12A - Incident Response (Analysis) Flashcards

1
Q

What is the first step after the detection process reports indicators?

A

Investigate the data to determine if a genuine incident has been identified and assign a priority level.

This step involves distinguishing between true positives and false positives.

2
Q

What is a true positive incident event often classified by?

A

Correlating multiple indicators.

This classification helps in determining the nature of the incident.

3
Q

What happens if an incident is verified as a true positive?

A

Identify the type of incident and the data or resources affected.

This helps establish the incident category and impact.

4
Q

What is the most important factor in prioritizing incidents?

A

Data integrity.

The value of data at risk often dictates the priority level.

5
Q

What does downtime refer to in the context of incident impact?

A

The degree to which an incident disrupts business processes.

It can either degrade or interrupt availability.

6
Q

What are the two types of availability disruptions that incidents can cause?

A
  • Degrade (reduce performance)
  • Interrupt (completely stop)

Understanding these helps assess the impact of the incident.

7
Q

What short-term costs are associated with incidents?

A
  • Incident response
  • Lost business opportunities

These costs can have significant financial implications.

8
Q

What long-term economic costs can result from incidents?

A
  • Damage to reputation
  • Damage to market standing

Long-term effects can be more damaging than short-term costs.

9
Q

How is the scope of an incident defined?

A

The number of systems affected.

However, scope is not a direct indicator of priority.

10
Q

Why might a large number of infected systems not indicate high priority?

A

If the malware only degrades performance without posing a data breach risk.

This situation could be a masking attack.

11
Q

What is the typical detection time for data breaches?

A

More than half of data breaches are not detected for weeks or months.

In contrast, successful intrusions can breach data within minutes.

12
Q

What is essential for systems searching for intrusions?

A

They must be thorough, and the response to detection must be fast.

Prompt action is critical to mitigate damage.

13
Q

What can trigger heightened alertness for continued or new attacks?

A

Lengthy remediation processes due to complex system changes.

Prolonged recovery periods can attract further threats.

14
Q

What is the first stage of the Cyber Kill Chain?

A

Reconnaissance

The adversary gathers information about the network using network probes, Open Source Intelligence (OSINT), and social engineering.

15
Q

What is the main goal of the reconnaissance stage?

A

To map an attack surface and identify potential attack vectors.

This involves gathering information that can be exploited in later stages.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

What is the second stage of the Cyber Kill Chain?

A

Weaponization

The adversary codes an exploit to take advantage of a discovered vulnerability.

17
Q

What is coupled with the exploit code during the weaponization stage?

A

A payload

This payload assists the attacker in maintaining and extending covert access.

18
Q

What is the third stage of the Cyber Kill Chain?

A

Delivery

The weaponized code is inserted into the environment using a selected attack vector.

19
Q

Name three attack vectors used during the delivery stage.

A
  • Email attachment
  • Phishing website/download
  • USB media

These vectors are ways to deliver the weaponized code to the target.

20
Q

What occurs during the exploitation stage?

A

The weaponized code is executed on the target system.

This execution gains the capability to deliver the payload.

21
Q

What is the fifth stage of the Cyber Kill Chain?

A

Installation

The payload is successfully installed on the target system using methods to remain undetected.

22
Q

What is the purpose of the command & control (C2) stage?

A

To establish a connection to a remote server.

This allows the attacker to connect to the target and download or fabricate additional attack tools.

23
Q

What does C2 stand for in the context of the Cyber Kill Chain?

A

Command & Control

C&C is also commonly used to refer to this stage.

24
Q

What is the final stage of the Cyber Kill Chain?

A

Actions on Objectives

The adversary uses the compromised system to achieve or progress towards goals.

25
Q

List three goals an adversary might pursue during the actions on objectives stage.

A
  • Data exfiltration
  • DoS/vandalism
  • Escalating access across the target network

These goals represent the end objectives of an attack.