SECOPS - Implementing Cisco Cybersecurity Operations v1.0

Begin a career working with associate-level cybersecurity analysts within security operations centers.

GK# 4996

$1950 - $4544 CAD


Course Overview

This course includes Cisco Training Exclusives

EXCLUSIVE TO GLOBAL KNOWLEDGE - Accelerate your Cisco learning experience with complimentary access to the IT Skills Video On-Demand Library, Introduction to Cybersecurity digital learning course, course recordings, IT Resource Library, and digital courseware.


Today's organizations are challenged with rapidly detecting cybersecurity breaches and effectively responding to security incidents. Teams of people in Security Operations Centers (SOCs) keep a vigilant eye on security systems, protecting their organizations by detecting and responding to cybersecurity threats. CCNA Cyber Ops prepares candidates to begin a career working with associate-level cybersecurity analysts within security operations centers.

This course allows learners to understand how a Security Operations Center (SOC) functions and the introductory-level skills and knowledge needed in this environment. It focuses on the introductory-level skills needed by an associate-level SOC Analyst: understanding basic threat analysis, event correlation, identifying malicious activity, and using a playbook for incident response.


What You'll Learn

  • Define a SOC and the various job roles in a SOC
  • Understand SOC infrastructure tools and systems
  • Learn basic incident analysis for a threat centric SOC
  • Explore resources available to assist with an investigation
  • Explain basic event correlation and normalization
  • Describe common attack vectors
  • Learn how to identify malicious activity
  • Understand the concept of a playbook
  • Describe and explain an incident response handbook
  • Define types of SOC Metrics
  • Understand SOC Workflow Management system and automation

Outline


Classroom Live Outline

Module 1: SOC Overview
Objective: Describe the three common Security Operations Center types, the different tools used by the SOC analysts, the different job roles within the Security Operations Center, and incident analysis within a threat-centric Security Operations Center.

Lesson 1: Defining the Security Operations Center
Objective: Explain how a SOC operates and describe the different types of services that are performed from a Tier 1 SOC analyst’s perspective.

  • Types of Security Operations Centers
    • Objective: Explain the different types of SOCs (Threat-Centric, Compliance-Based, Operational-Based).
  • SOC Analyst Tools
    • Objective: Describe at a high-level, the types of network security monitoring tools typically used within a SOC.
  • Data Analytics
    • Objective: Explain the purpose of data analytics and the use of log mining, packet captures, and rule-based alerts in incident investigations.
  • Hybrid Installations: Automated Reports, Anomaly Alerts
    • Objective: Describe at a high level, the use of automation within the SOC.
  • Proper Staffing Necessary for an Effective Incident Response Team
    • Objective: Describe the proper staffing necessary for implementing an effective incident response team.
  • Roles in a Security Operations Center
    • Objective: Describe the different job roles within a typical SOC.
  • Develop Key Relationships with External Resources
    • Objective: List the external resources a typical SOC needs to establish a relationship with.
  • Challenge

Lesson 2: Understanding NSM Tools and Data
Objective: Explain the network security monitoring tools and data available to the network security analyst.

  • Introduction
  • NSM Tools
    • Objective: Describe the three types of network security monitoring tools used within the SOC (commercial, open source, or homegrown).
  • NSM Data
    • Objective: Describe the different types of network security monitoring data (session data, full packet capture, transaction data, alert data, and statistical data).
  • Security Onion
    • Objective: Explain at a high level, the use of Security Onion as a network security monitoring tool.
  • Full Packet Capture
    • Objective: Explain that packet capture data is stored in the PCAP format, and describe the storage requirements for full packet capture.
  • Session Data
    • Objective: Describe session data content, and provide an example of session data.
  • Transaction Data
    • Objective: Describe transaction data content, and provide an example of transaction data.
  • Alert Data
    • Objective: Describe alert data content, and provide an example of alert data.
  • Other NSM Data Types
    • Objective: Describe the other types of network security monitoring data (extracted content, statistical data, and metadata).
  • Correlating NSM Data
    • Objective: Explain the need to correlate network security monitoring data, and provide an example.

Lesson 3: Understanding Incident Analysis in a Threat-Centric SOC
Objective: Understand the kill chain and the diamond models for incident investigations, and the use of exploit kits by the threat actors.

