Cisco CCNA Associate & CyberOps Associate Training Boot Camp with dual certification

CCNA (200-301)

Network fundamentals

• Role and function of network components
  • Routers
  • L2 and L3 switches
  • Next-generation firewalls and IPS
  • Access points
  • Controllers (Cisco DNA Center and WLC)
  • Endpoints
  • Servers
• Characteristics of network topology architectures
  • 2 tier
  • 3 tier
  • Spine-leaf
  • WAN
  • Small office/home office (SOHO)
  • On-premises and cloud
• Compare and contrast network topologies
• Physical interface and cabling types
  • Single-mode fiber, multimode fiber, copper
  • Connections (Ethernet shared media and point-to-point)
  • Concepts of PoE
• Interface and cable issues (collisions, errors, mismatch duplex, and/or speed)
• TCP and UDP
• Configuring and verifying IPv4 addressing and subnetting
• The need for private IPv4 addressing
• Configuring and verifying IPv6 addressing and prefix
• IPv6 address types
  • Global unicast
  • Unique local
  • Link local
  • Anycast
  • Multicast
  • Modified EUI 64
• Verifying IP parameters for client OS (Windows, Mac OS, Linux)
• Wireless principles
  • Nonoverlapping Wi-Fi channels
  • SSID
  • RF
  • Encryption
• Virtualization fundamentals (virtual machines)
• Switching concepts
  • MAC learning and aging
  • Frame switching
  • Frame flooding
  • MAC address table

Network access

• Configuring and verifying VLANs (normal range) spanning multiple switches
  • Access ports (data and voice)
  • Default VLAN
  • Connectivity
• Configuring and verifying interswitch connectivity
• Trunk ports
• 802.1Q
• Native VLAN
• Configuring and verifying Layer 2 discovery protocols (Cisco Discovery Protocol and LLDP)
• Configuring and verifying (Layer 2/Layer 3) EtherChannel (LACP)
• The need for and basic operations of Rapid PVST+ Spanning Tree Protocol
  • Root port, root bridge (primary/secondary), and other port names
  • Port states (forwarding/blocking)
  • PortFast benefits
• Cisco Wireless Architectures and AP modes
• Physical infrastructure connections of WLAN components (AP, WLC, access/trunk ports, and LAG)
• AP and WLC management access connections (Telnet, SSH, HTTP, HTTPS, console and TACACS+/RADIUS)
• Configuring the components of a wireless LAN access for client connectivity using GUI only such as WLAN creation, security settings, QoS profiles and advanced WLAN settings

IP connectivity

• Components of routing table
  • Routing protocol code
  • Prefix
  • Network mask
  • Next hop
  • Administrative distance
  • Metric
  • Gateway of last resort
• Determining how a router makes a forwarding decision by default
  • Longest match
  • Administrative distance
  • Routing protocol metric
• Configuring and verifying IPv4 and IPv6 static routing
  • Default route
  • Network route
  • Host route
  • Floating static
• Configuring and verifying single area OSPFv2
  • Neighbor adjacencies
  • Point-to-point
  • Broadcast (DR/BDR selection)
  • Router ID
• The purpose of first hop redundancy protocol

IP services

• Configuring and verifying inside source NAT using static and pools
• Configuring and verifying NTP operating in a client and server mode
• Role of DHCP and DNS within the network Function of SNMP in network operations
• Use of syslog features including facilities and levels
• Configuring and verifying DHCP client and relay
• Understanding the forwarding per-hop behavior (PHB) for QoS such as classification, marking, queuing, congestion, policing, shaping
• Configuring network devices for remote access using SSH
• Capabilities and function of TFTP/FTP in the network

Security fundamentals

• Key security concepts (threats, vulnerabilities, exploits and mitigation techniques)
• Security program elements (user awareness, training and physical access control)
• Configuring device access control using local passwords
• Security password policies elements: management, complexity and password alternatives (multifactor authentication, certificates and biometrics)
• Remote access and site-to-site VPNs
• Configuring and verifying access control lists
• Configuring Layer 2 security features (DHCP snooping, dynamic ARP inspection and port security)
• Authentication, authorization and accounting
• Wireless security protocols (WPA, WPA2 and WPA3)
• Configuring WLAN using WPA2 PSK using the GUI

Automation and programmability

• How automation impacts network management
• Traditional networks vs. controller-based networking
• Controller-based and software defined architectures (overlay, underlay and fabric)
  • Separation of control plane and data plane
  • North-bound and south-bound APIs
• Traditional campus device management vs. Cisco DNA Center enabled device management
• Characteristics of REST-based APIs (CRUD, HTTP verbs and data encoding)
• Capabilities of configuration management mechanisms Puppet, Chef and Ansible
• Interpreting JSON encoded data

Cisco Certified CyberOps Associate (200-201)

Security concepts

• Describe the CIA triad
• Compare security deployments
  • Network, endpoint and application security systems
  • Agentless and agent-based protections
  • Legacy antivirus and antimalware
  • SIEM, SOAR and log management
• Describe security terms
  • Threat intelligence (TI)
  • Threat hunting
  • Malware analysis
  • Threat actor
  • Run book automation (RBA)
  • Reverse engineering
  • Sliding window anomaly detection
  • Principle of least privilege
  • Zero trust
  • Threat intelligence platform (TIP)
• Compare security concepts
  • Risk (risk scoring/risk weighting, risk reduction, risk assessment)
  • Threat
  • Vulnerability
  • Exploit
• Describe the principles of the defense-in-depth strategy
• Compare access control models
  • Discretionary access control
  • Mandatory access control
  • Nondiscretionary access control
  • Authentication, authorization, accounting
  • Rule-based access control
  • Time-based access control
  • Role-based access control
• Describe terms as defined in CVSS
  • Attack vector
  • Attack complexity
  • Privileges required
  • User interaction
  • Scope
• Identify the challenges of data visibility (network, host, and cloud) in detection
• Identify potential data loss from provided traffic profiles
• Interpret the 5-tuple approach to isolate a compromised host in a grouped set of logs
• Compare rule-based detection vs. behavioral and statistical detection

