CompTIA Security+ Domain 4: Operation & Incident Response

Posted on November 4, 2022 By Dave

Security+ SY0-601 Domains
Security+ SY0-601 now has 5 domains:

Domain 1.0: Attacks and Threats (24%)
Domain 2.0: Architecture and Design (21%)
Domain 3.0: Implementation (25%)
Domain 4.0: Operations & Incident Response (16%)
Domain 5.0: Governance and Risk Management (14%)
This post discusses Domain 4.0: Operations and Incident Response.
Operations and Incident Response
This domain focuses solely on the responsibility of security specialists in incident response. It covers everything from disaster recovery to incident response and business continuity. The examination covers both technical and administrative subjects. It includes network reconnaissance, forensics, and discovery concepts, as well as the ability to configure systems for incident mitigation. The planning phase includes everything from simulations and tabletop exercises to the development and implementation of strategies. This domain accounts for 16% of the examination's weight.
Below are the topics covered by Security+ Domain 4.0:
Use the appropriate tool to assess your organization’s security in a given situation
Summarize the importance and benefits of policies, processes, or procedures for incident response
Use the appropriate data sources to support your investigation into an incident
Apply mitigation techniques or controls to protect the environment after an incident
Explain the key elements of digital forensics

1. Use the appropriate tool to assess organizational security in a given situation. In this lesson, we will cover a variety of topics and subtopics. Network reconnaissance and discovery is the first topic we will cover; it teaches you how to use tracert/traceroute and nslookup/dig. We will learn file manipulation with commands such as head, tail, cat, grep, chmod, and logger. We will also explore forensic tools such as Memdump, WinHex, FTK Imager, and Autopsy. Finally, we will learn about exploitation frameworks and password crackers.
2. Summarize the importance of policies, processes, and procedures for incident response. In this subdomain, we will explain the incident response process. We will cover the following phases of that process:
Preparation
Identification
Containment
Eradication
Recovery
Lessons learned
We also become familiar with the attack frameworks:
MITRE ATT&CK
The Diamond Model of Intrusion Analysis
Cyber Kill Chain
We also cover the communication plan, disaster recovery plan, business continuity plan, continuity of operations planning (COOP), incident response team, and retention policies.
3. Use the appropriate data sources to support an investigation after an incident. In this subdomain, we'll learn how to read vulnerability scan output. We will also learn about SIEM dashboards and the subtopics below:
Sensor
Sensitivity
Trends
Alerts
Correlation
We will also discuss log files, covering the following subtopics:
Network
System
Application
Security
Web
DNS
Authentication
Dump files
VoIP and call managers
Session Initiation Protocol (SIP) traffic
We also cover metadata and NetFlow/sFlow, as well as protocol analyzer output.
4. Apply mitigation techniques or controls to protect an environment following an incident. In this lesson, we will learn about reconfiguring endpoint security solutions. The following topics will be covered:
Application approved list
Application blocklist/deny list
Quarantine
We also explain configuration changes and their subtopics:
Firewall rules
MDM
DLP
Content filter/URL filter
Updating or revoking certificates
We also learn about isolation, containment, and segmentation concepts.
5. Discuss the key elements of digital forensics. Incident response focuses on
