Sound the Alarm: Detection and Response

Question 1

Computer Security Incident Response Team (CSIRT)

Answer 1

A specialized group of security professionals that are trained in incident management and response.

Question 2

Documentation

Answer 2

Any form of recorded content that is used for a specific purpose.

Question 3

Endpoint Detection and Response (EDR)

Answer 3

An application that monitors an endpoint for malicious activity.

Question 4

Event

Answer 4

An observable occurrence on a network, system, or device.

Question 5

False negative

Answer 5

A state where the presence of a threat is not detected.

Question 6

False positive

Answer 6

An alert that incorrectly detects the presence of a threat.

Question 7

Incident

Answer 7

An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system.

Question 8

Incident handler’s journal

Answer 8

A form of documentation used in incident response.

Question 9

Incident response plan

Answer 9

A document that outlines the procedures to take in each step of incident response.

Question 10

NIST Incident Response Lifecycle

Answer 10

A framework for incident response consisting of four phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-incident activity.

Question 11

Security Operations Center (SOC)

Answer 11

An organizational unit dedicated to monitoring networks, systems, and devices for security threats or attacks.

Question 12

Security Orchestration, Automation, and Response (SOAR)

Answer 12

A collection of applications, tools, and workflows that uses automation to respond to security events.

Question 13

True negative

Answer 13

A state where there is no detection of malicious activity.

Question 14

True positive

Answer 14

An alert that correctly detects the presence of an attack.

Question 15

Command

Answer 15

An objective of CSIRT. Refers to having the appropriate leadership and direction to oversee the response.

Question 15

Control

Answer 15

An objective of CSIRT. Refers to the ability to manage technical aspects during incident response, like coordinating resources and assigning tasks.

Question 16

Communication

Answer 16

An objective of CSIRT. Refers to the ability to keep stakeholders informed.

Question 17

Security analyst, Technical lead, and Incident coordinator

Answer 17

What are the three key security related roles under CSIRT?

Question 18

Security analyst

Answer 18

This job title’s role is to continuously monitor an environment for any security threats.

Question 19

Forensic investigator

Answer 19

This job title is commonly L2s and L3s (under CSIRT) who collect, preserve, and analyze digital evidence related to security incidents to determine what happened.

Question 20

Threat hunter

Answer 20

This job title is typically L3s (under CSIRT) who work to detect, analyze, and defend against new and advanced cybersecurity threats using threat intelligence.

Question 21

Endpoint

Answer 21

Any device connected on a network.

Question 22

Log analysis

Answer 22

The process of examining logs to identify events of interest.

Question 23

Command and control (C2)

Answer 23

The techniques used by malicious actors to maintain communications with compromised systems.

C2 is crucial in managing compromised devices during a cyber attack.

Question 24

Command-line interface (CLI).

Answer 24

A text-based user interface that uses commands to interact with the computer. ## Footnote CLI is often preferred for scripting and automation tasks.

Question 25

Data exfiltration

Answer 25

Unauthorized transmission of data from a system. ## Footnote Data exfiltration can lead to data breaches and loss of sensitive information.

Question 26

Indicators of compromise (IoC)

Answer 26

Observable evidence that suggests signs of a potential security incident. ## Footnote IoCs can include unusual network traffic, changes in file integrity, etc.

Question 27

Network data

Answer 27

The data that’s transmitted between devices on a network. ## Footnote Network data encompasses all forms of digital communication over a network.

Question 28

Network traffic

Answer 28

The amount of data that moves across a network. ## Footnote Network traffic can be measured in terms of bandwidth usage.

Question 29

Network Interface Card (NIC)

Answer 29

Hardware that connects computers to a network. ## Footnote NICs can be wired or wireless.

Question 30

Packet capture (p-cap)

Answer 30

A file containing data packets intercepted from an interface or network. ## Footnote P-cap files are often used for analysis in tools like Wireshark.

