
CCNA Cybersecurity Operations Lab Manual, 1st edition
Title overview
CCNA Cybersecurity Operations 1.0 covers knowledge and skills needed to successfully handle the tasks, duties, and responsibilities of an associate-level Security Analyst working in a Security Operations Center (SOC).
- The only authorized Lab Manual for the Cisco Networking Academy CCNA Operations course
- Enables students to easily highlight, take notes, and study offline
- Links directly to Cisco Networking Academy's online curriculum
Table of contents
Chapter 1 Cybersecurity and the Security Operations Center 1
1.0.1.2 Class Activity—Top Hacker Shows Us How It is Done 1
Objectives 1
Background/Scenario 1
Required Resources 1
1.1.1.4 Lab—Installing the CyberOps Workstation Virtual Machine 3
Objectives 3
Background/Scenario 3
Required Resources 3
Part 1: Prepare a Host Computer for Virtualization 3
Part 2: Import the Virtual Machine into the VirtualBox Inventory 4
Reflection 6
1.1.1.5 Lab—Cybersecurity Case Studies 7
Objectives 7
Background/Scenario 7
Required Resources 7
1.1.2.6 Lab—Learning the Details of Attacks 9
Objectives 9
Background/Scenario 9
Required Resources 9
Conduct a Search of IoT Application Vulnerabilities 9
1.1.3.4 Lab—Visualizing the Black Hats 11
Objectives 11
Background/Scenario 11
Required Resources 11
1.2.2.5 Lab—Becoming a Defender 14
Objectives 14
Background/Scenario 14
Required Resources 14
Chapter 2 Windows Operating System 17
2.0.1.2 Class Activity—Identify Running Processes 17
Objectives 17
Background/Scenario 17
Required Resources 17
2.1.2.10 Lab—Exploring Processes, Threads, Handles, and Windows Registry 20
Objectives 20
Required Resources 20
Part 1: Exploring Processes 20
Part 2: Exploring Threads and Handles 23
Part 3: Exploring Windows Registry 25
2.2.1.10 Lab—Create User Accounts 28
Objectives 28
Required Resources 28
Part 1: Creating a New Local User Account 28
Part 2: Reviewing User Account Properties 33
Part 3: Modifying Local User Accounts 34
Reflection 36
2.2.1.11 Lab—Using Windows PowerShell 37
Objectives 37
Background/Scenario 37
Required Resources 37
Reflection 42
2.2.1.12 Lab—Windows Task Manager 43
Objectives 43
Background/Scenario 43
Required Resources 43
Part 1: Working in the Processes Tab 43
Part 2: Working in the Services Tab 47
Part 3: Working in the Performance Tab 48
Reflection 51
2.2.1.13 Lab—Monitor and Manage System Resources in Windows 52
Objectives 52
Recommended Equipment 52
Part 1: Starting and Stopping the Routing and Remote Access Service 52
Part 2: Working in the Computer Management Utility 59
Part 3: Configuring Administrative Tools 61
Chapter 3 Linux Operating System 71
3.1.2.6 Lab—Working with Text Files in the CLI 71
Objectives 71
Required Resources 71
Part 1: Graphical Text Editors 71
Part 2: Command Line Text Editors 72
Part 3: Working with Configuration Files 74
Reflection 81
3.1.2.7 Lab—Getting Familiar with the Linux Shell 82
Introduction 82
Recommended Equipment 82
Part 1: Shell Basics 82
Part 2: Copying, Deleting, and Moving Files 87
Reflection 89
3.1.3.4 Lab—Linux Servers 90
Introduction 90
Recommended Equipment 90
Part 1: Servers 90
Part 2: Using Telnet to Test TCP Services 94
Reflection 96
3.2.1.4 Lab—Locating Log Files 97
Introduction 97
Required Resources 97
Part 1: Log File Overview 97
Part 2: Locating Log Files in Unknown Systems 99
Part 3: Monitoring Log Files in Real Time 104
Reflection 113
3.2.2.4 Lab—Navigating the Linux Filesystem and Permission Settings 114
Objectives 114
Required Resources 114
Part 1: Exploring Filesystems in Linux 114
Part 2: File Permissions 117
Part 3: Symbolic Links and other Special File Types 120
Reflection 123
Chapter 4 Network Protocols and Services 125
4.1.1.7 Lab—Tracing a Route 125
Objectives 125
Background 125
Scenario 125
Required Resources 126
Part 1: Verifying Network Connectivity Using Ping 126
Part 2: Tracing a Route to a Remote Server Using Traceroute 126
