Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

2_Security+ Study Guide book > 14 Monitoring and incident response > Flashcards

14 Monitoring and incident response Flashcards

1
Q

What are the phases of the incident response cycle?

A

Preparation, detection, analysis, containment, eradication, recovery, lessons learned

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

True or False: The incident response process phases can only move forward.

A

False

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What are some training exercises organizations conduct for incident response?

A
  • Tabletop exercises
  • Walk-throughs
  • Simulations
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What does threat hunting utilize to identify potential indicators of compromise?

A

Data

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

What are IoCs?

A

Indicators of compromise

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

List some examples of indicators of compromise (IoCs).

A
  • Account lockout
  • Concurrent session usage
  • Impossible travel
  • Attempted access to blocked content
  • Resource consumption
  • Resource inaccessibility
  • Out-of-cycle logging
  • Missing logs
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

How are IoCs documented and published?

A

Through threat feeds and other services and sources

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What are SIEM tools used for?

A

Gathering and analyzing data

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

What types of information do SIEM tools analyze?

A
  • Vulnerability scan output
  • System configuration data
  • System and device logs
  • Organizational data
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

What methods are used to gather network traffic information?

A
  • NetFlow
  • sFlow
  • Packet analyzers
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What does metadata from files provide during incident investigation?

A

Useful information for incident response

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

What are mitigation techniques used for?

A

To limit the impact of incidents

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Name a common task incident responders perform for endpoint security solutions.

A

Change configuration

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Fill in the blank: Incident responders may use _______ or block/deny lists.

A

Allow lists

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What techniques are used at the network and infrastructure level during an incident?

A
  • Isolation
  • Containment
  • Segmentation
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

What is the purpose of root cause analysis?

A

To determine why an incident occurred and guide future preparation

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

What are indicators of malicious activity?

A

Account lockout, Concurrent session usage, Blocked content, Impossible travel, Resource consumption, Resource inaccessibility, Out-of-cycle logging, Published/documented, Missing logs

These indicators help identify potential security breaches or unauthorized access.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

What is the purpose of mitigation techniques in securing the enterprise?

A

To reduce risks and enhance security through strategies like Application allow list, Isolation, and Monitoring

Mitigation techniques are essential for preventing and responding to threats.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

What are the components of security alerting and monitoring concepts?

A

Monitoring computing resources, Activities (Log aggregation, Alerting, Scanning, Reporting, Archiving, Alert response and remediation/validation), Tools (Benchmarks, Agents/agentless, SIEM, NetFlow)

Effective monitoring and alerting are crucial for maintaining security.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

What is the incident response process?

A

Preparation, Detection, Analysis, Containment, Eradication, Recovery, Lessons learned

This process helps organizations effectively manage and respond to security incidents.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

What types of training and testing are involved in incident response?

A

Training, Testing (Tabletop exercise, Simulation)

Regular training and testing ensure readiness for potential incidents.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

What is root cause analysis in incident response?

A

A process to identify the underlying reasons for an incident

This analysis helps prevent future incidents by addressing the root issues.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

What data sources support an investigation during incident response?

A

Log data (Firewall logs, Application logs, Endpoint logs, OS-specific security logs, IPS/IDS logs, Network logs, Metadata), Data sources (Vulnerability scans, Automated reports, Dashboards, Packet captures)

These sources provide critical information for understanding and responding to incidents.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

True or False: Incident response is only about stopping attackers.

