Securing Cisco Networks with Threat Detection and Analysis (SCYBER)
The Securing Cisco Networks with Threat Detection and Analysis (SCYBER) v1.2 course combines lecture materials and hands-on labs throughout to make sure you are able to understand cybersecurity concepts and recognize specific network threats and attacks. You will learn how a network security operations center (SOC) works and how to begin to monitor, analyze, and respond to security threats within the network.
This lab-intensive training course prepares you to take the Cyber Security Specialist Certification exam (exam ID = 600-199).
Who should attend
This course is designed for technical professionals who need to know how to monitor, analyze, and respond to network security threats and attacks.
- CCNA equivalent knowledge is preferred
- Basic understanding of Cisco security product features
- Basic understanding of open-source and commercial network security tools
- Basic understanding of Microsoft Windows and UNIX/Linux operating systems, desktops, and servers
- Basic understanding of the Open Systems Interconnection (OSI) model and TCP/IP
Upon completion of this course, you will be able to:
- Describe the tools, techniques, and thought processes of an attacker.
- Describe the features, functions, and benefits of an SOC.
- Identify the common sources used to detect an incident, as well as the actions that should be considered in response.
- Perform basic packet capture and packet analysis.
- Enable syslog on Cisco devices and perform basic network log analysis.
- Discuss the relevance of baselining and some of the most useful steps to be used when deploying a system.
- Discuss the policies and roles in the typical SOC, as well as some of the common tools used by SOC members.
- Discuss techniques used to identify anomalies and correlate log entries.
- Understand techniques used to scope, document, and analyze investigations.
- Discuss the methodology behind mitigations.
- Discuss documentation and communication during an incident.
- Discuss post-incident considerations.
Detailed Course Outline
Module 1: Attacker Methodology
- Types of Attackers
- Malware and attacker tools
- Understand common attacks
Module 2: Defender Methodology
- Define vulnerabilities, threats, exploits, and attacks
- Define the network operations center (NOC) and security operations center (SOC)
- SOC processes and procedures
- Responsibilities of the SOC
- Identify security incidents
Module 3: Defender Tools
- Identify common sources used to detect security incidents
- Understand event correlation and baseline data
- Define data across layers of TCP/IP model
- Data synchronization and data collection
- Data encryption
- Network monitoring and event management
- User Reports
- Risk analysis and mitigation strategies
Module 4: Packet Analysis
- Network structures related to packet analysis
- Analyze packets using Cisco IOS software
- Access control lists
- Debug commands
- IOS embedded packet capture (EPC)
- Methods used to capture traffic
- Network taps
- Local SPAN
- Remote SPAN
- Conduct network traces
- Establish a packet baseline using Wireshark
Module 5: Network Log Analysis
- Use log analysis protocols and tools
- Explore log mechanics
- Retrieve syslog data
- Retrieve DNS events and proxy logs
- Correlate log files
Module 6: Baseline Network Operations
- Establish a network baseline
- Baseline methodologies
- Exception handling and monitoring tools
- Network topology mapping
- Network securing best practices
- Define and identify mission-critical business components
- Determine the health state of monitored network components
Module 7: Incident Response Preparation
- SOC roles and responsibilities
- Incident response standards
- IRT roles and responsibilities
- Remediation, resolution and closure
- Establish an effective monitoring system
- Analyze monitoring system
Module 8: Security Incident Detection
- Identify an incident
- Correlate data sources
- SIEM as an automatic correlation
- Review and classify incident information
- Identify source of incident
Module 9: Investigations
- Framework and scope of investigation
- Data collection process
- Describe the role of flow data in an investigation
- Use flow data to monitor, analyze, and visualize network traffic
- Historical analysis
Module 10: Mitigations and Best Practices
- Development and deployment
- Validate and test mitigations
- Proper documentation methods
- Describe cyber threat defense solutions and components
- Implement access control lists (ACLs)
- Zone-based policy firewall overview
- Describe default policies, traffic flows, and zone interaction
- Implement network-layer mitigations and best practices
- Implement link-layer best practices
Module 11: Communication
- Incident documentation requirements and process
- Incident assessment
Module 12: Post-Event Activity
- Conduct an incident post-mortem
- Policies and procedures
- Develop security proposals
- Analyze deficiencies
- Propose remediations
- Implement, publicize and monitor remediations
Lab Outline
- Assessing Your Understanding of Network and Security Operations
- Exploring the Remote Lab Environment
- Enabling NetFlow Export and Syslog
- Capturing Packets on the Pod Router and Using Wireshark to Examine the PCAP
- Capturing Packets Using tcpdump
- Examining Logs Manually
- Enabling AAA for Router SSH Management Access
- Enabling SNMPv3 on the Pod Router and Pod Switch
- Performing Nmap Scans and Using Netcat to Connect to Open Ports
- Analyzing PCAP File with Suspicious Activities Using Wireshark
- Examining Event Logs Manually
- Examining Event Logs Using Splunk
- Analyzing NetFlow Data with Lancope StealthWatch
- Implementing IOS Zone-Based Firewall
- Incident Response