SECOPS - Implementing Cisco Cybersecurity Operations v1.0

Module 1: SOC Overview
Objective: Describe the three common Security Operations Center types, the different tools used by the SOC analysts, the different job roles within the Security Operations Center, and incident analysis within a threat-centric Security Operations Center.

Lesson 1: Defining the Security Operations Center
Objective: Explain how a SOC operates and describes the different types of services that are performed from a Tier 1 SOC analyst’s perspective.

• Types of Security Operations Centers
  
  • Objective: Explain the different types of SOCs (Threat-Centric, Compliance-Based, Operational-Based).
• SOC Analyst Tools
  
  • Objective: Describe at a high-level, the types of network security monitoring tools typically used within a SOC.
• Data Analytics
  
  • Objective: Explain the purpose of data analytics, and using log mining, packet captures, and rule-based alerts for incident investigations.
• Hybrid Installations: Automated Reports, Anomaly Alerts
  
  • Objective: Describe at a high level, the use of automation within the SOC.
• Proper Staffing Necessary for an Effective Incident Response Team
  
  • Objective: Describe the proper staffing necessary for implementing an effective incident response team.
• Roles in a Security Operations Center
  
  • Objective: Describe the different job roles within a typical SOC.
• Develop Key Relationships with External Resources
  
  • Objective: List the external resources a typical SOC needs to establish a relationship with.
• Challenge

Lesson 2: Understanding NSM Tools and Data
Objective: Explain the network security monitoring tools and data available to the network security analyst.

• Introduction
• NSM Tools
  
  • Objective: Describe the three types of network security monitoring tools used within the SOC (commercial, open source, or homegrown).
• NSM Data
  
  • Objective: Describe the different types of network security monitoring data (session data, full packet capture, transaction data, alert data, and statistical data).
• Security Onion
  
  • Objective: Explain at a high level, the use of Security Onion as a network security monitoring tool.
• Full Packet Capture
  
  • Objective: Explain packet capture data is stored in the PCAP format, and the storage requirements for full packet capture.
• Session Data
  
  • Objective: Describe session data content, and provide an example of session data.
• Transaction Data
  
  • Objective: Describe transaction data content, and provide an example of transaction data.
• Alert Data
  
  • Objective: Describe alert data content, and provide an example of alert data.
• Other NSM Data Types
  
  • Objective: Describe the other types of network security monitoring data (extracted content, statistical data, and metadata).
• Correlating NSM Data
  
  • Objective: Explain the need to correlate network security monitoring data, and provide an example.

Lesson 3: Understanding Incident Analysis in a Threat-Centric SOC
Objective: Understand the kill chain and the diamond models for incident investigations, and the use of exploit kits by the threat actors.

• Classic Kill Chain Model Overview
  
  • Objective: Describe using the classic kill chain model to perform network security incident analysis.
• Kill Chain Phase 1: Reconnaissance
  
  • Objective: Describe the reconnaissance phase of the classic kill chain model.
• Kill Chain Phase 2: Weaponization
  
  • Objective: Describe the weaponization phase of the classic kill chain model.
• Kill Chain Phase 3: Delivery
  
  • Objective: Describe the delivery phase of the classic kill chain model.
• Kill Chain Phase 4: Exploitation
  
  • Objective: Describe the exploitation phase of the classic kill chain model.
• Kill Chain Phase 5: Installation
  
  • Objective: Describe the installation phase of the classic kill chain model.
• Kill Chain Phase 6: Command-and-Control
  
  • Objective: Describe the command-and-control phase of the classic kill chain model.
• Kill Chain Phase 7: Actions on Objectives
  
  • Objective: Describe the actions on objectives phase of the classic kill chain model.
• Applying the Kill Chain Model 
  
  • Objective: Describe how the kill chain model can be applied to detect and prevent ransomware.
• Diamond Model Overview
  
  • Objective: Describe using the diamond model to perform network security incident analysis.
• Applying the Diamond Model
  
  • Objective: Describe how to apply the diamond model to perform network security incident analysis using a threat intelligence platform such as ThreatConnect.
• Exploit Kits
  
  • Objective: Describe the use of exploit kits by the threat actors.

