• Topology discovery
• OS fingerprinting
• Service discovery
• Packet capture
• Log review
• Router/firewallACLsreview
• Email harvesting
• Social media profiling
• Social engineering
• DNS harvesting
• Phishing

• Wireless vs. wired
• Virtual vs. physical
• Internal vs. external
• On-premises vs. cloud

• NMAP
• Host scanning
• Network mapping
• NETSTAT
• Packet analyzer
• IDS/IPS
• HIDS/NIDS
• Firewall rule-based and logs
• Syslog
• Vulnerability scanner

• Packet analysis
• Protocol analysis
• Traffic analysis
• Netflowanalysis
• Wireless analysis

• Anomaly analysis
• Trend analysis
• Availability analysis
• Heuristic analysis
• Behavioral analysis

• Firewall logs
• Packet captures
• NMAPscan results
• Event logs
• Syslogs
• IDS report

• SIEM
• Packet analyzer
• IDS
• Resource monitoring tool
• Netflowanalyzer

• System isolation
• Jump box

2.Honeypot
3.Endpoint security
4.Group policies
5.ACLs

• Sinkhole

6.Hardening

• Mandatory Access Control (MAC)
• Compensating controls
• Blocking unused ports/services
• Patching

7.Network Access Control (NAC)

• Time-based
• Rule-based
• Role-based
• Location-based

• Rules of engagement
• Timing
• Scope
• Authorization
• Exploitation
• Communication
• Reporting

• Isolation/sandboxing
• Hardware
• Source authenticity of hardware
• Trusted foundry
• OEM documentation
• Software/malware
• Fingerprinting/hashing
• Decomposition

• Red team
• Blue team
• White team

• Technical control review
• Operational control review
• Technical impact and likelihood
• High
• Medium
• Low

• Regulatory environments
• Corporate policy
• Data classification
• Asset inventory
• Critical
• Non-critical

• Risk appetite
• Regulatory requirements
• Technical constraints
• Workflow

• Determine scanning criteria
• Sensitivity levels
• Vulnerability feed
• Scope
• Credentialed vs. non-credentialed
• Types of data
• Server-based vs. agent-based
• Tool updates/plug-ins
• SCAP
• Permissions and access

• Automated vs. manual distribution

6.Remediation

• Prioritizing
• Criticality
• Difficulty of implementation
• Communication/change control
• Sandboxing/testing
• Inhibitors to remediation
• MOUs
• SLAs
• Organizational governance
• Business process interruption
• Degrading functionality

• Review and interpret scan results
• Identify false positives
• Identify exceptions
• Prioritize response actions

• Compare to best practices or compliance
• Reconcile results
• Review related logs and/ or other data sources
• Determine trends

• Virtual hosts
• Virtual networks
• Management interface

• Known threats vs. unknown threats
• Zero day
• Advanced persistent threat

• Scope of impact
• Downtime
• Recovery time
• Data integrity
• Economic
• System process criticality
• Types of data
• Personally Identifiable
• Information (PII)
• Personal Health Information (PHI)
• Payment card information
• Intellectual property
• Corporate confidential
• Accounting data
• Mergers and acquisitions

• Digital forensics workstation
• Write blockers
• Cables
• Drive adapters
• Wiped removable media
• Cameras
• Crime tape
• Tamper-proof seals
• Documentation/forms
• Chain of custody form
• Incident response plan
• Incident form
• Call list/escalation list

• Imaging utilities
• Analysis utilities
• Chain of custody
• Hashing utilities
• OS and process analysis
• Mobile device forensics
• Password crackers
• Cryptography tools
• Log viewers

• HR
• Legal
• Marketing
• Management

• Limit communication to trusted parties
• Disclosure based on regulatory/ legislative requirements
• Prevent inadvertent release of information
• Secure method of communication

• Technical
• Management
• Law enforcement
• Retain incident response provider

• Bandwidth consumption
• Beaconing
• Irregular peer-to-peer communication
• Rogue devices on the network
• Scan sweeps
• Unusual traffic spikes

