Chapter 1, Classifying Threats, looks at the Common Vulnerability Scoring System (CVSS v3.0) to introduce common terminology, as well as split the substantial topic of cyber threat into three areas of impact, and five areas of vulnerability. You must be able to define the common terminology for the purpose of the exam.

Chapter 2, Operating System Families, does a side-by-side comparison of these factors, which differs from the CISCO approach. Terms of reference between Linux and Windows operating systems are easy marks in the 210-255 exam. Again, they only require definitions and memory. A knowledge of these factors is necessary for the next chapter.

Chapter 3, Computer Forensics and Evidence Handling, covers the standards of investigation required for catching criminals and bringing about prosecutions. Evidence – properly collected – also enables organizations to attribute blame, which can be important in maintaining compliance with government requirements, as well as maintaining customer confidence.

Chapter 4, Identifying Rogue Data from a Dataset, teaches regular expressions (Regex), which always appears as at least one of the questions in the 210-255 exam. Regex is a sequence of characters that define a search expression. Regex enables security professionals to quickly sift through large datasets, grouping data entries, highlighting signs of rogue data, and identifying patterns in it.

Chapter 5, Warning Signs from Network Data, teaches you how to differentiate normal header content from abnormal and rogue content to conduct an initial analysis of network intrusions.

Chapter 6, Network Security Data Analysis, looks at different network security files and identifies different bits of information. This is always a question in the 210-255 exam and an important part of the job of an SOC.

Chapter 7, Roles and Responsibilities During an Incident, teaches you to identify individual and team responsibilities during an incident response, in accordance with NIST guidelines. This section makes up 8-10% of the questions in 210-255, but applying a similar model based on your own national guidelines is the principal job of the operations center and, hence, of a cybersecurity professional.

Chapter 8, Network and Server Profiling, teaches you about network and server profiling, which is used to establish the 'normal' traffic on a network and server. Profiling allows administrators to identify any potential vulnerabilities, such as a lack of redundancy, or bottlenecks in the system, and deal with them ahead of time, and to detect abnormal behaviors that might indicate an incident in progress.

Chapter 9, Compliance Frameworks, teaches you about the requirements of three of the principal pieces of legislation and the industry requirements that affect IT and cybersecurity professionals. Each organization will be covered by one compliance framework or another and, frequently, many overlapping pieces of guidance. It is the fundamental role of a cybersecurity professional to ensure organizational compliance.

Chapter 10, Data Normalization and Exploitation, covers the process of collecting and organizing data from multiple different sources. You will also look at some of the fields that are useful for correlating incidents, including timestamps and the IP 5-tuple. 

Chapter 11, Drawing Conclusions from the Data, explains the different forms of data analysis, and some of the more detailed aims of this process. This will feed into how users can prioritize certain signs, and use Cisco products to generate alerts according to these priorities.

Chapter 12, The Cyber Kill Chain Model, teaches you about the adapted Cyber Kill Chain model. In this model, an attack is laid out in chronological sequence, which helps cybersecurity professionals to appreciate the maturity of an attack in progress. This model also helps to structure the response, guiding the security operations center (SOC) as to what actions are likely to have already occurred, and the ones that may be about to emerge.

Chapter 13, Incident Handling Activities, covers three guidance frameworks that guide incident handling. You will learn about the terminology used, the non-technical activities involved, and the forensic guidance for conducting incident handling. The questions for this chapter will draw heavily from all the previous chapters.

Chapter 14, Mock Exam 1, allows you to practice and analyze the style of Cisco exam questions and test your ability to apply the correct areas of your learning to answer them.

Chapter 15, Mock Exam 2, allows you to further practice and analyze the style of Cisco exam questions and test your ability to apply the correct areas of your learning to answer them.