Lesson 4: Identifying Resources for Hunting Cyber Threats

• Cyber-Threat Hunting Concepts
  
  • Objective: Describe at a high level, the cyber-threat hunting concepts.
• Hunting Maturity Model
  
  • Objective: Explain the five hunting maturity levels (HM0 to HM4).
• Cyber-Threat Hunting Cycle
  
  • Objective: Explain the hunting cycle four-stage loop.
• Common Vulnerability Scoring System
  
  • Objective: Describe at a high level, the use of the Common Vulnerability Scoring System, and list the v3.0 base metrics.
• CVSS v3.0 Scoring
  
  • Objective: Describe the Common Vulnerability Scoring System v3.0 scoring components (base, temporal, and environmental).
• CVSS v3.0 Example
  
  • Objective: Provide an example of Common Vulnerability Scoring System v3.0 scoring.
• Hot Threat Dashboard
  
  • Objective: Describe the use of a hot threat dashboard within a SOC.
• Publicly Available Threat Awareness Resources
  
  • Objective: Provide examples of some of the publicly available threat awareness resources.
• Other External Threat Intelligence Sources and Feeds Reference
  
  • Objective: Provide examples of some of the publicly available external threat intelligence sources and feeds.

Module 2: Security Incident Investigations
Objective: Explain the concepts of security incident investigations, including events correlation and normalization, common attack vectors, and able to identify malicious and suspicious activities.

Lesson 1: Understanding Event Correlation and Normalization

• Event Sources
  • Objective: Describe some of the network security monitoring event sources (IPS, Firewall, NetFlow, Proxy Server, IAM, AV, Application Logs).
• Evidence
  
  • Objective: Describe direct evidence and circumstantial evidence.
• Security Data Normalization
  
  • Objective: Provide an example of security data normalization.
• Event Correlation
  
  • Objective: Provide an example of security events correlation.
• Other Security Data Manipulation 
  
  • Objective: Explain the basic concepts of security data aggregation, summarization, and deduplication.

Lesson 2: Identifying Common Attack Vectors
Objective: Identify the common attack vectors.

• Obfuscated JavaScript
  
  • Objective: Explain the use of obfuscated JavaScript by the threat actors.
• Shellcode and Exploits
  
  • Objective: Explain the use of shellcode and exploits by the threat actors.
• Common Metasploit Payloads
  
  • Objective: Explain the three basic types of payloads within the Metasploit framework (single, stager, stage).
• Directory Traversal
  
  • Objective: Explain the use of directory traversal by the threat actors.
• SQL Injection
  
  • Objective: Explain the basic concepts of SQL injection attacks.
• Cross-Site Scripting 
  
  • Objective: Explain the basic concepts of cross-site scripting attacks.
• Punycode
  
  • Objective: Explain the use of punycode by the threat actors.
• DNS Tunneling
  
  • Objective: Explain the use of DNS tunneling by the threat actors.
• Pivoting
  
  • Objective: Explain the use of pivoting by the threat actors.

Lesson 3: Identifying Malicious Activity
Objective: Explain how to identify malicious activities.

• Understanding the Network Design
  
  • Objective: Explain the needs for the security analysts to have an understanding of the network design which they are protecting.
• Identifying Possible Threat Actors
  
  • Objective: Describe the different threat actor types.
• Log Data Search
  
  • Objective: Provide an example of log data search using ELSA.
• NetFlow as a Security Tool
  
  • Objective: Explain using NetFlow as a security tool.
• DNS Risk and Mitigation Tool
  
  • Objective: Explain how DNS can be used by the threat actors to perform attacks.

Lesson 4: Identifying Patterns of Suspicious Behavior
Objective: Explain how to identify patterns of suspicious behaviors.

• Network Baselining
  
  • Objective: Explain the purpose of baselining the network activities.
• Identify Anomalies and Suspicious Behaviors 
  
  • Objective: Explain using the established baseline to identify anomalies and suspicious behaviors.
• PCAP Analysis 
  
  • Objective: Explain the basic concepts of performing PCAP analysis.
• Delivery 
  
  • Objective: Explain the use of a sandbox to perform file analysis.

