Lesson 12: Explain Incident Response and Monitoring Concepts Flashcards

Question 1

Q

Define an ‘Incident’

Answer

A

An event that interrupts standard operations or compromises confidentiality, integrity, or availability.

Question 2

Q

Define an ‘Incident response policy/plan (IRP)’

Answer

A

Defines the resources, processes, procedures, and guidelines for dealing with cybersecurity incidents.

Question 3

Q

What are the seven steps of CompTIA’s incident response lifecycle?

Answer

A

Preparation
Detection
Analysis
Containment
Eradication
Recovery
Lessons learned

Question 4

Q

Define the first step (preparation) of the CompTIA incident response lifecycle

Answer

A

Hardening systems, writing policies and procedures, and setting up confidential lines of communication; implies creating IRP.

Question 5

Q

What features does a security information and event management (SIEM) have to assist in preparation?

Answer

A

Incident detection for collection and analysis of environment
Digital forensics for validating data
Case management tools for logging incidents and coordinating response activities

Question 6

Q

Define the second step (detection/identification) of the CompTIA incident response lifecycle

Answer

A

The process of correlating events from network and system data sources and determining whether they are an IoC.

Question 7

Q

Define a ‘Call list’

Answer

A

A document listing authorized contacts for out-of-band notification and collaboration during a security incident.

Question 8

Q

Define the third step (analysis) of the CompTIA incident response lifecycle

Answer

A

Process in which IoCs are assessed to determine validity, impact, category, and priority.

Question 9

Q

What is necessary for an IoC to be a true positive incident?

Answer

A

Correlating multiple indicators.

Question 10

Q

What is the next step after validating a true IoC?

Answer

A

Identify the type of incident and the data or resources affected; establishing the category and impact allows determination of priority.

Question 11

Q

How does the value of data affect impact of an IoC?

Answer

A

The move valuable the data the higher the impact of the IoC.

Question 12

Q

Define ‘downtime’ and how it can affect impact

Answer

A

The degree to which an incident disrupts business processes; Longer downtime means higher impact.

Question 13

Q

When determining the scope, what factors can affect impact of the IoC?

Answer

A

The number of affected systems; the type of affected systems, and how the systems have been affected.

Question 14

Q

How does detection time affect the impact of an IoC?

Answer

A

The longer it takes to detect an IoC, the more potential damage that can take place.

Question 15

Q

What is the purpose of an incident category?

Answer

A

To ensure that all response team members and other organizational personnel have a shared understanding of the meaning of terms, concepts, and descriptions.

Question 16

Q

What does effective incident analysis depend on?

Answer

A

Threat intelligence; insight into adversary tactics, techniques, and procedures (TTPs).

Question 17

Q

Define a ‘cyber kill chain’

Answer

A

describes the stages by which a threat actor progresses to a network intrusion.

Question 18

Q

Define the first step (Reconnaissance) in the cyber kill chain

Answer

A

Mapping an attack surface and identifying potential attack vectors using network probes, Open Source Intelligence (OSINT), and social engineering.

Question 19

Q

Define the second step (weaponization) in the cyber kill chain

Answer

A

Coding an exploit to take advantage of a vulnerability discovered through reconnaissance coupled with a payload to deliver the exploit and maintain covert access.

Question 20

Q

Define the third step (Delivery) in the cyber kill chain

Answer

A

Weaponized code is inserted into the environment using a selected attack vector.

Question 21

Q

Define the fourth step (exploitation) in the cyber kill chain

Answer

A

Weaponized code is executed on the target system and gains the capability to deliver the payload.

Question 22

Q

Define the firth step (installation) in the cyber kill chain

Answer

A

Payload is successfully installed on the target system using methods to remain undetected and achieve persistence.

Question 23

Q

Define the sixth step (Command and Control) in the cyber kill chain

Answer

A

The payload establishes a connection to a remote server, enabling the attacker to connect to the target and download or fabricate additional attack tools.

Question 24

Q

Define the seventh step (Action on Objectives) in the cyber kill chain

Answer

A

Adversary uses the compromised system to achieve or progress towards goals, such as data exfiltration, DoS/vandalism, or escalating access.

Question 25

Q

Define a ‘playbook’

Answer

A

A checklist of actions to perform to detect and respond to a specific type of incident.

