3. Managing Cyber Security Incident Response Flashcards
A security breach has been reported in your organization. As a cybersecurity analyst, you have been tasked with investigating the security breach.
You decide to use the Diamond Model of Intrusion Analysis as a guide. Which of the following options lists the features of this model?
A) Adversary, Infrastructure, Capability, Victim
B) Reconnaissance, Adversary, Infrastructure, Capability, Victim
C) Adversary, Delivery, Infrastructure, Capability, Victim
D) Infrastructure, Capability, Exploitation, Victim
The diamond represents the relationship between the four core features of an intrusive event or incident.
Adversary – an individual or a group attacking your systems or network.
Infrastructure – any kind of physical or logical resource, such as an email address or an IP address, used by the attacker to carry out an attack.
Capability – represents the tools and techniques used by the attacker to carry out an attack.
Victim – includes people, services, and network assets the adversary has targeted for the attack.
Delivery, Reconnaissance, and Exploitation are all stages in the Cyber Kill Chain model, not the Diamond Model of Intrusion Analysis.
Your organization has developed a business-critical application and conducted an external audit before go-live.
As an auditor, you have identified an issue that focuses on application design and architecture flaws.
Which of the following should you recommend as a mitigation for the highlighted issue? (Choose all that apply.)
A) Maintain an up-to-date inventory of the components used by the application.
B) Allow input validation on the server side.
C) Remove unnecessary ports and services and deploy the application with minimal configuration.
D) Use built-in ready-to-use libraries and components for new applications and avoid building from scratch.
E) Integrate security from the start in all phases of the software development life cycle (SDLC).
This vulnerability is found in applications where appropriate business and security requirements are not considered during the business case phase. OWASP provides these recommendations to mitigate the vulnerabilities associated with insecure design:
Integrate security from the start in all phases of the software development life cycle (SDLC).
Use built-in ready-to-use libraries and components for new applications and avoid building from scratch.
Make use of threat modelling to design critical functions such as authentication, access control, and business logic.
Identify attack scenarios for the application in each tier.
Use plausibility testing to check whether certain inputs are acceptable.
Input validation on the server side is used to mitigate injection flaws in the web application.
Closing unnecessary ports and services and deploying applications with minimal configuration is used to mitigate security misconfigurations.
Maintaining an up-to-date inventory of components along with their versions is used to mitigate the risk posed by vulnerable and outdated components.
You have been hired as a cybersecurity analyst to perform a penetration test for your organization. As part of the penetration test activities, you plan to use Wireshark and Nmap.
During which phase of the Cyber Kill Chain process will you use these tools?
A) Reconnaissance
B) Weaponization
C) Exploitation
D) Delivery
Wireshark and Nmap are tools used during the reconnaissance phase of the Cyber Kill Chain process. Wireshark is a highly accurate sniffer tool used for network analysis, and Nmap is a free tool used for network discovery and auditing.
Which of the following operations would likely take place during the eradication stage of IR?
A) rollback plan
B) isolation
C) applying compensating controls
D) reimaging
In many cases, a system can be returned to normal functionality faster by simply wiping out the old drive and reimaging the system, which is done during the eradication stage of incident response (IR).
A penetration tester was able to convince an employee to give them valid login credentials, including their username and password. You need to prevent this from happening in the future.
Which remediation step is recommended?
A) Increase password complexity requirements.
B) Implement an IPS.
C) Implement multi-factor authentication.
D) Mandate all employees take security awareness training.
Mandating that all employees take security awareness training is recommended. The penetration tester used social engineering to obtain valid login credentials. The only way to prevent this type of attack is to ensure that employees understand how to recognize and respond to social engineering attacks.
Today you received an email from a department head who informs you that data located on the Sales server has been altered and is not in the state it was last week. Upon investigation, you find that an attack on the server occurred last week, which the team knew about. Which part of determining the scope of the attack was NOT done?
A) verifying data integrity
B) economic impact assessment
C) estimating recovery time
D) determining downtime
Verifying data integrity is part of determining the scope of an attack. Data integrity refers to the correctness, completeness, and soundness of the data. One of the goals of integrity services is to protect the integrity of data, or at least to provide a means of discovering when data has been corrupted or changed without authorization. Because data does not move from its storage location in a data integrity attack, one security challenge is that the effects of the attack may not be detected for years, until there is a reason to question the data.
How do you determine the scope of an attack?
Determining the scope of an attack is an important step required to prioritize responses to attacks. Scope includes the following factors:
Downtime – refers to the amount of time access to resources was interrupted
Recovery time – refers to the amount of time taken to recover from the incident
Data integrity – refers to the amount of data corrupted or altered during the incident
Economic – the cost of the incident to the organization
System process criticality – refers to the criticality of the system involved
Your organization is developing a business-critical application. As a cybersecurity advisor, you have recommended that developers adopt the Open Web Application Security Project (OWASP) Top 10 framework and implement OWASP best practices to address web application security vulnerabilities.