Lesson 5: Conducting Security Incident Investigations

• Security Incident Investigation Procedures
• Objective: Explain the objective of security incident investigation to discover the who, what, when, where, why, and how about the security incident.
• Threat Investigation Example: China Chopper Remote Access Trojan
• Objective: Describe at a high level, the China Chopper Remote Access Trojan.

Module 3: SOC Operations
Objective: Explain using a SOC playbook to assist with investigations, using metrics to measure the SOC's effectiveness, using a SOC workflow management system and automation to improve the SOC's efficiency, and the concepts of an incident response plan.

Lesson 1: Describing the SOC Playbook
Objective: Explain the use of a typical playbook in the SOC.

• Security Analytics
• Objective: Describe the security analytics process,
• Playbook Definition
• Objective: Describe the use of a playbook in a SOC.
• What Is in a Play?
• Objective: Describe the components of a play in a typical SOC playbook.
• Playbook Management System
• Objective: Describe the use of a playbook management system in the SOC.

Lesson 2: Understanding the SOC Metrics
Objective: Explain the use of SOC metrics to measure the SOC's effectiveness.

• Security Data Aggregation
  
  • Objective: Explain using a SIEM to provide security data aggregation, real-time reporting, and analysis of security events.
• Time to Detection
  
  • Objective: Explain what is the time to detection.
• Security Controls Detection Effectiveness
  
  • Objective: Explain measuring the security controls effectiveness in terms of true positive/negative events, false positive/negative events.
• SOC Metrics
  
  • Objective: Explain using different metrics to measure the SOC effectiveness.
• Challenge

Lesson 3: Understanding the SOC WMS and Automation
Objective: Explain the use of a workflow management system and automation to improve the SOC's effectiveness.

• SOC WMS Concepts
  
  • Objective: Explain the basic concepts and benefits of using a workflow management system within a SOC.
• Incident Response Workflow
  
  • Objective: Describe a typical incident response workflow.
• SOC WMS Integration
  
  • Objective: Describe how a typical workflow management system is integrated within a SOC.
• SOC Workflow Automation Example
  
  • Objective: Provide an example of a SOC workflow automation system (Cybersponse).
• Challenge

Lesson 4: Describing the Incident Response Plan

• Incident Response Planning
  
  • Objective: Explain the purpose for incident response planning.
• Incident Response Life Cycle
  
  • Objective: Describe the typical incident response life cycle.
• Incident Response Policy Elements
  
  • Objective: Describe the typical elements within an incident response policy.
• Incident Attack Categories
  
  • Objective: Describe how incidents can be classified.
• Reference: US-CERT Incident Categories
  
  • Objective: Describe the different US-CERT incident categories (CAT 0 to CAT 6).
• Regulatory Compliance Incident Response Requirements
  
  • Objective: Describe compliance regulations which contain an incident response requirements.
• Challenge

Lesson 5: Appendix A—Describing the Computer Security Incident Response Team
Objective: Explain the functions of a typical Computer Security Incident Response Team.

• CSIRT Categories
  
  • Objective: Describe the different general CSIRT categories.
• CSIRT Framework
  
  • Objective: Describe the basic framework that defines a CSIRT.
• CSIRT Incident Handling Services
  
  • Objective: Describe the different CSIRT incident handling services (triage, handling, feedback, optional announcement).
• Challenge

Lesson 6: Appendix B—Understanding the use of VERIS
Objective: Explain the use of VERIS to document security incidents in a standard format.

