200 201 CBROPS v1.1

The document provides an overview of the Understanding Cisco Cybersecurity Operations Fundamentals v1.1 (200-201) exam, including topics covered, their weightings, and key concepts within each topic such as security concepts, security monitoring, host-based analysis, network intrusion analysis, and security policies and procedures.


Understanding Cisco Cybersecurity Operations Fundamentals v1.1 (200-201)

Exam Description: Understanding Cisco Cybersecurity Operations Fundamentals v1.1 (CBROPS 200-201) is a 120-minute exam that is associated with the Cisco Certified CyberOps Associate Certification. This exam certifies a candidate's knowledge and skills related to security concepts, security monitoring, host-based analysis, network intrusion analysis, and security policies and procedures. The course, Understanding Cisco Cybersecurity Operations Fundamentals, helps candidates to prepare for this exam.

The following topics are general guidelines for the content likely to be included on the exam. However, other related topics may also appear on any specific delivery of the exam. To better reflect the contents of the exam and for clarity purposes, the guidelines below may change at any time without notice.

20% 1.0 Security Concepts


1. Describe the CIA triad
2. Compare security deployments
a. Network, endpoint, and application security systems
b. Agentless and agent-based protections
c. Legacy antivirus and antimalware
d. SIEM, SOAR, and log management
e. Container and virtual environments
f. Cloud security deployments

3. Describe security terms


a. Threat intelligence (TI)
b. Threat hunting
c. Malware analysis
d. Threat actor
e. Run book automation (RBA)
f. Reverse engineering
g. Sliding window anomaly detection
h. Principle of least privilege
i. Zero trust
j. Threat intelligence platform (TIP)
k. Threat modeling

4. Compare security concepts


a. Risk (risk scoring/risk weighting, risk reduction, risk assessment)
b. Threat
c. Vulnerability
d. Exploit

5. Describe the principles of the defense-in-depth strategy

6. Compare access control models

2023 Cisco Systems, Inc. This document is Cisco Public. Page 1


a. Discretionary access control
b. Mandatory access control
c. Nondiscretionary access control
d. Authentication, authorization, accounting
e. Rule-based access control
f. Time-based access control
g. Role-based access control
h. Attribute-based access control

7. Describe terms as defined in CVSS


a. Attack vector
b. Attack complexity
c. Privileges required
d. User interaction
e. Scope
f. Temporal metrics
g. Environmental metrics

8. Identify the challenges of data visibility (network, host, and cloud) in detection

9. Identify potential data loss from traffic profiles

10. Interpret the 5-tuple approach to isolate a compromised host in a grouped set of logs

11. Compare rule-based detection vs. behavioral and statistical detection
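
Objective 1.10 treats the 5-tuple (source address, source port, destination address, destination port, protocol) as the key for grouping connection records and pivoting on a host. The following is an added example in Python, not code from the Cisco document, run over a constructed firewall log in a hypothetical format (timestamp, verdict, protocol, src:port -> dst:port; the addresses are private or documentation ranges and the bad destination 198.51.100.7:8443 is an assumed indicator, not a real one). It parses each line into a record, shows why grouping on the full 5-tuple yields one group per session when client ports are ephemeral, groups on the other four fields to expose repeated connections, then pivots on the host that contacted the indicator to list everything else it did. The constant 60-second gaps between its connections are the statistical signal that objective 1.11 contrasts with rule-based detection.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed firewall connection log for the example (not real traffic). The
# format is hypothetical: timestamp, verdict, protocol, src:port -> dst:port.
LOG = """\
2024-03-04T10:00:01Z ALLOW tcp 10.10.20.15:51234 -> 93.184.216.34:443
2024-03-04T10:00:09Z ALLOW tcp 10.10.20.15:51240 -> 198.51.100.7:8443
2024-03-04T10:00:13Z ALLOW udp 10.10.20.44:53211 -> 10.10.0.2:53
2024-03-04T10:01:09Z ALLOW tcp 10.10.20.15:51255 -> 198.51.100.7:8443
2024-03-04T10:01:30Z ALLOW tcp 10.10.20.44:52000 -> 93.184.216.34:443
2024-03-04T10:02:09Z ALLOW tcp 10.10.20.15:51290 -> 198.51.100.7:8443
2024-03-04T10:02:40Z DENY  tcp 10.10.20.15:51301 -> 10.10.20.44:445
2024-03-04T10:02:41Z ALLOW tcp 10.10.20.15:51302 -> 10.10.20.44:445
2024-03-04T10:03:09Z ALLOW tcp 10.10.20.15:51330 -> 198.51.100.7:8443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>tcp|udp|icmp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """One dict per parseable line; malformed lines are skipped, not guessed at."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        r = m.groupdict()
        r["sport"], r["dport"] = int(r["sport"]), int(r["dport"])
        r["ts"] = datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(r)
    return records


def five_tuple(r):
    return (r["src"], r["sport"], r["dst"], r["dport"], r["proto"])


def group_flows(records, ignore_sport=True):
    """Count connections per key. The full 5-tuple identifies one session, so
    every count is 1 when source ports are ephemeral; dropping the source
    port groups repeated sessions to the same service, which is where
    beaconing and scanning become visible."""
    if ignore_sport:
        key = lambda r: (r["src"], r["dst"], r["dport"], r["proto"])
    else:
        key = five_tuple
    return Counter(key(r) for r in records)


def hosts_talking_to(records, dst, dport, proto="tcp"):
    """Internal hosts that contacted a known-bad destination (the IOC pivot)."""
    return sorted({r["src"] for r in records
                   if (r["dst"], r["dport"], r["proto"]) == (dst, dport, proto)})


def pivot_host(records, host):
    """Everything the suspect host did, as source or as destination."""
    return [r for r in records if host in (r["src"], r["dst"])]


def beacon_intervals(records, src, dst, dport):
    """Seconds between successive connections of one src -> dst:port pair;
    near-constant gaps are a statistical hint of C2 check-ins."""
    times = sorted(r["ts"] for r in records
                   if (r["src"], r["dst"], r["dport"]) == (src, dst, dport))
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    recs = parse_log(LOG)
    for host in hosts_talking_to(recs, "198.51.100.7", 8443):
        print("suspect", host, "intervals", beacon_intervals(recs, host, "198.51.100.7", 8443))
        for key, n in group_flows(pivot_host(recs, host)).most_common():
            print("  ", key, n)
```

Running it isolates 10.10.20.15 as the only host talking to the indicator, shows four check-ins 60 seconds apart, and the pivot surfaces the denied-then-allowed SMB (445/tcp) attempt toward 10.10.20.44, which is the kind of follow-on activity the grouped view is meant to reveal.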

25% 2.0 Security Monitoring


1. Compare attack surface and vulnerability
2. Identify the types of data provided by these technologies
a. TCP dump
b. NetFlow
c. Next-gen firewall
d. Traditional stateful firewall
e. Application visibility and control
f. Web content filtering
g. Email content filtering

3. Describe the impact of these technologies on data visibility


a. Access control list
b. NAT/PAT
c. Tunneling
d. TOR
e. Encryption
f. P2P
g. Encapsulation
h. Load balancing

4. Describe the uses of these data types in security monitoring


a. Full packet capture
b. Session data

c. Transaction data
d. Statistical data
e. Metadata
f. Alert data

5. Describe network attacks, such as protocol-based, denial of service, distributed denial of service, and man-in-the-middle

6. Describe web application attacks, such as SQL injection, command injections, and cross-site scripting

7. Describe social engineering attacks

8. Describe endpoint-based attacks, such as buffer overflows, command and control (C2), malware, and ransomware

9. Describe evasion and obfuscation techniques, such as tunneling, encryption, and proxies

10. Describe the impact of certificates on security (includes PKI, public/private crossing the network, asymmetric/symmetric)

11. Identify the certificate components in a given scenario


a. Cipher-suite
b. X.509 certificates
c. Key exchange
d. Protocol version
e. PKCS

20% 3.0 Host-Based Analysis


1. Describe the functionality of these endpoint technologies in regard to security monitoring
a. Host-based intrusion detection
b. Antimalware and antivirus
c. Host-based firewall
d. Application-level allow listing/block listing
e. Systems-based sandboxing (such as Chrome, Java, Adobe Reader)

2. Identify components of an operating system (such as Windows and Linux) in a given scenario

3. Describe the role of attribution in an investigation


a. Assets
b. Threat actor
c. Indicators of compromise
d. Indicators of attack
e. Chain of custody

4. Identify type of evidence used based on provided logs


a. Best evidence
b. Corroborative evidence

c. Indirect evidence

5. Compare tampered and untampered disk image

6. Interpret operating system, application, or command line logs to identify an event

7. Interpret the output report of a malware analysis tool such as a detonation chamber or
sandbox
a. Hashes
b. URLs
c. Systems, events, and networking

20% 4.0 Network Intrusion Analysis


1. Map the provided events to source technologies
a. IDS/IPS
b. Firewall
c. Network application control
d. Proxy logs
e. Antivirus
f. Transaction data (NetFlow)

2. Compare impact and no impact for these items


a. False positive
b. False negative
c. True positive
d. True negative
e. Benign

3. Compare deep packet inspection with packet filtering and stateful firewall operation

4. Compare inline traffic interrogation and taps or traffic monitoring

5. Compare the characteristics of data obtained from taps or traffic monitoring and transactional data (NetFlow) in the analysis of network traffic

6. Extract files from a TCP stream when given a PCAP file and Wireshark

7. Identify key elements in an intrusion from a given PCAP file


a. Source address
b. Destination address
c. Source port
d. Destination port
e. Protocols
f. Payloads

8. Interpret the fields in protocol headers as related to intrusion analysis


a. Ethernet frame
b. IPv4
c. IPv6
d. TCP

e. UDP
f. ICMP
g. DNS
h. SMTP/POP3/IMAP
i. HTTP/HTTPS/HTTP2
j. ARP
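
Objectives 4.7 and 4.8 ask for the key elements of an intrusion (addresses, ports, protocol, payload) and for the header fields of the Ethernet, IPv4, TCP, UDP and ICMP layers. The following is an added example in Python, not code from the Cisco document. It constructs a sample Ethernet/IPv4/TCP frame (private source, an arbitrary public destination, hypothetical MAC addresses, TCP checksum left at zero) and decodes it with struct: IHL is honoured so IPv4 options do not shift the transport header, the TCP data offset marks where the payload begins, IPv4 total length is used so Ethernet trailer padding is not mistaken for payload, and the IPv4 header checksum is verified so a tampered header is flagged. ARP, IPv6 and VLAN-tagged frames stop at layer 2 in this example.

```python
import struct

TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR")
ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum of 16-bit words. Over a valid header
    (checksum field included) the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def fmt_mac(b):
    return ":".join("%02x" % x for x in b)


def fmt_ip(b):
    return ".".join(str(x) for x in b)


def ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_tcp_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame used as sample input (TCP checksum left 0)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0, 5 << 4, flags, 65535, 0, 0) + payload
    total_len = 20 + len(tcp)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0xBEEF, 0x4000, 64, 6, 0,
                         ip_bytes(src_ip), ip_bytes(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    eth = bytes.fromhex("001b21aabbcc") + bytes.fromhex("00163e112233") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip_hdr + tcp


def parse_frame(frame):
    """Decode Ethernet -> IPv4 -> TCP/UDP/ICMP into a dict of the fields an
    analyst pivots on (addresses, ports, flags, TTL, payload)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    out = {"dst_mac": fmt_mac(frame[:6]), "src_mac": fmt_mac(frame[6:12]),
           "ethertype": struct.unpack("!H", frame[12:14])[0]}
    if out["ethertype"] != ETHERTYPE_IPV4:
        return out  # ARP, IPv6, 802.1Q: stop at layer 2 in this example
    ipb = frame[14:]
    if len(ipb) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ipb[:20])
    ihl = (ver_ihl & 0x0F) * 4  # header length incl. options; 20 when there are none
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ipb) < ihl or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    out.update({"version": 4, "ihl": ihl, "total_length": total_len, "id": ident,
                "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
                "frag_offset": (flags_frag & 0x1FFF) * 8,  # 13-bit field in 8-byte units
                "ttl": ttl, "protocol": proto,
                "src_ip": fmt_ip(src), "dst_ip": fmt_ip(dst),
                "checksum_ok": ipv4_checksum(ipb[:ihl]) == 0})
    l4 = ipb[ihl:total_len]  # honour total_length; ignore Ethernet trailer padding
    if proto == 6 and len(l4) >= 20:
        sport, dport, seq, ack, off_res, flags, window, _c, _u = struct.unpack("!HHIIBBHHH", l4[:20])
        doff = (off_res >> 4) * 4  # TCP header length incl. options
        out.update({"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
                    "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
                    "payload": l4[doff:]})
    elif proto == 17 and len(l4) >= 8:
        sport, dport, ulen, _c = struct.unpack("!HHHH", l4[:8])
        out.update({"sport": sport, "dport": dport, "payload": l4[8:ulen]})
    elif proto == 1 and len(l4) >= 4:
        out.update({"icmp_type": l4[0], "icmp_code": l4[1], "payload": l4[4:]})
    else:
        out["payload"] = l4
    return out


def five_tuple(parsed):
    """The flow key the exam objectives call the 5-tuple."""
    return (parsed["src_ip"], parsed.get("sport"), parsed["dst_ip"], parsed.get("dport"), parsed["protocol"])


if __name__ == "__main__":
    f = build_tcp_frame("10.0.0.5", "93.184.216.34", 49152, 80, 0x18, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
    for k, v in parse_frame(f).items():
        print("%-13s %r" % (k, v))
```

The checksum check matters for analysis, not only for correctness: a capture in which IP headers fail their checksum usually points at checksum offloading on the capturing host, while a single bad header in an otherwise clean stream is worth a second look.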

9. Interpret common artifact elements from an event to identify an alert


a. IP address (source / destination)
b. Client and server port identity
c. Process (file or registry)
d. System (API calls)
e. Hashes
f. URI / URL

10. Interpret basic regular expressions
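
Objectives 4.9 and 4.10 in practice amount to reading artifacts out of event text with regular expressions. The added example below is not from the Cisco document; it applies a handful of basic patterns to three constructed event lines in hypothetical proxy, Sysmon-style and Suricata fast.log-style formats. Word-boundary anchors keep the 32-character MD5 pattern from matching inside a 64-character SHA-256, named groups separate an address from its port, and a lower-port heuristic decides which side of a connection is the server (objective 4.9.b). The hashes are those of the empty input, the addresses are private or documentation ranges, the alert text is made up, and nothing here refers to real malware.

```python
import re

# Constructed sample events (not real traffic): a proxy record, a Sysmon-style
# process-creation record, and a Suricata-style fast.log alert.
EVENTS = [
    '2024-03-04T10:02:09Z proxy 10.10.20.15:51290 -> 198.51.100.7:8443 '
    'GET https://198.51.100.7:8443/gate.php?id=7f3a HTTP/1.1 200 "Mozilla/5.0"',
    '2024-03-04T10:02:10Z sysmon EventID=1 Image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe '
    'Hashes=SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,'
    'MD5=d41d8cd98f00b204e9800998ecf8427e ParentImage=C:\\Windows\\explorer.exe',
    '03/04/2024-10:02:11.000000 [**] [1:2000001:1] CONSTRUCTED C2 beacon [**] '
    '[Classification: Trojan] [Priority: 1] {TCP} 10.10.20.15:51291 -> 198.51.100.7:8443',
]

OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"          # 0-255, no leading-garbage matches
IPV4_RE = re.compile(r"\b" + OCTET + r"(?:\." + OCTET + r"){3}\b")
ENDPOINT_RE = re.compile(r"(?P<ip>\b(?:\d{1,3}\.){3}\d{1,3})\b:(?P<port>\d{1,5})\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
SHA256_RE = re.compile(r"\b[A-Fa-f0-9]{64}\b")     # \b stops partial matches inside longer hex
MD5_RE = re.compile(r"\b[A-Fa-f0-9]{32}\b")
WIN_EXE_RE = re.compile(r"[A-Za-z]:\\(?:[^\\\s\"]+\\)*[^\\\s\"]+\.exe", re.IGNORECASE)


def extract_artifacts(line):
    """Pull the objective-4.9 artifact types out of one event line."""
    return {
        "ips": sorted(set(IPV4_RE.findall(line))),
        "endpoints": [(m["ip"], int(m["port"])) for m in ENDPOINT_RE.finditer(line)],
        "urls": URL_RE.findall(line),
        "sha256": [h.lower() for h in SHA256_RE.findall(line)],
        "md5": [h.lower() for h in MD5_RE.findall(line)],
        "processes": WIN_EXE_RE.findall(line),
    }


def client_server(endpoint_a, endpoint_b):
    """Return (client, server): the side on the lower (well-known/registered)
    port is taken as the server, since clients use high ephemeral ports."""
    if endpoint_a[1] > endpoint_b[1]:
        return endpoint_a, endpoint_b
    return endpoint_b, endpoint_a


def correlate(events, ioc_ip, ioc_port):
    """Events from any source whose endpoints include the indicator: a cross-source
    (proxy + IDS) pivot on one C2 address:port."""
    return [line for line in events
            if (ioc_ip, ioc_port) in extract_artifacts(line)["endpoints"]]


if __name__ == "__main__":
    for line in EVENTS:
        print(extract_artifacts(line))
    print(len(correlate(EVENTS, "198.51.100.7", 8443)), "events mention the indicator")
```

Two points the patterns make: the IPv4 expression accepts 0-255 per octet rather than any three digits, so version strings and rule IDs do not leak in as addresses, and hashes are lower-cased on extraction so they compare equal to threat-intelligence feeds regardless of the source's casing.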

15% 5.0 Security Policies and Procedures


1. Describe management concepts
a. Asset management
b. Configuration management
c. Mobile device management
d. Patch management
e. Vulnerability management

2. Describe the elements in an incident response plan as stated in NIST.SP800-61

3. Apply the incident handling process such as NIST.SP800-61 to an event

4. Map elements to these steps of analysis based on the NIST.SP800-61


a. Preparation
b. Detection and analysis
c. Containment, eradication, and recovery
d. Post-incident analysis (lessons learned)

5. Map the organization stakeholders against the NIST IR categories (CMMC, NIST.SP800-61)
a. Preparation
b. Detection and analysis
c. Containment, eradication, and recovery
d. Post-incident analysis (lessons learned)

6. Describe concepts as documented in NIST.SP800-86


a. Evidence collection order
b. Data integrity
c. Data preservation
d. Volatile data collection

7. Identify these elements used for network profiling


a. Total throughput

b. Session duration
c. Ports used
d. Critical asset address space

8. Identify these elements used for server profiling


a. Listening ports
b. Logged in users/service accounts
c. Running processes
d. Running tasks
e. Applications

9. Identify protected data in a network


a. PII
b. PSI
c. PHI
d. Intellectual property

10. Classify intrusion events into categories as defined by security models, such as Cyber Kill Chain Model and Diamond Model of Intrusion

11. Describe the relationship of SOC metrics to scope analysis (time to detect, time to contain, time to respond, time to control)
