Cisco Certified CyberOps Associate 200-201 Certification Guide - Glen D. Singh - E-Book

Cisco Certified CyberOps Associate 200-201 Certification Guide E-Book

Glen D. Singh

Description

Achieving the Cisco Certified CyberOps Associate 200-201 certification helps you to kickstart your career in cybersecurity operations. This book offers up-to-date coverage of 200-201 exam resources to fully equip you to pass on your first attempt.
The book covers the essentials of network security concepts and shows you how to perform security threat monitoring. You'll begin by gaining an in-depth understanding of cryptography and exploring the methodology for performing both host and network-based intrusion analysis. Next, you'll learn about the importance of implementing security management and incident response strategies in an enterprise organization. As you advance, you'll see why implementing defenses is necessary by taking an in-depth approach, and then perform security monitoring and packet analysis on a network. You'll also discover the need for computer forensics and get to grips with the components used to identify network intrusions. Finally, the book will not only help you to learn the theory but also enable you to gain much-needed practical experience for the cybersecurity industry.
By the end of this Cisco cybersecurity book, you'll have covered everything you need to pass the Cisco Certified CyberOps Associate 200-201 certification exam, and have a handy, on-the-job desktop reference guide.

You can read the e-book in the Legimi apps or in any app that supports the following formats:

EPUB
MOBI

Number of pages: 644

Year of publication: 2021




Cisco Certified CyberOps Associate 200-201 Certification Guide

Learn blue teaming strategies and incident response techniques to mitigate cybersecurity incidents

Glen D. Singh

BIRMINGHAM—MUMBAI

Cisco Certified CyberOps Associate 200-201 Certification Guide

Copyright © 2021 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Wilson D'souza

Publishing Product Manager: Rahul Nair

Senior Editor: Shazeen Iqbal

Content Development Editor: Romy Dias

Technical Editor: Shruthi Shetty

Copy Editor: Safis Editing

Language Support Editor: Safis Editing

Project Coordinator: Shagun Saini

Proofreader: Safis Editing

Indexer: Rekha Nair

Production Designer: Shankar Kalbhor

First published: May 2021

Production reference: 1030521

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham

B3 2PB, UK.

ISBN 978-1-80056-087-1

www.packt.com

I would like to dedicate this book to the people in our society who have always worked hard in their field of expertise and who have not been recognized for their hard work, commitment, sacrifices, and ideas, but who, most importantly, believed in themselves when no one else did. This book is for you. Always have faith in yourself. With commitment, hard work, and focus, anything can be possible. Never give up, because great things take time.

Contributors

About the author

Glen D. Singh is a cybersecurity instructor and an InfoSec author. His areas of expertise are cybersecurity operations, offensive security tactics, and enterprise networking. He is a holder of many certifications, including CEH, CHFI, PAWSP, and 3xCCNA (in CyberOps, Security, and Routing and Switching).

Glen loves teaching and mentoring others, and sharing his wealth of knowledge and experience as an author. He has written many books that focus on vulnerability discovery and exploitation, threat detection, intrusion analysis, incident response (IR), implementing security solutions, and enterprise networking. As an aspiring game-changer, Glen is passionate about increasing cybersecurity awareness in his homeland, Trinidad and Tobago.

I would like to thank Rahul Nair, Ronn Kurien, Suzanne Coutinho, Vivek Anantharaman, Romy Dias, Neil D'mello, and the wonderful team at Packt Publishing, who have provided amazing support and guidance throughout this journey. To the technical reviewers, Jessie J. Araneta and Kyle Reidell, thank you for your outstanding contribution to make this an amazing book.

About the reviewers

Kyle Reidell has world-class experience leading, developing, and architecting cybersecurity and engineering solutions for numerous government agencies, as well as Fortune 500 companies and cutting-edge technology startups. His background is truly multi-disciplinary; from developing and defending global operations centers to securing communications for the highest levels of government and designing cloud-native architectures while continuing to serve as a cyber officer in the Air National Guard.

Mr. Reidell is a Marine Corps veteran who is actively engaged as a mentor for aspiring youth and cybersecurity professionals. He holds multiple degrees and industry certifications, including a master's degree in information security.

I would like to thank my family, especially my wife and son, for the continuous support they have provided throughout my career and endeavors; I could not have done any of this without them!

Jessie James Solomon Araneta holds a degree in electronics engineering and has certifications from Cisco and Microsoft. He has experience in telecommunications (mobile and fixed network). He is currently working as a network support engineer on Etisalat's Managed Service Solutions for SMB networks.

