Cisco CyberOps

Course Description 

The Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) training provides an understanding of the network infrastructure devices, operations, and vulnerabilities of the TCP/IP protocol suite, and basic information security concepts, common network application operations and attacks, the Windows and Linux operating systems, and the types of data that are used to investigate security incidents. After completing this training, you will have the basic knowledge that is required to perform the job role of an associate-level cybersecurity analyst in a threat-centric security operations center (SOC).

This training prepares you for the 200-201 CBROPS v1.2 exam. If passed, you earn the Cisco Certified Cybersecurity Associate certification and the role of a junior or entry-level cybersecurity operations analyst in a SOC. This training also earns you 30 Continuing Education (CE) credits toward recertification.

How You'll Benefit

This training will help you:
Learn the fundamental skills, techniques, technologies, and the hands-on practice necessary to prevent and defend against cyberattacks as part of a SOC team
Prepare for the 200-201 CBROPS v1.2 exam
Earn 30 CE credits toward recertification

Who Should Enroll

This training is designed for associate-level cybersecurity analysts who are working in security operation centers.

What to Expect in the Exam

Understanding Cisco Cybersecurity Operations Fundamentals (200-201 CBROPS) v1.2 is a 120-minute exam associated with the Cisco Certified Cybersecurity Associate certification.
This exam tests your knowledge and skills related to:
Security concepts
Security monitoring
Host-based analysis
Network intrusion analysis
Security policies and procedures

Course Objectives

Explain how a Security Operations Center (SOC) operates and describe the different types of services that are performed from a Tier 1 SOC analyst’s perspective.
Explain Network Security Monitoring (NSM) tools that are available to the network security analyst.
Explain the data that is available to the network security analyst.
Describe the basic concepts and uses of cryptography.
Describe security flaws in the TCP/IP protocol and how they can be used to attack networks and hosts.
Understand common endpoint security technologies.
Understand the kill chain and the diamond models for incident investigations, and the use of exploit kits by threat actors.
Identify resources for hunting cyber threats.
Explain the need for event data normalization and event correlation.
Identify the common attack vectors.
Identify malicious activities.
Identify patterns of suspicious behaviors.
Conduct security incident investigations.
Explain the use of a typical playbook in the SOC.
Explain the use of SOC metrics to measure the effectiveness of the SOC.
Explain the use of a workflow management system and automation to improve the effectiveness of the SOC.
Describe a typical incident response plan and the functions of a typical Computer Security Incident Response Team (CSIRT).
Explain the use of Vocabulary for Event Recording and Incident Sharing (VERIS) to document security incidents in a standard format.

Course Prerequisites

Before taking this course, you should have the following knowledge and skills:
Familiarity with Ethernet and TCP/IP networking
Working knowledge of the Windows and Linux operating systems
Familiarity with basics of networking security concepts

Course Outline

Defining the Security Operations Center
Understanding SOC Metrics
Understanding SOC Workflow and Automation
Understanding Windows Operating System Basics
Understanding Linux Operating System Basics
Understanding Endpoint Security Technologies
Understanding Network Infrastructure and Network Security Monitoring Tools
Understanding Common TCP/IP Attacks
Exploring Data Type Categories
Understanding Basic Cryptography Concepts
Cloud Security Fundamentals
Securing Cloud Deployments
Understanding Incident Analysis in a Threat-Centric SOC
Identifying Common Attack Vectors
Identifying Malicious Activity
Identifying Patterns of Suspicious Behavior
Identifying Resources for Hunting Cyber Threats
Understanding Event Correlation and Normalization
Conducting Security Incident Investigations
Using a Playbook Model to Organize Security Monitoring

Lab Outline

Explore the Windows Operating System
Explore the Linux Operating System
Explore Endpoint Security
Explore TCP/IP Attacks
Use NSM Tools to Analyze Data Categories
Explore Cryptographic Technologies
Investigate Hacker Methodology
Investigate Browser-Based Attacks
Analyze Suspicious DNS Activity
Explore Security Data for Analysis
Investigate Suspicious Activity Using Security Onion
Hunt Malicious Traffic
Cisco XDR to Splunk Enterprise Integration Simulation
Correlate Event Logs, PCAPs, and Alerts of an Attack
Investigate Advanced Persistent Threats
Explore SOC Playbooks

Course Description 

The Conducting Threat Hunting and Defending using Cisco Technologies for CyberOps (CBRTHD) training is a 5-day Cisco threat hunting training that introduces and guides you to a proactive security search through networks, endpoints, and datasets to hunt for malicious, suspicious, and risky activities that may have evaded detection by existing tools. In this training, you will learn the core concepts, methods, and processes used in threat hunting investigations. This training provides an environment for attack simulation and threat hunting skill development using a wide array of security products and platforms from Cisco and third-party vendors.

