Tracert / Traceroute
Shows the route to a remote host like a website and displays response latency at each hop.
Nslookup / Dig
Command line tools to verify IP addresses of hostnames or domains in DNS server database.
Ipconfig / Ifconfig
Tools to display IP configuration, with Windows using ipconfig and Unix/Linux using ifconfig.
Nmap
Free Network Mapper for device inventory, service discovery, and banner grabbing, used cautiously for active reconnaissance.
Pathping
Combines Ping and Traceroute functionalities, calculating statistics and packet loss at each router.
Hping
Open-source TCP/IP Packet Generator and Analyzer for auditing firewalls and networks, useful for pentesting.
Netstat
Windows tool for network statistics, showing connections, listening ports, and running services.
Nc
Linux/Unix utility for network connections, port scanning, and file transfer.
IP Scanners
Tools like Angry IP scanner to scan IP addresses for open ports, available in command line and GUI versions.
Arp
Address Resolution Protocol for mapping IP to MAC addresses on LAN, with commands like arp -a and arp -d.
Route
Windows and Linux command for listing and adding routes in local routing tables.
Curl
Command line tool for data transfer using various protocols like HTTP, FTP, and SMTP.
TheHarvester
Passive tool in Kali Linux for harvesting email addresses, useful for reconnaissance.
Sn1per
Linux tool for automated penetration testing, scanning vulnerabilities, open ports, and web app vulnerabilities.
Scanless
Linux pentesting tool for anonymous open port scans on target hosts, developed in Python.
Dnsenum
Linux command line tool for identifying DNS records and attempting reverse DNS resolution in penetration testing.
Nessus
Network security scanner for vulnerability checks, available in Linux and Windows.
Cuckoo
Open-source tool for creating a sandbox for malware inspection on Windows and Linux.
Cat
Linux command for viewing, creating, and combining files, and for redirecting output to the terminal or to files.
Head
Command to view the first lines of log files such as /var/log/messages.
Tail
Command to view last lines in log files, complementary to the head command.
Grep
Linux command for searching text and log files using regular expressions.
Chmod
Command for changing permission levels on files or directories.
What can a logger do?
Adds messages to local system logs or remote syslog servers, commonly used in automation scripts.
SSH
Secure alternative to Telnet for remote command execution, commonly used for secure remote access.
PowerShell
Scripting language for performing tasks in Windows environments, with commands known as cmdlets.
Python
Widely used programming language in cybersecurity and data science.
OpenSSL
Software suite for managing TLS and SSL functions like keys and certificates.
Protocol Analyzers
Tools like Wireshark for capturing and analyzing network packets.
Tcpreplay
Open-source tool for analyzing and replaying traffic from .pcap files.
TcpDump
Linux/Unix network packet analyzer tool for monitoring Ethernet adapter information.
Wireshark
Free and open-source network packet analyzer available for Windows and Linux.
Forensics
Tools used in forensic investigations for analyzing digital evidence.
Dd tool
Linux command for cloning disks or copying folders in forensic investigations.
WinHex
Hexadecimal editor for finding evidence in forensic investigations on Windows OS.
Memdump
Linux tool for analyzing dump files created during system crashes.
FTK Imager
Data preview and imaging tool for assessing electronic evidence quickly.
Autopsy
Forensic tool for analyzing hard drives, smartphones, and media cards, with translation capabilities.
Exploitation Frameworks
Software tools for detecting and exploiting vulnerabilities on remote systems.
Password Crackers
Tools like Cain and Abel for cracking passwords and creating password hashes.
Data Sanitization
Process of irreversibly removing data from memory devices to ensure it's not recoverable.
Plan vs Process vs Procedures
Definitions distinguishing between high-level plans, ordered processes, and detailed procedures.
Incident Response Plans
Plans designed to respond to incidents quickly and prevent further compromise of an organization, focusing on maintaining Confidentiality, Integrity, and Availability (CIA).
Incident Response Process
Consists of six phases (Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned) to effectively manage and resolve incidents.
Tabletop (Exercise)
A paper-based exercise in which a hypothetical incident and the Incident Response Plan are distributed to team members for review and feedback, keeping the plan current.
Walkthroughs
Involves role-playing an incident scenario in a large conference room to ensure team members are familiar with their roles and available resources.
Simulations
Structured walkthroughs where response measures are tested, making it the best exercise to enhance incident response capabilities.
MITRE ATT&CK Framework
An online framework developed by MITRE to provide information about adversaries, their tactics, techniques, and common knowledge to prevent cyber-attacks.
The Cyber Kill Chain
Traces stages of a cybersecurity attack from early reconnaissance to achieving the intruders' objectives, following a structured process.
The Diamond Model of Intrusion Analysis
A framework used for gathering intelligence on network intrusion attacks, focusing on adversary, capabilities, infrastructure, and victim.
Communication Plan
Details how stakeholders will be informed in the event of a security breach, ensuring confidentiality and compliance with regulations like GDPR.
Stakeholder Management
Involves informing and managing various groups of stakeholders such as internal stakeholders, cyber insurance providers, and law enforcement during incidents.
Business Continuity Plan (BCP)
An organizational plan focused on how to continue business operations during and after an incident.
Disaster Recovery Plan (DRP)
A plan for recovering from a disaster impacting IT infrastructure and returning it to regular operations.
