Incident Response Process Flashcards

1
Q

What is the incident response process based on the SANS Incident Handler’s handbook? Name them as they go from the first action until the last action.

PICERL acronym

A
  1. Preparation
  2. Identification
  3. Containment
  4. Eradication
  5. Recovery
  6. Lessons Learned
2
Q

What’s part of the Detection phase in IR?

A
  • monitoring tools
  • IPS
  • firewalls
  • user notification to management and/or helpdesk
3
Q

What’s part of the Response phase in IR?

A
  • triage - determining whether it is really an incident; it is the decision to declare
  • limiting damage
4
Q

What does CSIRT stand for?

A

Computer Security Incident Response Team

or Cyber Security Incident Response Team

5
Q

If an incident is determined to be major, what team is usually engaged?

A

CSIRT

6
Q

Which plan includes instructions about who engages CSIRT and under what conditions?

A

formal Incident Response Plan

7
Q

What is the goal of containment in the Mitigation phase?

A

lay the foundation for the effective and permanent resolution of the incident

8
Q

What is the main goal of the Mitigation phase?

A
  • conduct a more comprehensive investigation into the root cause of the incident and develop a long-term strategy for remediation
  • contain an incident in a strategic way
9
Q

In what phase is a cybersecurity incident response team formed?

A

Response

10
Q

What’s part of the Reporting phase in IR?

A
  • reporting to relevant stakeholders (customers, vendors, law)
  • management decisions
11
Q

What’s part of the Recovery phase in IR?

A
  • returning to normal operations
  • management decisions
12
Q

What’s part of the Remediation phase in IR?

A
  • root cause being addressed
  • includes root cause analysis
13
Q

What is the main goal of the Lessons Learned phase?

A

help prevent recurrence, improve IR process

14
Q

What is a security event?

A

a security log that needs to be investigated further to determine whether it is a real security incident or a false positive

15
Q

What should be included in an organization’s emergency response guidelines?

A
  • immediate response procedures
  • list of individuals who should be notified of the emergency
  • secondary response procedures for incident responders
16
Q

During which phase of the incident response process would administrators design new security controls intended to prevent a recurrence of the incident?

A

Remediation Phase; this phase of incident handling focuses on conducting a root-cause analysis to identify the factors contributing to an incident and implementing new security controls, as needed

17
Q

Which NIST standard is considered to be “the gold standard” for incident response?

A

NIST 800-61r2

18
Q

What has to be done continuously during the incident response so proper decisions can be made?

A

documentation; when decision points are reached, the management needs to be accurately informed about the situation

19
Q

What are the first questions that need to be asked during the Response phase, which then influence the company’s operational and strategic response?

A
  • Is it really an incident?
  • Should devices stay connected?
  • Are there any signs of live network activity?
  • What is the intent of the malicious activity?
20
Q

What usually triggers an investigation?

A
  • EDR or AV Alert
    • create an alert for anomalous activity that has occurred on a specific host
  • Network Alerts
    • provide alerts for anomalous network activity
  • SIEM Alerts
    • could alert on a custom rule that was created by the analysts
  • user alert
    • users themselves can raise an alert about suspicious activity on their computer
21
Q

What step is required next, if the alert information is not sufficient and we have to gather more information than what is currently provided?

A

Digital Forensics

22
Q

In order to address and close an incident, what has to be understood?

A

what is the scope of the incident

23
Q

What can happen if the scope of the incident is misunderstood?

A
  • if more drastic actions are authorized than necessary, it can damage the business
  • if not enough actions are taken to eradicate the infection, the threat actor might remain in the network
24
Q

What is covered by Incident Management? What question does it try to address?

A

the process aspect of dealing with an incident; answers How do we respond to what happened?

25
Q

What is covered by Incident Response? What question does it try to address?

A

technical aspect of dealing with an incident; answers What happened?

26
Q

What are the things that Incident Management needs to take care of?

A
  • triaging the incident to accurately update the severity of the incident as new information becomes available and getting more stakeholders involved to help deal with the incident
  • guiding the incident actions through the use of playbooks
  • deciding which containment, eradication, and recovery actions will be taken to deal with the incident
  • deciding the communication that will be sent internally and externally while the team deals with the incident
  • documenting the information about the incident, such as the actions taken and the effect that they had on dealing with the incident
  • closing the incident and taking the information to learn from the incident and improve future processes and procedures
27
Q

What are the different levels of incident response and management?

