New CCNA Cyber Ops : Are You Ready for Security Analysis ?
In the intensely competitive environment, startups and agile firms are overturning incumbents with digital business models, products, and services. In the 'Digital Era', we are observing the exponential growth in the data over internet. Simultaneously, organizations are facing mounting challenges from cybercrime, cyber-espionage, insider threats, and advanced persistent threats (APT).
As per the Verizon 2015 Data Breach Investigation Report (DBIR), 60 percent of businesses being breached happened within minutes or less and half of these incidents took anywhere from months to even years before being uncovered. We safely can derive inference that breaches tend to happen very quickly and on average take a long time to be detected by the targeted organization. These organizations can be divide into two types: 1) those who have been hacked, and 2) those who don’t yet know that they have been hacked.
Even after the tremendous efforts by the IT security vendors, the below questions still exist:
- Aren’t governments and big businesses investing significant amounts of money already into developing countermeasures to cyberattacks?
- Why are existing security products unable to stop these threats?
Attackers & Defenders have both become highly sophisticated.
Just like IT security solution providers, attackers also have labs for researching products. Hackers test various exploits against the new product until one succeeds, and then either sell the exploit on underground markets, weaponize it for less-skilled attackers, or use it for some other malicious purpose.
Anxiety Is Growing on Boards and in the C-Suite
Most C-suite leaders are still thinking about 'stopping threats' when they could be thinking about the tangible growth that 'cybersecurity excellence' makes possible. Cybersecurity weakness is a “silent disease” that impedes firms’ ability to innovate at precisely the time they can least afford it—when they are being drawn into the Digital Vortex, where digitization, disruption, and exponential changes are the “new normal.” Many companies suffer from this malady, but few are aware that they have it. Left unattended, cybersecurity weakness can be fatal in the Digital Vortex.
Below-par cybersecurity leaves companies in the worst possible competitive position: not innovating fast enough to compete, yet not safe enough from cyberattack despite delaying digital innovations.
In Search of Cybersecurity Excellence
Firms that turn cybersecurity excellence into true competitive advantage can innovate faster and more fully pursue the sort of digital transformation that allows them to respond nimbly to rapidly changing markets. This agility makes them more effective and drives enhanced financial performance.
Cybersecurity excellence also gives firms the opportunity to differentiate their brands by conveying a strong perception of customer trust and this is one of the many reasons organizations develop a Security Operation Center (SOC). They are establishing SOC teams of security professionals who can secure information systems through effective monitoring, detecting, investigating, analyzing, and responding to security events, thus protecting systems from cybersecurity risks, threats, and vulnerabilities.
NOTE: Cybersecurity operations jobs are also among the fastest-growing roles in IT, as organizations set up security operations centers (SOCs), and establish teams to monitor and respond to security incidents. Security is a fundamental requirement for all SOC environments. There are many ways to build in security to a network environment, and it should be a continuous process. One popular saying within Cisco Systems that describes this concept is this: Security is a journey, not a destination.
Cisco is introducing a new $ 10 Million Global Cybersecurity Scholarship program and enhancing its security certification portfolio. Cisco will invest $10 million over a two-year period, to establish a scholarship program with the specific goal of increasing the cybersecurity talent pool. Through the program, Cisco will offer training, mentoring, and certification aligned with the Security Operations Center Analyst role.
Additionally, Cisco will be working with a comprehensive variety of organizations to leverage this scholarship as a platform to spur career interest and jump-start their employees’ careers in cybersecurity. This includes diversity organizations, veterans’ groups, and early-in-career audiences. By launching this new scholarship program, Cisco is playing a significant leadership role, helping the industry meet the current and future challenges of network security. In fact, Cisco is offering a practical and valuable solution to address the global shortage of highly-trained IT security experts.
Observing the demand for a newly-skilled cybersecurity professional, Cisco is introducing a new CCNA, i.e. CCNA Cyber Ops.
New CCNA Cyber Ops
The new CCNA Cyber Ops certification would prepare candidates to begin a career working with associate-level cybersecurity analysts within security operations centers offered by Cisco to its clients. They will learn how to detect and respond to security threats using the latest technology, as such jobs require the knowledge of basic cybersecurity and principles.
It assesses individuals on the skills needed to assist with monitoring IT security systems, detecting cyber-attacks, gathering and analyzing evidence, correlating information, and coordinating responses to cyber incidents.