Retention Policies
Policies determining how long an organization can store data, considering data classification and regulatory compliance requirements.
Vulnerability Scanner
Identifies and reports vulnerabilities like software flaws, missing patches, and weak passwords to prevent known attacks.
Credentialed Vulnerability Scanner
A thorough scan using admin credentials to expose vulnerabilities effectively, providing detailed information for mitigation.
SIEM Dashboards
Collect data for correlation and analysis, offering centralized visibility and real-time information on threats.
Sensors
Deployed across networks to monitor changes in network patterns or log file entries, aiding in detecting and responding to events.
Sensitivity (SIEM Dashboards)
Monitors sensitive data to ensure regulatory compliance, focusing on protecting personally identifiable information (PII) and other sensitive data.
Trends
Identify patterns in network traffic, event volume, and activities to understand changes in the environment.
Alerts (from SIEM Solution)
Provide information about events on network devices, with optional email notifications and response automation for timely actions.
Correlation
Analyzes log files from multiple sources to generate a centralized view, emphasizing the importance of time synchronization for accurate analysis.
Log Files
Core evidence sources for investigations, including network, web, system, application, security, DNS, and authentication logs.
VOIP and Call Managers
Systems that log call details, including call quality metrics, to secure VoIP phones and monitor call activities for security purposes.
Session Initiation Protocol (SIP) / Traffic
Used for internet-based calls; its log files show events like INVITE and 200 OK, which helps detect potential attacks based on call patterns.
Syslog
A log collector that gathers event logs from various devices and sends them to a central syslog server. In Linux, it is implemented as syslogd (the syslog daemon), storing logs under /var/log/syslog.
Rsyslog
Known for high performance, it receives, transforms, and sends data to destinations like SIEM servers or other syslog servers. It is an open-source option.
Syslog-ng
An open-source logging solution for Unix and Linux systems with broader platform support than Rsyslog.
Journalctl
Utility for querying and displaying logs from journald, systemd's logging service, to view logs in a readable format.
NXLog
An open-source log management tool for identifying security risks in Linux/Unix environments, offering log processing features and supporting Linux, Windows, and Android.
Bandwidth Monitors
Tools used to understand network traffic flow, monitor changes in traffic patterns, identify network devices causing bottlenecks, and detect broadcast storms or denial-of-service attacks.
Metadata
Data providing information about other data, such as email headers, mobile telecom data, website metadata, and file metadata.
NetFlow, sFlow, IPFIX
Network monitoring solutions like NetFlow (Cisco proprietary), sFlow (multi-vendor), and IPFIX (open standard protocol) used to monitor network traffic and identify patterns.
Protocol Analyzer Output
Output from a protocol analyzer (often referred to as a packet sniffer), saved in the .PCAP file format; its format and compatibility matter when the output is used in forensic investigations.
Reconfigure Endpoint Security Solutions
Adjusting endpoint security solutions due to technological changes or data breaches.
Approved Applications List
A list of authorized applications; if an app is not listed, it cannot be launched.
Application Block List/Deny List
Catalog of dangerous apps, preventing them from running, especially offensive security tools.
Quarantine
Isolating infected devices from the network, ensuring compliance before granting access, and potentially placing them in a remediation network.
Configuration Changes
Adjustments made to secure the environment against emerging threats.
Firewall Rules
Used to block traffic, with changes applied through MDM solutions or group policies on endpoint devices.
MDM (Mobile Device Management)
Manages and configures mobile devices, enforcing settings like password policies and camera blocking.
Data Loss Prevention (DLP)
Policy-based protection of sensitive data, safeguarding data at rest or in transit, in various platforms.
Content Filter / URL Filter
Filters updated to counter new threats, especially on proxy servers or UTM firewalls.
Update or Revoke Certificates
Updating or revoking certificates to address errors or compromises, essential for internet-facing services.
Isolation
Blocking all access, like air-gapping endpoints to protect against network-based attacks.
Containment
Minimizing damage and limiting incident scope, crucial in incident response before root cause analysis.
Segmentation
Dividing a network into smaller parts for better management, including mobile device, endpoint, and application segmentation.
SIEM & SOAR
Security solutions utilizing AI, ML, and threat intelligence, offering centralized alerting and response automation.
Runbooks
Documents detailing actions to stop threats, human response steps for security incidents, and pre-defined procedures for managing incidents.
Playbooks
Contain rules and actions to identify and respond to incidents, often requiring amendments for better automated responses.
Legal Hold
Protecting evidence from alteration or destruction, also known as litigation hold.
Chain of Custody
Tracks evidence movement through collection, safeguarding, and analysis, documenting handling and transfers.
Admissibility
Requirements for evidence to be valid in court, ensuring relevance, materiality, and legal collection.
Video
CCTV as evidence for identifying attackers and reconstructing events.
Timelines of Sequences of Events
Using timestamps and time offsets to reconstruct event sequences accurately.
Tags
eDiscovery labels attached to documents for easier search and organization.
Reports
Documenting key discussions and decisions post-incident for review and stakeholder presentation.
Event Logs (For Documentation / Evidence)
Centralized log collection for reconstructing events and maintaining audit trails.
Interviews
Witness statements and photofits used to develop a picture of involved parties.