• VERIS Overview
  • Objective: Explain what is VERIS.
• VERIS Incidents Structure
  
  • Objective: Explain the VERIS incident structure.
• VERIS 4 As
  
  • Objective: Explain the VERIS 4 As.
• VERIS Records
  
  • Objective: Describe a typical VERIS record.
• VERIS Community Database
  
  • Objective: Describe the VERIS Community Database.
• Verizon Data Breach Investigations Report and Cisco Annual Security Report
  
  • Objective: Describe the Verizon Data Breach Investigations Report, and the Cisco Annual Security Report.
• Challenge

• Define a SOC and the various job roles in a SOC
• Understand SOC infrastructure tools and systems
• Learn basic incident analysis for a threat centric SOC
• Explore resources available to assist with an investigation
• Explain basic event correlation and normalization
• Describe common attack vectors
• Learn how to identifying malicious activity
• Understand the concept of a playbook
• Describe and explain an incident respond handbook
• Define types of SOC Metrics
• Understand SOC Workflow Management system and automation

Guided Lab 1: Explore Network Security Monitoring Tools

• Task 1: Prepare the Lab Environment
• Task 2: Analyze Alerts
• Task 3: Extract Content from Packet Captures
• Task 4: Analyze Malware
• Task 5: Search Bro Data Using ELSA
• Challenge

Discovery 1: Investigate Hacker Methodology

• Task 1: Scanning and Analyzing Reconnaissance Activity
• Task 2: Analyzing the Weaponization, Delivery, and Exploitation Phases of the Kill Chain Model
• Task 3: Persistence on the Target Machine
• Task 4: Host-Based Analysis
• Task 5: Identifying Data Exfiltration
• Challenge

Discovery 2: Hunt Malicious Traffic

• Task 1: Threat Simulation
• Task 2: Combing Network Traffic with ELSA
• Task 3: Pivot to Wireshark with capME!
• Task 4: Analyzing Exfiltration Data
• Task 5: Confirm A Backdoor
• Challenge

Discovery 3: Correlate Event Logs, PCAPs, and Alerts of an Attack

• Task 1: Examine OSSEC Alerts
• Task 2: Find and Correlate Additional Activity
• Challenge

Discovery 4: Investigate Browser-Based Attacks

• Task 1: Setting up Security Onion
• Task 2: SQL Injection
• Task 3: Cross Site Scripting Attack
• Task 4: Local File Inclusion and Directory Traversal
• Challenge

Discovery 5: Analyze Suspicious DNS Activity

• Task 1: Investigate DNS Fast Fluxing
• Task 2: Perform DNS Exfiltration
• Task 3: Analyze DNS Exfiltration Activities
• Challenge

Discovery 6: Investigate Suspicious Activity Using Security Onion

• Task 1: Identify Suspicious Domain Names
• Task 2: Identify Suspicious User Agents
• Task 3: Upload Malware to Malwr.com
• Challenge

Discovery 7: Investigate Advanced Persistent Threats

• Task 1: Investigate Sguil Alerts
• Task 2: Investigate Suspicious Packet Captures
• Task 3: Implement New Custom Snort Rule
• Challenge

Discovery 8: Explore SOC Playbooks

• Task 1: Access ELSA on the Security Onion VM
• Task 2: Play: 404s Indicating Web Recon
• Task 3: Play: Posts to Dynamic DNS Sites
• Task 4: Play: DNS over TCP
• Task 5: Play: HTTP Header Host Field Containing IP Address
• Task 6: Play: Known Botnet C2 Domains (Manual Play)
• Task 7: Play: Explore the Raw Bro Log Files
• Task 8: Play: Known Botnet C2 Domains (Semi-Automated Play)
• Task 9: Play: Malicious Files (Manual Play)
• Task 10: Play: Malicious Files (Semi-Automated Play)
• Task 11: Play: Large File Transfers (Semi-Automated Play)
• Challenge

• Challenge

It is strongly recommended, but not required, that students have the following knowledge and skills:

• Skills and knowledge equivalent to those learned in Interconnecting Cisco Networking Devices Part 1 (ICND1)
• Working knowledge of the Windows operating system
• Working knowledge of Cisco IOS networking and concepts

• Security Operations Center Security Analyst
• Computer Network Defense Analyst
• Computer Network Defense Infrastructure Support personnel
• Future Incident Responders and Security Operations Center (SOC) personnel
• Students beginning a career and entering the cybersecurity field
• IT personnel looking to learn more about the area of cybersecurity operations
• Students beginning a career, entering the cybersecurity field. 
• Cisco Channel Partners