Practice Tests - Chapter 3: Domain 3.0: Incident Response and Management Flashcards

Question

35- During a forensic investigation, Lukas discovers that he needs to capture a virtual machine that is part of the critical operations of his company’s website. If he cannot suspend or shut down the machine for business reasons, what imaging process should he follow? * Perform a snapshot of the system, boot it, suspend the copied version, and copy the directory it resides in. * Copy the virtual disk files and then use a memory capture tool. * Escalate to management to get permission to suspend the system to allow a true forensic copy. * Use a tool like the Volatility Framework to capture the live machine completely.

Answer 1

**Copy the virtual disk files and then use a memory capture tool.** If business concerns override his ability to suspend the system, the best option that Lukas has is to copy the virtual disk files and then use a live memory imaging tool. This will give him the best forensic copy achievable under the circumstances. Snapshotting the system and booting it will result in a loss of live memory artifacts. Escalating may be possible in some circumstances, but the scenario specifies that the system must remain online. Finally, volatility can capture memory artifacts but is not designed to capture a full virtual machine.

Answer 2

**Purge, validate, and document.** Since the drives are being returned at the end of a lease, you must assume that the contract does not allow them to be destroyed. This means that purging the drives, validating that the drives have been purged, and documenting the process to ensure that all drives are included are the appropriate actions. Clearing the drives leaves the possibility of data recovery, while purging, as defined by NIST SP 800‐88, renders data recovery infeasible.

Answer 3

**Antiforensic activities** Eraser is a tool used to securely wipe files and drives. If Eraser is not typically installed on his organization’s machines, Tim should expect that the individual being investigated has engaged in some antiforensic activities including wiping files that may have been downloaded or used against company policy. This doesn’t mean he shouldn’t continue his investigation, but he may want to look at Eraser’s log for additional evidence of what was removed.

Answer 4

**Data carving** Data carving is the process of identifying files based on file signatures such as headers and footers and then pulling the information between those locations out as a file. Jessica can use common carving tools or could manually carve files if she knows common header and footer types that she can search for.

Answer 5

Slack space is leftover storage that exists because files do not take up the entire space allocated for them in a disk cluster. It is the space between the last sector containing logical data of a file and the end of the cluster. This area can contain deleted files that have not yet been overwritten, fragments of older files, and data stored on a drive before it was partitioned. Forensic analysts can recover data from slack space, and attackers can potentially hide data there

Answer 6

**file** The Linux file command shows a file’s format, encoding, what libraries it is linked to, and its file type (binary, ASCII text, etc.). Since Alex suspects that the attacker used statically linked libraries, the file command is the best command to use for this scenario. stat provides the last time accessed, permissions, UID and GID bit settings, and other details. It is useful for checking when a file was last used or modified but won’t provide details about linked libraries. strings and grep are both useful for analyzing the content of a file and may provide Alex with other hints but won’t be as useful as the file command for this purpose.

Answer 7

**Logical** A logical acquisition focuses on specific files of interest, such as a specific type of file or files from a specific location. In Eric’s case, a logical acquisition meets his needs. A sparse acquisition also collects data from unallocated space. A bit‐by‐bit acquisition is typically performed for a full drive and will take longer.

Answer 8

**Suspend the machine and copy the contents of the directory it resides in.** Suspending a virtual machine will result in the RAM and disk contents being stored to the directory where it resides. Simply copying that folder is then sufficient to provide Susan with all the information she needs. She should not turn the virtual machine off, and creating a forensic copy of the drive is not necessary (but she should still validate hashes for the copied files or directory).

Answer 9

**SQLite** Chrome stores a broad range of useful forensic information in its SQLite database, including cookies, favicons, history, logins, top sites, web form data, and other details. Knowing how to write SQL queries or having access to a forensic tool that makes these databases easy to access can provide a rich trove of information about the web browsing history of a Chrome user.

