3.0 Detect

Question 1

Analyze security system logs, security tools, and data

Question 2

IP networking/Ip resolving

Question 3

Dos attacks/DDos attacks

Question 4

Security vulnerability databases

Question 5

Intrusion detection systems

Question 6

Network encryption

Question 7

SSL decryption

Question 8

SIEM

Question 9

Firewalls

Question 10

DLP

Question 11

IPS

Question 12

IDS

Question 13

Evaluate and interpret metada

Question 14

Malware

Question 15

Network topology

Question 16

Anomalies

Question 17

False positives

Question 18

Superhuman logins/geo-velocity

Question 19

APT activity

Question 20

Botnets

Question 21

Unauthorized programs in the startup menu

Question 22

Presence of attack tools

Question 23

Registry entries

Question 24

Unusual network traffic

Answer 24

Bandwidth usage
Malicious network communication

Question 25

Off hour usage

Question 26

New administrator/user accounts

Question 27

Guest account usage

Question 28

Unknown open ports

Question 29

Unknown use of protocols

Question 30

Service disruption

Question 31

Website defacement

Question 32

Unauthorized changes/modifications

Answer 32

Suspicious files
Patches

Question 33

Recipient of suspicious emails

Question 34

Unauthorized sessions

Question 35

Failed logins

Question 36

Rogue hardware

Question 37

Agent-based log collection

Question 38

Agentless log collection

Question 39

Syslog log collection

Question 40

Source validation

Question 41

Verification of log integrity

Question 42

Evidence collection

Question 43

Ip address and hostname resolution

Question 44

Field name consistency

Question 45

Time zones

Question 46

Threat hunting

Question 47

Long tail analysis

Question 48

Intrusion detection

Question 49

Behavioral monitoring

Question 50

Log retention

Question 51

Log aggregator and analytics tools

Answer 51

SIEM

Question 52

Linux tools

Answer 52

grep
cut
diff

Question 53

grep

Question 54

cut

Question 55

diff

Question 56

Windows tools

Answer 56

find
WMIC
Event viewer

Question 57

find

Question 58

WMIC

Question 59

Event Viewer

Question 60

Bash

Question 61

Powershell

Question 62

Network-based

Question 63

WAP logs

Question 64

WIPS logs

Question 65

Controller logs

Question 66

Packet capture

Question 67

Traffic log

Question 68

Flow data

Question 69

Device state data

Question 70

SDN

Question 71

Host-based

Question 72

Linux syslog

Question 73

Application logs

Question 74

Cloud Audit logs

Question 75

Threat feeds

Question 76

Asset discovery methods and tools

Question 77

Alerting systems

Question 78

Intrusion prevention or detections systems (IDS/IPS)

Question 79

Firewalls

Question 80

Endpoint detection and response (EDR)

Question 81

Common indicators of potential compromise, anomalies, and patterns

Question 82

Analysis tools

Question 83

Document and communicate results

Question 84

Communication and documentation policies and processes

Question 85

Security incident reports

Answer 85

Description
Potential impact
Sensitivity of information
Logs

Question 86

Escalation processes and procedures

Answer 86

Specific technical processes
Techniques
Checklists
Forms

Question 87

Incident response teams

Question 88

Levels of authority

Question 89

Personnel roles and responsibilities

Question 90

Document and communicate results

Question 91

Command and control

Question 92

Data exfiltration

Question 93

Pivoting

Question 94

Lateral movement

Question 95

Persistence/maintaining access

Question 96

Keylogging

Question 97

Anti-forensics

Question 98

Covering tracks

Question 99

Prioritization or severity ratings of incidents

Question 100

Communication policies and procedures

Question 101

Levels of authority

Question 102

Communicate recommended courses of action and countermeasures