Incident response

Question 1

Responsible for knowing how to handle security incidents
that occur within the organization and for correcting and
documenting the security issue

Answer 1

Computer incident Response Team (CIRT)

Question 2

Ensures all team members know their role when a security incident occurs.

Answer 2

CIRT Team Leader

Question 3

builds relationships with outside resources that may be called upon

Answer 3

CIRT Team Leader

Question 4

Uses technical expertise to assess and ID scale of security incident and know how to correct issues.

Answer 4

CIRT Technical specialist

Question 5

knows how to document entire response process.

Answer 5

CIRT Documentation Specialist

Question 6

Responsible for logging each incident, causes of problem and solution

Answer 6

CIRT Documentation specialist

Question 7

Knows the laws and regulations that organization must follow when it comes to computer forensics and incident response

Answer 7

CIRT Legal Advisor

Question 8

Document created by every organization which
Define incident categories
defines team member roles and responsibilities
ID’s how/when users are supposed to report potential security incident.
plane exercises to practice for security incidents

Answer 8

Incident Response Plan

Question 9

First individual user to ID and react to an incident
Goal is to contain the incident
should be trained to know to to immediately respond to basic problems

Answer 9

first responder

Question 10

Any observable occurrence in a system/network. sometimes provides indication that an incident is occurring

Answer 10

Event

Question 11

Assessed occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system.

Answer 11

Incident

Question 12

the Phases of Incident handling process?

Answer 12

Detection and reporting of events
preliminary Analysis and ID
preliminary response
Incident Analysis
Response and recovery
Post incident analysis

Question 13

Intrusion detection systems or personnel reports
gather/report preliminary information
begin coordinating reporting/ response

Answer 13

Detection and reporting of events

Question 14

categorize the activity(if upon initial analysis you cannot determine the cause, use category 8: Investigating and update as required)
gather additional info as required
classify as required
send notification messages per SOPs

Answer 14

preliminary analysis and ID

Question 15

Contain incident/threat
preserve data to allow for further incident analysis
begin chain of custody docs

Answer 15

preliminary Response

Question 16

Analysis data to understand technical details, root causes and potential impact

Answer 16

Incident analysis

Question 17

prevent further damage
restore integrity of systems
implement follow up strategies

Answer 17

Response and recovery

Question 18

review lessons learned
root causes
problems executing COAs
missing policies/ procedures
inadequate infrastructures

Answer 18

post-incident analysis

Question 19

Series of analytical steps taken to find out what happened in an incident, to include to root cause
The cyber incident analysis process is outlined in AFI 17-203

Answer 19

Incident analysis/ root cause analysis

Question 20

Incident analysis Steps?

Answer 20

Gather Information
Validate the incident
determine the operational impact
coordinate
determine reporting requirement

Question 21

all involved personnel should identify and collect all relevant information about the incident. what Incident analysis step is this?

Answer 21

Gather Information

Question 22

Continuously review, corroborate, and update the reported incident to ensure the accuracy. what incident analysis step is this?

Answer 22

Validate the Incident

Question 23

Operational impact refers to detrimental impacts on an organizations ability to perform its mission. what incident analysis step is this?

Answer 23

determine the operational impact

Question 24

Coordinate with the victim systems owning support agencies. what incident analysis step is this?

Answer 24

Coordinate

Question 25

determine within one hour if the event or incident meets commanders critical information requirements (CCIR)
Reporting requirements. what incident analysis step is this?

Answer 25

determine reporting requirements

Question 26

Detailed analysis to include affected systems, probable attacker, attack vector used, and technical and operational impacts (if unknown)

Answer 26

Cyber Incident Report (CIR)

Question 27

Focuses on an incident, group of incidents, or network activity or on a foreign individual, group, or organization identified as a threat or potential threat to DOD networks.

Answer 27

Network Intelligence Report (NIR)