Part 3: Trace a Route to a Remote Server Using Web-Based Traceroute Tool 127
Reflection 128
4.1.2.10 Lab—Introduction to Wireshark 129
Mininet Topology 129
Objectives 129
Background/Scenario 129
Required Resources 130
Part 1: Install and Verify the Mininet Topology 130
Part 2: Capture and Analyze ICMP Data in Wireshark 131
4.4.2.8 Lab—Using Wireshark to Examine Ethernet Frames 136
Mininet Topology 136
Objectives 136
Background/Scenario 136
Required Resources 137
Part 1: Examine the Header Fields in an Ethernet II Frame 137
Part 2: Use Wireshark to Capture and Analyze Ethernet Frames 139
Reflection 142
4.5.2.4 Lab—Using Wireshark to Observe the TCP 3-Way Handshake 143
Mininet Topology 143
Objectives 143
Background/Scenario 143
Required Resources 143
Part 1: Prepare the Hosts to Capture the Traffic 144
Part 2: Analyze the Packets Using Wireshark 144
Part 3: View the Packets Using tcpdump 147
Reflection 148
4.5.2.10 Lab—Exploring Nmap 149
Topology 149
Objectives 149
Background/Scenario 149
Required Resources 149
Part 1: Exploring Nmap 149
Part 2: Scanning for Open Ports 152
Reflection 155
4.6.2.7 Lab—Using Wireshark to Examine a UDP DNS Capture 156
Topology 156
Objectives 156
Background/Scenario 156
Required Resources 156
Part 1: Record VM’s IP Configuration Information 156
Part 2: Use Wireshark to Capture DNS Queries and Responses 157
Part 3: Analyze Captured DNS or UDP Packets 158
Reflection 162
4.6.4.3 Lab—Using Wireshark to Examine TCP and UDP Captures 163
Topology — Part 1 (FTP) 163
Mininet Topology — Part 2 (TFTP) 163
Objectives 164
Background/Scenario 164
Required Resources 164
Part 1: Identify TCP Header Fields and Operation Using a Wireshark FTP Session Capture 164
Part 2: Identify UDP Header Fields and Operation Using a Wireshark TFTP Session Capture 171
Reflection 174
4.6.6.5 Lab—Using Wireshark to Examine HTTP and HTTPS 175
Objectives 175
Background/Scenario 175
Required Resources 175
Part 1: Capture and View HTTP Traffic 175
Part 2: Capture and View HTTPS Traffic 178
Reflection 181
Chapter 5 Network Infrastructure 183
5.2.2.4 Packet Tracer—Access Control List Demonstration 183
Topology 183
Objectives 183
Background 183
Part 1: Verify Local Connectivity and Test Access Control List 183
Part 2: Remove ACL and Repeat Test 184
Suggested Scoring Rubric 185
5.3.1.10 Packet Tracer—Identify Packet Flow 186
Topology 186
Objectives 186
Background/Scenario 186
Required Resources 186
Part 1: Verifying Connectivity 187
Part 2: Remote LAN Network Topology 187
Part 3: WAN Network Topology 188
Chapter 6 Principles of Network Security 191
6.2.1.11 Lab—Anatomy of Malware 191
Objectives 191
Background/Scenario 191
Required Resources 191
Conduct a Search of Recent Malware 191
6.2.2.9 Lab—Social Engineering 192
Objectives 192
Background/Scenario 192
Required Resources 192
Chapter 7 Network Attacks: A Deeper Look 195
7.0.1.2 Class Activity—What’s Going On? 195
Objectives 195
Background/Scenario 195
Required Resources 195
7.1.2.7 Packet Tracer—Logging Network Activity 198
Topology 198
Addressing Table 198
Objectives 198
Background 198
Part 1: Create FTP Traffic 198
Part 2: Investigate the FTP Traffic 199
Part 3: View syslog Messages 199
Suggested Scoring Rubric 200
7.3.1.6 Lab—Exploring DNS Traffic 201
Objectives 201
Background/Scenario 201
Required Resources 201
Part 1: Capture DNS Traffic 201
Part 2: Explore DNS Query Traffic 204
Part 3: Explore DNS Response Traffic 209
Reflection 211
7.3.2.4 Lab—Attacking a mySQL Database 212
Objectives 212
Background/Scenario 212
Required Resources 212
Part 1: Open the PCAP File and Follow the SQL Database Attacker 212
Reflection 225
7.3.2.5 Lab—Reading Server Logs 226
Objectives 226
Background/Scenario 226
Required Resources 226
Part 1: Reading Log Files with Cat, More, Less, and Tail 226
Part 2: Log Files and Syslog 230
Part 3: Log Files and Journalctl 231
Reflection 232
Chapter 8 Protecting the Network 233
There are no labs in this chapter.
