Sound the Alarm: Detection and Response Flashcards

1
Q

The first phase of the NIST Incident Response Lifecycle is Preparation. What are the other phases? Select three answers.

Detection and Analysis

Post-Incident Activity

Identify

Containment, Eradication, and Recovery

A

Detection and Analysis

Post-Incident Activity

Containment, Eradication, and Recovery

2
Q

What type of process is the NIST Incident Response Lifecycle?

Cyclical

Linear

Synchronous

Observable

A

Cyclical

3
Q

Fill in the blank: An _____ is an observable occurrence on a network, system, or device.

investigation

analysis

incident

event

A

event

4
Q

A security professional investigates an incident. Their goal is to gain information about the 5 W’s, which include what happened and why. What are the other W’s? Select three answers.

Where the incident took place

When the incident took place

Which type of incident it was

Who triggered the incident

A

Where the incident took place

When the incident took place

Who triggered the incident

5
Q

What are the goals of a computer security incident response team (CSIRT)? Select three answers.

To handle the public disclosure of an incident

To manage incidents

To prevent future incidents from occurring

To provide services and resources for response and recovery

A

To manage incidents

To prevent future incidents from occurring

To provide services and resources for response and recovery

6
Q

Which document outlines the procedures to follow after an organization experiences a ransomware attack?

A security policy

A network diagram

A contact list

An incident response plan

A

An incident response plan

7
Q

Fill in the blank: The job of _____ is to investigate alerts and determine whether an incident has occurred.

technical leads

public relations representative

incident coordinators

security analysts

A

security analysts

8
Q

Which member of a CSIRT is responsible for tracking and managing the activities of all teams involved in the response process?

Public relations representative

Incident coordinator

Security analyst

Technical lead

A

Incident coordinator

9
Q

What are some examples of types of documentation? Select three answers.

Alert notifications

Final reports

Policies

Playbooks

A

Final reports

Policies

Playbooks

10
Q

Fill in the blank: Ticketing systems such as _____ can be used to document and track incidents.

Excel

Jira

Evernote

Cameras

A

Jira

11
Q

What application monitors system activity, then produces alerts about possible intrusions?

Intrusion detection system

Playbook

Word processor

Product manual

A

Intrusion detection system

12
Q

What actions does an intrusion prevention system (IPS) perform? Select three answers.

Detect abnormal activity

Stop intrusive activity

Manage security incidents

Monitor activity

A

Detect abnormal activity

Stop intrusive activity

Monitor activity

13
Q

Which tool collects and analyzes log data to monitor critical activities in an organization?

Security information and event management (SIEM) tool

Intrusion prevention system (IPS) tool

Playbook

Intrusion detection system (IDS) tool

A

Security information and event management (SIEM) tool

14
Q

Fill in the blank: Security orchestration, automation, and response (SOAR) is a collection of applications, tools, and workflows that uses automation to _____ security events.

respond to

interact with

collect

remediate

A

respond to

15
Q

Which step in the SIEM process transforms raw data to create consistent log records?

Normalize data

Collect and aggregate data

Analyze data

Centralize data

A

Normalize data

16
Q

What is the process of gathering data from different sources and putting it in one centralized place?

Aggregation

Notification

Analysis

Normalization

A

Aggregation

17
Q

Which of the following is an example of a security incident?

An unauthorized user successfully changes the password of an account that does not belong to them.

A user installs a device on their computer that is allowed by an organization’s policy.

An authorized user successfully logs in to an account using their credentials and multi-factor authentication.

A software bug causes an application to crash.

A

An unauthorized user successfully changes the password of an account that does not belong to them.

18
Q

What process is used to provide a blueprint for effective incident response?

The NIST Incident Response Lifecycle

The incident handler’s journal

The 5 W’s of an incident

The NIST Cybersecurity Framework

A

The NIST Incident Response Lifecycle

19
Q

Which step does the NIST Incident Response Lifecycle begin with?

Preparation

Containment, Eradication and Recovery

Post-Incident Activity

Detection and Analysis

A

Preparation

20
Q

What is a computer security incident response team (CSIRT)?

A specialized group of security professionals who focus on incident prevention

A specialized group of security professionals who are trained in incident management and response

A specialized group of security professionals who are solely dedicated to crisis management

A specialized group of security professionals who work in isolation from other departments

A

A specialized group of security professionals who are trained in incident management and response

21
Q

Fill in the blank: Incident response plans outline the _____ to take in each step of incident response.

instructions

exercises

policies

procedures

A

procedures

22
Q

Which of the following best describes how security analysts use security tools?

They only use documentation tools for incident response tasks.

They only use detection and management tools during incident investigations.

They only use a single tool to monitor, detect, and analyze events.

They use a combination of different tools for various tasks.

A

They use a combination of different tools for various tasks.

23
Q

Which statement most accurately describes documentation?

It is a standardized format used to record information across all industries.

It can be audio, video, or written instructions used for a specific purpose.

It serves as legal documentation and evidence in official settings.

It is always digital and stored in a centralized database.

A

It can be audio, video, or written instructions used for a specific purpose.

24
Q

Fill in the blank: An intrusion detection system (IDS) _____ system activity and alerts on possible intrusions.

protects

manages

analyzes

monitors

A

monitors

25
Q

What is the difference between a security information and event management (SIEM) tool and a security orchestration, automation, and response (SOAR) tool?

SIEM tools use automation to respond to security incidents. SOAR tools collect and analyze log data, which are then reviewed by security analysts.

SIEM tools are used for case management while SOAR tools collect, analyze, and report on log data.

SIEM tools collect and analyze log data, which are then reviewed by security analysts. SOAR tools use automation to respond to security incidents.

SIEM tools and SOAR tools have the same capabilities.

A

SIEM tools collect and analyze log data, which are then reviewed by security analysts. SOAR tools use automation to respond to security incidents.

26
Q

What happens during the data collection and aggregation step of the SIEM process? Select two answers.

Data is cleaned and transformed.

Data is centralized in one place.

Data is analyzed according to rules.

Data is collected from different sources.

A

Data is centralized in one place.

Data is collected from different sources.

27
Q

Which core functions of the NIST Cybersecurity Framework relate to the NIST Incident Response Lifecycle? Select two answers.

Discover

Investigate

Respond

Detect

A

Respond

Detect

28
Q

What are some roles included in a computer security incident response team (CSIRT)? Select three answers.

Technical lead

Security analyst

Incident coordinator

Incident manager

A

Technical lead

Security analyst

Incident coordinator

29
Q

What is an incident response plan?

A document that outlines a security team’s contact information

A document that details system information

A document that contains policies, standards, and procedures

A document that outlines the procedures to take in each step of incident response

A

A document that outlines the procedures to take in each step of incident response

30
Q

What are investigative tools used for?

Analyzing events

Managing alerts

Documenting incidents

Monitoring activity

A

Analyzing events

31
Q

Which of the following methods can a security analyst use to create effective documentation? Select two answers.

Write documentation using technical language.

Provide clear and concise explanations of concepts and processes.

Provide documentation in a paper-based format.

Write documentation in a way that reduces confusion.

A

Provide clear and concise explanations of concepts and processes.

Write documentation in a way that reduces confusion.

32
Q

What is the difference between an intrusion detection system (IDS) and an intrusion prevention system (IPS)?

An IDS stops intrusive activity whereas an IPS monitors system activity and alerts on intrusive activity.

An IDS monitors system activity and alerts on intrusive activity whereas an IPS stops intrusive activity.

An IDS and an IPS both have the same capabilities.

An IDS automates response and an IPS generates alerts.

A

An IDS monitors system activity and alerts on intrusive activity whereas an IPS stops intrusive activity.

33
Q

How do indicators of compromise (IoCs) help security analysts detect network traffic abnormalities?

They capture network activity.

They confirm that a security incident happened.

They provide a way to identify an attack.

They define the attacker's intentions.

A

They provide a way to identify an attack.

IoCs help security analysts detect network traffic abnormalities by providing a way to identify an attack. IoCs give analysts specific evidence associated with an attack, such as a known malicious IP address, which can help quickly identify and respond to a potential security incident.

34
Q

Fill in the blank: Data _____ is the term for unauthorized transmission of data from a system.

infiltration

exfiltration

pivoting

network traffic

A

exfiltration

35
Q

An attacker has infiltrated a network. Next, they spend time exploring it in order to expand and maintain their access. They look for valuable assets such as proprietary code and financial records. What does this scenario describe?

Lateral movement

Network data

Large internal file transfer

Phishing

A

Lateral movement

This scenario describes lateral movement. Lateral movement, also called pivoting, describes an attacker exploring a network with the goal of expanding and maintaining their access.

36
Q

What can security professionals use network traffic analysis for? Select three answers.

To monitor network activity

To understand network traffic patterns

To secure critical assets

To identify malicious activity

A

To monitor network activity

To understand network traffic patterns

To identify malicious activity

Network traffic analysis provides security professionals with a way to monitor network activity, identify malicious activity, and understand network traffic patterns.

37
Q

Which component of a packet contains the actual data that is intended to be sent to its destination?

Protocol

Footer

Header

Payload

A

Payload

38
Q

Fill in the blank: A _____ is a file that contains data packets that have been intercepted from an interface or a network.

network protocol analyzer

protocol

packet capture

network statistic

A

packet capture

39
Q

Which field of an IP header is used to identify whether IPv4 or IPv6 is used?

Options

Type of Service

Version

Flags

A

Version

40
Q

Which network protocol analyzer is accessed through a graphical user interface?

Wireshark

TShark

Libpcap

tcpdump

A

Wireshark

41
Q

Which tcpdump option is used to specify the network interface?

-c

-n

-i

-v

A

-i

42
Q

What is needed to access the tcpdump network protocol analyzer?

Output

Graphical user interface

Packet capture

Command-line interface

A

Command-line interface

43
Q

What is the first field found in the output of a tcpdump command?

Source IP

Protocol

Timestamp

Version

A

Timestamp

44
Q

You are using tcpdump to capture network traffic on your local computer. You would like to save the network traffic to a packet capture file for later analysis. Which tcpdump option should you use?

-v

-w

-r

-c

A

-w

45
Q

Fill in the blank: _____ describes the amount of data that moves across a network.

Network data

Data exfiltration

Network traffic

Traffic flow

A

Network traffic

46
Q

Which of the following behaviors may suggest an ongoing data exfiltration attack? Select two answers.

Multiple successful multi-factor authentication logins

Network performance issues

Outbound network traffic to an unauthorized file hosting service

Unexpected modifications to files containing sensitive data

A

Outbound network traffic to an unauthorized file hosting service

Unexpected modifications to files containing sensitive data
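Cards 33 and 46 describe IoC matching and the exfiltration indicators an analyst looks for in network traffic. The following is an added example, not part of the course material, that runs those checks over flow records: it flags internal-to-external flows whose destination is on an IoC list, whose hostname belongs to an unapproved file-hosting domain, or whose outbound volume exceeds a threshold. The Flow class, the sample flows, the IoC set, the unauthorized-host list and the byte threshold are all constructed for illustration; "internal" is assumed to mean the RFC 1918 ranges and external addresses come from the RFC 5737 documentation ranges.

```python
"""Flag outbound flows that look like data exfiltration or match an IoC.

Added example, not from the course material. The flow records, the IoC
list and the unauthorized-host list are constructed; addresses use the
RFC 5737 documentation ranges. "Internal" is assumed to mean RFC 1918.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    bytes_out: int        # bytes sent from src to dst
    dst_host: str = ""    # hostname from DNS or SNI when known, else ""


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def _matches_host(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def detect_exfiltration(flows, ioc_ips, unauthorized_hosts, byte_threshold):
    """Return (flow, [reasons]) for internal->external flows that match a rule.

    ioc_ips            known-bad destination IPs from an IoC feed
    unauthorized_hosts file-hosting domains not approved by policy
    byte_threshold     outbound volume per flow considered abnormal
    """
    findings = []
    for f in flows:
        if not is_internal(f.src) or is_internal(f.dst):
            continue                      # only outbound traffic can exfiltrate
        reasons = []
        if f.dst in ioc_ips:
            reasons.append("destination matches IoC feed")
        if f.dst_host and _matches_host(f.dst_host, unauthorized_hosts):
            reasons.append("outbound traffic to unauthorized file hosting service")
        if f.bytes_out >= byte_threshold:
            reasons.append("abnormal outbound volume: %d bytes" % f.bytes_out)
        if reasons:
            findings.append((f, reasons))
    return findings


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "192.0.2.10", 443, 4_200, "www.example.com"),
    Flow("10.1.2.3", "203.0.113.7", 443, 900_000_000, "files.example-share.net"),
    Flow("10.1.2.4", "198.51.100.9", 22, 120_000),
    Flow("10.1.2.5", "10.1.9.9", 445, 2_000_000_000),      # internal to internal: ignored here
    Flow("10.1.2.6", "192.0.2.44", 443, 600_000_000),
]
SAMPLE_IOCS = {"198.51.100.9"}                           # constructed, not a real IoC
UNAUTHORIZED_HOSTS = ["example-share.net"]               # constructed policy list
BYTE_THRESHOLD = 500_000_000

if __name__ == "__main__":
    for flow, reasons in detect_exfiltration(SAMPLE_FLOWS, SAMPLE_IOCS,
                                             UNAUTHORIZED_HOSTS, BYTE_THRESHOLD):
        print(f"{flow.src} -> {flow.dst}:{flow.dst_port}  {'; '.join(reasons)}")
```

The volume rule is deliberately the weakest of the three: large transfers to an approved destination are normal for many hosts, so in practice the threshold is tuned per host or per destination, which is the alert-rule refinement that card 56 describes.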
47
Q

What information do packet headers contain? Select three answers.

Ports

Payload data

Protocols

IP addresses

A

Ports

Protocols

IP addresses

48
Q

Do packet capture files provide detailed snapshots of network communications?

Yes. Packet capture files provide information about network data packets that were intercepted from a network interface.

No. Packet capture files do not contain detailed information about network data packets.

Maybe. The amount of detailed information packet captures contain depends on the type of network interface that is used.

A

Yes. Packet capture files provide information about network data packets that were intercepted from a network interface.

49
Q

Fill in the blank: tcpdump is a network protocol analyzer that uses a(n) _____ interface.

internet

Linux

graphical user

command-line

A

command-line

50
Q

Which protocol version is considered the foundation for all internet communications?

HTTP

IPv4

UDP

ICMP

A

IPv4

51
Q

What is used to determine whether errors have occurred in the IPv4 header?

Protocol

Flags

Checksum

Header

A

Checksum

52
Q

Which IPv4 field uses a value to represent a standard, like TCP?

Version

Total Length

Protocol

Type of Service

A

Protocol
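Cards 39, 51 and 52 name the Version, Checksum and Protocol fields of the IPv4 header. The following is an added example, not part of the course material, that decodes those fields from raw header bytes and verifies the RFC 791 header checksum: a header is intact when the one's complement sum over all of its 16-bit words, checksum included, complements to zero. The header bytes are constructed here by build_ipv4_header(), the addresses come from the RFC 5737 documentation ranges, and the parser decodes only the 20 fixed bytes (it includes any IP options in the checksum but does not interpret them).

```python
"""Parse an IPv4 header and verify its checksum.

Added example, not part of the course material. The header bytes are
constructed by build_ipv4_header(); addresses are RFC 5737 documentation
addresses.
"""
import struct
from ipaddress import IPv4Address

IPV4_HEADER_FMT = "!BBHHHBBH4s4s"   # the 20 fixed bytes of an IPv4 header
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's complement sum
    of all 16-bit words. Over a header whose checksum field is zero this yields
    the value to store; over an intact header it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, protocol, *, tos=0, ttl=64, ident=0,
                      payload_len=0, flags=0b010):
    """Assemble a 20-byte header (IHL = 5, no options) with a valid checksum."""
    ver_ihl = (4 << 4) | 5
    flags_frag = (flags << 13) | 0          # fragment offset 0
    hdr = struct.pack(IPV4_HEADER_FMT, ver_ihl, tos, 20 + payload_len, ident,
                      flags_frag, ttl, protocol, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(data: bytes) -> dict:
    """Decode the fields that tcpdump -v reports and check the checksum."""
    if len(data) < 20:
        raise ValueError("need at least 20 bytes")
    (ver_ihl, tos, total_length, ident, flags_frag, ttl, protocol,
     checksum, src, dst) = struct.unpack(IPV4_HEADER_FMT, data[:20])
    version = ver_ihl >> 4
    if version != 4:
        raise ValueError("Version field is %d, not an IPv4 header" % version)
    ihl = (ver_ihl & 0x0F) * 4              # header length in bytes
    if ihl < 20 or len(data) < ihl:
        raise ValueError("bad IHL")
    return {
        "version": version,
        "ihl": ihl,
        "tos": tos,
        "total_length": total_length,
        "id": ident,
        "flags": flags_frag >> 13,
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": protocol,
        "protocol_name": PROTOCOL_NAMES.get(protocol, str(protocol)),
        "checksum": checksum,
        "checksum_ok": ipv4_checksum(data[:ihl]) == 0,   # intact header sums to zero
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
    }


# Constructed sample with the same field values the tcpdump line in card 54 shows.
SAMPLE_HEADER = build_ipv4_header("192.0.2.10", "198.51.100.20", 6,
                                  tos=0x10, ttl=64, ident=33842, payload_len=176)

if __name__ == "__main__":
    print(parse_ipv4_header(SAMPLE_HEADER))
    damaged = bytearray(SAMPLE_HEADER)
    damaged[8] -= 1                         # TTL changed without recomputing the checksum
    print("after TTL change, checksum_ok =",
          parse_ipv4_header(bytes(damaged))["checksum_ok"])
```

The damaged case is what a receiver sees when a header was altered in transit without the checksum being recomputed; the checksum protects only the header, so payload corruption is left to the transport layer.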
53
Q

Which tcpdump option applies verbosity?

-i

-n

-c

-v

A

-v

54
Q

Examine the following tcpdump output:

22:00:19.538395 IP (tos 0x10, ttl 64, id 33842, offset 0, flags [P], proto TCP (6), length 196) 198.168.105.1.41012 > 198.111.123.1.61012: Flags [P.], cksum 0x50af (correct), seq 169, ack 187, win 501, length 42

What is the value of the Type of Service field?

0x50af

0x10

501

6

A

0x10
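Card 54 asks you to read a field out of a tcpdump -v line by eye. The following is an added example, not part of the course material, that does the same reading in code: it splits the line into the IP header summary (tos, ttl, id, flags, proto, length), the source and destination address/port pairs, and the transport summary, so that the Type of Service value (0x10) is not confused with the TCP checksum (0x50af) that also appears on the line. The parser assumes tcpdump's default text layout for IPv4 TCP/UDP lines and would need extending for other protocols; the sample line is the one from the card.

```python
"""Parse verbose (-v) tcpdump lines into structured fields.

Added example, not from the course material. Assumes tcpdump's default
text layout for IPv4 with TCP or UDP; the sample line is from card 54.
"""
import re

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP \((?P<ip>.*?)\) "   # timestamp + IP header summary
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<l4>.*)$"             # addresses + transport summary
)
PROTO_RE = re.compile(r"(?P<name>\w+) \((?P<number>\d+)\)")


def _fields(text):
    """'tos 0x10, ttl 64, proto TCP (6)' -> {'tos': '0x10', 'ttl': '64', 'proto': 'TCP (6)'}"""
    out = {}
    for item in text.split(", "):
        key, _, value = item.strip().partition(" ")
        out[key.lower()] = value
    return out


def _addr(token):
    """'198.168.105.1.41012' -> ('198.168.105.1', 41012): the last dotted part is the port."""
    host, _, port = token.rpartition(".")
    return host, int(port)


def parse_tcpdump_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognized tcpdump line: %r" % line)
    ip, l4 = _fields(m["ip"]), _fields(m["l4"])
    proto = PROTO_RE.match(ip.get("proto", ""))
    src_ip, src_port = _addr(m["src"])
    dst_ip, dst_port = _addr(m["dst"])
    cksum, _, status = l4.get("cksum", "").partition(" ")
    return {
        "timestamp": m["ts"],
        "tos": int(ip["tos"], 16),           # Type of Service, printed in hex
        "ttl": int(ip["ttl"]),
        "id": int(ip["id"]),
        "ip_flags": ip.get("flags", "").strip("[]"),
        "protocol": proto["name"] if proto else ip.get("proto"),
        "protocol_number": int(proto["number"]) if proto else None,
        "ip_length": int(ip["length"]),      # total length, header included
        "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
        "tcp_flags": l4.get("flags", "").strip("[]"),
        "cksum": cksum or None,              # transport checksum, not the ToS value
        "cksum_status": status.strip("()") or None,
        "payload_length": int(l4["length"]) if "length" in l4 else None,
    }


def parse_capture(text):
    """Parse every non-empty line of saved tcpdump output."""
    return [parse_tcpdump_line(l) for l in text.splitlines() if l.strip()]


SAMPLE_LINE = (
    "22:00:19.538395 IP (tos 0x10, ttl 64, id 33842, offset 0, flags [P], "
    "proto TCP (6), length 196) 198.168.105.1.41012 > 198.111.123.1.61012: "
    "Flags [P.], cksum 0x50af (correct), seq 169, ack 187, win 501, length 42"
)

if __name__ == "__main__":
    for key, value in parse_tcpdump_line(SAMPLE_LINE).items():
        print(f"{key:16} {value}")
```

Saving the capture with -w and re-reading it with -r -v produces the same text layout, so parse_capture() can be pointed at a file written from a tcpdump -r run.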
55
Q

Do detection tools have limitations in their detection capabilities?

Yes

No

A

Yes

Detection tools have limitations in their detection capabilities. Detection tools are an important part of incident detection and response, but they cannot detect everything. Additional methods of detection can be used to improve coverage and accuracy.

56
Q

Why do security analysts refine alert rules? Select two answers.

To reduce false positive alerts

To increase alert volumes

To improve the accuracy of detection technologies

To create threat intelligence

A

To reduce false positive alerts

To improve the accuracy of detection technologies

57
Q

Fill in the blank: _____ involves the investigation and validation of alerts.

Threat hunting

Analysis

Honeypot

Detection

A

Analysis

58
Q

What are some causes of high alert volumes? Select two answers.

Broad detection rules

Refined detection rules

Sophisticated evasion techniques

Misconfigured alert settings

A

Broad detection rules

Misconfigured alert settings

59
Q

A security analyst in a security operations center (SOC) receives an alert. The alert ticket describes the detection of the download of a possible malware file on an employee's computer. Which step of the triage process does this scenario describe?

Receive and assess

Assign priority

Add context

Collect and analyze

A

Receive and assess

This scenario describes receive and assess, the first step of the triage process. In this step, the security analyst receives an alert and determines whether the alert is valid.

60
Q

What is triage?

The process of returning affected systems back to normal operations

A document that outlines the procedures to sustain business operations during and after a significant disruption

The prioritizing of incidents according to their level of importance or urgency

The ability to prepare for, respond to, and recover from disruptions

A

The prioritizing of incidents according to their level of importance or urgency

61
Q

Fill in the blank: _____ is the act of limiting and preventing additional damage caused by an incident.

Resilience

Eradication

Containment

Recovery

A

Containment

62
Q

Which examples describe actions related to the eradication of an incident? Select two answers.

Develop a business continuity plan

Investigate logs to verify the incident

Complete a vulnerability scan

Apply a patch

A

Complete a vulnerability scan

Apply a patch

63
Q

Which section of a final report contains a high-level overview of the security incident?

Timeline

Executive summary

Recommendations

Agenda

A

Executive summary

64
Q

What are the goals of a lessons learned meeting? Select two answers.

Review and reflect on a security incident

Identify areas of improvement

Identify an employee to blame

Develop a final report

A

Review and reflect on a security incident

Identify areas of improvement

65
Q

Fill in the blank: In the NIST Incident Response Lifecycle, reviewing an incident to identify areas for improvement during incident handling is known as the _____.

Preparation phase

Post-incident activity phase

Detection and Analysis phase

Containment, Eradication and Recovery phase

A

Post-incident activity phase

66
Q

An organization has recovered from a ransomware attack that resulted in a significant disruption to their business operations. To review the incident, the security team hosts a lessons learned meeting. The team realizes that they could have restored the affected systems more quickly if they had a backup and recovery plan in place. Which question would have most likely helped the security team come to this conclusion?

Who discovered the incident?

What could have been done differently?

When did the incident happen?

How was the incident detected?

A

What could have been done differently?

By asking what could have been done differently, the security team can identify areas of weakness in their incident response process, such as the lack of a backup and recovery plan.

67
Q

Which step of the NIST Incident Response Lifecycle involves the investigation and validation of alerts?

Detection

Discovery

Analysis

Recovery

A

Analysis

68
Q

What are the benefits of documentation during incident response? Select three answers.

Clarity

Transparency

Quality

Standardization

A

Clarity

Transparency

Standardization

69
Q

After a ransomware incident, an organization discovers their ransomware playbook needs improvements. A security analyst is tasked with changing the playbook documentation. Which documentation best practice does this scenario highlight?

Update regularly

Be accurate

Be concise

Know your audience

A

Update regularly

70
Q

Chain of custody documents establish proof of which of the following? Select two answers.

Integrity

Validation

Reliability

Quality

A

Integrity

Reliability

71
Q

An analyst is responding to a distributed denial of service attack (DDoS). They take several manual steps outlined in the organization’s DDoS playbook. Which type of playbook did they use to respond to the incident?

SOAR

Automated

Semi-automated

Non-automated

A

Non-automated

72
Q

A security analyst gets an alert involving a phishing attempt. Which step of the triage process does this scenario outline?

Receive and assess

Add context

Assign priority

Collect and analyze

A

Receive and assess

73
Q

Fill in the blank: Containment is the act of limiting and _____ additional damage caused by an incident.

detecting

removing

eradicating

preventing

A

preventing

74
Q

Which of the following is an example of a recovery task?

Monitoring a network for intrusions

Applying a patch to address a server vulnerability

Disconnecting an infected system from the network

Reinstalling the operating system of a computer infected by malware

A

Reinstalling the operating system of a computer infected by malware

75
Q

Fill in the blank: A lessons learned meeting should be held within ____ weeks of an incident.

two

three

four

five

A

two

76
Q

What does a final report contain? Select three answers.

Updates

Incident details

Recommendations

Timeline

A

Incident details

Recommendations

Timeline

77
Q

What is the primary purpose of logs during incident investigation?

To provide a record of event details

To improve user experience

To manage alert volumes

To identify and diagnose system issues

A

To provide a record of event details

78
Q

A security analyst wants to determine whether a suspicious login was successful. Which log type would be most useful for this purpose?

System

Firewall

Authentication

Network

A

Authentication

An authentication log would be most useful for this purpose. Authentication logs record login attempts, including whether a login was successful.

79
Q

In the following log, what action does the log entry record?

[ALLOW: wikipedia.org] Source: 192.167.1.1 Friday, 10 June 2022 11:36:12

192.167.1.1

Friday, 10 June 2022 11:36:12

ALLOW

Source

A

ALLOW

ALLOW refers to the action that has been recorded. In this instance, it allows access to wikipedia.org.

80
Q

Fill in the blank: _____ is the process of examining logs to identify events of interest.

Log file

Logging

Log analysis

Log forwarder

A

Log analysis

81
Q

Examine the following authentication log:

[2022/12/20 08:20:38.921286] User nuhara logged in successfully

What type of information does this log contain? Select two answers.

Event description

Syslog

Timestamp

Message ID

A

Event description

Timestamp

82
Q

Which of the following capabilities can syslog be used for? Select three answers.

Log format

Service

Extension

Protocol

A

Log format

Service

Protocol

83
Q

What are examples of log formats? Select three answers.

Common Event Format (CEF)

Gramm-Leach-Bliley Act (GLBA)

eXtensible Markup Language (XML)

JavaScript Object Notation (JSON)

A

Common Event Format (CEF)

eXtensible Markup Language (XML)

JavaScript Object Notation (JSON)

84
Q

Which log format uses tags to structure data?

Syslog

Verbose

eXtensible Markup Language (XML)

Comma Separated Values (CSV)

A

eXtensible Markup Language (XML)

85
Q

A security analyst uses a network protocol analyzer to capture HTTP traffic to analyze patterns. What type of data are they using?

False positive

Signature-based

Host-based

Network telemetry

A

Network telemetry

They are using network telemetry data. Network telemetry refers to the collection and transmission of network data for analysis, such as HTTP traffic.

86
Q

Which statement accurately describes the difference between a network-based intrusion detection system (NIDS) and a host-based intrusion detection system (HIDS)?

A NIDS only detects known threats; a HIDS detects unknown threats.

A NIDS uses signature analysis to detect threats; a HIDS uses agents.

A NIDS is installed on a network; a HIDS is installed on individual devices.

A NIDS is installed on individual devices; a HIDS is installed on a network.

A

A NIDS is installed on a network; a HIDS is installed on individual devices.

87
Q

Fill in the blank: The _____ component of an IDS signature includes network traffic information.

rule options

header

signature ID

action

A

header

88
Q

A security analyst creates a Suricata signature to identify and detect security threats based on the direction of network traffic. Which of the following rule options should they use?

Message

Rev

Content

Flow

A

Flow

They should use flow. The flow option matches the direction of network traffic flow.

89
Q

In Search Processing Language (SPL), which special character is a wildcard that can be used to substitute with any other character?

!=

|

=

*

A

*

90
Q

Which of the following steps are part of the security information and event management (SIEM) process? Select three answers.

Monitor activity and alerts related to intrusions

Normalize data so it is ready to read and analyze

Collect and process data

Index data to improve search performance

A

Normalize data so it is ready to read and analyze

Collect and process data

Index data to improve search performance

91
Q

Fill in the blank: Chronicle uses _____ to search through unstructured logs.

raw log search

metadata

entity search

unified data model

A

raw log search

92
Q

Which of the following is Splunk’s query language?

SPL

SQL

UDM

IDS

A

SPL

93
Q

Which software collects and sends logs to a security information and event management (SIEM) tool?

Forwarder

Intrusion detection system (IDS)

Firewall

Network protocol analyzer

A

Forwarder

94
Q

Examine the following log:

LoginEvent[2021/10/13 10:32:08.958711] auth_session_authenticator.cc:304 Regular user login 1

Which type of log is this?

Network

Location

Application

Authentication

A

Authentication

95
Q

Fill in the blank: A syslog entry contains a header, _____, and a message.

eXtensible Markup Language

tag

object

structured-data

A

structured-data

96
Q

Consider the following scenario: A security analyst at a midsized company is tasked with installing and configuring a host-based intrusion detection system (HIDS) on a laptop. The security analyst installs the HIDS and wants to test whether it is working properly by simulating malicious activity. The security analyst runs unauthorized programs on the laptop, which the HIDS successfully detects and alerts on. What is the laptop an example of?

An agent

A signature

An endpoint

A log forwarder

A

An endpoint

97
Q

What information is included in a signature’s header? Select all that apply.

IP address

Action

Port number

Protocol

A

IP address

Port number

Protocol

98
Q

Examine this Suricata signature:

alert http 167.215.72.95 any -> 156.150.71.141 80 (msg:"GET on wire"; flow:established,to_server; content:"GET"; sid:12345; rev:2;)

What is the destination port?

2

12345

80

141

A

80
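Cards 87, 88, 97 and 98 split a Suricata signature into a header (action, protocol, source, source port, direction, destination, destination port) and rule options such as msg, flow, content, sid and rev. The following is an added example, not Suricata's own rule parser, that performs that split so the destination port (80) is read from the header rather than confused with the sid (12345), the rev (2) or the last octet of the destination address (141). It splits options on semicolons only outside double quotes, which matters because msg text may itself contain one; the first rule is the one from the card and the second is constructed to show that case.

```python
"""Split a Suricata signature into its header and rule options.

Added example, not Suricata's own parser. Handles the header layout
(action protocol src src_port direction dst dst_port) and a
semicolon-separated option list with quoted values. QUOTED_RULE is
constructed to show a semicolon inside a quoted msg.
"""
import re

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dst_port>\S+)\s*\((?P<options>.*)\)\s*$",
    re.S,
)


def _split_options(text):
    """Split on ';' only outside double quotes, honouring backslash escapes."""
    items, buf, in_quote, escaped = [], [], False, False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            item = "".join(buf).strip()
            if item:
                items.append(item)
            buf = []
        else:
            buf.append(ch)
    if in_quote:
        raise ValueError("unterminated quote in rule options")
    tail = "".join(buf).strip()
    if tail:
        items.append(tail)
    return items


def parse_signature(rule):
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a signature: %r" % rule)
    options = []
    for item in _split_options(m["options"]):
        key, sep, value = item.partition(":")
        value = value.strip()
        if sep and len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]                      # strip the quotes around msg/content
        options.append((key.strip(), value if sep else None))   # None: keyword without a value
    return {
        "header": {k: m[k] for k in ("action", "proto", "src", "src_port",
                                     "direction", "dst", "dst_port")},
        "options": options,                          # ordered; content may repeat
    }


def option(sig, name):
    """First value of an option by name (use sig['options'] to see repeats)."""
    return next((v for k, v in sig["options"] if k == name), None)


CARD_RULE = ('alert http 167.215.72.95 any -> 156.150.71.141 80 '
             '(msg:"GET on wire"; flow:established,to_server; content:"GET"; sid:12345; rev:2;)')
# Constructed second rule: the ';' inside msg must not split the option list.
QUOTED_RULE = 'alert tcp any any -> any 443 (msg:"TLS; odd SNI"; flow:to_server; sid:1000001; rev:1;)'

if __name__ == "__main__":
    sig = parse_signature(CARD_RULE)
    print("dst_port:", sig["header"]["dst_port"], " sid:", option(sig, "sid"),
          " rev:", option(sig, "rev"), " flow:", option(sig, "flow"))
```

The same split is what makes sid and rev usable as a rule's identity: when a rule is tuned to reduce false positives (card 56), rev is incremented and sid stays fixed, so alerts from old and new revisions can still be correlated.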
99
Q

Fill in the blank: Suricata uses the _____ format for event and alert output.

CEF

HTTP

HTML

EVE JSON

A

EVE JSON

100
Q

Which querying language does Splunk use?

Search Processing Language

Structured Querying Language

SIEM Processing Language

Structured Processing Language

A

Search Processing Language

101
Q

Which Unified Data Model (UDM) field search specifies a security action?

security_result.action

metadata.event_type

action

block

A

security_result.action

102
Q

What are the steps in the SIEM process for data collection? Select three answers.

Collect

Index

Unify

Normalize

A

Collect

Index

Normalize
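Cards 15, 16, 81, 83, 95 and 102 describe the collect, normalize and analyze steps of the SIEM process and the log formats that feed it. The following is an added example, not any SIEM product's code, that takes three raw formats (an RFC 5424 syslog line parsed into header, structured-data and message; the bracketed application log layout from card 81; JSON records) and normalizes each into one record schema, then runs a single analysis rule over the normalized events. All five log lines are constructed, the unified schema is an assumption chosen for illustration, and the "three failed logins" rule is a stand-in for the kind of detection a SIEM evaluates after normalization.

```python
"""Normalize three log formats into one schema, then run a simple rule.

Added example, not from any SIEM product. The log lines are constructed:
an RFC 5424 syslog line with structured-data, the bracketed application
log layout from card 81, and JSON records. The unified schema and the
failed-login rule are assumptions for illustration.
"""
import json
import re
from collections import Counter
from datetime import datetime

SYSLOG_HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$", re.S)
SD_ELEMENT_RE = re.compile(r'\[(?P<id>[^\s\]=]+)(?P<params>(?:\s+[^=\s\]]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM_RE = re.compile(r'([^=\s\]]+)="((?:[^"\\]|\\.)*)"')
APP_LOG_RE = re.compile(r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?)\] (?P<msg>.*)$")
AUTH_MSG_RE = re.compile(r"User (?P<user>\S+) (?P<outcome>logged in successfully|failed to log in)")


def parse_syslog_5424(line):
    """Header (PRI, version, timestamp, host, app, procid, msgid), structured-data, message."""
    m = SYSLOG_HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 line")
    pri, rest, sd = int(m["pri"]), m["rest"], {}
    if rest.startswith("-"):                     # NILVALUE: no structured-data
        message = rest[1:].lstrip()
    else:
        pos = 0
        while pos < len(rest) and rest[pos] == "[":
            em = SD_ELEMENT_RE.match(rest, pos)
            if not em:
                raise ValueError("malformed structured-data")
            sd[em["id"]] = {k: v.replace('\\"', '"') for k, v in SD_PARAM_RE.findall(em["params"])}
            pos = em.end()
        message = rest[pos:].lstrip()
    return {"facility": pri // 8, "severity": pri % 8, "version": int(m["ver"]),
            "timestamp": m["ts"], "hostname": m["host"], "app_name": m["app"],
            "procid": m["procid"], "msgid": m["msgid"], "structured_data": sd, "message": message}


def _classify(message):
    m = AUTH_MSG_RE.search(message)
    if not m:
        return None, "other"
    return m["user"], "login_success" if m["outcome"].startswith("logged in") else "login_failure"


def _app_timestamp(text):
    for fmt in ("%Y/%m/%d %H:%M:%S.%f", "%Y/%m/%d %H:%M:%S"):
        try:
            return datetime.strptime(text, fmt).isoformat()
        except ValueError:
            pass
    raise ValueError("bad timestamp: %r" % text)


def normalize(line):
    """Map one raw line onto the unified schema (an assumed schema, not a vendor's)."""
    line = line.strip()
    if line.startswith("<"):
        s = parse_syslog_5424(line)
        user, etype = _classify(s["message"])
        return {"timestamp": s["timestamp"], "host": s["hostname"], "user": user,
                "event_type": etype, "source_format": "syslog", "raw": line}
    if line.startswith("{"):
        j = json.loads(line)
        result = j.get("result") if j.get("action") == "login" else None
        etype = {"success": "login_success", "failure": "login_failure"}.get(result, "other")
        return {"timestamp": j.get("time"), "host": j.get("host"), "user": j.get("user"),
                "event_type": etype, "source_format": "json", "raw": line}
    m = APP_LOG_RE.match(line)
    if m:
        user, etype = _classify(m["msg"])
        return {"timestamp": _app_timestamp(m["ts"]), "host": None, "user": user,
                "event_type": etype, "source_format": "app", "raw": line}
    raise ValueError("unrecognized log format: %r" % line)


def failed_login_counts(events, threshold=3):
    """Analysis step: users with at least `threshold` failed logins."""
    counts = Counter(e["user"] for e in events if e["event_type"] == "login_failure" and e["user"])
    return {u: c for u, c in counts.items() if c >= threshold}


SAMPLE_LOGS = [   # constructed for this example
    '<86>1 2022-12-20T08:20:38.921Z host1 sshd 1042 ID47 [auth@32473 method="password" src="192.0.2.10"] User nuhara logged in successfully',
    "[2022/12/20 08:20:38.921286] User nuhara logged in successfully",
    '{"time": "2022-12-20T08:21:02Z", "host": "host1", "user": "tjones", "action": "login", "result": "failure"}',
    "<84>1 2022-12-20T08:21:05Z host1 sshd 1042 ID48 - User tjones failed to log in",
    '{"time": "2022-12-20T08:21:09Z", "host": "host1", "user": "tjones", "action": "login", "result": "failure"}',
]

if __name__ == "__main__":
    events = [normalize(l) for l in SAMPLE_LOGS]
    for e in events:
        print(e["source_format"], e["timestamp"], e["user"], e["event_type"])
    print("threshold hit:", failed_login_counts(events))
```

The rule only works because the three sources agree on the user and event_type fields after normalization; without that step the same failed login would be counted in three different shapes, which is why normalize sits between collect and analyze in the SIEM process.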