CyberOps Professional
Traditional information security is no match for the expanding cybercrime ecosystem; therefore, security measures and professional skills must evolve to meet the demands. Achieving the Cisco Certified CyberOps Professional certification elevates your skills and confirms your abilities as an Information Security analyst in incident response roles, cloud security, and other active defense security roles. To earn a Cisco Certified CyberOps Professional certification, you pass two exams: one that covers core technologies and one concentration exam.
CBRCOR
Core Exam: 350-201 CBRCOR: Performing CyberOps Using Cisco Security Technologies
Concentration Exam: 300-215 CBRFIR: Conducting Forensic Analysis and Incident Response Using Cisco Technologies for CyberOps
350-201 CBRCOR: Performing CyberOps Using Cisco Security Technologies
Performing CyberOps Using Cisco Security Technologies v1.0 (CBRCOR 350-201) is a 120-minute exam that is associated with the Cisco CyberOps Professional Certification. This exam tests a candidate's knowledge of core cybersecurity operations including cybersecurity fundamentals, techniques, processes, and automation.
Course Details:
- Interpret the components within a playbook
- Determine the tools needed based on a playbook scenario
- Apply the playbook for a common scenario (for example, unauthorized elevation of privilege, DoS and DDoS, website defacement)
- Infer the industry for various compliance standards (for example, PCI, FISMA, FedRAMP, SOC, SOX, PCI, GDPR, Data Privacy, and ISO 27101)
- Describe the concepts and limitations of cyber risk insurance
- Analyze elements of a risk analysis (combination asset, vulnerability, and threat)
- Apply the incident response workflow
- Describe characteristics and areas of improvement using common incident response metrics
- Describe types of cloud environments (for example, IaaS platform)
- Compare security operations considerations of cloud platforms (for example, IaaS, PaaS)
- Recommend data analytic techniques to meet specific needs or answer specific questions
- Describe the use of hardening machine images for deployment
- Describe the process of evaluating the security posture of an asset
- Evaluate the security controls of an environment, diagnose gaps, and recommend improvement
- Determine resources for industry standards and recommendations for hardening of systems
- Determine patching recommendations, given a scenario
- Recommend services to disable, given a scenario
- Apply segmentation to a network
- Utilize network controls for network hardening
- Determine SecDevOps recommendations (implications)
- Describe use and concepts related to using a Threat Intelligence Platform (TIP) to automate intelligence
- Apply threat intelligence using tools
- Apply the concepts of data loss, data leakage, data in motion, data in use, and data at rest based on common standards
- Describe the different mechanisms to detect and enforce data loss prevention techniques
- Recommend tuning or adapting devices and software across rules, filters, and policies
- Describe the concepts of security data management
- Describe use and concepts of tools for security data analytics
- Recommend workflow from the described issue through escalation and the automation needed for resolution
- Apply dashboard data to communicate with technical, leadership, or executive stakeholders
- Analyze anomalous user and entity behavior (UEBA)
- Determine the next action based on user behavior alerts
- Describe tools and their limitations for network analysis (for example, packet capture tools, traffic analysis tools, network log analysis tools)
- Evaluate artefacts and streams in a packet capture file
- Troubleshoot existing detection rules
- Determine the tactics, techniques, and procedures (TTPs) from an attack
- Prioritize components in a threat model
- Determine the steps to investigate the common types of cases
- Apply the concepts and sequence of steps in the malware analysis process
- Interpret the sequence of events during an attack based on analysis of traffic patterns
- Determine the steps to investigate potential endpoint intrusion across a variety of platform types (for example, desktop, laptop, IoT, mobile devices)
- Determine known Indicators of Compromise (IOCs) and Indicators of Attack (IOAs), given a scenario
- Determine IOCs in a sandbox environment (includes generating complex indicators)
- Determine the steps to investigate potential data loss from a variety of vectors of modality (for example, cloud, endpoint, server, databases, application), given a scenario
- Recommend the general mitigation steps to address vulnerability issues
- Recommend the next steps for vulnerability triage and risk analysis using industry scoring systems (for example, CVSS) and other techniques
- Compare concepts, platforms, and mechanisms of orchestration and automation
- Interpret basic scripts (for example, Python)
- Modify a provided script to automate a security operations task
- Recognize common data formats (for example, JSON, HTML, CSV, XML)
- Determine opportunities for automation and orchestration
- Determine the constraints when consuming APIs (for example, rate limited, timeouts, and payload)
- Explain the common HTTP response codes associated with REST APIs
- Evaluate the parts of an HTTP response (response code, headers, body)
- Interpret API authentication mechanisms: basic, custom token, and API keys
- Utilize Bash commands (file management, directory navigation, and environmental variables)
- Describe components of a CI/CD pipeline
- Apply the principles of DevOps practices
- Describe the principles of Infrastructure as Code
CBRFIR
300-215 CBRFIR: Conducting Forensic Analysis and Incident Response Using Cisco Technologies for CyberOps
Conducting Forensic Analysis and Incident Response Using Cisco Technologies for CyberOps v1.0 (CBRFIR 300-215) is a 60-minute exam that is associated with the Cisco CyberOps Professional Certification. This exam tests a candidate's knowledge of forensic analysis and incident response fundamentals, techniques, and processes.