Which of the following is not an OWASP Top 10 2021 web application security vulnerability?
A) Security Misconfigurations
B) Input Validation
C) Broken Access Control
D) Injections
Input Validation is not an OWASP Top 10 2021 web application security vulnerability. Input validation is a mitigation to injection vulnerabilities, which is categorized under A03:2021 – Injection.
When engaging a third-party incident responder, which of the following is the LEAST important consideration?
A) Their procedures for capturing and preserving vital attack data
B) Their procedures for providing essential logs, packet captures, and volatile memory dumps
C) The identification of security tools in use by the organization that can taint evidence
D) The exchange of contact information
While it is certainly an important process, the exchange of contact information is the least important consideration of those listed. The other three considerations directly affect the selection of and the quality of work done by the vendor.
In some cases, an organization does not have the resources to invest in maintaining a first responder capability, and they need to engage the services of a third-party incident response provider. While this may serve the organization well, there are a few considerations and decisions to be made:
What are their procedures for capturing and preserving vital attack data?
How will the organization engage with its incident response provider in terms of:
Providing essential logs, packet captures, and volatile memory dumps
Running security tools that can taint evidence
During which stage of the incident recovery process do you ensure that all security monitoring and logging is occurring correctly?
A) validation
B) containment
C) eradication
D) incident summary report
Verifying that all logging/communication for security monitoring is being done correctly occurs during the validation stage of the incident recovery process. This verification is important to ensure that investigators are able to fully investigate an incident using the logs. Log evidence may be the only indicator that an incident is occurring during a well-hidden but active security breach.
The validation stage of the recovery process also includes patching, permissions, and scanning:
Patching – to update or at least check for updates for a variety of components. This includes all patches for the operating system, updates for any applications that may be running, and updates to all antimalware software that is installed. This is the correct action to take when you have reimaged or reinstalled the operating system.
Permissions – to ensure that all permissions are in the state they should be. This would be done when the system is not reinstalled or reimaged.
Scanning – to use a vulnerability scanner on all the devices or network of devices that were affected by the incident. This would be done when not reinstalling or reimaging the device.
Which concept involves contracting with a third party to provide a location and equipment to be used in the event of an emergency?
A) Alternate business practices
B) Alternate processing site
C) Disaster recovery plan
D) Offsite storage
Alternate processing sites involve contracting with a third party who provides a location and equipment to be used in the event of an emergency. Alternate processing sites can be referred to as hot, warm, or cold sites, depending on the level of equipment that they provide.
You are a cybersecurity analyst for your organization. You are presenting the benefits of implementing the MITRE ATT&CK framework and its use cases to organization leadership.
Which of the following is NOT a use case for the MITRE ATT&CK framework?
A) Strengthening the organization’s cybersecurity intelligence system.
B) Conducting a security gap analysis and planning security improvements.
C) Assessing the security maturity of your organization’s SOC.
D) Finding the most common web application vulnerabilities.
Finding the most common web application vulnerabilities is not a use case for the MITRE ATT&CK framework. To identify common web-application vulnerabilities, you should use the Open Web Application Security Project (OWASP) Top 10 list.
OWASP is a group that monitors cybersecurity attacks, specifically web attacks.
OWASP maintains a list of the top ten attacks, which is updated on an ongoing basis.
This group also holds regular meetings at chapters throughout the world, providing resources and tools such as testing procedures and code review steps.
Common use cases for the MITRE ATT&CK framework include:
Conducting security gap analysis and planning security improvements within the organization.
Assessing the security maturity for your organization’s SOC.
Strengthening the organization’s cybersecurity intelligence system.
Performing user and entity behavior analytics (UEBA).
Acquiring common knowledge useful when collaborating with consultants and vendors.
Creating more realistic scenarios for red team exercises and adversary emulations.
After some issues with damaged evidence during a forensic investigation, the team is reviewing the collection and storage of evidence to improve the process. You are reviewing the features of various tamper-evident bags to be used to hold evidence, such as hard drives and other storage devices. Which of the following is the MOST important feature?
A) Includes form on bag cover
B) Made of fireproof material
C) Made of non-translucent material
D) Provides anti-static shielding
The most important factor is that the bag is made of anti-static materials in order to prevent static buildup from damaging or corrupting any of the contents of the storage device.
While some bags are marketed as fire resistant, none of them are truly fireproof. Moreover, the heat will probably damage the hard drive anyway.
Most evidence bags do include the form on bag cover, but that is not the most important feature. The most important factor is that it be made of anti-static materials.
It is not important that the bag be made of non-translucent material. The only reason for that would be to prevent seeing what is in the bag and that is relatively unimportant for evidence that is located on a drive and cannot be seen anyway.