Benefits of CCNA Cyber Ops:
- Begin a career in the rapidly growing area of cybersecurity operations at the Associate level, working in or with a Security Operations Center (SOC)
- Gain the foundational knowledge and skills to prepare for more advanced job roles in Cybersecurity Operations, working with Security Operations team
- Gain a basic understanding of how a SOC team detects and responds to security incidents, and how they protect their organization's information from modern threats
- Understand further how modern organizations are dealing with detecting and responding to cybercrime, cyberespionage, insider threats, advanced persistent threats, regulatory requirements, and other cybersecurity issues facing their organizations and their customers
- Exam 210-250 Understanding Cisco Cybersecurity Fundamentals - SECFND v1.0
- Exam 210-255 Implementing Cisco Cybersecurity Operations - SECOPS v1.0
Likely skill-set for new CCNA Cyber Ops
Since the detailed Exam Syllabus is not available for both exams as of now, we have attempted to make an intelligent guess of likely skills which might be embed in new CCNA Cyber Ops.
- Network Concepts
Identify Network Devices in a Topology, The Function of Layer 1, 2 & 3 Devices & Layer 4, Host to Host Communication using TCP/IP Internet Layer, High-Level Concepts, Introduction to Networking Concepts, LAN Switching, Cisco IP Routing Overview, etc.
- Security Concepts
Network Security Concepts and Policies, IP Network Traffic Plane Security Concepts, Basic Firewall Terminology, IDS and IPS Overview, DNS Best Practices, Network Protections, and Attack Identification, Network Security Using Cisco IOS IPS, Cisco IOS IPS, Advanced Malware Protection (AMP), Cisco Advanced Malware Protection for Endpoints, Cisco Advanced Malware Protection
Diffie Hellman Exchange, Cryptography, Deploying Cisco IOS Security with a Public-Key Infrastructure, Cisco IOS PKI Overview Understanding and Planning a PKI, Next Generation Encryption
- Host-based Security Analysis
Host systems are end-user PC, laptops, servers or mobile devices of different vendors; Understanding of basic working of Microsoft, Linux, Android, Apple, etc.; Microsoft Processes and Threads, Microsoft Services; Linux Processes and threads, service; other devices OS processes.
- Security Monitoring
Network Telemetry, Security Analytics and Forensics with NetFlow, Syslog Server etc.
- Attack Methods
Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks, ARP Poisoning Attack and Mitigation Techniques, Social Engineering – the Exploit that Predates Computers, Understanding SQL Injection, Drive by Web Exploits, Cisco Phishing Overview, Network IPS Traffic Analysis Methods, Evasion Possibilities, and Anti-Evasive Countermeasures, Characterizing and Tracing Packet Floods Using Cisco Routers, Types of Attacks
- Endpoint Threat Analysis and Computer Forensics
Common Vulnerability Scoring System, Comparing NTFS and FAT file systems, Description of NTFS date and time stamps for files and folders, File Times, File system Timestamps: What Makes Them Tick?, General overview of the Linux file system, EXT4, Cisco IOS Software Integrity Assurance, The Evolution of Scoring Security Vulnerabilities, AMP
- Network Intrusion Analysis
Firepower Management Center, Wireshark, NetFlow Export Datagram Format
- Incident Response
Computer Security Incident Handling, 5 Steps to an Effective Data Incident Response Program, Health Insurance Portability and Accountability Act, Cisco Web Security and the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX) Compliance, Cisco PCI Solution for Retail 2.0 Design and Implementation, PCI SECURITY
- Data and Event Analysis
Describe 5-tuple correlation, Baseline Process
- Incident Handling
Security Vulnerability Policy, Incident Detection Phase, incident categories, Incident Severity, Incident Analysis Phase Process
Some Features To Watch Out In CCNA: Cyber-Ops
Cisco Advanced Malware Prevention (AMP)
Advanced Malware Prevention can be used for network and endpoints. Network AMP is enabled on an appliance running FirePOWER services and continuously evaluates all files seen on all networks being monitored. AMP uses a multisource indication of compromise approach, leveraging both network intelligence and cloud security research, which includes sandboxing files of interest and comparing hashes of files with data from other networks.
AMP for endpoints requires a lightweight connector to be installed on host devices such as laptops and mobile tablets, providing visibility of all applications and process. Like AMP for networks, the goal is to detect malware and retrospectively identify where it came from. AMP for endpoints can also offer auto-remediation of threats seen by AMP for network and by the AMP for endpoint client. The below figure shows AMP for endpoint quarantining multiple malicious files on an Apple laptop of a user.
Next-Generation Encryption Protocols
The industry is always looking for new algorithms for encryption, authentication, digital signatures, and key exchange to meet escalating security and performance requirements. The U.S. government selected and recommended a set of cryptographic standards called 'Suite B' because it provides a complete suite of algorithms that are designed to meet future security needs. Suite B has been approved for protecting classified information at both the secret and top secret levels. Cisco participated in the development of some of these standards. The Suite B next-generation encryption (NGE) includes algorithms for authenticated encryption, digital signatures, key establishment, and cryptographic hashing.
