SECOPS - Implementing Cisco Cybersecurity Operations

Introduction

The Implementing Cisco Cybersecurity Operations (SECOPS) v1.0 course gives you foundation-level knowledge of security incident analysis techniques used in a Security Operations Center (SOC). You will learn how to identify and analyze threats and malicious activity, correlate events, conduct security investigations, use incident playbooks, and learn SOC operations and procedures. This course prepares you for the 210-255 SECOPS exam, one of the two exams for the current Cisco Certified CyberOps Associate certification. This certification validates your knowledge and hands-on skills to help handle cybersecurity events as an associate-level member of a SOC team.

Today’s cybersecurity professionals need to detect, investigate, and respond to a wide variety of security events. This course will help you gain the skills to play a role in your organization’s SOC detecting and responding to security events.

The United States Department of Defense recognizes Cisco CCNA CyberOps (now called Cisco Certified CyberOps Associate) certification as an approved baseline certification in the Information Assurance (IA) Workforce CCSP Incident Responder and CCSP Analyst job categories. Please see Cisco CCNA Cyber Ops and the DoD Approved 8570 Baseline Certifications for more information.

Duration: 40 hours
Investment: Price on request

Target Audience

Any learner interested in entering associate-level cybersecurity roles such as:
• SOC cybersecurity analysts
• Computer or network defense analysts
• Computer network defense infrastructure support personnel
• Future incident responders and SOC personnel
• Cisco integrators or partners

Objective

This course will help you:
• Learn the fundamental skills that a cybersecurity analyst in a security operations center uses, including threat analysis, event correlation, identifying malicious activity, and how to use a playbook for incident response;
• Prepare for the Cisco Certified CyberOps Associate certification with hands-on practice using real-life security analysis tools, such as those found in a Linux distribution;
• Qualify for entry-level job roles in the high-demand area of cybersecurity;
• Describe the three common SOC types, the tools used by SOC analysts, the job roles within the SOC, and incident analysis within a threat-centric SOC;
• Explain security incident investigations, including event correlation and normalization and common attack vectors, and be able to identify malicious and suspicious activities;
• Explain the use of a SOC playbook to assist with investigations, the use of metrics to measure the effectiveness of the SOC, the use of a SOC workflow management system and automation to improve SOC efficiency, and the concepts of an incident response plan.

Prerequisites

It is strongly recommended, but not required, that students have the following knowledge and skills:
• Skills and knowledge equivalent to those learned in Interconnecting Cisco Networking Devices Part 1 (ICND1)
• Working knowledge of the Windows operating system
• Working knowledge of Cisco IOS networking and concepts

Course Content

Course Introduction
Course Outline
Course Goals & Objectives

SOC Overview
Defining the Security Operations Center
Types of Security Operations Centers
Describe, at a high level, the types of network security monitoring tools typically used within a SOC.
Explain the purpose of data analytics, and the use of log mining, packet captures, and rule-based alerts for incident investigations.
Hybrid Installations: Automated Reports, Anomaly Alerts
Proper Staffing Necessary for an Effective Incident Response Team
Roles in a Security Operations Center
Describe the different job roles within a typical SOC.
Develop Key Relationships with External Resources

NSM Tools
Describe the three types of network security monitoring tools used within the SOC (commercial, open source, or homegrown).
Describe the different types of network security monitoring data (session data, full packet capture, transaction data, alert data, and statistical data).
Explain, at a high level, the use of Security Onion as a network security monitoring tool.
Explain that packet capture data is stored in the PCAP format, and the storage requirements for full packet capture.
Session Data
Describe session data content, and provide an example of session data.
Describe transaction data content, and provide an example of transaction data.
Describe alert data content, and provide an example of alert data.
Describe the other types of network security monitoring data (extracted content, statistical data, and metadata).
Explain the need to correlate network security monitoring data, and provide an example.

Understanding Incident Analysis in a Threat-Centric SOC
Describe using the classic kill chain model to perform network security incident analysis.
Kill Chain Phase 1: Describe the reconnaissance phase of the classic kill chain model.
Kill Chain Phase 2: Describe the weaponization phase of the classic kill chain model.
Kill Chain Phase 3: Describe the delivery phase of the classic kill chain model.
Kill Chain Phase 4: Describe the exploitation phase of the classic kill chain model.
Kill Chain Phase 5: Describe the installation phase of the classic kill chain model.
Kill Chain Phase 6: Describe the command-and-control phase of the classic kill chain model.
Kill Chain Phase 7: Describe the actions on objectives phase of the classic kill chain model.
Applying the Kill Chain Model
Describe how the kill chain model can be applied to detect and prevent ransomware.
Describe using the diamond model to perform network security incident analysis.
Applying the Diamond Model
Describe how to apply the diamond model to perform network security incident analysis using a threat intelligence platform such as ThreatConnect.
Exploit Kits: Describe the use of exploit kits by the threat actors.