Question 26

Q

What is best practice when planning for different attack types?

Answer

A

Develop a playbook, or standard operating procedure (SOP) to assist analysts in detecting and responding to specific cyber threat scenarios.

Question 27

Q

Define the fourth step (containment) of the CompTIA incident response lifecycle

Answer

A

Isolating affected hosts/accounts; Limit the scope and magnitude of the incident; Secure data while limiting the immediate impact on customers and business partners.

Question 28

Q

When at the 4th step (containment) of CompTIA’s incident response lifecycle, what should be considered in regards to the time it will take to implement containment?

Answer

A

What damage or theft has occurred already? How much more could be inflicted and in what sort of time frame.

Question 29

Q

How could containment inadvertently be a negative approach?

Answer

A

What actions could alert the threat actor that the attack has been detected? What evidence of the attack must be gathered and preserved?

Question 30

Q

What are two forms of containment?

Answer

A

Isolation-Based Containment
Segmentation-Based Containment

Question 31

Q

Define ‘Isolation-Based Containment’

Answer

A

Isolation involves removing an affected component from whatever larger environment it is a part of; Removes any interface between the affected system and the production network or the Internet; Disabling a user account or service.

Question 32

Q

If a single host is infected, what are simple ways to isolate it?

Answer

A

Disconnect networking cables from the host or disabling the switch port.

Question 33

Q

What is the downside to pulling the plug from an infected system?

Answer

A

Least stealthy option and will reduce opportunities to analyze the attack or malware.

Question 34

Q

Define a ‘sinkhole’

Answer

A

Honeynet; DoS attack mitigation strategy that directs the traffic that is flooding a target IP address to a different network for analysis.

Question 35

Q

Define ‘Segmentation-Based Containment’

Answer

A

A means of achieving the isolation of a host or group of hosts using network technologies and architecture.

Question 36

Q

How can different layer 2/3 technologies be used to perform isolation?

Answer

A

Reconfiguring routing/firewall infrastructure to isolate infected VLANs and subnets.

Question 37

Q

Define the fifth step (eradication) of the CompTIA incident response lifecycle

Answer

A

Removes the cause of compromise and restores the affected system by applying secure configurations and/or installing patches once the incident has been contained.

Question 38

Q

Define the sixth step (recovery) of the CompTIA incident response lifecycle

Answer

A

Process in which hosts, networks, and systems are brought back to a secure baseline configuration and ensuring that the system cannot be compromised through the same attack vector.

Question 39

Q

What are the 3 steps of eradication and recovery efforts?

Answer

A

Reconstitution of affected system
Re-audit security controls
Notify affected parties

Question 40

Q

Define ‘Reconstitution of affected system’

Answer

A

Removing malicious files or tools from affected systems or restoring systems from secure backups/images.

Question 41

Q

Define ‘Re-audit security controls’

Answer

A

By ensuring no vulnerability to the same attack or from a new attack that could be launched through information gained from the initial attack; Changing cipher suites, a new system/OS, new cryptographic keys.

Question 42

Q

Why is it important to notify affected parties after reconstitution of affected system and re-audit of security controls?

Answer

A

To provide the means to remediate their own systems/accounts.

Question 43

Q

Define the seventh step (lessons learned) of the CompTIA incident response lifecycle

Answer

A

Analyzes the incident and responses to identify whether procedures or systems could be improved.

Question 44

Q

Define a ‘lessons learned report (LLR)’ or ‘after-action report (AAR)’

Answer

A

An analysis of events that can provide insight into how to improve response and support processes in the future.

Question 45

Q

What should be included in a lessons learned report (LLR)?

Answer

A

A root cause analysis.

Question 46

Q

Define ‘root cause analysis’

Answer

A

A technique used to determine the true cause of the incident, and when removed, it prevents the problem from occurring again.

Question 47

Q

Define a ‘tabletop exercise’

Answer

A

A facilitator presents a scenario, and the responders explain what action they would take to identify, contain, and eradicate the threat.

Question 48

Q

Define a ‘walkthrough exercise’

Answer

A

A facilitator presents the scenario similar to a tabletop exercise, but the incident responders demonstrate what actions they would take in response.

Question 49

Q

What separates a walkthrough from a tabletop exercise?