Security monitoring

• Compare attack surface and vulnerability
• Identify the types of data provided by these technologies
  • TCP dump
  • NetFlow
  • Next-gen firewall
  • Traditional stateful firewall
  • Application visibility and control
  • Web content filtering
  • Email content filtering
• Describe the impact of these technologies on data visibility
  • Access control list
  • NAT/PAT
  • Tunneling
  • TOR
  • Encryption
  • P2P
  • Encapsulation
  • Load balancing
• Describe the uses of these data types in security monitoring
  • Full packet capture
  • Session data
  • Transaction data
  • Statistical data
  • Metadata
  • Alert data
• Describe network attacks, such as protocol-based, denial of service, distributed denial of service and man-in-the-middle
• Describe web application attacks, such as SQL injection, command injections and crosssite scripting
• Describe social engineering attacks
• Describe endpoint-based attacks, such as buffer overflows, command and control (C2), malware and ransomware
• Describe evasion and obfuscation techniques, such as tunneling, encryption and proxies
• Describe the impact of certificates on security (includes PKI, public/private crossing the network, asymmetric/symmetric)
• Identify the certificate components in a given scenario
• Cipher-suite
  • X.509 certificates
  • Key exchange
  • Protocol version
  • PKCS

Host-based analysis

• Describe the functionality of these endpoint technologies in regard to security monitoring
  • Host-based intrusion detection
  • Antimalware and antivirus
  • Host-based firewall
  • Application-level whitelisting/blacklisting
  • Systems-based sandboxing (such as Chrome, Java, Adobe Reader)
• Identify components of an operating system (such as Windows and Linux) in a given scenario
• Describe the role of attribution in an investigation
  • Assets
  • Threat actor
  • Indicators of compromise
  • Indicators of attack
  • Chain of custody
• Identify type of evidence used based on provided logs
  • Best evidence
  • Corroborative evidence
  • Indirect evidence
• Compare tampered and untampered disk image
• Interpret operating system, application, or command line logs to identify an event
• Interpret the output report of a malware analysis tool (such as a detonation chamber or sandbox)
  • Hashes
  • URLs
  • Systems, events and networking

Network intrusion analysis

• Map the provided events to source technologies
  • IDS/IPS
  • Firewall
  • Network application control
  • Proxy logs
  • Antivirus
  • Transaction data (NetFlow)
• Compare impact and no impact for these items
  • False positive
  • False negative
  • True positive
  • True negative
  • Benign
• Compare deep packet inspection with packet filtering and stateful firewall operation
• Compare inline traffic interrogation and taps or traffic monitoring
• Compare the characteristics of data obtained from taps or traffic monitoring and transactional data (NetFlow) in the analysis of network traffic
• Extract files from a TCP stream when given a PCAP file and Wireshark
• Identify key elements in an intrusion from a given PCAP file
  • Source address
  • Destination address
  • Source port
  • Destination port
  • Protocols
  • Payloads
• Interpret the fields in protocol headers as related to intrusion analysis
  • Ethernet frame
  •  IPv4
  • IPv6
  • TCP
  • UDP
  • ICMP
  • DNS
  • SMTP/POP3/IMAP
  • HTTP/HTTPS/HTTP2
  • ARP
• Interpret common artifact elements from an event to identify an alert
  • IP address (source / destination)
  • Client and server port identity
  • Process (file or registry)
  • System (API calls)
  • Hashes
  • URI / URL
• Interpret basic regular expressions

Security policies and procedures

• Describe management concepts
  • Asset management
  • Configuration management
  • Mobile device management
  • Patch management
  • Vulnerability management
• Describe the elements in an incident response plan as stated in NIST.SP800-61
• Apply the incident handling process (such as NIST.SP800-61) to an event
• Map elements to these steps of analysis based on the NIST.SP800-61
  • Preparation
  • Detection and analysis
  • Containment, eradication, and recovery
  • Post-incident analysis (lessons learned)
• Map the organization stakeholders against the NIST IR categories (CMMC, NIST.SP800-61)
  • Preparation
  • Detection and analysis
  • Containment, eradication, and recovery
  • Post-incident analysis (lessons learned)
• Describe concepts as documented in NIST.SP800-86
  • Evidence collection order
  • Data integrity
  • Data preservation
  • Volatile data collection
• Identify these elements used for network profiling
  • Total throughput
  • Session duration
  • Ports used
  • Critical asset address space
• Identify these elements used for server profiling
  • Listening ports
  • Logged in users/service accounts
  • Running processes
  • Running tasks
  • Applications
• Identify protected data in a network
  • PII
  • PSI
  • PHI
  • Intellectual property
• Classify intrusion events into categories as defined by security models, such as Cyber Kill Chain Model and Diamond Model of Intrusion
• Describe the relationship of SOC metrics to scope analysis (time to detect, time to contain, time to respond, time to control)