Image for post
Image for post
The Cisco Certified CyberOps Associate focuses on operational skills and knowledge needed in security operations centers.

How I passed: Cisco Certified CyberOps Associate (formerly CCNA CyberOps)

Today I’ll be taking a look at the Cisco Certified CyberOps Associate exam, an entry-level exam designed to validate the day-to-day tactical knowledge and skills that Security Operations Center (SOC) teams need to detect and respond to cybersecurity threats. The exam covers knowledge and skills related to security concepts, security monitoring, host-based analysis, network intrusion analysis, and security policies and procedures to help teach the essentials of preventing, detecting, and responding to incidents and breaches.

Exam Information

The CyberOps Associate’s corresponding exam is Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS 200–201), taken at one of Pearson VUE’s testing centers available worldwide (and online, temporarily, due to the COVID-19 pandemic). The exam itself will cost $300 without any additional training materials, which can run up to $800 for the official Cisco-provided course.

The exam requires a passing score of 825/1000 or about 82.5%. However, not all questions are weighted equally, and scores in each exam section are not cumulative, so take this with a grain of salt. I scored 887/1000 on my first attempt to pass the exam, studying on-and-off while also working full-time from June 1st to August 29th, 2020. My test was scheduled for August 29th at 1:00 PM at a test center about 15 minutes from my apartment in Washington, DC. The CyberOps Associate exam is one of the few Cisco exams that does not use any simulation questions, so I had 100 multiple-choice questions and 120 minutes to complete the exam. I finished with about 45 minutes to spare.

The exam contains five domains, each included below with their weights and how I scored on them:

  • 20% Security Concepts — I scored 80%
  • 25% Security Monitoring — I scored 88%
  • 20% Host-Based Analysis — I scored 80%
  • 20% Network Intrusion Analysis — I scored 90%
  • 15% Security Policies and Procedures — I scored 67%
Image for post
Image for post

The Pearson VUE Testing Center

Test centers vary widely in terms of comfort and noise. I have taken exams in secluded rooms with little noise, open rooms with glass windows that do not shield you from the noise of the surrounding business, and once in a dimly-lit room with a noisy ventilation system. However, all of the centers are standardized in their procedures and equipment and are generally kept very clean. I highly suggest checking the reviews of the location you will be testing to ensure they adhere to these standards, as I did find one that was not.

Schedule a time you know you will be not tired and can think clearly. For me, that’s usually mid-morning, but the time also depends on availability. You may only have one choice to schedule a time (like at 8:00 AM), especially if you wait until the last minute to make an appointment. You are allowed to reschedule an exam up until 24 hours before the appointment as many times as you choose, though, so best to make it sooner than later and then reschedule if you don’t feel prepared.

You will need 2 forms of ID (a primary with name, photo, and signature, and a secondary with name and photo or name and signature). You will be asked to sign the candidate agreement, they will check your signature and take your picture, and then you will initial on a sign-in/out form.

Pearson provides a flimsy legal-size dry-erase paper, a fine-point marker, and earplugs with every exam (don’t initial the form until you get them if you plan on using any of these, as it confirms that they were provided to you). Finally, you must lock all your personals in a box or locker before entering the secure test room.

The PC also has you agree to the exam terms before you can start. At the end of the exam, you will typically take a survey and then your results may be presented on screen. Regardless of if they are or not, you will receive a printed score report and a digital embosser code that lets you view your score online before you leave. You mustn't leave the test center without receiving this form, as it is an official confirmation that you took the test. Sign out and return the whiteboard (don’t erase it!), and you’re done. As long as you scored at or above Cisco’s minimum competency score, you will pass. A pass is a pass, and only this fact is recorded on your certificate. Your score will not appear on your certificate.

On to my study materials…

Image for post
Image for post

Understanding Cisco Cybersecurity Fundamentals (CBROPS 200–201) Exam Objectives (Free)

This should go without saying, but the exam objectives should always be the first resource that anyone studying for a certification exam should review.

Download the topics in PDF format. Cross out or highlight content that is familiar or unfamiliar to you, take notes in the margins, essentially do whatever you need to give yourself a clear picture or roadmap for how you will attempt this exam and in what order you will study the content. Sometimes, Cisco’s syllabus is not always the best order in which new students should learn the content.

Image for post
Image for post
Joe Abraham’s CBROPS Blueprint

Understanding Cisco Cybersecurity Operations Fundamentals (210–250) Exam Blueprint (Free)

The CyberOps certification was unique to me because there is very little training available for the new CBROPS 200–201 exam besides Cisco’s $800 course at the time of this writing. For an exam that only costs $300, I decided to make do with a significant portion of the old CCNA CyberOps (SECFND 210–250 and SECOPS 210–255) curriculum that closely matched the new objectives. Cisco tends to rearrange and reorganize exam content during each routine update rather than drop or add to significant parts of the exam.

This spreadsheet by Joe Abraham was instrumental in helping me find topics that were similar between the old and new exams, as well as independent resources for new content (like threat attribution, SOC metrics, threat hunting, and threat intelligence) and also allowed me to avoid deprecated content (such as VERIS, CSIRT types, and compliance frameworks). I highly recommend using this spreadsheet until new, less expensive CBROPS 200–201 content is released from third parties if you are willing to put in a little bit of extra effort.

