• Telemetry Streams: Full Packet Capture, NetFlow, Protocol Metadata, Alert + Application Logs, Machine Logs
• Parse, Format & Enrichment
• Big Data: Network Modeling, Log Mining, Packet Mining, Analytics & Statistical Analysis
• Threat Intelligence Feeds
• Applications & Analyst Tools
External Resources
SOC Analyst Tier 1
Stages of Attack
Network Security Monitoring & Tools
• Analysts need data
• Tools are based on requirements
• Tools – Security Onion:
  • Sguil
  • ELSA
  • Bro
  • Snort – NIDS
  • OSSEC – HIDS
NetFlow Information
Example NetFlow Traffic Flow
Specific NetFlow Host Communications
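The three NetFlow slides above are images in the deck. The following is an added example, not from the Cisco presentation, that serves them and the earlier “Complex Threat Visibility” slide together: it packs a constructed NetFlow v5 export datagram (24-byte header, 48-byte records), parses it back into flow 5-tuples, and enriches each flow with the kind of context that slide correlated (user and client, destination country, reputation). The identity, geolocation and reputation tables are stand-in dictionaries, and the flows reuse that slide's addresses with assumed ports and byte counts.

```python
import socket
import struct
from collections import namedtuple

# NetFlow v5 export layout: 24-byte header, then `count` 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

Flow = namedtuple("Flow", "src dst sport dport proto pkts octets")


def parse_netflow_v5(datagram):
    """Return the flows (5-tuple plus packet/byte counters) in one v5 datagram."""
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram")
    flows = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, _nexthop, _inp, _out, pkts, octets, _first, _last,
         sport, dport, _pad1, _flags, proto, _tos, _sas, _das,
         _smask, _dmask, _pad2) = V5_RECORD.unpack_from(datagram, off)
        flows.append(Flow(socket.inet_ntoa(src), socket.inet_ntoa(dst),
                          sport, dport, proto, pkts, octets))
    return flows


def build_netflow_v5(records):
    """Constructed exporter, used only to make offline test input."""
    header = V5_HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0\0\0\0",
                       0, 0, pk, oc, 0, 0, sp, dp, 0, 0x18, pr, 0, 0, 0, 0, 0, 0)
        for s, d, sp, dp, pr, pk, oc in records)
    return header + body


# (src, dst, sport, dport, proto, packets, octets): addresses from the slide,
# ports and counters assumed; protocol 6 is TCP.
SAMPLE_RECORDS = [
    ("65.32.7.45", "165.1.4.9", 51234, 21, 6, 1200, 1_800_000),
    ("65.32.7.45", "171.54.9.2", 51235, 80, 6, 30, 14_000),
    ("65.32.7.45", "34.1.5.78", 51236, 443, 6, 40, 22_000),
    ("65.32.7.45", "165.1.4.9", 51237, 21, 6, 900, 1_300_000),
    ("65.32.7.45", "123.21.2.5", 51238, 5190, 6, 12, 900),
    ("65.32.7.45", "91.25.1.1", 51239, 443, 6, 25, 9_000),
]
SAMPLE_DATAGRAM = build_netflow_v5(SAMPLE_RECORDS)

# Stand-in context sources (assumed values mirroring the slide's annotations).
IDENTITY = {"65.32.7.45": "Pat Smith, R&D, client Dell XYZ100"}
GEO = {"165.1.4.9": "Uzbekistan", "171.54.9.2": "US", "34.1.5.78": "China",
       "123.21.2.5": "US", "91.25.1.1": "US"}
REPUTATION = {"165.1.4.9": "poor"}
SERVICES = {21: "FTP", 80: "HTTP", 443: "HTTPS", 5190: "AIM"}


def enrich(flows):
    """Attach user, geo, service and reputation context to each flow."""
    return [{"user": IDENTITY.get(f.src, "unknown"), "src": f.src,
             "dst": f.dst, "country": GEO.get(f.dst, "?"),
             "service": SERVICES.get(f.dport, str(f.dport)),
             "reputation": REPUTATION.get(f.dst, "unknown"),
             "octets": f.octets} for f in flows]


def suspicious(enriched, upload_threshold=1_000_000):
    """Flows to a poor-reputation host, or a large cleartext FTP upload,
    are what the analyst escalates from this view."""
    return [e for e in enriched
            if e["reputation"] == "poor"
            or (e["service"] == "FTP" and e["octets"] >= upload_threshold)]


if __name__ == "__main__":
    for hit in suspicious(enrich(parse_netflow_v5(SAMPLE_DATAGRAM))):
        print(hit)
```

The 5-tuple (source, destination, source port, destination port, protocol) is the join key: the same tuple that NetFlow exports is what the SIEM later correlates against proxy and firewall logs. Here the two FTP flows to the poor-reputation host in Uzbekistan are the ones that surface, which is exactly the policy violation the slide describes.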
DNS Record
Label: 596-958849831234.id-10293839413421.up.sshdns.abc.tunnel.private.
TTL: 0
Class: IN (Internet)
Record Type: TXT
Data: "AAAAlAgfAAAAgQDKrd3sFmf8aLX6FdU8ThUy3SRWGhotR6EsAavqHgBzH2khqsQHQjEf355jS7c+4a8kAmFVQ4mpEEJeBE6IyDWbAQ9a0rgOKcsaWwJ7GdngGm9jpvReXX7S/2oqAIUFCn0M8=" "MHw9tR0kkDVZB7RCfCOpjfHrir7yuiCbt7FpyX8AAAABBQAAAAAAAAAA"
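An added example, not from the deck: heuristics an analyst could run over DNS query logs to surface names shaped like the record above (a TXT answer with TTL 0 under a long, digit-heavy, high-entropy subdomain). The log entries are constructed; the thresholds, and the assumption that the registered domain is the last two labels, are the author's choices, and the score is a hunting lead rather than a verdict.

```python
import math
from collections import Counter

# Constructed DNS log entries (query name, record type, TTL).  The first is the
# tunnel-style name from the slide; the others are ordinary lookups.
SAMPLE_QUERIES = [
    ("596-958849831234.id-10293839413421.up.sshdns.abc.tunnel.private.", "TXT", 0),
    ("www.cisco.com.", "A", 300),
    ("mail.example.org.", "MX", 3600),
    ("_dmarc.example.org.", "TXT", 3600),
]


def shannon_entropy(s):
    """Bits per character; random-looking encoded data scores high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def tunnel_indicators(name, rtype, ttl):
    labels = name.rstrip(".").split(".")
    # Assumption: the registered domain is the last two labels; everything to
    # its left is attacker-controlled in a tunnelling setup.
    subdomain = ".".join(labels[:-2])
    digits = sum(ch.isdigit() for ch in subdomain)
    return {
        "labels": len(labels),
        "longest_label": max(len(label) for label in labels),
        "subdomain_len": len(subdomain),
        "digit_ratio": digits / len(subdomain) if subdomain else 0.0,
        "entropy": shannon_entropy(subdomain) if subdomain else 0.0,
        # TTL 0 on a TXT answer defeats caching so every query reaches the
        # attacker's server: a strong tunnelling tell.
        "txt_ttl0": rtype == "TXT" and ttl == 0,
    }


def score(ind):
    """Number of independent indicators tripped (thresholds are assumptions)."""
    return sum([
        ind["labels"] >= 6,
        ind["longest_label"] >= 20,
        ind["subdomain_len"] >= 40,
        ind["digit_ratio"] >= 0.4,
        ind["entropy"] >= 3.5,
        ind["txt_ttl0"],
    ])


def find_tunnel_candidates(queries, threshold=3):
    return [name for name, rtype, ttl in queries
            if score(tunnel_indicators(name, rtype, ttl)) >= threshold]


if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(score(tunnel_indicators(*q)), q[0])
```

The slide's name trips five of the six indicators; the benign lookups trip none. Counting independent indicators rather than matching one regex keeps a single odd-looking CDN hostname from paging anyone, while a name that is simultaneously long, numeric, high-entropy and served with TTL 0 still stands out.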
Abnormal Traffic Indicators
• DMZ servers scanning the inside network
• SOC Analyst understanding of “well-known ports”
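An added example, not from the deck, of detection logic for both indicators on this slide, run over constructed flow summaries (source, destination, destination port, protocol, packet count). The DMZ and inside address ranges, the set of services the DMZ is allowed to reach, and the thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed address plan and policy: the DMZ may only reach the inside on 1433.
DMZ = ipaddress.ip_network("10.10.1.0/24")
INSIDE = ipaddress.ip_network("192.168.20.0/24")
ALLOWED_FROM_DMZ = {1433}

# Constructed flow summaries: src,dst,dport,proto,packets.  Not real traffic.
SAMPLE_FLOWS = """\
10.10.1.5,192.168.20.11,22,6,1
10.10.1.5,192.168.20.12,22,6,1
10.10.1.5,192.168.20.13,22,6,1
10.10.1.5,192.168.20.14,22,6,1
10.10.1.5,192.168.20.15,22,6,2
10.10.1.7,192.168.20.50,1433,6,120
10.10.1.7,192.168.20.50,445,6,3
10.10.1.9,8.8.8.8,53,17,2
"""


def parse_flows(text):
    rows = []
    for line in text.strip().splitlines():
        src, dst, dport, proto, pkts = line.split(",")
        rows.append((src, dst, int(dport), int(proto), int(pkts)))
    return rows


def dmz_to_inside(rows):
    """Only DMZ-sourced flows aimed at the inside network matter here."""
    return [r for r in rows
            if ipaddress.ip_address(r[0]) in DMZ
            and ipaddress.ip_address(r[1]) in INSIDE]


def find_scanners(rows, host_threshold=5, port_threshold=5):
    """A DMZ host touching many inside hosts, or many ports on one host, with
    one- or two-packet flows (unanswered SYNs) is probing, not serving."""
    hosts, ports = defaultdict(set), defaultdict(set)
    for src, dst, dport, _proto, pkts in dmz_to_inside(rows):
        if pkts <= 2:
            hosts[src].add(dst)
            ports[src].add(dport)
    return sorted(src for src in hosts
                  if len(hosts[src]) >= host_threshold
                  or len(ports[src]) >= port_threshold)


def unexpected_services(rows):
    """DMZ-to-inside flows on ports outside the allowed set: the well-known
    ports check from the slide, applied against the expected baseline."""
    return sorted({(src, dst, dport)
                   for src, dst, dport, _proto, _pkts in dmz_to_inside(rows)
                   if dport not in ALLOWED_FROM_DMZ})


if __name__ == "__main__":
    rows = parse_flows(SAMPLE_FLOWS)
    print("scanners:", find_scanners(rows))
    print("unexpected:", unexpected_services(rows))
```

The web-tier host 10.10.1.5 sweeping SSH across five inside hosts is reported as a scanner; the database host's legitimate 1433 session is ignored, while its three-packet SMB attempt shows up only in the unexpected-service list, which is the right severity for a single off-baseline connection.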
Log Data Search
• Using ELSA to search through large volumes of log data
• Critical to narrow the search down, because ELSA will only show you 100 records
Malware Site – Identify Malicious Payloads
Sguil Log Analysis
• Snort feeds TCP/IP session events to the Sguil database
• Real-time events
• Session data
• Raw packet captures
Further Investigation
• Sguil database events
• Output received from sensors so-eth3-1 and so-ossec
• Consolidation of messages on a single interface
Playbook
• The playbook is a prescriptive collection of repeatable plays (reports or methods) to elicit a specific response to a security event
SOC Playbook Example
What does this playbook example show?
• Repeatable process – Play ID
• Objective – defined outcome
• Self-contained scripts for searching (data query)
• Analysis – the bulk of the documentation
• Mitigation action
Workflow
Workflow Components in a SOC
Workflow Management Systems
• New solution
• Software that tags and identifies security events
• Tracks events
• Supports the playbook process
• Goal – improve SOC efficiency
• Vendors: Cyberesponse
Information flow between: Security Devices, SIEM, Security Workflow Management System, Ticketing System
Workflow Tool
How to Prepare for the Exams
Exam Preparation
• How to prepare for the exams (SECFND 210-250 / SECOPS 210-255)
• Exam Blueprint: http://www.cisco.com/c/en/us/training-events/training-certifications/exams/current-list/secfnd.html
• Resources
  • Books – Cisco Press
  • Publicly available resources
  • Cisco Learning Network – Study Group
  • Labs – “Build your own with Security Onion”
How to Prepare
• Where to start?
  • Blueprint
  • Create a study plan
• Study Group on Cisco Learning Network
  • CCNA Cyber Ops
  • Posted documents
  • https://learningnetwork.cisco.com/groups/cyber-security-study-group
• Example of resources
  • NIST documents
    • http://csrc.nist.gov/publications/PubsSPs.html
    • csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf
  • NetFlow overview
  • Wireshark usage
    • www.wireshark.org/docs/wsug_html_chunked
210-250 (SECFND) Cisco Cybersecurity Fundamentals—Topics and Weighting
12% 1.0 Network Concepts
17% 2.0 Security Concepts
12% 3.0 Cryptography
19% 4.0 Host-Based Analysis
19% 5.0 Security Monitoring
21% 6.0 Attack Methods
Example – Course Material SECFND
210-250 (SECFND) Cisco Security Fundamentals
1.0 Network Concepts
1.1 Describe the function of the network layers as specified by the OSI and the TCP/IP network models
1.2 Describe the operation of the following
1.2.a IP
1.2.b TCP
1.2.c UDP
1.2.d ICMP
1.3 Describe the operation of these network services
1.3.a ARP
1.3.b DNS
1.3.c DHCP
1.4 Describe the basic operation of these network device types
1.4.a Router
1.4.b Switch
1.4.c Hub
1.4.d Bridge
1.4.e Wireless access point (WAP)
1.4.f Wireless LAN controller (WLC)
1.5 Describe the functions of these network security systems as deployed on the host, network, or the cloud:
1.5.a Firewall
1.5.b Cisco Intrusion Prevention System (IPS)
1.5.c Cisco Advanced Malware Protection (AMP)
1.5.d Web Security Appliance (WSA) / Cisco Cloud Web Security (CWS)
1.5.e Email Security Appliance (ESA) / Cisco Cloud Email Security (CES)
1.6 Describe IP subnets and communication within an IP subnet and between IP subnets
1.7 Describe the relationship between VLANs and data visibility
1.8 Describe the operation of ACLs applied as packet filters on the interfaces of network devices
1.9 Compare and contrast deep packet inspection with packet filtering and stateful firewall operation
1.10 Compare and contrast inline traffic interrogation and taps or traffic mirroring
1.11 Compare and contrast the characteristics of data obtained from taps or traffic mirroring and NetFlow in the analysis of network traffic
1.12 Identify potential data loss from provided traffic profiles
2.0 Security Concepts
2.1 Describe the principles of the defense in depth strategy
2.2 Compare and contrast these concepts
2.2.a Risk
2.2.b Threat
2.2.c Vulnerability
2.2.d Exploit
2.3 Describe these terms
2.3.a Threat actor
2.3.b Run book automation (RBA)
2.3.c Chain of custody (evidentiary)
2.3.d Reverse engineering
2.3.e Sliding window anomaly detection
2.3.f PII
2.3.g PHI
210-250 (SECFND) Cisco Security Fundamentals – continued
2.0 Security Concepts – cont.
2.4 Describe these security terms
2.4.a Principle of least privilege
2.4.b Risk scoring/risk weighting
2.4.c Risk reduction
2.4.d Risk assessment
2.5 Compare and contrast these access control models
2.5.a Discretionary access control
2.5.b Mandatory access control
2.5.c Nondiscretionary access control
2.6 Compare and contrast these terms
2.6.a Network and host antivirus
2.6.b Agentless and agent-based protections
2.6.c SIEM and log collection
2.7 Describe these concepts
2.7.a Asset management
2.7.b Configuration management
2.7.c Mobile device management
2.7.d Patch management
2.7.e Vulnerability management
3.0 Cryptography
3.1 Describe the uses of a hash algorithm
3.2 Describe the uses of encryption algorithms
3.3 Compare and contrast symmetric and asymmetric encryption algorithms
3.4 Describe the processes of digital signature creation and verification
3.5 Describe the operation of a PKI
3.6 Describe the security impact of these commonly used hash algorithms
3.6.a MD5
3.6.b SHA-1
3.6.c SHA-256
3.6.d SHA-512
3.7 Describe the security impact of these commonly used encryption algorithms and secure communications protocols
3.7.a DES
3.7.b 3DES
3.7.c AES
3.7.d AES256-CTR
3.7.e RSA
3.7.f DSA
3.7.g SSH
3.7.h SSL/TLS
3.8 Describe how the success or failure of a cryptographic exchange impacts security investigation
3.9 Describe these items in regards to SSL/TLS
3.9.a Cipher-suite
3.9.b X.509 certificates
3.9.c Key exchange
3.9.d Protocol version
3.9.e PKCS
210-250 (SECFND) Cisco Security Fundamentals – continued
4.0 Host-Based Analysis
4.1 Define these terms as they pertain to Microsoft Windows
4.1.a Processes
4.1.b Threads
4.1.c Memory allocation
4.1.d Windows Registry
4.1.e WMI
4.1.f Handles
4.1.g Services
4.2 Define these terms as they pertain to Linux
4.2.a Processes
4.2.b Forks
4.2.c Permissions
4.2.d Symlinks
4.2.e Daemon
4.3 Describe the functionality of these endpoint technologies in regards to security monitoring
4.3.a Host-based intrusion detection
4.3.b Antimalware and antivirus
4.3.c Host-based firewall
4.3.d Application-level whitelisting/blacklisting
4.3.e Systems-based sandboxing (such as Chrome, Java, Adobe Reader)
4.4 Interpret these operating system log data to identify an event
4.4.a Windows security event logs
4.4.b Unix-based syslog
4.4.c Apache access logs
4.4.d IIS access logs
5.0 Security Monitoring
5.1 Identify the types of data provided by these technologies
5.1.a TCP dump
5.1.b NetFlow
5.1.c Next-gen firewall
5.1.d Traditional stateful firewall
5.1.e Application visibility and control
5.1.f Web content filtering
5.1.g Email content filtering
5.2 Describe these types of data used in security monitoring
5.2.a Full packet capture
5.2.b Session data
5.2.c Transaction data
5.2.d Statistical data
5.2.e Extracted content
5.2.f Alert data
5.3 Describe these concepts as they relate to security monitoring
5.3.a Access control list
5.3.b NAT/PAT
5.3.c Tunneling
5.3.d TOR
5.3.e Encryption
5.3.f P2P
5.3.g Encapsulation
5.3.h Load balancing
210-250 (SECFND) Cisco Security Fundamentals – continued
5.0 Security Monitoring – cont.
5.4 Describe these NextGen IPS event types
5.4.a Connection event
5.4.b Intrusion event
5.4.c Host or endpoint event
5.4.d Network discovery event
5.4.e NetFlow event
5.5 Describe the function of these protocols in the context of security monitoring
5.5.a DNS
5.5.b NTP
5.5.c SMTP/POP/IMAP
5.5.d HTTP/HTTPS
6.0 Attack Methods
6.1 Compare and contrast an attack surface and vulnerability
6.2 Describe these network attacks
6.2.a Denial of service
6.2.b Distributed denial of service
6.2.c Man-in-the-middle
6.3 Describe these web application attacks
6.3.a SQL injection
6.3.b Command injections
6.3.c Cross-site scripting
6.4 Describe these attacks
6.4.a Social engineering
6.4.b Phishing
6.4.c Evasion methods
6.5 Describe these endpoint-based attacks
6.5.a Buffer overflows
6.5.b Command and control (C2)
6.5.c Malware
6.5.d Rootkit
6.5.e Port scanning
6.5.f Host profiling
6.6 Describe these evasion methods
6.6.a Encryption and tunneling
6.6.b Resource exhaustion
6.6.c Traffic fragmentation
6.6.d Protocol-level misinterpretation
6.6.e Traffic substitution and insertion
6.6.f Pivot
6.7 Define privilege escalation
6.8 Compare and contrast remote exploit and a local exploit
210-255 (SECOPS) Cisco Cybersecurity Operations—Topics and Weighting
15% 1.0 Endpoint Threat Analysis & Computer Forensics
12% 2.0 Network Intrusion Analysis
18% 3.0 Incident Response
23% 4.0 Data and Event Analysis
22% 5.0 Incident Handling
Example – Course Material SECOPS
210-255 (SECOPS) Cisco Security Operations
1.0 Endpoint Threat Analysis & Computer Forensics
1.1 Interpret the output report of a malware analysis tool such as AMP Threat Grid and Cuckoo Sandbox
1.2 Describe these terms as they are defined in the CVSS 3.0:
1.2.a Attack vector
1.2.b Attack complexity
1.2.c Privileges required
1.2.d User interaction
1.2.e Scope
1.3 Describe these terms as they are defined in the CVSS 3.0
1.3.a Confidentiality
1.3.b Integrity
1.3.c Availability
1.4 Define these items as they pertain to the Microsoft Windows file system
1.4.a FAT32
1.4.b NTFS
1.4.c Alternative data streams
1.4.d MACE
1.4.e EFI
1.4.f Free space
1.4.g Timestamps on a file system
1.5 Define these terms as they pertain to the Linux file system
1.5.a EXT4
1.5.b Journaling
1.5.c MBR
1.5.d Swap file system
1.5.e MAC
1.6 Compare and contrast three types of evidence
1.6.a Best evidence
1.6.b Corroborative evidence
1.6.c Indirect evidence
1.7 Compare and contrast two types of image
1.7.a Altered disk image
1.7.b Unaltered disk image
1.8 Describe the role of attribution in an investigation
1.8.a Assets
1.8.b Threat actor
2.0 Network Intrusion Analysis
2.1 Interpret basic regular expressions
2.2 Describe the fields in these protocol headers as they relate to intrusion analysis:
2.2.a Ethernet frame
2.2.b IPv4
2.2.c IPv6
2.2.d TCP
2.2.e UDP
2.2.f ICMP
2.2.g HTTP
2.3 Identify the elements from a NetFlow v5 record from a security event
210-255 (SECOPS) Cisco Security Operations – continued
2.0 Network Intrusion Analysis – cont.
2.6 Interpret common artifact elements from an event to identify an alert
2.6.a IP address (source / destination)
2.6.b Client and server port identity
2.6.c Process (file or registry)
2.6.d System (API calls)
2.6.e Hashes
2.6.f URI / URL
2.7 Map the provided events to these source technologies
2.7.a NetFlow
2.7.b IDS / IPS
2.7.c Firewall
2.7.d Network application control
2.7.e Proxy logs
2.7.f Antivirus
2.8 Compare and contrast impact and no impact for these items
2.8.a False positive
2.8.b False negative
2.8.c True positive
2.8.d True negative
2.9 Interpret a provided intrusion event and host profile to calculate the impact flag generated by Firepower Management Center (FMC)
3.0 Incident Response
3.1 Describe the elements that should be included in an incident response plan as stated in NIST SP800-61 r2
3.2 Map elements to these steps of analysis based on NIST SP800-61 r2
3.2.a Preparation
3.2.b Detection and analysis
3.2.c Containment, eradication, and recovery
3.2.d Post-incident analysis (lessons learned)
3.3 Map the organization stakeholders against the NIST IR categories (C2M2 page 2, NIST SP800-61 r2 p.21–p.41)
3.3.a Preparation
3.3.b Detection and analysis
3.3.c Containment, eradication, and recovery
3.3.d Post-incident analysis (lessons learned)
3.4 Describe the goals of the given CSIRT (https://www.cert.org/incident-management/csirt-development/csirt-faq.cfm)
3.4.a Internal CSIRT
3.4.b National CSIRT
3.4.c Coordination centers
3.4.d Analysis centers
3.4.e Vendor teams
3.4.f Incident response providers (MSSP)
3.5 Identify these elements used for network profiling
3.5.a Total throughput
3.5.b Session duration
3.5.c Ports used
3.5.d Critical asset address space
3.6 Identify these elements used for server profiling
3.6.a Listening ports
3.6.b Logged in users/service accounts
3.6.c Running processes
3.6.d Running tasks
3.6.e Applications
210-255 (SECOPS) Cisco Security Operations – continued
3.0 Incident Response – cont.
3.7 Map data types to these compliance frameworks
3.7.a PCI
3.7.b HIPAA (Health Insurance Portability and Accountability Act)
3.7.c SOX
3.8 Identify data elements that must be protected with regards to a specific standard (PCI-DSS)
4.0 Data and Event Analysis
4.1 Describe the process of data normalization
4.2 Interpret common data values into a universal format
4.3 Describe 5-tuple correlation
4.4 Describe the 5-tuple approach to isolate a compromised host in a grouped set of logs
4.5 Describe the retrospective analysis method to find a malicious file, provided file analysis report
4.6 Identify potentially compromised hosts within the network based on a threat analysis report containing malicious IP address or domains
4.7 Map DNS logs and HTTP logs together to find a threat actor
4.8 Map DNS, HTTP, and threat intelligence data together
4.9 Identify a correlation rule to distinguish the most significant alert from a given set of events from multiple data sources using the Firepower Management Console
4.10 Compare and contrast deterministic and probabilistic analysis
5.0 Incident Handling
5.1 Classify intrusion events into these categories as defined in the Cyber Kill Chain model
5.1.a Reconnaissance
5.1.b Weaponization
5.1.c Delivery
5.1.d Exploitation
5.1.e Installation
5.1.f Command and control
5.1.g Action on objectives
5.2 Apply the NIST SP800-61 r2 incident handling process to an event
5.3 Define these activities as they relate to incident handling
5.3.a Identification
5.3.b Scoping
5.3.c Containment
5.3.d Remediation
5.3.e Lesson-based hardening
5.3.f Reporting
5.4 Describe these concepts as they are documented in NIST SP800-86
5.4.a Evidence collection order
5.4.b Data integrity
5.4.c Data preservation
5.4.d Volatile data collection
5.5 Apply the VERIS schema categories to a given incident
Recommended Books
• CCNA Cyber Ops SECFND #210-250 Official Cert Guide, by Omar Santos, Joseph Muniz, and Stefano De Crescenzo. ISBN: 9781587147029
• CCNA Cyber Ops SECOPS #210-255 Official Cert Guide, by Omar Santos and Joseph Muniz. ISBN: 9781587147036
• Security Operations Center, by Joseph Muniz, Gary McIntyre, and Nadhem AlFardan. ISBN-13: 978-0-13-405201-4
• Crafting the InfoSec Playbook, by Jeff Bollinger, Brandon Enright, and Matthew Valites. ISBN: 978-1491949405
More Resources…
Books
• Cisco Press – Network Security with NetFlow and IPFIX
• Cisco Press – Computer Incident and Product Vulnerability Handling
• The Tao of Network Security Monitoring, by Richard Bejtlich (SECOPS)
• Incident Response with NetFlow for Dummies: http://www.lancope.com/blog/incident-response-for-dummies/
• Real Digital Forensics: Computer Security and Incident Response
• Security Monitoring, by Chris Fry and Martin Nystrom
Cyber Range Service Delivery Platform
• A platform for service delivery and learning
• Deeper understanding of leading security methodologies, operations, and procedures
• Empower customers with the architecture and capability to combat modern cyber threats
• Over 50 attack cases for 9 technology solutions
• 100+ applications simultaneously, merged with 200–500 different malware types
• Virtual environment accessible from any place in the world
PEOPLE – PROCESS – DATA – THINGS
Q&A
Complete Your Online Session Evaluation
• Give us your feedback and receive a Cisco Live 2017 cap by completing the overall event evaluation and 5 session evaluations.
• All evaluations can be completed via the Cisco Live Mobile App.
• Caps can be collected Friday 10 March at Registration.
Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations: www.CiscoLiveAPAC.com
Thank you