14 Monitoring and incident response Flashcards
What are the phases of the incident response cycle?
Preparation, detection, analysis, containment, eradication, recovery, lessons learned
True or False: The incident response process phases can only move forward.
False
What are some training exercises organizations conduct for incident response?
- Tabletop exercises
- Walk-throughs
- Simulations
What does threat hunting utilize to identify potential indicators of compromise?
Data
What are IoCs?
Indicators of compromise
List some examples of indicators of compromise (IoCs).
- Account lockout
- Concurrent session usage
- Impossible travel
- Attempted access to blocked content
- Resource consumption
- Resource inaccessibility
- Out-of-cycle logging
- Missing logs
How are IoCs documented and published?
Through threat feeds and other services and sources
What are SIEM tools used for?
Gathering and analyzing data
What types of information do SIEM tools analyze?
- Vulnerability scan output
- System configuration data
- System and device logs
- Organizational data
What methods are used to gather network traffic information?
- NetFlow
- sFlow
- Packet analyzers
What does metadata from files provide during incident investigation?
Useful information for incident response
What are mitigation techniques used for?
To limit the impact of incidents
Name a common task incident responders perform for endpoint security solutions.
Change configuration
Fill in the blank: Incident responders may use _______ or block/deny lists.
Allow lists
What techniques are used at the network and infrastructure level during an incident?
- Isolation
- Containment
- Segmentation
What is the purpose of root cause analysis?
To determine why an incident occurred and guide future preparation
What are indicators of malicious activity?
- Account lockout
- Concurrent session usage
- Blocked content
- Impossible travel
- Resource consumption
- Resource inaccessibility
- Out-of-cycle logging
- Published/documented
- Missing logs
These indicators help identify potential security breaches or unauthorized access.
What is the purpose of mitigation techniques in securing the enterprise?
To reduce risks and enhance security through strategies like Application allow list, Isolation, and Monitoring
Mitigation techniques are essential for preventing and responding to threats.
What are the components of security alerting and monitoring concepts?
- Monitoring computing resources
- Activities
  - Log aggregation
  - Alerting
  - Scanning
  - Reporting
  - Archiving
  - Alert response and remediation/validation
- Tools
  - Benchmarks
  - Agents/agentless
  - SIEM
  - NetFlow
Effective monitoring and alerting are crucial for maintaining security.
What is the incident response process?
Preparation, Detection, Analysis, Containment, Eradication, Recovery, Lessons learned
This process helps organizations effectively manage and respond to security incidents.
What types of training and testing are involved in incident response?
Training, Testing (Tabletop exercise, Simulation)
Regular training and testing ensure readiness for potential incidents.
What is root cause analysis in incident response?
A process to identify the underlying reasons for an incident
This analysis helps prevent future incidents by addressing the root issues.
What data sources support an investigation during incident response?
- Log data
  - Firewall logs
  - Application logs
  - Endpoint logs
  - OS-specific security logs
  - IPS/IDS logs
  - Network logs
  - Metadata
- Data sources
  - Vulnerability scans
  - Automated reports
  - Dashboards
  - Packet captures
These sources provide critical information for understanding and responding to incidents.
True or False: Incident response is only about stopping attackers.
False
Incident response also includes preparation, learning, and improving based on past incidents.