Introduction

The Understanding Cisco Cybersecurity Operations Fundamentals (200-201 CBROPS) exam is a 120-minute exam that includes 95 to 105 questions. This exam and curriculum are designed to prepare the cybersecurity analysts of the future. The CyberOps Associate certification provides a path for individuals pursuing a cybersecurity career and associate-level job roles in security operations centers (SOCs). The exam covers the fundamentals you need to prevent, detect, analyze, and respond to cybersecurity incidents.

This book gives you the foundation and covers the topics necessary to start your CyberOps Associate certification journey.

The Cisco CyberOps Associate Certification

The Cisco CyberOps Associate certification is one of the industry’s most respected certifications. There are no formal prerequisites for the CyberOps Associate certification. In other words, you do not have to pass any other exams or certifications to take the 200-201 CBROPS exam. On the other hand, you must have a good understanding of basic networking and IT concepts.

Cisco considers ideal candidates to be those who possess the following:

• Knowledge of fundamental security concepts

• An understanding of security monitoring

• An understanding of host-based and network intrusion analysis

• An understanding of security policies and procedures related to incident response and digital forensics

The Exam Objectives (Domains)

The Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS 200-201) exam is broken down into five major domains. The contents of this book cover each of the domains and the subtopics included in them, as illustrated in the following descriptions.

The following table breaks down each of the domains represented in the exam.

[Table: the five 200-201 CBROPS exam domains; not reproduced here. The domains and their subtopics are listed below.]

Here are the details of each domain:

Domain 1: Security Concepts: This domain is covered in Chapters 1, 2, 3, and 4.

1.1 Describe the CIA triad

1.2 Compare security deployments

1.2.a Network, endpoint, and application security systems

1.2.b Agentless and agent-based protections

1.2.c Legacy antivirus and antimalware

1.2.d SIEM, SOAR, and log management

1.3 Describe security terms

1.3.a Threat intelligence (TI)

1.3.b Threat hunting

1.3.c Malware analysis

1.3.d Threat actor

1.3.e Run book automation (RBA)

1.3.f Reverse engineering

1.3.g Sliding window anomaly detection

1.3.h Principle of least privilege

1.3.i Zero trust

1.3.j Threat intelligence platform (TIP)

1.4 Compare security concepts

1.4.a Risk (risk scoring/risk weighting, risk reduction, risk assessment)

1.4.b Threat

1.4.c Vulnerability

1.4.d Exploit

1.5 Describe the principles of the defense-in-depth strategy

1.6 Compare access control models

1.6.a Discretionary access control

1.6.b Mandatory access control

1.6.c Nondiscretionary access control

1.6.d Authentication, authorization, accounting

1.6.e Rule-based access control

1.6.f Time-based access control

1.6.g Role-based access control

1.7 Describe terms as defined in CVSS

1.7.a Attack vector

1.7.b Attack complexity

1.7.c Privileges required

1.7.d User interaction

1.7.e Scope

1.8 Identify the challenges of data visibility (network, host, and cloud) in detection

1.9 Identify potential data loss from provided traffic profiles

1.10 Interpret the 5-tuple approach to isolate a compromised host in a grouped set of logs

1.11 Compare rule-based detection vs. behavioral and statistical detection

Domain 2: Security Monitoring: This domain is covered primarily in Chapters 5, 7, 10, 12, 14, and 15.

2.1 Compare attack surface and vulnerability

2.2 Identify the types of data provided by these technologies

2.2.a TCP dump

2.2.b NetFlow

2.2.c Next-gen firewall

2.2.d Traditional stateful firewall

2.2.e Application visibility and control

2.2.f Web content filtering

2.2.g Email content filtering

2.3 Describe the impact of these technologies on data visibility

2.3.a Access control list

2.3.b NAT/PAT

2.3.c Tunneling

2.3.d TOR

2.3.e Encryption

2.3.f P2P

2.3.g Encapsulation

2.3.h Load balancing

2.4 Describe the uses of these data types in security monitoring

2.4.a Full packet capture

2.4.b Session data

2.4.c Transaction data

2.4.d Statistical data

2.4.e Metadata

2.4.f Alert data

2.5 Describe network attacks, such as protocol-based, denial of service, distributed denial of service, and man-in-the-middle

2.6 Describe web application attacks, such as SQL injection, command injections, and cross-site scripting

2.7 Describe social engineering attacks

2.8 Describe endpoint-based attacks, such as buffer overflows, command and control (C2), malware, and ransomware

2.9 Describe evasion and obfuscation techniques, such as tunneling, encryption, and proxies

2.10 Describe the impact of certificates on security (includes PKI, public/private crossing the network, asymmetric/symmetric)

2.11 Identify the certificate components in a given scenario

2.11.a Cipher-suite

2.11.b X.509 certificates

2.11.c Key exchange

2.11.d Protocol version

2.11.e PKCS

Domain 3: Host-based Analysis: This domain is covered primarily in Chapter 11.

