5.4 Map elements to these steps of analysis based on the NIST.SP800-61
📘Cisco Certified CyberOps Associate (200-201 CBROPS)
Goal: The purpose of detection and analysis is to identify potential security incidents quickly and accurately. This is the second phase in the incident handling process defined by NIST.
Think of it like this in IT terms: You want to catch suspicious activity on your network or systems, figure out whether it’s a real problem, and decide how serious it is.
Step 1: Detecting an Incident
Detection is all about noticing something unusual in your environment.
Sources of Detection
In IT, we have several sources to detect incidents:
- Security Tools (Automated Detection)
  - IDS/IPS (Intrusion Detection/Prevention Systems): Alerts you when unusual network traffic is detected.
    Example: An IDS flags that someone is sending thousands of login attempts to your server.
  - Antivirus/Endpoint Security: Detects malware or unusual activity on endpoints (like laptops, servers).
  - SIEM (Security Information and Event Management): Collects logs from multiple sources and correlates them to identify patterns.
- System and Application Logs
  - Logs from servers, firewalls, or applications can show anomalies.
    Example: Multiple failed login attempts in a short time or unexpected changes to files.
- Network Monitoring
  - Monitoring network traffic can reveal abnormal spikes or connections to suspicious IP addresses.
    Example: A workstation suddenly sending large amounts of data to an unknown external server.
- User Reports
  - Sometimes users report suspicious activity, like strange emails or slow computer behavior.
Step 2: Analyzing the Alert
Once something suspicious is detected, you must analyze it to determine if it’s a true incident.
Key Tasks in Analysis
- Identify the Type of Incident
  - Is it malware, phishing, DoS attack, unauthorized access, or data exfiltration?
    Example: Antivirus logs show a ransomware executable running—this is a malware incident.
- Verify the Incident
  - Not every alert is real. Some are false positives. You need to confirm.
    Example: An IDS alert may show high traffic, but it could be a legitimate backup process.
- Collect Context and Evidence
  - Capture logs, system snapshots, or network data that can help understand what happened.
    Example: Collecting Windows event logs and firewall logs to trace the source of suspicious activity.
- Assess the Impact
  - Determine how much damage or risk the incident could cause.
    Example: Did it affect a single workstation or the entire corporate network? Was sensitive data accessed?
- Prioritize Incidents
  - Not all incidents are equally critical. Use severity to decide which to handle first.
    Example: A ransomware infection on a domain controller is more critical than a single phishing email.
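The failed-login example from Step 1 and the verify/assess/prioritize tasks of Step 2, worked through as a small detection-and-analysis script. This is an added example, not part of the original notes or of NIST SP 800-61; the log lines, host names, asset criticality table and scanner allowlist are all constructed for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample auth log (not from a real system): a failure burst against a
# domain controller, a slow trickle on a workstation, a burst from an authorised scanner.
SAMPLE_LOGS = """\
2024-03-01T09:00:01 host=dc-01 event=login_failed src=203.0.113.5 user=admin
2024-03-01T09:00:02 host=dc-01 event=login_failed src=203.0.113.5 user=admin
2024-03-01T09:00:03 host=dc-01 event=login_failed src=203.0.113.5 user=admin
2024-03-01T09:10:00 host=ws-17 event=login_failed src=198.51.100.9 user=bob
2024-03-01T09:20:00 host=ws-17 event=login_failed src=198.51.100.9 user=bob
2024-03-01T10:00:00 host=ws-22 event=login_failed src=10.0.0.50 user=svc_scan
2024-03-01T10:00:01 host=ws-22 event=login_failed src=10.0.0.50 user=svc_scan
2024-03-01T10:00:02 host=ws-22 event=login_failed src=10.0.0.50 user=svc_scan
"""
# Assumed inventory/allowlist data that a SIEM would normally pull from a CMDB.
ASSET_CRITICALITY = {"dc-01": "critical", "ws-17": "low", "ws-22": "low"}
KNOWN_SCANNERS = {"10.0.0.50"}   # authorised scanner source -> likely false positive
THRESHOLD, WINDOW = 3, timedelta(seconds=60)   # failures inside WINDOW that alert

def parse_line(line):
    """'timestamp key=value ...' -> dict, with the timestamp parsed under 'ts'."""
    ts, *fields = line.split()
    return {**dict(f.split("=", 1) for f in fields), "ts": datetime.fromisoformat(ts)}

def detect_failed_login_bursts(log_text):
    """Detect: THRESHOLD or more failed logins from one source to one host inside WINDOW."""
    failures = defaultdict(list)
    for rec in map(parse_line, log_text.splitlines()):
        if rec["event"] == "login_failed":
            failures[(rec["host"], rec["src"])].append(rec["ts"])
    alerts = []
    for (host, src), times in failures.items():
        times.sort()   # pair each failure with the one THRESHOLD-1 places later
        if any(t2 - t1 <= WINDOW for t1, t2 in zip(times, times[THRESHOLD - 1:])):
            alerts.append({"host": host, "src": src, "failures": len(times)})
    return alerts

def analyze(alert):
    """Verify (false positive?), classify the type, assess impact, assign severity."""
    if alert["src"] in KNOWN_SCANNERS:
        return {**alert, "verified": False, "severity": "informational",
                "note": "source is an authorised scanner; likely false positive"}
    critical = ASSET_CRITICALITY.get(alert["host"]) == "critical"
    return {**alert, "verified": True, "type": "unauthorized access (brute force)",
            "severity": "high" if critical else "medium"}

def triage(log_text):
    """Detection, then analysis, ordered so the most severe incident is handled first."""
    return sorted(map(analyze, detect_failed_login_bursts(log_text)),
                  key=lambda r: {"high": 0, "medium": 1}.get(r["severity"], 2))
```

Running `triage(SAMPLE_LOGS)` yields two alerts: the domain-controller burst comes first as a verified high-severity incident, the scanner burst is kept only as an informational, unverified entry, and the slow trickle against ws-17 never crosses the threshold.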
Step 3: Tools and Techniques for Detection and Analysis
Understanding the tools is crucial for the exam.
| Category | Example Tool | Purpose |
|---|---|---|
| Network Monitoring | Wireshark, Zeek | Inspect network traffic for anomalies |
| SIEM | Splunk, QRadar | Aggregate logs, detect patterns, generate alerts |
| Endpoint Security | Microsoft Defender, CrowdStrike | Detect malware or suspicious behavior on endpoints |
| IDS/IPS | Snort, Suricata | Detect and prevent network attacks |
| Log Analysis | ELK Stack (Elasticsearch, Logstash, Kibana) | Analyze server/application logs |
| Threat Intelligence | Open Threat Exchange, VirusTotal | Compare indicators against known threats |
Step 4: Key Indicators During Analysis
When analyzing, you look for Indicators of Compromise (IoCs):
- Unusual logins: e.g., from unknown IPs or strange times.
- Suspicious files or processes: e.g., malware executables, crypto miners.
- Anomalous network connections: e.g., to known malicious IPs.
- Changes to critical files or settings: e.g., system configuration modified without authorization.
Step 5: Reporting and Escalation
Once detection and analysis are complete:
- Document Findings
  - Include what was detected, how it was verified, impact, and severity.
- Escalate if Needed
  - If it’s serious, escalate to higher-level analysts or management.
- Inform Containment Team
  - Share enough detail so that the next phase (containment and eradication) can act effectively.
Summary of Detection and Analysis Steps
- Detect → Identify potential security issues via alerts, logs, monitoring, or users.
- Analyze → Confirm if it’s real, determine type, collect evidence, assess impact, prioritize.
- Use Tools → SIEM, IDS/IPS, endpoint protection, network analysis, log analysis.
- Look for IoCs → Suspicious logins, malware, unusual traffic, file changes.
- Report & Escalate → Document findings, severity, and notify the right teams.
Easy Way to Remember for Exam
- DAD-P: Detect → Analyze → Document → Prioritize
  Think of it as a cycle: Detect, analyze to understand, document what happened, and prioritize action.
💡 Tip for 200-201 CBROPS Exam:
Focus on the difference between detection and analysis:
- Detection is “noticing” the problem.
- Analysis is “understanding” the problem and deciding how serious it is.