I would like to thank God first, for His almighty guidance on whatever decisions I made. To the team at Packt and to the author, Glen – thank you for the opportunity of letting me contribute to this amazing book.

Table of Contents

Preface

Section 1: Network and Security Concepts

Chapter 1: Exploring Networking Concepts

Technical requirements

The functions of the network layers

The OSI reference model

The TCP/IP protocol suite

Understanding the purpose of various network protocols

Transmission Control Protocol

User Datagram Protocol

Internet Protocol

The Internet Control Message Protocol

Lab – inspecting ICMP messages with Wireshark

Summary

Questions

Further reading

Chapter 2: Exploring Network Components and Security Systems

Technical requirements

Exploring various network services

Address Resolution Protocol

Domain Name System

Dynamic Host Configuration Protocol

Discovering the role and operations of network devices

Hubs

Switches

Layer 3 switches

Routers

Wireless Access Point (WAP)

Wireless LAN Controller (WLC)

Describing the functions of Cisco network security systems

Firewall

Cisco Intrusion Prevention System (IPS)

Web Security Appliance

Email Security Appliance

Cisco Advanced Malware Protection

Summary

Questions

Further reading

Chapter 3: Discovering Security Concepts

Introducing the principles of defense in depth

Confidentiality

Integrity

Availability

Combining the three pillars

Exploring security terminologies

Threats, vulnerabilities, and exploits

Identifying threat actors

Understanding runbook automation

Chain of custody

Reverse engineering

PII and PHI

Understanding risk

Exploring access control models

Discretionary access control

Mandatory access control

Rule-based access control

Time-based access control

Role-based access control

Authentication, authorization, and accounting

Understanding security deployment

Summary

Questions

Section 2: Principles of Security Monitoring

Chapter 4: Understanding Security Principles

Technical requirements

Understanding a security operation center

Types of SOC

Elements of an SOC

Understanding the security tools used to inspect data types on a network

Attack surface and vulnerability

tcpdump

NetFlow

Application visibility and control

Web content filtering

Email content filtering

Understanding the impact of data visibility through networking technologies

Access control lists

NAT and PAT

Tunneling, encapsulation, and encryption

Peer-to-Peer (P2P) and TOR

Load balancing

Next-gen IPS event types

Understanding how threat actors transport malicious code

The domain name system

The Network Time Protocol

Web-based traffic

Email-based traffic

Delving into data types used during security monitoring

Session data

Transaction data

Full packet capture

Statistical data

Extracted content (metadata)

Alert data

Summary

Questions

Further reading

Chapter 5: Identifying Attack Methods

Understanding network-based attacks

Denial of Service

Protocol-based attacks

Distributed Denial of Service

Man-in-the-middle

Exploring web application attacks

SQL injection

Command injection

Cross-site scripting

Cross-site request forgery

Delving into social engineering attacks

Key elements of social engineering

Types of social engineering attacks

Understanding endpoint-based attacks

Buffer overflows

Command and control (C2)

