SKILL BENCHMARK

Security+: Operations and Incident Response Competency

  • 20m
  • 20 questions
The Security+: Operations and Incident Response benchmark will measure your ability to recognize key terms and concepts related to operations and incident response. You will be evaluated on security assessment tools and mitigation, incident response and digital forensics, and supporting investigations. A learner who scores high on this benchmark demonstrates that they have the skills related to understanding key operations and incident response terminology and concepts.

Topics covered

  • compare different types of forensic documentation and evidence, including legal holds, videos, admissibility issues, a chain of custody, and timelines of events in sequence
  • compare the following attack frameworks: MITRE ATT&CK, the Diamond Model of Intrusion Analysis, and Cyber Kill Chain
  • compare the following packet capture and replay tools: Tcpreplay, Tcpdump, and Wireshark
  • compare various forensic tools like dd, Memdump, WinHex, FTK Imager, and Autopsy
  • define configuration changes for mitigation, like firewall rules, MDM, DLP, content and URL filtering, and updating or revoking certificates
  • define different incident response plan types used by the IRT, such as communication, disaster recovery, business continuity, and continuity of operation planning (COOP)
  • define the concept of secure orchestration, automation, and response (SOAR) and its associated runbooks and playbooks
  • describe exploitation frameworks, exploitation kits, and various password crackers like John the Ripper and Cain
  • describe incident response plans and processes, such as preparation, identification, containment, eradication, recovery, and lessons learned
  • describe methods for reconfiguring endpoint security solutions, like application whitelisting, blacklisting, and quarantine
  • describe shell and script environments like SSH, PowerShell, Python, and OpenSSL
  • describe the analysis and escalation stages of the incident response lifecycle
  • describe the containment and eradication stages of the incident response lifecycle
  • describe the following network reconnaissance and discovery tools: tracert/traceroute, nslookup/dig, ipconfig/ifconfig, Nmap, ping/pathping, hping, netstat, netcat, arp, route, curl, theHarvester, sn1per, DNSenum, Nessus, and Cuckoo
  • describe the forensic acquisition concept, "order of volatility," and identify potential acquisition sources, such as disks, RAM, swap/pagefile, OS, firmware, and snapshots
  • describe the mitigation concepts of isolation, containment, and segmentation with popular use cases
  • describe the preparation and selection stages of the incident response lifecycle
  • survey file manipulation tools, as in head, tail, cat, grep, chmod, and logger
  • survey various forensic concepts, such as integrity, provenance, preservation, e-discovery, data recovery, non-repudiation, and strategic intelligence/counterintelligence
  • survey various types of incident response exercises, including tabletop, walkthroughs, and simulations