Professional Documents
Culture Documents
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 2
Syllabus Objectives Covered
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 3
Incident Response Process
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 4
Cyber Incident Response Team
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 5
Communication Plan and Stakeholder Management
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 6
Incident Response Plan
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 7
Cyber Kill Chain Attack Framework
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 8
Other Attack Frameworks
• MITRE ATT&CK
• Database of TTPs
• Tactic categories
• No explicit sequencing
• The Diamond Model of Intrusion
Analysis
• Framework for describing
adversary capability and
infrastructure plus effect on victim
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 9
Incident Response Exercises
• Tabletop
• Facilitator presents a scenario
• Does not involve live systems
• Walkthroughs
• Responders demonstrate
response actions
• Simulations
• Red team performs a simulated
intrusion
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 10
Incident Response, Disaster Recovery, and Retention Policy
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 11
Topic 17B
Utilize Appropriate Data Sources for Incident Response
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 12
Syllabus Objectives Covered
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 13
Incident Identification
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 14
Security and Information Event Management
• Correlation
• Static rules and logical expressions
• Threat intelligence feeds
• AI-assisted analysis
• Retention
• Preserve evidence of attack
• Facilitate threat hunting and retrospective incident identification
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 15
SIEM Dashboards
• Analyst dashboard
• Console of alerts that require
prioritization and investigation
• Manager dashboard
• Overall status indicators
• Sensitivity and alerts
• Log only/alert/alarm
• Sensors
• Source for network traffic data
• Aggregate data under one
dashboard
• Per-sensor dashboards
Screenshot courtesy of Security Onion (securityonion.net.)
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 16
Trend Analysis
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 17
Logging Platforms
• Syslog
• Logging format, protocol, and server (daemon) software
• PRI – facility and severity
• Timestamp
• Host
• Message part
• Rsyslog and syslog-ng
• journalctl
• Binary logging
• Nxlog
• Log normalization tool
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 18
Network, OS, and Security Log Files
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 19
Application Log Files
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 20
Metadata
• File
• Date/time and security attributes
• Extended attributes and properties
• Web
• Request and response headers
• Email
• Internet header listing message transfer agents
• Spam/security analysis
• Mobile
• Call detail records (CDRs)
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 21
Network Data Sources
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 22
Topic 17C
Apply Mitigation Controls
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 23
Syllabus Objectives Covered
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 24
Containment Phase
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 25
Incident Eradication and Recovery
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 26
Firewall Configuration Changes
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 27
Content Filter Configuration Changes
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 28
Endpoint Configuration Changes
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 29
Security Orchestration, Automation, and Response
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 30
Adversarial Artificial Intelligence
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 31
Lesson 17
Summary
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 32