
CCNA CyberOps - d2zmdbbm9feqrf.cloudfront.net CyberOps James Risler, Manager Security Content Development BRKCRT 2009 •


CCNA CyberOps

James Risler, Manager Security Content Development

BRKCRT 2009


Agenda

• Introduction

• Job Role of a Security Analyst

• CCNA Cyber Ops

• Highlights of SECFND Course

• Highlights of SECOPS Course

• How to Prepare

• Conclusion


The Problem


© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

The Problem…

Chart of the world's biggest data breaches (source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/). Organizations named on the slide: Anthem, Target, Mossack Fonseca, Ebay, JP Morgan Chase, Voter Database, Univ. of MD, Neiman Marcus, TJ Maxx, Sony, Zappos, LinkedIn, Citigroup.


Threat Landscape is Evolving… (Increased Attack Surface)

Timeline figure, 2000 → 2005 → 2010 → Tomorrow:

• Threats: Worms; Spyware and Rootkits; APTs; Cyberwar

• Defenses: Antivirus (Host-Based); IDS/IPS (Network Perimeter); Reputation (Global) and Sandboxing; Intelligence and Analytics (Cloud); Enterprise Response


The History of Hacking and Examples

Timeline figure, 1990 → 1995 → 2000 → 2005 → 2010 → 2015 → 2020:

• Viruses: 1990–2000

• Worms: 2000–2005

• Spyware and Rootkits: 2005–Today

• APTs, Cyberwar: Today+

Captions along the timeline: Phishing, Low Sophistication → Hacking Becomes an Industry → Sophisticated Attacks, Complex Landscape

Examples named on the timeline: ILOVEYOU, Melissa, Anna Kournikova; Nimda, SQL Slammer, Conficker; Aurora, Shady Rat, Duqu; Botnets (Tedroo, Rustock, Conficker v2); Shamoon 2, GRIZZLY STEPPE, Angler


Welcome to the Hackers’ Economy

Global Cybercrime Market: $450B–$1T (Source: CNBC)

How Industrial Hackers Monetize the Opportunity:

• Social Security: $1

• Medical Record: >$50

• DDoS as a Service: ~$7/hour

• Credit Card Data: $0.25–$60

• Bank Account Info: >$1000, depending on account type and balance

• Exploits: $100K–$300K

• Facebook Account: $1 for an account with 15 friends

• Spam: $50 per 500K emails

• Malware Development: $2500 (commercial malware)

• Mobile Malware: $150


Job Role of a Security Analyst


Challenges Facing Organizations

• Identifying Botnet Command & Control Activity. Botnets are implanted in the enterprise to execute commands that send spam, launch Denial of Service attacks, or perform other malicious acts.

• Detecting Advanced Persistent Threats. Malware that makes it past perimeter security can remain in the enterprise as a lurking threat, waiting to strike. These may be zero-day threats that do not yet have an antivirus signature, or may be hard to detect for other reasons.

• Finding Internally Spread Malware. Malware can proliferate across hosts inside the network for the purpose of gathering security reconnaissance data, exfiltrating data, or establishing network backdoors.

• Uncovering Network Reconnaissance. Some attacks probe the network looking for attack vectors to be used by custom-crafted cyber threats.


New Focus - Attack Continuum

Visibility and Context across Mission Critical Business Systems and Solutions

BEFORE: Discover, Enforce, Harden

DURING: Detect, Block, Defend

AFTER: Scope, Contain, Remediate

Supporting elements shown: Policies, Process and People; Response Policy and Detection; Communication Strategy; Identification, Monitoring, Impact, Mitigation


National Institute of Standards and Technology (NIST)

Objective:

• Framework

• Job Role Alignment

• Students have clear job prospects & opportunities

• Help policy makers promote job growth

• Assist employers with job-skill hiring and development


Continue: Security Analyst Challenges

Perimeter security stops many threats, but sophisticated cyber threats evade existing security constructs.

Fingerprints of threats are often found in the network fabric.

Perimeter security gateways: Firewall, IPS, Web Sec, N-AV, Email Sec

• Customized Threat Bypasses Security Gateways

• Threat Spreads Inside Perimeter

• Customized Threat Enters from Inside

• Threat Spreads to Devices


Security Investigation Process

Start → End: Goals/Objectives → SOC Solutions Components

Foundations, Prevent, Detect, Collect, Analyze, Mitigate

Playbook – Process and Procedures


Functional Model for Security Analyst

Security Analyst SOC Solution Components:

• Prevent: Network IPS, Host IPS, Firewall, Email/Web Proxy, Antivirus, Spam Prevention

• Detect: Network IDS, Adv. Malware, Behavioral anomaly, NetFlow anomaly

• Collect: Device Monitoring, Performance Monitoring, Traffic Capture, Device Config, NetFlow, Event Logs, Proxy Logs, Web, Firewall

• Analyze: Malware Analysis, SIEM Analysis, Other Tools

• Mitigate: IP Blackhole, DNS Poisoning, Adv. ACLs

• Skill Foundation


Example – Job Roles in a SOC

• Analysis / Investigate

• Data: SIEM, Packet Capture & Flow Tools

• Tools: Data Analysis, Collaboration, & Case Tools

• Intel & Research

• Evidence & Information


“Kimusky” Operation: A North Korean APT

• 4 Key South Korean Targets

  • Phishing against Hyundai Merchant Marine

• Infecting Systems

  • Trojan Dropper – DLL library against Windows 7

• Install Spying Modules

  • Key Stroke Logger, Directory Listing, Remote Control & Execution, Remote Control Access

  • Disable Firewall

• Communication

  • Command and control bot done through a Bulgarian web-based free email server

  • Regular Reporting and RC4 Encryption and Exporting of Data


CCNA Cyber Operations Certification


Simplified Security Team Model

• CSO / Manager – “Set Policy & Prioritize”: CISO, Manager; Legal/Compliance/Privacy

• Secure Infrastructure Architects & Engineers – “Design and Secure”: Architect & Engineer

• Security Operations Team – “Detect and Respond”: Security Analyst; First Responder; Network Auditor; Digital Forensics Investigator; SOC Team Member

• Secure Infrastructure Engineers, Technicians & Administrators – “Build and Secure”: Engineer, Administrator, Technician

Certifications Mapping

• Secure Infrastructure (Cisco SAFE Architecture): CCIE Security, CCNP Security, CCNA Security

• Threat Centric Model: CCNA Cyber Ops

• CE Credits

• Cross-Training

• Product or Job-Role Training


Curriculum Paths: Security Career Training

• Product Training – Product Deep Dive; Install/Troubleshoot; “Install/Run Product”

• Secure Infrastructure – Definitive job-role training on building secure network infrastructure. Build/Secure; “Build the Castle”

• Cybersecurity Operations – Definitive job-role training for security operations jobs. Detect/Respond; “Guard the Castle”

• Applied Security – Elective/specialized training applying security skills to technologies or environments. Apply Security Skills

Core (Job) Skills: “Traditional” mix and newer areas


Security Fundamentals Course (SECFND)


Security Fundamentals Course: 14 sections in this course that cover:

• Fundamentals of TCP/IP

• Fundamentals of Cryptography

• Information Security

• Network Applications and Attacks

• Windows and Linux OS Overview

• Endpoint Attacks and Security

• Security Data Collection **

• Security Event Analysis **

75% of the Course is on Foundation Skills

Focused on knowledge needed for SECOPS Course

Data Collection and Event Analysis key feeder concepts


Example Lifecycle of Detection

Phases: Preparation → Detection → Analysis → Containment and Eradication → Recovery → Lessons Learned

Supporting elements shown: SIEM Tools & Workflow Management; Logs & Event Notifications based on Policies; Log & Flow Correlation w/ PCAP files; Security Engineer; Playbook Modification; Communication & Defensive measures


Attacker Methodology

• Understand what types of attackers there are.

• What is the methodology an attacker will use?

  • Hacking Techniques

  • Basic strategy

  • Public Information

  • Map Information

• Short-term vs. Long-term attacker goals

Stages: Gather Info → Scan → Gain Access → Escalate → Persist → Expand → Accomplish Goal


Understanding Attacks

Actors in the diagram: External Attacker, Infected Workstation, File Server, C&C Servers, Insecure FTP Server

Step 1: Attacker sends email to victim

Step 2: Email infects victim, connects to C&C

Step 3: Attacker sends instructions to victim host

Step 4: Victim host copies and encrypts data

Step 5: Victim host uploads encrypted data to FTP

Step 6: Attacker retrieves encrypted data from FTP


Malware and Attacker Tools

• Distinguish between general purpose malware and attacker tools

• Describe the role of each tool in an attacking toolset

• Attacker Exploits – (know the difference between each one of these)

  • Backdoors

  • Downloaders and droppers

  • Rootkits

  • Pivots

  • Keyloggers

  • Exploits

  • Payloads


Example of a Complex Threat Visibility Concept

Automating Context Collection: correlating log data with flow information

Flow of interest:

SRC/65.32.7.45

DST/165.1.4.9/Uzbekistan : FTP

Context:

User/ORG = Pat Smith, R&D

Client = Dell XYZ100

DST = Poor Reputation

ACTIVE FLOWS: 23,892

SRC/65.32.7.45

DST/171.54.9.2/US : HTTP

DST/34.1.5.78/China : HTTPS

DST/165.1.4.9/Uzbekistan : FTP

DST/123.21.2.5/US : AIM

DST/91.25.1.1/US : FACEBOOK

Attack bypasses the perimeter and traverses the network; NetFlow at the access layer provides greater granularity.

Leveraging NetFlow to investigate a potential IT policy violation
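The correlation the slide describes, and the FTP upload in step 5 of the "Understanding Attacks" scenario above, can be reproduced in a few dozen lines. The following is an added example, not code from the slides or from Cisco: it takes the flow records shown on the slide (in a constructed comma-separated form rather than a real NetFlow export), joins each flow to constructed identity context and a constructed reputation entry, and keeps only the flows that trigger a reason an analyst would act on. The identity and reputation lookups are stand-ins for whatever identity service and threat feed a real SOC would query.

```python
from dataclasses import dataclass, field

# Constructed flow records in "src,dst,dst_country,proto" form; the values
# mirror the slide's illustration, not a real NetFlow export.
FLOW_RECORDS = """\
65.32.7.45,171.54.9.2,US,HTTP
65.32.7.45,34.1.5.78,China,HTTPS
65.32.7.45,165.1.4.9,Uzbekistan,FTP
65.32.7.45,123.21.2.5,US,AIM
65.32.7.45,91.25.1.1,US,FACEBOOK
"""

# Constructed identity/asset context keyed by source IP (assumed to come from
# an identity service or asset inventory in a real SOC).
HOST_CONTEXT = {
    "65.32.7.45": {"user": "Pat Smith", "org": "R&D", "client": "Dell XYZ100"},
}

# Constructed reputation feed keyed by destination IP.
REPUTATION = {"165.1.4.9": "Poor"}

# Protocols that can move bulk data out of the network; one policy signal.
EXFIL_CAPABLE = {"FTP", "SFTP", "SCP"}


@dataclass
class Flow:
    src: str
    dst: str
    country: str
    proto: str


@dataclass
class Finding:
    flow: Flow
    user: str
    org: str
    client: str
    reputation: str
    reasons: list = field(default_factory=list)


def parse_flows(text):
    """Parse the constructed record format into Flow objects."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        src, dst, country, proto = line.split(",")
        flows.append(Flow(src, dst, country, proto))
    return flows


def enrich(flow):
    """Attach who/what context for the source and reputation for the destination."""
    ctx = HOST_CONTEXT.get(flow.src, {})
    return Finding(flow, ctx.get("user", "unknown"), ctx.get("org", "unknown"),
                   ctx.get("client", "unknown"), REPUTATION.get(flow.dst, "Unknown"))


def score(finding):
    """Record each policy reason the enriched flow triggers."""
    if finding.reputation == "Poor":
        finding.reasons.append("destination has poor reputation")
    if finding.flow.proto in EXFIL_CAPABLE:
        finding.reasons.append(f"{finding.flow.proto} can carry bulk data out")
    return finding


def investigate(text):
    """Return only the flows that triggered at least one reason, with context."""
    return [f for f in (score(enrich(fl)) for fl in parse_flows(text)) if f.reasons]


def summarize(finding):
    fl = finding.flow
    return (f"{fl.src} -> {fl.dst}/{fl.country} : {fl.proto} | user={finding.user} "
            f"({finding.org}), client={finding.client}, dst_rep={finding.reputation} | "
            + "; ".join(finding.reasons))


if __name__ == "__main__":
    for f in investigate(FLOW_RECORDS):
        print(summarize(f))
```

Of the five flows only the FTP session to 165.1.4.9 survives, and it arrives already tagged with the user, the client and the two reasons it was kept, which is the "context" box the slide draws beside the raw flow list.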


Attack Example – SQL Injection
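The slide is an image, so as an added illustration (not from the slides or from Cisco) here is the shape of the attack in code, with the fix beside it: the same lookup written with string concatenation and with a bound parameter, run against a constructed in-memory SQLite table, plus a small log-side heuristic an analyst could run over web or WAF logs. The table contents, the regex and the function names are all constructed for the example.

```python
import re
import sqlite3


def build_db():
    """Constructed in-memory user table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """String concatenation: the caller's input becomes part of the SQL grammar."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Bound parameter: the input is compared as a value, never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo(username):
    """Return (rows from the vulnerable query, rows from the parameterized query)."""
    conn = build_db()
    return lookup_vulnerable(conn, username), lookup_parameterized(conn, username)


# Constructed log-triage heuristic: a quote immediately followed by a SQL
# keyword or comment token. It is deliberately narrow so that ordinary
# apostrophes in names do not fire.
INJECTION_RE = re.compile(r"['\"]\s*(or|and|union|select|insert|delete|drop|--|#|;)",
                          re.IGNORECASE)


def looks_like_injection(value):
    return INJECTION_RE.search(value) is not None


if __name__ == "__main__":
    for name in ("alice", "x' OR '1'='1"):
        vuln, safe = demo(name)
        print(f"{name!r}: concatenated -> {len(vuln)} rows, parameterized -> {len(safe)} rows")
```

For a normal username both queries return the same single row; for input that closes the quote and appends an OR clause the concatenated query returns every row while the parameterized one returns nothing, because the whole string is compared as one username. The heuristic flags that input and a trailing comment token but not a surname such as O'Brien, which is the false-positive check worth keeping in any rule of this kind.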


Kill Chain

• Understand what Attackers Do

• Attackers are not bound to this

• Used to prioritize events

• Set Escalation Levels

• Determine Defense Level Controls

• Measure Analytic Completeness


APT Threat Life Cycle

APTs can go undetected for years

APT1 report – undetected for 4 years 10 months (avg. 356 days)

Source: Mandiant Report – APT1: Exposing One of China’s Cyber Espionage Units


Diamond Model

• The Diamond Model was developed to help derive order from chaos.

• Systematic ways to analyze events

• Supports “critical thinking”, a key skill for a Security Analyst

• Example – grouping events shows an adversary’s capabilities


Security Operations Course (SECOPS)


Security Operations Course: 14 sections plus some appendix information:

• Define a SOC and job roles in a SOC

• SOC Infrastructure Tools and Systems

• Incident Analysis for a Threat Centric SOC

• Resources to Assist with an Investigation

• Event Correlation and Normalization

• Common Attack Vectors

• Identifying Malicious Activity

• Using the Playbook

• Incident Response Handbook

• SOC Metrics/Threat Integration

• SOC Workflow and Automation

Course focuses on entry-level Security Analyst skills

Solid Network Foundation is Critical

Generic SOC Approach


Types of SOCs

• Analogy – a Threat-Centric SOC is like predicting the weather 100% correctly all the time

• One SOC does not fit all

• Threat-Centric – proactively hunts for threats on a network

  • Telemetry and Data Analytics

• Versus Compliance-Based SOC

  • Detection of unauthorized changes

  • Policy violations

  • Compliance with PCI or DSS 2.0

• Versus Operational-Based SOC


Generic SOC Architecture

• Telemetry Streams: Full Packet Capture, NetFlow, Protocol Metadata, Application Logs, Machine Logs

• Enrichment Data: Threat Intelligence Feeds

• Pipeline: Parse + Format → Alert

• Applications & Analyst Tools: Log Mining & Analytics; Network Packet Mining; Big Data Modeling & Statistical Analysis


External Resources


SOC Analyst Tier 1


Stages of Attack


Network Security Monitoring & Tools

• Analysts need data

• Tools are based on requirements

• Tools - Security Onion

  • Sguil

  • ELSA

  • Bro

  • Snort - NIDS

  • OSSEC - HIDS


NetFlow Information


Example NetFlow Traffic Flow


Specific NetFlow Host Communications


DNS Record

Label: 596-958849831234.id-10293839413421.up.sshdns.abc.tunnel.private.

TTL: 0

Class: IN (Internet)

Record Type: TXT

Data: "AAAAlAgfAAAAgQDKrd3sFmf8aLX6FdU8ThUy3SRWGhotR6EsAavqHgBzH2khqsQHQjEf355jS7c+4a8kAmFVQ4mpEEJeBE6IyDWbAQ9a0rgOKcsaWwJ7GdngGm9jpvReXX7S/2oqAIUFCn0M8=" "MHw9tR0kkDVZB7RCfCOpjfHrir7yuiCbt7FpyX8AAAABBQAAAAAAAAAA"
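The record above carries several signs of DNS tunneling at once: a long, digit-heavy query name that looks like chunk numbering, a TTL of 0 so nothing is cached, and a TXT answer that is a long base64-like blob. The following added example (not from the slides or from Cisco) scores a record on those indicators plus the Shannon entropy of the answer data. The first sample record is the slide's record reassembled; the benign A record, the thresholds and the function names are constructed for the example.

```python
import math
import re
from collections import Counter

# Constructed records as (name, ttl, rtype, rdata). The first is the slide's
# tunnel example reassembled; the second is a benign record for contrast.
SAMPLE_RECORDS = [
    ("596-958849831234.id-10293839413421.up.sshdns.abc.tunnel.private.", 0, "TXT",
     "AAAAlAgfAAAAgQDKrd3sFmf8aLX6FdU8ThUy3SRWGhotR6EsAavqHgBzH2khqsQ"
     "HQjEf355jS7c+4a8kAmFVQ4mpEEJeBE6IyDWbAQ9a0rgOKcsaWwJ7GdngGm9jpvReX"
     "X7S/2oqAIUFCn0M8="),
    ("www.example.com.", 3600, "A", "93.184.216.34"),
]

BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def shannon_entropy(s):
    """Bits per character; random base64 text sits well above hostnames or IPs."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def tunnel_indicators(name, ttl, rtype, rdata):
    """Return the list of tunneling indicators one record shows (empty = none)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    reasons = []
    if len(name) > 60:
        reasons.append("long query name")
    if any(len(l) > 20 for l in labels):
        reasons.append("label longer than 20 characters")
    # Digit-heavy labels typically carry sequence numbers for chunked transfers.
    if any(sum(ch.isdigit() for ch in l) >= 10 for l in labels):
        reasons.append("digit-heavy label (chunk/sequence numbering)")
    if ttl == 0:
        reasons.append("TTL 0 defeats resolver caching")
    if rtype == "TXT" and len(rdata) > 64 and BASE64_RE.match(rdata):
        reasons.append("long base64-like TXT payload")
    if rtype == "TXT" and shannon_entropy(rdata) > 4.5:
        reasons.append("high-entropy TXT payload")
    return reasons


def scan(records, min_reasons=3):
    """Flag records showing at least min_reasons indicators; single hits stay quiet."""
    flagged = []
    for rec in records:
        reasons = tunnel_indicators(*rec)
        if len(reasons) >= min_reasons:
            flagged.append((rec[0], reasons))
    return flagged


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_RECORDS):
        print(name)
        for r in reasons:
            print("  -", r)
```

Requiring several indicators before alerting is the point of the design: a long name alone describes plenty of CDN hostnames, and a TXT record alone describes SPF and DKIM, but the slide's record trips five of the six checks while the benign record trips none.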


Abnormal Traffic Indicators

DMZ servers scanning the inside network

SOC Analyst understanding “Well Known Ports”
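A DMZ server that starts probing the inside network is visible in flow data long before any payload is. The following added example (not from the slides or from Cisco) detects it from constructed flow records: it keeps only flows a DMZ host initiates toward the inside, then counts distinct destination ports per inside host (a vertical scan) and distinct inside hosts per port (a horizontal scan), and separately lists every inside port reached that is not one of the well-known services a DMZ host is expected to use. The address plan, the allowed-port set, the thresholds and the flow lines are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed address plan (assumed for the example, not from the slide).
DMZ = ip_network("203.0.113.0/24")
INSIDE = ip_network("10.0.0.0/8")

# Well-known inside services a DMZ host is expected to reach (DNS, LDAP, LDAPS).
ALLOWED_INSIDE_PORTS = {53, 389, 636}

# Constructed flow records: src,dst,dport,proto (one line per flow).
FLOWS = """\
203.0.113.10,10.1.2.3,21,tcp
203.0.113.10,10.1.2.3,22,tcp
203.0.113.10,10.1.2.3,23,tcp
203.0.113.10,10.1.2.3,25,tcp
203.0.113.10,10.1.2.3,80,tcp
203.0.113.10,10.1.2.3,445,tcp
203.0.113.10,10.1.2.4,445,tcp
203.0.113.10,10.1.2.5,445,tcp
203.0.113.10,10.1.2.6,445,tcp
203.0.113.10,10.1.2.7,445,tcp
203.0.113.10,10.1.2.8,445,tcp
203.0.113.20,10.0.0.53,53,udp
10.1.2.3,10.1.2.9,3389,tcp
"""


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, proto = line.split(",")
        flows.append((ip_address(src), ip_address(dst), int(dport), proto))
    return flows


def dmz_to_inside(flows):
    """Only flows initiated by a DMZ host toward the inside network are of interest."""
    return [f for f in flows if f[0] in DMZ and f[1] in INSIDE]


def detect_scans(flows, port_threshold=5, host_threshold=5):
    ports_per_host = defaultdict(set)   # (src, dst)   -> distinct destination ports
    hosts_per_port = defaultdict(set)   # (src, dport) -> distinct destination hosts
    for src, dst, dport, _ in dmz_to_inside(flows):
        ports_per_host[(src, dst)].add(dport)
        hosts_per_port[(src, dport)].add(dst)
    alerts = []
    for (src, dst), ports in ports_per_host.items():
        if len(ports) >= port_threshold:
            alerts.append(f"vertical scan: {src} probed {len(ports)} ports on {dst}")
    for (src, dport), hosts in hosts_per_port.items():
        if len(hosts) >= host_threshold:
            alerts.append(f"horizontal scan: {src} probed port {dport} on {len(hosts)} hosts")
    return alerts


def unexpected_ports(flows):
    """DMZ-to-inside flows on ports outside the expected well-known set."""
    return sorted({(str(s), str(d), p) for s, d, p, _ in dmz_to_inside(flows)
                   if p not in ALLOWED_INSIDE_PORTS})


if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    for alert in detect_scans(flows):
        print(alert)
    print(f"{len(unexpected_ports(flows))} DMZ-to-inside flows on unexpected ports")
```

The inside-to-inside RDP flow and the DMZ host's DNS lookup pass through untouched; the two alerts both name 203.0.113.10, which is the record a Tier 1 analyst would open first.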


Log Data Search

Using ELSA to search through large volumes of log data

It is critical to narrow the search down, because ELSA will only show you 100 records


Malware Site – Identify Malicious Payloads


SGUIL Log Analysis

Snort feeds TCP/IP session events to the database

• Real Time Events

• Session Data

• Raw Packet Captures


Further Investigation

Sguil Database Events

Output received from sensors so-eth3-1 and so-ossec

Consolidation of messages on a single interface


Playbook


Playbook

• The playbook is a prescriptive collection of repeatable plays (reports or methods) to elicit a specific response to a security event


SOC Playbook Example

What does this playbook example show?

• Repeatable Process – Play ID

• Objective – Defined outcome

• Self Contained Scripts for Searching

  • Data Query

• Mitigation Action

• Analysis – Bulk of the documentation
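The parts the slide names (play ID, objective, a self-contained data query, analysis notes and a mitigation action) map directly onto a small data structure that a SOC can run rather than just read. The following added example (not from the slides or from Cisco) defines one play as such a structure and runs it over constructed proxy log lines. The play ID, the query (executables fetched from a bare-IP web host), the log format and every address are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, List

# Constructed proxy log lines: timestamp client method url status.
PROXY_LOG = """\
2017-03-01T10:00:01Z 10.1.5.22 GET http://198.51.100.7/update/svc.exe 200
2017-03-01T10:00:05Z 10.1.5.23 GET http://www.example.com/index.html 200
2017-03-01T10:01:10Z 10.1.5.22 GET http://198.51.100.7/update/helper.dll 200
2017-03-01T10:02:00Z 10.1.5.40 GET http://downloads.example.org/tool.exe 200
2017-03-01T10:03:30Z 10.1.5.41 GET http://203.0.113.9/readme.txt 404
"""


@dataclass
class Play:
    play_id: str                                # repeatable-process identifier
    objective: str                              # defined outcome
    query: Callable[[List[str]], List[str]]     # self-contained search over the data
    analysis: str                               # what the analyst checks on each hit
    mitigation: str                             # action taken once a hit is confirmed


# Query for the example play: executable content fetched from a bare-IP host.
RAW_IP_EXE = re.compile(
    r"\s(GET|POST) https?://\d{1,3}(?:\.\d{1,3}){3}/\S*\.(exe|dll|scr)\s")


def query_raw_ip_executables(lines):
    return [line for line in lines if RAW_IP_EXE.search(line)]


EXAMPLE_PLAY = Play(
    play_id="PLAY-0042",   # constructed identifier
    objective="Find internal clients that downloaded executables from a bare-IP web host",
    query=query_raw_ip_executables,
    analysis="Confirm the client, check the destination's reputation, pull the file "
             "from packet capture and submit it for malware analysis",
    mitigation="Block the destination at the proxy and isolate the client pending analysis",
)


def run_play(play, log_text):
    """Execute one play and return a report: hits, affected clients, next actions."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    hits = play.query(lines)
    clients = sorted({h.split()[1] for h in hits})
    return {
        "play_id": play.play_id,
        "objective": play.objective,
        "hits": hits,
        "clients": clients,
        "next_step": play.analysis if hits else "no hits; close",
        "mitigation": play.mitigation if hits else None,
    }


if __name__ == "__main__":
    report = run_play(EXAMPLE_PLAY, PROXY_LOG)
    print(report["play_id"], "-", report["objective"])
    for h in report["hits"]:
        print("  hit:", h)
    print("  clients:", report["clients"])
    print("  next:", report["next_step"])
```

Keeping the query as a function inside the play is what makes the play self-contained: the same object can be handed to a scheduler, versioned alongside the analysis text, and re-run on new data without the analyst re-typing the search.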


Workflow


Workflow Components in a SOC


Workflow Management Systems

Information flow between Security Devices, SIEM, Security Workflow Management System and Ticketing System

• New Solution

• Software that tags and identifies security events

• Tracks events

• Supports playbook process

• Goal – Improve SOC efficiency

• Vendors

  • Cyberesponse


Workflow Tool


How to Prepare for the Exams


Exam Preparation

• How to Prepare for the Exams (SECFND 210-250 / SECOPS 210-255)

• Exam Blueprint: http://www.cisco.com/c/en/us/training-events/training-certifications/exams/current-list/secfnd.html

• Resources

  • Books – Cisco Press

  • Publicly available resources

  • Cisco Learning Network – Study Group

  • Labs – “Build your own with Security Onion”


How to Prepare

• Where to Start?

  • Blueprint

  • Create a study plan

• Study Group on Cisco Learning Network

  • CCNA Cyber Ops

  • Posted documents

  • https://learningnetwork.cisco.com/groups/cyber-security-study-group

• Example of Resources

  • NIST Documents – http://csrc.nist.gov/publications/PubsSPs.html

  • csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf

  • NetFlow Overview

  • Wireshark Usage – www.wireshark.org/docs/wsug_html_chunked


SECFND (210-250) Cisco Cybersecurity Fundamentals Exam—Topics and Weighting

12% 1.0 Network Concepts

17% 2.0 Security Concepts

12% 3.0 Cryptography

19% 4.0 Host-Based Analysis

19% 5.0 Security Monitoring

21% 6.0 Attack Methods


Example – Course Material SECFND


210-250 (SECFND) Cisco Security Fundamentals

1.0 Network Concepts

1.1 Describe the function of the network layers as specified by the OSI and the TCP/IP network models

1.2 Describe the operation of the following

1.2.a IP

1.2.b TCP

1.2.c UDP

1.2.d ICMP

1.3 Describe the operation of these network services

1.3.a ARP

1.3.b DNS

1.3.c DHCP

1.4 Describe the basic operation of these network device types

1.4.a Router

1.4.b Switch

1.4.c Hub

1.4.d Bridge

1.4.e Wireless access point (WAP)

1.4.f Wireless LAN controller (WLC)

1.5 Describe the functions of these network security systems as deployed on the host, network, or the cloud:

1.5.a Firewall

1.5.b Cisco Intrusion Prevention System (IPS)

1.5.c Cisco Advanced Malware Protection (AMP)

1.5.d Web Security Appliance (WSA) / Cisco Cloud Web Security (CWS)

1.5.e Email Security Appliance (ESA) / Cisco Cloud Email Security (CES)

1.6 Describe IP subnets and communication within an IP subnet and between IP subnets

1.0 Network Concepts – continued

1.7 Describe the relationship between VLANs and data visibility

1.8 Describe the operation of ACLs applied as packet filters on the interfaces of network devices

1.9 Compare and contrast deep packet inspection with packet filtering and stateful firewall operation

1.10 Compare and contrast inline traffic interrogation and taps or traffic mirroring

1.11 Compare and contrast the characteristics of data obtained from taps or traffic mirroring and NetFlow in the analysis of network traffic

1.12 Identify potential data loss from provided traffic profiles

2.0 Security Concepts

2.1 Describe the principles of a defense in depth strategy

2.2 Compare and contrast these concepts

2.2.a Risk

2.2.b Threat

2.2.c Vulnerability

2.2.d Exploit

2.3 Describe these terms

2.3.a Threat actor

2.3.b Run book automation (RBA)

2.3.c Chain of custody (evidentiary)

2.3.d Reverse engineering

2.3.e Sliding window anomaly detection

2.3.f PII

2.3.g PHI


210-250 (SECFND) Cisco Security Fundamentals – continued

2.0 Security Concepts – continued

2.4 Describe these security terms

2.4.a Principle of least privilege

2.4.b Risk scoring/risk weighting

2.4.c Risk reduction

2.4.d Risk assessment

2.5 Compare and contrast these access control models

2.5.a Discretionary access control

2.5.b Mandatory access control

2.5.c Nondiscretionary access control

2.6 Compare and contrast these terms

2.6.a Network and host antivirus

2.6.b Agentless and agent-based protections

2.6.c SIEM and log collection

2.7 Describe these concepts

2.7.a Asset management

2.7.b Configuration management

2.7.c Mobile device management

2.7.d Patch management

2.7.e Vulnerability management

3.0 Cryptography

3.1 Describe the uses of a hash algorithm

3.2 Describe the uses of encryption algorithms

3.3 Compare and contrast symmetric and asymmetric encryption algorithms

3.4 Describe the processes of digital signature creation and verification

3.0 Cryptography – continued.

3.5 Describe the operation of a PKI

3.6 Describe the security impact of these commonly used hash algorithms

3.6.a MD5

3.6.b SHA-1

3.6.c SHA-256

3.6.d SHA-512

3.7 Describe the security impact of these commonly used encryption algorithms and secure communications protocols

3.7.a DES

3.7.b 3DES

3.7.c AES

3.7.d AES256-CTR

3.7.e RSA

3.7.f DSA

3.7.g SSH

3.7.h SSL/TLS

3.8 Describe how the success or failure of a cryptographic exchange impacts security investigation

3.9 Describe these items in regards to SSL/TLS

3.9.a Cipher-suite

3.9.b X.509 certificates

3.9.c Key exchange

3.9.d Protocol version

3.9.e PKCS


210-250 (SECFND) Cisco Security Fundamentals – continued

4.0 Host-Based Analysis

4.1 Define these terms as they pertain to Microsoft Windows

4.1.a Processes

4.1.b Threads

4.1.c Memory allocation

4.1.d Windows Registry

4.1.e WMI

4.1.f Handles

4.1.g Service

4.2 Define these terms as they pertain to Linux

4.2.a Processes

4.2.b Forks

4.2.c Permissions

4.2.d Symlinks

4.2.e Daemon

4.3 Describe the functionality of these endpoint technologies in regards to security monitoring

4.3.a Host-based intrusion detection

4.3.b Antimalware and antivirus

4.3.c Host-based firewall

4.3.d Application-level whitelisting/blacklisting

4.3.e Systems-based sandboxing (such as Chrome, Java, Adobe reader)

4.4 Interpret these operating system log data to identify an event

4.4.a Windows security event logs

4.4.b Unix-based syslog

4.4.c Apache access logs

4.4.d IIS access logs

5.0 Security Monitoring

5.1 Identify the types of data provided by these technologies

5.1.a TCP Dump

5.1.b NetFlow

5.1.c Next-Gen firewall

5.1.d Traditional stateful firewall

5.1.e Application visibility and control

5.1.f Web content filtering

5.1.g Email content filtering

5.2 Describe these types of data used in security monitoring

5.2.a Full packet capture

5.2.b Session data

5.2.c Transaction data

5.2.d Statistical data

5.2.f Extracted content

5.2.g Alert data

5.3 Describe these concepts as they relate to security monitoring

5.3.a Access control list

5.3.b NAT/PAT

5.3.c Tunneling

5.3.d TOR

5.3.e Encryption

5.3.f P2P

5.3.g Encapsulation

5.3.h Load balancing


210-250 (SECFND) Cisco Security Fundamentals – continued

5.0 Security Monitoring – continued

5.4 Describe these NextGen IPS event types

5.4.a Connection event

5.4.b Intrusion event

5.4.c Host or endpoint event

5.4.d Network discovery event

5.4.e NetFlow event

5.5 Describe the function of these protocols in the context of security monitoring

5.5.a DNS

5.5.b NTP

5.5.c SMTP/POP/IMAP

5.5.d HTTP/HTTPS

6.0 Attack Methods

6.1 Compare and contrast an attack surface and vulnerability

6.2 Describe these network attacks

6.2.a Denial of service

6.2.b Distributed denial of service

6.2.c Man-in-the-middle

6.3 Describe these web application attacks

6.3.a SQL injection

6.3.b Command injections

6.3.c Cross-site scripting

6.4 Describe these attacks

6.4.a Social engineering

6.4.b Phishing

6.4.c Evasion methods

6.0 Attack Methods – continued

6.5 Describe these endpoint-based attacks

6.5.a Buffer overflows

6.5.b Command and control (C2)

6.5.c Malware

6.5.d Rootkit

6.5.e Port scanning

6.5.f Host profiling

6.6 Describe these evasion methods

6.6.a Encryption and tunneling

6.6.b Resource exhaustion

6.6.c Traffic fragmentation

6.6.d Protocol-level misinterpretation

6.6.e Traffic substitution and insertion

6.6.f Pivot

6.7 Define privilege escalation

6.8 Compare and contrast remote exploit and a local exploit


210-255 (SECOPS) Cisco Cybersecurity Operations — Topics and Weighting

15% 1.0 Endpoint Threat Analysis & Computer Forensics

22% 2.0 Network Intrusion Analysis

18% 3.0 Incident Response

23% 4.0 Data and Event Analysis

22% 5.0 Incident Handling

SECOPS (210-255) Exam — Topics and Weighting


Example – Course Material SECOPS


210-255 (SECOPS) Cisco Security Operations

1.0 Endpoint Threat Analysis & Computer Forensics

1.1 Interpret the output report of a malware analysis tool such as AMP Threat Grid and Cuckoo Sandbox

1.2 Describe these terms as they are defined in CVSS 3.0:

1.2.a Attack vector

1.2.b Attack complexity

1.2.c Privileges required

1.2.d User interaction

1.2.e Scope

1.3 Describe these terms as they are defined in CVSS 3.0:

1.3.a Confidentiality

1.3.b Integrity

1.3.c Availability

1.4 Define these items as they pertain to the Microsoft Windows file system

1.4.a FAT32

1.4.b NTFS

1.4.c Alternative data streams

1.4.d MACE

1.4.e EFI

1.4.f Free space

1.4.g Timestamps on a file system

1.5 Define these terms as they pertain to the Linux file system

1.5.a EXT4

1.5.b Journaling

1.5.c MBR

1.5.d Swap file system

1.5.e MAC

1.0 Endpoint Threat Analysis & Computer Forensics – continued

1.6 Compare and contrast three types of evidence

1.6.a Best evidence

1.6.b Corroborative evidence

1.6.c Indirect evidence

1.7 Compare and contrast two types of image

1.7.a Altered disk image

1.7.b Unaltered disk image

1.8 Describe the role of attribution in an investigation

1.8.a Assets

1.8.b Threat actor

2.0 Network Intrusion Analysis

2.1 Interpret basic regular expressions

2.2 Describe the fields in these protocol headers as they relate to intrusion analysis:

2.2.a Ethernet frame

2.2.b IPv4

2.2.c IPv6

2.2.d TCP

2.2.e UDP

2.2.f ICMP

2.2.g HTTP
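To make the header fields in 2.2 concrete, here is an added example (not from the presentation) that walks a constructed Ethernet II / IPv4 / TCP frame with the standard library only. It checks the things an intrusion analyst cares about before trusting a packet: EtherType, IP version and header length, total length against the bytes actually present (the difference is Ethernet padding, not payload), the IPv4 header checksum, and the TCP data offset. The MAC and IP addresses and the HTTP request are constructed for the example; `build_frame` exists only to produce that test input and deliberately leaves the TCP checksum at zero, which this parser does not validate.

```python
import socket
import struct
from dataclasses import dataclass

TCP_FLAGS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
             ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))


@dataclass
class Parsed:
    src_mac: str
    dst_mac: str
    ethertype: int
    ttl: int
    protocol: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: list
    payload: bytes


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 for a header whose checksum field is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def flag_names(bits: int) -> list:
    return [name for name, bit in TCP_FLAGS if bits & bit]


def parse_frame(frame: bytes) -> Parsed:
    """Decode Ethernet II -> IPv4 -> TCP, validating the length and checksum fields an IDS relies on."""
    if len(frame) < 14 + 20 + 20:
        raise ValueError("frame too short for Ethernet/IPv4/TCP")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("unsupported EtherType 0x%04x" % ethertype)
    ip = frame[14:]
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4                      # header length in bytes; options make it > 20
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(ip) or total_len < ihl + 20:
        raise ValueError("malformed IPv4 header")
    if ip_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if proto != 6:
        raise ValueError("not TCP: protocol %d" % proto)
    tcp = ip[ihl:total_len]                          # bytes beyond total_len are link-layer padding
    (sport, dport, seq, ack, off_res, flags,
     _win, _tcsum, _urg) = struct.unpack("!HHIIBBHHH", tcp[:20])
    data_off = (off_res >> 4) * 4                    # TCP options live between byte 20 and data_off
    if data_off < 20 or data_off > len(tcp):
        raise ValueError("malformed TCP data offset")
    return Parsed(mac(src_mac), mac(dst_mac), ethertype, ttl, proto,
                  socket.inet_ntoa(src_ip), socket.inet_ntoa(dst_ip),
                  sport, dport, seq, ack, flag_names(flags), tcp[data_off:])


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, payload, seq=1, ack=1, ttl=64):
    """Constructed test input (not a capture). TCP checksum is left zero; parse_frame does not check it."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill in the real checksum
    eth = struct.pack("!6s6sH", bytes.fromhex(dst_mac.replace(":", "")),
                      bytes.fromhex(src_mac.replace(":", "")), 0x0800)
    return eth + ip + tcp + payload


# Constructed sample: an HTTP request in a PSH,ACK segment (addresses are documentation/private ranges)
SAMPLE_FRAME = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", "10.0.0.5", "203.0.113.10",
                           49152, 80, 0x18, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")

if __name__ == "__main__":
    print(parse_frame(SAMPLE_FRAME))
```

The checksum check is what turns this from a field dumper into something useful for 6.6.d (protocol-level misinterpretation): a sensor that skips it can be fed a packet the end host will silently discard.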

2.3 Identify the elements from a NetFlow v5 record from a security event
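NetFlow v5 is a fixed binary layout: a 24-byte header followed by up to 30 records of 48 bytes each, all in network byte order. The following added example (not from the presentation) decodes such an export into the elements 2.3 asks about (5-tuple, packet and byte counts, flow duration, cumulative TCP flags) and then uses those elements for a simple security judgement: a source emitting single-packet, SYN-only flows to many destination ports is port scanning. The export is produced by `build_netflow_v5` from constructed flow tuples, not captured from a router; addresses are from private and documentation ranges.

```python
from __future__ import annotations

import socket
import struct
from collections import defaultdict
from dataclasses import dataclass

# NetFlow v5 wire layout: version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
# engine_type, engine_id, sampling_interval
HEADER_FMT = "!HHIIIIBBH"
# srcaddr dstaddr nexthop input output dPkts dOctets first last srcport dstport
# pad1 tcp_flags prot tos src_as dst_as src_mask dst_mask pad2
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: int
    packets: int
    octets: int
    tcp_flags: int      # OR of all TCP flags seen in the flow
    duration_ms: int    # last - first, both in router SysUptime milliseconds


def parse_netflow_v5(datagram: bytes) -> tuple[dict, list[Flow]]:
    if len(datagram) < HEADER_LEN:
        raise ValueError("short NetFlow datagram")
    (version, count, uptime, secs, _nsecs, seq, _etype, eid,
     sampling) = struct.unpack(HEADER_FMT, datagram[:HEADER_LEN])
    if version != 5:
        raise ValueError("not NetFlow v5: version %d" % version)
    if count > 30 or len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count %d does not fit in %d bytes" % (count, len(datagram)))
    header = {"version": version, "count": count, "sys_uptime_ms": uptime, "unix_secs": secs,
              "flow_sequence": seq, "engine_id": eid,
              "sampling_interval": sampling & 0x3FFF}   # top two bits are the sampling mode
    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        (src, dst, _nexthop, _inif, _outif, pkts, octets, first, last, sport, dport,
         _pad1, flags, proto, _tos, _sas, _das, _smask, _dmask,
         _pad2) = struct.unpack(RECORD_FMT, datagram[off:off + RECORD_LEN])
        flows.append(Flow(socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport,
                          proto, pkts, octets, flags, last - first))
    return header, flows


def build_netflow_v5(records, uptime_ms=600000, unix_secs=1489313640, seq=0) -> bytes:
    """Constructed export for testing (not a device's output).
    records: (src, dst, sport, dport, proto, pkts, octets, tcp_flags, first_ms, last_ms)"""
    out = struct.pack(HEADER_FMT, 5, len(records), uptime_ms, unix_secs, 0, seq, 0, 0, 0)
    for src, dst, sport, dport, proto, pkts, octets, flags, first, last in records:
        out += struct.pack(RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst), b"\0\0\0\0",
                           1, 2, pkts, octets, first, last, sport, dport, 0, flags, proto, 0,
                           0, 0, 24, 24, 0)
    return out


SAMPLE_EXPORT = build_netflow_v5([
    # a DNS lookup and a completed HTTPS session (flags SYN|PSH|ACK|FIN)
    ("10.1.1.23", "10.1.1.10", 40022, 53, 17, 1, 73, 0x00, 590000, 590001),
    ("10.1.1.23", "198.51.100.20", 40100, 443, 6, 42, 30518, 0x1B, 580000, 589500),
    # three single-packet SYN-only flows from one source to different ports: a port scan
    ("10.1.1.50", "10.1.1.10", 51000, 22, 6, 1, 60, 0x02, 595000, 595000),
    ("10.1.1.50", "10.1.1.10", 51001, 23, 6, 1, 60, 0x02, 595010, 595010),
    ("10.1.1.50", "10.1.1.10", 51002, 445, 6, 1, 60, 0x02, 595020, 595020),
])


def syn_scan_sources(flows, min_ports=3) -> dict:
    """Sources with SYN-only, single-packet TCP flows to at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for f in flows:
        if f.protocol == 6 and f.tcp_flags == 0x02 and f.packets == 1:
            ports[f.src_ip].add(f.dst_port)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    hdr, flows = parse_netflow_v5(SAMPLE_EXPORT)
    print(hdr)
    print(syn_scan_sources(flows))
```

Two caveats a practitioner should carry over from the record format: `first`/`last` are router uptime, so converting them to wall-clock time needs the header's `sys_uptime` and `unix_secs`, and a non-zero `sampling_interval` means the packet and byte counts are samples rather than totals.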


210-255 (SECOPS) Cisco Security Operations – continued

2.0 Network Intrusion Analysis – continued

2.6 Interpret common artifact elements from an event to identify an alert

2.6.a IP address (source / destination)

2.6.b Client and Server Port Identity

2.6.c Process (file or registry)

2.6.d System (API calls)

2.6.e Hashes

2.6.f URI / URL

2.7 Map the provided events to these source technologies

2.7.a NetFlow

2.7.b IDS / IPS

2.7.c Firewall

2.7.d Network application control

2.7.e Proxy logs

2.7.f Antivirus

2.8 Compare and contrast impact and no impact for these items

2.8.a False Positive

2.8.b False Negative

2.8.c True Positive

2.8.d True Negative

2.9 Interpret a provided intrusion event and host profile to calculate the impact flag generated by Firepower Management Center (FMC)

3.0 Incident Response

3.1 Describe the elements that should be included in an incident response plan as stated in NIST.SP800-61 r2

3.0 Incident Response – continued

3.2 Map elements to these steps of analysis based on the NIST-SP800-61R2

3.2.a Preparation

3.2.b Detection and analysis

3.2.c Containment, eradication, and recovery

3.2.d Post-incident analysis (lessons learned)

3.3 Map the organization stakeholders against the NIST IR categories (C2M2 page 2, NIST.SP800-61 r2 p.21-p.41)

3.3.a Preparation

3.3.b Detection and analysis

3.3.c Containment, eradication, and recovery

3.3.d Post-incident analysis (lessons learned)

3.4 Describe the goals of the given CSIRT

(https://www.cert.org/incident-management/csirt-development/csirt-faq.cfm)

3.4.a Internal CSIRT

3.4.b National CSIRT

3.4.c Coordination centers

3.4.d Analysis centers

3.4.e Vendor teams

3.4.f Incident response providers (MSSP)

3.5 Identify these elements used for network profiling

3.5.a Total throughput

3.5.b Session duration

3.5.c Ports used

3.5.d Critical asset address space

3.6 Identify these elements used for server profiling

3.6.a Listening ports

3.6.b Logged in users/service accounts

3.6.c Running processes

3.6.d Running tasks

3.6.e Applications


210-255 (SECOPS) Cisco Security Operations – continued

5.0 Incident Handling

5.1 Classify intrusion events into these categories as defined by the Cyber Kill Chain model

5.1.a Reconnaissance

5.1.b Weaponization

5.1.c Delivery

5.1.d Exploitation

5.1.e Installation

5.1.f Command and control

5.1.g Action on objectives

5.2 Apply the NIST.SP800-61 r2 incident handling process to an event

5.3 Define these activities as they relate to incident handling

5.3.a Identification

5.3.b Scoping

5.3.c Containment

5.3.d Remediation

5.3.e Lesson-based hardening

5.3.f Reporting

5.4 Describe these concepts as they are documented in NIST SP800-86

5.4.a Evidence collection order

5.4.b Data integrity

5.4.c Data preservation

5.4.d Volatile data collection

5.5 Apply the VERIS schema categories to a given incident

3.0 Incident Response – continued

3.7 Map data types to these compliance frameworks

3.7.a PCI

3.7.b HIPAA (Health Insurance Portability and Accountability Act)

3.7.c SOX

3.8 Identify data elements that must be protected with regards to a specific standard (PCI-DSS)

4.0 Data and Event Analysis

4.1 Describe the process of data normalization

4.2 Interpret common data values into a universal format

4.3 Describe 5-tuple correlation

4.4 Describe the 5-tuple approach to isolate a compromised host in a grouped set of logs

4.5 Describe the retrospective analysis method to find a malicious file, provided a file analysis report

4.6 Identify potentially compromised hosts within the network based on a threat analysis report containing malicious IP addresses or domains

4.7 Map DNS logs and HTTP logs together to find a threat actor

4.8 Map DNS, HTTP, and threat intelligence data together

4.9 Identify a correlation rule to distinguish the most significant alert from a given set of events from multiple data sources using the Firepower Management Center

4.10 Compare and contrast deterministic and probabilistic analysis
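Items 4.1 through 4.8 describe one workflow: normalize heterogeneous logs into a common schema, key connections by 5-tuple, and join DNS, HTTP and threat-intelligence data so that a compromised host can be isolated with evidence from every source. The added example below (not from the presentation) runs that workflow end to end over constructed log lines whose formats approximate BIND query logging, Squid native access logging and a generic firewall connection log. The hosts, domains (`.test`), addresses (RFC 5737 and RFC 1918 ranges) and the indicator list are all constructed for the example; the 60-second window that ties a lookup to the connection that followed it is an assumption to tune per environment.

```python
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample logs; formats only approximate the named products.
DNS_LOG = """\
12-Mar-2017 10:14:03.120 client 10.1.1.77#51234: query: updates.evil-cdn.test IN A +
12-Mar-2017 10:14:04.010 client 10.1.1.23#40022: query: www.example.test IN A +
12-Mar-2017 10:15:41.877 client 10.1.1.77#51240: query: www.example.test IN A +
"""
PROXY_LOG = """\
1489313645.302    210 10.1.1.77 TCP_MISS/200 5120 GET http://updates.evil-cdn.test/p.php - HIER_DIRECT/203.0.113.45 application/octet-stream
1489313646.118     90 10.1.1.23 TCP_MISS/200 2311 GET http://www.example.test/ - HIER_DIRECT/198.51.100.20 text/html
"""
FW_LOG = """\
2017-03-12T10:14:05Z fw01 permit tcp 10.1.1.77:49211 -> 203.0.113.45:80
2017-03-12T10:14:06Z fw01 permit tcp 10.1.1.23:40100 -> 198.51.100.20:80
"""
# Constructed threat-intelligence indicators
INTEL = {"domains": {"evil-cdn.test"}, "ips": {"203.0.113.45"}}

DNS_RE = re.compile(r"^(?P<ts>\S+ \S+) client (?P<src>[\d.]+)#(?P<sport>\d+): query: (?P<qname>\S+) IN (?P<qtype>\w+)")
PROXY_RE = re.compile(r"^(?P<ts>[\d.]+)\s+\d+\s+(?P<src>[\d.]+)\s+\S+\s+\d+\s+(?P<method>\w+)\s+(?P<url>\S+)\s+\S+\s+\S+/(?P<dst>[\d.]+)")
FW_RE = re.compile(r"^(?P<ts>\S+) \S+ (?P<action>\w+) (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)")


def _utc(s: str, fmt: str) -> float:
    """Every source gets the same universal time format: POSIX seconds, UTC."""
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc).timestamp()


def normalize(line: str, source: str) -> dict | None:
    """Map one raw line into the common event schema; None for lines that do not parse."""
    ev = {"source": source, "src_ip": None, "src_port": None, "dst_ip": None,
          "dst_port": None, "proto": None, "domain": None}
    if source == "dns" and (m := DNS_RE.match(line)):
        ev.update(ts=_utc(m["ts"], "%d-%b-%Y %H:%M:%S.%f"), src_ip=m["src"], src_port=int(m["sport"]),
                  domain=m["qname"].lower(), proto="udp", dst_port=53)
    elif source == "proxy" and (m := PROXY_RE.match(line)):
        u = urlsplit(m["url"])
        ev.update(ts=float(m["ts"]), src_ip=m["src"], dst_ip=m["dst"], domain=u.hostname, proto="tcp",
                  dst_port=u.port or (443 if u.scheme == "https" else 80))
    elif source == "firewall" and (m := FW_RE.match(line)):
        ev.update(ts=_utc(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), src_ip=m["src"], src_port=int(m["sport"]),
                  dst_ip=m["dst"], dst_port=int(m["dport"]), proto=m["proto"])
    else:
        return None
    return ev


def five_tuple(ev: dict) -> tuple:
    return (ev["src_ip"], ev["src_port"], ev["dst_ip"], ev["dst_port"], ev["proto"])


def is_bad_domain(domain, bad_domains) -> bool:
    # suffix match so updates.evil-cdn.test is caught by an indicator for evil-cdn.test
    return domain is not None and any(domain == d or domain.endswith("." + d) for d in bad_domains)


def find_compromised(events: list, intel: dict, window_s: float = 60.0) -> dict:
    # 1. Learn domain -> IP from proxy records, then widen the indicator sets in both directions:
    #    a domain that resolved to a bad IP is bad, and the IPs a bad domain resolved to are bad.
    resolved = defaultdict(set)
    for ev in events:
        if ev["source"] == "proxy" and ev["domain"] and ev["dst_ip"]:
            resolved[ev["domain"]].add(ev["dst_ip"])
    bad_domains = set(intel["domains"]) | {d for d, ips in resolved.items() if ips & intel["ips"]}
    bad_ips = set(intel["ips"]) | {ip for d, ips in resolved.items()
                                   if is_bad_domain(d, bad_domains) for ip in ips}
    # 2. Per host: a lookup of a bad domain followed within window_s by a connection to a bad IP.
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["src_ip"]].append(ev)
    findings = {}
    for host, evs in by_host.items():
        lookups = [e for e in evs if e["source"] == "dns" and is_bad_domain(e["domain"], bad_domains)]
        conns = [e for e in evs if e["source"] != "dns" and e["dst_ip"] in bad_ips]
        hits = [(l, c) for l in lookups for c in conns if 0 <= c["ts"] - l["ts"] <= window_s]
        if hits:
            findings[host] = {
                "domains": sorted({l["domain"] for l, _ in hits}),
                # only sources that carry the full 5-tuple (here the firewall) can pin the session
                "five_tuples": sorted({five_tuple(c) for _, c in hits if c["src_port"] is not None}),
            }
    return findings


def load_sample() -> list:
    events = []
    for text, source in ((DNS_LOG, "dns"), (PROXY_LOG, "proxy"), (FW_LOG, "firewall")):
        for line in text.splitlines():
            ev = normalize(line, source)
            if ev:
                events.append(ev)
    return events


def analyse() -> dict:
    return find_compromised(load_sample(), INTEL)


if __name__ == "__main__":
    print(analyse())
```

The host that resolved a bad domain but never connected, or connected to a bad IP without a preceding lookup, is not flagged by this rule; that is deliberate, since the DNS-then-connection sequence is what distinguishes a real infection from a security scanner or a stray indicator, and it is the kind of deterministic rule 4.10 contrasts with probabilistic scoring.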


Recommended Books

CCNA Cyber Ops SECFND #210-250 Official Cert Guide, by Omar Santos, Joseph Muniz, and Stefano De Crescenzo. ISBN: 9781587147029

CCNA Cyber Ops SECOPS #210-255 Official Cert Guide, by Omar Santos and Joseph Muniz. ISBN: 9781587147036

Security Operations Center, by Joseph Muniz, Gary McIntyre, and Nadhem AlFardan. ISBN-13: 978-0-13-405201-4

Crafting the InfoSec Playbook, by Jeff Bollinger, Brandon Enright, and Matthew Valites. ISBN: 978-1491949405


More Resources…

Books

• Cisco Press - Network Security with NetFlow and IPFIX

• Cisco Press - Computer Incident and Product Vulnerability Handling

• The Tao of Network Security Monitoring – by Richard Bejtlich (SECOPS)

• Incident Response with NetFlow for Dummies

http://www.lancope.com/blog/incident-response-for-dummies/

• Real Digital Forensics: Computer Security and Incident Response

• Security Monitoring by Chris Fry and Martin Nystrom


Cyber Range Service Delivery Platform

• A Platform for Service Delivery and Learning

• Deeper understanding of leading security methodologies, operations, and procedures

• Empower customers with the architecture and capability to combat modern cyber threats

• Over 50 Attack Cases for 9 Technology Solutions

• 100+ applications simultaneously merged with 200-500 different Malware types

• Virtual environment accessible from any place in the world


Complete Your Online Session Evaluation

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

• Please complete your Online Session Evaluations after each session

• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt

• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations


Continue Your Education

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• Lunch & Learn

• Meet the Engineer 1:1 meetings

• Related sessions


Q & A


Thank You