A

False

Incident response also includes preparation, learning, and improving based on past incidents.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Fill in the blank: When things go wrong, organizations need a way to respond to _______.
[incidents] ## Footnote Effective incident response minimizes impact and ensures quick recovery.
26
What are common capabilities and uses for SIEM tools?
Ingesting and analyzing logs and data to assist incident responders ## Footnote SIEM tools are integral for monitoring and detecting security incidents.
27
What type of exercises can organizations conduct to prepare for incidents?
Tabletop exercise, Simulation ## Footnote These exercises help teams practice response strategies in a controlled environment.
28
What is an incident in the context of incident response?
A violation of the organization's policies and procedures or security practices ## Footnote An incident can arise from various sources including direct attacks, insider threats, or mistakes.
29
What is the difference between an incident and an event?
An event is an observable occurrence, while an incident is a specific type of event that violates policies ## Footnote Many events occur, but only a few are classified as incidents.
30
What are the six steps of the incident response process?
* Preparation * Detection * Analysis * Containment * Eradication * Recovery ## Footnote These steps are essential for developing a mature incident response capability.
31
What happens during the preparation phase of incident response?
Building tools, processes, and procedures to respond to an incident ## Footnote This includes training the incident response team and acquiring security tools.
32
What is the goal of the detection phase in incident response?
To review events and identify incidents ## Footnote This involves monitoring for indicators of compromise and analyzing logs.
33
What is the purpose of the analysis phase?
To analyze identified events and determine their impact or targets ## Footnote This includes correlating related events.
34
What does containment involve in incident response?
Preventing further issues or damage once an incident is identified ## Footnote This can include quarantining affected systems.
35
What is involved in the eradication phase?
Removing artifacts associated with the incident ## Footnote This often requires rebuilding systems from backups.
36
What is the recovery phase focused on?
Restoring systems or services to normal operations ## Footnote It also involves fixing vulnerabilities that allowed the incident to occur.
37
What is the purpose of conducting lessons learned sessions?
To improve the incident response process and avoid repeating mistakes ## Footnote These sessions can lead to system patches or redesigning procedures.
38
True or False: Incident response processes always follow a linear progression.
False ## Footnote Incidents may move back and forth between stages as new discoveries are made.
39
What are the two major types of exercises used in incident response preparation?
* Tabletop exercises * Simulations ## Footnote These exercises help teams practice their response to incidents.
40
What is a communication plan in incident response?
A plan that outlines how to communicate during an incident ## Footnote It includes roles for internal and external communications.
41
What do stakeholder management plans focus on?
Groups and individuals with an interest in the systems impacted by an incident ## Footnote These plans help prioritize communications and support.
42
What is the primary focus of business continuity (BC) plans?
Keeping an organization functional during incidents ## Footnote BC plans ensure that essential services can continue despite disruptions.
43
What do disaster recovery (DR) plans define?
Processes and procedures for restoration after disasters ## Footnote DR plans focus on recovery from natural or human-made disasters.
44
What are incident response policies?
Formal statements about an organization's intent regarding incident response ## Footnote They include team authority, procedures, and communication requirements.
45
What is the role of training in incident response?
To prepare responders for handling various incidents ## Footnote Training can include certifications and specialized courses.
46
What does threat hunting involve?
Looking for indicators of compromise associated with malicious actors ## Footnote It helps in the detection and analysis phases of incident response.
47
What is an indicator of compromise (IoC)?
A sign that may suggest a security incident has occurred ## Footnote IoCs can include account lockouts, impossible travel, and blocked content.
48
Fill in the blank: The first step in the incident response process is _______.
[Preparation]
49
Fill in the blank: The phase where the team analyzes the impact of an incident is called _______.
[Analysis]
50
Fill in the blank: A plan that ensures communication during an incident is called a _______ plan.
[Communication]
51
True or False: Legal staff are involved in all incident response situations.
False ## Footnote Legal involvement may depend on the nature of the incident.
52
What is the purpose of simulations in incident response training?
To practice specific functions or elements of the incident response plan ## Footnote Simulations can involve the entire organization or target specific parts.
53
What is the role of technical experts in the incident response team?
To provide specialized skills and knowledge needed during an incident ## Footnote Their expertise can expedite containment and recovery efforts.
54
What are indicators that have been discovered and published called?
Published/documented IoCs ## Footnote IoCs refer to Indicators of Compromise, which help in identifying breaches.
55
What should you be prepared to analyze during an exam regarding incident response?
An indicator through a log entry or a scenario ## Footnote This helps in determining potential incidents.
56
What do incident responders use to describe attacks and incidents?
Common language and terminology ## Footnote This facilitates a clearer understanding of incidents.
57
What is the purpose of attack frameworks?
To understand adversaries, document techniques, and categorize tactics ## Footnote They provide a structured approach to analyzing incidents.
58
What does the MITRE ATT&CK framework provide?
A knowledgebase of adversary tactics and techniques ## Footnote It is crucial for understanding the threat landscape.
59
What does the ATT&CK matrix include?
Detailed descriptions, definitions, and examples for the complete threat life cycle ## Footnote This spans from reconnaissance through execution, persistence, and impact.
60
What types of matrices does the ATT&CK framework include?
Pre-attack, enterprise matrices for Windows, macOS, Linux, cloud computing, iOS, and Android ## Footnote Each matrix addresses specific platforms and environments.
61
What information does an ATT&CK technique definition provide?
