SECOPS – Implementing Cisco Cybersecurity Operations – Knowledge Club

Teacher: Mandy Jackson

Category: CISCO Security CCNA Cyber Ops


The Course Name: SECOPS - Implementing Cisco Cybersecurity Operations

The Duration: 5 Days

The Overview:

This course provides participants with the fundamental knowledge and core skills needed to begin working in a Security Operations Center (SOC). It also helps prepare students to pass the Implementing Cisco Cybersecurity Operations exam.

What You Will Learn:

  •         How to define a SOC and the various job roles in a SOC
  •         How to understand SOC infrastructure tools and systems
  •         Basic incident analysis for a threat-centric SOC
  •         How to explore resources available to assist with an investigation
  •         How to explain basic event correlation and normalization
  •         How to describe common attack vectors
  •         How to identify malicious activity
  •         How to understand the concept of a playbook
  •         How to describe and explain an incident response handbook
  •         How to define types of SOC metrics
  •         How to understand SOC workflow management systems and automation

The Course Index:


Module 1: SOC Overview

Objective: Describe the three common Security Operations Center types, the different tools used by the SOC analysts, the different job roles within the Security Operations Center, and incident analysis within a threat-centric Security Operations Center.

Lesson 1: Defining the Security Operations Center

Objective: Explain how a SOC operates and describe the different types of services that are performed from a Tier 1 SOC analyst’s perspective.

  •         Types of Security Operations Centers

o Objective: Explain the different types of SOCs (Threat-Centric, Compliance-Based, Operational-Based).

  •         SOC Analyst Tools

o Objective: Describe, at a high level, the types of network security monitoring tools typically used within a SOC.

  •         Data Analytics

o Objective: Explain the purpose of data analytics and the use of log mining, packet captures, and rule-based alerts in incident investigations.

  •         Hybrid Installations: Automated Reports, Anomaly Alerts

o Objective: Describe, at a high level, the use of automation within the SOC.

  •         Proper Staffing Necessary for an Effective Incident Response Team

o Objective: Describe the proper staffing necessary for implementing an effective incident response team.

  •         Roles in a Security Operations Center

o Objective: Describe the different job roles within a typical SOC.

  •         Develop Key Relationships with External Resources

o Objective: List the external resources a typical SOC needs to establish a relationship with.

  •         Challenge

Lesson 2: Understanding NSM Tools and Data

Objective: Explain the network security monitoring tools and data available to the network security analyst.

  •         Introduction
  •         NSM Tools

o Objective: Describe the three types of network security monitoring tools used within the SOC (commercial, open source, or homegrown).

  •         NSM Data

o Objective: Describe the different types of network security monitoring data (session data, full packet capture, transaction data, alert data, and statistical data).

  •         Security Onion

o Objective: Explain, at a high level, the use of Security Onion as a network security monitoring tool.

  •         Full Packet Capture

o Objective: Explain that packet capture data is stored in the PCAP format, and describe the storage requirements for full packet capture.

  •         Session Data

o Objective: Describe session data content, and provide an example of session data.

  •         Transaction Data

o Objective: Describe transaction data content, and provide an example of transaction data.

  •         Alert Data

o Objective: Describe alert data content, and provide an example of alert data.

  •         Other NSM Data Types

o Objective: Describe the other types of network security monitoring data (extracted content, statistical data, and metadata).

  •         Correlating NSM Data

o Objective: Explain the need to correlate network security monitoring data, and provide an example.

Lesson 3: Understanding Incident Analysis in a Threat-Centric SOC

Objective: Explain the kill chain and diamond models for incident investigations, and the use of exploit kits by threat actors.

  •         Classic Kill Chain Model Overview

o Objective: Describe how the classic kill chain model is used to perform network security incident analysis.

  •         Kill Chain Phase 1: Reconnaissance

o Objective: Describe the reconnaissance phase of the classic kill chain model.

  •         Kill Chain Phase 2: Weaponization

o Objective: Describe the weaponization phase of the classic kill chain model.

  •         Kill Chain Phase 3: Delivery

o Objective: Describe the delivery phase of the classic kill chain model.

  •         Kill Chain Phase 4: Exploitation

o Objective: Describe the exploitation phase of the classic kill chain model.

  •         Kill Chain Phase 5: Installation

o Objective: Describe the installation phase of the classic kill chain model.

  •         Kill Chain Phase 6: Command-and-Control

o Objective: Describe the command-and-control phase of the classic kill chain model.