Image for post
Image for post
SECFND and SECOPS Host Ronnie Wong

ITProTV SECFND 210–250 and SECOPS 210–255 Video Courses (Free with a trial, then $50/mo)

At $30 a month for video access (with a free trial available) and $50 a month for videos and realistic practice exams for both courses, the ITProTV Cisco Cybersecurity Fundamentals (SECFND 210–250) and ITProTV Cisco Cybersecurity Operations (SECOPS 210–255) courses were a great resource. I had never used this provider before, and although Ronnie Wong’s videos could be long at times, they were often quite thorough and entertaining. I found the video summaries included with each exam objective especially helpful for determining which content I was already familiar with versus content that I was unfamiliar with or needed to study further. They are also especially good to copy down into your notes if you are taking any.

Although this resource is for the retired CCNA CyberOps exams, the material covered is still very relevant to the new CBROPS 200–201 exam. Relevant and irrelevant content can easily be matched to the course using the spreadsheet linked above. The practice exams are also fairly accurate as long as you can identify old or removed content and find external resources for new content.

Image for post
Image for post

Cisco CyberOps Associate CBROPS 200–201 Official Cert Guide (~$40)

(or CCNA CyberOps SECFND 210–250 Official Cert Guide and CCNA CyberOps SECOPS 210–255 Official Cert Guide)

I am not a fan of reading the whole exam book to obtain a certification because I find it too easy to skim over concepts only to encounter questions on the topic later and not recall anything I just ready about. Instead, I often choose to use them as a reference for answering a practice test question incorrectly and would like further clarification as to why my answer is incorrect. I primarily used Omar Santos’s CCNA CyberOps SECFND 210–250 Official Cert Guide and CCNA CyberOps SECOPS 210–255 Official Cert Guide books for their chapter tests and cumulative practice exams with answer explanations, allowing me to reference back to a specific section when I need to or assess my understanding at the level of a specific objective or topic.

Santos’s Cisco CyberOps Associate CBROPS 200–201 Official Cert Guide is due to be released in December 2020. Hence, the CCNA CyberOps books are some of the best realistic practice exam materials currently available until then. A minor caveat is that the material might not match up with the new objectives perfectly, though.

Image for post
Image for post

NIST Special Publication 800–61r2 and 800–86 (Free)

For an exam focused heavily on incident response and digital forensics, it would be an anomaly not to include material about these two influential NIST Special Publications (SPs). In fact, the exam objectives even call out these specific documents.

NIST Special Publication 800–61r2

The incident response process described in painstaking detail in NIST’s Computer Security Incident Handling Guide (Special Publication 800–61r2) is the defacto method for incident handling. The process was originally developed by the United States Department of Energy, then adopted by the Navy, and finally by the US federal government and most private industry. Essentially, it breaks down incident response scenarios into 6 steps:

  • Preparation — ensuring that systems, networks, and applications are sufficiently secure
  • Detection and Analysis — being able to recognize and assess the signs of a potential incident and investigate further
  • Containment — isolating a confirmed threat before it can cause more damage to the network
  • Eradication — removing the threat effectively
  • Recovery — restoring systems to a state and capacity similar to that of before the incident occurred
  • Lessons Learned — evaluating the organization’s incident response process, successes, failures, and making modifications to more effectively prevent and handle the next incident

Knowing how to conduct each step in the incident response process is critical if you are to succeed in your studies. I highly recommend reading the whole document. Fortunately, it is free and not that long of a read. It even includes several incident handling scenarios in Appendix A for practice.

NIST Special Publication 800–86

NIST’s Guide to Integrating Forensic Techniques into Incident Response (Special Publication 800–86) goes hand-in-hand with the previous publication. It focuses on data and evidence collection in the incident response process. As with 800–61r2, this document should be read in full to have a detailed understanding of standard forensic processes and how to perform them. I spent a bit more time reviewing section 3.1.2 (Acquiring the Data) because the process is mentioned in the exam objectives. In essence:

  1. Determine the likely value of the data — this will determine which data sets should be collected first, as well as those datasets that can be collected later or do not need to be collected as they are not relevant to the incident
  2. Determine the volatility of the data — more volatile data should be prioritized for collection over less volatile data to prevent loss
  3. Determine the amount of effort required — if the amount of data to be collected or the collection method is infeasible in the given time constraints, the plan will need to be redeveloped
  4. Acquire the data — use forensically-sound and generally accepted tools to acquire the data from all relevant sources, either physically or over a network.
  5. Verify the integrity of the data — Use a cryptographic hash function to confirm that the data stored on the suspect device and the forensic investigator’s device are indeed the same

If data is not collected properly, important exhibits may be excluded from court cases, law enforcement investigations, or legal matters. It is essential to become familiar with the tools and techniques used for this process.

Image for post
Image for post

RegexOne (Free)

Regular expressions are one of the most useful search features in many different operating systems and tools. Since searching is a significant portion of an analyst’s job, it’s no surprise that the exam objectives specify familiarity with regex. RegexOne is a great site for learning and practicing regex queries and helped me brush up on my syntax a few days before the exam.

The site includes 14 lessons, all free, and additional practice problems for common data formats that an analyst would need to collect. I’ve included links to the starting tutorial and some problems specifically applicable to incident response below.

Good luck with your studies!

The Cisco Certified CyberOps Associate certification is definitely unique among Cisco’s offerings. It is designed to validate the day-to-day tactical knowledge and skills that Security Operations Center (SOC) teams need to detect and respond to cybersecurity threats. This exam was a lot of fun to study for, and I definitely feel more comfortable handling incidents. In the future, perhaps I will go for the upcoming (as of this writing) Cisco Certified CyberOps Professional! In the meantime, best of luck with the Associate certification, and do reach out if you have any questions.

I do not use affiliate links, nor do I earn compensation for any products I endorse in this post. These are the resources I used to pass this exam and my honest reviews of them.

Written by

DFIR, CTFs, disinformation, STEM education, and pretty much anything else that comes to mind. RIT Computing Security ’22.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store