Cisco CyberOps - Human Growth Kazakhstan

Cisco CyberOps

Track

  • CBROPS — Understanding Cisco Cybersecurity Operations Fundamentals
    • Duration: 5 days (40 hours)
    • Course code: CBROPS
    • Price
      • In-person format: 1 022 500 ₸
      • Online format: 938 000 ₸

    Course Description

    Course Objectives

    After taking this course, you should be able to:
    Explain how a Security Operations Center (SOC) operates and describe the different types of services that are performed from a Tier 1 SOC analyst’s perspective.
    Explain Network Security Monitoring (NSM) tools that are available to the network security analyst.
    Explain the data that is available to the network security analyst.
    Describe the basic concepts and uses of cryptography.
    Describe security flaws in the TCP/IP protocol and how they can be used to attack networks and hosts.
    Understand common endpoint security technologies.
    Understand the kill chain and the diamond models for incident investigations, and the use of exploit kits by threat actors.
    Identify resources for hunting cyber threats.
    Explain the need for event data normalization and event correlation.
    Identify the common attack vectors.
    Identify malicious activities.
    Identify patterns of suspicious behaviors.
    Conduct security incident investigations.
    Explain the use of a typical playbook in the SOC.
    Explain the use of SOC metrics to measure the effectiveness of the SOC.
    Explain the use of a workflow management system and automation to improve the effectiveness of the SOC.
    Describe a typical incident response plan and the functions of a typical Computer Security Incident Response Team (CSIRT).
    Explain the use of Vocabulary for Event Recording and Incident Sharing (VERIS) to document security incidents in a standard format.

    Course Prerequisites

    Before taking this course, you should have the following knowledge and skills:
    Familiarity with Ethernet and TCP/IP networking
    Working knowledge of the Windows and Linux operating systems
    Familiarity with basics of networking security concepts
    The following Cisco course can help you gain the knowledge you need to prepare for this course:

    Implementing and Administering Cisco Solutions (CCNA®)

    Course Outline

    Defining the Security Operations Center
    Understanding Network Infrastructure and Network Security Monitoring Tools
    Exploring Data Type Categories
    Understanding Basic Cryptography Concepts
    Understanding Common TCP/IP Attacks
    Understanding Endpoint Security Technologies
    Understanding Incident Analysis in a Threat-Centric SOC
    Identifying Resources for Hunting Cyber Threats
    Understanding Event Correlation and Normalization
    Identifying Common Attack Vectors
    Identifying Malicious Activity
    Identifying Patterns of Suspicious Behavior
    Conducting Security Incident Investigations
    Using a Playbook Model to Organize Security Monitoring
    Understanding SOC Metrics
    Understanding SOC Workflow and Automation
    Describing Incident Response
    Understanding the Use of VERIS
    Understanding Windows Operating System Basics
    Understanding Linux Operating System Basics

    Lab Outline

    Use NSM Tools to Analyze Data Categories
    Explore Cryptographic Technologies
    Explore TCP/IP Attacks
    Explore Endpoint Security
    Investigate Hacker Methodology
    Hunt Malicious Traffic
    Correlate Event Logs, Packet Captures (PCAPs), and Alerts of an Attack
    Investigate Browser-Based Attacks
    Analyze Suspicious Domain Name System (DNS) Activity
    Explore Security Data for Analysis
    Investigate Suspicious Activity Using Security Onion
    Investigate Advanced Persistent Threats
    Explore SOC Playbooks
    Explore the Windows Operating System
    Explore the Linux Operating System

  • CBRTHD — Conducting Threat Hunting and Defending using Cisco Technologies for CyberOps
    • Duration: 5 days (40 hours)
    • Course code: CBRTHD
    • Price
      • In-person format: 1 022 500 ₸
      • Online format: 938 000 ₸

    Course Description

    Course Objectives

    Define threat hunting and identify core concepts used to conduct threat hunting investigations
    Examine threat hunting investigation concepts, frameworks, and threat models
    Define cyber threat hunting process fundamentals
    Define threat hunting methodologies and procedures
    Describe network-based threat hunting
    Identify and review endpoint-based threat hunting
    Identify and review endpoint memory-based threats and develop endpoint-based threat detection
    Define threat hunting methods, processes, and Cisco tools that can be utilized for threat hunting
    Describe the process of threat hunting from a practical perspective
    Describe the process of threat hunt reporting

    Course Prerequisites

    There are no prerequisites for this training. However, the knowledge and skills you are recommended to have before attending this training are:
    General knowledge of networks and network security
    These skills can be found in the following Cisco Learning Offerings:
    Implementing and Administering Cisco Solutions (CCNA)
    Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS)
    Performing CyberOps Using Cisco Security Technologies (CBRCOR)

    Course Outline

    Threat Hunting Theory
    Threat Hunting Concepts, Frameworks, and Threat Models
    Threat Hunting Process Fundamentals
    Threat Hunting Methodologies and Procedures
    Network-Based Threat Hunting
    Endpoint-Based Threat Hunting
    Endpoint-Based Threat Detection Development
    Threat Hunting with Cisco Tools
    Threat Hunting Investigation Summary: A Practical Approach
    Reporting the Aftermath of a Threat Hunt Investigation