This training prepares you for the 300-220 CBRTHD v1.0 exam. If passed, you earn the Cisco Certified Specialist – Threat Hunting and Defending certification and satisfy the concentration exam requirement for the Cisco Certified CyberOps Professional certification. This training also earns you 40 credits towards recertification.

How You'll Benefit

This training will help you:
Learn how to perform a proactive security search through networks, endpoints, and datasets to hunt for malicious, suspicious, and risky activities that may have evaded detection by existing tools
Gain leading-edge career skills focused on cybersecurity
Prepare for the 300-220 CBRTHD v1.0 exam
Earn 40 CE credits toward recertification

Who Should Enroll

Security Operations Center staff
Security Operations Center (SOC) Tier 2 Analysts
Threat Hunters
Cyber Threat Analysts
Threat Managers
Risk Managements

What to Expect in the Exam

Conducting Threat Hunting and Defending using Cisco Technologies for CyberOps (300-220 CBRTHD v1.0) is a 90-minute exam associated with the Cisco Certified Specialist – Threat Hunting and Defending certification and satisfies the concentration exam requirement for the Cisco Certified CyberOps Professional certification.

The exam tests your knowledge of conducting threat hunting and defending, including:
Threat modeling techniques
Threat actor attribution techniques
Threat hunting techniques, processes, and outcomes

Course Objectives

Define threat hunting and identify core concepts used to conduct threat hunting investigations
Examine threat hunting investigation concepts, frameworks, and threat models
Define cyber threat hunting process fundamentals
Define threat hunting methodologies and procedures
Describe network-based threat hunting
Identify and review endpoint-based threat hunting
Identify and review endpoint memory-based threats and develop endpoint-based threat detection
Define threat hunting methods, processes, and Cisco tools that can be utilized for threat hunting
Describe the process of threat hunting from a practical perspective
Describe the process of threat hunt reporting

Course Prerequisites

There are no prerequisites for this training. However, the knowledge and skills you are recommended to have before attending this training are:
General knowledge of networks and network security

These skills can be found in the following Cisco Learning Offerings:
Implementing and Administering Cisco Solutions (CCNA)
Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS)
Performing CyberOps Using Cisco Security Technologies (CBRCOR)

Course Outline

Threat Hunting Theory
Threat Hunting Concepts, Frameworks, and Threat Models
Threat Hunting Process Fundamentals
Threat Hunting Methodologies and Procedures
Network-Based Threat Hunting
Endpoint-Based Threat Hunting
Endpoint-Based Threat Detection Development
Threat Hunting with Cisco Tools
Threat Hunting Investigation Summary: A Practical Approach
Reporting the Aftermath of a Threat Hunt Investigation

Lab Outline

Categorize Threats with MITRE ATTACK Tactics and Techniques
Compare Techniques Used by Different APTs with MITRE ATTACK Navigator
Model Threats Using MITRE ATTACK and D3FEND
Prioritize Threat Hunting Using the MITRE ATTACK Framework and Cyber Kill Chain
Determine the Priority Level of Attacks Using MITRE CAPEC
Explore the TaHiTI Methodology
Perform Threat Analysis Searches Using OSINT
Attribute Threats to Adversary Groups and Software with MITRE ATTACK
Emulate Adversaries with MITRE Caldera
Find Evidence of Compromise Using Native Windows Tools
Hunt for Suspicious Activities Using Open-Source Tools and SIEM
Capturing of Network Traffic
Extraction of IOC from Network Packets
Usage of ELK Stack for Hunting Large Volumes of Network Data
Analyzing Windows Event Logs and Mapping Them with MITRE Matrix
Endpoint Data Acquisition
Inspect Endpoints with PowerShell
Perform Memory Forensics with Velociraptor
Detect Malicious Processes on Endpoints
Identify Suspicious Files Using Threat Analysis
Conduct Threat Hunting Using Cisco Secure Firewall, Cisco Secure Network Analytics, and Splunk
Conduct Threat Hunt Using Cisco XDR Control Center and Investigate
Initiate, Conduct, and Conclude a Threat Hunt

Course Description 

The Performing CyberOps Using Cisco Security Technologies (CBRCOR) v1.0 course guides you through cybersecurity operations fundamentals, methods, and automation. The knowledge you gain in this course will prepare you for the role of Information Security Analyst on a Security Operations Center (SOC) team. You will learn foundational concepts and their application in real-world scenarios, and how to leverage playbooks in formulating an Incident Response (IR). The course teaches you how to use automation for security using cloud platforms and a SecDevOps methodology. You will learn the techniques for detecting cyberattacks, analyzing threats, and making appropriate recommendations to improve cybersecurity.

This course also earns you 40 Continuing Education (CE) credits towards recertification and prepares you for the 350-201 CBRCOR core exam.

