Cisco CyberOps Associate CBROPS 200-201 Official Cert Guide

Transcription

Cisco CyberOps Associate CBROPS 200-201 Official Cert Guide
Omar Santos
Cisco Press
9780136807834 print.indb 1 06/10/20 6:34 pm

Cisco CyberOps Associate CBROPS 200-201 Official Cert Guide
Omar Santos
Copyright 2021 Cisco Systems, Inc.
Published by: Cisco Press, Hoboken, NJ

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Library of Congress Control Number: 2020944691
ISBN-13: 978-0-13-680783-4
ISBN-10: 0-13-680783-6

Warning and Disclaimer
This book is designed to provide information about the Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS 200-201) exam. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.
The information is provided on an “as is” basis. The author, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.
The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.

Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Special Sales
For information about buying this title in bulk quantities, or for special sales opportunities (which may include electronic versions; custom cover designs; and content particular to your business, training goals, marketing focus, or branding interests), please contact our corporate sales department at corpsales@pearsoned.com or (800) 382-3419.
For government sales inquiries, please contact governmentsales@pearsoned.com.
For questions about sales outside the U.S., please contact intlcs@pearson.com.

Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community.
Readers’ feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through email at feedback@ciscopress.com. Please make sure to include the book title and ISBN in your message.
We greatly appreciate your assistance.

Editor-in-Chief: Mark Taub
Copy Editor: Chuck Hutchinson
Alliances Manager, Cisco Press: Arezou Gol
Technical Editor: John Stuppi
Director, ITP Product Management: Brett Bartow
Editorial Assistant: Cindy Teeters
Executive Editor: James Manly
Cover Designer: Chuti Prasertsith
Managing Editor: Sandra Schroeder
Composition: codeMantra
Development Editor: Christopher A. Cleveland
Indexer: Timothy Wright
Senior Project Editor: Tonya Simpson
Proofreader: Donna E. Mulder

Americas Headquarters: Cisco Systems, Inc., San Jose, CA
Asia Pacific Headquarters: Cisco Systems (USA) Pte. Ltd., Singapore
Europe Headquarters: Cisco Systems International BV, Amsterdam, The Netherlands
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

About the Author
Omar Santos is an active member of the security community, where he leads several industrywide initiatives. His active role helps businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to increasing the security of the critical infrastructure. Omar is the chair of the OASIS Common Security Advisory Framework (CSAF) technical committee, the co-chair of the Forum of Incident Response and Security Teams (FIRST) Open Source Security working group, and the co-lead of the DEF CON Red Team Village.
Omar is the author of more than 20 books and video courses as well as numerous white papers, articles, and security configuration guidelines and best practices. Omar is a principal engineer of the Cisco Product Security Incident Response Team (PSIRT), where he mentors and leads engineers and incident managers during the investigation and resolution of security vulnerabilities.
Omar has been quoted by numerous media outlets, such as TheRegister, Wired, ZDNet, ThreatPost, CyberScoop, TechCrunch, Fortune Magazine, Ars Technica, and more. You can follow Omar on Twitter @santosomar.

About the Technical Reviewer
John Stuppi, CCIE No. 11154, is a technical leader in the Customer Experience Security Programs (CXSP) organization at Cisco, where he consults with Cisco customers on protecting their networks against existing and emerging cybersecurity threats, risks, and vulnerabilities. Current projects include working with newly acquired entities to integrate them into the Cisco PSIRT Vulnerability Management processes. John has presented multiple times on various network security topics at Cisco Live and Black Hat, as well as at other customer-facing cybersecurity conferences. John is also the co-author of the Official Certification Guide for CCNA Security 210-260, published by Cisco Press. Additionally, John has contributed to the Cisco Security Portal through the publication of white papers, security blog posts, and cyber risk report articles. Prior to joining Cisco, John worked as a network engineer for JPMorgan and then as a network security engineer at Time, Inc., with both positions based in New York City. John is also a CISSP (No. 25525) and holds AWS Cloud Practitioner and Information Systems Security (INFOSEC) Professional certifications. In addition, John has a BSEE from Lehigh University and an MBA from Rutgers University. John lives in Ocean Township, New Jersey (down on the “Jersey Shore”), with his wife, two kids, and his dog.