Answer

A

Running scans and analyzing sample files, typically on sandboxed versions of the company’s actual response and recovery tools.

Question 50

Q

Define ‘Threat hunting’

Answer

A

Insights gained from threat intelligence to proactively discover whether there is evidence of TTPs already present within the network or system.

Question 51

Q

Define ‘Intelligence fusion’

Answer

A

Using sources of threat intelligence data to automate detection of adversary IoCs and TTPs.

Question 52

Q

What can intelligence fusion be implemented with?

Answer

A

In a security information and event management (SIEM).

Question 53

Q

Define a ‘maneuver’ in threat hunting

Answer

A

Blinding attack/distraction; The concept that threat actor and defender may use deception or counterattacking strategies to gain positional advantage.

Question 54

Q

Define ‘Digital forensic analysis’

Answer

A

Examining evidence gathered from computer systems and networks to a standard that will be accepted in a court of law; Deleted files, timestamps, user activity, and unauthorized traffic.

Question 55

Q

How is digital evidence similar to DNA or fingerprints?

Answer

A

They are all latent; the evidence cannot be seen with the naked eye; It must be interpreted using a machine or process.

Question 56

Q

Because digital evidence is latent, what must be considered when using the evidence in procecution?

Answer

A

Steps must be taken to ensure the admissibility of digital evidence; Requires documentation showing how the evidence was collected and analyzed without tampering or bias.

Question 57

Q

Define a ‘legal hold’

Answer

A

A process designed to preserve all relevant information when litigation is reasonably expected to occur.

Question 58

Q

Define ‘Acquisition’ in a legal sense

Answer

A

Process of obtaining a forensically clean copy of data from a device seized as evidence.

Question 59

Q

Define ‘Data acquisition’

Answer

A

Tools used to create a forensically clean copy of data from a source device.

Question 60

Q

During the acquisition process, what is best practice when making images of volatile and nonvolatile storage?

Answer

A

To capture evidence in the order of volatility, from more volatile to less volatile.

Question 61

Q

What is the best practice order for data acquisition?

Answer

A

CPU registers and cache memory
RAM and other nonpersistent memory
HDDs, SSDs, flash memory
Remote logging and monitoring data
Physical configuration and network topology
Archival media and printed documents

Question 62

Q

Define volatile memory

Answer

A

Data is lost when power is removed.

Question 63

Q

Define a ‘dump’

Answer

A

A file containing data captured from system memory.

Question 64

Q

Define a ‘system memory dump’

Answer

A

An image file of running processes; Temporary files, registry data, network connections, cryptographic keys, etc.

Answer 65

A

Acquiring data from nonvolatile storage; HDDs, SSDs, flash memory, optical media (CD/DVD).

Answer 66

A

Live acquisition
Static acquisition by shutting down the host
Static acquisition by pulling the plug

Answer 67

A

Copying the data while the host is still running.

Answer 68

A

Captures more evidence/data for analysis and reduces the impact on overall services.

Answer 69

A

The data on the actual disks will have changed, so this method may not produce legally acceptable evidence; May also alert the bad actor and allow time to perform anti-forensics.

Answer 70

A

Runs the risk that the malware will detect the shutdown process and perform anti-forensics to try to remove traces of itself.

Answer 71

A

Most likely to preserve the storage devices in a forensically clean state, but there is the risk of corrupting data.

Answer 72

A

To document the steps taken and supply a timeline and video-recorded evidence of actions taken to acquire the evidence.

Answer 73

A

Linux command that makes a bit-by-bit copy of an input file, typically used for disk imaging.

Answer 74

A

dd if=input file of=output file

Answer 75

A

Establishes the provenance; Being able to trace the source of evidence to a crime scene and show that it has not been tampered with.

Answer 76

A

Capture tool must not alter data or metadata (properties) on the source disk or file system.

Answer 77

A

By attaching the target device to a forensics workstation or field capture device equipped with a write blocker.

Answer 78

A

A forensic tool to prevent the capture tool or analysis device from changing data on a target disk or media.

Answer 79

A

A cryptographic hash of the disk media is made, using either the MD5 or SHA hashing function.

Answer 80

A

A bit-by-bit copy of the media is made using an imaging utility.

Answer 81

A

A second hash is then made of the image, which should match the original hash of the media.