Answer 10

**The destination drive is formatted FAT32.** FTK Imager Light is shown configured to write a single large file that will fail on FAT32‐formatted drives where the largest single file is 4 GB. If Chris needs to create a single file, he should format his destination drive as NTFS. In many cases, he should simply create a raw image to a blank disk instead!

Answer 11

**certutil** Modern versions of Windows include the built‐in certutil utility. Running certutil -hashfile [file location] md5 will calculate the MD5 hash of a file. certutil also supports SHA1 and SHA256 as well as other less frequently used hashes. md5sum and sha1sum are Linux utilities, and hashcheck is a shell extension for Windows.

Answer 12

Linux utility to calculates and verifies MD5 hashes

Answer 13

Linux utility to calculates and verifies SHA-1 hashes

Answer 14

Shell extension for windows to calculate and verify checksums and hashes from Windows Explorer.

Answer 15

FTK Imager Lite is a portable imaging tool that can be run from removable media to capture a live image of a system. It is also used for validating the integrity of forensic images by displaying hash values in a report at the end of the imaging process

Answer 16

**None of the above** The Windows Quick Format option leaves data in unallocated space on the new volume, allowing the data to be carved and retrieved. This does not meet the requirements for any of the three levels of sanitization defined by NIST.

Answer 17

According to NIST SP 800-88, there are three levels of sanitization for the secure disposition of media containing sensitive information. These are: * **Clear**: This applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple noninvasive data recovery techniques, **typically by rewriting data or resetting a device to its factory state**. * **Purge**: This applies physical or logical techniques that render target data recovery infeasible using state-of-the-art laboratory techniques. **Examples include overwriting, block erase, cryptographic erase using dedicated commands, and degaussing**. * **Destroy**: This renders target data recovery infeasible using state-of-the-art laboratory techniques and results in the subsequent inability to use the media for storage of data through** techniques like disintegration, pulverization, melting, and incinerating**

Answer 18

**Supplemented** The NIST recoverability effort categories call a scenario in which time to recovery is predictable with additional resources “supplemented.” The key to the NIST levels is to remember that each level of additional unknowns and resources required increases the severity level from regular to supplemented and then to extended. A nonrecoverable situation exists when the event cannot be remediated, such as when data is exposed. At that point, an investigation is launched. In a nongovernment agency, this phase might involve escalating to law enforcement.

Answer 19

* **Regular**: The time to recovery is predictable with existing resources. * **Supplemented**: The time to recovery is predictable but requires additional resources. * **Extended**: The time to recovery is unpredictable, and additional resources and outside help are needed. * **Not Recoverable**: Recovery from the incident is not possible, for example, if sensitive data has been exfiltrated and made public, necessitating the launch of an investigation

Answer 20

**Isolation** Jose can choose to isolate the compromised system, either physically or logically, leaving the attacker with access to the system while isolating it from other systems on his network. If he makes a mistake, he could leave his own systems vulnerable, but this will allow him to observe the attacker.

Answer 21

**A precursor** NIST SP 800‐61 categorizes signs of an incident into two categories, precursors and indicators. Precursors are signs that an incident may occur in the future. Since there is not an indicator that an event is in progress, this can be categorized as a precursor. Now Abdul needs to figure out how he will monitor for a potential attack.

Answer 22

* **Precursor**: signs that an incident may occur in the future * **Indiciator**: sign that an incident has already occured

Answer 23

**An adverse event** NIST describes events with negative consequences as adverse events. It might be tempting to immediately call this a security incident; however, this wouldn’t be classified that way until an investigation was conducted. If the user accidentally accessed the file, it would typically not change classification. Intentional or malicious access would cause the adverse event to become a security incident.

Answer 24

**Create documentation.** Documentation is important when tracking drives to ensure that all drives that should be sanitized are being received. Documentation can also provide evidence of proper handling for audits and internal reviews.