3.1 Describe the functionality of these endpoint technologies in regard to security monitoring

3.1.a Host-based intrusion detection

3.1.b Antimalware and antivirus

3.1.c Host-based firewall

3.1.d Application-level whitelisting/blacklisting

3.1.e Systems-based sandboxing (such as Chrome, Java, Adobe Reader)

3.2 Identify components of an operating system (such as Windows and Linux) in a given scenario

3.3 Describe the role of attribution in an investigation

3.3.a Assets

3.3.b Threat actor

3.3.c Indicators of compromise

3.3.d Indicators of attack

3.3.e Chain of custody

3.4 Identify type of evidence used based on provided logs

3.4.a Best evidence

3.4.b Corroborative evidence

3.4.c Indirect evidence

3.5 Compare tampered and untampered disk image

3.6 Interpret operating system, application, or command line logs to identify an event

3.7 Interpret the output report of a malware analysis tool (such as a detonation chamber or sandbox)

3.7.a Hashes

3.7.b URLs

3.7.c Systems, events, and networking

Domain 4: Network Intrusion Analysis: This domain is covered primarily in Chapters 10, 13, and 15.

4.1 Map the provided events to source technologies

4.1.a IDS/IPS

4.1.b Firewall

4.1.c Network application control

4.1.d Proxy logs

4.1.e Antivirus

4.1.f Transaction data (NetFlow)

4.2 Compare impact and no impact for these items

4.2.a False positive

4.2.b False negative

4.2.c True positive

4.2.d True negative

4.2.e Benign

4.3 Compare deep packet inspection with packet filtering and stateful firewall operation

4.4 Compare inline traffic interrogation and taps or traffic monitoring

4.5 Compare the characteristics of data obtained from taps or traffic monitoring and transactional data (NetFlow) in the analysis of network traffic

4.6 Extract files from a TCP stream when given a PCAP file and Wireshark

4.7 Identify key elements in an intrusion from a given PCAP file

4.7.a Source address

4.7.b Destination address

4.7.c Source port

4.7.d Destination port

4.7.e Protocols

4.7.f Payloads

4.8 Interpret the fields in protocol headers as related to intrusion analysis

4.8.a Ethernet frame

4.8.b IPv4

4.8.c IPv6

4.8.d TCP

4.8.e UDP

4.8.f ICMP

4.8.g DNS

4.8.h SMTP/POP3/IMAP

4.8.i HTTP/HTTPS/HTTP2

4.8.j ARP

4.9 Interpret common artifact elements from an event to identify an alert

4.9.a IP address (source/destination)

4.9.b Client and server port identity

4.9.c Process (file or registry)

4.9.d System (API calls)

4.9.e Hashes

4.9.f URI/URL

4.10 Interpret basic regular expressions

Domain 5: Security Policies and Procedures: This domain is covered primarily in Chapters 7, 8, 9, 14, and 15.

5.1 Describe management concepts

5.1.a Asset management

5.1.b Configuration management

5.1.c Mobile device management

5.1.d Patch management

5.1.e Vulnerability management

5.2 Describe the elements in an incident response plan as stated in NIST.SP800-61

5.3 Apply the incident handling process (such as NIST.SP800-61) to an event

5.4 Map elements to these steps of analysis based on the NIST.SP800-61

5.4.a Preparation

5.4.b Detection and analysis

5.4.c Containment, eradication, and recovery

5.4.d Post-incident analysis (lessons learned)

5.5 Map the organization stakeholders against the NIST IR categories (CMMC, NIST.SP800-61)

5.5.a Preparation

5.5.b Detection and analysis

5.5.c Containment, eradication, and recovery

5.5.d Post-incident analysis (lessons learned)

5.6 Describe concepts as documented in NIST.SP800-86

5.6.a Evidence collection order

5.6.b Data integrity

5.6.c Data preservation

5.6.d Volatile data collection

5.7 Identify these elements used for network profiling

5.7.a Total throughput

5.7.b Session duration

5.7.c Ports used

5.7.d Critical asset address space

5.8 Identify these elements used for server profiling

5.8.a Listening ports

5.8.b Logged in users/service accounts

5.8.c Running processes

5.8.d Running tasks

5.8.e Applications

5.9 Identify protected data in a network

5.9.a PII

5.9.b PSI

5.9.c PHI

5.9.d Intellectual property

5.10 Classify intrusion events into categories as defined by security models, such as Cyber Kill Chain Model and Diamond Model of Intrusion

5.11 Describe the relationship of SOC metrics to scope analysis (time to detect, time to contain, time to respond, time to control)

Steps to Pass the 200-201 CBROPS Exam

There are no prerequisites for the 200-201 CBROPS exam; however, candidates must have an understanding of networking and cybersecurity concepts.