A
  • Level 1: SOC Incident
    • often not even classified as incidents
    • usually require a purely technical approach
  • Level 2: CERT (Computer Emergency Response Team) Incident
    • several analysts in the SOC may be involved in the investigation
    • performing additional investigation to determine the scope of the incident
  • Level 3: CSIRT Incident
    • entire SOC is placed on high alert and actively working to resolve the incident
    • analysts and the forensic team work to uncover the full scope of the incident and the management team is taking action against the threat actor to contain the spread of the malware, eradicate it from hosts where it is discovered, and recover affected systems
  • Level 4: CMT (Crisis Management Team) Incident
    • all hands on deck and officially a full-scale cyber crisis (legal, communication, law enforcement)
    • this team can authorise the use of nuclear actions, such as taking the entire organisation offline to limit the incident’s damage
28
Q

What is the role of a SOC Analyst during incident response?

A
  • deal with the various events and alerts that happen in the SOC
  • first members that would get involved in dealing with an incident
29
Q

What is the role of a SOC Lead during incident response?

A
  • dividing the tasks in the SOC and deciding to escalate an alert to the level of incident
  • usually, the SOC manager understands the technical information required to perform an investigation to better help them divide the different tasks during an incident
30
Q

What is the role of a Forensic Analyst during incident response?

A
  • perform an investigation to better understand what happened during an incident
  • often this is digital forensics, performed by reviewing artefacts such as the memory or hard drive of a device
31
Q

What is the role of a Malware Analyst during incident response?

A
  • focus on understanding how the malware works
  • often have significant technical capabilities to debug and decompile malware to understand how it works
  • uncover IoCs that are signatures of the malware that can be used to identify the malware in the environment
32
Q

What is the role of a Threat Hunter during incident response?

A
  • actively tries to uncover new threats in the environment
  • try and create new alert rules based on information available in logs and other sources
  • by performing threat hunting, an alert would be generated that could help the team discover an attacker that attempted to use the same technique
33
Q

What is the role of a First Responder during incident response?

A
  • in some cases, it isn’t the SOC that is first alerted to an incident - **a cyber incident could have started as a business incident**
  • e.g. team responsible for a certain business application needs to deal with its slowness, later to realize that it is under DDoS
34
Q

What is the role of a Security Engineer during incident response?

A
  • not directly involved with the SOC, but they can often be involved in incidents
  • responsible for the security of their division, application, or system
  • often relied upon as a subject matter expert to aid in the investigation
35
Q

What is the role of an Information Security Officer (ISO) during incident response?

A
  • responsible for the security of their division, but more management focussed than technical
  • often involved in incidents as SMEs
  • responsible for acting as the bridge between the Incident Response team and their division team that will have to implement the actions provided by the Incident Manager
36
Q

What is the role of an Incident Manager during incident response?

A
  • trained in performing the management duties for Incident Response and Management
  • exceptional in note-taking and organised to ensure that everything during an incident is properly documented and that the processes are followed
37
Q

What is the role of a Project Owner during incident response?

A
  • person that takes the lead during the development of a solution
  • in Agile, since a version of the project is already live as the team is still performing development, incidents can already occur - product owner is often called in as a subject matter expert to help with the investigation
38
Q

What is the role of a Subject Matter Expert during incident response?

A
  • relied upon based on the specific incident at hand
  • e.g. if Active Directory has been compromised, one of the Domain Admins could be called in as an SME
  • relied on to provide more information that allows the blue team to better understand the incident scope and what potential actions can be taken against the threat actors
39
Q

What is the role of a Crisis Manager during incident response?

A
  • lead for the crisis management team
  • usually an executive such as the CIO or COO
  • responsible for ensuring that the CMT functions as they should and can deal with the crisis
40
Q

What is the role of an Executive during incident response?

A
  • if an incident is sufficiently severe, executives of a company will be involved in the CMT
  • includes the CEO, COO, CIO, CTO, and CISO
41
Q

What are the steps in the NIST Incident Management process?

A
  1. Preparation
  2. Detection and Analysis
  3. Containment, Eradication, and Recovery
  4. Post-incident Activity
42
Q

What are the things that should be done in the Prepare phase?

