14 - Incident Response Flashcards

Explain policies, procedures, and models related to responding to cyber-attacks

1
Q

The Security+ Incident Response Cycle includes what six continuous steps?

A

Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned

2
Q

Michael wants to log directly to a database while also using TCP and TLS to protect his log information and to ensure that it is received. What tool should he use?

A

Syslog-ng

3
Q

What tool is specifically designed to support incident responders by allowing unified automated responses across an organization?

A

Security Orchestration, Automation, and Response (SOAR)

4
Q

Selah is following the Cyber Kill Chain model and has completed the delivery phase. What step is next, according to the Kill Chain?

A

Exploitation

5
Q

What is the primary concern with sFlow in a large, busy network?

A

sFlow only samples network traffic, meaning that some detail will be lost

6
Q

Mark unplugs the network connection from a system that is part of an incident and places tape over its Ethernet jack with a sign that says: DO NOT RECONNECT WITHOUT APPROVAL FROM IR TEAM. How is this method best described?

A

Isolation

7
Q

As a part of their yearly incident response preparations, Ben’s org goes through a sample incident step by step to validate what each person will do in the incident. What type of exercise is this?

A

A Walk-through Exercise

8
Q

Madhuri wants to check a PNG-formatted photo for GPS coordinates. Where can she find that information if it exists in the photo?

A

In the photo’s Metadata

9
Q

Alyssa wants to prevent a known Microsoft Word file from being downloaded and accessed on devices she is responsible for. What type of tool can she use to prevent this?

A

A Deny List Tool

10
Q

Which of the following is NOT one of the phases in COOP?

  • Readiness and Preparedness
  • Activation and Relocation
  • Continuity of Operations
  • Documentation and Reporting
A

Documentation and Reporting is not a phase in Continuity of Operations Planning (COOP); the fourth phase is Reconstitution

11
Q

Ian has been receiving hundreds of false positive alerts from his SIEM every night when scheduled jobs run across his datacenter. What rate should he adjust on his SIEM to reduce the false positive rate?

A

The Sensitivity Rate

12
Q

Which team member acts as a primary conduit to senior management on an IR team?

A

Management

13
Q

Gwen is building her org’s documentation and processes and wants to create the plan for what the org would do if her datacenter burned down. What type of plan would typically cover that type of scenario?

A

A Disaster Recovery Plan (DR Plan)

14
Q

Megan’s org uses the Diamond Model of Intrusion Analysis as part of their incident response process. A user in Megan’s org has discovered a compromised system. What core feature would help her determine how the compromise occurred?

A

Capability

15
Q

Jim wants to view log entries that describe actions taken by applications on a CentOS Linux system. Which of the following tools can he use on the system to view those logs?

  • logger
  • syslog-ng
  • journalctl
  • tail
A

journalctl

16
Q

Chris has turned on logon auditing for a Windows system. What log will show them?

A

The Windows Security Log

17
Q

Susan has discovered that an incident took place on her network almost six months ago. As she prepares to identify useful data for the incident, which common policy is most likely to cause her difficulties during her investigation?

A

Any Retention Policies

18
Q

Hitesh wants to keep a system online but limit the impact of the malware that was found on it while an investigation occurs. What method from the following list should he use?

  • Containment
  • Isolation
  • Segmentation
  • Black Holing
A

Containment

19
Q

What phase in the incident response process leverages indicators of compromise and log analysis as part of a review of events?

A

Identification

20
Q

Henry wants to check to see if services were installed by an attacker. What commonly gathered organizational data can he use to see if a new service appeared on systems?

A

Vulnerability Scans