Chapter 9 Cryptography and the Public Key Infrastructure 235
9.0.1.2 Class Activity—Creating Codes 235
Objectives 235
Background/Scenario 235
Required Resources 235
9.1.1.6 Lab—Encrypting and Decrypting Data Using OpenSSL 238
Objectives 238
Background/Scenario 238
Required Resources 238
Part 1: Encrypting Messages with OpenSSL 238
Part 2: Decrypting Messages with OpenSSL 240
9.1.1.7 Lab—Encrypting and Decrypting Data Using a Hacker Tool 241
Objectives 241
Background/Scenario 241
Required Resources 241
Part 1: Create and Encrypt Files 242
Part 2: Recover Encrypted Zip File Passwords 243
9.1.1.8 Lab—Examining Telnet and SSH in Wireshark 247
Objectives 247
Background/Scenario 247
Required Resources 247
Part 1: Examining a Telnet Session with Wireshark 247
Part 2: Examine an SSH Session with Wireshark 249
Reflection 250
9.1.2.5 Lab—Hashing Things Out 251
Objectives 251
Background/Scenario 251
Required Resources 251
Part 1: Creating Hashes with OpenSSL 251
Part 2: Verifying Hashes 253
9.2.2.7 Lab—Certificate Authority Stores 254
Objectives 254
Background/Scenario 254
Required Resources 254
Part 1: Certificates Trusted by Your Browser 254
Part 2: Checking for Man-In-Middle 258
Part 3: Challenges (Optional) 262
Reflection 262
Chapter 10 Endpoint Security and Analysis 263
There are no labs in this chapter.
Chapter 11 Security Monitoring 265
11.2.3.10 Packet Tracer—Explore a NetFlow Implementation 265
Topology 265
Objectives 265
Background 265
Part 1: Observe NetFlow Flow Records - One Direction 265
Part 2: Observe NetFlow Records for a Session that Enters and Leaves the Collector 269
Suggested Scoring Rubric 271
11.2.3.11 Packet Tracer—Logging from Multiple Sources 272
Topology 272
Objectives 272
Background/Scenario 272
Part 1: View Log Entries with Syslog 272
Part 2: Log User Access 273
Part 3: NetFlow and Visualization 274
Reflection 275
11.3.1.1 Lab—Setup a Multi-VM Environment 276
Topology 276
Objectives 276
Background/Scenario 276
Required Resources 276
Chapter 12 Intrusion Data Analysis 283
12.1.1.7 Lab—Snort and Firewall Rules 283
Topology 283
Objectives 283
Background/Scenario 283
Required Resources 284
Part 1: Preparing the Virtual Environment 284
Part 2: Firewall and IDS Logs 284
12.2.1.5 Lab—Convert Data into a Universal Format 292
Objectives 292
Background/Scenario 292
Required Resources 292
Part 1: Normalize Timestamps in a Log File 292
Part 2: Normalize Timestamps in an Apache Log File 295
Part 3: Log File Preparation in Security Onion 297
Part 4: Reflection 303
12.2.2.9 Lab—Regular Expression Tutorial 304
Objectives 304
Background/Scenario 304
Required Resources 304
12.2.2.10 Lab—Extract an Executable from a PCAP 307
Objectives 307
Background/Scenario 307
Required Resources 307
Part 1: Prepare the Virtual Environment 307
Part 2: Analyze Pre-Captured Logs and Traffic Captures 307
Part 3: Extract Downloaded Files From PCAPS 311
12.4.1.1 Alt Lab—Interpret HTTP and DNS Data to Isolate Threat Actor 315
Objectives 315
Background/Scenario 315
Required Resources 315
Part 1: Prepare the Virtual Environment 315
Part 2: Investigate an SQL Injection Attack 316
Part 3: Analyze a Data Exfiltration 323
12.4.1.1 Lab—Interpret HTTP and DNS Data to Isolate Threat Actor 325
Topology 325
Objectives 325
Background/Scenario 325
Required Resources 326
Part 1: Prepare the Virtual Environment 326
Part 2: Investigate an SQL Injection Attack 327
Part 3: Data Exfiltration Using DNS 336
12.4.1.2 Alt Lab—Isolate Compromised Host Using 5-Tuple 342
Objectives 342
Background/Scenario 342
Required Resources 342
Part 1: Prepare the Virtual Environment 342
Part 2: Review the Logs 343
Reflection 351
12.4.1.2 Lab—Isolate Compromised Host Using 5-Tuple 352
Topology 352
Objectives 352
Background/Scenario 352
Required Resources 353
Part 1: Prepare the Virtual Environment 353
Part 2: Reconnaissance 355
Part 3: Exploitation 356
Part 4: Infiltration 360
Part 5: Review the Logs 363
Reflection 371
Chapter 13 Incident Response and Handling 373
13.2.2.13 Lab—Incident Handling 373
Objectives 373
Background/Scenario 373
Scenario 1: Worm and Distributed Denial of Service (DDoS) Agent Infestation 373
Scenario 2: Unauthorized Access to Payroll Records 374