Overview

The Cisco CyberOps Associate course gives students the skills and knowledge to set up network infrastructure devices and to understand the operations and vulnerabilities of the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite. Students who have attended the CyberOps Associate online training course will gain competency with security concepts, common network application operations and attacks, the Windows and Linux operating systems, and the types of data used to investigate security incidents.

Exam Number: 200-201 – CBROPS

COURSE INSTRUCTOR: Shane Sexton, Cisco, CompTIA, Cybersecurity, Citrix
COURSE DIFFICULTY: Beginner
COURSE DURATION: 8h

After completing this online training course, students will be able to:

  • Describe the CIA triad
  • Describe NIST and ISO
  • Describe common security terms and concepts, like assets, threats, exploits, malware analysis, and more
  • Describe DoD Two Door policy
  • Describe CVSS
  • Describe data types in security monitoring
  • Describe network attacks, social engineering attacks, and endpoint-based attacks
  • Utilize different evidence types in logs
  • Analyze malware
  • Utilize network intrusion analysis
  • Identify intrusion using a PCAP file
  • Identify alerts from events
  • Implement security policies and procedures

This course is designed for an associate-level cybersecurity analyst working in a security operations center.

Prerequisites:

  • Familiarity with Ethernet and TCP/IP networking
  • Working knowledge of the Windows and Linux operating systems
  • Familiarity with basic network security concepts

Course outline:

  1. Introduction to CyberOps Associate
  • Instructor
  • Prerequisites
  • CyberOps vs Information Security
  • Course Overview
  2. Introduction to Security Concepts
  • Understanding the CIA triad
    • Confidentiality
    • Integrity
    • Availability
    • Trading availability for security
  • Standards
    • National Institute of Standards and Technology (NIST)
    • International Organization for Standardization (ISO)
  • Common security terms and concepts
    • Assets
    • Threat
    • Vulnerability
      • Common Vulnerabilities and Exposures (CVE)
        • US-CERT
        • MITRE
    • Exploit
    • Threat intelligence (TI)
    • Threat hunting
    • Malware analysis
    • Threat actor
    • Run book automation (RBA)
    • Reverse engineering
    • Sliding window anomaly detection
    • Principle of least privilege
    • Zero trust
    • Threat intelligence platform (TIP)
    • Risk
  • Security deployments
    • Network, endpoint, and application security systems
    • Agentless and agent-based protections
    • Legacy antivirus and antimalware
    • SIEM, SOAR, and log management
  • Defense-in-depth
    • DoD Two Door policy
    • Layered defense principles
  • Access control models
    • Discretionary access control
    • Mandatory access control
    • Nondiscretionary access control
    • Authentication, authorization, accounting
    • Rule-based access control
    • Time-based access control
    • Role-based access control
  • Common Vulnerability Scoring System (CVSS)
    • Introduction to CVSS scoring
    • Attack vector
    • Attack complexity
    • Privileges required
    • User interaction
    • Scope
  • 5-tuple approach
    • Isolate a compromised host
  • Rule-based vs. behavioral and statistical detection
  3. Security Monitoring
  • Attack surface and vulnerability management
  • Security effect on data visibility
    • Access control list
    • NAT/PAT
    • Tunneling
    • Tor
    • Encryption
    • P2P
    • Encapsulation
    • Load balancing
  • Data types in security monitoring
    • Full packet capture
    • Session data
    • Transaction data
    • Statistical data
    • Metadata
    • Alert data
  • Network attacks
    • Protocol-based
    • Denial of service
    • Distributed denial of service
    • Man-in-the-middle
  • Web application attacks
    • SQL injection
    • Command injection
    • Cross-site scripting
  • Social engineering attacks
  • Endpoint-based attacks
    • Buffer overflows
    • Command and control (C2)
    • Malware and ransomware
  • Certificates
    • PKI
    • Public/private crossing the network
    • Asymmetric/symmetric
  • Certificate components
    • Cipher suite
    • X.509 certificates
    • Key exchange
    • Protocol version
    • PKCS
  4. Host-Based Security
  • Endpoint technologies
    • Host-based intrusion detection
    • Antimalware and antivirus
    • Host-based firewall
    • Application-level allow listing/block listing
    • Systems-based sandboxing (such as Chrome, Java, Adobe Reader)
  • Operating system components
    • TPM
    • Attack vectors
  • Cyber Attribution
    • Assets
    • Threat actor
    • Indicators of compromise
    • Indicators of attack
    • Chain of custody
  • Evidence types in logs
    • Best evidence
    • Corroborative evidence
    • Indirect evidence
  • Disk image inspection
    • Tampered vs. untampered
  • Log interpretation
    • Identify events
  • Malware analysis
    • Tools
    • Hashes
    • URLs
    • Systems, events, and networking
  5. Network Intrusion Analysis
  • Intrusion event identification
    • IDS/IPS
    • Firewall
    • Network application control
    • Proxy logs
    • Antivirus
    • Transaction data (NetFlow)
  • Cybersecurity impact
    • False positive
    • False negative
    • True positive
    • True negative
    • Benign
  • Packet filtering and inspection
    • Packet filtering
    • Stateful firewall
    • Deep packet inspection
  • Inline traffic interrogation vs taps
  • Network taps vs transactional data (NetFlow)
  • Extracting files from a TCP stream
    • PCAP file
    • Wireshark
  • Identifying intrusion using a PCAP file
    • Source address
    • Destination address
    • Source port
    • Destination port
    • Protocols
    • Payloads
  • Analyzing protocol headers
    • Ethernet frame
    • IPv4
    • IPv6
    • TCP
    • UDP
    • ICMP
    • DNS
    • SMTP/POP3/IMAP
    • HTTP/HTTPS/HTTP2
    • ARP
  • Identifying alerts from events
    • IP address (source / destination)
    • Client and server port identity
    • Process (file or registry)
    • System (API calls)
    • Hashes
    • URI / URL
  • Interpret basic regular expressions
  6. Security Policies and Procedures
  • Management concepts
    • Asset management
    • Configuration management
    • Mobile device management
    • Patch management
    • Vulnerability management
  • SP800-61 response plan
  • Incident handling process
    • SP800-61
  • SP800-61 analysis steps
    • Preparation
    • Detection and analysis
    • Containment, eradication, and recovery
    • Post-incident analysis
  • SP800-86 concepts
    • Evidence collection order
    • Data integrity
    • Data preservation
    • Volatile data collection
  • Network profiling elements
    • Total throughput
    • Session duration
    • Ports used
    • Critical asset address space
  • Server profiling elements
    • Listening ports
    • Logged-in users/service accounts
    • Running processes
    • Running tasks
    • Applications
  • Protected data in a network
    • PII
    • PSI
    • PHI
    • Intellectual property
  • Intrusion event classification
    • Cyber Kill Chain Model
    • Diamond Model of Intrusion
  • SOC metrics & scope analysis
    • Time to detect
    • Time to contain
    • Time to respond
    • Time to control