CCNA CyberOps
James Risler, Manager Security Content Development
BRKCRT 2009
Agenda
• Introduction
• Job Role of a Security Analyst
• CCNA Cyber Ops
• Highlights of SECFND Course
• Highlights of SECOPS Course
• How to Prepare
• Conclusion
The Problem
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
The Problem…
Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Breaches shown on the chart: Anthem, Target, Mossack Fonseca, eBay, JP Morgan Chase, Voter Database, Univ. of MD, Neiman Marcus, TJ Maxx, Sony, Zappos, Citigroup
Threat Landscape is Evolving…
Increased Attack Surface over time (2000 → 2005 → 2010 → Tomorrow): Worms → Spyware and Rootkits → APTs / Cyberwar
Defenses over the same period: Antivirus (Host-Based) → IDS/IPS (Network Perimeter) → Reputation (Global) and Sandboxing → Intelligence and Analytics (Cloud) → Enterprise Response
The History of Hacking and Examples
Timeline: 1990 – 1995 – 2000 – 2005 – 2010 – 2015 – 2020
• Viruses (1990–2000)
• Worms (2000–2005)
• Spyware and Rootkits (2005–Today)
• APTs / Cyberwar (Today +)
Phases along the timeline: Phishing, Low Sophistication → Hacking Becomes an Industry → Sophisticated Attacks, Complex Landscape
Examples shown: ILOVEYOU, Melissa, Anna Kournikova; Nimda, SQL Slammer, Conficker; Aurora, Shady Rat, Duqu; Botnets (Tedroo, Rustock, Conficker v2); Shamoon2, GRIZZLY STEPPE, Angler
Welcome to the Hackers’ Economy
Source: CNBC
Global Cybercrime Market: $450B–$1T
How Industrial Hackers Monetize the Opportunity
• Social Security number: $1
• Medical Record: >$50
• DDoS as a Service: ~$7/hour
• Credit Card Data: $0.25–$60
• Bank Account Info: >$1000, depending on account type and balance
• Exploits: $100K–$300K
• Facebook Account: $1 for an account with 15 friends
• Spam: $50/500K emails
• Malware Development: $2500 (commercial malware)
• Mobile Malware: $150
Job Role of a Security Analyst
Challenges Facing Organizations
• Identifying Botnet Command & Control Activity. Botnets are implanted in the enterprise to execute commands to send SPAM, Denial of Service attacks, or other malicious acts.
• Detecting Advanced Persistent Threats. Malware that makes it past perimeter security can remain in the enterprise waiting to strike as lurking threats. These may be zero day threats that do not yet have an antivirus signature or be hard to detect for other reasons.
• Finding Internally Spread Malware. Network interior malware proliferation can occur across hosts for the purpose of gathering security reconnaissance data, data exfiltration or network backdoors.
• Uncovering Network Reconnaissance. Some attacks will probe the network looking for attack vectors to be utilized by custom-crafted Cyber threats.
New Focus - Attack Continuum
Visibility and Context across Mission Critical Business Systems and Solutions
• BEFORE: Discover, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate
Policies, Process and People; Response Policy and Detection; Communication Strategy
Monitoring → Identification → Impact Mitigation
National Institute of Standards & Technology
Objective:
• Framework
• Job Role Alignment
• Students have clear job prospects & opportunities
• Help Policy Makers promote job growth
• Assist Employers with job skill hire and development
Continue: Security Analyst Challenges
Perimeter security stops many threats, but sophisticated Cyber threats evade existing security constructs
Fingerprints of threats are often found in the network fabric
Perimeter gateways: Firewall, IPS, Web Sec, N-AV, Email Sec
• Customized Threat Bypasses Security Gateways
• Threat Spreads Inside Perimeter
• Customized Threat Enters from Inside
• Threat Spreads to Devices
Security Investigation Process
Goals/Objectives (1) → SOC Solution Components (2), from Start to End
Foundations: Prevent, Detect, Collect, Analyze, Mitigate
Playbook – Process and Procedures
Functional Model for Security Analyst
Security Analyst SOC Solution Components (resting on a Skill Foundation):
• Prevent: Network IPS, Host IPS, Firewall, Email/Web Proxy, Antivirus, Spam Prevention
• Detect: Network IDS, Adv. Malware, Behavioral anomaly, NetFlow anomaly
• Collect: Traffic Capture, Device Config, NetFlow, Event Logs, Proxy Logs, Web Firewall, Device Monitoring, Performance Monitoring
• Analyze: NetFlow Analysis, Malware Analysis, SIEM Analysis, Other Tools
• Mitigate: IP Blackhole, DNS Poisoning, Adv. ACLs
Example – Job Roles in a SOC
Analysis / Investigate
• Data: SIEM, Packet Capture & Flow Tools
• Tools: Data Analysis, Collaboration, & Case Tools
• Intel & Research
• Evidence & Information
“Kimsuky” Operation: A North Korean APT
• 4 Key South Korean Targets
  • Phishing against Hyundai Merchant Marine
• Infecting Systems
  • Trojan Dropper – DLL library against Windows 7
• Install Spying Modules
  • Key Stroke Logger, Directory Listing, Remote Control & Execution, Remote Control Access
  • Disable Firewall
• Communication
  • Command and control Bot done through a Bulgarian web-based free email server
  • Regular Reporting and RC4 Encryption and Exporting of Data
CCNA Cyber Operations Certification
Simplified Security Team Model
• CSO / Manager – “Set Policy & Prioritize”: CISO, Manager; Legal/Compliance/Privacy
• Secure Infrastructure Architects & Engineers – “Design and Secure”: Architect & Engineer
• Security Operations Team – “Detect and Respond”: Security Analyst; First Responder; Network Auditor; Digital Forensics Investigator; SOC Team Member
• Secure Infrastructure Engineers, Technicians & Administrators – “Build and Secure”: Engineer, Administrator, Technician
Certifications Mapping
• Cisco SAFE Architecture: CCIE Security, CCNP Security, CCNA Security
• Threat Centric Model: CCNA Cyber Ops
• CE Credits
• Cross-Training
• Product or Job-Role Training
Curriculum Paths: Security Career Training
• Product Training – Product Deep Dive, Install/Troubleshoot. “Install/Run Product”
• Secure Infrastructure – Definitive Job-Role Training on building Secure Network Infrastructure. Build/Secure – “Build the Castle”
• Cybersecurity Operations – Definitive Job-Role Training for Security Operations Jobs. Detect/Respond – “Guard the Castle”
• Applied Security – Elective/Specialized Training Applying Security Skills to Technologies or Environments. Apply Security Skills
Core (Job) Skills: “Traditional” Mix and Newer Areas
Security Fundamentals Course (SECFND)
Security Fundamentals Course – 14 Sections in this course that cover:
• Fundamentals of TCP/IP
• Fundamentals Cryptography
• Information Security
• Network Applications and Attacks
• Windows and Linux OS Overview
• Endpoint Attacks and Security
• Security Data Collection **
• Security Event Analysis **
75% of the Course is on Foundation Skills
Focused on knowledge needed for SECOPS Course
Data Collection and Event Analysis key feeder concepts
Example Lifecycle of Detection
Preparation → Detection → Analysis → Containment and Eradication → Recovery → Lessons Learned
Supporting elements along the lifecycle:
• SIEM Tools & Workflow Management
• Logs & Event Notifications based on Policies
• Log & Flow Correlation w/ PCAP files
• Security Engineer
• Playbook Modification
• Communication & Defensive measures
Attacker Methodology
• Understand what types of Attackers there are.
• What is the methodology an attacker will use
  • Hacking Techniques
  • Basic strategy
  • Public Information
  • Map Information
  • Short-term vs. Long-term attacker goals
Stages: Gather Info → Scan → Gain Access → Escalate → Persist → Expand → Accomplish Goal
Understanding Attacks
Actors and systems in the diagram: External Attacker, Infected Workstation, C&C Servers, File Server, Insecure FTP Server
Step 1: Attacker sends email to victim
Step 2: Email infects victim, connects to C&C
Step 3: Attacker sends instructions to victim host
Step 4: Victim host copies and encrypts data
Step 5: Victim host uploads encrypted data to FTP
Step 6: Attacker retrieves encrypted data from FTP
Malware and Attacker tools
• Distinguish between general purpose Malware and attacker tools
• Describe roles of each tool in an attacking toolset
• Attacker Exploits – (know the difference between each one of these)
  • Backdoors
  • Downloaders and droppers
  • Rootkits
  • Pivots
  • Keyloggers
  • Exploits
  • Payloads
Example of a Complex Threat Visibility Concept
Automating Context Collection: Correlating Log data with flow information
Flow of interest: SRC/65.32.7.45 → DST/165.1.4.9/Uzbekistan : FTP
Context:
• User /ORG = Pat Smith, R&D
• Client = Dell XYZ100
• DST = Poor Reputation
ACTIVE FLOWS: 23,892
SRC/65.32.7.45
• DST/171.54.9.2/US : HTTP
• DST/34.1.5.78/China : HTTPS
• DST/165.1.4.9/Uzbekistan : FTP
• DST/123.21.2.5/US : AIM
• DST/91.25.1.1/US : FACEBOOK
Attack bypasses perimeter and traverses network
NetFlow at the access layer provides greater granularity
Leveraging NetFlow to investigate a potential IT policy violation
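The context collection shown above (user, asset, destination country and reputation attached to a flow record) and the FTP exfiltration scenario in the Understanding Attacks steps, written out as an added Python example that is not part of the Cisco Live deck. The IP addresses and labels are the slide's; the lookup tables, byte counts, the `bytes_out` field and the thresholds in `reasons()` are assumptions made for the example.

```python
# Added example (not from the Cisco Live deck): enrich NetFlow-style records
# with user, asset, geo and reputation context, then rank the flows an analyst
# should open first. All lookup data and byte counts below are constructed.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Flow:
    src: str
    dst: str
    proto: str        # application label as reported by the exporter (assumption)
    bytes_out: int    # bytes sent by src in this flow (constructed values)


# Constructed enrichment sources standing in for AD/asset inventory, geo-IP
# and a reputation feed.
USER_BY_IP: Dict[str, str] = {"65.32.7.45": "Pat Smith, R&D"}
ASSET_BY_IP: Dict[str, str] = {"65.32.7.45": "Dell XYZ100"}
GEO_BY_IP: Dict[str, str] = {
    "165.1.4.9": "Uzbekistan", "171.54.9.2": "US", "34.1.5.78": "China",
    "123.21.2.5": "US", "91.25.1.1": "US",
}
REPUTATION_BY_IP: Dict[str, str] = {"165.1.4.9": "Poor"}

# The active flows for the slide's source host (byte counts constructed).
FLOWS: List[Flow] = [
    Flow("65.32.7.45", "171.54.9.2", "HTTP", 12_000),
    Flow("65.32.7.45", "34.1.5.78", "HTTPS", 48_000),
    Flow("65.32.7.45", "165.1.4.9", "FTP", 2_400_000),
    Flow("65.32.7.45", "123.21.2.5", "AIM", 900),
    Flow("65.32.7.45", "91.25.1.1", "FACEBOOK", 30_000),
]


def enrich(flow: Flow) -> dict:
    """Attach the context an analyst would otherwise look up by hand."""
    return {
        "src": flow.src, "dst": flow.dst, "proto": flow.proto,
        "bytes_out": flow.bytes_out,
        "user": USER_BY_IP.get(flow.src, "unknown"),
        "client": ASSET_BY_IP.get(flow.src, "unknown"),
        "dst_country": GEO_BY_IP.get(flow.dst, "unknown"),
        "dst_reputation": REPUTATION_BY_IP.get(flow.dst, "Unrated"),
    }


def reasons(ctx: dict, policy_protocols=("FTP",), upload_threshold: int = 1_000_000) -> List[str]:
    """Rules that turn an enriched flow into something worth a ticket.
    Threshold and protocol list are assumptions for the example."""
    out: List[str] = []
    if ctx["dst_reputation"] == "Poor":
        out.append("destination has poor reputation")
    if ctx["proto"] in policy_protocols:
        out.append(f"{ctx['proto']} is a policy-controlled protocol")
    if ctx["bytes_out"] >= upload_threshold:
        out.append("large outbound transfer")
    return out


def triage(flows: List[Flow]) -> List[dict]:
    """Return enriched flows that hit at least one rule, most reasons first."""
    hits: List[dict] = []
    for f in flows:
        ctx = enrich(f)
        why = reasons(ctx)
        if why:
            ctx["reasons"] = why
            hits.append(ctx)
    hits.sort(key=lambda c: len(c["reasons"]), reverse=True)
    return hits


if __name__ == "__main__":
    for h in triage(FLOWS):
        print(h["user"], h["client"], "->", h["dst"], h["dst_country"], h["proto"], h["reasons"])
```

Only the FTP flow to the poor-reputation destination survives triage; the four other active flows from the same host are left for routine review, which is the point of the slide: context, not raw flow volume, decides what gets looked at.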
Attack Example – SQL Injection
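Only the slide title survives for this attack example, so the following is an added illustration (not from the deck) of what the SECFND attack-methods topic covers: the same credential lookup written with string concatenation and with a bound parameter, run against an in-memory SQLite table. The table, the two users and the tautology input are constructed for the example.

```python
# Added example (not from the Cisco Live deck): the same credential lookup
# built by string concatenation and by parameter binding, against an
# in-memory SQLite table. Table, rows and input are constructed; real systems
# store password hashes, not the plaintext used here to keep the query short.
import sqlite3


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct-horse"), ("bob", "battery-staple")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> int:
    """Input is pasted into the SQL text, so quotes and comment markers in it
    change the query's structure. Returns the number of matching rows."""
    sql = ("SELECT COUNT(*) FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchone()[0]


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> int:
    """Same query with bound parameters: the driver hands the values to the
    engine separately, so they can only ever be compared as data."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0]


# Textbook tautology-plus-comment input: closes the quote, makes the WHERE
# clause always true, and comments out the password comparison.
TAUTOLOGY = "' OR 1=1 --"


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable   :", login_vulnerable(db, TAUTOLOGY, "anything"))     # every row matches
    print("parameterized:", login_parameterized(db, TAUTOLOGY, "anything"))  # no row matches
    print("valid user   :", login_parameterized(db, "alice", "correct-horse"))
```

The vulnerable form returns both rows for the tautology input because the comment marker discards the password clause; the parameterized form returns none, since the same string is now compared literally against the username column. For detection, the same signature (a quote followed by `OR` and a comment marker inside a form field) is what web-application firewall and proxy-log rules key on.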
Kill Chain
• Understand what Attackers Do
• Attackers are not bound to this
• Used to prioritize events
• Set Escalation Levels
• Determine Defense Level Controls
• Measure Analytic Completeness
APT Threat Life Cycle
APTs can go undetected for years
APT1 report – Undetected for 4 years 10 Months (Avg. 356 days)
Source: Mandiant Report – APT1: Exposing One of China’s Cyber Espionage Units
Diamond Model
• The Diamond Model was developed to help derive order from chaos.
• Systematic ways to analyze events
• Supports “Critical Thinking”, a key skill for a Security Analyst
• Example – Grouping Events shows the adversary’s capabilities
Security Operations Course (SECOPS)
Security Operations Course – 14 Sections plus some Appendix Information:
• Define a SOC and job roles in a SOC
• SOC Infrastructure Tools and Systems
• Incident Analysis for a Threat Centric SOC
• Resources to Assist with an Investigation
• Event Correlation and Normalization
• Common Attack Vectors
• Identifying Malicious Activity
• Using the Playbook
• Incident Response Handbook
• SOC Metrics/Threat Integration
• SOC Workflow and Automation
Course focuses on entry-level Security Analyst skills
Solid Network Foundation is Critical
Generic SOC Approach
Types of SOCs
• Analogy – a Threat Centric SOC is like predicting the weather 100% correctly all the time
• One SOC does not fit all
• Threat-Centric – proactively hunts for threats on a network
  • Telemetry and Data Analytics
• Versus Compliance-Based SOC
  • Detection of unauthorized changes
  • Policy violations
  • Compliance with PCI DSS 2.0
• Versus Operational-Based SOC
Generic SOC Architecture
Telemetry Streams: Full Packet Capture, NetFlow, Protocol Metadata, Application Logs, Machine Logs
Enrichment Data: Threat Intelligence Feeds
Processing: Parse + Format → Alert
Applications & Analyst Tools:
• Log Mining & Analytics
• Network Packet Mining
• Big Data Modeling & Statistical Analysis
External Resources
SOC Analyst Tier 1
Stages of Attack
Network Security Monitoring & Tools
• Analysts need data
• Tools are based on requirements
• Tools - Security Onion
  • Sguil
  • ELSA
  • Bro
  • Snort - NIDS
  • OSSEC - HIDS
NetFlow Information
Example NetFlow Traffic Flow
Specific NetFlow Host Communications
DNS Record
Label: 596-958849831234.id-10293839413421.up.sshdns.abc.tunnel.private.
TTL: 0
Class: IN (Internet)
Record Type: TXT
Data: "AAAAlAgfAAAAgQDKrd3sFmf8aLX6FdU8ThUy3SRWGhotR6EsAavqHgBzH2khqsQHQjEf355jS7c+4a8kAmFVQ4mpEEJeBE6IyDWbAQ9a0rgOKcsaWwJ7GdngGm9jpvReXX7S/2oqAIUFCn0M8=" "MHw9tR0kkDVZB7RCfCOpjfHrir7yuiCbt7FpyX8AAAABBQAAAAAAAAAA"
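The record above carries the marks an analyst hunts for when DNS is being used as a tunnel: a long, digit-heavy query name with many labels, a zero TTL, and a large base64-looking TXT payload. As an added Python example (not from the deck), the function below scores a record against those indicators. The thresholds are assumptions; the first record is the slide's own, the second is a constructed benign lookup for comparison.

```python
# Added example (not from the Cisco Live deck): score a DNS record for the
# indicators that make an analyst suspect tunnelling. Thresholds are
# assumptions; SLIDE_RECORD is the record shown on the slide (its two TXT
# strings concatenated), BENIGN_RECORD is a constructed comparison.
import math
from dataclasses import dataclass
from typing import List


@dataclass
class DnsRecord:
    name: str    # owner / query name, trailing dot optional
    ttl: int
    rtype: str
    data: str    # RDATA as text; for TXT, the character-strings joined together


def shannon_entropy(s: str) -> float:
    """Bits per symbol; base64-like payloads sit well above ordinary hostnames."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def tunnel_indicators(rec: DnsRecord) -> List[str]:
    labels = [l for l in rec.name.rstrip(".").split(".") if l]
    hits: List[str] = []
    if len(rec.name) > 60:
        hits.append("long_qname")
    if max((len(l) for l in labels), default=0) > 30:
        hits.append("long_label")
    if len(labels) > 6:
        hits.append("deep_subdomain")
    if rec.name and sum(c.isdigit() for c in rec.name) / len(rec.name) > 0.3:
        hits.append("digit_heavy_qname")      # encoded sequence numbers / session ids
    if rec.ttl == 0:
        hits.append("zero_ttl")               # forces every query to the authoritative server
    if rec.rtype.upper() == "TXT":
        if len(rec.data) > 100:
            hits.append("large_txt_payload")
        if shannon_entropy(rec.data) > 4.5:
            hits.append("high_entropy_txt")
    return hits


def is_suspicious(rec: DnsRecord, min_hits: int = 3) -> bool:
    return len(tunnel_indicators(rec)) >= min_hits


# The record from the slide.
SLIDE_RECORD = DnsRecord(
    name="596-958849831234.id-10293839413421.up.sshdns.abc.tunnel.private.",
    ttl=0,
    rtype="TXT",
    data="AAAAlAgfAAAAgQDKrd3sFmf8aLX6FdU8ThUy3SRWGhotR6EsAavqHgBzH2khqsQHQjEf355jS7c+4a"
         "8kAmFVQ4mpEEJeBE6IyDWbAQ9a0rgOKcsaWwJ7GdngGm9jpvReXX7S/2oqAIUFCn0M8="
         "MHw9tR0kkDVZB7RCfCOpjfHrir7yuiCbt7FpyX8AAAABBQAAAAAAAAAA",
)
# Constructed benign comparison (RFC 2606 documentation domain, RFC 5737 address).
BENIGN_RECORD = DnsRecord(name="www.example.com.", ttl=3600, rtype="A", data="192.0.2.1")


if __name__ == "__main__":
    for rec in (SLIDE_RECORD, BENIGN_RECORD):
        print(rec.name, tunnel_indicators(rec), "suspicious" if is_suspicious(rec) else "benign")
```

The slide's record trips five indicators at once (length, depth, digit density, zero TTL, payload size) while the benign lookup trips none; in practice an analyst would run this over DNS logs and pivot on the domain that produces the hits, since a single indicator on its own (a zero TTL, say) is common in legitimate traffic.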
Abnormal Traffic Indicators
DMZ servers scanning the inside network
SOC Analyst understanding “Well Known Ports”
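One concrete form of the first indicator, written as an added Python example that is not part of the deck: bucket DMZ-to-inside flows per source and time window, flag any DMZ host that touches many distinct inside host/port pairs, and label the ports with their well-known service names so the analyst can read the sweep at a glance. The address ranges, flow records and thresholds are constructed.

```python
# Added example (not from the Cisco Live deck): flag DMZ hosts that sweep the
# inside network, and label the ports touched with their well-known service
# names. Address ranges, flows and thresholds are all constructed.
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Assumed network layout (RFC 5737 / RFC 1918 ranges used as placeholders).
DMZ = ip_network("192.0.2.0/24")
INSIDE = ip_network("10.0.0.0/8")

# Subset of IANA port assignments an analyst should recognise on sight.
PORT_NAMES = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 53: "dns", 80: "http",
              135: "msrpc", 139: "netbios-ssn", 443: "https", 445: "microsoft-ds",
              1433: "ms-sql-s", 3306: "mysql", 3389: "ms-wbt-server"}


@dataclass
class Flow:
    ts: float      # seconds since an arbitrary epoch
    src: str
    dst: str
    dport: int


def dmz_to_inside(f: Flow) -> bool:
    return ip_address(f.src) in DMZ and ip_address(f.dst) in INSIDE


def scan_candidates(flows: List[Flow], window: float = 60.0, min_targets: int = 10) -> Dict[str, dict]:
    """Bucket DMZ->inside flows per source and time window; report sources that
    touched at least min_targets distinct (host, port) pairs in one window."""
    buckets: Dict[tuple, set] = defaultdict(set)
    for f in flows:
        if dmz_to_inside(f):
            buckets[(f.src, int(f.ts // window))].add((f.dst, f.dport))
    report: Dict[str, dict] = {}
    for (src, _), targets in buckets.items():
        if len(targets) >= min_targets:
            ports = sorted({p for _, p in targets})
            report[src] = {
                "hosts": len({h for h, _ in targets}),
                "ports": [f"{p}/{PORT_NAMES.get(p, 'unregistered')}" for p in ports],
            }
    return report


# Constructed sample: a DMZ web server talking to its database (normal) and a
# DMZ host hitting twenty inside hosts on SMB within ten seconds (abnormal).
SAMPLE_FLOWS: List[Flow] = [Flow(t, "192.0.2.10", "10.0.0.5", 3306) for t in (1, 2, 3)]
SAMPLE_FLOWS += [Flow(10 + i * 0.5, "192.0.2.20", f"10.0.1.{i}", 445) for i in range(1, 21)]
SAMPLE_FLOWS += [Flow(30, "10.0.0.99", "10.0.1.1", 22)]   # inside->inside, out of scope here


if __name__ == "__main__":
    for src, info in scan_candidates(SAMPLE_FLOWS).items():
        print(f"{src} swept {info['hosts']} inside hosts on {', '.join(info['ports'])}")
```

The web server's repeated connections to one database port never reach the threshold, while the SMB sweep does; a DMZ host that should only ever answer inbound requests has no business opening 445 to twenty workstations, and the port name in the output tells the analyst that before the packets are pulled.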
Log Data Search
Using ELSA to search through large volumes of log data
Critical to narrow data down on search because it will only show you 100 records
Malware Site – Identify Malicious Payloads
SGUIL Log Analysis
Snort feeds TCP/IP session events to the database
• Real Time Events
• Session Data
• Raw Packet captures
Further Investigation
Sguil Database Events
Output received from Sensors – so-eth3-1 and so-ossec
Consolidation of messages on a single interface
Playbook
Playbook
• The playbook is a prescriptive collection of repeatable plays (reports or methods) to elicit a specific response to a security event
SOC Playbook Example
What does this playbook example show?
• Repeatable Process – Play ID
• Objective – Defined outcome
• Self Contained Scripts for Searching
• Data Query
• Mitigation Action
• Analysis – Bulk of the documentation
Workflow
Workflow Components in a SOC
Workflow Management Systems
Information Flow between Security Devices, SIEM, Security Workflow Management System and Ticketing System
• New Solution
• Software that tags and identifies security events
• Tracks events
• Supports playbook process
• Goal – Improve SOC efficiency
• Vendors
  • Cyberesponse
Workflow Tool
How to Prepare for the Exams
Exam Preparation
• How to Prepare for the Exams (SECFND 210-250 / SECOPS 210-255)
• Exam Blueprint: http://www.cisco.com/c/en/us/training-events/training-certifications/exams/current-list/secfnd.html
• Resources
  • Books – Cisco Press
  • Publicly available resources
  • Cisco Learning Network – Study Group
  • Labs “Build your own with Security Onion”
How to Prepare
• Where to Start?
  • Blueprint
  • Create a study plan
• Study Group on Cisco Learning Network
  • CCNA Cyber Ops
  • Posted documents
  • https://learningnetwork.cisco.com/groups/cyber-security-study-group
• Example of Resources
  • NIST Documents
    • http://csrc.nist.gov/publications/PubsSPs.html
    • csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf
  • NetFlow Overview
  • Wireshark Usage
    • www.wireshark.org/docs/wsug_html_chunked
SECFND (210-250) Cisco Cybersecurity Fundamentals Exam—Topics and Weighting
12% 1.0 Network Concepts
17% 2.0 Security Concepts
12% 3.0 Cryptography
19% 4.0 Host-Based Analysis
19% 5.0 Security Monitoring
21% 6.0 Attack Methods
Example – Course Material SECFND
210-250 (SECFND) Cisco Security Fundamentals
1.0 Network Concepts
1.1 Describe the function of the network layers as specified by the OSI and the TCP/IP network models
1.2 – Describe the operation of the following
1.2.a IP
1.2.b TCP
1.2.c UDP
1.2.d ICMP
1.3 Describe the operation of these network services
1.3.a ARP
1.3.b DNS
1.3.c DHCP
1.4 Describe the basic operation of these network device types
1.4.a Router
1.4.b Switch
1.4.c Hub
1.4.d Bridge
1.4.e Wireless access point (WAP)
1.4.f Wireless LAN controller (WLC)
1.5 Describe the functions of these network security systems as deployed on the host, network, or the cloud:
1.5.a Firewall
1.5.b Cisco Intrusion Prevention System (IPS)
1.5.c Cisco Advanced Malware Protection (AMP)
1.5.d Web Security Appliance (WSA) / Cisco Cloud Web Security (CWS)
1.5.e Email Security Appliance (ESA) / Cisco Cloud Email Security (CES)
1.6 Describe IP subnets and communication within an IP subnet and between IP subnets
1.0 Network Concepts – continued.
1.7 Describe the relationship between VLANs and data visibility
1.8 Describe the operation of ACLs applied as packet filters on the interfaces of network devices
1.9 Compare and contrast deep packet inspection with packet filtering and stateful firewall operation
1.10 Compare and contrast inline traffic interrogation and taps or traffic mirroring
1.11 Compare and contrast the characteristics of data obtained from taps or traffic mirroring and NetFlow in the analysis of network traffic
1.12 Identify potential data loss from provided traffic profiles
2.0 Security Concept
2.1 Describe the principles of a defense in depth strategy
2.2 Compare and contrast these concepts
2.2.a Risk
2.2.b Threat
2.2.c Vulnerability
2.2.d Exploit
2.3 Describe these terms
2.3.a Threat actor
2.3.b Run book automation (RBA)
2.3.c Chain of custody (evidentiary)
2.3.d Reverse engineering
2.3.e Sliding window anomaly detection
2.3.f PII
2.3.g PHI
210-250 (SECFND) Cisco Security Fundamentals – continued
2.0 Security Concepts – cont.
2.4 Describe these security terms
2.4.a Principle of least privilege
2.4.b Risk scoring/risk weighting
2.4.c Risk reduction
2.4.d Risk assessment
2.5 Compare and contrast these access control models
2.5.a Discretionary access control
2.5.b Mandatory access control
2.5.c Nondiscretionary access control
2.6 Compare and contrast these terms
2.6.a Network and host antivirus
2.6.b Agentless and agent-based protections
2.6.c SIEM and log collection
2.7 Describe these concepts
2.7.a Asset management
2.7.b Configuration management
2.7.c Mobile device management
2.7.d Patch management
2.7.e Vulnerability management
3.0 Cryptography
3.1 Describe the uses of a hash algorithm
3.2 Describe the uses of encryption algorithms
3.3 Compare and contrast symmetric and asymmetric encryption algorithms
3.4 Describe the processes of digital signature creation and verification
3.0 Cryptography – continued.
3.5 Describe the operation of a PKI
3.6 Describe the security impact of these commonly used hash algorithms
3.6.a MD5
3.6.b SHA-1
3.6.c SHA-256
3.6.d SHA-512
3.7 Describe the security impact of these commonly used encryption algorithms and secure communications protocols
3.7.a DES
3.7.b 3DES
3.7.c AES
3.7.d AES256-CTR
3.7.e RSA
3.7.f DSA
3.7.g SSH
3.7.h SSL/TLS
3.8 Describe how the success or failure of a cryptographic exchange impacts security investigation
3.9 Describe these items in regards to SSL/TLS
3.9.a Cipher-suite
3.9.b X.509 certificates
3.9.c Key exchange
3.9.d Protocol version
3.9.e PKCS
210-250 (SECFND) Cisco Security Fundamentals – continued
4.0 Host-Based Analysis
4.1 Define these terms as they pertain to Microsoft Windows
4.1.a Processes
4.1.b Threads
4.1.c Memory allocation
4.1.d Windows Registry
4.1.e WMI
4.1.f Handles
4.1.g Service
4.2 Define these terms as they pertain to Linux
4.2.a Processes
4.2.b Forks
4.2.c Permissions
4.2.d Symlinks
4.2.e Daemon
4.3 Describe the functionality of these endpoint technologies in regards to security monitoring
4.3.a Host-based intrusion detection
4.3.b Antimalware and antivirus
4.3.c Host-based firewall
4.3.d Application-level whitelisting/blacklisting
4.3.e Systems-based sandboxing (such as Chrome, Java, Adobe reader)
4.4 Interpret these operating system log data to identify an event
4.4.a Windows security event logs
4.4.b Unix-based syslog
4.4.c Apache access logs
4.4.d IIS access logs
5.0 Security Monitoring
5.1 Identify the types of data provided by these technologies
5.1.a TCP Dump
5.1.b NetFlow
5.1.c Next-Gen firewall
5.1.d Traditional stateful firewall
5.1.e Application visibility and control
5.1.f Web content filtering
5.1.g Email content filtering
5.2 Describe these types of data used in security monitoring
5.2.a Full packet capture
5.2.b Session data
5.2.c Transaction data
5.2.d Statistical data
5.2.f Extracted content
5.2.g Alert data
5.3 Describe these concepts as they relate to security monitoring
5.3.a Access control list
5.3.b NAT/PAT
5.3.c Tunneling
5.3.d TOR
5.3.e Encryption
5.3.f P2P
5.3.g Encapsulation
5.3.h Load balancing
210-250 (SECFND) Cisco Security Fundamentals – continued
5.0 Security Monitoring – continued.
5.4 Describe these NextGen IPS event types
5.4.a Connection event
5.4.b Intrusion event
5.4.c Host or endpoint event
5.4.d Network discovery event
5.4.e NetFlow event
5.5 Describe the function of these protocols in the context of security monitoring
5.5.a DNS
5.5.b NTP
5.5.c SMTP/POP/IMAP
5.5.d HTTP/HTTPS
6.0 Attack Methods
6.1 Compare and contrast an attack surface and vulnerability
6.2 Describe these network attacks
6.2.a Denial of service
6.2.b Distributed denial of service
6.2.c Man-in-the-middle
6.3 Describe these web application attacks
6.3.a SQL injection
6.3.b Command injections
6.3.c Cross-site scripting
6.4 Describe these attacks
6.4.a Social engineering
6.4.b Phishing
6.4.c Evasion methods
6.0 Attack Methods – continued.
6.5 Describe these endpoint-based attacks
6.5.a Buffer overflows
6.5.b Command and control (C2)
6.5.c Malware
6.5.d Rootkit
6.5.e Port scanning
6.5.f Host profiling
6.6 Describe these evasion methods
6.6.a Encryption and tunneling
6.6.b Resource exhaustion
6.6.c Traffic fragmentation
6.6.d Protocol-level misinterpretation
6.6.e Traffic substitution and insertion
6.6.f Pivot
6.7 Define privilege escalation
6.8 Compare and contrast remote exploit and a local exploit
SECOPS (210-255) Cisco Cybersecurity Operations Exam—Topics and Weighting
15% 1.0 Endpoint Threat Analysis & Computer Forensics
12% 2.0 Network Intrusion Analysis
18% 3.0 Incident Response
23% 4.0 Data and Event Analysis
22% 5.0 Incident Handling
Example – Course Material SECOPS
210-255 (SECOPS) Cisco Security Operations
1.0 Endpoint Threat Analysis & Computer Forensics
1.1 Interpret the output report of a malware analysis tool such as AMP Threat Grid and Cuckoo Sandbox
1.2 - Describe these terms as they are defined in the CVSS 3.0:
1.2.a Attack vector
1.2.b Attack complexity
1.2.c Privileges required
1.2.d User interaction
1.2.e Scope
1.3 - Describe these terms as they are defined in the CVSS 3.0
1.3.a Confidentiality
1.3.b Integrity
1.3.c Availability
1.4 - Define these items as they pertain to the Microsoft Windows file system
1.4.a FAT32
1.4.b NTFS
1.4.c Alternative data streams
1.4.d MACE
1.4.e EFI
1.4.f Free space
1.4.g Timestamps on a file system
1.5 – Define these terms as they pertain to the Linux file system
1.5.a EXT4
1.5.b Journaling
1.5.c MBR
1.5.d Swap file system
1.5.e MAC
1.0 Endpoint Threat Analysis & Computer Forensic – cont.
1.6 - Compare and contrast three types of evidence
1.6.a Best evidence
1.6.b Corroborative evidence
1.6.c Indirect evidence
1.7 - Compare and contrast two types of image
1.7.a Altered disk image
1.7.b Unaltered disk image
1.8 Describe the role of attribution in an investigation
1.8.a Assets
1.8.b Threat actor
2.0 Network Intrusion Analysis
2.1 Interpret basic regular expressions
2.2 Describe the fields in these protocol headers as they relate to intrusion analysis:
2.2.a Ethernet frame
2.2.b IPv4
2.2.c IPv6
2.2.d TCP
2.2.e UDP
2.2.f ICMP
2.2.g HTTP
2.3 Identify the elements from a NetFlow v5 record from a security event
210-255(SECOPS) Cisco Security Operations
2.0 Network Intrusion Analysis – cont.
2.6 Interpret common artifact elements from an event to identify an alert
2.6.a IP address (source / destination)
2.6.b Client and Server Port Identity
2.6.c Process (file or registry)
2.6.d System (API calls)
2.6.e Hashes
2.6.f URI / URL
2.7 Map the provided events to these source technologies
2.7.a NetFlow
2.7.b IDS / IPS
2.7.c Firewall
2.7.d Network application control
2.7.e Proxy logs
2.7.f Antivirus
2.8 Compare and contrast impact and no impact for these items
2.8.a False Positive
2.8.b False Negative
2.8.c True Positive
2.8.d True Negative
2.9 Interpret a provided intrusion event and host profile to calculate the impact flag generated by Firepower Management Center (FMC)
3.0 Incident Response
3.1 Describe the elements that should be included in an incident response plan as stated in NIST.SP800-61 r2
3.0 Incident Response - cont.
3.2 Map elements to these steps of analysis based on the NIST-SP800-61R2
3.2.a Preparation
3.2.b Detection and analysis
3.2.c Containment, eradication, and recovery
3.2.d Post-incident analysis (lessons learned)
3.3 Map the organization stakeholders against the NIST IR categories (C2M2 page 2, NIST.SP800-61 r2 p.21-p.41)
3.3.a Preparation
3.3.b Detection and analysis
3.3.c Containment, eradication, and recovery
3.3.d Post-incident analysis (lessons learned)
3.4 Describe the goals of the given CSIRT
(https://www.cert.org/incident-management/csirt-development/csirt-faq.cfm)
3.4.a Internal CSIRT
3.4.b National CSIRT
3.4.c Coordination centers
3.4.d Analysis centers
3.4.e Vendor teams
3.4.f Incident response providers (MSSP)
3.5 Identify these elements used for network profiling
3.5.a Total throughput
3.5.b Session duration
3.5.c Ports used
3.5.d Critical asset address space
3.6 Identify these elements used for server profiling
3.6.a Listening ports
3.6.b Logged in users/service accounts
3.6.c Running processes
3.6.d Running tasks
3.6.e Applications
210-255 (SECOPS) Cisco Security Operations
5.0 Incident Handling
5.1 Classify intrusion events into these categories as defined in the diamond model of intrusion
5.1.a Reconnaissance
5.1.b Weaponization
5.1.c Delivery
5.1.d Exploitation
5.1.e Installation
5.1.f Command and control
5.1.g Action on objectives
5.2 Apply the NIST.SP800-61 r2 incident handling process to an event
5.3 Define these activities as they relate to incident handling
5.3.a Identification
5.3.b Scoping
5.3.c Containment
5.3.d Remediation
5.3.e Lesson-based hardening
5.3.f Reporting
5.4 Describe these concepts as they are documented in NIST SP800-86
5.4.a Evidence collection order
5.4.b Data integrity
5.4.c Data preservation
5.4.d Volatile data collection
5.5 Apply the VERIS schema categories to a given incident
3.0 Incident Response - cont.
3.7 Map data types to these compliance frameworks
3.7.a PCI
3.7.b HIPAA (Health Insurance Portability and Accountability Act)
3.7.c SOX
3.8 Identify data elements that must be protected with regards to a specific standard (PCI-DSS)
4.0 Data and Event Analysis
4.1 Describe the process of data normalization
4.2 Interpret common data values into a universal format
4.3 Describe 5-tuple correlation
4.4 Describe the 5-tuple approach to isolate a compromised host in a grouped set of logs
4.5 Describe the retrospective analysis method to find a malicious file, provided file analysis report
4.6 Identify potentially compromised hosts within the network based on a threat analysis report containing malicious IP address or domains
4.7 Map DNS logs and HTTP logs together to find a threat actor
4.8 Map DNS, HTTP, and threat intelligence data together
4.9 Identify a correlation rule to distinguish the most significant alert from a given set of events from multiple data sources using the Firepower Management Console
4.10 Compare and contrast deterministic and probabilistic analysis
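Topics 4.1 through 4.4 (normalization, a universal format, 5-tuple correlation, isolating a compromised host from grouped logs) fit together in one small pipeline, shown here as an added Python example that is not part of the deck or the exam material. The two log line formats, the hostnames, timestamps and the local-range Snort SID are constructed; the direction-independent key is the detail that makes a firewall's request record and an IDS's reply record land on the same 5-tuple.

```python
# Added example (not from the Cisco Live deck): normalize two constructed log
# formats into a common event shape, key each event by its 5-tuple, and pick
# out the inside host whose traffic more than one data source reported on.
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set, Tuple


class Event(NamedTuple):
    source: str     # which technology produced the record
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


# Field patterns for the two constructed formats below (not real product syntax).
FW_RE = re.compile(r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+)")
IDS_RE = re.compile(r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)")


def normalize(line: str) -> Optional[Event]:
    """Map a raw line to an Event, or None when the format is not recognised."""
    if " FW " in line:
        m, source = FW_RE.search(line), "firewall"
    elif "snort" in line:
        m, source = IDS_RE.search(line), "ids"
    else:
        return None
    if m is None:
        return None
    return Event(source, m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["proto"].lower())


FlowKey = Tuple[Tuple[str, int], Tuple[str, int], str]


def flow_key(ev: Event) -> FlowKey:
    """Direction-independent 5-tuple: the IDS logs the server's reply while the
    firewall logs the client's request, and both must land on the same key."""
    lo, hi = sorted([(ev.src_ip, ev.src_port), (ev.dst_ip, ev.dst_port)])
    return (lo, hi, ev.proto)


def correlate(lines: List[str]) -> Dict[FlowKey, List[Event]]:
    groups: Dict[FlowKey, List[Event]] = defaultdict(list)
    for line in lines:
        ev = normalize(line)
        if ev is not None:
            groups[flow_key(ev)].append(ev)
    return dict(groups)


def isolate_hosts(groups: Dict[FlowKey, List[Event]], inside_prefix: str = "10.") -> Dict[str, Set[str]]:
    """Inside hosts whose 5-tuples were reported by more than one source.
    The prefix test is a placeholder for a real address-space lookup."""
    hosts: Dict[str, Set[str]] = defaultdict(set)
    for (lo, hi, _), events in groups.items():
        sources = {e.source for e in events}
        if len(sources) < 2:
            continue
        for ip in (lo[0], hi[0]):
            if ip.startswith(inside_prefix):
                hosts[ip] |= sources
    return dict(hosts)


# Constructed sample lines (hosts, times and the local-range Snort SID are made up).
SAMPLE_LOGS = [
    "Mar 10 10:01:02 fw01 FW ALLOW src=10.0.0.42:51512 dst=198.51.100.7:443 proto=TCP",
    "Mar 10 10:01:03 ids01 snort[1234]: [1:1000001:1] LOCAL suspicious server response {TCP} 198.51.100.7:443 -> 10.0.0.42:51512",
    "Mar 10 10:01:04 fw01 FW ALLOW src=10.0.0.17:40000 dst=198.51.100.9:80 proto=TCP",
    "Mar 10 10:01:05 host01 sshd[99]: Accepted publickey for ops from 10.0.0.8 port 50022",
]


if __name__ == "__main__":
    for ip, sources in isolate_hosts(correlate(SAMPLE_LOGS)).items():
        print(ip, "reported by", sorted(sources))
```

Only 10.0.0.42 comes out, because its session is the one both the firewall and the IDS saw; the second firewall record stands alone and the sshd line is dropped at normalization. Adding a third source (proxy logs, NetFlow) is a matter of one more pattern in `normalize()`, which is how the correlation rule in topic 4.9 grows.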
Recommended Books
• CCNA Cyber Ops SECFND #210-250 Official Cert Guide, by Omar Santos, Joey Muniz, and Stefano De Crescenzo. ISBN: 9781587147029
• CCNA Cyber Ops SECOPS #210-255 Official Cert Guide, by Omar Santos and Joey Muniz. ISBN: 9781587147036
• Security Operations Center, by Omar Santos, Gary McIntyre, and Nadhem AlFardan. ISBN-13: 978-0-13-405201-4
• Crafting the InfoSec Playbook, by Jeff Bollinger, Brandon Enright, and Matthew Valites. ISBN: 978-1491949405
More Resources…
Books
• Cisco Press - Network Security with NetFlow and IPFIX
• Cisco Press - Computer Incident and Product Vulnerability Handling
• The Tao of Network Security Monitoring – by Richard Bejtlich (SECOPS)
• Incident Response with NetFlow for Dummies
http://www.lancope.com/blog/incident-response-for-dummies/
• Real Digital Forensics: Computer Security and Incident Response
• Security Monitoring by Chris Fry and Martin Nystrom
Cyber Range Service Delivery Platform
• A Platform for Service Delivery and Learning
• Deeper understanding of leading security methodologies, operations, and procedures
• Empower customers with the architecture and capability to combat modern cyber threats
• Over 50 Attack Cases for 9 Technology Solutions
• 100+ applications simultaneously merged with 200-500 different Malware types
• Virtual environment accessible from any place in the world
PEOPLE PROCESS DATA THINGS
Complete Your Online Session Evaluation
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions
Q & A
Thank You