  • Classic Kill Chain Model Overview
    • Objective: Describe how the classic kill chain model is used to perform network security incident analysis.
  • Kill Chain Phase 1: Reconnaissance
    • Objective: Describe the reconnaissance phase of the classic kill chain model.
  • Kill Chain Phase 2: Weaponization
    • Objective: Describe the weaponization phase of the classic kill chain model.
  • Kill Chain Phase 3: Delivery
    • Objective: Describe the delivery phase of the classic kill chain model.
  • Kill Chain Phase 4: Exploitation
    • Objective: Describe the exploitation phase of the classic kill chain model.
  • Kill Chain Phase 5: Installation
    • Objective: Describe the installation phase of the classic kill chain model.
  • Kill Chain Phase 6: Command-and-Control
    • Objective: Describe the command-and-control phase of the classic kill chain model.
  • Kill Chain Phase 7: Actions on Objectives
    • Objective: Describe the actions on objectives phase of the classic kill chain model.
  • Applying the Kill Chain Model 
    • Objective: Describe how the kill chain model can be applied to detect and prevent ransomware.
  • Diamond Model Overview
    • Objective: Describe how the diamond model is used to perform network security incident analysis.
  • Applying the Diamond Model
    • Objective: Describe how to apply the diamond model to perform network security incident analysis using a threat intelligence platform such as ThreatConnect.
  • Exploit Kits
    • Objective: Describe the use of exploit kits by the threat actors.

Lesson 4: Identifying Resources for Hunting Cyber Threats

  • Cyber-Threat Hunting Concepts
    • Objective: Describe at a high level, the cyber-threat hunting concepts.
  • Hunting Maturity Model
    • Objective: Explain the five hunting maturity levels (HM0 to HM4).
  • Cyber-Threat Hunting Cycle
    • Objective: Explain the hunting cycle four-stage loop.
  • Common Vulnerability Scoring System
    • Objective: Describe at a high level, the use of the Common Vulnerability Scoring System, and list the v3.0 base metrics.
  • CVSS v3.0 Scoring
    • Objective: Describe the Common Vulnerability Scoring System v3.0 scoring components (base, temporal, and environmental).
  • CVSS v3.0 Example
    • Objective: Provide an example of Common Vulnerability Scoring System v3.0 scoring.
  • Hot Threat Dashboard
    • Objective: Describe the use of a hot threat dashboard within a SOC.
  • Publicly Available Threat Awareness Resources
    • Objective: Provide examples of some of the publicly available threat awareness resources.
  • Other External Threat Intelligence Sources and Feeds Reference
    • Objective: Provide examples of some of the publicly available external threat intelligence sources and feeds.

Module 2: Security Incident Investigations
Objective: Explain the concepts of security incident investigations, including event correlation and normalization, common attack vectors, and identifying malicious and suspicious activities.

Lesson 1: Understanding Event Correlation and Normalization

  • Event Sources
    • Objective: Describe some of the network security monitoring event sources (IPS, Firewall, NetFlow, Proxy Server, IAM, AV, Application Logs).
  • Evidence
    • Objective: Describe direct evidence and circumstantial evidence.
  • Security Data Normalization
    • Objective: Provide an example of security data normalization.
  • Event Correlation
    • Objective: Provide an example of security events correlation.
  • Other Security Data Manipulation 
    • Objective: Explain the basic concepts of security data aggregation, summarization, and deduplication.

Lesson 2: Identifying Common Attack Vectors
Objective: Identify the common attack vectors.

  • Obfuscated JavaScript
    • Objective: Explain the use of obfuscated JavaScript by the threat actors.
  • Shellcode and Exploits
    • Objective: Explain the use of shellcode and exploits by the threat actors.
  • Common Metasploit Payloads
    • Objective: Explain the three basic types of payloads within the Metasploit framework (single, stager, stage).
  • Directory Traversal
    • Objective: Explain the use of directory traversal by the threat actors.
  • SQL Injection
    • Objective: Explain the basic concepts of SQL injection attacks.
  • Cross-Site Scripting 
    • Objective: Explain the basic concepts of cross-site scripting attacks.
  • Punycode
    • Objective: Explain the use of punycode by the threat actors.
  • DNS Tunneling
    • Objective: Explain the use of DNS tunneling by the threat actors.
  • Pivoting
    • Objective: Explain the use of pivoting by the threat actors.

Lesson 3: Identifying Malicious Activity
Objective: Explain how to identify malicious activities.

  • Understanding the Network Design
    • Objective: Explain why security analysts need to understand the design of the network they are protecting.
  • Identifying Possible Threat Actors
    • Objective: Describe the different threat actor types.
  • Log Data Search
    • Objective: Provide an example of log data search using ELSA.
  • NetFlow as a Security Tool
    • Objective: Explain the use of NetFlow as a security tool.
  • DNS Risk and Mitigation Tool
    • Objective: Explain how DNS can be used by the threat actors to perform attacks.

Lesson 4: Identifying Patterns of Suspicious Behavior
Objective: Explain how to identify patterns of suspicious behaviors.

