14 - Incident Response Flashcards
Explain policies, procedures, and models related to responding to cyber-attacks
The Security+ Incident Response Cycle includes what six continuous steps?
Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned
Michael wants to log directly to a database while also using TCP and TLS to protect his log information and to ensure that it is received. What tool should he use?
Syslog-ng
What tool is specifically designed to support incident responders by allowing unified automated responses across an organization?
Security Orchestration, Automation, and Response (SOAR)
Selah is following the Cyber Kill Chain model and has completed the delivery phase. What step is next, according to the Kill Chain?
Exploitation
What is the primary concern with sFlow in a large, busy network?
sFlow only samples network traffic, so some detail will be lost
Mark unplugs the network connection from a system that is part of an incident and places tape over its Ethernet jack with a sign that says: DO NOT RECONNECT WITHOUT APPROVAL FROM IR TEAM. How is this method best described?
Isolation
As a part of their yearly incident response preparations, Ben’s org goes through a sample incident step by step to validate what each person will do in the incident. What type of exercise is this?
A Walk-through Exercise
Madhuri wants to check a PNG-formatted photo for GPS coordinates. Where can she find that information if it exists in the photo?
In the photo’s Metadata
Alyssa wants to prevent a known Microsoft Word file from being downloaded and accessed on devices she is responsible for. What type of tool can she use to prevent this?
A Deny List Tool
Which of the following is NOT one of the phases in COOP?
- Readiness and Preparedness
- Activation and Relocation
- Continuity of Operations
- Documentation and Reporting
Documentation and Reporting is not a phase of Continuity of Operations Planning (COOP); the fourth phase is Reconstitution
Ian has been receiving hundreds of false positive alerts from his SIEM every night when scheduled jobs run across his datacenter. What rate should he adjust on his SIEM to reduce the false positive rate?
The Sensitivity Rate
Which team member acts as a primary conduit to senior management on an IR team?
Management
Gwen is building her org’s documentation and processes and wants to create the plan for what the org would do if her datacenter burned down. What type of plan would typically cover that type of scenario?
A Disaster Recovery Plan (DR Plan)
Megan’s org uses the Diamond Model of Intrusion Analysis as part of their incident response process. A user in Megan’s org has discovered a compromised system. What core feature would help her determine how the compromise occurred?
Capability
Jim wants to view log entries that describe actions taken by applications on a CentOS Linux system. Which of the following tools can he use on the system to view those logs?
- logger
- syslog-ng
- journalctl
- tail
journalctl