| Domain 1.0 Identify |
22% |
Objective 1.1 Identify assets (applications, workstations, servers, appliances, operating systems, and others).
- Asset identification tools
- Active
- Passive
- Tools
- Nessus
- Nmap
- Network monitoring tools
- Operating system information
- macOS
- Windows
- Linux/Unix
- Android
- iOS
- Determine which tools to use for each part of the network
- Network topology and architecture information
- Data flow
- Vulnerable ports
- SPAN ports and TAP devices for live packet capture
Objective 1.2 Identify factors that affect the tasking, collection, processing, exploitation, and dissemination architecture’s form and function.
- Identify relevant policies and procedures
- Collect artifacts and evidence based on volatility level
- Review service level agreements (SLAs)
- Network scanning
- Assets and underlying risks
- Data collection
- Data analytics and e-discovery
- Monitor threats and vulnerabilities
- CVSS
- CVE
- CWE
- CAPEC
- Threat modeling
- Identify TTPs
Objective 1.3 Identify and evaluate vulnerabilities and threat actors.
- Vulnerability scanning tools
- Threat targets
- Individuals
- Non-profit associations
- Corporations
- Governments
- Critical Infrastructure
- Systems
- Mobile
- IoT
- SCADA
- ICS
- PLC
- Threat actors
- Threat motives/reasons
- Threat intent
- Attack phases
- Attack vectors
- Technique criteria
Objective 1.4 Identify applicable compliance, standards, frameworks, and best practices for privacy.
- Privacy laws, standards, and regulations
- GDPR
- HIPAA
- COPPA
- GLBA
- CAN-SPAM
- National privacy laws
- Frameworks
- NIST Privacy Framework
- ISO/IEC 27000 series
- ISO 29100
- AICPA Generally Accepted Privacy Principles (GAPP)
- Best practices
- Federal Trade Commission
-
Objective 1.5 Identify applicable compliance, standards, frameworks, and best practices for security.
- Security laws, standards, and regulations
- ISO/IEC 27000 series
- ANSI/ISA-62443
- NIST Special Publication 800 Series
- Standard of Good Practice from ISF
- NERC 1300
- RFC 2196
- PCI DSS
- SSAE 18
- Frameworks
- NIST Cybersecurity Framework
- CIS Critical Security Controls
- COBIT
- NIST Special Publication 800-61
- DoD Risk Management Framework (RMF)
- IT Assurance Framework (ITAF)
- Best practices
- OWASP
- MITRE
- CAPEC
- CSA
Objective 1.6 Identify and conduct vulnerability assessment processes.
- Critical assets and data
- Establish scope
- Determine vulnerability assessment frequency
- Identify common areas of vulnerability
- Users
- Internal acceptable use policies
- Operating systems
- Applications
- Networking software
- Network operations and management
- Firewall
- Network security applications
- Database software
- Network devices
- Access points
- Routers
- Wireless routers
- Switches
- Firewall
- Modems
- NAT (Network Address Translation)
- Network infrastructure
- Network configurations
- Network services
- DSL
- Wireless protocols
- IP addressing
- Configuration files
- IoT
- Regulatory requirements
- Changes to the system
- Determine scanning criteria
- IoC information
- Perform a vulnerability assessment
- Determine scanning criteria
- Utilize scanning tools
- Identify and assess exposures
- Generate reports
- Conduct post-assessment tasks
- Remediate/mitigate vulnerabilities
- Recovery planning processes and procedures
- Hardening
- Patches
- Exceptions documented
- Conduct audit/validate action was taken
Objective 1.7 Establish relationships between internal teams and external groups like law enforcement agencies and vendors.
- Formal policies that drive these internal and external relationships and engagements
- SLAs
- Communication policies and procedures
- Points of contact and methods of contact
- Vendor agreements, NDAs, and vendor assessment questionnaires
- Privacy rules and laws
- Understanding of relevant law enforcement agencies
|
| Domain 2.0 Protect |
24% |
Objective 2.1 Analyze and report system security posture trends.
- Data analytics
- Prioritize the risk observations and formulate remediation steps
- Analyze security system logs, tools, and data
- Threats and vulnerabilities
- Intrusion prevention systems and tools
- Security vulnerability databases
- CVE
- CVSS
- OSVDB
- Discover vulnerabilities in information systems
- Create reports and document evidence
Objective 2.2 Apply security policies to meet the system’s cybersecurity objectives and defend against cyber attacks and intrusions.