Malware and ransomware

Interpreting evasion and obfuscation techniques

Summary

Questions

Further reading

Chapter 6: Working with Cryptography and PKI

Technical requirements

Understanding the need for cryptography

Elements of cryptography

Types of ciphers

Substitution cipher

Transposition cipher

Understanding cryptanalysis

Understanding the hashing process

Describing hashing algorithms

Lab – Comparing hashes

Exploring symmetric encryption algorithms

Symmetric algorithms

Delving into asymmetric encryption algorithms

Understanding PKI

Components of PKI

PKI trust system

Lab – Observing the exchange of digital certificates

Using cryptography in wireless security

Summary

Questions

Further reading

Section 3: Host and Network-Based Analysis

Chapter 7: Delving into Endpoint Threat Analysis

Technical requirements

Understanding endpoint security technologies

Anti-malware and antivirus

Host-based firewall

Host-based intrusion detection

Application-level whitelisting/blacklisting

Systems-based sandboxing

Understanding Microsoft Windows components

Processes, threads, and services

The Windows paging file

Windows registry

Windows Management Instrumentation

Monitoring tools

Exploring Linux components

Linux Terminal

Viewing directories

Log files

Monitoring resources

Summary

Questions

Further reading

Chapter 8: Interpreting Endpoint Security

Technical requirements

Exploring the Microsoft Windows filesystem

Filesystems

Alternate data streams

Delving into the Linux filesystem

Understanding the CVSS

CVSS metrics

Working with malware analysis tools

Lab exercise – Building a malware analysis sandbox

Summary

Questions

Chapter 9: Exploring Computer Forensics

Technical requirements

Understanding the need for computer forensics

Understanding the process of digital forensics

Understanding the chain of custody

Understanding volatility of evidence

Understanding types of evidence

Contrasting tampered and untampered disk images

Lab – capturing a disk image on Linux

Lab – using FTK Imager to capture a disk image on Microsoft Windows

Tools commonly used during a forensics investigation

Understanding the role of attribution in an investigation

Summary

Questions

Further reading

Chapter 10: Performing Intrusion Analysis

Technical requirements

Identifying intrusion events based on source technologies

IDS/IPS

Firewall

Network application control

Proxy logs

Antivirus

Elements of NetFlow and transactional data

Stateful and deep packet firewall operations

DPI firewall

Stateful firewall

Packet filtering

Comparing inline traffic interrogation techniques

Understanding impact and no impact on intrusion

Protocol headers in intrusion analysis

Ethernet frame

IPv4 and IPv6

TCP

UDP

ICMP

SMTP

HTTP and HTTPS

ARP

Packet analysis using a PCAP file and Wireshark

Lab – packet analysis using Wireshark

Summary

Questions

Further reading

Section 4: Security Policies and Procedures

Chapter 11: Security Management Techniques

Technical requirements

Identifying common artifact elements

Interpreting basic regular expressions

Lab – using regexes to find specific data values

Understanding asset management

Delving into configuration and mobile device management

Exploring patch and vulnerability management

Summary

Questions

Further reading

Chapter 12: Dealing with Incident Response

Understanding the incident handling process

Understanding the phases of incident handling

Exploring CSIRT teams and their responsibilities

Delving into network and server profiling

Network profiling

Server profiling

Comparing compliance frameworks

PCI DSS

HIPAA

SOX

Summary

Questions

Further reading

Chapter 13: Implementing Incident Handling

Understanding the NIST SP 800-86 components

Evidence collection order and volatility

Data acquisition and integrity

Sharing information using VERIS

Exploring the Cyber Kill Chain

Reconnaissance

Weaponization

Delivery

Exploitation

Installation

Command and Control (C2)

Actions on objectives

Delving into the Diamond Model of Intrusion Analysis

Identifying protected data in a network

Personally Identifiable Information (PII)

Personal Security Information (PSI)

Protected Health Information (PHI)