Answer 25

**Outsource to an incident response provider.** Outsourcing to a third‐party incident response provider allows Mike to bring in experts when an incident occurs while avoiding the day‐to‐day expense of hiring a full‐time staff member. This can make a lot of financial sense if incidents occur rarely, and even large organizations bring in third‐party response providers when large incidents occur. A security operations center (SOC) would be appropriate if Mike needed day‐to‐day security monitoring and operations, and hiring an internal team does not match Mike’s funding model limitations in this scenario.

Answer 26

**It provides a block‐level snapshot and can be safely deleted.** As long as Brian is comfortable relying on another backup mechanism, he can safely disable volume shadow copies and remove the related files. For the drive he is looking at, this will result in approximately 26 GB of storage becoming available.

Answer 27

Windows Volume Shadow Copy Storage is the allocated space on a volume where the Volume Shadow Copy Service (VSS) saves point-in-time snapshots of files and folders at a block level. This allows users to recover previous versions of data and can be managed by viewing the allocated, used, and maximum storage space

Answer 28

**Collect live forensic information, take photos of each system, and power them down.** Brian should determine whether he needs live forensic information, but if he is not certain, the safest path for him is to collect live forensic information, take photos so that he knows how each system was set up and configured, and then power them down. He would then log each system as evidence and will likely create forensic copies of the drives once he reaches his forensic work area or may use a portable forensic system to make drive images onsite. Powering a running system down can result in the loss of significant forensic information, meaning that powering a system down before collecting some information is typically not recommended. Collecting a static image of a drive requires powering the system down first.

Answer 29

**E‐discovery** When forensic evidence or information is produced for a civil case, it is called e‐discovery. This type of discovery often involves massive amounts of data, including email, files, text messages, and any other electronic evidence that is relevant to the case.

Answer 30

**Providing authority and resources** The primary role of management in an incident response effort is to provide the authority and resources required to respond appropriately to the incident. They may also be asked to make business decisions, communicate with external groups, or assess the impact on key stakeholders.

Answer 31

**Maintain backups of every system and device.** NIST does not include making backups of every system and device in its documentation. Instead, NIST suggests maintaining an organizationwide knowledge base with critical information about systems and applications. Backing up every device and system can be prohibitively expensive. Backups are typically done only for specific systems and devices, with configuration and restoration data stored for the rest.

Answer 32

* **Preparation**: This phase involves training, testing, and documenting procedures to ensure the **organization is ready to handle incidents**. It also includes **assembling the necessary hardware, software, and information for incident investigation**. * **Detection and Analysis**: During this phase, the organization **monitors for signs of security incidents using various sources** like alerts, logs, publicly available information, and reports of suspicious activity. The goal is to determine if an incident is taking place that requires further activation of the incident response process. * **Containment, Eradication, and Recovery**: Once an incident is confirmed, this phase **focuses on limiting the damage** caused by the incident** through strategies like network segmentation, isolation, or removal of affected systems. It also involves removing all traces of the incident from the network and restoring normal business operations**. * **Post-Incident Activity**: After the immediate response efforts are complete, this phase includes **conducting a lessons learned** session to review the incident response process and **recommend improvements**, as well as **creating a formal written incident report**. This phase also involves **ensuring proper evidence retention**

Answer 33

**The System Reserved and C: partitions** Slack space is leftover storage that exists because files do not take up the entire space allocated for them. Since the Unallocated partition does not have a filesystem on it, space there should not be considered slack space. Both System Reserved and C: are formatted with NTFS and will have slack space between files.

Answer 34

**1 to 2 years** Without other requirements in place, many organizations select a one‐ to two‐year retention period. This allows enough time to use existing information for investigations but does not retain so much data that it cannot be managed. Regardless of the time period selected, organizations should set and consistently follow a retention policy.

Answer 35

**Ability to preserve evidence** If Alice focuses on a quick restoration, she is unlikely to preserve all of the evidence she would be able to during a longer incident response process. Since she is focusing on quick restoration, the service should be available more quickly, and the service and system should not be damaged in any significant way by the restoration process. The time required to implement the strategy will typically be less if she does not conduct a full forensic investigation and instead focuses on service restoration.