  •         Kill Chain Phase 7: Actions on Objectives

o Objective: Describe the actions on objectives phase of the classic kill chain model.

  •         Applying the Kill Chain Model

o Objective: Describe how the kill chain model can be applied to detect and prevent ransomware.

  •         Diamond Model Overview

o Objective: Describe how the diamond model is used to perform network security incident analysis.

  •         Applying the Diamond Model

o Objective: Describe how to apply the diamond model to perform network security incident analysis using a threat intelligence platform such as ThreatConnect.

  •         Exploit Kits

o Objective: Describe the use of exploit kits by the threat actors.

Lesson 4: Identifying Resources for Hunting Cyber Threats

  •         Cyber-Threat Hunting Concepts

o Objective: Describe, at a high level, the cyber-threat hunting concepts.

  •         Hunting Maturity Model

o Objective: Explain the five hunting maturity levels (HM0 to HM4).

  •         Cyber-Threat Hunting Cycle

o Objective: Explain the four-stage hunting cycle loop.

  •         Common Vulnerability Scoring System

o Objective: Describe, at a high level, the use of the Common Vulnerability Scoring System, and list the v3.0 base metrics.

  •         CVSS v3.0 Scoring

o Objective: Describe the Common Vulnerability Scoring System v3.0 scoring components (base, temporal, and environmental).

  •         CVSS v3.0 Example

o Objective: Provide an example of Common Vulnerability Scoring System v3.0 scoring.

  •         Hot Threat Dashboard

o Objective: Describe the use of a hot threat dashboard within a SOC.

  •         Publicly Available Threat Awareness Resources

o Objective: Provide examples of some of the publicly available threat awareness resources.

  •         Other External Threat Intelligence Sources and Feeds Reference

o Objective: Provide examples of some of the publicly available external threat intelligence sources and feeds.

Module 2: Security Incident Investigations

Objective: Explain the concepts of security incident investigations, including event correlation and normalization and common attack vectors, and how to identify malicious and suspicious activities.

Lesson 1: Understanding Event Correlation and Normalization

  •         Event Sources

o Objective: Describe some of the network security monitoring event sources (IPS, Firewall, NetFlow, Proxy Server, IAM, AV, Application Logs).

  •         Evidence

o Objective: Describe direct evidence and circumstantial evidence.

  •         Security Data Normalization

o Objective: Provide an example of security data normalization.

  •         Event Correlation

o Objective: Provide an example of security event correlation.

  •         Other Security Data Manipulation

o Objective: Explain the basic concepts of security data aggregation, summarization, and deduplication.

Lesson 2: Identifying Common Attack Vectors

Objective: Identify the common attack vectors.

  •         Obfuscated JavaScript

o Objective: Explain the use of obfuscated JavaScript by the threat actors.

  •         Shellcode and Exploits

o Objective: Explain the use of shellcode and exploits by the threat actors.

  •         Common Metasploit Payloads

o Objective: Explain the three basic types of payloads within the Metasploit framework (single, stager, stage).

  •         Directory Traversal

o Objective: Explain the use of directory traversal by the threat actors.

  •         SQL Injection

o Objective: Explain the basic concepts of SQL injection attacks.

  •         Cross-Site Scripting

o Objective: Explain the basic concepts of cross-site scripting attacks.

  •         Punycode

o Objective: Explain the use of punycode by the threat actors.

  •         DNS Tunneling

o Objective: Explain the use of DNS tunneling by the threat actors.

  •         Pivoting

o Objective: Explain the use of pivoting by the threat actors.

Lesson 3: Identifying Malicious Activity

Objective: Explain how to identify malicious activities.

  •         Understanding the Network Design

o Objective: Explain why security analysts need to understand the design of the network they are protecting.

  •         Identifying Possible Threat Actors

o Objective: Describe the different threat actor types.

  •         Log Data Search

o Objective: Provide an example of log data search using ELSA.

  •         NetFlow as a Security Tool

o Objective: Explain the use of NetFlow as a security tool.

  •         DNS Risk and Mitigation Tool

o Objective: Explain how DNS can be used by the threat actors to perform attacks.

Lesson 4: Identifying Patterns of Suspicious Behavior

Objective: Explain how to identify patterns of suspicious behaviors.

  •         Network Baselining

o Objective: Explain the purpose of baselining the network activities.