Penetration testing is planned for your organization’s network. The penetration tester is using Open-Source Security Testing Methodology Manual (OSSTMM) best practices to implement the testing.
Which type of security testing is performed when the pen testers are engaged with knowledge of the target’s processes and operational security, but the target organization is not aware of what, how, and when the penetration tester will be testing?
A) Blind testing
B) Tandem testing
C) Reversal testing
D) Partially known environment testing
Reversal testing refers to testing when the pen testers are engaged with full knowledge of the target’s processes and operational security, but the target is NOT aware of what, how, and when penetration testing will occur. The purpose of this type of testing is to audit how prepared the target organization is for unknown attacks. This kind of testing is also called a Red Team exercise.
Blind testing refers to testing when the security analyst performing the testing is not aware of the target’s infrastructure or its controls. However, the target is aware of the testing in advance and knows when and by whom the testing will be carried out. This is an incorrect choice; it is the reverse of the parameters presented for the given scenario.
Partially known environment testing refers to testing when the cybersecurity analyst is provided with limited knowledge about the target’s current infrastructure, controls, and channels. However, the target is aware of the testing in advance and knows when and by whom the testing will be carried out. This type of test is usually done by internal security teams to perform a self-assessment of their systems, networks, or applications. This testing was previously referred to as gray box testing.
Tandem testing is also not the correct choice in the given scenario. In tandem testing, both the security analyst and the target are aware and prepared for the testing. The cybersecurity analyst has full knowledge of the target’s infrastructure, controls, and channels. The objective of tandem testing is to audit the protection and controls of the target. However, it will not test the target for preparedness against unknown attacks. This type of testing is also known as an in-house audit or a crystal box test.
Your company’s security policy states that passwords should never be transmitted in plain text. You need to determine if this policy is being followed. Which tool should you use?
A) vulnerability scanner
B) protocol analyzer
C) network mapper
D) password cracker
You would use a protocol analyzer to determine if passwords are being transmitted in plain text. Protocol analyzers capture packets as they are transmitted on the network. If a password is transmitted in plain text, you will be able to see the password in the packet. Protocol analyzers are also called network analyzers or packet sniffers.
HTTP interceptor
Another tool that you need to understand is an HTTP interceptor. An HTTP interceptor is a pseudo-proxy server that allows you to view the two-way communication that occurs between a web browser and the Internet. It controls cookies being sent and received. It allows you to view each HTTP header in its entirety and browse anonymously by withholding the Referer header.
Passive reconnaissance and intelligence-gathering tools
Passive reconnaissance and intelligence-gathering tools can also be used as part of your enterprise’s security assessment. Passive tools only provide information about an attacker, device, or entity, and include the following:
Social media – allows you to obtain details about individuals that are publicly available.
Whois – provides details on the owner of a web site.
Routing tables – provide details on how a packet is routed to a particular entity.
DNS records – a way to determine the host names and possible IP addresses for an organization.
Search engines – allow you to collect any publicly available information about the organization, such as organizational structure, senior management information, and email addresses.
Using passive reconnaissance and intelligence-gathering tools such as these is referred to as open-source intelligence.
During a forensic investigation, your assistant was placed in charge of maintaining the documentation for law enforcement. She needs to record the names and contact information of the person who reported the incident. Which form should be used for this purpose?
A) Chain of custody form
B) Incident response plan
C) Call/escalation list
D) Incident form
The incident form will be used to describe the incident in detail. It should include sections to record CMOS and hard drive information, image archive details, analysis platform information, and other details. It should also include the name and contact information of the person who reported the incident.
Your organization has recently undergone a hacker attack. You have been tasked with preserving the data evidence. You must follow the appropriate eDiscovery process. You are currently engaged in the Preservation and Collection process. Which of the following guidelines should you follow? (Choose all that apply.)
A) The data acquisition should include both bit-stream imaging and logical backups.
B) The chain of custody should be preserved from the data acquisition phase to the presentation phase.
C) The data acquisition should be from a live system to include volatile data when possible.
D) Hashing of acquired data should occur only when the data is acquired and when the data is modified.
When following the eDiscovery process guidelines, you should keep the following points in mind regarding the Preservation and Collection process:
The data acquisition phase should be from a live system to include volatile data when possible.
The data acquisition should include both bit-stream imaging and logical backups.
The chain of custody should be preserved from the data acquisition phase to the presentation phase.
While it is true that the hashing of acquired data should occur when the data is acquired and when the data is modified, these are not the only situations that require hashing. Hashing should also be performed when a custody transfer of the data occurs.
Other points to keep in mind during the Preservation and Collection process include the following:
A consistent process and policy should be documented and followed at all times.
Forensic toolkits should be used.
The data should not be altered in any manner, within reason.
Logs, both paper and electronic, must be maintained.
At least two copies of collected data should be maintained.