4.0 Operations and Incident Response

4.1 Given a scenario, use the appropriate tool to assess organizational security.

Network reconnaissance and discovery
--- tracert/traceroute
--- nslookup/dig
--- ipconfig/ifconfig
--- nmap
--- hping
--- netstat
--- IP scanners
--- arp
--- route
--- curl
--- theHarvester
--- sn1per
--- scanless
--- dnsenum
--- Nessus
--- Cuckoo
File manipulation
--- head
--- tail
--- cat
--- grep
--- chmod
--- logger
Shell and script environments
--- SSH
--- PowerShell
--- Python
--- OpenSSL
Packet capture
--- Tcpreplay
--- Tcpdump
--- Wireshark
Forensics
--- dd
--- Memdump
--- WinHex
--- FTK imager
Exploitation frameworks
Password crackers
Data sanitization

4.2 Summarize the importance of policies, processes, and procedures for incident response.

Incident response plans
Incident response process
--- Preparation
--- Identification
--- Containment
--- Eradication
--- Recovery
--- Lessons learned
Exercises
--- Tabletop
--- Walkthroughs
--- Simulations
Attack frameworks
--- MITRE ATT&CK
--- The Diamond Model of Intrusion Analysis
--- Cyber Kill Chain
Stakeholder management
Communication plan
Disaster recovery plan
Business continuity plan
Continuity of operations planning (COOP)
Incident response team
Retention policies

4.3 Given an incident, utilize appropriate data sources to support an investigation.

Vulnerability scan output
SIEM dashboards
--- Sensor
--- Sensitivity
--- Trends
--- Alerts
--- Correlation
Log files
--- Network
--- System
--- Application
--- Security
--- Web
--- DNS
--- Authentication
--- Dump files
--- VoIP and call managers
--- Session Initiation Protocol (SIP) traffic
syslog/rsyslog/syslog-ng
journalctl
NXLog
Bandwidth monitors
Metadata
--- Email
--- Mobile
--- Web
--- File
Netflow/sFlow
--- Netflow
--- sFlow
--- IPFIX
Protocol analyzer output

4.4 Given an incident, apply mitigation techniques or controls to secure an environment.

Reconfigure endpoint security solutions
--- Application approved list
--- Application blacklist/deny list
--- Quarantine
Configuration changes
--- Firewall rules
--- MDM
--- DLP
--- Content filter/URL filter
--- Update or revoke certificates
Isolation
Containment
Segmentation
SOAR
--- Runbooks
--- Playbooks

4.5 Explain the key aspects of digital forensics.

Documentation/evidence
--- Legal hold
--- Video
--- Admissibility
--- Chain of custody
--- Timelines of sequence of events
     --- Time stamps
     --- Time offset
--- Tags
--- Reports
--- Event logs
--- Interviews
Acquisition
--- Order of volatility
--- Disk
--- Random-access memory (RAM)
--- Swap/pagefile
--- OS
--- Device
--- Firmware
--- Snapshot
--- Cache
--- Network
--- Artifacts
On-premises vs. cloud
--- Right-to-audit clauses
--- Regulatory/jurisdiction
--- Data breach notification laws
Integrity
--- Hashing
--- Checksums
--- Provenance
Preservation
E-discovery
Data recovery
Non-repudiation
Strategic intelligence/counterintelligence