Security Monitoring and SIEM Operations
A SOC analyst's primary tool is the SIEM — it ingests security events from across the network and correlates them into actionable alerts. Log sources: network devices (firewall logs, IDS/IPS alerts, NetFlow — metadata about connections without packet payload), endpoint agents (EDR telemetry — process creation, file modification, registry changes, network connections), authentication logs (failed logins, account lockouts, privilege use), DNS and proxy logs (websites visited, malware C2 beacon patterns). NetFlow records: source IP, destination IP, ports, protocol, byte/packet counts — useful for detecting anomalous data volumes and scanning behaviour without capturing full packet content. SIEM correlation rules: alert when multiple related events occur within a defined time window (for example, 5 failed logins from one source in 60 seconds triggers a brute-force alert). False positive management: tune thresholds and whitelist known-good behaviour to reduce analyst fatigue. Alert triage: use the confidence score, event count, asset criticality, and threat intelligence context to prioritise which alerts to investigate first.
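The correlation rule above, worked through as an added example (not from the original notes): a sliding 60-second window per source IP, the 5-failure threshold, a known-good whitelist for tuning, and a flag when a success follows the burst so triage can prioritise it. The log format and all addresses below are constructed for the example.

```python
"""Sliding-window correlation rule: N failed logons from one source within W seconds.

Added example, not part of the original notes. The log format is constructed:
'<ISO timestamp> <FAILED|SUCCESS> user=<name> src=<ip>', i.e. events already
normalised by the SIEM. Thresholds are illustrative, not vendor defaults.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample events: 10.0.0.5 hammers two accounts and then gets in,
# 10.0.0.9 is a single typo, 10.0.0.50 is an authorised scanner (whitelisted).
SAMPLE_LOG = """\
2024-03-01T08:00:01 FAILED user=alice src=10.0.0.5
2024-03-01T08:00:04 FAILED user=alice src=10.0.0.5
2024-03-01T08:00:09 FAILED user=bob src=10.0.0.5
2024-03-01T08:00:15 FAILED user=carol src=10.0.0.9
2024-03-01T08:00:21 FAILED user=alice src=10.0.0.5
2024-03-01T08:00:30 FAILED user=bob src=10.0.0.5
2024-03-01T08:00:31 FAILED user=svc_scan src=10.0.0.50
2024-03-01T08:00:32 FAILED user=svc_scan src=10.0.0.50
2024-03-01T08:00:33 FAILED user=svc_scan src=10.0.0.50
2024-03-01T08:00:34 FAILED user=svc_scan src=10.0.0.50
2024-03-01T08:00:35 FAILED user=svc_scan src=10.0.0.50
2024-03-01T08:01:40 FAILED user=alice src=10.0.0.5
2024-03-01T08:01:45 SUCCESS user=alice src=10.0.0.5
"""

# Constructed whitelist entry: a vulnerability scanner that legitimately fails logons.
KNOWN_GOOD_SOURCES = {"10.0.0.50"}


def parse_event(line):
    """Split one normalised line into a dict with a real datetime."""
    ts, result, user, src = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "result": result,
        "user": user.split("=", 1)[1],
        "src": src.split("=", 1)[1],
    }


def detect_brute_force(log_text, threshold=5, window_seconds=60,
                       whitelist=KNOWN_GOOD_SOURCES):
    """Return one alert per source IP the first time it reaches `threshold`
    failures inside any `window_seconds` span.

    A later SUCCESS from an alerted source is recorded on the alert, because a
    success after a burst is the case an analyst must look at first.
    """
    recent_failures = defaultdict(deque)   # src -> timestamps inside the window
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev["src"] in whitelist:
            continue   # tuning: suppress known-good sources to cut false positives
        q = recent_failures[ev["src"]]
        if ev["result"] == "FAILED":
            q.append(ev["ts"])
            # Drop failures that fell out of the window relative to this event.
            while (ev["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ev["src"] not in alerts:
                alerts[ev["src"]] = {
                    "first_seen": q[0],
                    "last_seen": ev["ts"],
                    "count": len(q),
                    "success_after": False,
                }
        elif ev["result"] == "SUCCESS" and ev["src"] in alerts:
            alerts[ev["src"]]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for src, alert in detect_brute_force(SAMPLE_LOG).items():
        print(src, alert)
```

Running the sample produces a single alert for 10.0.0.5 with `success_after` set; removing the whitelist also alerts on the scanner, which is exactly the kind of false positive the tuning step is meant to remove.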
Network Security Analysis: Protocols and Traffic Patterns
CyberOps requires protocol-level understanding to identify malicious traffic. HTTP: GET and POST methods, status codes (200 = OK, 301/302 = redirect, 403 = forbidden, 404 = not found, 500 = server error), HTTP headers (the User-Agent string reveals browser/OS — useful for anomaly detection), URL structure (base domain + path + query string). HTTPS: TLS handshake (ClientHello with supported ciphers, ServerHello with chosen cipher, Certificate exchange, key exchange, session established) — JA3/JA3S fingerprinting identifies TLS clients and servers by hashing the handshake parameters they offer, such as the cipher suite list and extensions. DNS: query types (A = IPv4, AAAA = IPv6, MX = mail, CNAME = alias, TXT = verification and SPF); DNS over HTTPS (DoH) bypasses conventional DNS monitoring because the queries travel inside encrypted HTTPS — malware increasingly uses DoH for C2. Suspicious patterns: DNS tunnelling (long domain labels, high query rate), domain generation algorithms (DGA — malware generates pseudo-random domain names programmatically — high-entropy domain names are indicators). ICMP: ping and traceroute use ICMP — ICMP tunnelling encodes data in the ICMP echo payload.
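The two DNS indicators named above, label entropy for DGA and long labels plus query rate for tunnelling, as an added example that is not part of the original notes. The query-log format, client addresses and domain names are constructed; the thresholds are illustrative assumptions, not values from any product.

```python
"""Flag DGA-like and tunnelling-like DNS queries from a query log.

Added example, not from the original notes. Log format is constructed:
'<epoch seconds> <client ip> <qtype> <qname>'. Thresholds are assumptions.
"""
import math
from collections import Counter, defaultdict

# Constructed sample log: 10.0.0.7 browses normally, 10.0.0.8 resolves two
# random-looking (DGA-style) names, 10.0.0.9 sends a burst of TXT queries
# whose leftmost label carries 42 characters of data (tunnelling-style).
_lines = [
    "1709280000 10.0.0.7 A www.example.com",
    "1709280001 10.0.0.7 A mail.example.com",
    "1709280002 10.0.0.8 A xk7qpz2vbn3wtl.com",
    "1709280003 10.0.0.8 A q9z3mxv7tkp2wg.net",
]
for i in range(25):
    _lines.append(f"{1709280010 + i} 10.0.0.9 TXT {'seg%02dx' % i * 7}.tun.example.net")
SAMPLE_LOG = "\n".join(_lines)


def shannon_entropy(s):
    """Bits per character; random-looking labels score close to log2(len(s))."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname):
    """Naive: last two labels. Production code should use the Public Suffix List."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def score_qname(qname, entropy_threshold=3.5, label_length_threshold=40):
    """Return indicator tags for a single query name."""
    labels = qname.rstrip(".").split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    tags = set()
    # DGA: the registrable label itself is long and high-entropy.
    if len(sld) >= 10 and shannon_entropy(sld) >= entropy_threshold:
        tags.add("high_entropy")
    # Tunnelling: any label long enough to be carrying encoded data.
    if max(len(label) for label in labels) >= label_length_threshold:
        tags.add("long_label")
    return tags


def detect_dns_anomalies(log_text, rate_threshold=20, window_seconds=60):
    """Aggregate per (client, registered domain); add 'high_rate' when any
    window of `window_seconds` holds at least `rate_threshold` queries."""
    stamps_by_key = defaultdict(list)
    findings = defaultdict(set)
    for line in log_text.splitlines():
        ts, client, _qtype, qname = line.split()
        key = (client, registered_domain(qname))
        stamps_by_key[key].append(float(ts))
        findings[key] |= score_qname(qname)
    for key, stamps in stamps_by_key.items():
        stamps.sort()
        j, best = 0, 0
        for i, t in enumerate(stamps):          # two-pointer sliding window
            while t - stamps[j] > window_seconds:
                j += 1
            best = max(best, i - j + 1)
        if best >= rate_threshold:
            findings[key].add("high_rate")
    return {k: sorted(v) for k, v in findings.items() if v}


if __name__ == "__main__":
    for key, tags in detect_dns_anomalies(SAMPLE_LOG).items():
        print(key, tags)
```

Entropy alone is a weak signal (legitimate CDN and cloud hostnames also look random), which is why the rate and length tags are kept separate so an analyst can weigh them with the context the triage step describes.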
Endpoint Forensics and Malware Analysis
SOC analysts analyse endpoint telemetry for signs of compromise. Windows event IDs an analyst should know: 4624 (successful logon — with logon type: 3 = network, 10 = remote interactive), 4625 (failed logon), 4648 (explicit credential logon — often indicates lateral movement), 4688 (process creation — with command line if the audit policy enables it), 4697 (service installed), 7045 (new service installed), 4663 (file accessed), 4698 (scheduled task created), 4720 (user account created). Sysmon event IDs: 1 (process creation with full command line and hash), 3 (network connection), 7 (image loaded — DLL), 11 (file created), 13 (registry value set). Malware behaviour patterns: persistence (run keys, scheduled tasks, services — look for Events 4698, 4697, 7045), C2 communication (regular beaconing at fixed intervals — beacon interval analysis), lateral movement (PsExec, WMI, PowerShell remoting, SMB — Events 4648, 5140), data staging and exfiltration (large files created in temp directories, then compressed and transferred out).
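Beacon interval analysis as mentioned above, worked as an added example (not from the original notes): group outbound connections by process and destination, compute the gaps between them, and treat a low coefficient of variation as a regular beacon. The input records are constructed to resemble normalised Sysmon Event ID 3 fields; the process names, addresses and thresholds are assumptions for the example.

```python
"""Beacon-interval analysis over outbound connection events.

Added example, not part of the original notes. Each record is constructed as
(epoch seconds, process image, destination ip, destination port), the fields a
normalised Sysmon Event ID 3 would supply. Thresholds are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

_BASE = 1709280000

# Constructed: an implant-like process calling home roughly every 60 s with
# a little jitter (12 connections).
_beacon_gaps = [60, 58, 61, 62, 59, 60, 61, 58, 60, 62, 59]
# Constructed: a browser with human, irregular timing (10 connections).
_browser_gaps = [3, 45, 2, 120, 7, 300, 15, 1, 60]


def _timeline(start, gaps):
    """Expand a start time and a list of gaps into absolute timestamps."""
    stamps = [start]
    for g in gaps:
        stamps.append(stamps[-1] + g)
    return stamps


SAMPLE_EVENTS = (
    [(t, "updater.exe", "203.0.113.10", 443) for t in _timeline(_BASE, _beacon_gaps)]
    + [(t, "chrome.exe", "198.51.100.20", 443) for t in _timeline(_BASE + 5, _browser_gaps)]
    + [(_BASE + 1, "svchost.exe", "192.0.2.7", 53),      # too few events to judge
       (_BASE + 400, "svchost.exe", "192.0.2.7", 53),
       (_BASE + 900, "svchost.exe", "192.0.2.7", 53)]
)


def beacon_candidates(events, min_events=8, max_cv=0.15):
    """Return per-(process, dst, port) interval statistics.

    cv = stdev(gaps) / mean(gaps). Human-driven traffic has cv well above 1;
    timer-driven beacons sit near 0 even with jitter. Pairs with fewer than
    `min_events` connections are skipped because the statistic is meaningless.
    """
    by_dest = defaultdict(list)
    for ts, proc, dst, port in events:
        by_dest[(proc, dst, port)].append(ts)

    results = {}
    for key, stamps in by_dest.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mu = mean(gaps)
        if mu == 0:
            continue   # duplicate timestamps, nothing to measure
        cv = pstdev(gaps) / mu
        results[key] = {
            "connections": len(stamps),
            "interval_s": round(mu, 1),
            "cv": round(cv, 3),
            "beacon": cv <= max_cv,
        }
    return results


if __name__ == "__main__":
    for key, stats in beacon_candidates(SAMPLE_EVENTS).items():
        print(key, stats)
```

On the sample the implant-like process scores an interval of 60 s with cv about 0.02 and is flagged; the browser's cv is well above 1 and is not. Real implants add deliberate jitter, so `max_cv` is a tuning knob to revisit against the environment's baseline rather than a fixed answer.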
Incident Response Procedures and SOC Operations
SOC analysts follow structured incident response procedures. NIST SP 800-61 phases adapted for the SOC: Detection and Analysis (triage the alert — is it a true positive? Gather IOCs, determine the scope of impact), Containment (isolate affected systems — EDR endpoint isolation, firewall block, account disable), Eradication (remove malware, reset credentials, patch the vulnerability), Recovery (restore from clean backup, re-image if necessary, verify), Post-Incident (write the incident report, update runbooks, tune SIEM rules). IOC categories: host-based (file hash, registry key, process name, file path), network-based (IP address, domain, URL, certificate hash), behaviour-based (ATT&CK technique — process injection, scheduled task creation). Threat intelligence consumption: IP and domain blocklists, STIX/TAXII feeds, ISACs (Information Sharing and Analysis Centers — sector-specific: FS-ISAC for financial, H-ISAC for healthcare, MS-ISAC for government). Playbook execution: follow the documented steps for each incident type — deviating from the playbook without authorisation is a common exam trap, even if you think a better approach exists.