Security+ Domain 4 – Security Operations (28% weightage)
Key terms and definitions from the objectives in this domain are given below:
4.1 Given a scenario, apply common security techniques to computing resources.
Secure Baselines:
- Establish: Establishing a secure baseline involves defining a set of security configurations and standards that serve as a foundation for securing systems and networks.
- Deploy: Deploying a secure baseline involves implementing the defined security configurations on systems and networks to ensure consistent security measures across the organization.
- Maintain: Maintaining a secure baseline involves regularly updating and monitoring security configurations to adapt to evolving threats and vulnerabilities.
Hardening Targets:
- Mobile Devices: Mobile device hardening involves securing smartphones, tablets, and other portable devices by implementing security measures such as encryption, secure boot, and device management.
- Workstations: Workstation hardening involves securing desktops and laptops by configuring operating systems, applications, and network settings to minimize vulnerabilities.
- Switches: Switch hardening involves configuring network switches to enhance security by implementing measures such as access control lists (ACLs) and port security.
- Routers: Router hardening involves securing network routers by configuring access controls, disabling unnecessary services, and applying firmware updates.
- Cloud Infrastructure: Cloud infrastructure hardening involves securing virtual machines, storage, and networking components in cloud environments by implementing security best practices and configurations.
- Servers: Server hardening involves securing server systems by configuring operating system settings, disabling unnecessary services, and applying security patches.
- ICS/SCADA: ICS/SCADA hardening involves securing industrial control systems and supervisory control and data acquisition systems by implementing security measures specific to these critical systems.
- Embedded Systems: Embedded system hardening involves securing specialized computing systems integrated into devices by configuring security settings and minimizing attack surfaces.
- RTOS: RTOS hardening involves securing real-time operating systems used in critical systems by implementing security configurations and minimizing vulnerabilities.
- IoT Devices: IoT device hardening involves securing internet of things devices by configuring security settings, implementing secure communication, and updating firmware.
Wireless Devices:
Installation Considerations:
- Site Surveys: Site surveys involve assessing the physical location to determine optimal placement and configuration of wireless devices for effective coverage and performance.
- Heat Maps: Heat maps visually represent the signal strength and coverage areas of wireless networks, helping in planning and optimizing the deployment of wireless devices.
Mobile Solutions:
Mobile Device Management (MDM): MDM involves deploying software solutions to manage and secure mobile devices, enforcing policies, and facilitating remote device configuration and monitoring.
Deployment Models:
- Bring Your Own Device (BYOD): BYOD is a deployment model where employees use their personal devices for work, and organizations implement policies and security measures to manage and secure these devices.
- Corporate-Owned, Personally Enabled (COPE): COPE is a deployment model where organizations provide employees with company-owned devices, allowing some personal use within specified boundaries.
- Choose Your Own Device (CYOD): CYOD is a deployment model where employees choose from a list of approved devices provided by the organization, ensuring compatibility with corporate security policies.
Connection Methods:
- Cellular: Cellular connection involves using mobile networks for data connectivity, providing wireless access beyond Wi-Fi coverage.
- Wi-Fi: Wi-Fi connection involves using wireless local area networks (LANs) to provide high-speed internet access to mobile devices within the coverage area.
- Bluetooth: Bluetooth connection involves short-range wireless communication between devices, commonly used for connecting peripherals and accessories.
Wireless Security Settings:
- Wi-Fi Protected Access 3 (WPA3): WPA3 is the latest security protocol for Wi-Fi networks, providing stronger encryption and security features compared to previous versions.
- AAA/Remote Authentication Dial-In User Service (RADIUS): AAA/RADIUS is a network protocol that provides centralized authentication, authorization, and accounting for wireless and remote access.
- Cryptographic Protocols: Cryptographic protocols are algorithms and methods used to secure wireless communication, ensuring confidentiality and integrity.
- Authentication Protocols: Authentication protocols verify the identity of users or devices connecting to a wireless network, ensuring authorized access.
Application Security:
- Input Validation: Input validation is the process of checking user inputs to ensure they meet specified criteria, preventing malicious input that could lead to security vulnerabilities.
- Secure Cookies: Secure cookies are HTTP cookies configured with additional security attributes to protect against unauthorized access and session hijacking.
- Static Code Analysis: Static code analysis involves analyzing source code for security vulnerabilities and coding errors without executing the program.
- Code Signing: Code signing involves digitally signing software or code to verify its authenticity and integrity, ensuring it has not been tampered with.
- Sandboxing: Sandboxing isolates applications or processes from the rest of the system, limiting their access to resources and preventing potential security threats.
- Monitoring: Monitoring involves continuous observation and analysis of application behavior to detect and respond to security incidents in real-time.
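Two of the application-security items above, input validation and secure cookies, are concrete enough to show in code. The following is an added example, not part of the original study guide: the endpoint names, regular expressions and the `__Host-session` cookie name are assumptions made for illustration. It validates two request inputs by allow-list, emits a hardened `Set-Cookie` value, and audits an arbitrary `Set-Cookie` value for the attributes that protect against session hijacking.

```python
import re

# Allow-list patterns for the inputs a hypothetical login/search endpoint accepts.
# (Constructed for this example; not taken from any framework.)
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")
SESSION_ID_RE = re.compile(r"[A-Za-z0-9_-]{32,128}")

def valid_username(raw: str) -> bool:
    """Input validation by allow-list: only the expected shape passes."""
    return USERNAME_RE.fullmatch(raw) is not None

def parse_page_size(raw: str, maximum: int = 100):
    """Validate a numeric query parameter: syntax first, then range. None = rejected."""
    if not raw.isdigit():          # rejects '', '-5', '1e3', '10 OR 1'
        return None
    value = int(raw)
    return value if 1 <= value <= maximum else None

def build_session_cookie(session_id: str, max_age: int = 3600) -> str:
    """Set-Cookie value for a session cookie with the hardening attributes set."""
    if not SESSION_ID_RE.fullmatch(session_id):
        raise ValueError("session id must be an opaque random token")
    # The __Host- prefix makes the browser require Secure and Path=/ with no
    # Domain attribute, so a sibling subdomain cannot overwrite the cookie.
    return (f"__Host-session={session_id}; Path=/; Secure; HttpOnly; "
            f"SameSite=Strict; Max-Age={max_age}")

def cookie_weaknesses(set_cookie_value: str) -> list:
    """List the hardening attributes missing from a Set-Cookie header value."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    attrs = {}
    for part in parts[1:]:          # parts[0] is the name=value pair itself
        key, _, val = part.partition("=")
        attrs[key.lower()] = val.lower()
    missing = [a for a in ("Secure", "HttpOnly") if a.lower() not in attrs]
    if attrs.get("samesite") not in ("strict", "lax"):
        missing.append("SameSite=Strict|Lax")
    return missing
```

`cookie_weaknesses` is the kind of check a monitoring job can run against the response headers of an application in staging: an empty list means every attribute the definition above calls for is present.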
4.2 Explain the security implications of proper hardware, software, and data asset management.
Acquisition/Procurement Process:
Definition:
The acquisition/procurement process involves the systematic and organized approach to acquiring goods, services, or solutions, typically through a formal process that includes defining requirements, vendor selection, negotiation, and finalizing contracts.
Assignment/Accounting:
- Ownership: Ownership in the context of asset management refers to the acknowledgment of responsibility for a particular asset. It involves identifying the individual or entity responsible for the asset’s care, use, and security.
- Classification: Asset classification involves categorizing assets based on their importance, sensitivity, or criticality to the organization. It helps in prioritizing security measures and assigning appropriate safeguards.
Monitoring/Asset Tracking:
- Inventory: Asset inventory involves maintaining a comprehensive and up-to-date list of all assets within an organization, including hardware, software, and other tangible or intangible items.
- Enumeration: Asset enumeration is the process of systematically identifying and counting assets within an organization. It ensures that all assets are properly documented and accounted for.
Disposal/Decommissioning:
- Sanitization: Sanitization refers to the process of securely erasing or removing data from a storage device to prevent unauthorized access or data leakage. It ensures that sensitive information is irretrievable.
- Destruction: Asset destruction involves physically destroying or rendering an asset unusable at the end of its lifecycle. This could include shredding physical documents or securely disposing of hardware.
- Certification: Certification in the context of disposal involves obtaining formal documentation or confirmation that assets have been properly decommissioned, sanitized, or destroyed according to established security and environmental standards.
- Data Retention: Data retention refers to the established policies and practices for retaining or securely disposing of data. It includes determining how long data should be kept, when it should be archived, and when it should be permanently deleted.
4.3 Explain various activities associated with vulnerability management.
Identification Methods:
Vulnerability Scan: A vulnerability scan is a systematic process of scanning and analyzing systems, networks, or applications for security vulnerabilities. It helps identify weaknesses that could be exploited by attackers.
Application Security:
- Static Analysis: Static analysis involves examining the source code or binary of an application without executing it. It helps identify potential security vulnerabilities during the development phase.
- Dynamic Analysis: Dynamic analysis involves testing an application during runtime to identify security vulnerabilities that may not be apparent in the source code.
- Package Monitoring: Package monitoring involves tracking and analyzing the security of software packages and dependencies used in an application to ensure they are free from known vulnerabilities.
Threat Feed:
- Open-Source Intelligence (OSINT): OSINT involves collecting and analyzing information from publicly available sources to gather intelligence on potential security threats.
- Proprietary/Third-Party: Proprietary and third-party threat feeds consist of intelligence provided by private security companies or organizations external to the entity, offering insights into emerging threats.
- Information-Sharing Organization: Information-sharing organizations facilitate the exchange of threat intelligence among member entities, enabling collective defense against cyber threats.
- Dark Web: The dark web is a part of the internet that is intentionally hidden and often associated with illegal activities. Monitoring the dark web can provide intelligence on potential threats.
Penetration Testing: Penetration testing, or ethical hacking, involves simulating cyberattacks on systems, networks, or applications to identify vulnerabilities and assess the effectiveness of security measures.
Responsible Disclosure Program:
- Bug Bounty Program: A bug bounty program is a formal initiative that rewards individuals or researchers for responsibly disclosing security vulnerabilities they discover in an organization’s systems or applications.
System/Process Audit: A system or process audit involves a comprehensive examination of organizational systems, processes, and controls to ensure compliance with policies, identify vulnerabilities, and assess overall security posture.
Analysis:
- Confirmation:
  - False Positive: A false positive occurs when a security tool incorrectly identifies a benign activity or file as malicious or as a security risk.
  - False Negative: A false negative occurs when a security tool fails to detect a genuine security threat or vulnerability.
- Prioritize: Prioritization involves assessing and ranking identified vulnerabilities based on their severity, potential impact, and exploitability to focus on addressing the most critical issues first.
- Common Vulnerability Scoring System (CVSS): CVSS is a standardized scoring system that assigns numerical values to vulnerabilities based on factors such as impact, exploitability, and complexity, helping prioritize remediation efforts.
- Common Vulnerability Enumeration (CVE): CVE is a dictionary of unique identifiers assigned to publicly known cybersecurity vulnerabilities. It provides a common language for discussing and sharing information about vulnerabilities.
- Vulnerability Classification: Vulnerability classification involves categorizing vulnerabilities based on their nature, characteristics, and potential impact to facilitate better understanding and response.
- Exposure Factor: Exposure factor represents the proportion of potential damage that could occur if a vulnerability is exploited. It helps in assessing the impact of a vulnerability on an organization.
- Environmental Variables: Environmental variables refer to factors unique to an organization, such as specific security controls or mitigations in place, that can influence the impact of a vulnerability.
- Industry/Organizational Impact: Industry or organizational impact assesses how a vulnerability may affect specific sectors or an organization, considering the nature of the business and potential consequences.
- Risk Tolerance: Risk tolerance is the level of acceptable risk that an organization is willing to take. It influences decisions related to prioritization and mitigation of identified vulnerabilities.
Vulnerability Response and Remediation:
- Patching: Patching involves applying updates, fixes, or patches to software, operating systems, or firmware to address known vulnerabilities and improve security.
- Insurance: Cybersecurity insurance provides financial protection to organizations in the event of a security breach or cyber incident. It may cover costs related to data breaches, legal fees, and business interruptions.
- Segmentation: Segmentation involves dividing a network into isolated segments to contain and limit the potential impact of a security incident or compromise.
- Compensating Controls: Compensating controls are alternative security measures implemented to mitigate the risks associated with a vulnerability when the primary control is not feasible or effective.
- Exceptions and Exemptions: Exceptions and exemptions involve formally acknowledging and documenting instances where certain security policies or controls cannot be fully implemented due to specific circumstances.
- Validation of Remediation:
  - Rescanning: Rescanning involves conducting additional vulnerability scans after applying remediation measures to verify that the identified vulnerabilities have been successfully addressed.
  - Audit: Auditing involves a systematic examination and verification of security controls, processes, and configurations to ensure compliance with established security policies.
  - Verification: Verification confirms that the remediation measures implemented are effective and have successfully mitigated the identified vulnerabilities.
Reporting:
Reporting involves communicating the findings, analysis, and remediation status of vulnerabilities to relevant stakeholders. It provides transparency and supports informed decision-making in cybersecurity efforts.
4.4 Explain security alerting and monitoring concepts and tools.
Monitoring Computing Resources:
- Systems: Monitoring systems involves observing the behavior, performance, and security of individual computing devices, such as servers, workstations, and endpoints.
- Applications: Monitoring applications involves tracking the performance, usage, and security of software programs and applications to ensure they operate optimally and securely.
- Infrastructure: Monitoring infrastructure involves overseeing the components that support the overall IT environment, including networks, servers, storage, and other foundational elements.
Activities:
- Log Aggregation: Log aggregation is the process of collecting, consolidating, and centralizing log data from various sources, such as systems and applications, for analysis and monitoring.
- Alerting: Alerting involves generating notifications or alerts based on predefined criteria or thresholds, indicating potential security incidents or abnormal activities.
- Scanning: Scanning involves systematically examining systems, networks, or applications for vulnerabilities, misconfigurations, or security weaknesses.
- Reporting: Reporting involves creating and sharing detailed summaries, analyses, or visual representations of security-related data or activities to facilitate decision-making.
- Archiving: Archiving involves storing historical data, logs, or records for future reference, compliance, or analysis purposes.
Alert Response and Remediation/Validation:
- Quarantine: Quarantine involves isolating or restricting access to a system or network segment that may be compromised, preventing further potential harm.
- Alert Tuning: Alert tuning involves adjusting the sensitivity and specificity of security alerts to reduce false positives and improve the accuracy of detection.
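Log aggregation, alerting and alert tuning (above) are easier to see end to end than to define. The following is an added example, not part of the study guide: it normalizes constructed log lines from two sources (a Linux sshd syslog line and a hypothetical application CSV feed) into one event schema, then raises a brute-force alert when a single source IP accumulates a threshold of failed logins inside a sliding window. The `suppressed` set is the tuning knob: the sample data includes an address standing in for an authorised scanner that would otherwise generate a false positive. All addresses are from documentation ranges and all lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines from two sources (not real logs):
# Linux sshd syslog lines and application CSV lines "ts,ip,user,outcome".
SAMPLE_LINES = [
    "2024-05-01T10:00:01Z host1 sshd[2021]: Failed password for invalid user admin from 203.0.113.5 port 52211 ssh2",
    "2024-05-01T10:00:07Z host1 sshd[2022]: Failed password for root from 203.0.113.5 port 52212 ssh2",
    "2024-05-01T10:00:15Z host1 sshd[2023]: Failed password for invalid user test from 203.0.113.5 port 52213 ssh2",
    "2024-05-01T10:01:02Z,203.0.113.5,admin,FAIL",
    "2024-05-01T10:01:09Z,203.0.113.5,administrator,FAIL",
    "2024-05-01T10:01:20Z,203.0.113.5,admin,FAIL",
    "2024-05-01T10:01:30Z,198.51.100.7,alice,FAIL",
    "2024-05-01T10:01:40Z host1 sshd[2030]: Accepted password for alice from 198.51.100.7 port 40100 ssh2",
    "2024-05-01T10:02:00Z host1 sshd[2031]: Failed password for alice from 198.51.100.7 port 40101 ssh2",
    "2024-05-01T10:03:00Z,192.0.2.10,svc-scan,FAIL",
    "2024-05-01T10:03:10Z,192.0.2.10,svc-scan,FAIL",
    "2024-05-01T10:03:20Z,192.0.2.10,svc-scan,FAIL",
    "2024-05-01T10:03:30Z,192.0.2.10,svc-scan,FAIL",
    "2024-05-01T10:03:40Z,192.0.2.10,svc-scan,FAIL",
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9.]+)")

def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")

def normalize(line: str):
    """Map one raw line from either source onto a common event schema."""
    m = SSHD_RE.match(line)
    if m:
        return {"ts": parse_ts(m["ts"]), "source": "sshd", "ip": m["ip"], "user": m["user"],
                "outcome": "fail" if m["outcome"] == "Failed" else "success"}
    fields = line.split(",")
    if len(fields) == 4:
        ts, ip, user, outcome = fields
        return {"ts": parse_ts(ts), "source": "app", "ip": ip, "user": user,
                "outcome": "fail" if outcome == "FAIL" else "success"}
    return None   # unknown format: dropped here; a real pipeline would count these

def aggregate(lines):
    """Log aggregation: parse every source into one time-ordered event list."""
    events = [e for e in (normalize(line) for line in lines) if e]
    return sorted(events, key=lambda e: e["ts"])

def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5), suppressed=frozenset()):
    """Alert when one source IP has >= threshold failed logins inside a sliding window.
    `suppressed` is the alert-tuning allow-list (for example an authorised scanner)."""
    failures = defaultdict(list)
    for e in events:
        if e["outcome"] == "fail" and e["ip"] not in suppressed:
            failures[e["ip"]].append(e["ts"])
    alerts = []
    for ip, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)   # failures in the window ending at t
        if peak >= threshold:
            alerts.append({"ip": ip, "failures": peak})
    return alerts
```

Run untuned, the detector fires on both the attacker-like source and the scanner; suppressing the scanner removes the false positive without lowering the sensitivity for everyone else, which is the distinction the alert-tuning definition draws between sensitivity and specificity.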
Tools:
- Security Content Automation Protocol (SCAP): SCAP is a set of standards and specifications that standardize the format and nomenclature of security-related information, facilitating automation of security processes.
- Benchmarks: Benchmarks are predefined standards or guidelines used to assess and measure the security configuration and posture of systems, applications, or networks.
- Agents/Agentless: Agents are software components installed on devices to collect and transmit data for monitoring. Agentless monitoring uses existing protocols and interfaces without installing additional software.
- Security Information and Event Management (SIEM): SIEM is a comprehensive solution that combines security information management (SIM) and security event management (SEM) to provide real-time analysis of security alerts generated throughout an organization’s IT infrastructure.
- Antivirus: Antivirus software is designed to detect, prevent, and remove malicious software, including viruses, malware, and other types of threats.
- Data Loss Prevention (DLP): DLP solutions are designed to prevent unauthorized access, sharing, or leakage of sensitive data by monitoring, detecting, and blocking data transfers.
- Simple Network Management Protocol (SNMP) Traps: SNMP traps are notifications sent by network devices to a central management system to inform about specific events or conditions, such as network failures or security incidents.
- NetFlow: NetFlow is a network protocol that provides visibility into network traffic by collecting and analyzing information about IP flows, enabling monitoring and analysis of network activity.
- Vulnerability Scanners: Vulnerability scanners are tools that systematically examine systems, networks, or applications for security vulnerabilities and provide reports on potential weaknesses that need to be addressed.
4.5 Given a scenario, modify enterprise capabilities to enhance security.
Firewall:
- Rules: Firewall rules define the criteria for allowing or blocking network traffic. They specify conditions such as source and destination IP addresses, ports, and protocols.
- Access Lists: Access lists (ACLs) are sets of rules that control the flow of traffic through a network device, such as a router or firewall. They can permit or deny traffic based on various criteria.
- Ports/Protocols: Ports and protocols refer to the specific communication channels and rules used by networking protocols to transmit data between devices. Firewalls use port and protocol information to filter traffic.
- Screened Subnets: Screened subnets involve placing a firewall between internal and external networks, creating a DMZ (Demilitarized Zone) to provide an additional layer of security for servers accessible from the internet.
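The four firewall items above (rules, access lists, ports/protocols, screened subnets) all come together in an ordered rule base. As an added example, not from the study guide or any vendor, the block below models a screened-subnet design with constructed documentation-range addresses: the internet may reach only the DMZ web server on 80/443, the DMZ may never initiate connections into the internal network, and anything no rule matches is dropped. The rule names, address plan and packet fields are assumptions made for illustration.

```python
import ipaddress

# Constructed address plan for a hypothetical screened-subnet design.
ANY = ipaddress.ip_network("0.0.0.0/0")
DMZ = ipaddress.ip_network("192.0.2.0/24")        # the screened subnet
INTERNAL = ipaddress.ip_network("10.10.0.0/16")
WEB = ipaddress.ip_network("192.0.2.10/32")       # public web server inside the DMZ

# Ordered rule base (an access list): first match wins; unmatched traffic is denied.
RULES = [
    {"name": "inet-to-dmz-web", "action": "allow", "src": ANY, "dst": WEB,
     "proto": "tcp", "dports": {80, 443}},
    {"name": "dmz-to-internal", "action": "deny", "src": DMZ, "dst": INTERNAL,
     "proto": "any", "dports": None},
    {"name": "internal-to-dmz", "action": "allow", "src": INTERNAL, "dst": DMZ,
     "proto": "tcp", "dports": {22, 443}},
    {"name": "internal-outbound", "action": "allow", "src": INTERNAL, "dst": ANY,
     "proto": "any", "dports": None},
]

def matches(rule: dict, packet: dict) -> bool:
    """Match on source, destination, protocol and destination port."""
    if ipaddress.ip_address(packet["src"]) not in rule["src"]:
        return False
    if ipaddress.ip_address(packet["dst"]) not in rule["dst"]:
        return False
    if rule["proto"] != "any" and rule["proto"] != packet["proto"]:
        return False
    if rule["dports"] is not None and packet.get("dport") not in rule["dports"]:
        return False
    return True

def evaluate(packet: dict, rules=RULES):
    """Return (action, rule_name); ('deny', 'implicit-deny') when nothing matches."""
    for rule in rules:
        if matches(rule, packet):
            return rule["action"], rule["name"]
    return "deny", "implicit-deny"

def log_line(packet: dict, rules=RULES) -> str:
    """Render the decision the way a firewall log would record it."""
    action, name = evaluate(packet, rules)
    return (f"{action.upper()} rule={name} {packet['proto']} "
            f"{packet['src']} -> {packet['dst']}:{packet.get('dport', '-')}")
```

Rule order is the point to check when reviewing such a list: moving `internal-outbound` above `dmz-to-internal` would not change these results, but placing an `allow any any` rule first would silently shadow every deny beneath it.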
IDS/IPS:
- Trends: IDS/IPS systems analyze network or system activity patterns to identify trends or anomalies that may indicate potential security threats or attacks.
- Signatures: Signatures in IDS/IPS represent predefined patterns or characteristics of known malicious activities. The system compares network or system activity against these signatures to detect and alert on potential threats.
Web Filter:
- Agent-Based: Agent-based web filtering involves installing software agents on individual devices to control and monitor internet access based on predefined policies.
- Centralized Proxy: Centralized proxy web filtering involves routing internet traffic through a central proxy server that filters and monitors content based on specified criteria.
- Universal Resource Locator (URL) Scanning: URL scanning in web filtering involves inspecting and categorizing web addresses to control access to specific websites based on content or security policies.
- Content Categorization: Content categorization in web filtering involves classifying websites or web content into categories (e.g., social media, gaming, malicious) for more granular control over access.
- Block Rules: Block rules in web filtering specify conditions under which access to certain websites or content categories is denied, providing a level of control over internet access.
- Reputation: Reputation-based web filtering assesses the trustworthiness of websites or content based on historical data and reputation scores to block or allow access.
Operating System Security:
- Group Policy: Group Policy is a feature in Microsoft Windows that allows administrators to define and enforce security settings, configurations, and restrictions for users and computers in a network.
- SELinux: SELinux (Security-Enhanced Linux) is a security framework for Linux systems that implements mandatory access controls (MAC) to restrict the actions of processes and users.
Implementation of Secure Protocols:
- Protocol Selection: Protocol selection involves choosing secure communication protocols, such as HTTPS for web traffic, to ensure data confidentiality and integrity.
- Port Selection: Port selection involves using specific communication ports, such as well-known ports for secure protocols, to facilitate secure data transmission.
- Transport Method: The transport method specifies how data is transmitted, with secure protocols often using encryption methods such as TLS or SSL to protect data during transmission.
DNS Filtering:
Definition:
DNS filtering involves controlling access to websites based on domain names. It can be used to block access to malicious or inappropriate sites by associating domain names with certain categories or policies.
Email Security:
- Domain-Based Message Authentication Reporting and Conformance (DMARC): DMARC is an email authentication and reporting protocol that helps protect against email spoofing and phishing by allowing senders to set policies for email authentication and reporting.
- DomainKeys Identified Mail (DKIM): DKIM is an email authentication method that uses cryptographic signatures to verify the authenticity of an email message and ensure it has not been tampered with in transit.
- Sender Policy Framework (SPF): SPF is an email authentication protocol that helps prevent email spoofing by allowing domain owners to specify which mail servers are authorized to send emails on behalf of their domain.
- Gateway: Email security gateways are devices or services positioned at the network gateway to filter and protect against email-borne threats, including spam, malware, and phishing attacks.
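SPF, DKIM and DMARC are defined above as three separate protocols, but a receiving gateway applies them as one decision. The following is an added example, not from the study guide or any mail software: it evaluates a constructed SPF record against a connecting IP (only the `ip4`, `ip6` and `all` mechanisms are implemented; `a`, `mx` and `include` need further DNS lookups and are reported as `permerror` here), parses a constructed `_dmarc` TXT record, and applies the DMARC policy using the alignment rules. The domain `example.test`, its records and the DNS lookup table are all assumptions; DKIM signature verification itself is taken as an input result rather than implemented.

```python
import ipaddress

# Constructed DNS TXT data for a hypothetical domain (not real DNS records).
TXT_RECORDS = {
    "example.test": ["v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.25 -all"],
    "_dmarc.example.test": ["v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.test; adkim=s; aspf=s"],
}

SPF_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup_txt(name: str) -> list:
    """Stand-in for a DNS TXT query, answered from the constructed table."""
    return TXT_RECORDS.get(name, [])

def spf_check(domain: str, sender_ip: str) -> str:
    """Evaluate the domain's SPF record against the connecting IP (RFC 7208 subset)."""
    records = [r for r in lookup_txt(domain) if r.split()[0] == "v=spf1"]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"            # more than one SPF record is an error
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qualifier, mech = "+", term    # default qualifier is '+'
        if term[0] in SPF_RESULT:
            qualifier, mech = term[0], term[1:]
        if mech == "all":
            return SPF_RESULT[qualifier]
        if mech.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return SPF_RESULT[qualifier]
            continue
        return "permerror"             # a/mx/include/exists: not implemented here
    return "neutral"                   # record ended without an 'all' term

def dmarc_policy(domain: str) -> dict:
    """Parse the _dmarc TXT record into a tag dictionary, with DMARC defaults applied."""
    policy = {"p": "none", "adkim": "r", "aspf": "r", "pct": "100"}
    for rec in lookup_txt("_dmarc." + domain):
        if not rec.startswith("v=DMARC1"):
            continue
        for tag in rec.split(";"):
            key, _, value = tag.strip().partition("=")
            if key:
                policy[key] = value
    return policy

def dmarc_disposition(from_domain, spf_result, spf_domain, dkim_result, dkim_domain) -> str:
    """Deliver if SPF or DKIM passes AND the authenticated domain aligns with the
    From: domain; otherwise apply p= (none / quarantine / reject)."""
    policy = dmarc_policy(from_domain)

    def aligned(auth_domain, mode):
        if auth_domain is None:
            return False
        if mode == "s":                # strict alignment: exact match only
            return auth_domain == from_domain
        return auth_domain == from_domain or auth_domain.endswith("." + from_domain)

    if (spf_result == "pass" and aligned(spf_domain, policy["aspf"])) or \
       (dkim_result == "pass" and aligned(dkim_domain, policy["adkim"])):
        return "deliver"
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy["p"]]
```

The alignment step is what makes DMARC more than "SPF or DKIM passed": a message can carry a valid SPF pass for some unrelated envelope domain and still be rejected because that domain does not match the visible From: header.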
File Integrity Monitoring:
Definition:
File integrity monitoring involves continuously monitoring and verifying the integrity of files on systems or networks to detect unauthorized changes or modifications.
Data Loss Prevention (DLP): DLP is a set of tools and processes designed to prevent unauthorized access, sharing, or leakage of sensitive data by monitoring, detecting, and blocking data transfers.
Network Access Control (NAC): NAC is a security solution that enforces policies to control access to a network, ensuring that only authorized and compliant devices are allowed to connect.
Endpoint Detection and Response (EDR)/Extended Detection and Response (XDR): EDR and XDR are security solutions that focus on detecting and responding to security incidents on endpoints, providing enhanced capabilities beyond traditional antivirus solutions.
User Behavior Analytics (UBA): UBA involves analyzing patterns of user behavior within a network to detect anomalies or deviations that may indicate potential security threats or insider attacks.
4.6 Given a scenario, implement and maintain identity and access management.
User Account Management:
- Provisioning/De-provisioning User Accounts:
  - Provisioning: The process of creating and configuring user accounts to grant access to resources, systems, or applications.
  - De-provisioning: The process of disabling or removing user accounts when users no longer require access, ensuring security and compliance.
- Permission Assignments and Implications: Assigning permissions involves granting specific access rights or privileges to users based on their roles or responsibilities. Understanding the implications involves recognizing the potential security and operational impacts of these permissions.
- Identity Management:
  - Identity Proofing: Identity proofing is the process of verifying the identity of an individual during the initial account creation or registration, typically through the presentation of valid credentials or identity documents.
  - Federation: Federation is an identity management approach that enables users to access multiple systems or applications with a single set of credentials, often through a trust relationship between identity providers and service providers.
Single Sign-On (SSO):
- Lightweight Directory Access Protocol (LDAP): LDAP is a protocol used for accessing and managing directory information, such as user profiles and authentication credentials, in a network.
- Open Authorization (OAuth): OAuth is an open standard for secure authentication and authorization, allowing users to grant third-party applications limited access to their resources without revealing their credentials.
- Security Assertions Markup Language (SAML): SAML is an XML-based standard for exchanging authentication and authorization data between parties, enabling SSO and secure communication across different domains.
- Interoperability: Interoperability refers to the ability of different systems or components to work together seamlessly, facilitating the exchange of information and functionality.
- Attestation: Attestation involves verifying and confirming the accuracy of user account information, permissions, and access rights, typically through periodic reviews or audits.
Access Controls:
- Mandatory: Mandatory access controls enforce access restrictions based on security policies or classifications, limiting access to resources based on predefined rules.
- Discretionary: Discretionary access controls allow users to set permissions on resources, giving them the discretion to control access to their own data or files.
- Role-Based: Role-based access controls assign permissions based on a user’s role or job function, streamlining access management and reducing complexity.
- Rule-Based: Rule-based access controls use predefined rules or conditions to determine access permissions, allowing for granular control based on specific criteria.
- Attribute-Based: Attribute-based access controls use attributes such as user characteristics, environmental conditions, or resource properties to make access decisions.
- Time-of-Day Restrictions: Time-of-day restrictions limit access to resources based on specific time periods, helping enforce security policies during designated time frames.
- Least Privilege: The principle of least privilege ensures that users are granted the minimum level of access necessary to perform their tasks, reducing the risk of unauthorized access.
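The access-control models above are usually layered rather than chosen one at a time. As an added example, not from the study guide or any product, the block below combines three of them in one decision function for a hypothetical SOC platform: role-based grants, a rule-based time-of-day restriction attached to one role, and a mandatory-style check that the user's clearance dominates the resource classification. A small least-privilege helper reports permissions a user holds but has never exercised, which is the input to an attestation review. The roles, permissions, labels and users are all constructed for illustration.

```python
from datetime import datetime, time

# Constructed policy data for a hypothetical SOC platform.
ROLE_PERMISSIONS = {                       # role-based: permissions attach to roles
    "analyst": {"alerts:read", "logs:read"},
    "responder": {"alerts:read", "logs:read", "hosts:quarantine"},
    "auditor": {"logs:read", "reports:read"},
}
TIME_WINDOWS = {"auditor": (time(8, 0), time(18, 0))}   # rule-based: time-of-day restriction
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}  # mandatory labels

def in_window(window, now: datetime) -> bool:
    start, end = window
    return start <= now.time() <= end

def authorize(user: dict, action: str, resource: dict, now: datetime):
    """Return (allowed, reason).
    user = {"name", "roles", "clearance"}; resource = {"name", "classification"}."""
    # Role-based: which of the user's roles grant this action at all?
    granting = [r for r in user["roles"] if action in ROLE_PERMISSIONS.get(r, ())]
    if not granting:
        return False, f"no role grants {action}"
    # Rule-based: a grant only counts if that role is usable at this time of day.
    usable = [r for r in granting
              if r not in TIME_WINDOWS or in_window(TIME_WINDOWS[r], now)]
    if not usable:
        return False, f"{action} is restricted to business hours for {granting}"
    # Mandatory: clearance must dominate the resource label, whatever the role says.
    if LEVELS[user["clearance"]] < LEVELS[resource["classification"]]:
        return False, f"clearance {user['clearance']} below {resource['classification']}"
    return True, f"allowed via role {usable[0]}"

def unused_permissions(user: dict, observed_actions: set) -> set:
    """Least-privilege review: permissions granted by the user's roles but never used."""
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user["roles"]))
    return granted - observed_actions
```

The order of the checks is deliberate: the mandatory label check runs last and cannot be overridden by any role, which is the defining property of mandatory access control, while the discretionary model (owner-set permissions) is the one layer intentionally absent from this policy engine.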
Multifactor Authentication:
Implementations:
- Biometrics: Biometrics involves using unique physical or behavioral characteristics, such as fingerprints or facial recognition, for user authentication.
- Hard/Soft Authentication Tokens: Authentication tokens, whether hardware (e.g., physical devices) or software-based (e.g., mobile apps), generate one-time codes to enhance authentication security.
- Security Keys: Security keys are physical devices used for authentication, often in conjunction with other factors, such as passwords or biometrics.
Factors:
- Something You Know: This factor involves knowledge-based authentication, such as passwords or PINs.
- Something You Have: This factor involves possession-based authentication, such as smart cards or authentication tokens.
- Something You Are: This factor involves biometric authentication, relying on unique physical or behavioral characteristics.
- Somewhere You Are: This factor involves location-based authentication, verifying the user’s physical location.
Password Concepts:
Password Best Practices:
- Length: Password length is a key factor in password strength, with longer passwords generally providing better security.
- Complexity: Password complexity involves using a combination of uppercase letters, lowercase letters, numbers, and special characters to enhance security.
- Reuse: Password reuse refers to using the same password across multiple accounts, which poses security risks.
- Expiration: Password expiration policies require users to change their passwords at regular intervals to enhance security.
- Age: Password age refers to the duration for which a password is valid before it needs to be changed.
Password Managers: Password managers are tools that securely store and manage passwords, often with features like password generation and synchronization across devices.
Passwordless: Passwordless authentication eliminates the need for traditional passwords, relying on alternative authentication methods, such as biometrics, tokens, or mobile-based solutions.
Privileged Access Management Tools:
- Just-in-Time Permissions: Just-in-time permissions grant elevated access only for the necessary duration, reducing the risk associated with prolonged elevated privileges.
- Password Vaulting: Password vaulting involves securely storing and managing privileged account credentials, providing controlled access to authorized users.
- Ephemeral Credentials: Ephemeral credentials are temporary access credentials with a limited validity period, enhancing security by reducing the exposure of privileged information.
4.7 Explain the importance of automation and orchestration related to secure operations.
Use Cases of Automation and Scripting:
- User Provisioning: Automatically creating, modifying, or deleting user accounts based on predefined criteria.
- Resource Provisioning: Automating the allocation and de-allocation of resources like servers, storage, and networking components.
- Guard Rails: Implementing automated guardrails to enforce security policies and compliance.
- Security Groups: Automating the assignment of users to security groups based on roles and responsibilities.
- Ticket Creation: Automatically generating tickets for security incidents or events.
- Escalation: Implementing automated escalation procedures for incidents that require higher-level attention.
- Enabling/Disabling Services and Access: Automating the process of enabling or disabling services and access based on predefined criteria.
- Continuous Integration and Testing: Automating code integration and testing processes to identify and address security vulnerabilities.
- Integrations and Application Programming Interfaces (APIs): Automating interactions between different security tools and systems using APIs.
Benefits:
- Efficiency/Time Saving: Saving time and resources by automating repetitive tasks.
- Enforcing Baselines: Ensuring that systems and configurations adhere to established security baselines.
- Standard Infrastructure Configurations: Promoting consistency and reducing the attack surface by enforcing standardized configurations.
- Scaling in a Secure Manner: Facilitating the scaling of infrastructure while maintaining security controls.
- Employee Retention: Reducing the burden of manual, repetitive tasks to enhance employee job satisfaction.
- Reaction Time: Improving the speed and effectiveness of incident response through automation.
- Workforce Multiplier: Maximizing the impact of the security workforce by automating routine tasks.
Other Considerations:
- Complexity: Balancing automation with simplicity to avoid unnecessary complexity.
- Cost: Evaluating both initial implementation costs and ongoing maintenance costs.
- Single Point of Failure: Implementing redundancy and failover mechanisms to mitigate the risk of a single point of failure.
- Technical Debt: Considering the long-term impact of automation decisions on technical debt and addressing it proactively.
- Ongoing Supportability: Ensuring that automated processes are sustainable over time and can be supported effectively.
4.8 Explain appropriate incident response activities.
Process:
- Preparation: Establishing a plan, roles, responsibilities, and resources to respond to incidents effectively.
- Detection: Identifying and recognizing security incidents through monitoring and alerting systems.
- Analysis: Investigating and understanding the nature, scope, and impact of a security incident.
- Containment: Isolating and limiting the impact of a security incident to prevent further damage.
- Eradication: Identifying and eliminating the root cause of a security incident.
- Recovery: Restoring affected systems and services to normal operation after a security incident.
- Lessons Learned: Conducting a post-incident review to identify improvements and update response plans.
Training:
Providing regular instruction and knowledge updates to incident response team members.
Testing:
- Tabletop Exercise: Simulating an incident scenario in a discussion-based exercise to evaluate the team’s response.
- Simulation: Conducting realistic simulations of incidents to assess an organization’s response capabilities.
Root Cause Analysis:
Investigating and determining the underlying cause of a security incident to prevent recurrence.
Threat Hunting:
Proactively searching for signs of malicious activity within the network.
Digital Forensics:
- Legal Hold: Preserving and protecting digital evidence to ensure its admissibility in legal proceedings.
- Chain of Custody: Documenting and maintaining the integrity of digital evidence throughout an investigation.
- Acquisition: Collecting digital evidence using forensically sound methods.
- Reporting: Generating detailed and accurate reports documenting the findings of a digital forensics investigation.
- Preservation: Ensuring the proper preservation of digital evidence to maintain its authenticity.
- E-Discovery: Following legal procedures for the identification, collection, and production of electronically stored information during legal proceedings.
4.9 Given a scenario, use data sources to support an investigation.
Log Data:
- Firewall Logs: Records generated by a firewall, capturing information about network traffic, allowed or denied connections, and potential security incidents.
- Application Logs: Entries produced by applications, detailing events, errors, or activities within the software.
- Endpoint Logs: Records generated by endpoints (computers, devices), providing information about user activities, system changes, and potential threats.
- OS-Specific Security Logs: Operating system logs dedicated to security-related events, aiding in the detection of suspicious activities or system compromises.
- IPS/IDS Logs: Logs from Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS), containing information about detected threats or attacks.
- Network Logs: Records capturing network-related activities, such as connections, traffic patterns, and anomalies.
- Metadata: Additional information accompanying log entries, offering context to aid in the analysis of log data.
Data Sources:
- Vulnerability Scans: Results and reports from scans designed to identify vulnerabilities in systems or networks.
- Automated Reports: Automatically generated reports providing insights into various security metrics, system status, or compliance.
- Dashboards: Visual representations of security-related data, offering a quick overview of the current security posture.
- Packet Captures: Captured data packets containing information about network communications, often used for analyzing and troubleshooting network issues.