Cisco Certified CyberOps Associate

• Compare security deployments
• Network, endpoint, and application security systems
• Agentless and agent-based protections
• Legacy antivirus and antimalware
• SIEM, SOAR, and log management

• Describe security terms
• Threat intelligence (TI)
• Threat hunting
• Malware analysis
• Threat actor
• Run book automation (RBA)
• Reverse engineering
• Sliding window anomaly detection
• Principle of least privilege
• Zero trust
• Threat intelligence platform (TIP)

• Compare security concepts
• Risk (risk scoring/risk weighting, risk reduction, risk assessment)
• Threat
• Vulnerability
• Exploit

• Describe the principles of the defense-in-depth strategy1.6 Compare access control models
• Discretionary access control
• Mandatory access control
• Non-discretionary access control
• Authentication, authorization, accounting
• Rule-based access control
• Time-based access control
• Role-based access control

• Describe terms as defined in CVSS
• Attack vector
• Attack complexity
• Privileges required
• User interaction
• Scope
• Identify the challenges of data visibility (network, host, and cloud) in detection
• Identify potential data loss from provided traffic profiles
• Interpret the 5-tuple approach to isolate a compromised host in a grouped set of logs
• Compare rule-based detection vs. behavioral and statistical detection

• Compare attack surface and vulnerability
• Identify the types of data provided by these technologies
• TCP dump
• NetFlow
• Next-gen firewall
• Traditional stateful firewall
• Application visibility and control
• Web content filtering
• Email content filtering

• Describe the impact of these technologies on data visibility
• Access control list
• NAT/PAT
• Tunneling
• TOR
• Encryption
• P2P
• Encapsulation
• Load balancing

• Describe the uses of these data types in security monitoring
• Full packet capture
• Session data
• Transaction data
• Statistical data
• Metadata
• Alert data
• Describe network attacks, such as protocol-based, denial of service, distributed denial of service, and man-in-the-middle
• Describe web application attacks, such as SQL injection, command injections, and cross-site scripting
• Describe social engineering attacks2.8 Describe endpoint-based attacks, such as buffer overflows, command and control (C2), malware, and ransomware
• Describe evasion and obfuscation techniques, such as tunneling, encryption, and proxies
• Describe the impact of certificates on security (includes PKI, public/private crossing the network, asymmetric/symmetric)
• Identify the certificate components in a given scenario
• Cipher-suite
• X.509 certificates
• Key exchange
• Protocol version
• PKCS

• Describe the functionality of these endpoint technologies in regard to security monitoring
• Host-based intrusion detection
• Antimalware and antivirus
• Host-based firewall
• Application-level listing/block listing
• Systems-based sandboxing (such as Chrome, Java, Adobe Reader)
• Identify components of an operating system (such as Windows and Linux) in a given scenario
• Describe the role of attribution in an investigation
  • Assets
  • Threat actor
  • Indicators of compromise
  • Indicators of attack
  • Chain of custody
  • Identify the type of evidence used based on provided logs
    • Best evidence
    • Corroborative evidence
    • Indirect evidence
    • Compare tampered and untampered disk image
    • Interpret operating system, application, or command line logs to identify an event
    • Interpret the output report of a malware analysis tool (such as a detonation chamber or sandbox)
    • Hashes
    • URLs
    • Systems, events, and networking

• Map the provided events to source technologies
• IDS/IPS
• Firewall
• Network application control
• Proxy logs
• Antivirus
• Transaction data (NetFlow)
• Compare impact and no impact for these items
• False positive
• False negative
• True positive
• True negative
• Benign
• Compare deep packet inspection with packet filtering and stateful firewall operation
• Compare inline traffic interrogation and taps or traffic monitoring
• Compare the characteristics of data obtained from taps or traffic monitoring and transactional data (NetFlow) in the analysis of network traffic
• Extract files from a TCP stream when given a PCAP file and Wireshark
• Identify key elements in an intrusion from a given PCAP fie h3
  • Source address
  • Destination address
  • Source port
  • Destination port
  • Protocols
  • Payloads
  • Interpret the fields in protocol headers as related to intrusion analysis
    • Ethernet frame
    • IPv4
    • IPv6
    • TCP
    • UDP
    • ICMP
    • DNS
    • SMTP/POP3/IMAP
    • HTTP/HTTPS/HTTP2
    • ARP
      • Interpret common artifact elements from an event to identify an alert
      • IP address (source / destination)
      • Client and server port identity
      • Process (file or registry)
      • System (API calls)
      • Hashes
      • URI / URL
      • Interpret basic regular expressions

• Describe management concepts
• Asset management
• Configuration management
• Mobile device management
• Patch management
• Vulnerability management
• Describe the elements in an incident response plan as stated in NIST.SP800-61
• Apply the incident handling process (such as NIST.SP800-61) to an event
• Map elements to these steps of analysis based on the NIST.SP800-61
• Preparation
• Detection and analysis
• Containment, eradication, and recovery
• Post-incident analysis (lessons learned)
• Map the organization stakeholders against the NIST IR categories (CMMC, NIST.SP800-61)</;o>
  • • Preparation
    • Detection and analysis
    • Containment, eradication, and recovery
    • Post-incident analysis (lessons learned)

  Describe concepts as documented in NIST.SP800-86

• • Evidence collection order
  • Data integrity
  • Data preservation
  • Volatile data collection

Identify these elements used for network profiling

• Total throughput
• Session duration
• Ports used
• Critical asset address space
• Identify these elements used for server profiling
  • Listening ports
  • Logged-in users/service accounts
  • Running processes
  • Running tasks
  • Applications
  • Identify protected data in a network
    • PII
    • PSI
    • PHI
    • Intellectual property
    • Classify intrusion events into categories as defined by security models, such as the Cyber Kill Chain Model and Diamond Model of Intrusion
    • Describe the relationship of SOC metrics to scope analysis (time to detect, time to contain, time to respond, time to control)