For Section 4 of the CompTIA Security+ SY-601 exam, Operations and Incident Response, we will cover topics including Tools for Organizational Security, Incident Response Policies, Processes and Procedures, Risk Mitigation, Risk Controls, and Digital Forensics.
1. Incident Response Policies
Incident Response Planning covers the worst-case scenario: a successful cyberattack on your organization. The plan lays out the stakeholders and their duties in the event of an attack, and it is approved by senior management to avoid confusion during an actual incident. While each organization has its own specialized teams and assets to defend against a security incident, there is no need to write an Incident Response Plan from scratch. The National Institute of Standards and Technology (NIST) has already prepared a generic plan, which can be customized to suit your needs.
- Response Team – The Incident Response Team comprises a wide variety of members, including subject matter experts from domains like cloud infrastructure and networking, the physical security team, management executives, legal counsel, etc. A diversified team, trained in their areas of expertise and covering all areas, is critical for a successful incident response. Even though not all team members will be called upon for every incident, everyone must be on standby for an immediate call.
- Communications – It is vital for the Incident Response Team to communicate the status of the incident, its impact on end users, the expected time to recovery, etc. only to the relevant stakeholders and in a timely manner. Uncontrolled spread of information may jeopardize the incident response plan, as it may reach the attacker before a strong remediation plan has been created and implemented by the response team. It may also cause panic among the application’s end users, damaging the organization’s credibility and market image.
- Monitoring – Now we have a strong response team ready with a response plan in hand and instructions about whom to inform of developments during incident response. Next, we have to identify security attacks by continuously monitoring devices and networks using tools like IDS/IPS, firewalls, server syslogs, EDRs, etc. Organizations can integrate all these tools into a common SIEM (Security Information and Event Management) tool for easier monitoring and identification of attacks.
- Stages of Incident Response – Incident response efforts begin the moment an incident is identified by the first person on the monitoring team.
- Containment – It is the duty of the first observer to isolate the attacked system right away from the other devices on the network, using one of three techniques: Segmentation (connect the system to a quarantine VLAN), Isolation (remove the system from the intranet but keep it connected to the Internet), or Removal (completely disconnect the system).
- Evaluation, Escalation, and Notification – Once an incident is contained, the response team should evaluate its impact on a scale of low, moderate, and high. Based on this evaluation, the incident is escalated to the appropriate level and notification is sent to the relevant stakeholders.
- Mitigation – Incident mitigation varies from application to application, but the goal of this stage is to reduce the damage as fast as possible and limit the loss to the organization.
- Eradication and Recovery – Eradication and recovery activities are normally carried out together. Any trace or leftover of the attack, such as configuration changes or compromised accounts, must be removed from the impacted systems. There may be a need to re-image applications or redeploy servers with updated images and software, to remove any backdoors and prevent the servers from being compromised again. Old data devices or compromised servers may need to be purged or removed as well.
- Incident Closure – The incident can be officially closed after two activities: validation to ensure that all fixes have been applied to the impacted systems, and a lessons-learned session. Additionally, an incident summary report should be prepared with the complete timeline of the incident, the list of team members involved, and the outcome of the incident, along with suggestions for improving monitoring and mitigation techniques.
2. Investigation
Incident closure doesn’t necessarily mean the work is over for the Incident Response Team. A thorough investigation of the system is required to find the root cause of the problem and ensure that a proper fix is applied.
- Logging – System logs are the simplest yet most critical information-gathering tool, available by default in all operating systems. They may be stored locally in a readable text format or in a binary format. Syslog is the de facto standard for logging messages; it can store logs locally or forward them to a remote archive server. Logs have several levels of detail, from debug upward, and provide information like the event timestamp, severity level, etc.
- Log Analysis – By now we are aware that a production-grade network in any organization has many endpoints. Manually analyzing the huge volume of logs from these systems is neither productive nor efficient. We need centralized SIEM (Security Information and Event Management) systems and SOAR (Security Orchestration, Automation, and Response) platforms to make this process faster and more reliable. They help correlate events from different sources and automatically respond to different scenarios using playbooks.
- Audit Reports – Audits are often conducted by a neutral company to verify whether all standards and compliance requirements are met by an organization acting as a service provider for its clients. There are three types of audit report: the SOC 1 report (prepared to assure customers that all standards are met), the SOC 2 report (prepared with detailed testing results for the service provider in accordance with the CIA triad), and the SOC 3 report (a high-level report on the service provider in accordance with the CIA triad).
- Investigation Categories – Organizations undertake four different types of investigation: Operational Investigation (covers technical issues, which are fixed internally after a root cause analysis (RCA)), Criminal Investigation (covers criminal offenses and is conducted with the help of law enforcement), Civil Investigation (covers civil disputes between two parties, mostly due to breach of contract or intellectual property violations), and Regulatory Investigation (conducted by regulatory authorities to ensure that standards are met by an organization). All investigations may involve various types of evidence, such as real evidence, documentary evidence, and testimonial evidence.
- Digital Forensics – Digital forensics involves collecting digital data from a system to investigate and possibly produce it as evidence before the authorities. Since digital data includes everything from archived files to messages in transit on the network backbone and cached information in RAM and swap, it is important to follow a predefined order of volatility, capturing the most volatile data first.
- File Carving – File carving is a data extraction technique used to recover information from a disk. It can help retrieve specific information stored on the disk as a file, or a file that is only referred to by name in the system logs on the disk.
- Snapshots – It is not recommended to start forensic operations on a disk directly. Instead, a snapshot of the disk is taken and then used for information extraction. This keeps the evidence unaltered during the whole forensic operation.
- Memory Dump – Unlike offline or archived data, the random access memory (RAM) of a running system contains real-time information, which can be extracted using a memory-dump utility.
- Network Data – Data moving from source to destination in accordance with the OSI network model carries information in its headers and payload bits. Both can be captured on a network device’s port and read using tools like the Wireshark packet analyzer and NetFlow data.
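As an added example (not from the exam guide or from any vendor product), the following Python script parses constructed syslog lines from two hosts into timestamped events and applies one correlation rule of the kind a SIEM would run: repeated failed logins from a single source, counted across hosts, followed by a successful login from that source. The hostnames, log lines and addresses are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog lines (BSD/RFC 3164 style) from two hosts; the IPs are documentation ranges.
SAMPLE_LOGS = """\
Mar 10 14:02:01 web01 sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar 10 14:02:03 web01 sshd[1201]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar 10 14:02:04 db01 sshd[877]: Failed password for admin from 203.0.113.5 port 51240 ssh2
Mar 10 14:02:09 db01 sshd[877]: Failed password for admin from 203.0.113.5 port 51242 ssh2
Mar 10 14:02:15 db01 sshd[879]: Accepted password for admin from 203.0.113.5 port 51250 ssh2
Mar 10 14:05:00 web01 sshd[1300]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
Mar 10 14:06:00 web01 kernel: [12345.678] eth0: link up
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"(?P<proc>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<result>Failed|Accepted) \S+ for (?P<user>\S+) from (?P<ip>[\d.]+)")

def parse_syslog(text, year=2024):
    """Turn raw syslog text into event dicts. The BSD format omits the year, so it is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a SIEM keeps unparsed lines in a raw bucket instead of dropping them
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "proc": m["proc"], "msg": m["msg"]})
    return events

def correlate_bruteforce(events, threshold=3, window_s=300):
    """Alert when one source IP collects `threshold` failed logins (counted across all hosts)
    within `window_s` seconds and then gets an accepted login: a likely guessed credential."""
    failures = defaultdict(list)  # ip -> [(timestamp, host), ...]
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        a = AUTH_RE.match(ev["msg"])
        if not a:
            continue  # not an authentication event
        ip = a["ip"]
        if a["result"] == "Failed":
            failures[ip].append((ev["ts"], ev["host"]))
            continue
        recent = [(t, h) for t, h in failures[ip] if (ev["ts"] - t).total_seconds() <= window_s]
        if len(recent) >= threshold:
            alerts.append({"ip": ip, "user": a["user"], "host": ev["host"], "failures": len(recent),
                           "failed_hosts": sorted({h for _, h in recent})})
    return alerts
```

On the sample above the rule fires once, for 203.0.113.5 logging in as admin on db01 after four failures spread over both hosts; a SOAR playbook would take such an alert as its trigger.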
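The following Python script is an added example, not part of this guide: it carves files by header/footer signature from a constructed byte string standing in for a disk snapshot, and hashes the snapshot before and after carving to show that the evidence is left unaltered. Only PNG and JPEG signatures are included, and the embedded files are synthetic.

```python
import hashlib

# Header and footer signatures used for carving (a constructed subset of what real carvers know).
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}

def build_sample_image():
    """Construct a tiny fake disk snapshot: filler bytes with a PNG and a JPEG embedded in
    them and no filesystem metadata, so only carving by signature can find the files.
    The PNG has the right chunk layout but is not a valid picture."""
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17  # IHDR data + CRC
           + b"\x00\x00\x00\x00IEND\xaeB`\x82")
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-payload-bytes" + b"\xff\xd9"
    filler = bytes(range(256))  # predictable slack space
    return filler + png + filler + jpg + filler

def carve(image):
    """Scan the raw bytes for each header, then the nearest matching footer, and return the
    carved files as (type, offset, data). The filesystem is ignored entirely, which is why
    carving also recovers files from unallocated space."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        start = image.find(header)
        while start != -1:
            end = image.find(footer, start + len(header))
            if end == -1:
                break  # header without a footer: the file is truncated, nothing to carve
            end += len(footer)
            found.append((kind, start, image[start:end]))
            start = image.find(header, end)
    return sorted(found, key=lambda f: f[1])

def carve_from_snapshot(image):
    """Carve from the snapshot and prove it was not modified by hashing it before and after.
    In practice the hash of the snapshot is recorded at acquisition time."""
    before = hashlib.sha256(image).hexdigest()
    files = carve(image)
    after = hashlib.sha256(image).hexdigest()
    return files, before == after
```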
3. Attack and Exploitation Frameworks
Attack and exploitation frameworks are helpful in understanding and simulating an attack. Attack frameworks provide detailed descriptions of the various scenarios by which an attacker can gain access to a system and exploit vulnerabilities.
- MITRE ATT&CK Framework – Among the various attack frameworks, MITRE’s ATT&CK framework is the most popular. It is recognized and used by organizations worldwide. This model follows a tabular approach where you can select various attack techniques and then read more about them to understand them better.
- Diamond Model of Intrusion Analysis – The Diamond Model is built on four core features: Adversary or attacker (the one trying to compromise your system), Victim (the one vulnerable to exploitation), Adversary’s capability (the attack vectors and hacking tools available in the adversary’s arsenal), and Adversary’s infrastructure (the compute and network resources available to the attacker to conduct a system-wide attack).
- Cyber Kill Chain – While MITRE’s framework lists attack techniques and the Diamond Model describes the ways in which those techniques can be used, the Cyber Kill Chain concentrates on the persistent threats any organization or application faces. It follows the sequence of steps taken by the attacker until the attack succeeds.
- Exploitation Frameworks – For penetration testing and simulating attacks, various exploitation tools are available. Metasploit is the most advanced pen-testing tool, with a few free features in the community edition.
This ends Section 4 of the CompTIA Security+ SY-601 exam. In Part 6, we will proceed to the next section of the exam, Governance, Risk, and Compliance.