Dedication
I would like to dedicate this book to my lovely wife, Jeannette, and my two beautiful children, Hannah and Derek, who have inspired and supported me throughout the development of this book.

Acknowledgments
I would like to thank the technical editor and my good friend, John Stuppi, for his time and technical expertise.
I would like to thank the Cisco Press team, especially James Manly and Christopher Cleveland, for their patience, guidance, and consideration.
Finally, I would like to thank Cisco and the Cisco Product Security Incident Response Team (PSIRT), Security Research, and Operations for enabling me to constantly learn and achieve many goals throughout all these years.

Contents at a Glance
Introduction xxvi
Chapter 1 Cybersecurity Fundamentals 2
Chapter 2 Introduction to Cloud Computing and Cloud Security 82
Chapter 3 Access Control Models 102
Chapter 4 Types of Attacks and Vulnerabilities 152
Chapter 5 Fundamentals of Cryptography and Public Key Infrastructure (PKI) 178
Chapter 6 Introduction to Virtual Private Networks (VPNs) 212
Chapter 7 Introduction to Security Operations Management 232
Chapter 8 Fundamentals of Intrusion Analysis 294
Chapter 9 Introduction to Digital Forensics 338
Chapter 10 Network Infrastructure Device Telemetry and Analysis 370
Chapter 11 Endpoint Telemetry and Analysis 430
Chapter 12 Challenges in the Security Operations Center (SOC) 496
Chapter 13 The Art of Data and Event Analysis 520
Chapter 14 Classifying Intrusion Events into Categories 530
Chapter 15 Introduction to Threat Hunting 552
Chapter 16 Final Preparation 574
Glossary of Key Terms 577
Appendix A Answers to the “Do I Know This Already?” Quizzes and Review Questions 592
Appendix B Understanding Cisco Cybersecurity Operations Fundamentals CBROPS 200-201 Exam Updates 614
Index 616
Online Elements
Appendix C Study Planner
Glossary of Key Terms

Reader Services
In addition to the features in each of the core chapters, this book has additional study resources on the companion website, including the following:
Practice exams: The companion website contains an exam engine that enables you to review practice exam questions. Use these to prepare with a sample exam and to pinpoint topics where you need more study.
Interactive exercises and quizzes: The companion website contains hands-on exercises and interactive quizzes so that you can test your knowledge on the spot.
Glossary quizzes: The companion website contains interactive quizzes that enable you to test yourself on every glossary term in the book.
The companion website contains 30 minutes of unique test-prep video training.
To access this additional content, simply register your product. To start the registration process, go to www.ciscopress.com/register and log in or create an account.* Enter the product ISBN 9780136807834 and click Submit. After the process is complete, you will find any available bonus content under Registered Products.
*Be sure to check the box that you would like to hear from us to receive exclusive discounts on future editions of this product.

Contents
Introduction xxvi
Chapter 1 Cybersecurity Fundamentals 2
“Do I Know This Already?” Quiz 3
Foundation Topics 8
Introduction to Cybersecurity 8
Cybersecurity vs. Information Security (Infosec) 8
The NIST Cybersecurity Framework 9
Additional NIST Guidance and Documents 9
The International Organization for Standardization 10
Threats, Vulnerabilities, and Exploits 10
What Is a Threat? 10
What Is a Vulnerability? 11
What Is an Exploit? 13
Risk, Assets, Threats, and Vulnerabilities 15
Threat Actors 17
Threat Intelligence 17
Threat Intelligence Platform 19
Vulnerabilities, Exploits, and Exploit Kits 20
SQL Injection 21
HTML Injection 22
Command Injection 22
Authentication-Based Vulnerabilities 22
Credential Brute-Force Attacks and Password Cracking 23
Session Hijacking 24
Default Credentials 24
Insecure Direct Object Reference Vulnerabilities 24
Cross-Site Scripting 25
Cross-Site Request Forgery 27
Cookie Manipulation Attacks 27
Race Conditions 27
Unprotected APIs 27
Return-to-LibC Attacks and Buffer Overflows 28
OWASP Top 10 29
Security Vulnerabilities in Open-Source Software 29