Question 31

tcpdump

Answer 31

A command-line network protocol analyzer. ## Footnote tcpdump is commonly used for capturing and analyzing network packets.

Question 32

Wireshark

Answer 32

A GUI network protocol analyzer. ## Footnote Wireshark provides a graphical interface for packet analysis.

Question 33

Command and control

Answer 33

What does C2 stand for?

Question 34

Indicators of compromise

Answer 34

What does IoC stand for?

Question 35

Network Interface Card

Answer 35

What does NIC stand for?

Question 36

Packet capture

Answer 36

What does p-cap stand for?

Question 37

Network operations center (NOC)

Answer 37

An organizational unit that monitors the performance of a network and responds to any network disruption, such as a network outage.

Question 38

Network operations center

Answer 38

What does NOC stand for?

Question 39

Data packet

Answer 39

A basic unit of information that travels from one device to another within a network.

Question 40

Version

Answer 40

An IPv4 field. This field indicates the IP version. For an IPv4 header, IPv4 is used. ## Footnote For an IPv4 header, IPv4 is used.

Question 41

Internet Header Length (IHL) field

Answer 41

An IPv4 field. This field specifies the length of the IPv4 header including any Options.

Question 42

Type of Service (ToS)

Answer 42

An IPv4 field. This field provides information about packet priority for delivery.

Question 43

Total Length

Answer 43

An IPv4 field. This field specifies the total length of the entire IP packet including the header and the data.

Question 44

Identification field

Answer 44

An IPv4 field. Packets that are too large to send are fragmented into smaller pieces. This field specifies a unique identifier for fragments of an original IP packet so that they can be reassembled once they reach their destination.

Question 45

Flags

Answer 45

An IPv4 field. This field provides information about packet fragmentation including whether the original packet has been fragmented and if there are more fragments in transit.

Question 46

Fragment Offset

Answer 46

An IPv4 field. This field is used to identify the correct sequence of fragments.

Question 47

Time to Live (TTL)

Answer 47

An IPv4 field. This field limits how long a packet can be circulated in a network, preventing packets from being forwarded by routers indefinitely.

Question 48

Protocol

Answer 48

An IPv4 field. This field specifies the protocol used for the data portion of the packet.

Question 49

Header Checksum

Answer 49

An IPv4 field. This field specifies a checksum value which is used for error-checking the header.

Question 50

Source Address

Answer 50

An IPv4 field. This field specifies the source address of the sender.

Question 51

Destination Address

Answer 51

An IPv4 field. This field specifies the destination address of the receiver.

Question 52

Options field

Answer 52

An IPv4 field. This field is optional and can be used to apply security options to a packet.

Question 53

Traffic Class

Answer 53

An IPv6 field. This field is similar to the IPv4 Type of Service field. The Traffic Class field provides information about the packet's priority or class to help with packet delivery.

Question 54

Version

Answer 54

An IPv6 field. This field indicates the IP version. For an IPv6 header, IPv6 is used.

Question 55

Flow Label

Answer 55

An IPv6 field. This field identifies the packets of a flow. A flow is the sequence of packets sent from a specific source.

Question 56

Payload Length

Answer 56

An IPv6 field. This field specifies the length of the data portion of the packet.

Question 57

Next Header

Answer 57

An IPv6 field. This field indicates the type of header that follows the IPv6 header such as TCP.

Question 58

Hop Limit

Answer 58

An IPv6 field. This field is similar to the IPv4 Time to Live field. The Hop Limit limits how long a packet can travel in a network before being discarded.

Question 59

Source Address

Answer 59

An IPv6 field. This field specifies the source address of the sender.

Question 60

Destination Address

Answer 60

An IPv6 field. This field specifies the destination address of the receiver.

Question 61

Analysis

Answer 61

The investigation and validation of alerts.