- Cybersecurity policies and procedures
- Acceptable use policy
- Network access control (NAC)
- Disaster recovery and business continuity plans
- Remote work policies
- Active Directory Group Policy Objects (GPOs)
- Best practices in hardening techniques
- Threats and vulnerabilities
- Security laws, standards, and regulations
- Risk management principles
- Attack methods and techniques
- Footprinting
- Scanning
- Enumeration
- Gaining access
- Web attacks
- Password attacks
- Wireless attacks
- Social engineering
- Man-in-the-middle
- Malware
- Out of band
- DoS
- DDoS
- Resource exhaustion
- Forced system outage
- Packet generators
Objective 2.3 Collaborate across internal and external organizational lines to enhance the collection, analysis, and dissemination of information.
- Organizational structure
- Internal teams
- Personnel roles and responsibilities
- Communication policies and procedures
- Knowledge sharing processes
- Conflict management
- SLAs
- Relationships with external stakeholders
- Law enforcement
- Vendors
Objective 2.4 Employ approved defense-in-depth principles and practices.
- Intrusion Prevention or Detection Systems (IDS/IPS)
- Firewalls
- Network Segmentation
- Endpoint Detection and Response (EDR)
- Account Management
- The Principle of Least Privilege
- Separation of duties
- Password policy enforcement
- Active directory hygiene
- Patch management
- Mobile Device Management (MDM)
Objective 2.5 Develop and implement cybersecurity independent audit processes.
- Identify assets
- Cybersecurity policies and procedures
- Data security policies
- Cybersecurity auditing processes and procedures
- Audit objectives
- Network structure
- Compliance standards
- Document and communicate results
Objective 2.6 Ensure that plans of action are in place for vulnerabilities identified during risk assessments, audits, and inspections.
- Review assessments, audits, and inspections
- Analyze critical issues for action
- Develop plans of action
- Specify success criteria
- Remediation planning
- Resource implications
- Monitoring procedures
Objective 2.7 Protect organizational resources through security updates.
- Cybersecurity policies and procedures
- Software updates
- Scope
- Attributes
- Vulnerabilities
- Firmware updates
- Scope
- Attributes
- Vulnerabilities
- Software patches
Objective 2.8 Protect identity management and access control within the organization, including physical and remote access.
- Enterprise resources
- Access control
- Authentication systems
- Remote-access monitoring
- Cybersecurity policies and procedures
- Identity management
- Authorization
- Infrastructure/physical security
- Physical security controls
- User credentials
|
| Domain 3.0 Detect |
18% |
Objective 3.1 Analyze common indicators of potential compromise, anomalies, and patterns.
- Analyze security system logs, security tools, and data
- IP networking/ IP resolving
- DoS attacks/ DDoS attacks
- Security Vulnerability Databases
- Intrusion Detection Systems
- Network encryption
- SSL decryption
- SIEM
- Firewalls
- DLP
- IPS
- IDS
- Evaluate and interpret metadata
- Malware
- Network topology
- Anomalies
- False positives
- Superhuman logins/geo-velocity
- APT activity
- Botnets
- Unauthorized programs in the startup menu
- Malicious software
- Presence of attack tools
- Registry entries
- Unusual network traffic
- Bandwidth usage
- Malicious network communication
- Off-hours usage
- New administrator/user accounts
- Guest account usage
- Unknown open ports
- Unknown use of protocols
- Service disruption
- Website defacement
- Unauthorized changes/modifications
- Suspicious files
- Patches
- Recipient of suspicious emails
- Unauthorized sessions
- Failed logins
- Rogue hardware
Objective 3.2 Perform analysis of log files from various sources to identify possible threats to network security.
- Log collection
- Agent-based
- Agentless
- Syslog
- Log auditing
- Source validation
- Verification of log integrity
- Evidence collection
- Log enrichment
- IP address and hostname resolution
- Field name consistency
- Time zones
- Alerts, reports, and event correlation
- Threat hunting
- Long tail analysis
- Intrusion detection
- Behavioral monitoring
- Log retention
- Industry compliance/regulatory requirements
- Log aggregator and analytics tools
- SIEM
- Linux tools
- grep
- cut
- diff
- Windows tools
- Find
- WMIC
- Event Viewer
- Scripting languages
- Bash
- PowerShell
- Data sources
- Network-based
- WAP logs
- WIPS logs
- Controller logs
- Packet capture
- Traffic log
- Flow data
- Device state data
- SDN
- Host-based
- Linux syslog
- Application logs
- Cloud
- Audit logs
- Threat feeds
Objective 3.3 Provide timely detection, identification, and alerting of possible attacks/intrusions, anomalous activities, and misuse activities and distinguish
these incidents and events from benign activities.
- Asset discovery methods and tools
- Alerting systems
- Intrusion Prevention or Detection Systems (IDS/IPS)
- Firewalls
- Endpoint Detection and Response (EDR)
- Common indicators of potential compromise, anomalies, and patterns
- Analysis tools
- Document and communicate results
Objective 3.4 Take appropriate action to document and escalate incidents that may cause an ongoing and immediate impact on the environment.