Network Security Systems 30
Traditional Firewalls 30
Packet-Filtering Techniques 31
Application Proxies 35
Network Address Translation 36
Port Address Translation 37
Static Translation 37
Stateful Inspection Firewalls 38
Demilitarized Zones 38
Firewalls Provide Network Segmentation 39
Application-Based Segmentation and Micro-segmentation 39
High Availability 40
Clustering Firewalls 41
Firewalls in the Data Center 42
Virtual Firewalls 44
Deep Packet Inspection 44
Next-Generation Firewalls 45
Intrusion Detection Systems and Intrusion Prevention Systems 46
Pattern Matching and Stateful Pattern-Matching Recognition 47
Protocol Analysis 48
Heuristic-Based Analysis 49
Anomaly-Based Analysis 49
Global Threat Correlation Capabilities 50
Next-Generation Intrusion Prevention Systems 50
Firepower Management Center 50
Advanced Malware Protection 50
AMP for Endpoints 50
AMP for Networks 53
Web Security Appliance 54
Email Security Appliance 58
Cisco Security Management Appliance 60
Cisco Identity Services Engine 60
Security Cloud-Based Solutions 62
Cisco Cloud Email Security 62
Cisco AMP Threat Grid 62
Umbrella (OpenDNS) 63
Stealthwatch Cloud 63
CloudLock 64

Cisco NetFlow 64
Data Loss Prevention 65
The Principles of the Defense-in-Depth Strategy 66
Confidentiality, Integrity, and Availability: The CIA Triad 69
Confidentiality 69
Integrity 70
Availability 70
Risk and Risk Analysis 70
Personally Identifiable Information and Protected Health Information 72
PII 72
PHI 72
Principle of Least Privilege and Separation of Duties 73
Principle of Least Privilege 73
Separation of Duties 73
Security Operations Centers 74
Playbooks, Runbooks, and Runbook Automation 75
Digital Forensics 76
Exam Preparation Tasks 78
Review All Key Topics 78
Define Key Terms 79
Review Questions 80
Chapter 2 Introduction to Cloud Computing and Cloud Security 82
“Do I Know This Already?” Quiz 82
Foundation Topics 84
Cloud Computing and the Cloud Service Models 84
Cloud Security Responsibility Models 86
Patch Management in the Cloud 88
Security Assessment in the Cloud 88
DevOps, Continuous Integration (CI), Continuous Delivery (CD), and DevSecOps 88
The Agile Methodology 89
DevOps 90
CI/CD Pipelines 90
The Serverless Buzzword 92
A Quick Introduction to Containers and Docker 92
Container Management and Orchestration 94
Understanding the Different Cloud Security Threats 95
Cloud Computing Attacks 97

Exam Preparation Tasks 99
Review All Key Topics 99
Define Key Terms 99
Review Questions 100
Chapter 3 Access Control Models 102
“Do I Know This Already?” Quiz 102
Foundation Topics 105
Information Security Principles 105
Subject and Object Definition 106
Access Control Fundamentals 107
Identification 107
Authentication 108
Authentication by Knowledge 108
Authentication by Ownership 108
Authentication by Characteristic 108
Multifactor Authentication 109
Authorization 110
Accounting 110
Access Control Fundamentals: Summary 110
Access Control Process 111
Asset Classification 112
Asset Marking 113
Access Control Policy 114
Data Disposal 114
Information Security Roles and Responsibilities 115
Access Control Types 117
Access Control Models 119
Discretionary Access Control 121
Mandatory Access Control 122
Role-Based Access Control 123
Attribute-Based Access Control 125
Access Control Mechanisms 127
Identity and Access Control Implementation 129
Authentication, Authorization, and Accounting Protocols 130
RADIUS 130
TACACS 131
Diameter 133

