12A - Incident Response (Analysis) Flashcards
What is the first step after the detection process reports indicators?
Investigate the data to determine if a genuine incident has been identified and assign a priority level.
This step involves distinguishing between true positives and false positives.
How is a true positive incident event often classified?
Correlating multiple indicators.
This classification helps in determining the nature of the incident.
What happens if an incident is verified as a true positive?
Identify the type of incident and the data or resources affected.
This helps establish the incident category and impact.
What is the most important factor in prioritizing incidents?
Data integrity.
The value of data at risk often dictates the priority level.
What does downtime refer to in the context of incident impact?
The degree to which an incident disrupts business processes.
It can either degrade or interrupt availability.
What are the two types of availability disruptions that incidents can cause?
- Degrade (reduce performance)
- Interrupt (completely stop)
Understanding these helps assess the impact of the incident.
What short-term costs are associated with incidents?
- Incident response
- Lost business opportunities
These costs can have significant financial implications.
What long-term economic costs can result from incidents?
- Damage to reputation
- Damage to market standing
Long-term effects can be more damaging than short-term costs.
How is the scope of an incident defined?
The number of systems affected.
However, scope is not a direct indicator of priority.
Why might a large number of infected systems not indicate high priority?
If the malware only degrades performance without posing a data breach risk.
This situation could be a masking attack.
How long does it typically take to detect a data breach?
More than half of data breaches are not detected for weeks or months.
In contrast, successful intrusions can breach data within minutes.
What is essential for systems searching for intrusions?
They must be thorough, and the response to detection must be fast.
Prompt action is critical to mitigate damage.
What can trigger heightened alertness for continued or new attacks?
Lengthy remediation processes due to complex system changes.
Prolonged recovery periods can attract further threats.
What is the first stage of the Cyber Kill Chain?
Reconnaissance
The adversary gathers information about the network using network probes, Open Source Intelligence (OSINT), and social engineering.
What is the main goal of the reconnaissance stage?
To map an attack surface and identify potential attack vectors.
This involves gathering information that can be exploited in later stages.
What is the second stage of the Cyber Kill Chain?
Weaponization
The adversary codes an exploit to take advantage of a discovered vulnerability.
What is coupled with the exploit code during the weaponization stage?
A payload
This payload assists the attacker in maintaining and extending covert access.
What is the third stage of the Cyber Kill Chain?
Delivery
The weaponized code is inserted into the environment using a selected attack vector.
Name three attack vectors used during the delivery stage.
- Email attachment
- Phishing website/download
- USB media
These vectors are ways to deliver the weaponized code to the target.
What occurs during the exploitation stage?
The weaponized code is executed on the target system.
This execution gains the capability to deliver the payload.
What is the fifth stage of the Cyber Kill Chain?
Installation
The payload is successfully installed on the target system using methods to remain undetected.
What is the purpose of the command & control (C2) stage?
To establish a connection to a remote server.
This allows the attacker to connect to the target and download or fabricate additional attack tools.
What does C2 stand for in the context of the Cyber Kill Chain?
Command & Control
C&C is also commonly used to refer to this stage.
What is the final stage of the Cyber Kill Chain?
Actions on Objectives
The adversary uses the compromised system to achieve or progress towards goals.
List three goals an adversary might pursue during the actions on objectives stage.
- Data exfiltration
- DoS/vandalism
- Escalating access across the target network
These goals represent the end objectives of an attack.