SYO-701 Security Operations Study Guide for the CompTIA Security+
Page 5
Incident Response
Incident response (IR) is the process of detecting, responding to, and recovering from a security incident, such as a data breach. Proper IR includes the policies, processes, and procedures needed to not only respond to and recover from an incident but also the best way to learn from an incident. You should be able to understand and summarize various IR methodologies as well as the importance each plays.
Process
The IR process is the life cycle of an incident response. While the IR process may vary slightly from organization to organization, the Security+ exam details seven main phases in the IR process: preparation, detection, analysis, containment, eradication, recovery, and lessons learned.
Preparation
In the preparation phase, the tools, processes, and procedures needed to respond to an incident are defined. This phase includes assigning IR team roles, training the IR team, documenting what will occur during the IR plan, and establishing and maintaining the security tools needed to properly respond to incidents.
Detection
During the detection phase, data is analyzed and evaluated to detect and identify potential incidents within the network. The detection phase utilizes tools such as logs, security monitoring software, and reporting to identify indicators of compromise.
Analysis
During the analysis phase, the detected and verified incident or threat is evaluated to discover information about it, such as how it occurred, how much was impacted, and possible ways to contain the spread.
Containment
Once a potential incident is identified, the next phase is containment. Containment involves minimizing the spread and potential impact of an incident. Containment may be as simple as disconnecting a device from the network or something much more complicated if the exact nature or scope of the breach has not been fully identified.
Eradication
Once the security incident is contained, the eradication phase can begin. During eradication, the artifacts connected with the breach are removed. Eradication often involves restoration from backups to ensure complete threat removal. Once the threat is eradicated, it is important to also validate its full removal.
Recovery
After the eradication phase is complete, the recovery phase can begin. The goal of the recovery phase is to return the system or network to normal working conditions. During the recovery phase, the security flaws or vulnerabilities that were leveraged during the breach are also addressed to prevent a recurrence.
Lessons Learned
After recovery, the documentation and data collected during the IR process are evaluated, and the IR team identifies new policies, procedures, or methodologies that could increase the organization’s security profile. The lessons learned are then implemented in the preparation phase of the IR process, and the cycle continues.
Training
While having a predefined IR plan is important in incident response, it will not be effective unless it has been practiced. This is where training via testing exercises comes into play.
Testing
IR testing exercises are methods that can be used to practice and review the IR plan and the effectiveness of the IR team. Testing exercises can range from simple verbal discussions to full incident simulations.
Tabletop Exercise
A tabletop exercise is a verbal discussion of the IR plan. During a tabletop exercise, a scenario is given, and the participants discuss how to respond to the situation. Tabletop exercises can also be used to brainstorm ideas to increase the IR plan’s effectiveness and identify any potential flaws.
Simulation
A simulation is a complete practice of the IR plan. A simulation provides a live environment for the IR team members to interact with so they can practice the skills needed for a successful IR response. Simulations can be designed to test a single portion or aspect of the IR plan, or they can be complete simulations involving the entire organization.
Root Cause Analysis (RCA)
An RCA occurs after an incident and uses a systematic process to identify and understand how and why the incident occurred. An RCA is useful in the mitigation of future incidents of the same nature.
Threat Hunting
Threat hunting is the process of proactively evaluating a system or network for potential vulnerabilities. Bug bounties are an example of threat hunting.
Digital Forensics
Digital forensics is the process of gathering information from a network or device to determine what occurred. Like physical forensics, gathering digital forensics is a precise science and should adhere to certain principles to ensure that the evidence gathered is viable and usable, especially if needed for legal purposes. You should be able to understand and explain key aspects of digital forensics.
E-Discovery
E-discovery, or electronic discovery, describes the process of evidence discovery between both sides of a legal case. E-discovery allows for each side to obtain digital evidence from the other party as well as any third parties involved. For example, if the defendant enters a drive into evidence, the opposing counsel has the right to evaluate the drive in question.
Legal Hold
A legal hold is a legal notice given to an organization that requires certain data or records to be preserved beyond normal business practices. Legal holds in digital forensics are commonly one of the first legal steps taken in the e-discovery process, during which evidence is obtained and gathered.
Chain of Custody
Chain of custody documentation is created during the digital forensics process. It outlines who has what, when, and where. Chain of custody forms should provide a complete timeline of who had a piece of evidence and where it has been from collection to court presentation.
Acquisition
Acquisition is the process of collecting data during a digital forensic investigation. When acquiring data, it is important to follow proper procedures and protocols to ensure its integrity and admissibility. One of the first steps in data acquisition is to evaluate it, starting with the data targets that are most likely to be lost and working up to the most stable data. This process of evaluating data based on its fragility is referred to as the order of volatility.
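The two points above that matter most in practice, integrity of what was acquired and an unbroken record of who held it, are easiest to see together. The following Python sketch is an added example, not code from the guide: the evidence image is hashed at acquisition, and every custody transfer re-hashes the item and records whether it still matches the original, so a break in custody shows up in the record itself. The evidence bytes, item identifiers, names and locations are constructed for the example.

```python
"""Chain-of-custody ledger with hash verification at every handoff (illustrative example)."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Hash used to fingerprint the acquired image."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEvent:
    action: str            # "acquired" or "transferred"
    holder: str            # who holds the evidence after this event
    location: str          # where it is held
    timestamp: str         # UTC, ISO 8601
    observed_hash: str     # hash computed at this step
    matches_original: bool  # does it still match the acquisition hash?


@dataclass
class EvidenceRecord:
    item_id: str
    description: str
    original_hash: str     # fixed at acquisition, never updated
    events: list = field(default_factory=list)


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def acquire(item_id: str, description: str, image: bytes,
            collector: str, location: str) -> EvidenceRecord:
    """Create the record and log the first custody event at collection time."""
    digest = sha256_hex(image)
    rec = EvidenceRecord(item_id, description, digest)
    rec.events.append(CustodyEvent("acquired", collector, location, _now(), digest, True))
    return rec


def transfer(rec: EvidenceRecord, image: bytes, new_holder: str, location: str) -> bool:
    """Log a handoff; re-hash the item and return whether it still matches the original."""
    digest = sha256_hex(image)
    ok = digest == rec.original_hash
    rec.events.append(CustodyEvent("transferred", new_holder, location, _now(), digest, ok))
    return ok


def custody_intact(rec: EvidenceRecord) -> bool:
    """True only if every recorded custody event verified the original hash."""
    return all(e.matches_original for e in rec.events)


def timeline(rec: EvidenceRecord) -> list:
    """The who/when/where view a chain-of-custody form presents."""
    return [(e.timestamp, e.action, e.holder, e.location, e.matches_original) for e in rec.events]


if __name__ == "__main__":
    # Constructed evidence bytes standing in for a disk image.
    image = b"constructed disk image contents"
    rec = acquire("E-001", "USB drive from workstation 12", image, "Analyst A", "Lab 1")
    transfer(rec, image, "Analyst B", "Evidence locker")
    transfer(rec, image + b"!", "Counsel", "Courtroom")   # altered copy: custody breaks here
    for row in timeline(rec):
        print(row)
    print("custody intact:", custody_intact(rec))
```

The record keeps the acquisition hash fixed and compares against it on every transfer rather than against the previous holder's hash, so a modification is attributed to the handoff where it first appeared instead of being carried forward silently.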
Reporting
Reports are a method of documentation that provide an overview of the collected digital forensic evidence without complicated and intricate technical jargon. Reports may include a brief summary of the investigation and its findings, as well as an overview of how the evidence was collected. A summary of the data collected from each device may also be included, as well as a final general conclusion based on the collected data.
Preservation
Preservation in digital forensics is the secure storage of digital data until it is required. Preservation techniques include physical preservation, such as storing a hard drive in a climate-controlled location, and preservation via digital storage systems.
Data Sources for Investigations
Within a network, there are a plethora of potential data sources that can be used during an investigation. You should be familiar with common data sources and how each can be used to gather information on an incident. Questions about this section will be given as scenarios.
Log Data
Log files are collected data on everything that occurs on a system. Log files can be used by incident responders to provide information about incidents. Various aspects of communications within a network are stored and filed in different places. You should be familiar with where to look for information regarding a specific aspect of the network.
Firewall Logs
Firewall logs collect data about traffic attempting to travel into and out of the firewall. They can be used for security monitoring, network performance monitoring, auditing, and compliance, among other activities.
Application Logs
Application logs store data created by applications, including installation data, application errors, and license information. Application logs can be used to identify performance issues as well as anomalies.
Endpoint Logs
Endpoint logs are the logs collected by endpoint devices such as laptops, workstations, and tablets. They provide insight into device usage, the presence of malware, and suspicious activity.
OS-Specific Security Logs
Security logs store data generated by security devices or software, such as authentication data, and may vary depending on the OS. They can be used to identify failed login events or brute-force attacks.
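The failed-login and brute-force point is clearest with detection logic run over actual log lines. The following Python example is added here and is not from the guide: it parses constructed lines in the style an OpenSSH server writes to auth.log (the hostnames, usernames and addresses are made up) and flags any source that produces a burst of password failures inside a sliding time window. It also notes when a successful login follows such a burst, since that is the case a responder should look at first.

```python
"""Brute-force detection over constructed sshd auth-log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in Linux auth.log style; hosts, users and addresses are made up.
SAMPLE_LOG = """\
2024-03-01T10:00:01 host1 sshd[101]: Failed password for invalid user admin from 198.51.100.7 port 50001 ssh2
2024-03-01T10:00:04 host1 sshd[102]: Failed password for invalid user root from 198.51.100.7 port 50002 ssh2
2024-03-01T10:00:07 host1 sshd[103]: Failed password for bob from 198.51.100.7 port 50003 ssh2
2024-03-01T10:00:10 host1 sshd[104]: Failed password for bob from 198.51.100.7 port 50004 ssh2
2024-03-01T10:00:13 host1 sshd[105]: Failed password for bob from 198.51.100.7 port 50005 ssh2
2024-03-01T10:00:16 host1 sshd[106]: Failed password for bob from 198.51.100.7 port 50006 ssh2
2024-03-01T10:00:20 host1 sshd[107]: Accepted password for bob from 198.51.100.7 port 50007 ssh2
2024-03-01T10:01:00 host1 sshd[108]: Failed password for alice from 203.0.113.5 port 40001 ssh2
2024-03-01T10:03:00 host1 sshd[109]: Accepted password for alice from 203.0.113.5 port 40002 ssh2
2024-03-01T10:05:00 host1 sshd[110]: Failed password for carol from 192.0.2.9 port 30001 ssh2
2024-03-01T10:07:30 host1 sshd[111]: Failed password for carol from 192.0.2.9 port 30002 ssh2
2024-03-01T10:10:00 host1 sshd[112]: Failed password for carol from 192.0.2.9 port 30003 ssh2
2024-03-01T10:12:30 host1 sshd[113]: Failed password for carol from 192.0.2.9 port 30004 ssh2
2024-03-01T10:15:00 host1 sshd[114]: Failed password for carol from 192.0.2.9 port 30005 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_line(line: str):
    """Return a dict for an sshd password event, or None for lines that are not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "failed": m["result"] == "Failed",
            "user": m["user"], "ip": m["ip"]}


def detect_brute_force(log_text: str, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Flag source IPs with at least `threshold` failures inside a sliding window.

    Returns {ip: {"failures": peak count inside the window,
                  "success_after": a login succeeded after the source was flagged,
                  "user": account that succeeded, if any}}.
    """
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["failed"]:
            q = recent[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_seconds:   # expire old failures
                q.popleft()
            if len(q) >= threshold:
                entry = flagged.setdefault(ip, {"failures": 0, "success_after": False, "user": None})
                entry["failures"] = max(entry["failures"], len(q))
        elif ip in flagged:
            # A success from a source already flagged is the higher-priority finding.
            flagged[ip]["success_after"] = True
            flagged[ip]["user"] = ev["user"]
    return flagged


if __name__ == "__main__":
    for ip, info in detect_brute_force(SAMPLE_LOG).items():
        print(ip, info)
```

With the default settings only 198.51.100.7 is flagged: 203.0.113.5 has a single failure, and 192.0.2.9 fails five times but spread over ten minutes, so no five failures ever share a sixty-second window. Widening the window or lowering the threshold changes that, which is the tuning trade-off a real rule carries.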
IPS/IDS Logs
IDS/IPS logs collect data captured by intrusion detection devices. IDS/IPS logs provide insight into potential security incidents and can be extremely helpful in discovering information pertaining to breaches and exploits.
Network Logs
Network logs collect data from network devices such as routers and switches, including configuration data, traffic data, and network flows. They can also store the information provided by packet capture software, such as Wireshark. Network logs can be used to identify network attacks, such as TCP SYN attacks.
Metadata
Metadata is data about data. For example, when a photo is taken on a cellular phone, numerous data points are generated pertaining to the photo beyond the photo itself, such as the GPS location, timestamp, resolution, and file size. Different types of data files carry different types of metadata.
Data Sources
Data sources can be native to the device or collected through outside sources and software.
Vulnerability Scans
A vulnerability scan is the process of using a tool to analyze a system or network for potential security flaws and vulnerabilities. During IR, the output of a vulnerability scan can be used to identify clues as to where an attacker may have targeted, what changes may have occurred, or what vulnerabilities may have been exploited.
Automated Reports
Automated reports are generated based on specific criteria, such as data to be analyzed and reported on, frequency of report generation, and the devices included in the report. Automated reports greatly simplify cybersecurity monitoring by automating the process rather than depending on manual intervention. Many security tools can be used to provide automated reports, such as SIEM systems.
Dashboards
A SIEM system is used by cybersecurity professionals to collect, aggregate, correlate, and analyze log data collected within a system. Depending on the type, a SIEM dashboard is composed of multiple components that provide a high-level, easily digestible view of a network on a single display. For example, a security dashboard of a SIEM system could include informational widgets, attack analysis, endpoint analysis, and security overviews.
Packet Captures
Packet capture is the process of capturing complete packets from a network for analysis. Information sent over the network is broken down into smaller segments for easy transfer. These segments are called packets.
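The following Python example is added here and is not from the guide; it serves both the packet-capture description above and the earlier note that network data can reveal TCP SYN attacks. It builds a small capture in the classic pcap file format (24-byte global header, then a 16-byte record header before each frame), parses it back to Ethernet/IPv4/TCP fields, and then looks for sources that send many bare SYNs without ever completing a handshake. Everything in the capture is constructed: the addresses, ports and frames are made up, checksums are left zero, and only the little-endian microsecond pcap variant with Ethernet link type is handled.

```python
"""Minimal pcap parser plus a SYN-flood indicator over the parsed packets (added example)."""
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4          # little-endian, microsecond-timestamp pcap
LINKTYPE_ETHERNET = 1
TCP_SYN, TCP_ACK = 0x02, 0x10


def build_tcp_packet(src_ip: str, dst_ip: str, sport: int, dport: int, flags: int) -> bytes:
    """Construct an Ethernet/IPv4/TCP frame with zeroed checksums (good enough to parse)."""
    eth = b"\x00" * 6 + b"\x00" * 6 + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp


def build_pcap(frames, ts_start: int = 1_700_000_000) -> bytes:
    """Wrap frames in a pcap global header and per-record headers, one second apart."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    body = b"".join(struct.pack("<IIII", ts_start + i, 0, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return header + body


def decode_frame(ts: float, frame: bytes) -> dict:
    """Pull the fields an analyst looks at first out of an Ethernet/IPv4/TCP frame."""
    rec = {"ts": ts, "len": len(frame), "proto": None}
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return rec                                  # not IPv4: leave undecoded
    ihl = (frame[14] & 0x0F) * 4                    # IPv4 header length in bytes
    rec["proto"] = frame[23]
    rec["src"] = ".".join(str(b) for b in frame[26:30])
    rec["dst"] = ".".join(str(b) for b in frame[30:34])
    tcp = 14 + ihl
    if rec["proto"] == 6 and len(frame) >= tcp + 14:
        rec["sport"], rec["dport"] = struct.unpack_from("!HH", frame, tcp)
        rec["flags"] = frame[tcp + 13]
    return rec


def parse_pcap(data: bytes) -> list:
    """Walk the global header and each packet record; raise on anything we do not handle."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian 0xa1b2c3d4 pcap files are handled here")
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled here")
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated packet record")
        off += incl_len
        records.append(decode_frame(ts_sec + ts_usec / 1e6, frame))
    return records


def syn_flood_sources(records: list, threshold: int = 10) -> dict:
    """Sources with at least `threshold` bare SYNs and no ACK-only segments (no completed handshake)."""
    syns, acks = Counter(), Counter()
    for r in records:
        if r.get("proto") != 6:
            continue
        f = r["flags"]
        if f & TCP_SYN and not f & TCP_ACK:
            syns[r["src"]] += 1
        elif f & TCP_ACK and not f & TCP_SYN:
            acks[r["src"]] += 1
    return {src: n for src, n in syns.items() if n >= threshold and acks[src] == 0}


def sample_capture() -> bytes:
    """Constructed capture: one normal handshake plus a burst of bare SYNs from one source."""
    client, server, flooder = "203.0.113.5", "192.0.2.10", "198.51.100.7"
    frames = [
        build_tcp_packet(client, server, 40000, 80, TCP_SYN),
        build_tcp_packet(server, client, 80, 40000, TCP_SYN | TCP_ACK),
        build_tcp_packet(client, server, 40000, 80, TCP_ACK),
    ]
    frames += [build_tcp_packet(flooder, server, 50000 + i, 80, TCP_SYN) for i in range(12)]
    return build_pcap(frames)


if __name__ == "__main__":
    parsed = parse_pcap(sample_capture())
    print(len(parsed), "packets;", "suspected SYN flood sources:", syn_flood_sources(parsed))
```

The legitimate client is not flagged because its SYN is followed by an ACK-only segment, while the flooding source sends twelve SYNs and never completes a handshake. On a real capture the threshold needs tuning against normal connection rates, and a scanner that completes connections will not match this particular rule.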