Port-Based Access Control 135
Port Security 135
802.1x 136
Network Access Control List and Firewalling 138
VLAN Map 139
Security Group-Based ACL 139
Downloadable ACL 140
Firewalling 140
Identity Management and Profiling 140
Network Segmentation 141
Network Segmentation Through VLAN 141
Firewall DMZ 142
Cisco TrustSec 142
Intrusion Detection and Prevention 144
Network-Based Intrusion Detection and Protection System 147
Host-Based Intrusion Detection and Prevention 147
Antivirus and Antimalware 148
Exam Preparation Tasks 149
Review All Key Topics 149
Define Key Terms 150
Review Questions 150
Chapter 4 Types of Attacks and Vulnerabilities 152
“Do I Know This Already?” Quiz 152
Foundation Topics 154
Types of Attacks 154
Reconnaissance Attacks 154
Social Engineering 160
Privilege Escalation Attacks 162
Backdoors 163
Buffer Overflows and Code Execution 163
Man-in-the-Middle Attacks 165
Denial-of-Service Attacks 166
Direct DDoS 166
Botnets Participating in DDoS Attacks 167
Reflected DDoS Attacks 167
Attack Methods for Data Exfiltration 168
ARP Cache Poisoning 169

Spoofing Attacks 170
Route Manipulation Attacks 171
Password Attacks 171
Wireless Attacks 172
Types of Vulnerabilities 172
Exam Preparation Tasks 174
Review All Key Topics 174
Define Key Terms 175
Review Questions 175
Chapter 5 Fundamentals of Cryptography and Public Key Infrastructure (PKI) 178
“Do I Know This Already?” Quiz 178
Foundation Topics 182
Cryptography 182
Ciphers and Keys 182
Ciphers 182
Keys 183
Key Management 183
Block and Stream Ciphers 183
Block Ciphers 184
Stream Ciphers 184
Symmetric and Asymmetric Algorithms 184
Symmetric Algorithms 184
Asymmetric Algorithms 185
Elliptic Curve 186
Quantum Cryptography 187
More Encryption Types 187
One-Time Pad 187
PGP 188
Pseudorandom Number Generators 189
Hashes 189
Hashed Message Authentication Code 191
Digital Signatures 192
Digital Signatures in Action 192
Next-Generation Encryption Protocols 195

IPsec and SSL/TLS 196
IPsec 196
Secure Sockets Layer and Transport Layer Security 196
SSH 198
Fundamentals of PKI 199
Public and Private Key Pairs 199
RSA Algorithm, the Keys, and Digital Certificates 199
Certificate Authorities 200
Root and Identity Certificates 202
Root Certificate 202
Identity Certificates 204
X.500 and X.509v3 204
Authenticating and Enrolling with the CA 205
Public Key Cryptography Standards 206
Simple Certificate Enrollment Protocol 206
Revoking Digital Certificates 207
Using Digital Certificates 207
PKI Topologies 208
Single Root CA 208
Hierarchical CA with Subordinate CAs 208
Cross-Certifying CAs 208
Exam Preparation Tasks 209
Review All Key Topics 209
Define Key Terms 210
Review Questions 210
Chapter 6 Introduction to Virtual Private Networks (VPNs) 212
“Do I Know This Already?” Quiz 212
Foundation Topics 214
What Are VPNs? 214
Site-to-Site vs. Remote-Access VPNs 215
An Overview of IPsec 216
IKEv1 Phase 1 217
IKEv1 Phase 2 220
IKEv2 222
SSL VPNs 225
SSL VPN Design Considerations 227
User Connectivity 228
VPN Device Feature Set 228

