Menu

Incident Response

  1. Explain the importance of the incident response process.

    • Communication plan

      • Limiting communication to trusted parties
      • Disclosing based on regulatory/legislative requirements
      • Preventing inadvertent release of information
      • Using a secure method of communication
      • Reporting requirements

    • Response coordination with relevant entities

      • Legal
      • Human resources
      • Public relations
      • Internal and external
      • Law enforcement
      • Senior leadership
      • Regulatory bodies

    • Factors contributing to data criticality

      • Personally identifiable information (PII)
      • Personal health information (PHI)
      • Sensitive personal information (SPI)
      • High value asset
      • Financial information
      • Intellectual property
      • Corporate information

  2. Given a scenario, apply the appropriate incident response procedure.

    • Preparation

      • Training
      • Testing
      • Documentation of procedures

    • Detection and analysis

      • Characteristics contributing to severity level classification
      • Downtime
      • Recovery time
      • Data integrity
      • Economic
      • System process criticality
      • Reverse engineering
      • Data correlation

    • Containment

      • Segmentation
      • Isolation

    • Eradication and recovery

      • Vulnerability mitigation
      • Sanitization
      • Reconstruction/reimaging
      • Secure disposal
      • Patching
      • Restoration of permissions
      • Reconstitution of resources
      • Restoration of capabilities and services
      • Verification of logging/communication to security monitoring

    • Post-incident activities

      • Evidence retention
      • Lessons learned report
      • Change control process
      • Incident response plan update
      • Incident summary report
      • IoC generation
      • Monitoring

  3. Given an incident, analyze potential indicators of compromise.

    • Network-related

      • Bandwidth consumption
      • Beaconing
      • Irregular peer-to-peer communication
      • Rogue device on the network
      • Scan/sweep
      • Unusual traffic spike
      • Common protocol over non-standard port

    • Host-related

      • Processor consumption
      • Memory consumption
      • Drive capacity consumption
      • Unauthorized software
      • Malicious process
      • Unauthorized change
      • Unauthorized privilege
      • Data exfiltration
      • Abnormal OS process behavior
      • File system change or anomaly
      • Registry change or anomaly
      • Unauthorized scheduled task

    • Application-related

      • Anomalous activity
      • Introduction of new accounts
      • Unexpected output
      • Unexpected outbound communication
      • Service interruption
      • Application log

  4. Given a scenario, utilize basic digital forensics techniques.

    • Network

      • Wireshark
      • tcpdump

    • Endpoint

      • Disk
      • Memory

    • Mobile

    • Cloud

    • Virtualization

    • Legal hold

    • Procedures

    • Hashing

      • Changes to binaries

    • Carving

    • Data acquisition

CySA

  1. Threat and Vulnerability Management
  2. Software and Systems Security
  3. Security Operations and Monitoring
  4. Incident Response
  5. Compliance and Assessment