3.0 Cyber Incident Response Flashcards
what does the acronym MTD denote?
maximum tolerable downtime
what is MTBF?
the estimated amount of time a device will operate before a failure occurs
what are the four types of personally identifiable information (PII)?
personal characteristics - such as full name, DoB, height, ethnicity, place of birth, mother’s maiden name, and biometric characteristicsa unique set of numbers assigned to an individual - such as government ID number, telephone number, driver’s license number, and PINdescriptions of events or points in time - such as arrest records, employment records, and medical recordsdescription of locations or places - such as GPS tracking information
what does the acronym RTO denote?
recovery time objective
what does the acronym MTBF denote?
mean time between failures
what does the acronym RPO denote?
recovery point objective
which two factors should contribute to incident severity and prioritization?
impact scope and the type of data affected
which attack is one discovered in live environments for which no current fix or patch exists?
zero-day attack
what is RTO?
the shortest time period after a disaster or disruptive event within which a resource or function must be restored to avoid unacceptable consequences
which impact scope factor refers to the amount of data corrupted or altered during the incident?
data integrity
what does the acronym PHI denote?
personal health information
what is meant by economic factor of an incident?
the cost of the incident to the organization
which impact scope factor refers to the amount of time taken to recover from the incident?
recovery time
which attack type targets a specific entity and is carried out over a long period of time?
advanced persistent threat (APT)
which impact scope factor refers to the amount of time access to resource were interrupted?
downtime
what is MTD?
the maximum amount of time that an organization can tolerate a single resource or function being down
what does the acronym PII denote?
personally identifiable information
what is RPO?
the point in time to which the disrupted resource or function must be returned
what is the best method to preserve evidence on a computer: bit stream backup or standard backup?
bit stream backup
what is the order of volatility from most volatile to least volatile?
registers, cacheswap spacerouting table, ARP cache, process table, kernel statistics, and memorytemporary file systemsdiskremote logging and monitoring data that is relevant to the system in question
what are the FOUR documents/forms that should be part of forensic kit?
chain of custody form, incident response plan, incident form, call list/escalation list
what is a write blocker?
a tool that permits read-only access to data storage devices without compromising the integrity of the data
what is the purpose of imaging utilities included in a forensic kit?
to create a bit-level copy of drives
what are the NINE components that should be included in a forensic kit?
- digital forensics workstation2. write blockers3. cables4. drive adaptors5. wiped removable media6. camera7. crime tape8. tamper-proof seals9. documentation/forms
what is the purpose of the chain of custody form?
it will indicate who has handled the evidence, when they handled it, and the order in which the handler was in possession of the evidence
which condition must be true of the hash values of a file to prove the file is unaltered?
the hash values must remain the same
what is a SCADA device?
a system operating with coded signals over communication channels that provides control of remote equipment
what is the purpose of tamper-proof seals?
to ensure that the chain of custody is maintained
what is the purpose of hashing utilities included in a forensic kit?
to create a hash value of files so that you can prove that certain evidence has not been altered during your possession of the evidence
what is the proper life cycle of evidence steps?
collection, analysis, storage, court presentation, and return to owner
what is a digital forensics workstation?
a dedicated workstation for processing an investigation that includes special tools and utilities that make the process easier and more productive
what is the purpose of an incident form?
it is used to describe the incident in detail
why should the proper chain of custody be ensured?
so that evidence will be admissible in court
what is the purpose of the analysis utilities included in a forensic kit?
to analyze the bit-level copy that is created for that purpose
what are the three basic questions answered by the chain of custody?
who controlled the evidencewho secured the evidencewho obtained the evidence
when evidence is seized, which principle should be emphasized?
chain of custody
what is indicated when the hash values on a file are different?
the file has been altered
which stakeholder in the incident response process communicates the importance of the incident response plan to all parts of the organization, creates agreements detailing the authority of the IR team to take over business systems if necessary, and creates decision systems for determining when key systems must be removed from the network?
upper management
which stakeholder in the incident response process creates newsletters and other educational materials to be used in employee response training and coordinates with the legal team to prepare media responses and internal communications regarding incidents before they occur?
marketing
what are the FOUR main stakeholder groups for the incident response process?