Infrastructure Planning 228
Implementation Scope 228
Exam Preparation Tasks 229
Review All Key Topics 229
Define Key Terms 229
Review Questions 230
Chapter 7 Introduction to Security Operations Management 232
“Do I Know This Already?” Quiz 232
Foundation Topics 235
Introduction to Identity and Access Management 235
Phases of the Identity and Access Life Cycle 235
Registration and Identity Validation 236
Privileges Provisioning 236
Access Review 236
Access Revocation 236
Password Management 236
Password Creation 237
Multifactor Authentication 239
Password Storage and Transmission 240
Password Reset 240
Password Synchronization 240
Directory Management 241
Single Sign-On 243
Kerberos 245
Federated SSO 246
Security Assertion Markup Language 247
OAuth 249
OpenID Connect 251
Security Events and Log Management 251
Log Collection, Analysis, and Disposal 251
Syslog 253
Security Information and Event Manager 255
Security Orchestration, Automation, and Response (SOAR) 257
SOC Case Management (Ticketing) Systems 257
Asset Management 257
Asset Inventory 258
Asset Ownership 259

Asset Acceptable Use and Return Policies 259
Asset Classification 260
Asset Labeling 260
Asset and Information Handling 260
Media Management 260
Introduction to Enterprise Mobility Management 261
Mobile Device Management 263
Cisco BYOD Architecture 264
Cisco ISE and MDM Integration 266
Cisco Meraki Enterprise Mobility Management 267
Configuration and Change Management 268
Configuration Management 268
Planning 269
Identifying and Implementing the Configuration 270
Controlling the Configuration Changes 270
Monitoring 270
Change Management 270
Vulnerability Management 273
Vulnerability Identification 273
Finding Information About a Vulnerability 274
Vulnerability Scan 276
Penetration Testing (Ethical Hacking Assessments) 277
Product Vulnerability Management 278
Vulnerability Analysis and Prioritization 282
Vulnerability Remediation 286
Patch Management 287
Exam Preparation Tasks 291
Review All Key Topics 291
Define Key Terms 292
Review Questions 292
Chapter 8 Fundamentals of Intrusion Analysis 294
“Do I Know This Already?” Quiz 294
Foundation Topics 299
Introduction to Incident Response 299
The Incident Response Plan 301

The Incident Response Process 302
The Preparation Phase 302
The Detection and Analysis Phase 302
Containment, Eradication, and Recovery 303
Post-Incident Activity (Postmortem) 304
Information Sharing and Coordination 304
Incident Response Team Structure 307
Computer Security Incident Response Teams 307
Product Security Incident Response Teams 309
Security Vulnerabilities and Their Severity 310
Vulnerability Chaining Role in Fixing Prioritization 312
How to Fix Theoretical Vulnerabilities 313
Internally Versus Externally Found Vulnerabilities 313
National CSIRTs and Computer Emergency Response Teams 314
Coordination Centers 315
Incident Response Providers and Managed Security Service Providers (MSSPs) 315
Common Artifact Elements and Sources of Security Events 316
The 5-Tuple 317
File Hashes 320
Tips on Building Your Own Lab 321
False Positives, False Negatives, True Positives, and True Negatives 326
Understanding Regular Expressions 327
Protocols, Protocol Headers, and Intrusion Analysis 330
How to Map Security Event Types to Source Technologies 333
Exam Preparation Tasks 335
Review All Key Topics 335
Define Key Terms 336
Review Questions 336
Chapter 9 Introduction to Digital Forensics 338
“Do I Know This Already?” Quiz 338
Foundation Topics 341
Introduction to Digital Forensics 341
The Role of Attribution in a Cybersecurity Investigation 342
The Use of Digital Evidence 342
Defining Digital Forensic Evidence 343
Understanding Best, Corroborating, and Indirect or Circumstantial Evidence 343

