Operations and Incident Response

Risk Management

Course: Cybersecurity
Subjects: Career & Technical Education, Engineering, Robotics & Coding, Cybersecurity
Grade Levels: 10, 11, 12
Duration (approx. hours): 20
Overview
In this unit, students will learn how to respond to security incidents, focusing on threat detection, risk mitigation, security controls, and digital forensics.
Standards
CompTIA Security+ (SYO-601) Objectives 4.1 – 4.5
Cyber Connections
Threats and Vulnerabilities
Hardware and Software
Cyber Hygiene
Digital Citizenship
Networks and Internet
Lessons
4.1 - Given a scenario, use the appropriate tool to assess organizational security
  • Network reconnaissance and discovery
    • tracert/traceroute
    • nslookup/dig
    • ipconfig/ifconfig
    • nmap
    • ping/pathping
    • hping
    • netstat
    • netcat
    • IP scanners
    • arp
    • route
    • curl
    • theHarvester
    • sn1per
    • scanless
    • dnsenum
    • Nessus
    • Cuckoo
  • File manipulation
    • head
    • tail
    • cat
    • grep
    • chmod
    • logger
  • Shell and script environments
    • SSH
    • PowerShell
    • Python
    • OpenSSL
  • Packet capture and replay
    • Tcpreplay
    • Tcpdump
    • Wireshark
  • Forensics
    • dd
    • Memdump
    • WinHex
    • FTK imager
    • Autopsy
  • Exploitation frameworks
  • Password crackers
  • Data sanitization
4.2 - Summarize the importance of policies, processes, and procedures for incident response
  • Incident response plans
  • Incident response process
    • Preparation
    • Identification
    • Containment
    • Eradication
    • Recovery
    • Lessons learned
  • Exercises
    • Tabletop
    • Walkthroughs
    • Simulations
  • Attack frameworks
    • MITRE ATT&CK
    • The Diamond Model of Intrusion Analysis
    • Cyber Kill Chain
  • Stakeholder management
  • Communication plan
  • Disaster recovery plan
  • Business continuity plan
  • Continuity of operations planning (COOP)
  • Incident response team
  • Retention policies
4.3 - Given an incident, utilize appropriate data sources to support an investigation
  • Vulnerability scan output
  • SIEM dashboards
    • Sensor
    • Sensitivity
    • Trends
    • Alerts
    • Correlation
  • Log files
    • Network
    • System
    • Application
    • Security
    • Web
    • DNS
    • Authentication
    • Dump files
    • VoIP and call managers
    • Session Initiation Protocol (SIP) traffic
  • syslog/rsyslog/syslog-ng
  • journalctl
  • NXLog
  • Retention
  • Bandwidth monitors
  • Metadata
    • Email
    • Mobile
    • Web
    • File
  • NetFlow/sFlow
    • Echo
    • IPFIX
  • Protocol analyzer output
4.4 - Given an incident, apply mitigation techniques or controls to secure an environment
  • Reconfigure endpoint security solutions
    • Application whitelisting
    • Application blacklisting
    • Quarantine
  • Configuration changes
    • Firewall rules
    • MDM
    • DLP
    • Content filter/URL filter
    • Update or revoke certificates
  • Isolation
  • Containment
  • Segmentation
  • SOAR
    • Runbooks
    • Playbooks
4.5 - Explain the key aspects of digital forensics
  • Documentation/evidence
    • Legal hold
    • Video
    • Admissibility
    • Chain of custody
    • Timelines of sequence of events
    • Time stamps
    • Time offset
    • Tags
    • Reports
    • Event logs
    • Interviews
  • Acquisition
    • Order of volatility
    • Disk
    • Random-access memory (RAM)
    • Swap/pagefile
    • OS
    • Device
    • Firmware
    • Snapshot
    • Cache
    • Network
    • Artifacts
  • On-premises vs. cloud
    • Right-to-audit clauses
    • Regulatory/jurisdiction
    • Data breach notification laws
  • Integrity
    • Hashing
    • Checksums
    • Provenance
  • Preservation
  • E-discovery
  • Data recovery
  • Non-repudiation
  • Strategic intelligence/counterintelligence