Signing Up for the Exam

The steps required to sign up for the 200-201 CBROPS exam are as follows:

1. Create an account at https://home.pearsonvue.com/cisco.

2. Complete the Examination Agreement, attesting to the truth of your assertions regarding professional experience and legally committing to the adherence of the testing policies.

3. Submit the examination fee.

Facts About the Exam

The exam is a computer-based test. The exam consists of multiple-choice questions only. You must bring a government-issued identification card. No other forms of ID will be accepted.


Tip

Refer to the Cisco Certification site at https://cisco.com/go/certifications for more information regarding this, and other, Cisco certifications.


About the Cisco CyberOps Associate CBROPS 200-201 Official Cert Guide

This book covers the topic areas of the 200-201 CBROPS exam and uses a number of features to help you understand the topics and prepare for the exam.

Objectives and Methods

This book uses several key methodologies to help you discover the exam topics on which you need more review, to help you fully understand and remember those details, and to help you prove to yourself that you have retained your knowledge of those topics. This book does not try to help you pass the exam by memorization alone; it seeks to help you truly learn and understand the topics. This book is designed to help you pass the Understanding Cisco Cybersecurity Operations Fundamentals (200-201 CBROPS) exam by using the following methods:

• Helping you discover which exam topics you have not mastered

• Providing explanations and information to fill in your knowledge gaps

• Supplying exercises that enhance your ability to recall and deduce the answers to test questions

• Providing practice exercises on the topics and the testing process via test questions on the companion website

Book Features

To help you customize your study time using this book, the core chapters have several features that help you make the best use of your time:

Foundation Topics: These are the core sections of each chapter. They explain the concepts for the topics in that chapter.

Exam Preparation Tasks: After the “Foundation Topics” section of each chapter, the “Exam Preparation Tasks” section lists a series of study activities that you should do at the end of the chapter:

Review All Key Topics: The Key Topic icon appears next to the most important items in the “Foundation Topics” section of the chapter. The Review All Key Topics activity lists the key topics from the chapter, along with their page numbers. Although the contents of the entire chapter could be on the exam, you should definitely know the information listed in each key topic, so you should review these.

Define Key Terms: Although the Understanding Cisco Cybersecurity Operations Fundamentals (200-201 CBROPS) exam may be unlikely to ask a question such as “Define this term,” the exam does require that you learn and know a lot of cybersecurity terminology. This section lists the most important terms from the chapter, asking you to write a short definition and compare your answer to the glossary at the end of the book.

Review Questions: Confirm that you understand the content you just covered by answering these questions and reading the answer explanations.

Web-Based Practice Exam: The companion website includes the Pearson Cert Practice Test engine, which allows you to take practice exam questions. Use it to prepare with a sample exam and to pinpoint topics where you need more study.

How This Book Is Organized

This book contains 15 core chapters, Chapters 1 through 15. Chapter 16 includes preparation tips and suggestions for how to approach the exam. Each core chapter covers a subset of the topics on the Understanding Cisco Cybersecurity Operations Fundamentals (200-201 CBROPS) exam. The core chapters map to the Cisco CyberOps Associate topic areas and cover the concepts and technologies you will encounter on the exam.

The Companion Website for Online Content Review

All the electronic review elements, as well as other electronic components of the book, exist on this book’s companion website.

To access the companion website, which hosts the electronic content for this book, start by establishing a login at www.ciscopress.com and registering your book.

To do so, simply go to www.ciscopress.com/register and enter the ISBN of the print book: 9780136807834. After you have registered your book, go to your account page and click the Registered Products tab. From there, click the Access Bonus Content link to get access to the book’s companion website.

Note that if you buy the Premium Edition eBook and Practice Test version of this book from Cisco Press, your book will automatically be registered on your account page. Simply go to your account page, click the Registered Products tab, and select Access Bonus Content to access the book’s companion website.