Answer 36

**RAW** A RAW image, like those created by dd, is Piper’s best option for broad compatibility. Many forensic tools support multiple image formats, but RAW files are supported almost universally by forensic tools.

Answer 37

**Deleted files** When a network share or mounted drive is captured from the system that mounts it, data such as deleted files, unallocated space, and other information that requires direct drive access will not be captured. If Scott needs that information, he will need to create a forensic image of the drive from the host server.

Answer 38

The order of volatility for common storage locations is as follows: 1. CPU cache, registers, running processes, RAM 1. Network traffic 1. Disk drives 1. Backups, printouts, optical media

Answer 39

**All of the above** MD5, SHA‐1, and SHA‐2 hashes are all considered forensically sound. Although MD5 and SHA‐1 hashes are no longer a secure means of hashing, they are still considered appropriate for validation of forensic images because it is unlikely that an attacker would intentionally create a hash collision to falsify the forensic integrity of a drive.

Answer 40

**Identifying attackers is not an important part of the incident response process.** NIST’s Computer Security Incident Handling Guide notes that identifying an attacker can be “time‐consuming and futile.” In general, spending time identifying attackers is not a valuable use of incident response time for most organizations.

Answer 41

**The backup is a differential backup.** iPhone backups to local systems can be full or differential, and in this scenario the most likely issue is that Cynthia has recovered a differential backup. She should look for additional backup files if she does not have access to the original phone. If the backup was encrypted, she would not be able to access it without a cracking tool, and if it was interrupted, she would be unlikely to have the backup file or have it be in usable condition. iCloud backups require access to the user’s computer or account and are less likely to be part of a forensic investigation.

Answer 42

**A second examiner acting as a witness and countersigning all actions** A second forensic examiner who acts as a witness, countersigning all documentation and helping document all actions, provides both strong documentation and another potential witness in court. Independent forensic action, no matter how well documented, will not be as reliable as having a witness.

Answer 43

**Isolate the system before restoring from backups.** Although it may seem obvious that the system should be isolated from the network when it is rebuilt, we have seen this exact scenario play out before. In one instance, the system was compromised twice before the system administrator learned their lesson!

Answer 44

**Slack space** The space that Saria sees is the space between the end of the file and the space allocated per cluster or block. This space may contain remnants of previous files written to the cluster or block or may simply contain random data from when the disk was formatted or initialized.

Answer 45

**A trusted system binary kit** Trusted system binary kits like those provided by the National Software Reference Library include known good hashes of many operating systems and applications. Kathleen can validate the files on her system using references like the NSRL (www.nsrl.nist.gov/new.html).

Answer 46

**IP addresses, MAC addresses, hostname** NIST specifically recommends the hostname, MAC addresses, and IP addresses of the system. Capturing the full output of an ipconfig or ifconfig command may be useful, but forensic analysis may not permit interaction with a live machine. Additional detail like the domain (or domain membership) may or may not be available for any given machine, and NIC manufacturer and similar data is not necessary under most circumstances.

Answer 47

**Endpoint forensics** Since most APTs (including this one, as specified in the question) send traffic in an encrypted form, performing network forensics or traffic analysis will only provide information about potentially infected hosts. If Ryan wants to find the actual tools that may exist on endpoint systems, he should conduct endpoint forensics. Along the way, he may use endpoint behavior analysis, network forensics, and network traffic analysis to help identify target systems.

Answer 48

**Disconnect the system from the network.** When a system is not a critical business asset that must remain online, the best response is typically to isolate it from other systems and networks that it could negatively impact. By disconnecting it from all networks, Ben can safely investigate the issue without causing undue risk. We have actually encountered this situation. After investigating, we found that the user’s text‐to‐speech application was enabled, and the microphone had the gain turned all the way up. The system was automatically typing words based on how it interpreted background noise, resulting in strange text that terrified the unsuspecting user.

