4.2 Importance of policies, processes, and procedures for incident response Flashcards

1
Q

What do you call a set of intended actions, usually related to one another, through which one expects to achieve a goal? High-level and light on detail.

A

Plan

2
Q

What do you call a series of related tasks or methods that together turn inputs into outputs? Typically written as an ordered task list or a flow chart.

A

Process

3
Q

What do you call a prescribed way of carrying out a process or part of a process? A specific, step-by-step method for performing a task.

A

Procedure

4
Q

In which phase of incident response are incident response plans written and system configurations documented?

A

Phase 1: Preparation

5
Q

In which phase of incident response is it determined whether the organization has actually been breached? (Is it really an incident?)

A

Phase 2: Identification

6
Q

Which phase of incident response focuses on limiting the damage and scope of the incident?

A

Phase 3: Containment

7
Q

In which phase of incident response are affected systems identified, isolated or shut down, and cleaned or rebuilt?

A

Phase 4: Eradication

8
Q

In which phase of incident response is the root cause addressed and the return to normal operations estimated, scheduled, and carried out?

A

Phase 5: Recovery

9
Q

Which phase of incident response helps prevent recurrence and improves the incident response process itself?

A

Phase 6: Lessons Learned

10
Q

In which type of incident response exercise are copies of the incident response plan distributed to the members of the incident response team for review? Team members then provide feedback about any updates needed to keep the plan current.

A

Tabletop Exercise

11
Q

In which type of incident response exercise do the members of the incident response team gather and role-play an incident scenario? This checks that the needed tools and resources are available and that team members are familiar with their roles.

A

Walkthrough

12
Q

What type of incident response exercise is similar to a structured walkthrough, except that some of the response measures are actually tested (on non-critical functions)? It involves some form of doing rather than just discussion.

A

Simulation

13
Q

What is the publicly available online knowledge base of adversary tactics and techniques, developed by a US government-sponsored not-for-profit and usable by commercial organizations, whose aim is to help prevent cyberattacks? It provides information about adversaries and their attack methods, drawn from real-world observations.

A

MITRE ATT&CK Framework

14
Q

What attack framework traces the stages of a cyberattack in seven steps, from early reconnaissance through to the attacker's final objectives, such as the exfiltration of data?

A

Lockheed Martin Cyber Kill Chain

15
Q

Which step of the Lockheed Martin Cyber Kill Chain involves harvesting email addresses, company information, and similar details about the target?

A

Step 1. Reconnaissance

16
Q

In which step of the Lockheed Martin Cyber Kill Chain does the actor create the malicious payload, typically coupling an exploit with a backdoor into a deliverable bundle tailored to the vulnerabilities of the remote target?

A

Step 2. Weaponization

17
Q

Which step of the Lockheed Martin Cyber Kill Chain involves delivering the weaponized bundle to the victim via email, web, USB, etc.?

A

Step 3. Delivery

18
Q

Which step of the Lockheed Martin Cyber Kill Chain involves exploiting a vulnerability to execute code on the victim's system?

A

Step 4. Exploitation

19
Q

Which step of the Lockheed Martin Cyber Kill Chain involves installing malware on the asset so that the attacker retains access?

A

Step 5. Installation

20
Q

Which step of the Lockheed Martin Cyber Kill Chain involves establishing a command channel for remote manipulation of the victim?

A

Step 6. Command and Control

21
Q

In which step of the Lockheed Martin Cyber Kill Chain do intruders, now with "hands on keyboard" access, accomplish their original goals?

A

Step 7. Actions on Objectives

22
Q

What is the framework for gathering intelligence on network intrusions that is made up of four key elements (vertices) and the relationships between them?

A

Diamond Model of Intrusion Analysis

23
Q

In the Diamond Model of Intrusion Analysis, what do you call the threat actor or group behind the intrusion?

A

Adversary

24
Q

In the Diamond Model of Intrusion Analysis, what do you call the tools, malware, and exploits the adversary develops or acquires to carry out the attack?

A

Capability (capabilities)

25
Q

In the Diamond Model of Intrusion Analysis, what do you call the person, organization, or asset targeted by the adversary?

A

Victim

26
Q

In the Diamond Model of Intrusion Analysis, what do you call the physical or logical communication structures (domains, IP addresses, email accounts, and so on) that the adversary uses to reach the victim and deliver a capability?

A

Infrastructure
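The four Diamond Model vertices are most useful when an analyst pivots between them: start from what can be observed in one intrusion (a malware family, a C2 domain), find other events that share that vertex, and cluster the linked events into an activity group even while the adversary vertex is still unknown. The following is an added example, not part of the original flashcards or of any Diamond Model tooling; the events, domains (all under the reserved `.invalid` TLD) and capability labels are constructed for illustration, and the clustering is a simplified union-find over shared capability and infrastructure values.

```python
"""Diamond Model pivoting over a handful of constructed intrusion events.

Each event is one "diamond": adversary, capability, infrastructure, victim.
Analysts rarely know the adversary up front, so they pivot from what they
can observe (a malware family, a C2 domain) to other events that share that
vertex and cluster the linked events into an activity group.  All events
below are constructed sample data, not real indicators.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    event_id: str
    adversary: str        # "unknown" until attribution is possible
    capability: str       # malware family / exploit / tool (constructed label)
    infrastructure: str   # C2 domain or IP (constructed, .invalid is reserved)
    victim: str           # targeted organisation or asset (constructed)


# Constructed sample events (hypothetical names invented for this example).
SAMPLE_EVENTS: List[Event] = [
    Event("E1", "unknown", "loader-A", "c2.example-one.invalid", "acme-finance"),
    Event("E2", "unknown", "loader-A", "c2.example-two.invalid", "acme-hr"),
    Event("E3", "unknown", "rat-B", "c2.example-two.invalid", "globex-rd"),
    Event("E4", "unknown", "miner-C", "pool.example-three.invalid", "initech-web"),
    Event("E5", "unknown", "rat-B", "c2.example-four.invalid", "acme-finance"),
]

# Vertices an analyst can observe directly and therefore pivot on.  Victim is
# deliberately excluded: the same organisation being hit twice is weak
# evidence that the same actor was responsible.
PIVOT_AXES: Tuple[str, ...] = ("capability", "infrastructure")


def pivot(events: List[Event], axis: str, value: str) -> List[Event]:
    """Return every event sharing one observed vertex value, e.g. a C2 domain."""
    return [e for e in events if getattr(e, axis) == value]


def activity_groups(events: List[Event]) -> List[FrozenSet[str]]:
    """Cluster events transitively linked by a shared capability or infrastructure.

    Union-find over event ids: two events join the same group when they share
    a value on any pivot axis, and groups merge through chains of such links.
    """
    parent: Dict[str, str] = {e.event_id: e.event_id for e in events}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    def union(a: str, b: str) -> None:
        parent[find(a)] = find(b)

    # Index every (axis, value) pair to the events that carry it.
    index: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for e in events:
        for axis in PIVOT_AXES:
            index[(axis, getattr(e, axis))].append(e.event_id)

    for ids in index.values():
        for other in ids[1:]:
            union(ids[0], other)

    groups: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        groups[find(e.event_id)].add(e.event_id)
    return sorted((frozenset(g) for g in groups.values()), key=lambda g: sorted(g))


def group_profile(events: List[Event], group: FrozenSet[str]) -> Dict[str, List[str]]:
    """Summarise one activity group as a merged diamond (all vertices seen)."""
    members = [e for e in events if e.event_id in group]
    return {
        "events": sorted(group),
        "capabilities": sorted({e.capability for e in members}),
        "infrastructure": sorted({e.infrastructure for e in members}),
        "victims": sorted({e.victim for e in members}),
    }


if __name__ == "__main__":
    # Pivot from a single observed C2 domain, then show the full clustering.
    print([e.event_id for e in pivot(SAMPLE_EVENTS, "infrastructure", "c2.example-two.invalid")])
    for g in activity_groups(SAMPLE_EVENTS):
        print(group_profile(SAMPLE_EVENTS, g))
```

On the sample data, E1 and E2 share a loader, E2 and E3 share a C2 domain, and E3 and E5 share a RAT, so they collapse into one activity group against two different victim organisations while the cryptominer event E4 stays on its own. Real analysis adds confidence weighting and time ordering, but the pivot-and-cluster step is the same.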

27
Q

What plan details how relevant stakeholders (internal and external) will be informed in the event of an incident such as a security breach?

A

Communication Plan

28
Q

What do you call the organization-wide plan for how the business as a whole continues operating during and after a disruption?

A

Business Continuity Plan (BCP)

29
Q

What do you call the plan for recovering from a disaster that impacts IT and returning the IT infrastructure to normal operation?

A

Disaster Recovery Plan (DRP)

30
Q

What do you call the plan for continuing to do business, often via alternate means, until the IT infrastructure can be restored?

A

Continuity of Operations Plan (COOP)

31
Q

What is the difference between the BCP and DRP?

A

The BCP covers the whole business, including communications and business processes more broadly, while the DRP focuses on the technical aspects of recovering IT systems and infrastructure.

32
Q

Who on the Incident Response Team is the top-level manager who takes charge of the response?

A

Incident Response Manager

33
Q

Who on the Incident Response Team provides technical support during the incident?

A

Security Analyst

34
Q

Who on the Incident Response Team checks that the company remains compliant with applicable regulations and policies?

A

IT Auditor

35
Q

Who on the Incident Response Team evaluates all aspects of risk?

A

Risk Analyst

36
Q

Who on the Incident Response Team is responsible for handling the case where employees are involved in the incident?

A

HR

37
Q

Who on the Incident Response Team gives advice and makes decisions on legal issues?

A

Legal department

38
Q

Who on the Incident Response Team deals with the press to reduce the reputational impact of the incident?

A

Public Relations

39
Q

What do you call the labeling or tagging of data based on its type and sensitivity?

A

Data classification

40
Q

What is the reason, rooted in laws and regulations, that an organization may need to keep certain types of data for different periods of time?

A

Regulatory Compliance

41
Q

What policy specifies how long each type of data is kept and when it is disposed of, so that legal and compliance obligations are met?

A

Data Retention policy