  •         Identify Anomalies and Suspicious Behaviors

o Objective: Explain how the established baseline is used to identify anomalies and suspicious behaviors.

  •         PCAP Analysis

o Objective: Explain the basic concepts of performing PCAP analysis.

  •         Delivery

o Objective: Explain the use of a sandbox to perform file analysis.

Lesson 5: Conducting Security Incident Investigations

  •         Security Incident Investigation Procedures

o Objective: Explain the objective of a security incident investigation: to discover the who, what, when, where, why, and how of the security incident.

  •         Threat Investigation Example: China Chopper Remote Access Trojan

o Objective: Describe, at a high level, the China Chopper Remote Access Trojan.

Module 3: SOC Operations

Objective: Explain using a SOC playbook to assist with investigations, using metrics to measure the SOC's effectiveness, using a SOC workflow management system and automation to improve the SOC's efficiency, and the concepts of an incident response plan.

Lesson 1: Describing the SOC Playbook

Objective: Explain the use of a typical playbook in the SOC.

  •         Security Analytics

o Objective: Describe the security analytics process.

  •         Playbook Definition

o Objective: Describe the use of a playbook in a SOC.

  •         What Is in a Play?

o Objective: Describe the components of a play in a typical SOC playbook.

  •         Playbook Management System

o Objective: Describe the use of a playbook management system in the SOC.

Lesson 2: Understanding the SOC Metrics

Objective: Explain the use of SOC metrics to measure the SOC's effectiveness.

  •         Security Data Aggregation

o Objective: Explain the use of a SIEM to provide security data aggregation, real-time reporting, and analysis of security events.

  •         Time to Detection

o Objective: Explain what time to detection is.

  •         Security Controls Detection Effectiveness

o Objective: Explain how to measure security control effectiveness in terms of true positive, true negative, false positive, and false negative events.

  •         SOC Metrics

o Objective: Explain the use of different metrics to measure SOC effectiveness.

  •         Challenge

Lesson 3: Understanding the SOC WMS and Automation

Objective: Explain the use of a workflow management system and automation to improve the SOC's effectiveness.

  •         SOC WMS Concepts

o Objective: Explain the basic concepts and benefits of using a workflow management system within a SOC.

  •         Incident Response Workflow

o Objective: Describe a typical incident response workflow.

  •         SOC WMS Integration

o Objective: Describe how a typical workflow management system is integrated within a SOC.

  •         SOC Workflow Automation Example

o Objective: Provide an example of a SOC workflow automation system (Cybersponse).

  •         Challenge

Lesson 4: Describing the Incident Response Plan

  •         Incident Response Planning

o Objective: Explain the purpose of incident response planning.

  •         Incident Response Life Cycle

o Objective: Describe the typical incident response life cycle.

  •         Incident Response Policy Elements

o Objective: Describe the typical elements within an incident response policy.

  •         Incident Attack Categories

o Objective: Describe how incidents can be classified.

  •         Reference: US-CERT Incident Categories

o Objective: Describe the different US-CERT incident categories (CAT 0 to CAT 6).

  •         Regulatory Compliance Incident Response Requirements

o Objective: Describe compliance regulations that contain incident response requirements.

  •         Challenge

Lesson 5: Appendix A—Describing the Computer Security Incident Response Team

Objective: Explain the functions of a typical Computer Security Incident Response Team.

  •         CSIRT Categories

o Objective: Describe the different general CSIRT categories.

  •         CSIRT Framework

o Objective: Describe the basic framework that defines a CSIRT.

  •         CSIRT Incident Handling Services

o Objective: Describe the different CSIRT incident handling services (triage, handling, feedback, optional announcement).

  •         Challenge

Lesson 6: Appendix B—Understanding the use of VERIS


Objective: Explain the use of VERIS to document security incidents in a standard format.

  •         VERIS Overview

o Objective: Explain what VERIS is.

  •         VERIS Incidents Structure

o Objective: Explain the VERIS incident structure.

  •         VERIS 4 As

o Objective: Explain the VERIS 4 As.

  •         VERIS Records

o Objective: Describe a typical VERIS record.

  •         VERIS Community Database

o Objective: Describe the VERIS Community Database.

  •         Verizon Data Breach Investigations Report and Cisco Annual Security Report

o Objective: Describe the Verizon Data Breach Investigations Report, and the Cisco Annual Security Report.

  •         Challenge


Price: Free

Max Availability: 20