Answer 49

**Hibernation file analysis** If the system that Angela is attempting to access had mounted the encrypted volume before going to sleep and there is a hibernation file, Angela can use hibernation file analysis tools to retrieve the BitLocker key. If the system did not hibernate or the volume was not mounted when the system went to sleep, she will not be able to retrieve the keys. Memory analysis won’t work with a system that is off, the boot sector does not contain keys, and brute‐force cracking is not a viable method of cracking BitLocker keys because of the time involved.

Answer 50

**Beaconing** The pseudocode tells you that Adam is trying to detect outbound packets that are part of short communications (fewer than 10 packets and fewer than 3,000 bytes) and that he believes the traffic may appear to be web traffic, be general TCP traffic, or not match known traffic types. This is consistent with the attributes of beaconing traffic. Adam also is making sure that general web traffic won’t be captured by not matching on uripath and contentencoding.

Answer 51

**As an integrity loss** NIST classifies changes or deletion of sensitive or proprietary information as an integrity loss. Proprietary breaches occur when unclassified proprietary information is accessed or exfiltrated, and privacy breaches involve personally identifiable information (PII) that is accessed or exfiltrated.

Answer 52

**Containment, eradication, and recovery** Although responders are working to contain the incident, they should also reserve forensic and incident information for future analysis. Restoration of service is often prioritized over analysis during containment activities, but taking the time to create forensic images and to preserve log and other data is important for later investigation.

Answer 53

**Use the built‐in Windows sdelete command line.** Windows does not include a built‐in secure erase tool in the GUI or at the command line. Using a third‐party program like Eraser or a bootable tool like DBAN is a reasonable option, and encrypting the entire drive and then deleting the key will have the same effect.

Answer 54

**Postmortem forensics** Postmortem forensics can typically be done after shutting down systems to ensure that a complete forensic copy is made. Live forensics imaging can help to capture memory‐resident malware. It can also aid in the capture of encrypted drives and filesystems when they are decrypted for live usage. Finally, unsupported filesystems can sometimes be imaged while the system is booted by copying data off the system to a supported filesystem type. This won’t retain some filesystem‐specific data but can allow key forensic activities to take place.

Answer 55

**Create an image using a tool like FTK Imager Lite.** Portable imaging tools like FTK Imager Lite can be run from removable media, allowing a live image to be captured. Kobe may still want to capture the system memory as well, but when systems are used for data gathering and egress, the contents of the disk will be important. Installing a tool or taking the system offline and mounting the drive are both undesirable in this type of scenario when the system must stay online and should not be modified.

Answer 56

**The original creation date, the device type, the GPS location, and manufacturer of the device** The original creation date (as shown by the GPS date), the device type (an iPhone X), the GPS location, and the manufacturer of the device (Apple) can all provide useful forensic information. Here, you know when the photo was taken, where it was taken, and what type of device it was taken on. This can help narrow down who took the photo or may provide other useful clues when combined with other forensic information or theories.

Answer 57

**A jump kit** A jump kit is a common part of an incident response plan and provides responders with the tools they will need without having to worry about where key pieces of equipment are during a stressful time. Crash carts are often used in datacenters to connect a keyboard, mouse, and monitor to a server to work on it. First‐responder kits are typically associated with medical responders, and a grab bag contains random items.

Answer 58

**None; Facebook strips almost all useful metadata from images.** Facebook, as well as many other social media sites, now strip image metadata to help protect user privacy. John would need to locate copies of the photos that have not had the metadata removed and may still find that they did not contain additional useful data.