A
  • identify and document key stakeholders and call trees that will be used during an incident
  • create and update playbooks that aid the team in following a set process for incidents with a known nature
  • exercise the team’s ability to deal with an incident through tabletop exercises and cyber war games
  • continuously perform threat hunting to help create new alert rules based on modern attacker techniques
43
Q

What are the steps involved in incident triage?

A
  • is the security event really an incident?
    • critical as it impacts how the event is handled subsequently
  • preliminary assessment
    • identifying what systems, data, or processes are affected and determining the potential impact
  • prioritization
    • sensitivity of the affected data, the extent of the compromise, and the potential for further escalation are considered
44
Q

What is the primary NIST phase of incident management, where we try to deal with the incident?

A

Containment, Eradication, and Recovery

45
Q

What is the primary NIST phase of incident response, where we try to understand what has happened?

A

Detection and Analysis

46
Q

What actions are typically taken during the Detection and Analysis phase?

A
  • reviewing alerts in the AV, EDR, SIEM dashboards and network security appliances logs
  • performing a forensic investigation of artefacts both on systems and the network
  • analysing malware that is discovered to better understand how it works and create new signatures that can be used to identify it
47
Q

What is the goal of the Containment phase?

A

take actions to “stop the bleed” - meant to stop the incident from growing larger

48
Q

What is the goal of the Eradication phase?

A

take actions to eradicate the threat actor from the estate

49
Q

What is the goal of the Recovery phase?

A

take actions to recover the environment and allow the organisation to go back to Business as Usual (BAU)

50
Q

Why are the NIST incident response phases 2 and 3 cyclic?

A

when we start to deal with the incident, we will not yet understand its full scope

51
Q

What are the common pitfalls during incident management?

A
  • Insufficient Hardening
  • Insufficient Logging
  • Insufficient and Over-Alerting
  • Insufficient Determination of Incident Scope
  • Insufficient Accountability
  • Insufficient Backups
52
Q

What is DFIR?

A

Digital Forensics and Incident Response

53
Q

What are artifacts (also correctly called artefacts in UK English)?

A

evidence that points to an activity performed on a system

54
Q

What is an Incident Response Plan (IRP)?

A

document that outlines the steps an organisation will take to respond to an incident

55
Q

What should the Incident Response Plan (IRP) be like?

A

a Swiss Army knife: it should comprehensively cover all aspects of the incident response process, roles and responsibilities, communication channels between stakeholders, and metrics to capture the effectiveness of the IR process

56
Q

What kind of roles should be included in CSIRT?

A

business, technical, legal counsel, and public relations experts with relevant skills and authority to act upon decisions during a cyber attack

57
Q

What do incident responders need to be familiar with?

A

forensic imaging tools, how to read audit logs, and performing analysis using honeypots and vulnerable systems, which will allow them to identify suspicious events when they occur and conduct practical forensics when the need arises

58
Q

Why do incident responders need to develop note-taking and detail-oriented skills?

A

information gathered could be used as evidence in a criminal case about a cyber attack, or be instrumental in developing mitigation plans and lessons learned assessments

59
Q

What are the assets that need to be protected?

A
  • infrastructure
  • intellectual property
  • client and employee data
  • brand reputation
60
Q

What is a jump bag?

A

package that includes all the necessary tools for incident response

61
Q

What does a jump bag contain?

A
  • media drives to store evidence being collected
  • disk imaging and host forensic software such as FTK Imager, EnCase, and The Sleuth Kit
  • network tap to mirror and monitor traffic
  • cables and adapters such as USB, SATA, and card readers to accommodate common scenarios
  • PC repair kits that include screwdriver sets and tweezers
  • copies of incident response forms and communication playbooks
62
Q

What is covered by visibility?

A
  • collecting audit and logs data
  • monitoring threat intelligence feeds on emerging adversarial tactics, techniques, and procedures (TTPs)
  • ingesting vendor patch advisories
63
Q

What is the subsequent step once an incident has been identified?

A

scoping

64
Q

What does scoping entail?

A

grasping the extent of the incident, including which systems are affected, what data is at risk, and how the incident impacts the organisation

65
Q

What is the Spreadsheet of Doom (SoD)?

A

manual, spreadsheet-based methods that organizations sometimes use to track and manage security incidents and their response efforts

66
Q

Which tools are essential in scoping the extent of a security incident?

A

Asset Inventory and Spreadsheet of Doom