So now that I have completed and passed this new CCNA. I thought I would write up a blog post about the whole process.
Over the last couple of years, Cisco was giving away free online scholarships for this new certification they were releasing. They provided you with the online materials and gave you a voucher to sit each exam twice for free once you had completed all the relevant online coursework.
I had postponed it multiple times due to various other things (VCDX/Linux training etc). This was the final run, if I didn’t do it now there was no opportunity to do it again, so I thought why not I have nothing to lose and a lot to gain!
Now networking has never been an area I have enjoyed, I get its importance there is no way to get away from that, but I would never call myself a networking expert. I did my original CCNA R&S back in 2010 and even though I completed it and learned a lot, during the process I began to realize that pursuing a career in networking wasn’t really for me. I know some really good people who love everything networking just in the same way I love everything virtualization, it is just different things for different people. What it did make me realize is that networking wasn’t for me, some people would say well was the CCNA a waste of time? I would say absolutely not, instead of sitting on the fence and doing nothing, I realized that it wasn’t for me and could take the skills I have learned and move forward towards something I was interested in. I would just like to share that I hate sub-netting lol
Now we all know security and cybersecurity are hot topics at the moment and will be for some time. I work alongside someone who is Security+ and OSCP certified ( shout out to @uk_grl ), so it was interesting getting his take on the whole CyberOps CCNA.
So this certification is split into 2 exams:
SECFND 210-250 and SECOPS 210-255
SECFND:
Now, this exam is all about security fundamentals and after doing it and speaking to @uk_grl it seems to be very similar to the CompTIA Security+, with a bit more focus on Cisco. To be fair there were a lot less Cisco things in there than I thought there would be. It was very much a good solid overview of security concepts ranging from PKI to Dumpster Diving. It was A LOT of information to take it as it was a couple of inches deep but a few miles wide!
I realized how much basic networking I had forgotten over the years! So it was nice to get a bit of a refresher. So the training was split into multiple chapters:
- Understanding the TCP/IP Protocol Suite (OSI Model, TCP Three-Way Handshake)
- Understanding the Network Infrastructure (Routers, Subnetting, Switches, NAT)
- Understanding Common TCP/IP Attacks (TCP/ICMP/UDP/IP Vulnerabilities)
- Understanding Basic Cryptography Concepts (PKI, Hashing, Key Management, Ciphers)
- Describing Information Security Concepts (PII, CVSS v3.0, Compliance, Vulnerability Assessment)
- Understanding Network Applications (DNS Operations, HTTP/S, Web Scripting)
- Understanding Common Network Application Attacks (Password Attacks, Pass-the0hash, DNS Tunnelling, SQL injections)
- Understanding Windows Operating System Basics (Windows History, Powershell, Services, Boot Process)
- Understanding Linux Operating System Basics (Linux History, File Permissions, Shell, Networking)
- Understanding Common Endpoint Attacks (Buffer Overflow, Reconnaissance, Exploit Kits, Rootkits)
- Understanding Network Security Technologies (Defense-in-Depth, VPNs, IPS, Next-Gen Firewall)
- Understanding Endpoint Security Technologies (Host-Based Firewall, Sandboxing, File Integrity Checking)
- Describing Security Data Collection (Logs Logs Logs!, IPS, Netflow)
- Describing Security Event Analysis (Cyber Kill Chain, Advanced Persistent Threats, Diamond Model Intrusion, SOC Runbook, Chain of Custody)
Most of the sections had a virtual lab at the end and they all had a Challange quiz you had to pass with at least a Bronze to move on.
I think it would be nice if after passing this exam you got a Security Fundamentals certification, in the same way when you pass the ICND on your way to the CCNA you get a certification too.
You had about a month to get through the material and then book the exam, they also had a final date that you have to have passed the exam to move on. There was no actual requirement to do the exams if you didn’t want to. You did get a certificate of completion for completing the training material and the labs/challenges
The exam was a standard Cisco style exam. About 60 questions, multiple choice, and some drag and drops. You CAN’T go backwards or flag questions for review. I do find this odd, but it is just the way Cisco do things. What I do find when I do these exams is that I finish quite quickly. This is because you either know the answer or do not and you just pick the answer and move on, no point second guessing much and you can’t go back so you just plow forward.
