{"id":833,"date":"2019-08-13T08:30:54","date_gmt":"2019-08-13T13:30:54","guid":{"rendered":"https:\/\/packitforwarding.com\/?p=833"},"modified":"2020-02-25T09:32:25","modified_gmt":"2020-02-25T15:32:25","slug":"ccna-cyberops-secops-objective-3-2","status":"publish","type":"post","link":"https:\/\/packitforwarding.com\/index.php\/2019\/08\/13\/ccna-cyberops-secops-objective-3-2\/","title":{"rendered":"CCNA CyberOps SECOPS &#8211; Objective 3.2"},"content":{"rendered":"\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>Map elements to these steps of analysis based on the NIST.SP800-61 r2 <\/p><cite><strong>Implementing Cisco Cybersecurity Operations (210-255) <\/strong> <\/cite><\/blockquote>\n\n\n\n<p>NIST.SP800-61 r2 defines an Incident Response Life Cycle as shown above. For the SECOPS test, it is necessary to know some of the common elements of the steps in the Incident Response Life Cycle.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Preparation<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>Gather Useful Information for Incident Response<ul><li>Contact Information for internal teams, law enforcement, and incident response teams<\/li><li>On-Call Information<\/li><li>Incident Reporting Mechanisms<\/li><li>Issue Tracking System<\/li><\/ul><\/li><li>Ensure forensic analysis tools are available<\/li><li>Documentation of the network and hosts<\/li><li>Baseline information<\/li><li>Prevention<ul><li>Risk Assessment<\/li><li>Malware Prevention<\/li><li>User Awareness Training<\/li><\/ul><\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Detection and Analysis<\/h2>\n\n\n\n<p>The detection and analysis phase is where SOC analysts work to detect attacks, or the precursors to attacks, and analyze them.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Attack Vectors<\/h3>\n\n\n\n<p>There are several attack vectors to be familiar with:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>External\/Removable Media<\/li><li>Attrition (DDoS, Brute Force)<\/li><li>Web (XSS, SQL 
Injection)<\/li><li>Email<\/li><li>Impersonation (Spoofing, Man-in-the-Middle)<\/li><li>Improper Usage (Violation of AUP)<\/li><li>Loss or Theft of Equipment<\/li><li>Other<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Signs of an Incident<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Precursors<\/h4>\n\n\n\n<ul class=\"wp-block-list\"><li>Web server log entries showing vulnerability scans<\/li><li>Announcement of a new exploit for a known vulnerability<\/li><li>Threats against the organization<\/li><\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Indicators<\/h4>\n\n\n\n<ul class=\"wp-block-list\"><li>NIDS alerts<\/li><li>AV alerts<\/li><li>Sysadmin finds files with unusual characters in their names<\/li><li>Alerts on configuration changes<\/li><li>Multiple failed login attempts from remote systems<\/li><li>Deviation from normal baseline network traffic flows<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Incident Documentation<\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li>Current status of the incident<\/li><li>Summary of the incident<\/li><li>Indicators<\/li><li>Actions that have been taken<\/li><li>Chain of custody<\/li><li>Impact assessments<\/li><li>Contact information for parties involved<\/li><li>Evidence gathered<\/li><li>Next steps<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Incident Prioritization<\/h3>\n\n\n\n<p>Incidents are not handled first-in, first-out. 
They should be handled as a priority queue based on relevant factors such as those below:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Functional Impact<ul><li>None &#8211; No effect on the organization&#8217;s services<\/li><li>Low &#8211; Minimal effect; some lost efficiency<\/li><li>Medium &#8211; Lost the ability to provide critical services to a subset of users<\/li><li>High &#8211; No longer able to provide critical services to all users<\/li><\/ul><\/li><li>Informational Impact<ul><li>None &#8211; No information was compromised<\/li><li>Privacy Breach &#8211; Sensitive PII was accessed or exfiltrated<\/li><li>Proprietary Breach &#8211; Protected critical infrastructure information was accessed or exfiltrated<\/li><li>Integrity Loss &#8211; Sensitive or proprietary information was changed or deleted<\/li><\/ul><\/li><li>Recoverability<ul><li>Regular &#8211; Time to recovery is predictable with existing resources<\/li><li>Supplemented &#8211; Time to recovery is predictable but needs additional resources<\/li><li>Extended &#8211; Time to recovery is unpredictable and needs additional resources<\/li><li>Not Recoverable &#8211; Recovery is not possible<\/li><\/ul><\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Incident Notification<\/h3>\n\n\n\n<p>Notification requirements vary by organization and industry. Common parties to notify include the CIO, CISO, HR, Public Affairs, and Legal. Some organizations will also need to inform US-CERT and law enforcement.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Containment, Eradication, and Recovery<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Containment Strategy<\/h3>\n\n\n\n<p>Containment strategies vary based on the incident and the organization. 
Criteria for choosing a containment strategy include:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Damage potential or theft potential<\/li><li>Evidence preservation<\/li><li>Service availability<\/li><li>Time and resources needed<\/li><li>Effectiveness of the strategy (partial vs. full containment)<\/li><li>Duration of the solution<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Evidence Gathering and Handling<\/h3>\n\n\n\n<p>A detailed log of the evidence collected should be maintained, including identifying information for each item, who handled it, when it was handled, and where it was stored. A chain of custody form should be maintained individually for each piece of evidence.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Identifying the Attacking Hosts<\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li>Validating the Attacker&#8217;s IP Address<\/li><li>Researching the Attacker through Search Engines<\/li><li>Using Incident Databases<\/li><li>Monitoring Potential C2 Channels<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Eradication and Recovery<\/h3>\n\n\n\n<p>A phased approach is generally taken to eradicate and then recover from a security incident. During eradication, malware and other unwanted software are removed. Recovery entails rebuilding systems from backups and returning them to service.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Post-Incident Activity<\/h2>\n\n\n\n<p>After the incident is resolved, the team reviews what lessons were learned from it. The lessons-learned discussion also produces incident data to be used in future process improvement. The final part of post-incident activity is determining the retention and disposition of evidence.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Map elements to these steps of analysis based on the NIST.SP800-61 r2 Implementing Cisco Cybersecurity Operations (210-255) NIST.SP800-61 r2 defines an Incident Response Life Cycle as shown above. 
For the SECOPS test, it is necessary to know some of the common elements of the steps in the Incident Response Life Cycle. Preparation Gather Useful Information [&hellip;]<\/p>\n","protected":false},"author":1,"jetpack_featured_media_url":"https:\/\/i0.wp.com\/packitforwarding.com\/wp-content\/uploads\/2019\/08\/PIF-Incident-Response-Life-Cycle-1.png?fit=800%2C600&ssl=1","yoast_head_json":{"title":"CCNA CyberOps SECOPS - Objective 3.2 -","author":"Ben Story","article_published_time":"2019-08-13T13:30:54+00:00","article_modified_time":"2020-02-25T15:32:25+00:00"}}