    Lab Outline

    Categorize Threats with MITRE ATT&CK Tactics and Techniques
    Compare Techniques Used by Different APTs with MITRE ATT&CK Navigator
    Model Threats Using MITRE ATT&CK and D3FEND
    Prioritize Threat Hunting Using the MITRE ATT&CK Framework and Cyber Kill Chain
    Determine the Priority Level of Attacks Using MITRE CAPEC
    Explore the TaHiTI Methodology
    Perform Threat Analysis Searches Using OSINT
    Attribute Threats to Adversary Groups and Software with MITRE ATT&CK
    Emulate Adversaries with MITRE Caldera
    Find Evidence of Compromise Using Native Windows Tools
    Hunt for Suspicious Activities Using Open-Source Tools and SIEM
    Capturing of Network Traffic
    Extraction of IOC from Network Packets
    Usage of ELK Stack for Hunting Large Volumes of Network Data
    Analyzing Windows Event Logs and Mapping Them with MITRE Matrix
    Endpoint Data Acquisition
    Inspect Endpoints with PowerShell
    Perform Memory Forensics with Velociraptor
    Detect Malicious Processes on Endpoints
    Identify Suspicious Files Using Threat Analysis
    Conduct Threat Hunting Using Cisco Secure Firewall, Cisco Secure Network Analytics, and Splunk
    Conduct Threat Hunt Using Cisco XDR Control Center and Investigate
    Initiate, Conduct, and Conclude a Threat Hunt

  • CBRCOR — Performing CyberOps Using Cisco Security Technologies
    • Duration: 5 days (40 hours)
    • Course code: CBRCOR
    • Price
      • In-person format: 1 022 500 ₸
      • Online format: 938 000 ₸

    Course Description

    Course Objectives

    After taking this course, you should be able to:
    Describe the types of service coverage within a SOC and operational responsibilities associated with each.
    Compare security operations considerations of cloud platforms.
    Describe the general methodologies of SOC platforms development, management, and automation.
    Explain asset segmentation, segregation, network segmentation, micro-segmentation, and approaches to each, as part of asset controls and protections.
    Describe Zero Trust and associated approaches, as part of asset controls and protections.
    Perform incident investigations using Security Information and Event Management (SIEM) and/or security orchestration and automation (SOAR) in the SOC.
    Use different types of core security technology platforms for security monitoring, investigation, and response.
    Describe the DevOps and SecDevOps processes.
    Explain the common data formats, for example, JavaScript Object Notation (JSON), HTML, XML, Comma-Separated Values (CSV).
    Describe API authentication mechanisms.
    Analyze the approach and strategies of threat detection, during monitoring, investigation, and response.
    Determine known Indicators of Compromise (IOCs) and Indicators of Attack (IOAs).
    Interpret the sequence of events during an attack based on analysis of traffic patterns.
    Describe the different security tools and their limitations for network analysis (for example, packet capture tools, traffic analysis tools, network log analysis tools).
    Analyze anomalous user and entity behavior (UEBA).
    Perform proactive threat hunting following best practices.

    Course Prerequisites

    Although there are no mandatory prerequisites, to fully benefit from this course, you should have the following knowledge:
    Familiarity with UNIX/Linux shells (bash, csh) and shell commands
    Familiarity with the Splunk search and navigation functions
    Basic understanding of scripting using one or more of Python, JavaScript, PHP or similar.

    Recommended Cisco offerings that may help you prepare for this course:
    Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS)
    Implementing and Administering Cisco Solutions (CCNA)

    Recommended third-party resources:
    Splunk Fundamentals 1
    Blue Team Handbook: Incident Response Edition by Don Murdoch
    Threat Modeling: Designing for Security by Adam Shostack
    Red Team Field Manual by Ben Clark
    Blue Team Field Manual by Alan J White
    Purple Team Field Manual by Tim Bryant
    Applied Network Security and Monitoring by Chris Sanders and Jason Smith

    Course Outline

    Enterprise Network Assurance Overview
    Introduction to Cisco Catalyst Center Assurance
    Introduction to Cisco AppDynamics
    Introduction to Cisco Catalyst SD-WAN Assurance
    Introduction to Cisco ThousandEyes
    Enterprise Agents Deployment
    BGP, Network, DNS, and Voice Tests Configuration
    Web Tests Configuration
    Endpoint Agent
    System Administration
    Network Troubleshooting with Cisco ThousandEyes
    Internet Insights
    Alerts and Dashboards Configuration
    Monitoring Solutions
    Cisco Meraki Network Assurance
    Cisco Meraki Insights

    Lab Outline

    Troubleshoot the Health of Network Devices
    Explore Cisco Catalyst SD-WAN Analytics
    Schedule a Test
    Deploy Enterprise Agent
    Configure Network, DNS, and Voice Tests
    Configure Web Tests
    Deploy and Configure an Endpoint Agent
    Configure Account Administration
    Examine Internet Insights
    Configure Alerts
    Build a Dashboard
    Implementing Network Assurance with Cisco Meraki
    Examine Cisco Meraki Insight

Enroll in the course