Identifying Resources for Hunting Cyber Threats
Cyber-Threat Hunting Concepts
Describe, at a high level, the cyber-threat hunting concepts.
Hunting Maturity Model: Explain the five hunting maturity levels (HM0 to HM4).
Cyber-Threat Hunting Cycle: Explain the hunting cycle four-stage loop.
Common Vulnerability Scoring System
Describe, at a high level, the use of the Common Vulnerability Scoring System, and list the v3.0 base metrics.
CVSS v3.0 Scoring: Describe the Common Vulnerability Scoring System v3.0 scoring components (base, temporal, and environmental).
Provide an example of Common Vulnerability Scoring System v3.0 scoring.
Hot Threat Dashboard: Describe the use of a hot threat dashboard within a SOC.
Publicly Available Threat Awareness Resources
Provide examples of some of the publicly available threat awareness resources.
Other External Threat Intelligence Sources and Feeds Reference

Security Incident Investigations
Understanding Event Correlation and Normalization
Describe some of the network security monitoring event sources (IPS, Firewall, NetFlow, Proxy Server, IAM, AV, Application Logs).
Describe direct evidence and circumstantial evidence.
Provide an example of security data normalization.
Provide an example of security events correlation.
Other Security Data Manipulation
Explain the basic concepts of security data aggregation, summarization, and deduplication.

Identifying Common Attack Vectors
Explain the use of obfuscated JavaScript by the threat actors.
Explain the use of shellcode and exploits by the threat actors.
Explain the three basic types of payloads within the Metasploit framework (single, stager, stage).
Explain the use of directory traversal by the threat actors.
Explain the basic concepts of SQL injection attacks.
Explain the basic concepts of cross-site scripting attacks.
Explain the use of punycode by the threat actors.
Explain the use of DNS tunneling by the threat actors.
Explain the use of pivoting by the threat actors.

Identifying Malicious Activity
Explain the need for security analysts to understand the network design they are protecting.
Identifying Possible Threat Actors
Describe the different threat actor types.
Log Data Search
Provide an example of log data search using ELSA.
Explain using NetFlow as a security tool.
DNS Risk and Mitigation Tool
Explain how DNS can be used by the threat actors to perform attacks.

Identifying Patterns of Suspicious Behavior
Explain how to identify patterns of suspicious behaviors.
Explain the purpose of baselining the network activities.
Explain using the established baseline to identify anomalies and suspicious behaviors.
Explain the basic concepts of performing PCAP analysis.
Explain the use of a sandbox to perform file analysis.

Conducting Security Incident Investigations
Security Incident Investigation Procedures
Explain the objective of security incident investigation to discover the who, what, when, where, why, and how about the security incident.
Threat Investigation Example: China Chopper Remote Access Trojan

SOC Operations
Explain using a SOC playbook to assist with investigations, using metrics to measure the SOC's
Describing the SOC Playbook
Explain the use of a typical playbook in the SOC.
Describe the security analytics process.
Describe the use of a playbook in a SOC.
Describe the components of a play in a typical SOC playbook.
Describe the use of a playbook management system in the SOC.

Understanding the SOC Metrics
Explain the use of SOC metrics to measure the SOC's effectiveness.
Explain using a SIEM to provide security data aggregation, real-time reporting, and analysis of security events.
Explain what time to detection is.
Security Controls Detection Effectiveness
Explain how to measure security control effectiveness in terms of true positive/negative and false positive/negative events.
Explain using different metrics to measure the SOC effectiveness.

Understanding the SOC WMS and Automation
Explain the use of a workflow management system and automation to improve the SOC's effectiveness.
Explain the basic concepts and benefits of using a workflow management system within a SOC.
Describe a typical incident response workflow.
Describe how a typical workflow management system is integrated within a SOC.
Provide an example of a SOC workflow automation system (Cybersponse).

Incident Response Planning
Explain the purpose for incident response planning.
Describe the typical incident response life cycle.
Describe the typical elements within an incident response policy.
Describe how incidents can be classified.
Describe the different US-CERT incident categories (CAT 0 to CAT 6).
Regulatory Compliance Incident Response Requirements
Describe compliance regulations that contain incident response requirements.

CSIRT Categories
Describe the different general CSIRT categories.
Describe the basic framework that defines a CSIRT.
Describe the different CSIRT incident handling services (triage, handling, feedback, optional announcement).

VERIS Overview
Explain what VERIS is.
Explain the VERIS incident structure.
Explain the VERIS 4 As.
Describe a typical VERIS record.
Describe the VERIS Community Database.
Describe the Verizon Data Breach Investigations Report and the Cisco Annual Security Report.

Lab Outline
Lab 1: Explore Network Security Monitoring Tools
Lab 2: Investigate Hacker Methodology
Lab 3: Hunt Malicious Traffic
Lab 4: Correlate Event Logs, PCAPs, and Alerts of an Attack
Lab 5: Investigate Browser-Based Attacks
Lab 6: Analyze Suspicious DNS Activity
Lab 7: Investigate Suspicious Activity Using Security Onion
Lab 8: Investigate Advanced Persistent Threats
Lab 9: Explore SOC Playbooks