ID number, classification details, applicable platforms, user permissions, data sources, contributor, and revision level ## Footnote This aids in understanding the specifics of a technique.
62
What is the most popular model discussed for incident response?
The ATT&CK framework ## Footnote It has broad support in various security tools.
63
What are the other models besides the ATT&CK framework that organizations may use?
The Diamond Model and Lockheed Martin's Cyber Kill Chain ## Footnote These models also provide frameworks for understanding cyber threats.
64
Fill in the blank: ATT&CK is the most comprehensive freely available database of _______.
Adversary techniques, tactics, and related information ## Footnote This database is critical for cybersecurity professionals.
65
True or False: The ATT&CK framework includes details of threat actor groups and software.
True ## Footnote This enhances the framework's utility in threat assessments.
66
What is the primary focus of the Security+ Exam?
To validate foundational cybersecurity skills and knowledge.
67
What are the main objectives covered in Exam SY0-701?
Cybersecurity concepts, threats, vulnerabilities, and security controls.
68
What does vulnerability management encompass?
Identifying, classifying, remediating, and mitigating vulnerabilities.
69
What are the two main types of cryptography?
* Symmetric Cryptography * Asymmetric Cryptography
70
Fill in the blank: The process of verifying the identity of a user is known as _______.
Authentication
71
True or False: Social engineering attacks rely solely on technical exploits.
False
72
What are the key components of identity and access management?
* Identity * Authentication * Authorization * Accounts * Access Control Schemes
73
What does the term 'malware' refer to?
Malicious software designed to harm, exploit, or otherwise compromise systems.
74
What is the goal of cryptography?
To protect information through encryption and decryption.
75
What are common types of password attacks?
* Brute-force attacks * Dictionary attacks * Phishing
76
Fill in the blank: The process of testing a system for vulnerabilities by simulating attacks is called _______.
Penetration Testing
77
What are some methods of securing endpoints?
* Operating System Hardening * Asset Management * Protecting Endpoints
78
What is the purpose of cloud security?
To protect cloud infrastructure and data from threats and vulnerabilities.
79
What is a key aspect of digital forensics?
Collecting and analyzing digital evidence.
80
What does security governance involve?
Establishing policies and procedures for effective security management.
81
What are the phases of incident response?
* Preparation * Detection and Analysis * Containment, Eradication, and Recovery * Post-Incident Activity
82
What are common physical security controls?
* Access control systems * Surveillance cameras * Security guards
83
Fill in the blank: The practice of ensuring that software is developed and maintained securely is known as _______.
Software Assurance
84
What do hash functions accomplish in cryptography?
They create a fixed-size output from input data of variable size, ensuring data integrity.
85
What is the primary purpose of risk management?
To identify, assess, and mitigate risks to assets and operations.
86
What are the components of cloud infrastructure?
* Servers * Storage * Networking * Virtualization
87
What is the function of public key infrastructure (PKI)?
To manage digital keys and certificates for secure communications.
88
What is the primary goal of an organization during an active incident?
To mitigate the incident and recover from it without creating new risks or vulnerabilities.
89
What does SOAR stand for in security management?
Security Orchestration, Automation, and Response.
90
What is the purpose of SOAR platforms?
To quickly assess the attack surface, state of systems, and automate remediation and restoration workflows.
91
What is an application allow list?
A list of applications and files that are allowed to be on a system, preventing anything not on the list from being installed or run.
92
What is an application deny list?
A list of applications or files that are not allowed on a system, preventing them from being installed or copied.
93
What is the role of monitoring in containment and mitigation efforts?
To validate mitigation efforts and provide information about remaining issues or compromised devices.
94
True or False: The Security+ exam focuses on recovery rather than mitigation efforts.
False.
95
What happens when a system is isolated during an incident?
It is moved into a protected space or network to keep it away from other systems.
96
What is the main purpose of root cause analysis (RCA) after an incident?
To identify the underlying cause of an issue and fix the problems that allowed the incident to occur.
97
Fill in the blank: Application allow lists are sometimes referred to as _______.
[whitelisting]
98
Fill in the blank: Application deny lists are sometimes referred to as _______.
[blacklists]
99
What are common techniques used in root cause analysis?
* Five whys * Event analysis * Diagramming cause and effect
100
What is the danger of using quarantine in incident response?
It may allow malicious files to remain on the system even in a safe location.
101
What is segmentation in the context of incident response?
The process of using security, network, or physical boundaries to separate environments, systems, or networks.
102
What is one common remediation action that may be taken during an incident?
* Firewall rule changes * Mobile device management changes * Data loss prevention tool changes * Content filter and URL filtering changes * Updating or revoking certificates
103
What is the significance of tracking configuration changes during incident response?
They need to be carefully tracked and recorded as they may have to be rolled back after the incident.
104
What can monitoring reveal after remediation is completed?
It can show other actions taken by attackers after remediation, helping identify compromised resources.
105
What is the impact of containment on forensic data?
Containment decisions can affect future investigative work and forensic data collection.
106
What is a common issue that can arise from improperly configured antivirus settings?
The deletion of critical files, leading to chaos and data loss.
107
True or False: Configuration changes are rarely used in containment and remediation efforts.
False.
108
What is the focus of the incident response cycle preparation phase?
To avoid future issues of the same type.
109
What is the role of stakeholders during incident response decision-making?
They should be made aware of changes or involved in the decision, depending on the urgency.
110
What should organizations consider when faced with an incident response scenario?
What was targeted, how it was targeted, the impact, and what controls or changes can be applied.

2_Security+ Study Guide book (17 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions