Operations and Incident Response
Overview
In this unit, students will learn how to respond to incidents, focusing on threat detection, risk mitigation, security controls, and digital forensics.
Standards
CompTIA Security+ (SY0-601) Objectives 4.1 – 4.5
Cyber Connections
Threats and Vulnerabilities
Hardware and Software
Cyber Hygiene
Digital Citizenship
Networks and Internet
Lessons
4.1 - Given a scenario, use the appropriate tool to assess organizational security
- Network reconnaissance and discovery
- tracert/traceroute
- nslookup/dig
- ipconfig/ifconfig
- nmap
- ping/pathping
- hping
- netstat
- netcat
- IP scanners
- arp
- route
- curl
- theHarvester
- sn1per
- scanless
- dnsenum
- Nessus
- Cuckoo
- File manipulation
- head
- tail
- cat
- grep
- chmod
- logger
- Shell and script environments
- SSH
- PowerShell
- Python
- OpenSSL
- Packet capture and replay
- Tcpreplay
- Tcpdump
- Wireshark
- Forensics
- dd
- memdump
- WinHex
- FTK Imager
- Autopsy
- Exploitation frameworks
- Password crackers
- Data sanitization
4.2 - Summarize the importance of policies, processes, and procedures for incident response
- Incident response plans
- Incident response process
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons learned
- Exercises
- Tabletop
- Walkthroughs
- Simulations
- Attack frameworks
- MITRE ATT&CK
- The Diamond Model of Intrusion Analysis
- Cyber Kill Chain
- Stakeholder management
- Communication plan
- Disaster recovery plan
- Business continuity plan
- Continuity of operations planning (COOP)
- Incident response team
- Retention policies
4.3 - Given an incident, utilize appropriate data sources to support an investigation
- Vulnerability scan output
- SIEM dashboards
- Sensor
- Sensitivity
- Trends
- Alerts
- Correlation
- Log files
- Network
- System
- Application
- Security
- Web
- DNS
- Authentication
- Dump files
- VoIP and call managers
- Session Initiation Protocol (SIP) traffic
- syslog/rsyslog/syslog-ng
- journalctl
- NXLog
- Retention
- Bandwidth monitors
- Metadata
- Mobile
- Web
- File
- NetFlow/sFlow
- NetFlow
- sFlow
- IPFIX
- Protocol analyzer output
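Worked example (added here; it is not part of the CompTIA objectives or the original lesson material): a short Python script that reads authentication log lines of the kind listed above and applies one SIEM-style correlation rule. The rule fires when a single source address accumulates repeated failed logins inside a time window and then logs in successfully; the threshold and window are the rule's sensitivity, and a per-source failure count gives the trend view a dashboard would show. The sshd lines are constructed for the example, the year 2024 is an assumption because BSD syslog timestamps omit the year, and the function names are the example's own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log lines (BSD syslog format as written by sshd).
# They are made up for this example and are not real captured data.
SAMPLE_AUTH_LOG = """\
Mar 13 10:15:01 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 13 10:15:04 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Mar 13 10:15:08 web01 sshd[2212]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar 13 10:15:11 web01 sshd[2213]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar 13 10:15:15 web01 sshd[2214]: Failed password for deploy from 203.0.113.7 port 51242 ssh2
Mar 13 10:15:31 web01 sshd[2215]: Accepted password for deploy from 203.0.113.7 port 51244 ssh2
Mar 13 10:16:00 web01 sshd[2216]: Failed password for root from 198.51.100.4 port 40000 ssh2
Mar 13 10:42:10 web01 sshd[2300]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
"""

# BSD syslog timestamps carry no year; the year is assumed here (pass the real one in practice).
LOG_YEAR = 2024

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_auth_line(line):
    """Parse one sshd line into a dict, or return None for lines this rule does not use."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "outcome": m["outcome"],
            "method": m["method"], "user": m["user"], "src": m["src"]}


def correlate_brute_force(lines, threshold=5, window=timedelta(minutes=5)):
    """Correlation rule: alert when a source has >= threshold failed logins inside `window`
    and then an accepted login. `threshold` and `window` are the rule's sensitivity."""
    recent_failures = defaultdict(list)  # src -> timestamps of failures still inside the window
    alerts = []
    for event in filter(None, (parse_auth_line(l) for l in lines)):
        src, now = event["src"], event["ts"]
        # Slide the window: forget failures older than `window` relative to this event.
        recent_failures[src] = [t for t in recent_failures[src] if now - t <= window]
        if event["outcome"] == "Failed":
            recent_failures[src].append(now)
            continue
        if len(recent_failures[src]) >= threshold:
            alerts.append({
                "severity": "high",
                "rule": "brute-force-then-success",
                "src": src,
                "host": event["host"],
                "user": event["user"],
                "failures": len(recent_failures[src]),
                "first_failure": recent_failures[src][0].isoformat(),
                "success_at": now.isoformat(),
            })
            recent_failures[src].clear()  # one alert per break-in, not one per later login
    return alerts


def failures_by_source(lines):
    """Trend view for a dashboard: failed logins per source address over the whole input."""
    counts = defaultdict(int)
    for event in filter(None, (parse_auth_line(l) for l in lines)):
        if event["outcome"] == "Failed":
            counts[event["src"]] += 1
    return dict(counts)


if __name__ == "__main__":
    lines = SAMPLE_AUTH_LOG.splitlines()
    for alert in correlate_brute_force(lines):
        print(alert)
    print(failures_by_source(lines))
```

On the sample, the default rule raises one high-severity alert for 203.0.113.7 (five failures, then an accepted login as deploy). Raising the threshold to 6 or shrinking the window to ten seconds makes the same rule miss it, which is the trade-off the objective's "Sensitivity" item refers to: a less sensitive rule produces fewer false positives but also misses slower or smaller attacks.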
4.4 - Given an incident, apply mitigation techniques or controls to secure an environment
- Reconfigure endpoint security solutions
- Application whitelisting
- Application blacklisting
- Quarantine
- Configuration changes
- Firewall rules
- MDM
- DLP
- Content filter/URL filter
- Update or revoke certificates
- Isolation
- Containment
- Segmentation
- SOAR
- Runbooks
- Playbooks
4.5 - Explain the key aspects of digital forensics
- Documentation/evidence
- Legal hold
- Video
- Admissibility
- Chain of custody
- Timelines of sequence of events
- Time stamps
- Time offset
- Tags
- Reports
- Event logs
- Interviews
- Acquisition
- Order of volatility
- Disk
- Random-access memory (RAM)
- Swap/pagefile
- OS
- Device
- Firmware
- Snapshot
- Cache
- Network
- Artifacts
- On-premises vs. cloud
- Right-to-audit clauses
- Regulatory/jurisdiction
- Data breach notification laws
- Integrity
- Hashing
- Checksums
- Provenance
- Preservation
- E-discovery
- Data recovery
- Non-repudiation
- Strategic intelligence/counterintelligence
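Worked example (added here; it is not part of the CompTIA objectives or the original lesson material, and it is not the workflow of dd, FTK Imager or Autopsy): a Python script that ties together the integrity, time stamp and chain-of-custody items above. It hashes an acquired image in chunks, records each handover in a custody log whose entries carry UTC time stamps and are hash-chained to one another, and re-verifies the image afterwards so that any change to the evidence, or to an earlier log entry, is detected. The image bytes are constructed for the example and the class and function names are the example's own.

```python
import hashlib
import json
import os
import tempfile
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

CHUNK_SIZE = 1 << 20  # hash in 1 MiB chunks so a multi-GB image never has to fit in RAM


def hash_file(path):
    """SHA-256 (the integrity value) and MD5 (kept only for legacy report templates) of a file."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            sha256.update(chunk)
            md5.update(chunk)
    return {"sha256": sha256.hexdigest(), "md5": md5.hexdigest(), "size": os.path.getsize(path)}


@dataclass
class CustodyEntry:
    seq: int
    timestamp: str        # UTC ISO 8601, so offsets between hosts and time zones do not matter
    evidence_id: str
    action: str
    handler: str
    sha256: str           # hash of the evidence file when this entry was written
    prev_entry_hash: str  # hash of the previous entry: links the log into a tamper-evident chain
    entry_hash: str = ""

    def compute_hash(self):
        body = asdict(self)
        body.pop("entry_hash")
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ChainOfCustody:
    """Append-only custody log: each entry commits to the evidence hash and the previous entry."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def record(self, evidence_id, action, handler, path):
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        entry = CustodyEntry(len(self.entries) + 1, datetime.now(timezone.utc).isoformat(),
                             evidence_id, action, handler, hash_file(path)["sha256"], prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify_evidence(self, evidence_id, path):
        """True if the file still hashes to the value recorded at acquisition (its first entry)."""
        first = next(e for e in self.entries if e.evidence_id == evidence_id)
        return hash_file(path)["sha256"] == first.sha256

    def verify_log(self):
        """True if every entry still matches its stored hash and links to its predecessor."""
        prev = self.GENESIS
        for e in self.entries:
            if e.prev_entry_hash != prev or e.compute_hash() != e.entry_hash:
                return False
            prev = e.entry_hash
        return True


def run_demo():
    """Acquire a constructed image, log two custody events, then show that a changed image
    and an edited log entry are both detected. Returns the check results as a dict."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "disk01.dd")
        with open(image, "wb") as f:  # constructed stand-in for a dd image, not real data
            f.write(b"\x00" * 4096 + b"CONSTRUCTED SAMPLE IMAGE" + b"\xff" * 1024)
        coc = ChainOfCustody()
        coc.record("EV-001", "acquired with dd behind a write blocker", "analyst A", image)
        coc.record("EV-001", "sealed and moved to evidence locker", "analyst B", image)
        intact_before = coc.verify_evidence("EV-001", image) and coc.verify_log()
        with open(image, "ab") as f:
            f.write(b"\x00")  # one appended byte is enough to change the hash
        image_intact_after_change = coc.verify_evidence("EV-001", image)
        coc.entries[0].handler = "analyst C"  # someone rewrites history in the log
        log_intact_after_edit = coc.verify_log()
    return {"entries": len(coc.entries), "intact_before": intact_before,
            "image_intact_after_change": image_intact_after_change,
            "log_intact_after_edit": log_intact_after_edit}


if __name__ == "__main__":
    print(run_demo())
```

The hash chain makes the log tamper-evident, not non-repudiable: it proves that the entries have not been altered since they were written, but it does not prove who wrote them. Binding each entry to a handler's signature, or writing the log to a system the handlers cannot modify, is what supports non-repudiation and admissibility.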