Answer 59

**DVDs, hard drives, virtual memory, caches** The order of volatility for media from least to most volatile is often listed as backups and printouts; then disk drives like hard drives and SSDs; then virtual memory; and finally CPU cache, registers, and RAM. Artifacts stored in each of these locations can be associated with the level of volatility of that storage mechanism. For example, routing tables will typically be stored in RAM, making them highly volatile. Data stored on a rewritable media is always considered more volatile than media stored on a write‐only media.

Answer 60

**Microsoft Word files are stored in ZIP format.** Modern Microsoft Office files are actually stored in a ZIP format. Alex will need to open them using a utility that can unzip them before he can manually review their contents. He may want to use a dedicated Microsoft Office forensics tool or a forensics suite with built‐in support for Office documents.

Answer 61

**Angela cannot assess the impact with the data given.** Economic impact is calculated on a relative scale, and Angela does not have all of the information she needs. A $500,000 loss may be catastrophic for a small organization and may have a far lower impact on a Fortune 500 company. Other factors like cybersecurity insurance may also limit the economic impact of a cybersecurity incident.

Answer 62

**Validation** The NIST guidelines require validation after clearing, purging, or destroying media to ensure that the action that was taken is effective. This is an important step since improperly applying the sanitization process and leaving data partially or even fully intact can lead to a data breach.

Answer 63

**Detection and analysis, and containment, eradication, and recovery** Collecting and analyzing logs most often occurs in the detection and analysis phase, whereas connecting attacks back to attackers is typically handled in the containment, eradication, and recovery phase of the NIST incident response process.

Answer 64

**Review SSH logs.** Failed SSH logins are common, either because of a user who has mistyped their password or because of scans and random connection attempts. Liam should review his SSH logs to see what may have occurred.

Answer 65

**A playbook** Playbooks describe detailed procedures that help to ensure that organizations and individuals take the right actions during the stress of an incident. Operations guides typically cover normal operational procedures, while an incident response policy describes the high‐level organizational direction and authority for incident response. An incident response program might generate a policy and a playbook but would not include the detailed instructions itself.

Answer 66

**OpenVAS** Of the tools listed, only OpenVAS is a full‐system vulnerability scanner. Wapiti is a web application scanner, ZAP is an attack proxy used for testing web applications, and Nmap is a port scanner.

Answer 67

Wapiti is an open-source web application scanning tool

Answer 68

**Level 2: Logical extraction** Logical copies of data and volumes from an unlocked or decrypted device is the most likely mobile forensic scenario in many cases. Most forensic examiners do not have access to chip‐level forensic capabilities that physically remove flash memory from the circuit board, and JTAG‐level acquisition may involve invasive acquisition techniques like directly connecting to chips on a circuit board.

Answer 69

* **Physical**: Acquisition of the SIM card, memory cards, or device backups, aiming for a bit-by-bit copy. * **Logical**: Creating an image of the logical storage volumes, extracting user data and some system data. * **Manual access**: Reviewing the live, unlocked phone and documenting findings. * **Filesystem**: Providing details of deleted and existing files by accessing the underlying file system structure. * **Level 3: JTAG or HEX dumping**: Invasive techniques like directly connecting to chips or examining raw hexadecimal data for low-level data access. * **Level 4: Chip extraction**: Directly extracting and analyzing memory chips, the most advanced and invasive method.

Answer 70

**A packet capture tool installed on the system** Wang knows that installing additional software on Windows system to capture traffic can interfere with forensic efforts or warn attackers that they are being observed. Using packet capture from another location on the network is the more common option in this scenario.

Answer 71

**Processing, review, and analysis** With most e‐discovery cases, reviewing the large volumes of data to ensure that only needed data is presented and that all necessary data is made available takes up the most staff time. Many organizations with larger e‐discovery needs either dedicated staff or outsourced efforts like this.

Answer 72

**A call list** A call list provides a list of the personnel who should or can be contacted during an incident or response scenario. Sometimes called an escalation list, they typically include the names of the staff members who should be called if there is no response. A rotation list or call rotation is used to distribute workload among a team, typically by placing a specific person on‐call for a set time frame. This may help decide who is on the call list at any given point in time. A triage triangle is made up for this question, and responsibility matrices are sometimes created to explain who is responsible for what system or application but aren’t directly used for emergency contact lists.