SECOPS:
- Defining the Security Operations Center (SOC Tools, Data Analytics)
- Understanding NSM Tools and Data (Network Security Management Tools, Security Onion, Packet Captures, Session/Transaction/Alert Data)
- Understanding Incident Analysis in a Threat Centric SOC (Kill Chain Model, Diamond Model, Exploit Kits)
- Identifying Resources for Hunting Cyber Threats (Threat Hunting Cycle, CVSS v3.0)
- Understanding Event Correlation and Normalization (Evidence, Data Normalization, PCAPS, Correlate Events)
- Identifying Common Attack Vectors (Metasploit Payloads, Cross Site Scripting, Pivoting)
- Identifying Malicious Activity (Network Design, Threat Actors, Log Data Search)
- Identifying Patterns of Suspicious Behavior (Network Baselining, Anomalies and Suspicious Behaviours)
- Conducting Security Incident Investigations (Security Incident Investigation Procedures, Advanced Persistent Threats)
- Describing the SOC Playbook (Security Analytics, Playbook Definition)
- Understating the SOC Metrics (Data Aggregation, Time to Detection, SOC Metrics)
- Understanding the SOC WMS and Automation (Incident Response Workflow, Workflow Management System)
- Describing the Incident Response Plan (Incident Response Planning, Response Life Cycle, US-CERT Incident Categories)
- Describing the Computer Security Incident Response team (CSIRT Framework/Incident Handling Services)
- Understanding the use of VERIS (VERIS Vocabulary for Event Recording and Incident Sharing, Community Database)
The study material for this was more focused and there was a lot less of it, it took me half the time to get through this in comparison to SECFND. I also did not find it as interesting, about halfway through I was just wanting it to end so I could move on with my life! LOL.
I think that was partly down to the fact, you had such a tight frame to go through it all, that it was just non-stop, you had to keep pushing forward to complete it all. There was a heavy focus on NIST documentation (NIST 800-61 R2, NIST 800-86) that you needed to know about esp for the exam. It was very common to hear people failing and saying that the NIST documentation you needed to know it inside and out.
There was a big focus on being able to analyze logs and being able to pull key information from them. This was true for the drag and drops and the multiple choice questions. The exam was 60+ questions and a good mix of drag and drops and multiple choice. Remember no going backwards or flagging for review, so you either have a good idea or you don’t.
I bought the official CCNA CyberOps hardback books, the SECOPs book was very good but the test questions overall were not very good at all in my opinion. I remember trying some of them and the questions were asking about detailed ASA configs which were outside the scope of the exam in my opinion! I used some Udemy practice questions :
https://www.udemy.com/cisco-ccna-cyber-ops-210-250-secfnd-practice-tests
https://www.udemy.com/cisco-ccna-cyber-ops-210-255-secops-practice-tests/
These were closer to what you would get in the exam and gave you an idea of what to expect and what your weak areas were. (I have no affiliation with the author or anything). I just saw him on Reddit saying he created these to help people with the exams.
Overall it was an interesting course, I learned a lot of things. The certification is supposed to be for a Tier 1 SOC Analyst, you are not supposed to walk away being some kind of elite pentester.
Even though it is a CCNA, there was nothing really on BGP, EIGRP and cisco commands etc. Thing is since this cert is not well known, people will see CCNA and assume you have that core networking knowledge, but that is totally not what this certification is about. If this wasn’t given to me free would I have done it? Probably not, I found SECFND interesting but you do not get a cert for passing that, so I would have been tempted to just do the CompTIA Security+ instead. But I did learn a lot out Exploits, Vectors, Cross Site Scripting (XSS), SQL Injections. These type of things I would never have dug into otherwise.
Leave a Reply