HR, Legal, Marketing, Management
which stakeholder in the incident response process reviews the NDA to ensure legal support for incident response efforts, develops the wording of documents used to contact sites and organizations possibly affected by an incident that originated with your company’s software, hardware, or services, and assesses site liability for illegal computer activity?
Legal
what is the role of law enforcement in the incident response process?
to assist the investigation and in some cases take over the investigation when a crime has been committed
which stakeholder in the incident response process develops job descriptions for those persons who will be hired for positions involved in incident response and creates policies and procedures that support the removal of employees found to be engaging in improper or illegal activity?
HR
what is the role of the technical IT staff in the incident response process?
to recognize, identify, and react to incidents, and to provide support in analyzing those incidents when an incident has occurred
what are the FOUR main purposes of the incident response communication process?
limit communication to trusted partiesdisclosure based on regulatory/legislative requirementsprevent inadvertent release of informationuse secure method of communication
what is data exfiltration?
the unauthorized copying, transfer or retrieval of data from a computer or server
what should you do if you discover rogue devices on the network?
locate and remove them
what happens in vertical privilege escalation?
the attacker obtains higher privileges by performing operations that allow the attacker to run unauthorized code
what are the SIX network-related symptoms of incidents?
bandwidth consumptionbeaconingirregular peer-to-peer communicationrogue devices on the networkscan sweepsunusual traffic spikes
what is meant by anomalous activity?
activity that is outside the norms
when does an escalation of privileges attack occur?
when an attacker has used a design flaw in an application to obtain unauthorized access to the application
what are scan sweeps?
an attempt by an unauthorized entity to map your network
what happens in horizontal privilege escalation?
the attacker obtains the same level of permissions as he already has but uses a different user account to do so
what are the eight host-related symptoms of an incident?
processor consumptionmemory consumptiondrive capacity consumptionunauthorized softwaremalicious processesunauthorized changes
what is beaconing?
when malware attempts to remotely connect to a command and control host or network
what are the SIX application-related symptoms of incidents?
anomalous activityintroduction of new accountsunexpected outputunexpected outbound communicationservice interruptionmemory overflows
what is the best way to determine the attack vector used by a hacker?
reverse engineering
why should a first responder be familiar with the incident response plan?
to ensure that the appropriate procedures are followed
which eradication technique reinstalling the operating system, applying all system updates, reinstalling the anti-malware software, and implementing any organizational security settings?
reconstruction or re-imaging
what are the FOUR validation techniques?
patching, verifying permissions, scanning, verifying logging/communication to security monitoring
what is the name of the security process that involves recognition, verification, classification, containment, and analysis?
incident response
what are the THREE eradication techniques?
sanitization, reconstruction or re-image, secure disposal
what are the FOUR containment techniques?
segmentation, isolation, removal, reverse engineering
which containment techniques involves limiting the scope of the incident by leveraging existing segments of the network as barriers to prevent the spread of the incident to other segments?
segmentation
which containment technique involves retracing the steps in the incident as seen from the logs in the affected devices or in logs of infrastructure devices that may have been involved?
reverse engineering
what is the name of the group of people appointed to respond to security incidents?
incident response team
which type of review should be completed last as part of incident response?
a post-mortem review
which containment technique involves either by blocking all traffic to and from the device or devices or shutting down the device or devices’ interfaces?
isolation
what are the SEVEN steps in a FORENSIC INVESTIGATION?
- identification2. preservation3. collection4. examination5. analysis6. presentation
which eradication technique removes all tracers of the threat by overwriting the drive multiple times to ensure all data is destroyed?
sanitization
in which location should all changes made to your organization’s network and computers be listed?
in the change management system
what are the FIVE steps in the INCIDENT RESPONSE PROCESS?
contain, eradicate, validate, corrective action, reporting
what is incident management?
the activities of an organization to identify, analyze, and correct risks as they are identified