• Processor consumption
• Memory consumption
• Drive capacity consumption
• Unauthorized software
• Malicious processes
• Unauthorized changes
• Unauthorized privileges
• Data exfiltration

• Anomalous activity
• Introduction of new accounts
• Unexpected output
• Unexpected outbound communication
• Service interruption
• Memory overflows

• Segmentation
• Isolation
• Removal
• Reverse engineering

• Sanitization
• Reconstruction/reimage
• Secure disposal

• Patching
• Permissions
• Scanning
• Verify logging/communication to security monitoring

• Lessons learned report
• Change control process
• Update incident response plan

• NIST
• ISO
• COBIT
• SABSA
• TOGAF
• ITIL

• Password policy
• Acceptable use policy
• Data ownership policy
• Data retention policy
• Account management policy
• Data classification policy

• Control selection based on criteria
• Organizationally defined parameters
• Physical controls
• Logical controls
• Administrative controls

• Continuous monitoring
• Evidence production
• Patching
• Compensating control development
• Control testing procedures
• Manage exceptions
• Remediation plans

• Audits
• Evaluations
• Assessments
• Maturity model
• Certification

• Time
• Location
• Frequency
• Behavioral

• Personnel
• Endpoints
• Servers
• Services
• Roles
• Applications

• Directory services
• TACACS+
• RADIUS

• Manual vs. automatic provisioning/deprovisioning
• Self-service password reset

• Impersonation
• Man-in-the-middle
• Session hijack
• Cross-site scripting
• Privilege escalation
• Rootkit

• Data aggregation and correlation
• Trend analysis
• Historical analysis

• Firewall log
• Syslogs
• Authentication logs
• Event logs

• Personnel
  Training
  Dual control
  Separation of duties
  Third party/consultants
  Cross training
  Mandatory vacation
  Succession planning
• Processes
  Continual improvement
  Scheduled reviews
  Retirement of processes
• Technologies
  Automated reporting
  Security appliances
  Security suites
  Outsourcing
  -Security as a Service
  Cryptography
• Other security concepts
  Network design
  Network segmentation

• Security requirements definition
• Security testing phases
  Static code analysis
  Web app vulnerability scanning
  Fuzzing
  Use interception proxy to crawl application
• Manual peer reviews
• User acceptance testing
• Stress test application
• Security regression testing
• Input validation

• OWASP
• SANS
  Center for Internet Security
  -System design recommendations
  -Benchmarks

• IPS
  Sourcefire
  Snort
  Bro
• HIPS
• Firewall
  Cisco
  Palo Alto
  Check Point
• Antivirus
• Anti-malware
• EMET
• Web proxy
• Web Application Firewall (WAF)
  ModSecurity
  NAXSI
  Imperva

• SIEM
  ArcSight
  QRadar
  Splunk
  AlienVault
  OSSIM
  Kiwi Syslog
• Network scanning
  NMAP
• Vulnerability scanning
  Qualys
  Nessus
  OpenVAS
  Nexpose
  Nikto
  Microsoft Baseline Security Analyzer
• Packet capture
  Wireshark
  tcpdump
  Network General
  Aircrack-ng
• Command line/IP utilities
  netstat
  ping
  tracert/traceroute
  ipconfig/ifconfig
  nslookup/dig
  Sysinternals
  OpenSSL
• IDS/HIDS
  Bro

• Vulnerability scanning
  Qualys
  Nessus
  OpenVAS
  Nexpose
  Nikto
  Microsoft Baseline Security Analyzer
• Monitoring tools
  MRTG
  Nagios
  SolarWinds
  Cacti
  NetFlow Analyzer
• Interception proxy
  Burp Suite
  Zap
  Vega

• Interception proxy
  Burp Suite
  Zap
  Vega
• Exploit framework
  Metasploit
  Nexpose
• Fuzzers
  Untidy
  Peach Fuzzer
  Microsoft SDL File/Regex Fuzzer

• Forensic suites
  EnCase
  FTK
  Helix
  Sysinternals
  Cellebrite
• Hashing
  MD5sum
  SHAsum
• Password cracking
  John the Ripper
  Cain & Abel
• Imaging
  DD