About Cisco CyberOps Associate Certification
The Cisco Certified CyberOps Associate certification validates the knowledge and skills needed for associate-level cybersecurity roles in a security operations center (SOC). To earn it, candidates must pass a single exam, 200-201 CBROPS. The exam is intended both for individuals starting a career in cybersecurity and for IT professionals who want to learn more about security operations.
There are no formal prerequisites for the certification. Before attempting the exam, however, you should make sure you have a solid grasp of every topic in its blueprint.
Cisco Certified CyberOps Associate Certification Exam Overview: Details & Topics
The 200-201 exam lasts 120 minutes and contains 95-100 questions. It is offered in English only. To register, create an account with Pearson VUE, Cisco's testing partner; the exam can be taken online or at a testing center. Cisco's official preparation course, Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS), is offered on its official website.
The 200-201 CBROPS exam measures candidates' knowledge and skills across five domains:
- Security concepts (20%)
- Security monitoring (25%)
- Host-based analysis (20%)
- Network intrusion analysis (20%)
- Security policies and procedures (15%)
The percentage in parentheses is the weight of each domain in the exam. Each domain covers a range of technical tasks; the specific skills measured in each are described below.
Security concepts
This domain covers: describing the CIA triad; comparing security deployments (network, endpoint, and application security systems; agentless and agent-based protections; legacy antivirus and antimalware; SIEM, SOAR, and log management); describing security terms (threat intelligence, threat hunting, malware analysis, threat actor, run book automation, reverse engineering, sliding window anomaly detection, principle of least privilege, zero trust, threat intelligence platform); comparing the concepts of risk, threat, vulnerability, and exploit; describing the principles of a defense-in-depth strategy; and comparing access control models (discretionary access control, mandatory access control, nondiscretionary access control, authentication/authorization/accounting, rule-based access control, time-based access control, role-based access control).
Within this domain, candidates must also be able to describe the terms defined in CVSS (attack vector, attack complexity, privileges required, user interaction, scope); identify the challenges of data visibility (network, host, and cloud) in detection; identify potential data loss from provided traffic profiles; interpret the 5-tuple approach (source address, source port, destination address, destination port, protocol) to isolate a compromised host in a grouped set of logs; and compare rule-based detection with behavioral and statistical detection.
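The 5-tuple item is easier to see with data in hand. The following script is an added example for this article, not Cisco exam material or any vendor's code. It parses constructed connection-log lines whose layout (timestamp, source IP, source port, destination IP, destination port, protocol, bytes) is an assumption, groups them by source host, and applies both a rule-based check (against a hypothetical known-C2 address) and a simple statistical check, so it also illustrates the last item above, rule-based versus behavioral and statistical detection.

```python
"""Isolate a compromised host from grouped connection logs using the 5-tuple.

Added example, not part of the original article or of Cisco's exam material.
The log lines below are constructed for illustration; the field layout
(timestamp src_ip src_port dst_ip dst_port proto bytes) is an assumption,
not any vendor's real format.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: two internal hosts browsing normally, plus one host
# (10.0.0.7) beaconing every 60 s to a single external address on 443.
LOG_LINES = """\
2024-03-01T10:00:00 10.0.0.5 51234 93.184.216.34 443 tcp 8120
2024-03-01T10:00:05 10.0.0.6 49812 142.250.72.14 443 tcp 15320
2024-03-01T10:00:10 10.0.0.7 40001 198.51.100.23 443 tcp 312
2024-03-01T10:00:30 10.0.0.5 51235 151.101.1.69 443 tcp 22010
2024-03-01T10:01:10 10.0.0.7 40002 198.51.100.23 443 tcp 310
2024-03-01T10:01:40 10.0.0.6 49813 93.184.216.34 80 tcp 4100
2024-03-01T10:02:10 10.0.0.7 40003 198.51.100.23 443 tcp 314
2024-03-01T10:02:30 10.0.0.5 51236 142.250.72.14 443 tcp 9870
2024-03-01T10:03:10 10.0.0.7 40004 198.51.100.23 443 tcp 311
2024-03-01T10:03:45 10.0.0.6 49814 151.101.1.69 443 tcp 30100
2024-03-01T10:04:10 10.0.0.7 40005 198.51.100.23 443 tcp 309
"""

# Hypothetical threat-intel indicator used by the rule-based check.
KNOWN_C2 = {"198.51.100.23"}


def parse(lines):
    """Yield one (timestamp, 5-tuple, bytes) record per log line."""
    for line in lines.strip().splitlines():
        ts, src, sport, dst, dport, proto, nbytes = line.split()
        yield ts, (src, int(sport), dst, int(dport), proto), int(nbytes)


def group_by_source(records):
    """Group connections by the source-address element of the 5-tuple."""
    groups = defaultdict(list)
    for ts, tup, nbytes in records:
        groups[tup[0]].append((ts, tup, nbytes))
    return groups


def rule_based(groups):
    """Rule: any source that talked to a known C2 address is flagged."""
    return sorted(src for src, conns in groups.items()
                  if any(tup[2] in KNOWN_C2 for _, tup, _ in conns))


def behavioral(groups):
    """Statistical: flag a source whose traffic pattern differs from its peers.

    Two features per host: destination concentration (fraction of its
    connections that go to its single most common destination) and mean
    bytes per connection. A host is flagged when either feature lies more
    than one population standard deviation from the mean over all hosts.
    """
    feats = {}
    for src, conns in groups.items():
        dsts = [tup[2] for _, tup, _ in conns]
        top = max(dsts.count(d) for d in set(dsts)) / len(dsts)
        feats[src] = (top, mean([n for _, _, n in conns]))
    flagged = set()
    for i in range(2):
        vals = [f[i] for f in feats.values()]
        mu, sd = mean(vals), pstdev(vals)
        flagged |= {s for s, f in feats.items() if sd and abs(f[i] - mu) > sd}
    return sorted(flagged)


def isolate(lines=LOG_LINES):
    """Run both detections over the grouped logs and report flagged sources."""
    groups = group_by_source(parse(lines))
    return {"rule_based": rule_based(groups), "behavioral": behavioral(groups)}


if __name__ == "__main__":
    print(isolate())
```

Running it prints {'rule_based': ['10.0.0.7'], 'behavioral': ['10.0.0.7']}. The rule finds the host only because the indicator is already known; the statistical check finds it from the shape of its traffic (every connection to one destination, small fixed-size payloads), which is the point of behavioral detection and also why it needs enough benign peers to form a baseline.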
Security monitoring
This domain tests the ability to compare attack surface and vulnerability; identify the types of data provided by these technologies (TCP dump, NetFlow, next-generation firewall, traditional stateful firewall, application visibility and control, web content filtering, email content filtering); describe the impact of these technologies on data visibility (access control lists, NAT/PAT, tunneling, TOR, encryption, P2P, encapsulation, load balancing); and describe the uses of these data types in security monitoring (full packet capture, session data, transaction data, statistical data, metadata, alert data).
It also covers describing network attacks (protocol-based, denial of service, distributed denial of service, man-in-the-middle); web application attacks (SQL injection, command injection, cross-site scripting); social engineering attacks; endpoint-based attacks (buffer overflows, command and control (C2), malware, ransomware); evasion and obfuscation techniques (tunneling, encryption, proxies); the impact of certificates on security (PKI, public/private crossing the network, asymmetric/symmetric); and identifying the certificate components in a given scenario (cipher suite, X.509 certificates, key exchange, protocol version, PKCS).
Host-based analysis
Here candidates must describe the functionality of endpoint technologies used for security monitoring (host-based intrusion detection, antimalware and antivirus, host-based firewall, application-level allow listing and block listing, systems-based sandboxing such as Chrome, Java, and Adobe Reader); identify components of an operating system (Windows and Linux) in a given scenario; describe the role of attribution in an investigation (assets, threat actor, indicators of compromise, indicators of attack, chain of custody); identify the type of evidence used based on provided logs (best evidence, corroborative evidence, indirect evidence); compare tampered and untampered disk images; interpret operating system, application, or command-line logs to identify an event; and interpret the output report of a malware analysis tool such as a detonation chamber or sandbox.
Network intrusion analysis
This domain checks the ability to map the provided events to source technologies (IDS/IPS, firewall, network application control, proxy logs, antivirus, transaction data); compare deep packet inspection with packet filtering and stateful firewall operation; compare inline traffic interrogation with taps or traffic monitoring; compare the characteristics of data obtained from taps or traffic monitoring with transactional data in the analysis of network traffic; extract files from a TCP stream given a PCAP file and Wireshark; identify key elements in an intrusion from a given PCAP file (source address, destination address, source port, destination port, protocols, payloads); interpret the fields in protocol headers as related to intrusion analysis (Ethernet frame, IPv4, IPv6, TCP, UDP, ICMP, DNS, SMTP/POP3/IMAP, HTTP/HTTP2/HTTPS, ARP); interpret common artifact elements from an event to identify an alert (IP address, client and server port identity, process, system, hashes, URI/URL); and interpret basic regular expressions.
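Several of the items above (key elements from a PCAP, protocol header fields, artifact elements such as URI/URL, and basic regular expressions) come together in decoding a single frame. The script below is an added example written for this article, not Cisco exam material. Rather than reading a PCAP file it constructs one Ethernet/IPv4/TCP frame inline with struct.pack (the addresses, ports, the hostname update.example.invalid and the path /gate.php are all made up), then unpacks the headers to recover the 5-tuple and payload and applies two basic regular expressions to pull the HTTP method, URI, and Host.

```python
"""Decode the core components of an intrusion from a single captured frame.

Added example, not part of the original article. The frame below is
constructed inline with struct.pack (no real capture is read); a PCAP
file would supply the same bytes per packet record. Only Ethernet II,
IPv4 without options, and TCP are handled.
"""
import re
import socket
import struct

ETH_LEN = 14
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Basic regexes an analyst would use to pull the URI and Host out of an
# HTTP request line and headers (the exam's "interpret basic regular expressions").
HTTP_REQ = re.compile(rb"^(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/1\.[01]\r\n", re.M)
HTTP_HOST = re.compile(rb"^Host: (?P<host>[^\r\n]+)\r\n", re.M)


def build_sample_frame():
    """Constructed sample: 10.0.0.7:40001 -> 198.51.100.23:80, HTTP GET."""
    payload = (b"GET /gate.php?id=7 HTTP/1.1\r\n"
               b"Host: update.example.invalid\r\n"
               b"User-Agent: Mozilla/4.0\r\n\r\n")
    # TCP: ports, seq, ack, data offset 5 words, flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 40001, 80, 0x1000, 0, 5 << 4, 0x18, 64240, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    # IPv4: ver/ihl, tos, total length, id, flags(DF)/frag, ttl, proto, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton("10.0.0.7"), socket.inet_aton("198.51.100.23"))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + tcp + payload


def decode(frame):
    """Return the 5-tuple plus artifacts for an Ethernet/IPv4/TCP frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ver_ihl, _, total_len, _, flags_frag, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", frame[ETH_LEN:ETH_LEN + 20])
    ihl = (ver_ihl & 0x0F) * 4            # header length in bytes (options included)
    l4 = frame[ETH_LEN + ihl:ETH_LEN + total_len]
    info = {
        "src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst),
        "protocol": PROTO_NAMES.get(proto, str(proto)), "ttl": ttl,
        "dont_fragment": bool(flags_frag & 0x4000),
    }
    if proto == 6:
        sport, dport, seq, _, off_res, flags = struct.unpack("!HHIIBB", l4[:14])
        data_off = (off_res >> 4) * 4     # TCP header length; payload starts here
        payload = l4[data_off:]
        info.update(src_port=sport, dst_port=dport, seq=seq,
                    tcp_flags=tcp_flag_names(flags), payload=payload)
        info.update(http_artifacts(payload))
    return info


def tcp_flag_names(flags):
    """Expand the TCP flag byte into names, low bit first."""
    names = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]
    return [n for i, n in enumerate(names) if flags & (1 << i)]


def http_artifacts(payload):
    """Extract method, URI and Host with the regexes above; {} if not HTTP."""
    req = HTTP_REQ.search(payload)
    if not req:
        return {}
    host = HTTP_HOST.search(payload)
    uri = req.group("uri").decode()
    hostname = host.group("host").decode() if host else None
    return {"method": req.group("method").decode(), "uri": uri, "host": hostname,
            "url": f"http://{hostname}{uri}" if hostname else None}


if __name__ == "__main__":
    for key, value in decode(build_sample_frame()).items():
        print(f"{key:>14}: {value!r}")
```

For a real capture, decode() would be fed the packet bytes of each record; scapy or Wireshark's Follow TCP Stream do the same unpacking, but doing it by hand is what makes the header fields (TTL, the DF flag, the TCP flags, the data offset) recognisable in an analysis tool's output.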
Security policies and procedures
This domain requires describing management concepts (asset management, configuration management, mobile device management, patch management, vulnerability management); describing the elements of an incident response plan as stated in NIST SP 800-61; applying the NIST SP 800-61 incident handling process to an event; mapping elements to the NIST SP 800-61 steps of analysis (preparation; detection and analysis; containment, eradication, and recovery; post-incident analysis); mapping the organization's stakeholders against the NIST IR categories (NIST SP 800-61 and CMMC: preparation; detection and analysis; containment, eradication, and recovery; post-incident analysis); and describing the concepts documented in NIST SP 800-86 (evidence collection order, data integrity, data preservation, volatile data collection).
Additionally, candidates should be able to identify the elements used for network profiling (total throughput, session duration, ports used, critical asset address space); identify the elements used for server profiling (listening ports, logged-in users and service accounts, running processes, running tasks, applications); identify protected data in a network (PII, PSI, PHI, intellectual property); classify intrusion events into categories defined by security models such as the Cyber Kill Chain Model and the Diamond Model of Intrusion; and describe the relationship of SOC metrics to scope analysis (time to detect, time to contain, time to respond, time to control).
Cisco Certified CyberOps Associate Certification Merits
After passing the 200-201 CBROPS exam and earning the Cisco Certified CyberOps Associate certification, candidates can apply for a range of cybersecurity positions, including Computer/Network Defense Analyst, Security Operations Center Specialist, Security Analyst, Cybersecurity Analyst, Cybersecurity Engineer, and Cybersecurity Lead. The average annual income cited for certificate holders is $67,000, and those with prior work experience can earn over $100,000 per year.