Intellectual property

Summary

Questions

Further reading

Chapter 14: Implementing Cisco Security Solutions

Technical requirements

Implementing AAA in a Cisco environment

Part 1 – Configuring IP addresses on host devices

Part 2 – Configuring RADIUS and TACACS+ services

Part 3 – Configuring local AAA on the R1 router

Part 4 – Configuring server-based AAA using RADIUS

Part 5 – Configuring server-based AAA using TACACS+

Part 6 – Verification

Deploying a zone-based firewall

Part 1 – Configuring IP addresses on PC 1 and the web server

Part 2 – Enabling the security technology license on the HQ router

Part 3 – Configuring IP addresses and routes on HQ and ISP routers

Part 4 – Creating security zones

Part 5 – Identifying traffic

Part 6 – Creating a policy map to define the action of matching traffic

Part 7 – Identifying the zone pair and match policy

Part 8 – Assigning the security zones to the interface

Part 9 – Verification

Configuring an IPS

Part 1 – Configuring IP addresses on end devices

Part 2 – Enabling the security technology license on the HQ router

Part 3 – Configuring IP addresses and routes on HQ and ISP routers

Part 4 – Configuring the IPS signature storage location and rule on HQ

Part 5 – Configuring the logging of IPS events

Part 6 – Configuring IPS with signature categories

Part 7 – Applying the IPS rule to an interface

Part 8 – Creating an alert and dropping inbound ICMP Echo Reply packets

Part 9 – Verification

Summary

Further reading

Chapter 15: Working with Cisco Security Solutions

Technical requirements

Implementing secure protocols on Cisco devices

Part 1 – Configuring IP addresses on host devices

Part 2 – Configuring the Syslog and NTP servers

Part 3 – Configuring hostnames, banners, and IP addresses on routers

Part 4 – Configuring OSPFv2 routing with authentication

Part 5 – Configuring NTP with authentication

Part 6 – Configuring Syslog

Part 7 – Implementing secure remote access using SSH

Part 8 – Verification

Deploying Layer 2 security controls

Part 1 – Configuring end devices and the DHCP server

Part 2 – Securing STP

Part 3 – Configuring DHCP snooping with ARP inspection

Part 4 – Verification

Configuring a Cisco ASA firewall

Part 1 – Configuring the ISP router and end devices

Part 2 – Performing basic ASA configurations

Part 3 – Configuring security zones and interfaces

Part 4 – Assigning the physical interfaces to a security zone

Part 5 – Configuring routing and NAT

Part 6 – Configuring the Cisco MPF

Part 7 – Configuring DHCP and remote access

Part 8 – Configuring the DMZ

Part 9 – Verification

Summary

Chapter 16: Real-World Implementation and Best Practices

Technical requirements

Implementing an open source SIEM tool

Part 1 – Creating a virtual environment

Part 2 – Installing OSSIM

Part 3 – Getting started with AlienVault OSSIM

Implementing tools to perform the active scanning of assets

Part 1 – Setting up Kali Linux

Part 2 – Acquiring and installing Nessus

Part 3 – Performing a vulnerability scan

Using open source breach and attack simulation tools

Part 1 – Installing Infection Monkey

Part 2 – Setting up C2

Part 3 – Breach and attack reporting

Implementing an open source honeypot platform

Part 1 – Creating the virtual environment

Part 2 – Installing the honeypot platform

Part 3 – Initializing the honeypot and its applications

Part 4 – Accessing the honeypot dashboard

Summary

Chapter 17: Mock Exam 1

Chapter 18: Mock Exam 2

Assessment

Other Books You May Enjoy

Preface

As a cybersecurity trainer, I've realized it's rare to find books that focus on cybersecurity operations for students and IT professionals who want to pursue a career in cybersecurity operations, incident response, and Blue Teaming strategies. Having the opportunity to write this book allowed me to share my knowledge, insights, and wisdom with others while helping to fill the gap between the offensive and defensive sides of cybersecurity.

When I gained my Cisco Certified CyberOps Associate certification, I fully understood the need and importance of such skills and knowledge for any professional within the cybersecurity industry. Therefore, I was inspired to give back to the community to help others learn and become better within their profession while improving their skills.

Using experience, research, and discussions with like-minded professionals within the industry, I was able to not only create the core content for the certification curriculum but also provide a beyond-certification approach through various chapters. This will allow you to obtain more in-depth information and strategies on key topics with hands-on labs to become an awesome cybersecurity professional.

As you embark on this new journey in the field of cybersecurity, I can definitely say it is going to be very exciting and thrilling as you will learn about the core operations of a cybersecurity professional.

The Cisco Certified CyberOps Associate certification is designed to provide you with all the essential skills and knowledge for the cybersecurity landscape of the world tomorrow. The certification is focused on ensuring the learner is well equipped to start a career in cybersecurity operations.

Furthermore, you will start by learning the fundamentals of networking and security concepts as they are important for cybersecurity professionals to have a solid foundation of how network protocols and security technologies function, and the role they play in enterprise networks.

You'll then take a deep dive in later sections of this book, which will cover how to perform security monitoring. You'll learn how to identify threats and various types of cyber-attacks. Then, you'll explore the need to perform both host-based and network-based analysis to detect and prevent intrusions on systems and networks.

Lastly, as an aspiring cybersecurity professional you will also learn about various incident response standards, strategies, and procedures that are used to prevent and recover from security events and intrusions.

Who this book is for

This book is written for students who are looking to pursue a career in cybersecurity operations, threat detection, and analysis, and aim to become part of a Blue Team. Additionally, IT professionals who are looking to gain a career boost and acquire new skills in security operations, incident response (IR), and security procedures will find this book a must-have in their library. Furthermore, enthusiasts and cybersecurity trainers who are always looking for great content will discover very informative discussions on key topics within the cybersecurity industry.

What this book covers

Chapter 1, Exploring Networking Concepts, covers the fundamentals of network protocol suites, and the characteristics and functionality of each layer of TCP/IP.

Chapter 2, Exploring Network Components and Security Systems, covers the function of various networking protocols, and the role and functions of networking and security devices.

Chapter 3, Discovering Security Concepts, covers the importance of implementing a Defense in Depth approach, explaining key security terminology and access control models.

Chapter 4, Understanding Security Principles, covers the functionality of a security operations center (SOC), how data visibility is affected by network technologies, and how threat actors are able to exfiltrate data using common network protocols.

Chapter 5, Identifying Attack Methods, covers the characteristics of common network-based attacks, web application attacks, social engineering attacks, and endpoint-based attacks, and explains how threat actors evade threat detection systems.

Chapter 6, Working with Cryptography and PKI, covers the importance of cryptography and the characteristics of confidentiality, integrity, origin authentication, non-repudiation, and Public Key Infrastructure (PKI).

Chapter 7, Delving into Endpoint Threat Analysis, covers the fundamentals of endpoint security and how it protects a system from various security threats, and also covers key components of both Windows and Linux operating systems that can help identify endpoint-based threats.