Collecting Evidence from Endpoints and Servers 344
Using Encryption 345
Analyzing Metadata 345
Analyzing Deleted Files 346
Collecting Evidence from Mobile Devices 346
Collecting Evidence from Network Infrastructure Devices 346
Evidentiary Chain of Custody 348
Reverse Engineering 351
Fundamentals of Microsoft Windows Forensics 353
Processes, Threads, and Services 353
Memory Management 356
Windows Registry 357
The Windows File System 359
Master Boot Record (MBR) 359
The Master File Table (MFT) 360
Data Area and Free Space 360
FAT 360
NTFS 361
MFT 361
Timestamps, MACE, and Alternate Data Streams 361
EFI 362
Fundamentals of Linux Forensics 362
Linux Processes 362
Ext4 366
Journaling 366
Linux MBR and Swap File System 366
Exam Preparation Tasks 367
Review All Key Topics 367
Define Key Terms 368
Review Questions 368
Chapter 10 Network Infrastructure Device Telemetry and Analysis 370
“Do I Know This Already?” Quiz 370
Foundation Topics 373
Network Infrastructure Logs 373
Network Time Protocol and Why It Is Important 374
Configuring Syslog in a Cisco Router or Switch 376

Traditional Firewall Logs 378
Console Logging 378
Terminal Logging 379
ASDM Logging 379
Email Logging 379
Syslog Server Logging 379
SNMP Trap Logging 379
Buffered Logging 379
Configuring Logging on the Cisco ASA 379
Syslog in Large-Scale Environments 381
Splunk 381
Graylog 381
Elasticsearch, Logstash, and Kibana (ELK) Stack 382
Next-Generation Firewall and Next-Generation IPS Logs 385
NetFlow Analysis 395
What Is a Flow in NetFlow? 399
The NetFlow Cache 400
NetFlow Versions 401
IPFIX 402
IPFIX Architecture 403
IPFIX Mediators 404
IPFIX Templates 404
Commercial NetFlow Analysis Tools 404
Open-Source NetFlow Analysis Tools 408
Big Data Analytics for Cybersecurity Network Telemetry 411
Cisco Application Visibility and Control (AVC) 413
Network Packet Capture 414
tcpdump 415
Wireshark 417
Network Profiling 418
Throughput 419
Measuring Throughput 421
Used Ports 423
Session Duration 424
Critical Asset Address Space 424
Exam Preparation Tasks 427
Review All Key Topics 427

Define Key Terms 427
Review Questions 427
Chapter 11 Endpoint Telemetry and Analysis 430
“Do I Know This Already?” Quiz 430
Foundation Topics 435
Understanding Host Telemetry 435
Logs from User Endpoints 435
Logs from Servers 440
Host Profiling 441
Listening Ports 441
Logged-in Users/Service Accounts 445
Running Processes 448
Applications Identification 450
Analyzing Windows Endpoints 454
Windows Processes and Threads 454
Memory Allocation 456
The Windows Registry 458
Windows Management Instrumentation 460
Handles 462
Services 463
Windows Event Logs 466
Linux and macOS Analysis 468
Processes in Linux 468
Forks 471
Permissions 472
Symlinks 479
Daemons 480
Linux-Based Syslog 481
Apache Access Logs 484
NGINX Logs 485
Endpoint Security Technologies 486
Antimalware and Antivirus Software 486
Host-Based Firewalls and Host-Based Intrusion Prevention 488
Application-Level Whitelisting and Blacklisting 490
System-Based Sandboxing 491
Sandboxes in the Context of Incident Response 493