Course Details:
- Analyze the components needed for a root cause analysis report
- Describe the process of performing forensics analysis of infrastructure network devices
- Describe antiforensic tactics, techniques, and procedures
- Recognize encoding and obfuscation techniques (such as, base 64 and hex encoding)
- Describe the use and characteristics of YARA rules (basics) for malware identification, classification, and documentation
- Describe the role of hex editors (HxD, Hiew, and Hexfiend) in DFIR investigations
- Describe the role of disassemblers and debuggers (such as, Ghidra, Radare, and Evans Debugger) to perform basic malware analysis
- Describe the role of deobfuscation tools (such as, XORBruteForces, xortool, and unpacker)
- Describe the issues related to gathering evidence from virtualized environments
- Recognize the methods identified in the MITRE attack framework to perform fileless malware analysis
- Determine the files needed and their location on the host
- Evaluate output(s) to identify IOC on a host
- Determine the type of code based on a provided snippet
- Construct Python, PowerShell, and Bash scripts to parse and search logs or multiple data sources (such as, Cisco Umbrella, Sourcefire IPS, AMP for Endpoints, AMP for Network, and PX Grid)
- Recognize purpose, use, and functionality of libraries and tools (such as, Volatility, Systernals, SIFT tools, and TCPdump)
- Interpret alert logs (such as, IDS/IPS and syslogs)
- Determine data to correlate based on incident type (host-based and network-based activities)
- Determine attack vectors or attack surface and recommend mitigation in a given scenario
- Recommend actions based on post-incident analysis
- Recommend mitigation techniques for evaluated alerts from firewalls, intrusion prevention systems (IPS), data analysis tools (such as, Cisco Umbrella Investigate, Cisco Stealthwatch, and Cisco SecureX), and other systems to responds to cyber incidents
- Recommend a response to 0 day exploitations (vulnerability management)
- Recommend a response based on intelligence artifacts
- Recommend the Cisco security solution for detection and prevention, given a scenario
- Interpret threat intelligence data to determine IOC and IOA (internal and external sources)
- Evaluate artifacts from threat intelligence to determine the threat actor profile
- Describe capabilities of Cisco security solutions related to threat intelligence (such as, Cisco Umbrella, Sourcefire IPS, AMP for Endpoints, and AMP for Network)
- Describe antiforensic techniques (such as, debugging, Geo location, and obfuscation)
- Analyze logs from modern web applications and servers (Apache and NGINX)
- Analyze network traffic associated with malicious activities using network monitoring tools (such as, NetFlow and display filtering in Wireshark)
- Recommend next step(s) in the process of evaluating files based on distinguished characteristics of files in a given scenario
- Interpret binaries using objdump and other CLI tools (such as, Linux, Python, and Bash)
- Describe the goals of incident response
- Evaluate elements required in an incident response playbook
- Evaluate the relevant components from the ThreatGrid report
- Recommend next step(s) in the process of evaluating files from endpoints and performing ad-hoc scans in a given scenario
- Analyze threat intelligence provided in different formats (such as, STIX and TAXII)