  • Network Baselining
    • Objective: Explain the purpose of baselining the network activities.
  • Identify Anomalies and Suspicious Behaviors 
    • Objective: Explain how to use the established baseline to identify anomalies and suspicious behaviors.
  • PCAP Analysis 
    • Objective: Explain the basic concepts of performing PCAP analysis.
  • Delivery 
    • Objective: Explain the use of a sandbox to perform file analysis.

Lesson 5: Conducting Security Incident Investigations

  • Security Incident Investigation Procedures
    • Objective: Explain the objective of a security incident investigation: to discover the who, what, when, where, why, and how of the security incident.
  • Threat Investigation Example: China Chopper Remote Access Trojan
    • Objective: Describe at a high level, the China Chopper Remote Access Trojan.

Module 3: SOC Operations
Objective: Explain using a SOC playbook to assist with investigations, using metrics to measure the SOC's effectiveness, using a SOC workflow management system and automation to improve the SOC's efficiency, and the concepts of an incident response plan.

Lesson 1: Describing the SOC Playbook
Objective: Explain the use of a typical playbook in the SOC.

  • Security Analytics
    • Objective: Describe the security analytics process.
  • Playbook Definition
    • Objective: Describe the use of a playbook in a SOC.
  • What Is in a Play?
    • Objective: Describe the components of a play in a typical SOC playbook.
  • Playbook Management System
    • Objective: Describe the use of a playbook management system in the SOC.

Lesson 2: Understanding the SOC Metrics
Objective: Explain the use of SOC metrics to measure the SOC's effectiveness.

  • Security Data Aggregation
    • Objective: Explain how a SIEM provides security data aggregation, real-time reporting, and analysis of security events.
  • Time to Detection
    • Objective: Explain what time to detection is.
  • Security Controls Detection Effectiveness
    • Objective: Explain how to measure security control effectiveness in terms of true positive, true negative, false positive, and false negative events.
  • SOC Metrics
    • Objective: Explain the use of different metrics to measure SOC effectiveness.
  • Challenge

Lesson 3: Understanding the SOC WMS and Automation
Objective: Explain the use of a workflow management system and automation to improve the SOC's effectiveness.

  • SOC WMS Concepts
    • Objective: Explain the basic concepts and benefits of using a workflow management system within a SOC.
  • Incident Response Workflow
    • Objective: Describe a typical incident response workflow.
  • SOC WMS Integration
    • Objective: Describe how a typical workflow management system is integrated within a SOC.
  • SOC Workflow Automation Example
    • Objective: Provide an example of a SOC workflow automation system (Cybersponse).
  • Challenge

Lesson 4: Describing the Incident Response Plan

  • Incident Response Planning
    • Objective: Explain the purpose for incident response planning.
  • Incident Response Life Cycle
    • Objective: Describe the typical incident response life cycle.
  • Incident Response Policy Elements
    • Objective: Describe the typical elements within an incident response policy.
  • Incident Attack Categories
    • Objective: Describe how incidents can be classified.
  • Reference: US-CERT Incident Categories
    • Objective: Describe the different US-CERT incident categories (CAT 0 to CAT 6).
  • Regulatory Compliance Incident Response Requirements
    • Objective: Describe compliance regulations that contain incident response requirements.
  • Challenge

Lesson 5: Appendix A—Describing the Computer Security Incident Response Team
Objective: Explain the functions of a typical Computer Security Incident Response Team.

  • CSIRT Categories
    • Objective: Describe the different general CSIRT categories.
  • CSIRT Framework
    • Objective: Describe the basic framework that defines a CSIRT.
  • CSIRT Incident Handling Services
    • Objective: Describe the different CSIRT incident handling services (triage, handling, feedback, optional announcement).
  • Challenge

Lesson 6: Appendix B—Understanding the use of VERIS
Objective: Explain the use of VERIS to document security incidents in a standard format.

  • VERIS Overview
    • Objective: Explain what VERIS is.
  • VERIS Incidents Structure
    • Objective: Explain the VERIS incident structure.
  • VERIS 4 As
    • Objective: Explain the VERIS 4 As.
  • VERIS Records
    • Objective: Describe a typical VERIS record.
  • VERIS Community Database
    • Objective: Describe the VERIS Community Database.
  • Verizon Data Breach Investigations Report and Cisco Annual Security Report
    • Objective: Describe the Verizon Data Breach Investigations Report, and the Cisco Annual Security Report.
  • Challenge

Labs


Classroom Live Labs

Guided Lab 1: Explore Network Security Monitoring Tools

  • Task 1: Prepare the Lab Environment
  • Task 2: Analyze Alerts
  • Task 3: Extract Content from Packet Captures
  • Task 4: Analyze Malware
  • Task 5: Search Bro Data Using ELSA
  • Challenge