Question 62

Broken chain of custody

Answer 62

Inconsistencies in the collection and logging of evidence in the chain of custody

Question 63

Business continuity plan (BCP)

Answer 63

A document that outlines the procedures to sustain business operations during and after a significant disruption.

Question 64

Chain of custody

Answer 64

The process of documenting evidence possession and control during an incident lifecycle.

Question 65

Containment

Answer 65

The act of limiting and preventing additional damage caused by an incident.

Question 66

Crowdsourcing

Answer 66

The practice of gathering information using public input and collaboration.

Question 67

Detection

Answer 67

The prompt discovery of security events.

Question 68

Eradication

Answer 68

The complete removal of the incident elements from all affected systems.

Question 69

Honeypot

Answer 69

A system or resource created as a decoy vulnerable to attacks with the purpose of attracting potential intruders.

Question 70

Final report

Answer 70

Documentation that provides a comprehensive review of an incident.

Question 71

Indicators of attack (IoA)

Answer 71

The series of observed events that indicate a real-time incident.

Question 71

Lessons learned meeting

Answer 71

A meeting that includes all involved parties after a major incident.

Question 72

Open-source intelligence (OSINT)

Answer 72

The collection and analysis of information from publicly available sources to generate usable intelligence.

Question 73

Post-incident activity

Answer 73

The process of reviewing an incident to identify areas for improvement during incident handling.

Question 74

Recovery

Answer 74

The process of returning affected systems back to normal operations.

Question 75

Resilience

Answer 75

The ability to prepare for, respond to, and recover from disruptions.

Question 76

Standards

Answer 76

References that inform how to set policies.

Question 77

Threat hunting

Answer 77

The proactive search for threats on a network.

Question 78

Threat intelligence

Answer 78

Evidence-based threat information that provides context about existing or emerging threats.

Question 79

Triage

Answer 79

The prioritizing of incidents according to their level of importance or urgency.

Question 80

VirusTotal

Answer 80

A service that allows anyone to analyze suspicious files, domains, URLs, and IP addresses for malicious content.

Question 81

What does BCP stand for?

Answer 81

Business continuity plan

Question 82

What does IoA stand for?

Answer 82

Indicators of attack

Question 83

What does OSINT stand for?

Answer 83

Open-source intelligence

Question 84

What are three common public or private threat intelligence sources?

Answer 84

Industry reports, Government advisories, and threat data feeds.

Question 84

What are different types of indicators of compromise (IoCs) found in the Pyramid of Pain?

Answer 84

Hash values, IP addresses, Domain names, Network artifacts, Host artifacts, Tools, and Tactics, techniques, and procedures (TTPs).

Question 84

What are three types of recovery sites used for site resilience?

Answer 84

Hot sites, Warm sites, and Cold sites

Question 85

What does TTP stand for?

Answer 85

Tools, and Tactics, techniques, and procedures

Question 86

Hash values

Answer 86

An IoC. They correspond to known malicious files. These are often used to provide unique references to specific samples of malware or to files involved in an intrusion.

Question 87

Domain names

Answer 87

An IoC. A web address such as www.google.com

Question 87

IP addresses

Answer 87

An IoC. An internet protocol address like 192.168.1.1

Question 87

Network artifacts

Answer 87

An IoC. Observable evidence created by malicious actors on a network. For example, information found in network protocols such as User-Agent strings.

Question 88

Host artifacts

Answer 88

An IoC. Observable evidence created by malicious actors on a host. A host is any device that’s connected on a network. For example, the name of a file created by malware.

Question 89

Tools

Answer 89

An IoC. Software that’s used by a malicious actor to achieve their goal. For example, attackers can use password cracking tools like John the Ripper to perform password attacks to gain access into an account.

Question 90

Tactics, techniques, and procedures (TTPs)

Answer 90

An IoC. This is the behavior of a malicious actor. Tactics refer to the high-level overview of the behavior. Techniques provide detailed descriptions of the behavior relating to the tactic. Procedures are highly detailed descriptions of the technique. TTPs are the hardest to detect.

