14 Monitoring and incident response Flashcards
What are the phases of the incident response cycle in the Security+ exam?
Preparation, detection, analysis, containment, eradication, recovery, and lessons learned.
True or False: The incident response process can only move forward through its phases.
False
What types of exercises do organizations use to train their staff for incident response?
Tabletop exercises, walk-throughs, and simulations.
What is the purpose of threat hunting?
To identify potential indicators of compromise using data.
Threat hunting is a proactive cybersecurity practice where security professionals actively search for and identify unknown or advanced cyber threats that have evaded existing security solutions and are lurking within a network.
What are IoCs in the context of threat hunting?
Indicators of compromise, which include various signs of potential security incidents.
In threat hunting, Indicators of Compromise (IoCs) are digital clues or forensic data points that suggest a system or network may have been compromised, aiding security teams in detecting, investigating, and stopping malicious activities.
Here’s a more detailed explanation:
What they are:
IoCs are essentially “breadcrumbs” left by attackers, providing evidence of potential security breaches or malicious activity.
Examples:
These can include specific file hashes, IP addresses, domain names, URLs, email addresses, unusual network traffic, or suspicious system behavior.
List some examples of IoCs.
- Account lockout
- Concurrent session usage
- Impossible travel
- Attempted access to blocked content
- Resource consumption
- Resource inaccessibility
- Out-of-cycle logging
- Missing logs
What tools are commonly used for data management in incident response?
Security Information and Event Management (SIEM) tools.
What types of information do SIEM tools gather and analyze?
- Vulnerability scan output
- System configuration data
- System and device logs
- Network traffic information
How is network traffic information collected?
Using NetFlow, sFlow, and packet analyzers.
What is the purpose of collecting network traffic information?
To provide details about bandwidth usage and system communication.
What are some common mitigation techniques used by incident responders?
- Changing configurations for endpoint security solutions
- Using allow/block lists
- Quarantining files or devices
- Making firewall changes
- Using MDM or DLP tools
- Adding content or URL filtering rules
- Revoking or updating certificates
What does root cause analysis help to determine?
Why an incident was able to happen; this then guides preparation work to avoid future incidents.
Fill in the blank: Incident responders use _______ to ensure that the impact of incidents is limited.
[mitigation techniques]