ITPro.TV: CompTIA Security+ (SY0-601)

CompTIA Security+ Exam Cram

Today’s reading is Chapters 27 and 29, “Incident Response” and “Incident Mitigation”, from the Security+ Exam Cram.

Cyber Kill Chain

As originally developed by Lockheed Martin. There are seven stages, and the goal is to disrupt the attacker as early in the kill chain as possible.

There are other “intrusion kill chains” out there.


Divides an attack up into stages (which makes it similar to a kill chain), but then focuses on providing a library of potential attacker tactics at each stage.

Diamond Model of Intrusion Analysis

This is an adversary-focused functional model. Four components are arrayed on a diamond:

There’s apparently math involved here, not that the Exam Cram is going to explain it.

Incident Response Plan

“Procedures” in particular should include business continuity planning under the assumption of continued attack.

Incident response plans will often cover preventative measures as part of preparing an organization for attack. Useful parts:

See NIST Special Publication 800-61r2. Revise annually.

Documented Incident Type/Category Definitions

Roles and Responsibilities

Also: Stakeholder management!

Reporting Requirements and Escalation

The current standard for investigating a potential data breach is to have a report ready within 24 hours of becoming aware of the potential incident.

Cyber-Incident Response Teams

A.k.a. the CIRT or CSIRT (Computer Security Incident Response Team), i.e., the “incident response team” referred to above.

Three models:

Training, Tests, and Exercises

The difference between a “test” and an “exercise” is that the former uses real systems (for example, actually running the backup restoration procedure) while the latter is a simulation (tabletop exercises, etc.). Tests tend to be functional, while exercises can be either functional or scenario-based (the latter are “tabletop” exercises).

Incident Response Process


Resources needed to respond to an incident:

These are typically consolidated into a “jump kit”.

Incident Identification and Analysis

Impact classification axis:

Containment, Eradication, and Recovery

The emphasis here is on treating work areas experiencing an incident as crime scenes, though this seems potentially less applicable as more systems/services are moved to the cloud.

Continuity and Recovery Plans

BCP = Business Continuity Planning

COOP = Continuity of Operations Planning

DRP = Disaster Recovery Planning

Disaster Recovery

(One of these things is not like the others…)

One thing to keep in mind here is how to handle active sabotage or additional losses during the recovery efforts…

Continuity of Operations Planning

A.k.a. business continuity planning (but for government).

Active succession planning is highlighted here, though in my experience it’s often neglected in the corporate world (but maybe I’ve just never interacted with the right corps).

Tabletop exercises are used here too.

Containment and Eradication

Generally containment is accomplished via network isolation or endpoint configuration changes, rather than by shutting things down.
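As an added example (not from the Exam Cram or ITPro.TV), the following PowerShell shows what “containment by network isolation rather than shutting things down” looks like on a Windows endpoint: the host stays up so volatile evidence survives, but the Windows Firewall is flipped to block everything except a responder’s jump host. The jump host address, the case id and the output directory are all hypothetical placeholders.

```powershell
# Added example, not from the Exam Cram: isolate a suspected Windows endpoint
# with the host firewall instead of powering it off, so memory, connections
# and running processes survive and responders keep remote access.
# Assumptions (all hypothetical): elevated PowerShell on the affected host,
# an IR jump host at $irHost, and a case id $ticket used to tag the new
# rules so the change is easy to find and reverse later.
$irHost  = '10.0.50.10'
$ticket  = 'IR-0000'
$caseDir = "C:\IR\$ticket"
New-Item -ItemType Directory -Path $caseDir -Force | Out-Null

# 1. Record state before touching anything. These files go into the case
#    record and are what the rollback step at the bottom relies on.
Get-NetTCPConnection -State Established |
    Export-Csv -Path "$caseDir\connections-before.csv" -NoTypeInformation
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Export-Csv -Path "$caseDir\profiles-before.csv" -NoTypeInformation
Get-NetFirewallRule | Where-Object Enabled -eq 'True' |
    Select-Object Name |
    Export-Csv -Path "$caseDir\enabled-rules-before.csv" -NoTypeInformation

# 2. Narrow allow rules for the IR host in both directions. Explicit allow
#    rules take precedence over a profile's default Block action.
New-NetFirewallRule -DisplayName "$ticket IR host inbound"  -Direction Inbound  -RemoteAddress $irHost -Action Allow | Out-Null
New-NetFirewallRule -DisplayName "$ticket IR host outbound" -Direction Outbound -RemoteAddress $irHost -Action Allow | Out-Null

# 3. Disable every other enabled rule (application and service allow rules
#    would otherwise still let traffic out), then set both default actions
#    to Block on all three profiles.
Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.DisplayName -notlike "$ticket *" } |
    Disable-NetFirewallRule
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block

# 4. Verify: only the IR host (WinRM on 5985 here) should still be reachable.
Test-NetConnection -ComputerName $irHost -Port 5985 -InformationLevel Quiet      # expect True
Test-NetConnection -ComputerName 'www.example.com' -Port 443 -InformationLevel Quiet  # expect False

# Rollback after eradication, driven by the files saved in step 1:
#   Import-Csv "$caseDir\enabled-rules-before.csv" | ForEach-Object { Enable-NetFirewallRule -Name $_.Name }
#   Import-Csv "$caseDir\profiles-before.csv" | ForEach-Object {
#       Set-NetFirewallProfile -Name $_.Name -DefaultInboundAction $_.DefaultInboundAction `
#           -DefaultOutboundAction $_.DefaultOutboundAction }
#   Get-NetFirewallRule -DisplayName "$ticket *" | Remove-NetFirewallRule
```

Two practical caveats: if the host gets its address by DHCP, keep the DHCP core-networking rule enabled (or the lease will eventually expire and take your jump-host access with it), and run the isolation from a session that is already connected via the jump host, since everything else is cut off the moment step 3 completes.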


Three types of systems:

Configuration Changes

When responding to an incident, in general you want to implement the control that prevents the widest range of attacks without compromising needed functionality.

Application Control

Microsoft’s application block/allow-list solution is AppLocker. AppLocker rules can be based on the publisher (digital signature), the application path, or the file hash.

Allowed lists are more useful for preventing incidents; blocked lists are more useful as part of (short-term) incident response.
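To make the AppLocker point concrete, here is an added PowerShell example (not from the Exam Cram or ITPro.TV) that builds an allow list from software already installed in trusted locations, dry-runs the candidate policy against a signed and an unsigned binary, and imports it in audit mode so the event log shows what enforcement would have blocked. The directories, the test binary path and the output path are assumptions for the example.

```powershell
# Added example, not from the Exam Cram: generate an AppLocker allow list,
# test it, and roll it out in audit mode before enforcing.
# Assumptions (hypothetical): elevated PowerShell on a Windows edition that
# supports AppLocker, the Application Identity service (AppIDSvc) running,
# and an unsigned test binary at $suspect that you placed there yourself.
$trustedDirs = @('C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows')
$suspect     = 'C:\Users\Public\Downloads\unknown-tool.exe'
$xmlPath     = "$env:TEMP\applocker-allowlist.xml"

# 1. Collect file information (publisher signature, path, hash) for every
#    executable, DLL, script and installer under the trusted directories.
$fileInfo = foreach ($dir in $trustedDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Dll, Script, WindowsInstaller
}

# 2. Generate allow rules. Publisher rules are preferred because they
#    survive patching; unsigned files fall back to hash rules. -Optimize
#    collapses per-file rules into broader publisher rules where it can.
$policy = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash -User Everyone -Optimize

# 3. Dry-run decisions against the candidate policy without applying it.
$decisions = Test-AppLockerPolicy -PolicyObject $policy -User Everyone -Path @(
    'C:\Windows\System32\notepad.exe',   # signed by Microsoft, in a trusted dir -> Allowed
    $suspect                             # unsigned, outside trusted dirs      -> Denied
)
$decisions | Select-Object FilePath, PolicyDecision, MatchingRule | Format-Table -AutoSize

# 4. Switch every rule collection to AuditOnly in the exported XML, keep
#    the file for review/GPO import, and merge it into the local policy.
#    Audit mode logs what would have been blocked instead of blocking it.
[xml]$xml = $policy.ToXml()
foreach ($collection in $xml.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$xml.Save($xmlPath)
Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge

# 5. Review the audit trail before changing AuditOnly to Enabled:
#    8003 = would have been blocked (audit), 8004 = blocked (enforced).
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 200 |
    Where-Object Id -in 8003, 8004 |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

Scanning C:\Windows with DLLs included takes a while; in practice the Windows and Program Files directories are usually covered by the default path rules instead, with generated publisher/hash rules added only for line-of-business software. Either way the sequence is the same one the notes describe: allow list built ahead of time for prevention, audit events reviewed, then enforcement turned on.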

Security Orchestration, Automation, and Response (SOAR)

Orchestration/Automation + threat intelligence + incident response. Basically, data goes in while policies and automated actions come out. The advantage here is that incident response can be more formalized and faster than is otherwise generally possible.

“Incident response plans” provide general guidance, while “playbooks” outline formalized response steps for specific types of incidents.

Things a SOAR system can automate: