14 Monitoring and incident response Flashcards
What are the phases of the incident response cycle?
Preparation, detection, analysis, containment, eradication, recovery, lessons learned
True or False: The incident response process phases can only move forward.
False
What are some training exercises organizations conduct for incident response?
- Tabletop exercises
- Walk-throughs
- Simulations
What does threat hunting utilize to identify potential indicators of compromise?
Data
What are IoCs?
Indicators of compromise
List some examples of indicators of compromise (IoCs).
- Account lockout
- Concurrent session usage
- Impossible travel
- Attempted access to blocked content
- Resource consumption
- Resource inaccessibility
- Out-of-cycle logging
- Missing logs
How are IoCs documented and published?
Through threat feeds and other services and sources
What are SIEM tools used for?
Gathering and analyzing data
What types of information do SIEM tools analyze?
- Vulnerability scan output
- System configuration data
- System and device logs
- Organizational data
What methods are used to gather network traffic information?
- NetFlow
- sFlow
- Packet analyzers
What does metadata from files provide during incident investigation?
Useful information for incident response
What are mitigation techniques used for?
To limit the impact of incidents
Name a common task incident responders perform for endpoint security solutions.
Change configuration
Fill in the blank: Incident responders may use _______ or block/deny lists.
Allow lists
What techniques are used at the network and infrastructure level during an incident?
- Isolation
- Containment
- Segmentation
What is the purpose of root cause analysis?
To determine why an incident occurred and guide future preparation
What are indicators of malicious activity?
Account lockout, Concurrent session usage, Blocked content, Impossible travel, Resource consumption, Resource inaccessibility, Out-of-cycle logging, Published/documented, Missing logs
These indicators help identify potential security breaches or unauthorized access.
What is the purpose of mitigation techniques in securing the enterprise?
To reduce risks and enhance security through strategies like Application allow list, Isolation, and Monitoring
Mitigation techniques are essential for preventing and responding to threats.
What are the components of security alerting and monitoring concepts?
Monitoring computing resources, Activities (Log aggregation, Alerting, Scanning, Reporting, Archiving, Alert response and remediation/validation), Tools (Benchmarks, Agents/agentless, SIEM, NetFlow)
Effective monitoring and alerting are crucial for maintaining security.
What is the incident response process?
Preparation, Detection, Analysis, Containment, Eradication, Recovery, Lessons learned
This process helps organizations effectively manage and respond to security incidents.
What types of training and testing are involved in incident response?
Training, Testing (Tabletop exercise, Simulation)
Regular training and testing ensure readiness for potential incidents.
What is root cause analysis in incident response?
A process to identify the underlying reasons for an incident
This analysis helps prevent future incidents by addressing the root issues.
What data sources support an investigation during incident response?
Log data (Firewall logs, Application logs, Endpoint logs, OS-specific security logs, IPS/IDS logs, Network logs, Metadata), Data sources (Vulnerability scans, Automated reports, Dashboards, Packet captures)
These sources provide critical information for understanding and responding to incidents.
True or False: Incident response is only about stopping attackers.
False
Incident response also includes preparation, learning, and improving based on past incidents.
Fill in the blank: When things go wrong, organizations need a way to respond to _______.
[incidents]
Effective incident response minimizes impact and ensures quick recovery.
What are common capabilities and uses for SIEM tools?
Ingesting and analyzing logs and data to assist incident responders
SIEM tools are integral for monitoring and detecting security incidents.
What type of exercises can organizations conduct to prepare for incidents?
Tabletop exercise, Simulation
These exercises help teams practice response strategies in a controlled environment.
What is an incident in the context of incident response?
A violation of the organization’s policies and procedures or security practices
An incident can arise from various sources including direct attacks, insider threats, or mistakes.
What is the difference between an incident and an event?
An event is an observable occurrence, while an incident is a specific type of event that violates policies
Many events occur, but only a few are classified as incidents.
What are the six steps of the incident response process?
- Preparation
- Detection
- Analysis
- Containment
- Eradication
- Recovery
These steps are essential for developing a mature incident response capability.
What happens during the preparation phase of incident response?
Building tools, processes, and procedures to respond to an incident
This includes training the incident response team and acquiring security tools.
What is the goal of the detection phase in incident response?
To review events and identify incidents
This involves monitoring for indicators of compromise and analyzing logs.
What is the purpose of the analysis phase?
To analyze identified events and determine their impact or targets
This includes correlating related events.
What does containment involve in incident response?
Preventing further issues or damage once an incident is identified
This can include quarantining affected systems.
What is involved in the eradication phase?
Removing artifacts associated with the incident
This often requires rebuilding systems from backups.
What is the recovery phase focused on?
Restoring systems or services to normal operations
It also involves fixing vulnerabilities that allowed the incident to occur.
What is the purpose of conducting lessons learned sessions?
To improve the incident response process and avoid repeating mistakes
These sessions can lead to system patches or redesigning procedures.
True or False: Incident response processes always follow a linear progression.
False
Incidents may move back and forth between stages as new discoveries are made.
What are the two major types of exercises used in incident response preparation?
- Tabletop exercises
- Simulations
These exercises help teams practice their response to incidents.
What is a communication plan in incident response?
A plan that outlines how to communicate during an incident
It includes roles for internal and external communications.
What do stakeholder management plans focus on?
Groups and individuals with an interest in the systems impacted by an incident
These plans help prioritize communications and support.
What is the primary focus of business continuity (BC) plans?
Keeping an organization functional during incidents
BC plans ensure that essential services can continue despite disruptions.
What do disaster recovery (DR) plans define?
Processes and procedures for restoration after disasters
DR plans focus on recovery from natural or human-made disasters.
What are incident response policies?
Formal statements about an organization’s intent regarding incident response
They include team authority, procedures, and communication requirements.
What is the role of training in incident response?
To prepare responders for handling various incidents
Training can include certifications and specialized courses.
What does threat hunting involve?
Looking for indicators of compromise associated with malicious actors
It helps in the detection and analysis phases of incident response.
What is an indicator of compromise (IoC)?
A sign that may suggest a security incident has occurred
IoCs can include account lockouts, impossible travel, and blocked content.
Fill in the blank: The first step in the incident response process is _______.
[Preparation]
Fill in the blank: The phase where the team analyzes the impact of an incident is called _______.
[Analysis]
Fill in the blank: A plan that ensures communication during an incident is called a _______ plan.
[Communication]
True or False: Legal staff are involved in all incident response situations.
False
Legal involvement may depend on the nature of the incident.
What is the purpose of simulations in incident response training?
To practice specific functions or elements of the incident response plan
Simulations can involve the entire organization or target specific parts.
What is the role of technical experts in the incident response team?
To provide specialized skills and knowledge needed during an incident
Their expertise can expedite containment and recovery efforts.
What are indicators that have been discovered and published called?
Published/documented IoCs
IoCs refer to Indicators of Compromise, which help in identifying breaches.
What should you be prepared to analyze during an exam regarding incident response?
An indicator through a log entry or a scenario
This helps in determining potential incidents.
What do incident responders use to describe attacks and incidents?
Common language and terminology
This facilitates a clearer understanding of incidents.
What is the purpose of attack frameworks?
To understand adversaries, document techniques, and categorize tactics
They provide a structured approach to analyzing incidents.
What does the MITRE ATT&CK framework provide?
A knowledgebase of adversary tactics and techniques
It is crucial for understanding the threat landscape.
What does the ATT&CK matrix include?
Detailed descriptions, definitions, and examples for the complete threat life cycle
This spans from reconnaissance through execution, persistence, and impact.
What types of matrices does the ATT&CK framework include?
Pre-attack, enterprise matrices for Windows, macOS, Linux, cloud computing, iOS, and Android
Each matrix addresses specific platforms and environments.
What information does an ATT&CK technique definition provide?
ID number, classification details, applicable platforms, user permissions, data sources, contributor, and revision level
This aids in understanding the specifics of a technique.
What is the most popular model discussed for incident response?
The ATT&CK framework
It has broad support in various security tools.
What are the other models besides the ATT&CK framework that organizations may use?
The Diamond Model and Lockheed Martin’s Cyber Kill Chain
These models also provide frameworks for understanding cyber threats.
Fill in the blank: ATT&CK is the most comprehensive freely available database of _______.
Adversary techniques, tactics, and related information
This database is critical for cybersecurity professionals.
True or False: The ATT&CK framework includes details of threat actor groups and software.
True
This enhances the framework’s utility in threat assessments.
What is the primary focus of the Security+ Exam?
To validate foundational cybersecurity skills and knowledge.
What are the main objectives covered in Exam SY0-701?
Cybersecurity concepts, threats, vulnerabilities, and security controls.
What does vulnerability management encompass?
Identifying, classifying, remediating, and mitigating vulnerabilities.
What are the two main types of cryptography?
- Symmetric Cryptography
- Asymmetric Cryptography
Fill in the blank: The process of verifying the identity of a user is known as _______.
Authentication
True or False: Social engineering attacks rely solely on technical exploits.
False
What are the key components of identity and access management?
- Identity
- Authentication
- Authorization
- Accounts
- Access Control Schemes
What does the term ‘malware’ refer to?
Malicious software designed to harm, exploit, or otherwise compromise systems.
What is the goal of cryptography?
To protect information through encryption and decryption.
What are common types of password attacks?
- Brute-force attacks
- Dictionary attacks
- Phishing
Fill in the blank: The process of testing a system for vulnerabilities by simulating attacks is called _______.
Penetration Testing
What are some methods of securing endpoints?
- Operating System Hardening
- Asset Management
- Protecting Endpoints
What is the purpose of cloud security?
To protect cloud infrastructure and data from threats and vulnerabilities.
What is a key aspect of digital forensics?
Collecting and analyzing digital evidence.
What does security governance involve?
Establishing policies and procedures for effective security management.
What are the phases of incident response?
- Preparation
- Detection and Analysis
- Containment, Eradication, and Recovery
- Post-Incident Activity
What are common physical security controls?
- Access control systems
- Surveillance cameras
- Security guards
Fill in the blank: The practice of ensuring that software is developed and maintained securely is known as _______.
Software Assurance
What do hash functions accomplish in cryptography?
They create a fixed-size output from input data of variable size, ensuring data integrity.
What is the primary purpose of risk management?
To identify, assess, and mitigate risks to assets and operations.
What are the components of cloud infrastructure?
- Servers
- Storage
- Networking
- Virtualization
What is the function of public key infrastructure (PKI)?
To manage digital keys and certificates for secure communications.
What is the primary goal of an organization during an active incident?
To mitigate the incident and recover from it without creating new risks or vulnerabilities.
What does SOAR stand for in security management?
Security Orchestration, Automation, and Response.
What is the purpose of SOAR platforms?
To quickly assess the attack surface, state of systems, and automate remediation and restoration workflows.
What is an application allow list?
A list of applications and files that are allowed to be on a system, preventing anything not on the list from being installed or run.
What is an application deny list?
A list of applications or files that are not allowed on a system, preventing them from being installed or copied.
What is the role of monitoring in containment and mitigation efforts?
To validate mitigation efforts and provide information about remaining issues or compromised devices.
True or False: The Security+ exam focuses on recovery rather than mitigation efforts.
False.
What happens when a system is isolated during an incident?
It is moved into a protected space or network to keep it away from other systems.
What is the main purpose of root cause analysis (RCA) after an incident?
To identify the underlying cause of an issue and fix the problems that allowed the incident to occur.
Fill in the blank: Application allow lists are sometimes referred to as _______.
[whitelisting]
Fill in the blank: Application deny lists are sometimes referred to as _______.
[blacklists]
What are common techniques used in root cause analysis?
- Five whys
- Event analysis
- Diagramming cause and effect
What is the danger of using quarantine in incident response?
It may allow malicious files to remain on the system even in a safe location.
What is segmentation in the context of incident response?
The process of using security, network, or physical boundaries to separate environments, systems, or networks.
What is one common remediation action that may be taken during an incident?
- Firewall rule changes
- Mobile device management changes
- Data loss prevention tool changes
- Content filter and URL filtering changes
- Updating or revoking certificates
What is the significance of tracking configuration changes during incident response?
They need to be carefully tracked and recorded as they may have to be rolled back after the incident.
What can monitoring reveal after remediation is completed?
It can show other actions taken by attackers after remediation, helping identify compromised resources.
What is the impact of containment on forensic data?
Containment decisions can affect future investigative work and forensic data collection.
What is a common issue that can arise from improperly configured antivirus settings?
The deletion of critical files, leading to chaos and data loss.
True or False: Configuration changes are rarely used in containment and remediation efforts.
False.
What is the focus of the incident response cycle preparation phase?
To avoid future issues of the same type.
What is the role of stakeholders during incident response decision-making?
They should be made aware of changes or involved in the decision, depending on the urgency.
What should organizations consider when faced with an incident response scenario?
What was targeted, how it was targeted, the impact, and what controls or changes can be applied.