- Communication and documentation policies and processes
- Security incident reports
- Description
- Potential impact
- Sensitivity of information
- Logs
- Escalation processes and procedures
- Specific technical processes
- Techniques
- Checklists
- Forms
- Incident response teams
- Levels of Authority
- Personnel roles and responsibilities
- Document and communicate results
-
Objective 3.5 Determine the extent of threats and recommend courses of action or countermeasures to mitigate risks.
- Post exploitation tools and tactics
- Command and control
- Data exfiltration
- Pivoting
- Lateral movement
- Persistence/maintaining access
- Keylogging
- Anti-forensics
- Covering tracks
- Prioritization or severity ratings of incidents
- Communication policies and procedures
- Levels of Authority
- Communicate recommended courses of action and countermeasures
|
| Domain 4.0 Respond |
19% |
Objective 4.1 Execute the incident response process.
- Incident response plans and processes
- Communication with internal and external stakeholders
- Personnel roles and responsibilities
- Incident reporting
- Containment Methods
- Allowlist/blocklist
- IDS/IPS rules configuration
- Network segmentation
- Web content filtering
- Port blocking
- Containment Tools
- Firewall
- IDS/IPS
- Web proxy
- Anti-malware
- Endpoint security solutions
- DLP
- Windows tools to analyze incidents
- Registry
- Network
- File system
- Malware
- Processes
- Services
- Volatile memory
- Active Directory tools
- Linux-based tools to analyze incidents
- Network
- File system
- Malware
- Processes
- Volatile memory
- Session management
Objective 4.2 Collect and seize documentary or physical evidence and create a forensically sound duplicate that ensures the original evidence is not unintentionally modified to use for data recovery and analysis processes.
- Evidence collection, preservation, and security
- Digital
- Physical
- Chain of custody
- Forensic investigation
- Static analysis
- Dynamic analysis
- Forensic collection and analysis tools
- FTK
- EnCase
- eDiscovery
- Forensic Explorer
- Kali Linux Forensic Mode
- CAINE
- SANS SIFT
- Volatility
- Binalyze AIR
- Forensically sound duplicates
- Document and communicate results
Objective 4.3 Correlate incident data and create reports.
- Logs
- Data analysis
- Intrusion Prevention or Detection Systems (IDS/IPS)
- Forensics analysis
- Correlation analysis
- Event correlation tools and techniques
- Root cause analysis
- Alerting systems
- Incident reports
- Document and communicate results
Objective 4.4 Implement system security measures in accordance with established procedures.
- Escalation procedures
- Chain of command
- Organizational systems and processes
- Policies
- Procedures
- Incident response plan
- Security configuration controls
- Baseline configurations
- Hardening documentation
- Document measures implemented
Objective 4.5 Determine tactics, techniques, and procedures (TTPs) of intrusion sets.
- Threat actors
- Patterns of activity
- Methods
- Tactics
- Early stages of the campaign
- Key facts of the infrastructure
- Artifacts and tools used
- Techniques
- Technological
- Non-technological
- Procedures
Objective 4.6 Interface with internal teams and external organizations to ensure appropriate and accurate dissemination of incident information.
- Communication policies and procedures
- Internal communication methods
- Secure channels
- Out-of-band communications
- External communication guidelines
- Local law enforcement
- Stockholders
- Breach victims
- Media
- Other CERTs/CSIRTs
- Vendors
|
| Domain 5.0 Recover |
17% |
Objective 5.1 Implement recovery planning processes and procedures to restore systems and assets affected by cybersecurity incidents.
- Post-incident
- Root cause analysis
- After Action Report (AAR)
- Lessons learned
- Reporting and documentation
- Analyze incident reports
- Execute recovery planning processes and procedures
- Document and communicate results
Objective 5.2 Implement specific cybersecurity countermeasures for systems and applications.
- Security requirements of systems
- System interoperability and integration
- Prevention & mitigation
- Actions
- Processes
- Tools and technologies
- Devices
- Systems
- Safeguards
- Security features
- Management constraints
- Personnel security
- Physical structures, areas, and devices
Objective 5.3 Review forensic images and other data sources for recovery of potentially relevant information.
- Memory forensics analysis/tools
- Volatility
- Data sources and disk images
- Analysis of digital evidence
- Hardware and software tools
- File copying techniques
- Logical backup
- Bit stream imaging
- File modification, access, and creation times
- Forensic recordkeeping
- Automated audit trails
- Chain of custody
- Forensic investigation
- Forensic collection and analysis tools
Objective 5.4 Provide advice and input for disaster recovery, contingency, and continuity of operations plans.
- Recovery planning processes
- Contingency planning
- Systems and assets
- Lessons learned
- Review of existing strategies
- Implement improvements
- Document and communicate reports, lessons learned, and advice for recovery, contingency, and continuity of operations plans
|
