
Incident Response Phases and Communication

  • IR Phases
    • Preparation
      • Incident procedure
      • Training and testing
    • Identification
      • Detection and analysis
      • Is it a security incident?
    • Containment
      • Isolate the damage
      • Segmentation vs. isolation
    • Eradication
      • Removing the root cause
      • Sanitization, secure erase
    • Recovery
      • Restoring systems
      • Reimaging
    • Lessons Learned
      • Chosen solution
      • Reporting
  • OODA Loop
    • Observe
    • Orient
    • Decide
    • Act
  • Prioritization
    • Human safety
    • Prevent the intrusion from continuing
    • Identify the primary attack
    • Avoid alerting the attacker
    • Preserve evidence
  • Communication Plan
    • Starts with the CSIRT or a similar team
    • Use out-of-band communication
    • The CSIRT should be a single point of contact
    • Adversaries might be insiders
  • External Communication
    • Outside parties might need to be informed in the following situations (breaches):
      • Data theft
      • Insider data exfiltration
      • Device theft/loss
      • Misconfigurations
      • Integrity and availability breaches
  • Response Coordination – involving other departments
    • Senior leadership
    • Legal
    • IT/Networking
    • HR
    • Marketing/PR
  • Data Involved in the Incident
    • PII – personally identifiable information
    • SPI – sensitive personal information
    • PHI – personal health information
    • Financial information
    • IP – intellectual property
    • Corporate information
    • HVA – high-value assets
  • Train your people!
  • Test your IR plan!
    • Tabletop exercises
    • Penetration tests
      • Black box – no knowledge
      • Gray box – some knowledge
      • White box – all knowledge
    • Rules of engagement