Answer 82

A

A copy is made of the reference image, validated again by the checksum. Analysis is performed on the copy.

Answer 83

A

Record of handling evidence from collection to presentation in court to disposal.

Answer 84

A

Establishes the integrity and proper handling of evidence; Protects an organization against accusations that evidence has either been tampered with.

Answer 85

A

Filtering relevant evidence produced from all the data gathered in a forensic examination and storing it in a database in a format such that it can be used as evidence in a trial.

Answer 86

A

Unused space in an extended partition.

Answer 87

A

Something that can be subjected to analysis to discover indicators.

Answer 88

A

Log files from a network device, host/OS, application, system memory, etc.

Answer 89

A

Alerts/Alarms to detect the presence of an IoC
Status reports

Answer 90

A

Information stored or recorded as a property of an object, state of a system, or transaction.

Answer 91

A

PRI code
Header
Message

Answer 92

A

Calculated from the facility and a severity level.

Answer 93

A

Contains a timestamp, host name, app name, process ID, and message ID fields.

Answer 94

A

Contains a tag showing the source process plus content.

Answer 95

A

Audit events, such as a failed login or access to a file being denied.

Answer 96

A

A target for security-related events generated by host-based malware and intrusion detection agents.`

Answer 97

A

A record of the email servers involved in transferring an email message from a sender to a recipient.

Answer 98

A

Establish timeline questions, such as when and where a breach occurred, as well as containing other types of evidence.

Answer 99

A

Via commands on a mail client or from a message transfer agent (MTA).

Answer 100

A

Provides real-time or near-real-time analysis of security alerts generated by network hardware and applications.

Answer 101

A

Agent-based
Listener/Collector
Sensor

Answer 102

A

A network appliance that gathers or receives log and/or state data from other network systems.

Answer 103

A

Parsing information from multiple data sources so that it can be presented in a consistent and searchable format.

Answer 104

A

A function of log analysis that links log and state data to identify a pattern that should be logged or alerted as an event.

Answer 105

A

High-level summary for decision-makers. This guides planning and investment activity.

Answer 106

A

Provides cybersecurity and department leaders with detailed information. This guides day-to-day operational decision-making.

Answer 107

A

Process of adjusting detection and correlation rules to reduce incidence of false positives and low-priority alerts.

Answer 108

A

Adjust the parameter of the rules, adding more correlation factors, setting to log only/no alert, or to produce a notification for x amount of events.

Answer 109

A

By redirecting alerts to a different group based on the type of alert.

Answer 110

A

Deploying machine learning (ML) to rapidly analyze the sort of data sets produced by SIEM and how analysts respond to alerts and tuning the ruleset in a way that reduces alert.

Answer 111

A

Auditing software that collects status and configuration information from network devices typically based on SNMP.

Answer 112

A

Records metadata and network traffic statistics rather than recording each frame for analysis.

Answer 113

A

Highlight patters in traffic; Alert based on anomalies, flow patterns or custom rules; Visualization of network.

Answer 114

A

By packets sharing the same characteristics, referred to as keys.

Answer 115

A

A flow label.

Answer 116

A

A flow record.

Answer 117

A

Packets that share the same key characteristics, such as IP source and destination addresses and protocol type; Also known as a 5-tuple.

Answer 118

A

Software that tracks the health of a computer’s subsystems using metrics reported by system hardware or sensors; high temperature, chassis intrusion, and so on.

Answer 119

A

Security Content Automation Protocol (SCAP) allows compatible scanners to determine whether a computer meets a configuration baseline.

Answer 120

A

Open Vulnerability and Assessment Language (OVAL)
Extensible Configuration Checklist Description Format (XCCDF)

Answer 121

A

A SIEM collector receives log data from a remote host and parses it into a standard format that can be recorded within the SIEM; A sensor (or sniffer) copies data frames from the network, using a mirror port or a TAP.

Answer 122

A

Retrospective network analysis (RNA)

Answer 123

A

Recording the totality of network events at a packet header or payload level.

Answer 124

A

Detailed analysis of captured traffic to identify attack tools, data exfiltration attempts, and suspicious domains.

Brainscape's Knowledge GenomeTM

Lesson 12: Explain Incident Response and Monitoring Concepts Flashcards

Brainscape's Knowledge Genome^TM