Host-based Security Analysis
Host-based IPS and IDS technology typically complements antivirus with signature detection, along with adding some additional behavior detection capabilities. Typically, host-based security software packages offer a combination of antivirus, firewall, and IPS features as one application installed to monitor all traffic coming/leaving the system. Some common examples of vendors offering host security software packages are Symantec, Sophos, and McAfee, etc. Other examples are open-source host firewalling such as using IPTables or IPCop, both used in Linux environments. The logs generated by host device can be and should be use for host-based security analysis. With the help of Syslog server can be used, to collect the logs from the different device for monitoring purpose.
Security Monitoring Procedures
Processes and procedures under security monitoring address how commonly occurring events and incident reports should be examined, assessed, and escalated if necessary. This can include some or all of the following:
Telemetry Data: Network Flows
Every network connection attempt is transported by one or more physical or virtual network devices, presenting you with an opportunity to gain vital visibility and awareness of traffic and usage patterns.
Depending on your platform, a router (or any other flow-collection device) can support sampled/unsampled flow collection, as shown in figure respectively. In the case of sampled flow collection, to update its flow records, the router looks at every n'th packet (for example, 1 in every 128) rather than at every packet that traverses it. This behavior introduces probabilistic security threat detection, meaning some flows might be missed. In unsampled flow collection, every packet undergo the threat detection system and this provide more details which are much more valuable, and best practice is using the most current version if possible.
DoS & DDoS Attacks
DoS attacks attempt to consume all of a critical computer or network resource in order to make it unavailable for valid use. A TCP SYN Flood attack is a classic example of a DoS attack. When a DoS attempt derives from a single host of the network, it constitutes a DoS attack.
Malicious hosts can also coordinate to flood a victim with an abundance of attack packets, so that the attack takes place simultaneously from potentially thousands of sources. This type of attack is called a DDoS attack. DDoS attacks typically emanate from networks of compromised systems that are known as botnets.
Common Vulnerability Scoring System (CVSS) v3
The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability, and produce a numerical score reflecting its severity, as well as a textual representation of that score. The numerical score can then be translated Into a qualitative representation (such as low, medium high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.
Endpoint Breach Detection
The security products which are found in the operating systems, are capable to stop the many attacks but these are unable to detect the advanced persistent threats (APT) e.g. modifying boot records or file polymorphism. Features for endpoint breach detection should include tactics to identify day-zeros and auto remediation, track modifications, verify files against external reputation sources, and export threats for further analysis.
Most endpoint breach-detection products include a centralized manager that should be able to export logs to the SOC centralized data-collection tool. The below figure shows the Cisco AMP for endpoint dashboards showing the capture of six Trojans on a Mac laptop running McAfee antivirus and the Cisco AMP agent.
Cisco FirePOWER Services
Cisco first introduced application layer firewall capabilities as a software option that could be installed on the second-generation ASA or ASA-X series using the internal virtualized security module space. Cisco’s application layer firewall offering is known as FirePOWER services. The below figure shows various Cisco FirePOWER-capable devices.
All modules offer the same features based on three different license options. FirePOWER license options are as follows:
- Application Visibility & Control (AVC)
- URL Filtering Subscription
- IPS Subscription
- AMP Subscription
All versions of FirePOWER, regardless of whether run on an ASA or as a dedicated physical or virtual appliance, are managed by a centralized physical or virtual manager known as FirePOWER Management Center (FMC).
The FMC can generate an e-mail, SNMP trap (SNMPv1, SNMPv2, or SNMPv3), or syslog.
Information Security Incident Response
Detecting and responding to information security incidents is at the core of security operations. The team assigned to security operations is expected to monitor the organization’s assets within scope and react to security events and incidents, including the detection and investigation of what would be considered indicators of compromise (IOC). IOCs are technical and nontechnical security compromise signals that could be detected with technology, processes, and people. For example, detecting a user accessing files from a USB memory device on an enterprise desktop machine can indicate that a policy related to restricting the use of USB memory devices has been violated and that a security control has been circumvented. Another example is detecting the IP address of an Internet botnet command-and-control server inside your network probably indicates that one or more of your systems have been compromised.
Here’s how to quickly establish an incident response program:
- Identify an incident response leader who has good knowledge of your business and who is an effective and responsible problem solver.
- Assemble and empower a team of critical stakeholders, with clearly defined roles and responsibilities.
- Draft your incident response process and establish documentation standards. The key is consistency in how you respond to incidents. There’s no need for a complicated plan. Just make sure it works for your organization’s culture.
- Connect people and tools with the needed capabilities from around your organization. Chances are, much of what you need is already in place.
- Understand the most significant capability gaps relative to your draft incident response process and build a plan to address those gaps. Start with a minimum viable process, and then enhance it over time.
“When you launch a new initiative, cybersecurity is included in your business case and project management process. You’ve got to hit all the buttons. You’ll have milestones for data security. You’ll have compliance people involved. Everyone has to sign off.”
—Former VP of Human Resources, Fortune 100 Bank
REGISTER FOR FREE ONLINE DEMO