Exam Preparation Tasks 494
Review All Key Topics 494
Define Key Terms 495
Review Questions 495
Chapter 12 Challenges in the Security Operations Center (SOC) 496
“Do I Know This Already?” Quiz 496
Foundation Topics 499
Security Monitoring Challenges in the SOC 499
Security Monitoring and Encryption 500
Security Monitoring and Network Address Translation 501
Security Monitoring and Event Correlation Time Synchronization 502
DNS Tunneling and Other Exfiltration Methods 502
Security Monitoring and Tor 504
Security Monitoring and Peer-to-Peer Communication 505
Additional Evasion and Obfuscation Techniques 506
Resource Exhaustion 508
Traffic Fragmentation 509
Protocol-Level Misinterpretation 510
Traffic Timing, Substitution, and Insertion 511
Pivoting 512
Exam Preparation Tasks 517
Review All Key Topics 517
Define Key Terms 517
Review Questions 517
Chapter 13 The Art of Data and Event Analysis 520
“Do I Know This Already?” Quiz 520
Foundation Topics 522
Normalizing Data 522
Interpreting Common Data Values into a Universal Format 523
Using the 5-Tuple Correlation to Respond to Security Incidents 523
Using Retrospective Analysis and Identifying Malicious Files 525
Identifying a Malicious File 526
Mapping Threat Intelligence with DNS and Other Artifacts 527
Using Deterministic Versus Probabilistic Analysis 527
Exam Preparation Tasks 528

Review All Key Topics 528
Define Key Terms 528
Review Questions 528
Chapter 14 Classifying Intrusion Events into Categories 530
“Do I Know This Already?” Quiz 530
Foundation Topics 532
Diamond Model of Intrusion 532
Cyber Kill Chain Model 539
Reconnaissance 540
Weaponization 543
Delivery 544
Exploitation 545
Installation 545
Command and Control 546
Action on Objectives 547
The Kill Chain vs. MITRE’s ATT&CK 548
Exam Preparation Tasks 550
Review All Key Topics 550
Define Key Terms 550
Review Questions 550
Chapter 15 Introduction to Threat Hunting 552
“Do I Know This Already?” Quiz 552
Foundation Topics 554
What Is Threat Hunting? 554
Threat Hunting vs. Traditional SOC Operations vs. Vulnerability Management 555
The Threat-Hunting Process 556
Threat-Hunting Maturity Levels 557
Threat Hunting and MITRE’s ATT&CK 558
Automated Adversarial Emulation 563
Threat-Hunting Case Study 567
Threat Hunting, Honeypots, Honeynets, and Active Defense 571
Exam Preparation Tasks 571
Review All Key Topics 571
Define Key Terms 572
Review Questions 572

Chapter 16 Final Preparation 574
Hands-on Activities 574
Suggested Plan for Final Review and Study 574
Summary 575
Glossary of Key Terms 577
Appendix A Answers to the “Do I Know This Already?” Quizzes and Review Questions 592
Appendix B Understanding Cisco Cybersecurity Operations Fundamentals CBROPS 200-201 Exam Updates 614
Index 616
Online Elements
Appendix C Study Planner
Glossary of Key Terms

Command Syntax Conventions
The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows:
- Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).
- Italic indicates arguments for which you supply actual values.
- Vertical bars (|) separate alternative, mutually exclusive elements.
- Square brackets ([ ]) indicate an optional element.
- Braces ({ }) indicate a required choice.
- Braces within brackets ([{ }]) indicate a required choice within an optional element.

Introduction
The Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) exam is a 120-minute exam that includes 95 to 105 questions. This exam and curriculum are designed to prepare the cybersecurity analysts of the future! The CyberOps Associate certification provides a path to prepare individuals pursuing a cybersecurity career and associate-level job roles in security operations centers (SOCs). The exam covers the fundamentals you need to prevent, detect, analyze, and respond to cybersecurity incidents.
TIP You can review the exam blueprint from the Cisco website at ops.html.
This book gives you the foundation and covers the topics necessary to start your CyberOps Associate certification journey.

The Cisco CyberOps Associate Certification
The Cisco CyberOps Associate certification is one of the industry’s most respected certifications. There are no formal prerequisites for the CyberOps Associate certification. In other words, you do not have to pass any other exams or certifications to take the 200-201 CBROPS exam. On the other hand, you must have a good understanding of basic networking and IT concepts.
Cisco considers ideal candidates to be those who possess the following:
Knowle