Answer 73

**A buffer overflow attack** Overflowing a memory location by placing a string longer than the program expects into a variable is a form of buffer overflow attack. Attackers may choose to use a string of the same letters to make the overflow easier to spot when testing the exploit.

Answer 74

**IaaS** Generally speaking, analysts may obtain more forensic information when their organization has greater control over the underlying cloud resources. Infrastructure as a service (IaaS) environments provide the greatest level of control and, therefore, typically provide access to the most detailed information.

Answer 75

**Checklist review** Any of these exercises may be used to help remind incident responders of their responsibilities. Checklist reviews have the least impact on the organization because they may be done asynchronously by individual employees. The other training/exercise types listed here would require a more substantial commitment of time.

Answer 76

This type of exercise can be used to remind incident responders of their responsibilities with the least impact on other organizational priorities because it can be done asynchronously by individual employees.

Answer 77

a step-by-step review of procedures or plans, possibly requiring more coordination than a checklist review.

Answer 78

typically involve participants competing to find and exploit vulnerabilities in systems or defend their own systems. This would likely require significant time and resources, having a higher impact on organizational priorities.

Answer 79

where the incident response team gathers to walk through an incident scenario and discuss their roles, responsibilities, and the steps they would take. This requires bringing the team together and thus has a greater impact than a checklist review but less than a full simulation.

Answer 80

**Analysis of drive capacity consumption** Vulnerability mitigation, restoration of permissions, and the verification of logging and communication to security monitoring are all activities that normally occur during the eradication and recovery phase of incident response. The analysis of drive capacity consumption is the assessment of an indicator of compromise (IoC), which occurs during the detection and analysis phase of incident response.

Answer 81

involve the activation of incident response procedures without stopping normal business operations. Because normal operations continue, parallel tests have a lower likelihood of disrupting regular activities compared to full interruption tests.

Answer 82

involve the activation of incident response procedures, but they carry more risk because they require stopping normal business operations. This type of test assesses the incident response capabilities under conditions of complete operational disruption

Answer 83

**Web servers** The Open Source Security Testing Methodology Manual (OSS TMM), published by the Institute for Security and Open Methodologies provides guidance on testing the security of physical locations, human interactions, and communications. While web servers may fall under the general category of communications, they are not one of the specific testing objectives of OSS TMM.

Answer 84

**Annually** Individuals with specific business continuity roles should receive training on at least an annual basis. While it is always preferable to offer more frequent training, annual training is sufficient to meet the requirements of most organizations.

Answer 85

**Preparation** Organizations should build solid, defense‐in‐depth approaches to cybersecurity during the preparation phase of the incident response process. The controls built during this phase serve to reduce the likelihood and impact of future incidents.

Answer 86

**It includes actions outside the defended network.** The Cyber Kill Chain includes actions outside the defended network, which many defenders cannot take action on, resulting in one of the common criticisms of the model. Other criticisms include the focus on a traditional perimeter and on antimalware‐based techniques, as well as a lack of focus on insider threats.

Answer 87

**CEO** The incident response policy provides the CSIRT with the authority needed to do their job. Therefore, it should be approved by the highest possible level of authority within the organization, preferably the CEO.

Answer 88

**Detect an incident in progress.** Detection of a potential incident occurs during the detection and analysis phase of incident response. The other activities listed are all objectives of the containment, eradication, and recovery phase.

Answer 89

**Domination** MITRE provides the ATT&CK, or Adversarial Tactics, Techniques, and Common Knowledge, knowledge base of adversary tactics and techniques. The ATT&CK matrices include detailed descriptions, definitions, and examples for the complete threat life cycle, from initial access through execution, persistence, privilege escalation, and exfiltration. Domination is not one of the phases.