Security+: Operations and Incident Response Competency (Intermediate Level)

Topics covered

• compare different types of forensic documentation and evidence, including legal holds, videos, admissibility issues, a chain of custody, and timelines of events in sequence
• compare the following attack frameworks: MITRE ATT&CK, the Diamond Model of Intrusion Analysis, and Cyber Kill Chain
• compare the following packet capture and replay tools: Tcpreplay, Tcpdump, and Wireshark
• compare various forensic tools like dd, Memdump, WinHex, FTK Imager, and Autopsy
• define configuration changes for mitigation, like firewall rules, MDM, DLP, content and URL filtering, and updating or revoking certificates
• define different incident response plan types used by the IRT, such as communication, disaster recovery, business continuity, and continuity of operation planning (COOP)
• define the concept of secure orchestration, automation, and response (SOAR) and its associated runbooks and playbooks
• describe exploitation frameworks, exploitation kits, and various password crackers like John the Ripper and Cain
• describe incident response plans and processes, such as preparation, identification, containment, eradication, recovery, and lessons learned
• describe methods for reconfiguring endpoint security solutions, like application whitelisting, blacklisting, and quarantine
• describe shell and script environments like SSH, PowerShell, Python, and OpenSSL
• describe the analysis and escalation stages of the incident response lifecycle
• describe the containment and eradication stages of the incident response lifecycle
• describe the following network reconnaissance and discovery tools: tracert/traceroute, nslookup/dig, ipconfig/ifconfig, Nmap, ping/pathping, hping, netstat, netcat, arp, route, curl, theHarvester, sn1per, DNSenum, Nessus, and Cuckoo
• describe the forensic acquisition concept, "order of volatility," and identify potential acquisition sources, such as disks, RAM, swap/pagefile, OS, firmware, and snapshots
• describe the mitigation concepts of isolation, containment, and segmentation with popular use cases
• describe the preparation and selection stages of the incident response lifecycle
• survey file manipulation tools, as in head, tail, cat, grep, chmod, and logger
• survey various forensic concepts, such as integrity, provenance, preservation, e-discovery, data recovery, non-repudiation, and strategic intelligence/counterintelligence
• survey various types of incident response exercises, including tabletop, walkthroughs, and simulations