Cyops1.1 Chp01-Dts Oa

The document discusses CCNA Cybersecurity Operations and the dangers of cyber attacks. It describes examples of security incidents like hackers hijacking banking sessions and ransomware encrypting corporate data. It outlines the motivations and impact of various threat actors, and explains how security operations centers work to monitor networks and detect threats using technologies like SIEM systems.

CCNA Cybersecurity Operations

(Cyber Ops)
Digital Talent Scholarship – Online Academy

Instructor Team

Luhur Bayuaji
Sri Suning Kusumawardani
Viddi Mardiansyah
Prihadi Yogaswara
Chapter 1 - Sections & Objectives
 1.1 The Danger
• Explain why networks and data are attacked.
• Outline features of examples of cybersecurity incidents.
• Explain the motivations of the threat actors behind specific security incidents.
• Explain the potential impact of network security attacks.

 1.2 Fighters in the War Against Cybercrime


• Explain how to prepare for a career in Cybersecurity operations.
• Explain the mission of the security operations center (SOC).
• Describe resources available to prepare for a career in Cybersecurity operations.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 11
1.1 The Danger

War Stories
Hijacked People
 A hacker set up an open “rogue” wireless hotspot posing as a legitimate wireless network.

 A customer logged onto her bank’s website.

 The hacker hijacked her session.

 The hacker gained access to her bank accounts.

War Stories
Ransomed Companies
 An employee receives an email purporting to come from his CEO, with a PDF attached.

 The attachment installs ransomware on the employee’s computer.

 The ransomware gathers and encrypts corporate data.

 The attackers hold the company’s data for ransom until they are paid.

War Stories
Targeted Nations
 Stuxnet Worm
• Infiltrated Windows operating systems, spreading from infected USB drives.
• Targeted the Siemens Step 7 software used to program programmable logic controllers (PLCs).
• Altered the PLC code to damage the centrifuges in nuclear enrichment facilities, eventually damaging many of them.

War Stories
Lab – Installing the CyberOps Workstation Virtual Machine

War Stories
Lab – Cybersecurity Case Studies

Threat Actors
Amateurs
 Known as script kiddies.

 Have little or no skill.

 Use existing tools or instructions found on the Internet to launch attacks.

Threat Actors
Hacktivists
 Protest against organizations or governments
• Post articles and videos.
• Leak information.
• Disrupt web services with DDoS attacks.

Threat Actors
Financial Gain
 Much hacking activity is motivated by financial gain.

 Cybercriminals want to generate cash flow from:
• Bank accounts
• Personal data
• Anything else they can leverage

Threat Actors
Trade Secrets and Global Politics
 Nation states also use cyberspace for:
• Hacking other countries
• Interfering in other countries’ internal politics
• Industrial espionage
• Gaining a significant advantage in international trade

Threat Actors
How Secure Is the Internet of Things?
 The Internet of Things (IoT)
• Everyday things connected to the Internet to improve quality of life.
• Example: fitness trackers
 How secure are these devices?
• What firmware do they run?
• What security flaws does that firmware have?
• Can it be updated with a patch?
 DDoS attack against the DNS provider Dyn (2016)
• Took down many websites.
• Compromised webcams, DVRs, routers, and other
IoT devices formed a botnet.
• The hacker-controlled botnet generated the DDoS
traffic that disabled essential Internet services.
Threat Actors
Lab – Learning the Details of Attacks

Threat Impact
PII and PHI
 Personally identifiable information (PII) is any information that can
be used to positively identify an individual.
• Examples of PII include: name, Social Security number, birthdate,
credit card numbers, bank account numbers, government-issued ID,
address information (street, email, phone numbers).
• Stolen PII is sold on the dark web.
• Buyers use it to open fraudulent accounts, such as credit cards and short-term loans.
 Protected health information (PHI) is a subset of PII:
• Held in the electronic medical records (EMRs) that healthcare providers create and maintain.
• Regulated in the U.S. by the Health Insurance Portability and Accountability Act
(HIPAA).

Threat Impact
Lost Competitive Advantage
 A successful attack can cost a company its competitive advantage through:
• Corporate espionage in cyberspace.
• The loss of trust that comes when a company is unable
to protect its customers’ personal data.

Threat Impact
Political and National Security
 In 2016, a hacker published PII of 20,000 U.S. FBI
employees and 9,000 U.S. DHS employees.
 Stuxnet worm was designed to impede Iran’s
progress in enriching uranium
• Example of network attack motivated by national
security concerns
 Cyberwarfare is a serious possibility.

 The Internet has become essential as a medium for commercial and financial activities.
• Disruption can devastate a nation’s economy and the
safety of its citizens.

Threat Impact
Lab – Visualizing the Black Hats

1.2 Fighters in the War
Against Cybercrime

The Modern Security Operations Center
Elements of a SOC
 Security Operations Centers (SOCs) provide a broad range of services:
• Monitoring
• Management
• Comprehensive threat solutions
• Hosted security
 SOCs can be:
• In-house, owned and operated by a business.
• Elements can be contracted out to security vendors.
 The major elements of a SOC:
• People
• Processes
• Technology

The Modern Security Operations Center
People in the SOC
 The SANS Institute (www.sans.org) classifies the roles people play in a SOC into four job titles:
• Tier 1 Alert Analyst
• Tier 2 Incident Responder
• Tier 3 Subject Matter Expert (SME)/Hunter
• SOC Manager
 Can you guess the responsibilities for
each of the job titles?

The Modern Security Operations Center
Process in the SOC
 The Tier 1 Alert Analyst begins by monitoring the security alert queues.

 The Tier 1 Alert Analyst verifies whether an alert triggered in the ticketing software represents a true security incident.

 A verified incident is forwarded to investigators; otherwise it is resolved as a false alarm.

The Modern Security Operations Center
Technologies in the SOC
 Security Information and Event Management (SIEM) systems:
• Collect and filter data.
• Detect and classify threats.
• Analyze and investigate threats.
• Implement preventive measures.
• Address future threats.
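The Tier 1 process described on the previous slide and the SIEM functions just listed (collect, filter, detect, classify) fit together as one pipeline. The following Python script is an added example, not part of the Cisco course or of any SIEM product: it runs those stages over constructed sshd log lines, raises a brute-force alert when a source exceeds a threshold of failed logins inside a time window, raises a higher-severity alert when a login succeeds right after such a burst, and then performs the Tier 1 verification step, closing an alert as a false alarm when its source is the (constructed) authorised internal scanner and escalating or queuing the rest. The log lines, IP addresses, thresholds, year and allow-list are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd/syslog-style lines for the example (not real data).
SAMPLE_LOGS = """\
Mar 10 09:12:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Mar 10 09:12:03 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51023 ssh2
Mar 10 09:12:05 web1 sshd[2201]: Failed password for root from 203.0.113.9 port 51024 ssh2
Mar 10 09:12:06 web1 cron[1000]: (root) CMD (run-parts /etc/cron.hourly)
Mar 10 09:12:08 web1 sshd[2201]: Failed password for root from 203.0.113.9 port 51025 ssh2
Mar 10 09:12:11 web1 sshd[2201]: Failed password for root from 203.0.113.9 port 51026 ssh2
Mar 10 09:12:40 web1 sshd[2210]: Accepted password for root from 203.0.113.9 port 51030 ssh2
Mar 10 09:15:00 web1 sshd[2250]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar 10 09:15:30 web1 sshd[2251]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
Mar 10 09:20:00 web1 sshd[2300]: Failed password for invalid user test from 192.0.2.50 port 33001 ssh2
Mar 10 09:20:01 web1 sshd[2300]: Failed password for invalid user test from 192.0.2.50 port 33002 ssh2
Mar 10 09:20:02 web1 sshd[2300]: Failed password for invalid user test from 192.0.2.50 port 33003 ssh2
Mar 10 09:20:03 web1 sshd[2300]: Failed password for invalid user test from 192.0.2.50 port 33004 ssh2
Mar 10 09:20:04 web1 sshd[2300]: Failed password for invalid user test from 192.0.2.50 port 33005 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>\w+)\[\d+\]: (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")

FAIL_THRESHOLD = 5               # assumed tuning: this many failures from one source...
WINDOW_SECONDS = 60              # ...inside this window counts as a brute-force attempt
KNOWN_SCANNERS = {"192.0.2.50"}  # constructed allow-list: the authorised internal scanner


def parse(raw, year=2020):
    """Collect: syslog carries no year, so one is assumed; unparseable lines are dropped."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append({"ts": ts, "host": m["host"], "proc": m["proc"], "msg": m["msg"]})
    return events


def filter_auth(events):
    """Filter: keep only sshd authentication outcomes, split into named fields."""
    out = []
    for e in events:
        m = AUTH_RE.match(e["msg"]) if e["proc"] == "sshd" else None
        if m:
            out.append({**e, **m.groupdict()})
    return out


def detect(auth_events):
    """Detect and classify: per-source sliding window of failed logins."""
    alerts, fails_by_src = [], defaultdict(list)
    for e in sorted(auth_events, key=lambda x: x["ts"]):
        recent = [t for t in fails_by_src[e["src"]]
                  if (e["ts"] - t).total_seconds() <= WINDOW_SECONDS]
        if e["result"] == "Failed":
            recent.append(e["ts"])
            fails_by_src[e["src"]] = recent
            if len(recent) == FAIL_THRESHOLD:  # fire once, when the threshold is crossed
                alerts.append({"kind": "brute_force", "severity": "medium", "src": e["src"],
                               "host": e["host"], "first": recent[0], "last": e["ts"]})
        elif len(recent) >= FAIL_THRESHOLD:
            # login succeeded right after a burst of failures: the guessing may have worked
            alerts.append({"kind": "brute_force_success", "severity": "high", "src": e["src"],
                           "host": e["host"], "user": e["user"], "last": e["ts"]})
            fails_by_src[e["src"]] = []
        else:
            fails_by_src[e["src"]] = []     # an ordinary successful login resets the counter
    return alerts


def triage(alert):
    """Tier 1 step: verify the alert against known context and decide its disposition."""
    ticket = dict(alert)
    if alert["src"] in KNOWN_SCANNERS and alert["kind"] == "brute_force":
        ticket["disposition"] = "close_false_positive"
        ticket["note"] = "source is the authorised internal scanner"
    elif alert["severity"] == "high":
        ticket["disposition"] = "escalate_tier2"
    else:
        ticket["disposition"] = "investigate_tier1"
    return ticket


def run_pipeline(raw):
    """Collect -> filter -> detect/classify -> Tier 1 triage; returns the tickets."""
    return [triage(a) for a in detect(filter_auth(parse(raw)))]


if __name__ == "__main__":
    for t in run_pipeline(SAMPLE_LOGS):
        print(t["last"].time(), t["src"], t["kind"], t["severity"], "->", t["disposition"])
```

Two details carry the operational lesson. The single mistyped password from alice never becomes an alert, because the success rule only fires after a burst at or above the threshold; and the scanner's burst does become an alert, because detection should not silently trust an IP address, but the analyst's verification step closes it with a recorded reason. Allow-listing at triage rather than at detection keeps the evidence in the queue while still cutting the noise a Tier 1 analyst has to work through.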

The Modern Security Operations Center
Enterprise and Managed Security

 Organizations may implement an enterprise-level SOC.

 The SOC can be:
• A complete in-house solution.
• Partially outsourced, with at least some SOC operations run by a security solutions provider.

The Modern Security Operations Center
Security vs. Availability
 Most enterprise networks must be up and running at all times.

 Preferred uptime is often measured in the number of down minutes in a year. A “five nines” uptime
means that the network is up 99.999% of the time, i.e. down for no more
than about 5 minutes a year (0.001% of 365 days is 5.26 minutes).
 There is a trade-off between strong security and permitting business functions.

Becoming a Defender
Certifications
 A variety of cybersecurity certifications are available:
• CCNA Cyber Ops
• CompTIA Cybersecurity Analyst Certification (CSA+, since renamed CySA+)
• (ISC)² Information Security Certifications (including CISSP)
• Global Information Assurance Certification (GIAC)

Becoming a Defender
Further Education
 Consider pursuing a technical degree or
bachelor’s degree in computer science,
electrical engineering, information technology,
or information security.

 Computer programming is an essential skill in cybersecurity.
 Python is an object-oriented, open-source
programming language. It is routinely used by
cybersecurity analysts.

Becoming a Defender
Sources of Career Information
 A variety of websites and mobile applications advertise information technology jobs:
• Indeed.com
• CareerBuilder.com
• USAJobs.gov
• Glassdoor.com - salary information
• LinkedIn – professional network

Becoming a Defender
Getting Experience
 Ways to gain experience:
• Internships
• Cisco Cybersecurity Scholarship
• Temporary Agencies
• Your first job

Becoming a Defender
Lab – Becoming a Defender

1.3 Chapter Summary

Chapter Summary
Summary
 A public “rogue” wireless network can be used to gain access to personal information.
 Employees of a company can inadvertently download ransomware that begins
gathering and encrypting corporate data.
 The Stuxnet worm is an example of sophisticated malware used to target a nation by
attacking its vulnerable infrastructure.
 Amateurs cause damage by using simple tools found online.
 Hacktivists are experienced hackers who attack in support of a cause, whether benign or malicious.
 Many hackers seek only financial gain, stealing money electronically or stealing
corporations’ or nations’ trade secrets and selling this information.
 Defending a nation against cyberespionage and cyberwarfare continues to be a priority.
 Be aware of the insecurities in the Internet of Things.
 PII stands for personally identifiable information; PHI is protected health information, a
subset of PII. Both can be stolen and used to gain access to other private information.
Chapter Summary
Summary (Cont.)
 The loss of competitive advantage may come from the loss of trust if a company cannot
protect the PII of its customers.
 National security can be disrupted by hackers. Stuxnet worm is an example.
 The major elements of a SOC are people, processes, and technology.
 Security Operations Centers work to combat cybercrime.
 The people in a SOC are Tier 1 Analysts (for which this course was developed), Tier 2
Incident Responders, Tier 3 SME/Hunters, and the SOC Manager.
 A Tier 1 Analyst monitors security alert queues. The Tier 1 Analyst may need to verify that an
alert represents a true security incident. When verification is established, the incident can be
forwarded to investigators, or resolved as a false alarm.
 SIEM systems are used for collecting and filtering data, detecting and classifying threats,
analyzing and investigating threats, implementing preventive measures, and addressing
future threats.

Chapter Summary
Summary (Cont.)
 A SOC can be a complete in-house solution or outsource part of its operations to a security
solutions provider.
 Preferred uptime is often measured in the number of down minutes in a year. A “five nines”
uptime means that the network is up 99.999% of the time, or down for no more than about 5
minutes (5.26 minutes) a year.
 A variety of cybersecurity certifications are available from several different organizations.
 For a career in the cybersecurity field, consider a technical degree or bachelor’s degree.
Cybersecurity analysts need to know computer programming. Learning Python is a good
place to start.
 A variety of resources provide job search and salary information.
 People prepare for work in a Security Operations Center (SOC) by earning certifications,
seeking formal education, and by using employment services to gain internship experience
and jobs.

Chapter 1
New Terms and Commands
• distributed denial of service (DDoS)
• hacktivists
• malware
• personally identifiable information (PII)
• protected health information (PHI)
• ransomware
• script kiddies
• security information and event management
system (SIEM)
• security operations center (SOC)
• SOC Manager
• Tier 1 Alert Analyst
• Tier 2 Incident Responder
• Tier 3 Subject Matter Expert (SME)/Hunter

Cybersecurity Operations Certification
This chapter covers the following areas in the Cybersecurity Operations Certification:

From 210-250 SECFND - Understanding Cisco Cybersecurity Fundamentals:

 Domain 2: Security Concepts


• 2.3 Describe the following terms:
• Threat Actor
• Reverse engineering
• PII
• PHI

