This domain focuses on the security specialist’s responsibility in incident response. Everything from incident response to disaster recovery and business continuity is covered in this domain. Both technical and administrative subjects are included in the examination. It not only includes forensics, network reconnaissance, and discovery ideas, and the capacity to configure systems for incident mitigation, but it also includes the planning phase, which includes everything from tabletop exercises and simulations to the development of strategies. This domain covers 16% of weightage in the examination.
https://www.infosectrain.com/blog/comptia-security-sy0-601-domain-4-operation-and-incident-response/
This PowerPoint helps students to consider the concept of infinity.
Comptia security sy0 601 domain 4 operation and incident response
1.
2. www.infosectrain.com | sales@infosectrain.com 01
The latest version of
Security+ SY0-601 has 5 Domains
Domain 1.0: Attacks, Threats, and Vulnerabilities (24%)
Domain 2.0: Architecture and Design (21%)
Domain 3.0: Implementation (25%)
Domain 4.0: Operations and Incident Response (16%)
Domain 5.0: Governance, Risk, and Compliance (14%)
In this blog, we discuss domain 4.0 Operations and Incident Response.
3. www.infosectrain.com | sales@infosectrain.com 02
Operations and
Incident Response
D O M A I N 4
This domain focuses on the security specialist’s responsibility in
incident response. Everything from incident response to disaster
recovery and business continuity is covered in this domain. Both
technical and administrative subjects are included in the
examination. It not only includes forensics, network reconnaissance,
and discovery ideas, and the capacity to configure systems for
incident mitigation, but it also includes the planning phase, which
includes everything from tabletop exercises and simulations to the
development of strategies. This domain covers 16% of weightage in
the examination.
The topics covered in security+ domain 4.0 are listed below:
1. Given a scenario, use the appropriate tool to assess organizational security
2. Summarize the importance of policies, processes, and procedures for incident
response
3. Given an incident, utilize appropriate data sources to support an investigation
4. Given an incident, apply mitigation techniques or controls to secure an environment
5. Explain the key aspects of digital forensics
4. www.infosectrain.com | sales@infosectrain.com 03
Given a scenario, use the appropriate
tool to assess organizational security
01
In this lesson, we will cover various topics and their subtopics. The
very first topic we will understand is Network reconnaissance and
discovery. In this topic, we will learn how to work tracert/traceroute,
nslookup/dig, ipconfig/ifconfig, nmap, ping/pathping, hping, netstat,
netcat, IP scanners, arp, route, curl, theHarvester, sn1per, scanless –
dnsenum, Nessus, Cuckoo. We learn how to do file manipulation and
its commands like head, tail, cat, grep, chmod, logger. We explore
concepts like forensic and commands, dd, Memdump, WinHex, FTK
imager, Autopsy. We will also understand Exploitation frameworks,
Password crackers, Data sanitization.
5. www.infosectrain.com | sales@infosectrain.com 04
Summarize the importance of policies,
processes, and procedures for
incident response
02
In this subdomain, we understand the Incident response process.
Inside this Incident response process, we cover the following
subtopics:
We also cover the concept of Stakeholder management,
Communication plan, Disaster recovery plan, Business continuity
plan, Continuity of operations planning (COOP), Incident
response team, and Retention policies.
We understand the Attack frameworks:
• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Lessons learned
• MITRE ATT&CK
• The Diamond Model of Intrusion Analysis
• Cyber Kill Chain
6. www.infosectrain.com | sales@infosectrain.com 05
Given an incident, utilize appropriate
data sources to support an investigation
03
In this subdomain, we will learn about how Vulnerability scan output
works. Understand SIEM dashboards and the following subtopics:
We will learn about Log files. Inside Log files, we cover the following
subtopics:
We also cover Metadata, Netflow/sFlow, Protocol analyzer output.
• Sensor
• Sensitivity
• Trends
• Alerts
• Correlation
• Network
• System
• Application
• Security
• Web
• DNS
• Authentication
• Dump files
• VoIP and call managers
• Session Initiation Protocol (SIP) traffic
7. www.infosectrain.com | sales@infosectrain.com 06
Given an incident, apply mitigation
techniques or controls to secure an
environment
04
In this lesson, we will get familiar with reconfigure endpoint security
solutions. Inside this we will cover the following subtopics:
Also, understand Isolation, Containment, Segmentation, SOAR
concepts.
Explain Configuration changes and subtopics are:
• Application approved list
• Application blocklist/deny list
• Quarantine
• Firewall rules
• MDM
• DLP
• Content filter/URL filter
• Update or revoke certificates
8. www.infosectrain.com | sales@infosectrain.com 07
Explain the key aspects
of digital forensics
05
Whereas incident response focuses on eradicating malicious
activity as soon as possible, digital forensics needs patient
acquisition, preservation, and examination of evidence using
verified methodologies. In this subdomain, we will learn basic
concepts of digital forensics, explain documentation, evidence,
and admissibility. Inside this we will cover the following subtopics
We understand E-discovery, Preservation, Data recovery, Non-
repudiation, Strategic intelligence/counterintelligence. We will get
familiar with Data Acquisition and subtopics like Order of volatility,
Disk, Random-access memory (RAM), Swap/pagefile, OS, Device,
Firmware, Network, Artifacts. Concept of on-premises vs cloud,
Right to audit clauses, Regulation/jurisdiction, Data breach
notification laws. We will also cover Integrity, Hashing, Checksums,
Provenance.
• Legal hold
• Chain of custody
• Timelines
• Event Logs and Network Traffic