Chapter 8, Interpreting Endpoint Security, covers the filesystem for Windows and Linux operating systems, how security professionals are able to determine the vulnerability score of a security weakness, and malware analysis.

Chapter 9, Exploring Computer Forensics, covers the fundamentals of computer forensics, types of evidence collected during an investigation, and how to compare disk images.

Chapter 10, Performing Intrusion Analysis, covers the operations of various firewall technologies. It compares inline traffic interrogation techniques and explains the elements of various protocol headers as they relate to an intrusion.

Chapter 11, Security Management Techniques, covers the fundamentals of identifying artifact elements and explains the need for various security management techniques and practices within an enterprise organization.

Chapter 12, Dealing with Incident Response, covers the importance of incident response and handling processes, the characteristics of various security teams, and security compliance.

Chapter 13, Implementing Incident Handling, covers the fundamentals of implementing forensics techniques into IR, explains how the Cyber Kill Chain can be used to stop a cyber-attack, and explains how the Diamond Model of Intrusion is used to better understand how an intrusion occurs.

Chapter 14, Implementing Cisco Security Solutions, covers the fundamentals of implementing security solutions such as AAA, zone-based firewall, and an intrusion prevention system using Cisco solutions on a network.

Chapter 15, Working with Cisco Security Solutions, covers the fundamentals of implementing additional security solutions such as Layer 2 security controls, securing networking devices, and configuring a Cisco ASA firewall appliance.

Chapter 16, Real-World Implementation and Best Practices, covers advanced topics on implementing various real-world security solutions, such as an open source SIEM, performing active scanning of assets, performing breach and attack simulations, and deploying a honeypot.

Chapter 17, Mock Exam 1, includes a simple mock test containing questions that will help you to prepare for the Cisco Certified CyberOps Associate examination and will help you identify any topics you need to spend additional time learning about and practicing.

Chapter 18, Mock Exam 2, includes another mock test containing questions that will help you to prepare for the Cisco Certified CyberOps Associate examination.

To get the most out of this book

All of the labs completed within this book used virtualization technologies to ensure the learner can perform these hands-on labs without needing to purchase additional equipment. Keep in mind that you are required to have a fundamental knowledge of virtualization and its benefits. Furthermore, you are required to know the essentials of computer networking, such as IP addressing schemes and how to perform basic network troubleshooting.

When running the labs within this book, during some phases you'll notice that the installation or the setup process may get stuck. Don't worry, give it some time to complete on its own.

If you are using the digital version of this book, we advise you to type the code yourself or access the code via the GitHub repository (link available in the next section). Doing so will help you avoid any potential errors related to the copying and pasting of code.

After completing this book, using your imagination, attempt to use the knowledge and skills you have gained to perform vulnerability assessments and implement security technologies on your network. Keep in mind that you should not scan systems or networks that you do not own.

Download the example code files

You can download the example code files for this book from GitHub at https://github.com/PacktPublishing/Cisco-Certified-CyberOps-Associate-200-201-Certification-Guide. In case there's an update to the code, it will be updated on the existing GitHub repository.

We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!

Code in Action

Code in Action videos for this book can be viewed at https://bit.ly/3xrwJTG.

Download the color images

We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: http://www.packtpub.com/sites/default/files/downloads/9781800560871_ColorImages.pdf.

Conventions used

There are a number of text conventions used throughout this book.

Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "A subnet such as 255.255.255.0 contains a total of 24 ones, so we can represent this subnet mask by simply writing it as /24. "

A block of code is set as follows:

html, body, #map {
  height: 100%;
  margin: 0;
  padding: 0
}

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

[default]
exten => s,1,Dial(Zap/1|30)
exten => s,2,Voicemail(u100)
exten => s,102,Voicemail(b100)
exten => i,1,Voicemail(s0)

Any command-line input or output is written as follows:

$ ping 8.8.8.8 -c 4
$ sudo tcpdump -i eth0 -nn -s0 -v port 443 -w /home/kali/Desktop/tcpdump_capture.pcap

Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "The VirtualBox import wizard will open. Simply click Import to begin importing the virtual image into VirtualBox."

Tips or important notes

Appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.

Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Reviews

Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!

For more information about Packt, please visit packt.com.

Section 1: Network and Security Concepts

This section will begin by introducing the reader to the fundamentals of security, security deployment models, factors, key terminology that is important to a security analyst, principles of defense in depth in security, and various access control models.

This section contains the following chapters:

Chapter 1, Exploring Networking Concepts

Chapter 2, Exploring Network Components and Security Systems

Chapter 3, Discovering Security Concepts