Why This Cheat Sheet Matters for CYBEROPS
This cheat sheet covers the most important CyberOps Incident Handling concepts tested on the CYBEROPS (CyberOps Associate) certification exam. It contains 2 sections with 10 key points that you should memorize before exam day. Learn the incident response lifecycle (preparation, detection, containment, eradication, recovery, lessons learned), escalation procedures, evidence handling, and post-incident activities. Use this as a quick-reference guide during your final review sessions.
NIST IR Phases
- 1. Preparation: policies, tools, training, communication plans.
- 2. Detection & Analysis: identify IOCs, triage alerts, determine scope.
- 3. Containment: short-term (isolate host) + long-term (patch, segment).
- 4. Eradication: remove malware, close vulnerabilities.
- 5. Recovery: restore systems, monitor for re-infection.
- 6. Post-Incident: lessons learned, update playbooks.
Evidence Handling
- Maintain chain of custody: document who handled evidence, when, how.
- Create forensic images — never work on the original.
- Use hash values (SHA-256) to verify evidence integrity.
- Volatile evidence first: memory → network connections → running processes → disk.
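A worked illustration of two of the evidence-handling points above (chain of custody and SHA-256 integrity verification), added here and not part of the original cheat sheet; the handler names and the sample image bytes are constructed, and the functions are hypothetical helpers rather than any tool's API:

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk_size=1 << 20):
    """Stream the image in chunks so multi-GB files never have to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def record_custody(log, image_path, handler, action):
    """Append one chain-of-custody entry: who, when, how, and the hash at that moment."""
    entry = {"image": os.path.basename(image_path), "handler": handler, "action": action,
             "timestamp": datetime.now(timezone.utc).isoformat(),
             "sha256": sha256_file(image_path)}
    log.append(entry)
    return entry

def verify_integrity(log, image_path):
    """True if the image still matches the hash recorded at acquisition (first entry)."""
    return sha256_file(image_path) == log[0]["sha256"]

def hash_constructed_bytes(data):
    """Write constructed bytes to a temp file and hash it through sha256_file."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(data)
        path = f.name
    try:
        return sha256_file(path)
    finally:
        os.unlink(path)

def run_demo():
    """Acquire a constructed image, verify it, then show that any later write is caught."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "evidence.dd")
        with open(image, "wb") as f:
            f.write(b"CONSTRUCTED SAMPLE IMAGE, not real disk data\n" * 1000)
        log = []
        record_custody(log, image, "analyst_a (hypothetical)", "acquired image")
        before = verify_integrity(log, image)  # True: untouched since acquisition
        with open(image, "ab") as f:  # a stray one-byte write to the "original"
            f.write(b"\x00")
        record_custody(log, image, "analyst_b (hypothetical)", "re-hashed after access")
        after = verify_integrity(log, image)  # False: the image no longer matches
        return {"before": before, "after": after, "log": log}
```

The second custody entry records a different hash than the first, which is exactly the discrepancy an examiner looks for when deciding whether evidence can still be trusted.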
Cisco Command Quick Reference
Cisco IOS commands follow a hierarchical structure: User EXEC mode (>), Privileged EXEC mode (#), Global Configuration mode (config)#, and Interface Configuration mode (config-if)#. Master the transitions between these modes and the key "show" commands for each technology area — they are heavily tested on every Cisco exam.