Question 91

Anomaly-based analysis

Answer 91

A detection method that identifies abnormal behavior. ## Footnote Used in various security applications to detect potential threats.

Question 92

Array

Answer 92

A data type that stores data in a comma-separated ordered list. ## Footnote Commonly used in programming for organizing data.

Question 93

Common Event Format (CEF)

Answer 93

A log format that uses key-value pairs to structure data and identify fields and their corresponding values. ## Footnote Facilitates interoperability among security products.

Question 94

Configuration file

Answer 94

A file used to configure the settings of an application. ## Footnote Essential for customizing application behavior.

Question 95

Endpoint

Answer 95

Any device connected on a network. ## Footnote Includes computers, mobile devices, and IoT devices.

Question 96

Endpoint Detection and Response (EDR)

Answer 96

An application that monitors an endpoint for malicious activity. ## Footnote Helps in detecting, investigating, and responding to threats.

Question 97

Host-based Intrusion Detection System (HIDS)

Answer 97

An application that monitors the activity of the host on which it’s installed. ## Footnote Focuses on detecting malicious activity on individual machines.

Question 98

Key-value pair

Answer 98

A set of data that represents two linked items: a key, and its corresponding value. ## Footnote Fundamental in data organization and storage.

Question 99

Log Management

Answer 99

The process of collecting, storing, analyzing, and disposing of log data. ## Footnote Involves ensuring logs are available for analysis and compliance.

Question 100

Logging

Answer 100

The recording of events occurring on computer systems and networks. ## Footnote Essential for monitoring and security.

Question 101

Network-based Intrusion Detection System (NIDS)

Answer 101

An application that collects and monitors network traffic and network data. ## Footnote Focuses on detecting threats across the entire network.

Question 102

Object

Answer 102

A data type that stores data in a comma-separated list of key-value pairs. ## Footnote Commonly used in software development.

Question 103

Search Processing Language (SPL)

Answer 103

Splunk’s query language. ## Footnote Used for searching and analyzing data within Splunk.

Question 104

Signature

Answer 104

A pattern that is associated with malicious activity. ## Footnote Used in detection methods to identify threats.

Question 105

Signature analysis

Answer 105

A detection method used to find events of interest. ## Footnote Relies on known patterns to detect threats.

Question 106

Suricata

Answer 106

An open-source intrusion detection system, intrusion prevention system, and network analysis tool. ## Footnote Widely used for network security monitoring.

Question 107

Telemetry

Answer 107

The collection and transmission of data for analysis. ## Footnote Important in various fields, including IT and security.

Question 108

YARA-L

Answer 108

A computer language used to create rules for searching through ingested log data. ## Footnote Facilitates identification of specific patterns in logs.

Question 109

What does CEF stand for?

Answer 109

Common Event Format

Question 110

What does EDR stand for?

Answer 110

Endpoint detection and response

Question 111

What does HIDS stand for?

Answer 111

Host-based intrusion detection system

Question 112

What does SPL stand for?

Answer 112

Search Processing Language

Question 112

What does NIDS stand for?

Answer 112

Network-based intrusion detection system

Question 112

What types of logs are there?

Answer 112

Network, System, Application, Security, and Authentication.

Question 113

Network

Answer 113

A type of log. These logs are generated by network devices like firewalls, routers, or switches.

Question 113

System

Answer 113

A type of log. These logs are generated by operating systems like Chrome OS™, Windows, Linux, or macOS®.

Question 114

Application

Answer 114

A type of log. These logs are generated by software applications and contain information relating to the events occurring within the application such as a smartphone app.

Question 115

Security

Answer 115

A type of log. These logs are generated by various devices or systems such as antivirus software and intrusion detection systems. Security logs contain security-related information such as file deletion.

Question 115

Authentication

Answer 115

Authentication logs are generated whenever authentication occurs such as a successful login attempt into a computer.