Discovery 1: Investigate Hacker Methodology

  • Task 1: Scanning and Analyzing Reconnaissance Activity
  • Task 2: Analyzing the Weaponization, Delivery, and Exploitation Phases of the Kill Chain Model
  • Task 3: Persistence on the Target Machine
  • Task 4: Host-Based Analysis
  • Task 5: Identifying Data Exfiltration
  • Challenge

Discovery 2: Hunt Malicious Traffic

  • Task 1: Threat Simulation
  • Task 2: Combing Network Traffic with ELSA
  • Task 3: Pivot to Wireshark with capME!
  • Task 4: Analyzing Exfiltration Data
  • Task 5: Confirm A Backdoor
  • Challenge

Discovery 3: Correlate Event Logs, PCAPs, and Alerts of an Attack

  • Task 1: Examine OSSEC Alerts
  • Task 2: Find and Correlate Additional Activity
  • Challenge

Discovery 4: Investigate Browser-Based Attacks

  • Task 1: Setting up Security Onion
  • Task 2: SQL Injection
  • Task 3: Cross Site Scripting Attack
  • Task 4: Local File Inclusion and Directory Traversal
  • Challenge

Discovery 5: Analyze Suspicious DNS Activity

  • Task 1: Investigate DNS Fast Fluxing
  • Task 2: Perform DNS Exfiltration
  • Task 3: Analyze DNS Exfiltration Activities
  • Challenge

Discovery 6: Investigate Suspicious Activity Using Security Onion

  • Task 1: Identify Suspicious Domain Names
  • Task 2: Identify Suspicious User Agents
  • Task 3: Upload Malware to Malwr.com
  • Challenge

Discovery 7: Investigate Advanced Persistent Threats

  • Task 1: Investigate Sguil Alerts
  • Task 2: Investigate Suspicious Packet Captures
  • Task 3: Implement New Custom Snort Rule
  • Challenge

Discovery 8: Explore SOC Playbooks

  • Task 1: Access ELSA on the Security Onion VM
  • Task 2: Play: 404s Indicating Web Recon
  • Task 3: Play: Posts to Dynamic DNS Sites
  • Task 4: Play: DNS over TCP
  • Task 5: Play: HTTP Header Host Field Containing IP Address
  • Task 6: Play: Known Botnet C2 Domains (Manual Play)
  • Task 7: Play: Explore the Raw Bro Log Files
  • Task 8: Play: Known Botnet C2 Domains (Semi-Automated Play)
  • Task 9: Play: Malicious Files (Manual Play)
  • Task 10: Play: Malicious Files (Semi-Automated Play)
  • Task 11: Play: Large File Transfers (Semi-Automated Play)
  • Challenge

Prerequisites


It is strongly recommended, but not required, that students have the following knowledge and skills:

  • Skills and knowledge equivalent to those learned in Interconnecting Cisco Networking Devices Part 1 (ICND1)
  • Working knowledge of the Windows operating system
  • Working knowledge of Cisco IOS networking and concepts

Who Should Attend

  • Security Operations Center Security Analyst
  • Computer Network Defense Analyst
  • Computer Network Defense Infrastructure Support personnel
  • Future Incident Responders and Security Operations Center (SOC) personnel
  • Students beginning a career and entering the cybersecurity field
  • IT personnel looking to learn more about the area of cybersecurity operations
  • Cisco Channel Partners

Vendor Credits


This course can be purchased with Cisco Learning Credits (CLCs).

Training Exclusives

Classroom and Virtual Classroom sessions of this course include access to the following benefits:

  • IT Skills Video On-Demand Library (over 40,000 titles)
  • Introduction to Cybersecurity digital learning course
  • Course Recordings
  • IT Resource Library
  • Digital Courseware

Cisco On-Demand Learning

Master Cisco technologies on your own schedule. The on-demand version of this course includes access to these elements for 12 months.

  • Bookmarking tools
  • Progress analytics
  • Gamification with leaderboards
  • Searchable glossary
  • Lab recordings
  • Instructor Videos
  • Student Guide
  • Discovery and Integrated Labs
  • Content Review Questions
  • Challenge Tests and Labs
Course Delivery

This course is available in the following formats:

On-Demand

Train at your own pace with 24/7 access to courses that help you acquire must-have technology skills.

Classroom Live

Receive face-to-face instruction at one of our training center locations.

Duration: 5 days

Virtual Classroom Live

Experience expert-led online training from the convenience of your home, office or anywhere with an internet connection.

Duration: 5 days