How You'll Benefit

This course will help you:
Gain an advanced understanding of the tasks involved for senior-level roles in a security operations center
Configure common tools and platforms used by security operation teams via practical application
Prepare you to respond like a hacker in real-life attack scenarios and submit recommendations to senior management
Prepare for the 350-201 CBRCOR core exam
Earn 40 CE credits toward recertification

Who Should Enroll

Although there are no mandatory prerequisites, the course is particularly suited for the following audiences:
Cybersecurity engineer
Cybersecurity investigator
Incident manager
Incident responder
Network engineer
SOC analysts currently functioning at entry level with a minimum of 1 year of experience

What to Expect in the Exam

350-201 Performing CyberOps Using Cisco Security Technologies (CBRCOR) is a 120-minute exam associated with the Cisco Certified CyberOps Professional certification. The multiple-choice format tests knowledge of core cybersecurity operations including cybersecurity fundamentals, techniques, policies, processes, and automation. The exam will test for knowledge in the following areas:
Monitoring for cyberattacks
Analyzing high volume of data using automation tools and platforms—both open source and commercial
Accurately identifying the nature of attack and formulate a mitigation plan
Scenario-based questions; for example, using a screenshot of output from a tool, you may be asked to interpret portions of output and establish conclusions

Course Objectives

After taking this course, you should be able to:
Describe the types of service coverage within a SOC and operational responsibilities associated with each.
Compare security operations considerations of cloud platforms.
Describe the general methodologies of SOC platforms development, management, and automation.
Explain asset segmentation, segregation, network segmentation, micro-segmentation, and approaches to each, as part of asset controls and protections.
Describe Zero Trust and associated approaches, as part of asset controls and protections.
Perform incident investigations using Security Information and Event Management (SIEM) and/or security orchestration and automation (SOAR) in the SOC.
Use different types of core security technology platforms for security monitoring, investigation, and response.
Describe the DevOps and SecDevOps processes.
Explain the common data formats, for example, JavaScript Object Notation (JSON), HTML, XML, Comma-Separated Values (CSV).
Describe API authentication mechanisms.
Analyze the approach and strategies of threat detection, during monitoring, investigation, and response.
Determine known Indicators of Compromise (IOCs) and Indicators of Attack (IOAs).
Interpret the sequence of events during an attack based on analysis of traffic patterns.
Describe the different security tools and their limitations for network analysis (for example, packet capture tools, traffic analysis tools, network log analysis tools).
Analyze anomalous user and entity behavior (UEBA).
Perform proactive threat hunting following best practices.

Course Prerequisites

Although there are no mandatory prerequisites, to fully benefit from this course, you should have the following knowledge:
Familiarity with UNIX/Linux shells (bash, csh) and shell commands
Familiarity with the Splunk search and navigation functions
Basic understanding of scripting using one or more of Python, JavaScript, PHP or similar.

Recommended Cisco offerings that may help you prepare for this course:
Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS)
Implementing and Administering Cisco Solutions (CCNA)

Recommended third-party resources:
Splunk Fundamentals 1
Blue Team Handbook: Incident Response Edition by Don Murdoch
Threat Modeling- Designing for Security y Adam Shostack
Red Team Field Manual by Ben Clark
Blue Team Field Manual by Alan J White
Purple Team Field Manual by Tim Bryant
Applied Network Security and Monitoring by Chris Sanders and Jason Smith

Course Outline

Understanding Risk Management and SOC Operations
Understanding Analytical Processes and Playbooks
Investigating Packet Captures, Logs, and Traffic Analysis
Investigating Endpoint and Appliance Logs
Understanding Cloud Service Model Security Responsibilities
Understanding Enterprise Environment Assets
Implementing Threat Tuning
Threat Research and Threat Intelligence Practices
Understanding APIs
Understanding SOC Development and Deployment Models
Performing Security Analytics and Reports in a SOC
Malware Forensics Basics
Threat Hunting Basics
Performing Incident Investigation and Response

Lab Outline

Explore Cisco SecureX Orchestration
Explore Splunk Phantom Playbooks
Examine Cisco Firepower Packet Captures and PCAP Analysis
Validate an Attack and Determine the Incident Response
Submit a Malicious File to Cisco Threat Grid for Analysis
Endpoint-Based Attack Scenario Referencing MITRE ATTACK
Evaluate Assets in a Typical Enterprise Environment
Explore Cisco Firepower NGFW Access Control Policy and Snort Rules
Investigate IOCs from Cisco Talos Blog Using Cisco SecureX
Explore the ThreatConnect Threat Intelligence Platform
Track the TTPs of a Successful Attack Using a TIP
Query Cisco Umbrella Using Postman API Client
Fix a Python API Script
Create Bash Basic Scripts
Reverse Engineer Malware
Perform Threat Hunting
Conduct an Incident Response