Please note that many of our companion content files can be very large, especially image and video files.

If you are unable to locate the files for this title by following these steps, please visit www.pearsonITcertification.com/contact and select the Site Problems/Comments option. Our customer service representatives will assist you.

How to Access the Pearson Test Prep (PTP) App

You have two options for installing and using the Pearson Test Prep application: a web app and a desktop app. To use the Pearson Test Prep application, start by finding the registration code that comes with the book. You can find the code in these ways:

Print book: Look in the cardboard sleeve in the back of the book for a piece of paper with your book’s unique PTP code.

Premium Edition: If you purchase the Premium Edition eBook and Practice Test directly from the Cisco Press website, the code will be populated on your account page after purchase. Just log in at www.ciscopress.com, click account to see details of your account, and click the digital purchases tab.

Amazon Kindle: For those who purchased a Kindle edition from Amazon, the access code will be supplied directly from Amazon.

Other bookseller e-books: Note that if you purchase an e-book version from any other source, the practice test is not included because other vendors to date have not chosen to provide the required unique access code.


Note

Do not lose the activation code because it is the only means with which you can access the QA content for the book.


Once you have the access code, to find instructions about both the PTP web app and the desktop app, follow these steps:

Step 1. Open this book’s companion website, as described earlier in this Introduction under the heading “The Companion Website for Online Content Review.”

Step 2. Click the Practice Exams button.

Step 3. Follow the instructions listed there both for installing the desktop app and for using the web app.

Note that if you want to use the web app only at this point, just navigate to www.pearsontestprep.com, establish a free login if you do not already have one, and register this book’s practice tests using the registration code you just found. The process should take only a couple of minutes.


Note

Amazon e-book (Kindle) customers: It is easy to miss Amazon’s email that lists your PTP access code. Soon after you purchase the Kindle e-book, Amazon should send an email. However, the email uses very generic text and makes no specific mention of PTP or practice exams. To find your code, read every email from Amazon after you purchase the book. Also, do the usual checks for ensuring your email arrives, such as checking your spam folder.



Note

Other e-book customers: As of the time of publication, only the publisher and Amazon supply PTP access codes when you purchase their e-book editions of this book.


Customizing Your Exams

Once you are in the exam settings screen, you can choose to take exams in one of three modes:

Study mode: Allows you to fully customize your exams and review answers as you are taking the exam. This is typically the mode you would use first to assess your knowledge and identify information gaps.

Practice Exam mode: Locks certain customization options, as it is presenting a realistic exam experience. Use this mode when you are preparing to test your exam readiness.

Flash Card mode: Strips out the answers and presents you with only the question stem. This mode is great for late-stage preparation when you really want to challenge yourself to provide answers without the benefit of seeing multiple-choice options. This mode does not provide the detailed score reports that the other two modes do, so you should not use it if you are trying to identify knowledge gaps.

In addition to these three modes, you will be able to select the source of your questions. You can choose to take exams that cover all of the chapters, or you can narrow your selection to just a single chapter or the chapters that make up specific parts in the book. All chapters are selected by default. If you want to narrow your focus to individual chapters, simply deselect all the chapters and then select only those on which you wish to focus in the Objectives area.

You can also select the exam banks on which to focus. Each exam bank comes complete with a full exam of questions that cover topics in every chapter. The two exams printed in the book are available to you as well as two additional exams of unique questions. You can have the test engine serve up exams from all four banks or just from one individual bank by selecting the desired banks in the exam bank area.

There are several other customizations you can make to your exam from the exam settings screen, such as the time of the exam, the number of questions served up, whether to randomize questions and answers, whether to show the number of correct answers for multiple-answer questions, and whether to serve up only specific types of questions. You can also create custom test banks by selecting only questions that you have marked or questions on which you have added notes.

Updating Your Exams

If you are using the online version of the Pearson Test Prep software, you should always have access to the latest version of the software as well as the exam data. If you are using the Windows desktop version, every time you launch the software while connected to the Internet, it checks if there are any updates to your exam data and automatically downloads any changes that were made since the last time you used the software.

Sometimes, due to many factors, the exam data may not fully download when you activate your exam. If you find that figures or exhibits are missing, you may need to manually update your exams. To update a particular exam you have already activated and downloaded, simply click the Tools tab and click the Update Products button. Again, this is an issue only with the desktop Windows application.

If you wish to check for updates to the Pearson Test Prep exam engine software, Windows desktop version, simply click the Tools tab and click the Update Application button. This ensures that you are running the latest version of the software engine.
