14 Monitoring and incident response Flashcards
What are the phases of the incident response cycle in the Security+ exam?
Preparation, detection, analysis, containment, eradication, recovery, and lessons learned.
True or False: The incident response process can only move forward through its phases.
False. Responders often return to an earlier phase, for example going back to detection and analysis when containment or eradication uncovers additional affected systems, before recovery can be completed.
What types of exercises do organizations use to train their staff for incident response?
Tabletop exercises, walk-throughs, and simulations.
What is the purpose of threat hunting?
To proactively search collected data (logs, network traffic, endpoint telemetry) for indicators of compromise that automated detection has not flagged, so that attackers already inside the environment are found sooner.
What are IoCs in the context of threat hunting?
Indicators of compromise: observable artifacts or behaviors (unusual log entries, logins, file hashes, network connections, or resource usage) that suggest a system or account may have been breached.
List some examples of IoCs.
- Account lockout (repeated failed logins triggering lockout, often a sign of password guessing)
- Concurrent session usage (one account active from more than one location at the same time)
- Impossible travel (logins from locations too far apart for the user to have traveled between them in the elapsed time)
- Attempted access to blocked content
- Resource consumption (unexplained spikes in CPU, memory, disk, or network use)
- Resource inaccessibility (services or files that suddenly cannot be reached)
- Out-of-cycle logging (log entries at times when the activity should not be occurring)
- Missing logs (gaps that may indicate an attacker cleared or disabled logging)
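The three account-related IoCs above (lockout, concurrent sessions, impossible travel) can be detected mechanically from authentication logs. The following is an added example, not part of the original flashcard set: it runs over a constructed log, with made-up users, IP addresses and a hypothetical GeoIP table standing in for a real geolocation lookup; the thresholds (5 failures, 900 km/h, a 30-minute concurrent-session window) are assumptions a real deployment would tune.

```python
"""Detect account lockout, impossible travel and concurrent sessions in auth logs.

Added example, not from the original flashcard set. The log lines, user names,
IP addresses, coordinates and thresholds below are all constructed/assumed.
"""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed log, one event per line: "<ISO-8601 UTC timestamp> <user> <result> <src_ip>"
SAMPLE_LOG = """\
2024-03-01T08:00:00Z alice success 203.0.113.10
2024-03-01T08:00:30Z bob failure 198.51.100.7
2024-03-01T08:00:40Z bob failure 198.51.100.7
2024-03-01T08:00:50Z bob failure 198.51.100.7
2024-03-01T08:01:00Z bob failure 198.51.100.7
2024-03-01T08:01:10Z bob failure 198.51.100.7
2024-03-01T08:05:00Z alice success 192.0.2.44
2024-03-01T09:00:00Z carol success 203.0.113.10
2024-03-01T09:20:00Z carol success 203.0.113.11
"""

# Hypothetical GeoIP table: IP -> (latitude, longitude). Stands in for a real lookup.
GEO = {
    "203.0.113.10": (40.71, -74.01),   # assumed: New York
    "203.0.113.11": (40.73, -73.99),   # assumed: also New York
    "192.0.2.44": (35.68, 139.69),     # assumed: Tokyo
    "198.51.100.7": (51.51, -0.13),    # assumed: London
}

LOCKOUT_THRESHOLD = 5        # assumed: failures from one account before flagging a lockout
MAX_PLAUSIBLE_KMH = 900.0    # assumed: roughly airliner speed; faster implies impossible travel
CONCURRENT_WINDOW_S = 1800   # assumed: two source IPs within 30 min = concurrent sessions


def parse_log(text):
    """Turn raw lines into sorted (datetime, user, result, ip) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, parts[1], parts[2], parts[3]))
    return sorted(events)


def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def find_iocs(events):
    """Return (ioc_type, user, detail) tuples for the three account IoCs."""
    findings = []
    failures = defaultdict(int)   # consecutive failures per user
    last_success = {}             # user -> (timestamp, ip) of the last successful login

    for ts, user, result, ip in events:
        if result == "failure":
            failures[user] += 1
            if failures[user] == LOCKOUT_THRESHOLD:
                findings.append(("account_lockout", user, f"{LOCKOUT_THRESHOLD} failures from {ip}"))
            continue
        failures[user] = 0  # a success resets the failure streak
        if user in last_success:
            prev_ts, prev_ip = last_success[user]
            if prev_ip != ip:
                elapsed_s = (ts - prev_ts).total_seconds()
                speed = None
                if prev_ip in GEO and ip in GEO:  # only compute travel when both IPs geolocate
                    dist = haversine_km(GEO[prev_ip], GEO[ip])
                    speed = dist / (elapsed_s / 3600) if elapsed_s > 0 else float("inf")
                if speed is not None and speed > MAX_PLAUSIBLE_KMH:
                    findings.append(("impossible_travel", user, f"{dist:.0f} km in {elapsed_s / 60:.0f} min"))
                elif elapsed_s <= CONCURRENT_WINDOW_S:
                    findings.append(("concurrent_session", user, f"{prev_ip} and {ip}"))
        last_success[user] = (ts, ip)
    return findings


if __name__ == "__main__":
    for ioc_type, user, detail in find_iocs(parse_log(SAMPLE_LOG)):
        print(f"{ioc_type:20} {user:8} {detail}")
```

On the constructed log, bob trips the lockout rule, alice's New York to Tokyo logins five minutes apart are impossible travel, and carol's two New York addresses within twenty minutes are flagged as concurrent sessions rather than travel. In practice the same logic runs as a SIEM correlation rule, and the GeoIP table, thresholds and window are the parameters an analyst tunes to control false positives (VPN exits and mobile carriers are the usual causes).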
What tools are commonly used for data management in incident response?
Security Information and Event Management (SIEM) tools.
What types of information do SIEM tools gather and analyze?
- Vulnerability scan output
- System configuration data
- System and device logs
- Network traffic information
How is network traffic information collected?
Using NetFlow, sFlow, and packet analyzers.
What is the purpose of collecting network traffic information?
To show bandwidth usage and which systems are communicating with which (and over what ports and protocols), so that responders can spot unusual traffic such as a host sending far more data than normal or talking to an unexpected external destination.
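The two views flow data gives an incident responder, bandwidth per host and who-talks-to-whom, are easy to show with a handful of records. The following is an added example, not part of the original flashcard set: the records mimic the fields a NetFlow or sFlow export carries (source, destination, destination port, protocol, bytes), but the addresses and byte counts are invented, and the 10.0.0.0/8 internal range and 500 MB per-destination threshold are assumptions.

```python
"""Summarise constructed NetFlow-style records the way a SIEM uses flow data.

Added example, not from the original flashcard set. Flow records, address
ranges and the exfiltration threshold are constructed/assumed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed corporate address range
EXFIL_BYTES = 500 * 1024 * 1024       # assumed: outbound bytes to one destination worth a look

# Constructed flow records: (src, dst, dst_port, proto, bytes)
FLOWS = [
    ("10.1.1.20", "10.1.1.5", 445, "tcp", 12_000),
    ("10.1.1.20", "93.184.216.34", 443, "tcp", 48_000),
    ("10.1.1.21", "203.0.113.77", 443, "tcp", 620 * 1024 * 1024),
    ("10.1.1.21", "10.1.1.5", 445, "tcp", 4_000),
    ("10.1.1.22", "198.51.100.9", 53, "udp", 900),
    ("10.1.1.22", "198.51.100.9", 53, "udp", 850),
]


def is_outbound(src, dst):
    """True when an internal host sends to an address outside the internal range."""
    return ip_address(src) in INTERNAL and ip_address(dst) not in INTERNAL


def bytes_per_host(flows):
    """Bandwidth view: total bytes sent by each source address."""
    totals = defaultdict(int)
    for src, _dst, _port, _proto, nbytes in flows:
        totals[src] += nbytes
    return dict(totals)


def talk_pairs(flows):
    """Communication view: (src, dst, port, proto) -> number of flows seen."""
    pairs = defaultdict(int)
    for src, dst, port, proto, _nbytes in flows:
        pairs[(src, dst, port, proto)] += 1
    return dict(pairs)


def outbound_exfil_candidates(flows, threshold=EXFIL_BYTES):
    """Internal hosts that pushed more than `threshold` bytes to a single external destination."""
    per_dest = defaultdict(int)
    for src, dst, _port, _proto, nbytes in flows:
        if is_outbound(src, dst):
            per_dest[(src, dst)] += nbytes
    return sorted((s, d, b) for (s, d), b in per_dest.items() if b > threshold)


if __name__ == "__main__":
    for host, total in sorted(bytes_per_host(FLOWS).items()):
        print(f"{host:12} {total:>12} bytes")
    for (src, dst, port, proto), n in sorted(talk_pairs(FLOWS).items()):
        print(f"{src} -> {dst}:{port}/{proto}  flows={n}")
    print("exfil candidates:", outbound_exfil_candidates(FLOWS))
```

Flow records carry no payload, so this shows volume and relationships, not content; when a candidate like 10.1.1.21 turns up, a packet analyzer capture of that conversation is the next step.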
What are some common mitigation techniques used by incident responders?
- Changing configurations for endpoint security solutions
- Using allow/block lists
- Quarantining files or devices
- Making firewall changes
- Using mobile device management (MDM) or data loss prevention (DLP) tools
- Adding content or URL filtering rules
- Revoking or updating certificates
What does root cause analysis help to determine?
Why an incident was able to happen; the findings then guide preparation work (fixes, controls, and training) to prevent similar incidents in the future.
Fill in the blank: Incident responders use _______ to ensure that the impact of incidents is limited.
[mitigation techniques]