14 Monitoring and incident response Flashcards

1
Q

What are the phases of the incident response cycle?

A

Preparation, detection, analysis, containment, eradication, recovery, lessons learned

2
Q

True or False: The incident response process phases can only move forward.

A

False

3
Q

What are some training exercises organizations conduct for incident response?

A
  • Tabletop exercises
  • Walk-throughs
  • Simulations
4
Q

What does threat hunting utilize to identify potential indicators of compromise?

A

Data: logs and telemetry from systems and networks, combined with threat intelligence such as threat feeds and published IoCs. Hunting searches that data proactively for signs of compromise rather than waiting for an alert.

5
Q

What are IoCs?

A

Indicators of compromise

6
Q

List some examples of indicators of compromise (IoCs).

A
  • Account lockout
  • Concurrent session usage
  • Impossible travel
  • Attempted access to blocked content
  • Resource consumption
  • Resource inaccessibility
  • Out-of-cycle logging
  • Missing logs
7
Q

How are IoCs documented and published?

A

Through threat feeds and other services and sources

8
Q

What are SIEM tools used for?

A

Collecting (ingesting), correlating, and analyzing log and event data from many sources, then alerting on and reporting what is found

9
Q

What types of information do SIEM tools analyze?

A
  • Vulnerability scan output
  • System configuration data
  • System and device logs
  • Organizational data
10
Q

What methods are used to gather network traffic information?

A
  • NetFlow
  • sFlow
  • Packet analyzers
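Added example, not from the page or the Security+ text: a small Python analysis over constructed NetFlow/sFlow-style records. Flow data carries no payload, only who talked to whom, when, and how much, but that is enough for two questions responders ask constantly: which hosts are sending unusual volumes out of the network, and which hosts contact one external address on a fixed schedule (beaconing). The CSV layout, the internal address ranges, the thresholds and the flow records themselves are all assumptions made for this example.

```python
import csv
import io
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed flow export (not real traffic). The CSV layout imitates a typical
# NetFlow/sFlow collector export and is an assumption; real exports differ by collector.
SAMPLE_FLOWS = """\
start,src,dst,dport,proto,bytes,packets
2024-05-01T10:00:00Z,10.0.0.12,203.0.113.7,443,tcp,1200,9
2024-05-01T10:01:00Z,10.0.0.12,203.0.113.7,443,tcp,1180,9
2024-05-01T10:02:00Z,10.0.0.12,203.0.113.7,443,tcp,1210,9
2024-05-01T10:03:00Z,10.0.0.12,203.0.113.7,443,tcp,1190,9
2024-05-01T10:04:00Z,10.0.0.12,203.0.113.7,443,tcp,1205,9
2024-05-01T10:00:30Z,10.0.0.25,198.51.100.20,443,tcp,734000000,520000
2024-05-01T10:05:00Z,10.0.0.40,10.0.0.5,445,tcp,50000,60
2024-05-01T10:06:00Z,10.0.0.40,192.0.2.80,80,tcp,4000,12
"""

# Assumed inventory of internal ranges. ipaddress.is_private is not used on purpose: it also
# matches the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) that stand in
# for Internet hosts in the sample above.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
EGRESS_ALERT_BYTES = 500_000_000              # assumed per-host egress threshold per window
BEACON_MIN_FLOWS, BEACON_MAX_JITTER = 5, 0.2  # assumed: >= 5 flows, interval spread <= 20% of mean


def parse_flows(text):
    """Read the CSV export into dicts with typed 'start', 'dport', 'bytes' and 'packets'."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["start"] = datetime.strptime(row["start"], "%Y-%m-%dT%H:%M:%SZ")
        for key in ("dport", "bytes", "packets"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def is_external(ip):
    """True when the address is outside every internal range, i.e. traffic left the network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def egress_bytes_by_host(flows):
    """Total bytes each internal host sent to external destinations."""
    totals = defaultdict(int)
    for f in flows:
        if is_external(f["dst"]):
            totals[f["src"]] += f["bytes"]
    return dict(totals)


def large_egress(flows, threshold=EGRESS_ALERT_BYTES):
    """Hosts whose outbound volume exceeds the threshold, largest first (exfiltration candidates)."""
    return sorted(((h, b) for h, b in egress_bytes_by_host(flows).items() if b > threshold),
                  key=lambda hb: -hb[1])


def beacons(flows, min_flows=BEACON_MIN_FLOWS, max_jitter=BEACON_MAX_JITTER):
    """(src, dst, dport, mean_interval_s) for connections to an external host at near-constant intervals."""
    starts = defaultdict(list)
    for f in flows:
        if is_external(f["dst"]):
            starts[(f["src"], f["dst"], f["dport"])].append(f["start"])
    found = []
    for key, times in starts.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # Low relative spread of the gaps is the signature of a scheduled callback.
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            found.append((*key, mean))
    return found
```

With the sample data, `large_egress` returns 10.0.0.25 (734 MB out in one window) and `beacons` returns 10.0.0.12 calling 203.0.113.7:443 every 60 seconds; the SMB flow from 10.0.0.40 to 10.0.0.5 is internal and never counted as egress. Real beacons add jitter, so the tolerance is a tuning decision, and a packet capture is still needed to see what the flows carried.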
11
Q

What does metadata from files provide during incident investigation?

A

Information about the file rather than its content, such as creation and modification timestamps, author or origin, and where it came from, which helps responders build a timeline and attribute activity
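Added example, not from the page or the Security+ text: a Python triage pass that collects the metadata a responder wants from files found on a suspect system. Beyond timestamps and size it computes hashes (to match against threat feeds and published IoCs) and compares the type the filename claims against the file's leading bytes, which catches a PE renamed to look like a document. The field names, the sample files and their contents are assumptions constructed for the example.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Well-known file signatures ("magic bytes") and the content type each common extension claims.
MAGIC = {b"MZ": "pe", b"%PDF": "pdf", b"\x7fELF": "elf", b"PK\x03\x04": "zip"}
EXT_TYPE = {".exe": "pe", ".dll": "pe", ".pdf": "pdf", ".zip": "zip", ".docx": "zip", ".xlsx": "zip"}


def sniff_type(head):
    """Identify a file by its leading bytes instead of trusting its name."""
    for sig, kind in MAGIC.items():
        if head.startswith(sig):
            return kind
    return "unknown"


def file_metadata(path):
    """Timestamps, size, hashes and claimed-vs-actual type for one file (assumed triage fields)."""
    st = os.stat(path)
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as fh:
        head = fh.read(8)
        sha256.update(head)
        md5.update(head)
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            sha256.update(chunk)
            md5.update(chunk)
    name = os.path.basename(path)
    exts = ["." + e for e in name.lower().split(".")[1:]]
    claimed = EXT_TYPE.get(exts[-1]) if exts else None
    actual = sniff_type(head)
    return {
        "name": name,
        "size": st.st_size,
        "modified": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        # On Linux st_ctime is the inode-change time, not creation time; do not read it as "created".
        "changed": datetime.fromtimestamp(st.st_ctime, timezone.utc).isoformat(),
        "sha256": sha256.hexdigest(),
        "md5": md5.hexdigest(),
        "claimed_type": claimed,
        "actual_type": actual,
        # A "PDF" whose bytes are a PE header deserves a closer look.
        "mismatch": claimed is not None and actual != "unknown" and claimed != actual,
        # invoice.pdf.exe style names: a document extension hiding in front of the real one.
        "double_extension": len(exts) >= 2 and exts[-2] in EXT_TYPE,
    }


def triage_directory(directory):
    """Metadata for every file in a directory, keyed by filename."""
    return {name: file_metadata(os.path.join(directory, name)) for name in sorted(os.listdir(directory))}


def demo():
    """Write constructed sample files (invented content) to a temp dir and triage them."""
    d = tempfile.mkdtemp(prefix="ir-triage-")
    samples = {
        "report.pdf": b"%PDF-1.7\n1 0 obj << >> endobj\n",
        "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00payload",        # PE masquerading as a PDF
        "quarterly.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00dropper",  # double extension
    }
    for name, content in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(content)
    return triage_directory(d)
```

Run `demo()` to see the three constructed files scored: only `invoice.pdf` is flagged as a type mismatch and only `quarterly.pdf.exe` as a double extension. Collect this on a forensic copy, not the live disk, since `os.stat` and reading the file can themselves update access times on some filesystems.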

12
Q

What are mitigation techniques used for?

A

To limit the impact of incidents

13
Q

Name a common task incident responders perform for endpoint security solutions.

A

Change configuration

14
Q

Fill in the blank: Incident responders may use _______ or block/deny lists.

A

Allow lists

15
Q

What techniques are used at the network and infrastructure level during an incident?

A
  • Isolation
  • Containment
  • Segmentation
16
Q

What is the purpose of root cause analysis?

A

To determine why an incident occurred and guide future preparation

17
Q

What are indicators of malicious activity?

A

  • Account lockout
  • Concurrent session usage
  • Blocked content (attempted access to blocked content)
  • Impossible travel
  • Resource consumption
  • Resource inaccessibility
  • Out-of-cycle logging
  • Published/documented indicators (IoCs shared through threat feeds and similar sources)
  • Missing logs

These indicators help identify potential security breaches or unauthorized access.
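Added example, not from the page or the Security+ text, covering the indicator lists in cards 6 and 17: Python detectors for five of the listed indicators (account lockout, concurrent session usage, impossible travel, out-of-cycle logging, missing logs) run over a constructed authentication log. The log format, the thresholds, the business-hours window, the list of hosts expected to report and the city coordinate table are all assumptions; a SIEM would supply the same inputs from its parsed events and a GeoIP database.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data); the "timestamp key=value ..." format is an assumption.
SAMPLE_LOG = """\
2024-05-01T08:02:11Z host=vpn1 user=alice event=login result=success src=203.0.113.5 city=Seattle
2024-05-01T08:40:00Z host=vpn1 user=alice event=login result=success src=198.51.100.9 city=Frankfurt
2024-05-01T09:00:05Z host=web1 user=bob event=login result=failure src=192.0.2.10 city=Seattle
2024-05-01T09:00:09Z host=web1 user=bob event=login result=failure src=192.0.2.10 city=Seattle
2024-05-01T09:00:14Z host=web1 user=bob event=login result=failure src=192.0.2.10 city=Seattle
2024-05-01T10:15:00Z host=web1 user=carol event=login result=success src=192.0.2.44 city=Seattle
2024-05-02T03:12:40Z host=web1 user=carol event=login result=success src=192.0.2.44 city=Seattle
"""

# Assumed thresholds and lookup tables; production values come from policy and a GeoIP database.
LOCKOUT_THRESHOLD, LOCKOUT_WINDOW = 3, timedelta(minutes=10)
MAX_SPEED_KMH = 900                          # faster than this between logins is impossible travel
BUSINESS_HOURS = range(7, 19)                # 07:00-18:59 UTC; logins outside are out-of-cycle
EXPECTED_SOURCES = {"vpn1", "web1", "db1"}   # hosts that must ship logs every day
CITY_COORDS = {"Seattle": (47.61, -122.33), "Frankfurt": (50.11, 8.68)}


def parse_log(text):
    """Turn each 'timestamp k=v k=v ...' line into a dict with a datetime under 'ts'."""
    records = []
    for line in text.splitlines():
        ts, _, kv = line.strip().partition(" ")
        if not kv:
            continue
        rec = dict(pair.split("=", 1) for pair in kv.split())
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records

def _login_ok(r):
    return r.get("event") == "login" and r.get("result") == "success"

def account_lockouts(records):
    """Users hitting the failure threshold inside a sliding window (lockout / brute-force guessing)."""
    failures, hits = defaultdict(list), []
    for r in records:
        if r.get("event") == "login" and r.get("result") == "failure":
            window = failures[r["user"]]
            window.append(r["ts"])
            window[:] = [t for t in window if r["ts"] - t <= LOCKOUT_WINDOW]
            if len(window) >= LOCKOUT_THRESHOLD and r["user"] not in hits:
                hits.append(r["user"])
    return hits

def concurrent_sessions(records):
    """A new login from a second source address while an earlier session has not logged out."""
    open_srcs, hits = defaultdict(set), []
    for r in records:
        user, src = r.get("user"), r.get("src")
        if _login_ok(r):
            if open_srcs[user] and src not in open_srcs[user]:
                hits.append((user, ",".join(sorted(open_srcs[user])), src))
            open_srcs[user].add(src)
        elif r.get("event") == "logout":
            open_srcs[user].discard(src)
    return hits

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * math.asin(math.sqrt(h))

def impossible_travel(records):
    """Consecutive successful logins that would require moving faster than MAX_SPEED_KMH."""
    last, hits = {}, []
    for r in records:
        if not _login_ok(r):
            continue
        user = r["user"]
        if user in last:
            prev_ts, prev_city = last[user]
            hours = (r["ts"] - prev_ts).total_seconds() / 3600
            km = haversine_km(CITY_COORDS[prev_city], CITY_COORDS[r["city"]])
            speed = km / hours if hours else float("inf")
            if km > 0 and speed > MAX_SPEED_KMH:
                hits.append((user, prev_city, r["city"], speed))
        last[user] = (r["ts"], r["city"])
    return hits

def out_of_cycle_logins(records):
    """Successful logins outside the expected business window."""
    return [(r["user"], r["ts"].isoformat())
            for r in records if _login_ok(r) and r["ts"].hour not in BUSINESS_HOURS]

def missing_log_sources(records):
    """Expected sources that produced no events at all (log tampering, or a dead collector)."""
    return sorted(EXPECTED_SOURCES - {r["host"] for r in records})

def triage(text):
    """Run every detector over one log extract and return findings keyed by indicator name."""
    records = parse_log(text)
    return {"account_lockout": account_lockouts(records),
            "concurrent_sessions": concurrent_sessions(records),
            "impossible_travel": impossible_travel(records),
            "out_of_cycle_logging": out_of_cycle_logins(records),
            "missing_logs": missing_log_sources(records)}
```

`triage(SAMPLE_LOG)` reports bob for lockout, alice for both concurrent sessions and impossible travel (Seattle to Frankfurt in 38 minutes, well over 900 km/h), carol's 03:12 login as out-of-cycle, and db1 as a missing log source. Note that a single event often trips several indicators at once, and that each detector is only as good as its assumptions: a VPN exit in another country will produce false impossible-travel hits until the GeoIP data accounts for it.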

18
Q

What is the purpose of mitigation techniques in securing the enterprise?

A

To reduce risks and enhance security through strategies like Application allow list, Isolation, and Monitoring

Mitigation techniques are essential for preventing and responding to threats.

19
Q

What are the components of security alerting and monitoring concepts?

A

  • Monitoring computing resources
  • Activities: log aggregation, alerting, scanning, reporting, archiving, and alert response and remediation/validation
  • Tools: benchmarks, agents/agentless collection, SIEM, NetFlow

Effective monitoring and alerting are crucial for maintaining security.

20
Q

What is the incident response process?

A

Preparation, Detection, Analysis, Containment, Eradication, Recovery, Lessons learned

This process helps organizations effectively manage and respond to security incidents.

21
Q

What types of training and testing are involved in incident response?

A

Training, Testing (Tabletop exercise, Simulation)

Regular training and testing ensure readiness for potential incidents.

22
Q

What is root cause analysis in incident response?

A

A process to identify the underlying reasons for an incident

This analysis helps prevent future incidents by addressing the root issues.

23
Q

What data sources support an investigation during incident response?

A

  • Log data: firewall logs, application logs, endpoint logs, OS-specific security logs, IPS/IDS logs, network logs, and metadata
  • Other data sources: vulnerability scans, automated reports, dashboards, and packet captures

These sources provide critical information for understanding and responding to incidents.

24
Q

True or False: Incident response is only about stopping attackers.

A

False

Incident response also includes preparation, learning, and improving based on past incidents.

25
Q

Fill in the blank: When things go wrong, organizations need a way to respond to _______.

A

[incidents]

Effective incident response minimizes impact and ensures quick recovery.

26
Q

What are common capabilities and uses for SIEM tools?

A

Ingesting and analyzing logs and data to assist incident responders

SIEM tools are integral for monitoring and detecting security incidents.

27
Q

What type of exercises can organizations conduct to prepare for incidents?

A

Tabletop exercise, Simulation

These exercises help teams practice response strategies in a controlled environment.

28
Q

What is an incident in the context of incident response?

A

A violation of the organization’s policies and procedures or security practices

An incident can arise from various sources including direct attacks, insider threats, or mistakes.

29
Q

What is the difference between an incident and an event?

A

An event is an observable occurrence, while an incident is a specific type of event that violates policies

Many events occur, but only a few are classified as incidents.

30
Q

What are the seven steps of the incident response process?

A
  • Preparation
  • Detection
  • Analysis
  • Containment
  • Eradication
  • Recovery
  • Lessons learned

These steps are essential for developing a mature incident response capability.

31
Q

What happens during the preparation phase of incident response?

A

Building tools, processes, and procedures to respond to an incident

This includes training the incident response team and acquiring security tools.

32
Q

What is the goal of the detection phase in incident response?

A

To review events and identify incidents

This involves monitoring for indicators of compromise and analyzing logs.

33
Q

What is the purpose of the analysis phase?

A

To analyze identified events and determine their impact or targets

This includes correlating related events.

34
Q

What does containment involve in incident response?

A

Preventing further issues or damage once an incident is identified

This can include quarantining affected systems.

35
Q

What is involved in the eradication phase?

A

Removing artifacts associated with the incident

This may require rebuilding systems from a known-good image or from backups taken before the compromise; a backup made after the intrusion would restore the attacker's artifacts along with the data.

36
Q

What is the recovery phase focused on?

A

Restoring systems or services to normal operations

It also involves fixing vulnerabilities that allowed the incident to occur.

37
Q

What is the purpose of conducting lessons learned sessions?

A

To improve the incident response process and avoid repeating mistakes

These sessions can lead to system patches or redesigning procedures.

38
Q

True or False: Incident response processes always follow a linear progression.

A

False

Incidents may move back and forth between stages as new discoveries are made.

39
Q

What are the two major types of exercises used in incident response preparation?

A
  • Tabletop exercises
  • Simulations

These exercises help teams practice their response to incidents.

40
Q

What is a communication plan in incident response?

A

A plan that outlines how to communicate during an incident

It includes roles for internal and external communications.

41
Q

What do stakeholder management plans focus on?

A

Groups and individuals with an interest in the systems impacted by an incident

These plans help prioritize communications and support.

42
Q

What is the primary focus of business continuity (BC) plans?

A

Keeping an organization functional during incidents

BC plans ensure that essential services can continue despite disruptions.

43
Q

What do disaster recovery (DR) plans define?

A

Processes and procedures for restoration after disasters

DR plans focus on recovery from natural or human-made disasters.

44
Q

What are incident response policies?

A

Formal statements about an organization’s intent regarding incident response

They include team authority, procedures, and communication requirements.

45
Q

What is the role of training in incident response?

A

To prepare responders for handling various incidents

Training can include certifications and specialized courses.

46
Q

What does threat hunting involve?

A

Looking for indicators of compromise associated with malicious actors

It helps in the detection and analysis phases of incident response.

47
Q

What is an indicator of compromise (IoC)?

A

A sign that may suggest a security incident has occurred

IoCs can include account lockouts, impossible travel, and blocked content.

48
Q

Fill in the blank: The first step in the incident response process is _______.

A

[Preparation]

49
Q

Fill in the blank: The phase where the team analyzes the impact of an incident is called _______.

A

[Analysis]

50
Q

Fill in the blank: A plan that ensures communication during an incident is called a _______ plan.

A

[Communication]

51
Q

True or False: Legal staff are involved in all incident response situations.

A

False

Legal involvement may depend on the nature of the incident.

52
Q

What is the purpose of simulations in incident response training?

A

To practice specific functions or elements of the incident response plan

Simulations can involve the entire organization or target specific parts.

53
Q

What is the role of technical experts in the incident response team?

A

To provide specialized skills and knowledge needed during an incident

Their expertise can expedite containment and recovery efforts.

54
Q

What are indicators that have been discovered and published called?

A

Published/documented IoCs

IoCs refer to Indicators of Compromise, which help in identifying breaches.

55
Q

What should you be prepared to analyze during an exam regarding incident response?

A

An indicator through a log entry or a scenario

This helps in determining potential incidents.

56
Q

What do incident responders use to describe attacks and incidents?

A

Common language and terminology

This facilitates a clearer understanding of incidents.

57
Q

What is the purpose of attack frameworks?

A

To understand adversaries, document techniques, and categorize tactics

They provide a structured approach to analyzing incidents.

58
Q

What does the MITRE ATT&CK framework provide?

A

A knowledgebase of adversary tactics and techniques

It is crucial for understanding the threat landscape.

59
Q

What does the ATT&CK matrix include?

A

Detailed descriptions, definitions, and examples for the complete threat life cycle

This spans from reconnaissance through execution, persistence, and impact.

60
Q

What types of matrices does the ATT&CK framework include?

A

Pre-attack, enterprise matrices for Windows, macOS, Linux, cloud computing, iOS, and Android

Each matrix addresses specific platforms and environments. Note that MITRE folded PRE-ATT&CK into the Enterprise matrix (as the Reconnaissance and Resource Development tactics) in 2020, that iOS and Android are covered by the separate Mobile matrix, and that there is also an ICS matrix for industrial control systems.

61
Q

What information does an ATT&CK technique definition provide?

A

ID number, classification details, applicable platforms, user permissions, data sources, contributor, and revision level

This aids in understanding the specifics of a technique.

62
Q

Which of the attack frameworks discussed is the most popular?

A

The MITRE ATT&CK framework

It has broad support in security tools: detections, threat intelligence, and incident reports are commonly tagged with ATT&CK tactic and technique IDs so that different teams and products describe the same behavior the same way.

63
Q

What are the other models besides the ATT&CK framework that organizations may use?

A

The Diamond Model and Lockheed Martin’s Cyber Kill Chain

These models also provide frameworks for understanding cyber threats.

64
Q

Fill in the blank: ATT&CK is the most comprehensive freely available database of _______.

A

Adversary techniques, tactics, and related information

This database is critical for cybersecurity professionals.

65
Q

True or False: The ATT&CK framework includes details of threat actor groups and software.

A

True

This enhances the framework’s utility in threat assessments.

66
Q

What is the primary focus of the Security+ Exam?

A

To validate foundational cybersecurity skills and knowledge.

67
Q

What are the main objectives covered in Exam SY0-701?

A

Cybersecurity concepts, threats, vulnerabilities, and security controls.

68
Q

What does vulnerability management encompass?

A

Identifying, classifying, remediating, and mitigating vulnerabilities.

69
Q

What are the two main types of cryptography?

A
  • Symmetric cryptography (one shared secret key for encryption and decryption)
  • Asymmetric cryptography (a public/private key pair)
70
Q

Fill in the blank: The process of verifying the identity of a user is known as _______.

A

Authentication

71
Q

True or False: Social engineering attacks rely solely on technical exploits.

A

False

Social engineering manipulates people (through deception, urgency, or claimed authority) rather than exploiting technical flaws, although it is often combined with technical attacks such as malicious attachments.

72
Q

What are the key components of identity and access management?

A
  • Identity
  • Authentication
  • Authorization
  • Accounts
  • Access Control Schemes
73
Q

What does the term ‘malware’ refer to?

A

Malicious software designed to harm, exploit, or otherwise compromise systems.

74
Q

What is the goal of cryptography?

A

To protect information through encryption and decryption.

75
Q

What are common types of password attacks?

A
  • Brute-force attacks (trying many passwords against one account)
  • Dictionary attacks (trying likely passwords from a word list)
  • Password spraying (trying one common password across many accounts, which avoids lockouts)
  • Credential harvesting through phishing (a social engineering attack that obtains the password instead of guessing it)
76
Q

Fill in the blank: The process of testing a system for vulnerabilities by simulating attacks is called _______.

A

Penetration Testing

77
Q

What are some methods of securing endpoints?

A
  • Operating System Hardening
  • Asset Management
  • Endpoint protection tools (antivirus/EDR, host-based firewalls and intrusion prevention)
78
Q

What is the purpose of cloud security?

A

To protect cloud infrastructure and data from threats and vulnerabilities.

79
Q

What is a key aspect of digital forensics?

A

Collecting and analyzing digital evidence.

80
Q

What does security governance involve?

A

Establishing policies and procedures for effective security management.

81
Q

How does NIST SP 800-61 Rev. 2 group the phases of incident response?

A
  • Preparation
  • Detection and Analysis
  • Containment, Eradication, and Recovery
  • Post-Incident Activity

This is the same cycle as the seven-step list in cards 1 and 20, with detection and analysis, then containment, eradication, and recovery, combined into single phases and lessons learned appearing as post-incident activity.

82
Q

What are common physical security controls?

A
  • Access control systems
  • Surveillance cameras
  • Security guards
83
Q

Fill in the blank: The practice of ensuring that software is developed and maintained securely is known as _______.

A

Software Assurance

84
Q

What do hash functions accomplish in cryptography?

A

They produce a fixed-size output (a digest) from input of any size. The function is one-way and a small change to the input yields a different digest, which is what makes digests useful for verifying integrity, for example by comparing a file's hash against a known-good value.

85
Q

What is the primary purpose of risk management?

A

To identify, assess, and mitigate risks to assets and operations.

86
Q

What are the components of cloud infrastructure?

A
  • Servers
  • Storage
  • Networking
  • Virtualization
87
Q

What is the function of public key infrastructure (PKI)?

A

To manage digital keys and certificates for secure communications.

88
Q

What is the primary goal of an organization during an active incident?

A

To mitigate the incident and recover from it without creating new risks or vulnerabilities.

89
Q

What does SOAR stand for in security management?

A

Security Orchestration, Automation, and Response.

90
Q

What is the purpose of SOAR platforms?

A

To quickly assess the attack surface, state of systems, and automate remediation and restoration workflows.

91
Q

What is an application allow list?

A

A list of applications and files that are allowed to be on a system, preventing anything not on the list from being installed or run.

92
Q

What is an application deny list?

A

A list of applications or files that are not allowed on a system, preventing them from being installed or copied.
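Added example, not from the page or the Security+ text, for the allow list and deny list cards (14, 91, 92): a Python comparison of the two policies applied to constructed "executables". It keys the allow list on SHA-256 hashes and shows both a name-keyed and a hash-keyed deny list, because the difference in default behavior (deny unknown versus allow unknown) is the whole security argument. File paths, contents, hashes and the approved inventory are all invented for the example.

```python
import hashlib

# Constructed stand-ins for executables on a workstation; contents are invented, not real binaries.
FILES = {
    "C:/Program Files/Corp/agent.exe": b"MZ\x90\x00corp-agent-v3",
    "C:/Users/dave/Downloads/invoice.pdf.exe": b"MZ\x90\x00dropper-stage1",   # never seen before
    "C:/Users/dave/Downloads/svchosts.exe": b"MZ\x90\x00credential-dumper",   # known tool, renamed
}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Allow list: hashes of binaries approved through change control (assumed golden-image inventory).
ALLOW_HASHES = {sha256(b"MZ\x90\x00corp-agent-v3")}
# Deny lists in two flavours: keyed on filename, and keyed on content hash.
DENY_NAMES = {"credential-dumper.exe"}
DENY_HASHES = {sha256(b"MZ\x90\x00credential-dumper")}


def allow_list_decision(path, data):
    """Default deny: only known-good content may run, regardless of its name or location."""
    return "allow" if sha256(data) in ALLOW_HASHES else "deny"


def deny_by_name_decision(path, data):
    """Default allow, blocking listed filenames: a renamed copy walks straight through."""
    return "deny" if path.rsplit("/", 1)[-1].lower() in DENY_NAMES else "allow"


def deny_by_hash_decision(path, data):
    """Default allow, blocking known-bad content: anything not yet catalogued runs."""
    return "deny" if sha256(data) in DENY_HASHES else "allow"


POLICIES = {"allow_list": allow_list_decision,
            "deny_by_name": deny_by_name_decision,
            "deny_by_hash": deny_by_hash_decision}


def evaluate(files=FILES):
    """Decision of every policy for every file, keyed by path."""
    return {path: {name: policy(path, data) for name, policy in POLICIES.items()}
            for path, data in files.items()}


def blocked_downloads(files=FILES):
    """How many of the files under Downloads (both malicious here) each policy stops."""
    results = evaluate(files)
    bad = [p for p in files if "/Downloads/" in p]
    return {name: sum(results[p][name] == "deny" for p in bad) for name in POLICIES}


def approve_update(new_build=b"MZ\x90\x00corp-agent-v4"):
    """The cost of allow listing: a legitimate update is denied until its hash is approved and added."""
    path = "C:/Program Files/Corp/agent.exe"
    before = allow_list_decision(path, new_build)
    ALLOW_HASHES.add(sha256(new_build))   # assumed to happen through the change-control process
    return before, allow_list_decision(path, new_build)
```

`evaluate()` shows the trade-off: the allow list stops both downloads without knowing anything about them, the name-keyed deny list stops neither (the known tool was renamed), and the hash-keyed deny list stops only the tool it already knows. `approve_update()` shows the operational price of an allow list: every legitimate new build is blocked until its hash is added, which is why allow listing needs a working change-control process behind it.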

93
Q

What is the role of monitoring in containment and mitigation efforts?

A

To validate mitigation efforts and provide information about remaining issues or compromised devices.

94
Q

True or False: The Security+ exam focuses on recovery rather than mitigation efforts.

A

False

The exam outline emphasizes the mitigation techniques used to secure the enterprise (application allow lists, isolation, segmentation, configuration changes, and monitoring) together with the incident response process.

95
Q

What happens when a system is isolated during an incident?

A

It is moved into a protected space or network to keep it away from other systems.

96
Q

What is the main purpose of root cause analysis (RCA) after an incident?

A

To identify the underlying cause of an issue and fix the problems that allowed the incident to occur.

97
Q

Fill in the blank: Application allow lists are sometimes referred to as _______.

A

[whitelisting]

98
Q

Fill in the blank: Application deny lists are sometimes referred to as _______.

A

[blacklists]

99
Q

What are common techniques used in root cause analysis?

A
  • Five whys
  • Event analysis
  • Diagramming cause and effect
100
Q

What is the danger of using quarantine in incident response?

A

Quarantined files still exist on the system, only in a restricted location, so a misconfiguration or a careless restore can reintroduce them. Quarantine is a containment step, not eradication.

101
Q

What is segmentation in the context of incident response?

A

The process of using security, network, or physical boundaries to separate environments, systems, or networks.

102
Q

What is one common remediation action that may be taken during an incident?

A
  • Firewall rule changes
  • Mobile device management changes
  • Data loss prevention tool changes
  • Content filter and URL filtering changes
  • Updating or revoking certificates
103
Q

What is the significance of tracking configuration changes during incident response?

A

They need to be carefully tracked and recorded as they may have to be rolled back after the incident.
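Added example, not from the page or the Security+ text, for cards 102 and 103: a Python change journal that records each containment change (firewall rule, MDM setting, DLP policy, URL filter, certificate revocation) against a configuration state so the changes can be undone in reverse order once the incident is closed. The state dictionary stands in for the real systems, and the ticket number, settings and values are invented. Two practitioner details are built in: a change marked permanent (the revoked certificate) is never rolled back, and a setting that drifted after the incident change is refused rather than blindly reverted.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Change:
    target: str               # system the change was made on, e.g. "fw:edge-1", "mdm", "pki"
    setting: str
    before: object
    after: object
    ticket: str               # incident ticket the change belongs to
    permanent: bool = False   # True for changes that must outlive the incident (e.g. a revoked cert)
    rolled_back: bool = False
    applied_at: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())


class ChangeJournal:
    """Records every containment change against a configuration state so it can be undone in order."""

    def __init__(self, state):
        self.state = state        # dict: target -> {setting: value}; stands in for the real systems
        self.entries = []

    def apply(self, target, setting, value, ticket, permanent=False):
        before = self.state.setdefault(target, {}).get(setting)
        self.state[target][setting] = value
        entry = Change(target, setting, before, value, ticket, permanent)
        self.entries.append(entry)
        return entry

    def rollback(self, ticket):
        """Undo the ticket's non-permanent changes newest-first; refuse if a setting drifted since."""
        undone = []
        for c in reversed(self.entries):
            if c.ticket != ticket or c.permanent or c.rolled_back:
                continue
            current = self.state[c.target].get(c.setting)
            if current != c.after:
                raise RuntimeError(f"{c.target}.{c.setting} changed after the incident change; review manually")
            self.state[c.target][c.setting] = c.before
            c.rolled_back = True
            undone.append((c.target, c.setting))
        return undone

    def report(self, ticket):
        """Audit trail for the post-incident review: what was changed, from what, and its status."""
        return [(c.target, c.setting, c.before, c.after, c.permanent, c.rolled_back)
                for c in self.entries if c.ticket == ticket]


def contain_incident(ticket="INC-1042"):
    """Constructed containment scenario (values invented): block C2, tighten MDM/DLP, revoke a cert."""
    state = {
        "fw:edge-1": {"block_dst": ()},
        "mdm": {"usb_storage": True},
        "dlp": {"block_upload_categories": ("pii",)},
        "urlfilter": {"blocked_domains": ()},
        "pki": {"revoked_serials": ()},
    }
    journal = ChangeJournal(state)
    journal.apply("fw:edge-1", "block_dst", ("203.0.113.7",), ticket)
    journal.apply("mdm", "usb_storage", False, ticket)
    journal.apply("dlp", "block_upload_categories", ("pii", "source_code"), ticket)
    journal.apply("urlfilter", "blocked_domains", ("c2.example",), ticket)
    journal.apply("pki", "revoked_serials", ("4F:2A:91",), ticket, permanent=True)
    return journal
```

`contain_incident()` followed by `rollback("INC-1042")` restores the firewall, MDM, DLP and URL filter settings in reverse order and leaves the certificate revoked; `report()` gives the lessons-learned session the list of what was touched. In practice the `apply` calls would drive the real firewall, MDM and PKI APIs, but the journal itself is what keeps the rollback honest.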

104
Q

What can monitoring reveal after remediation is completed?

A

It can show other actions taken by attackers after remediation, helping identify compromised resources.

105
Q

What is the impact of containment on forensic data?

A

Containment decisions can affect future investigative work and forensic data collection.

106
Q

What is a common issue that can arise from improperly configured antivirus settings?

A

False positives: an aggressive or misconfigured antivirus can quarantine or delete files the system or the business depends on, causing outages and data loss, which is why configuration changes made during an incident need testing and tracking like any other change.

107
Q

True or False: Configuration changes are rarely used in containment and remediation efforts.

A

False

Configuration changes (firewall rules, MDM and DLP settings, content and URL filters, certificate revocation) are among the most frequently used containment and remediation tools, which is why they must be recorded so they can be rolled back later.

108
Q

What is the focus of the preparation phase of the incident response cycle?

A

Building the tools, processes, and procedures needed to respond to the next incident. Findings from root cause analysis and lessons learned feed back into preparation so that future issues of the same type are avoided.

109
Q

What is the role of stakeholders during incident response decision-making?

A

They should be made aware of changes or involved in the decision, depending on the urgency.

110
Q

What should organizations consider when faced with an incident response scenario?

A

What was targeted, how it was targeted, the impact, and what controls or changes can be applied.