4.8

Question 1

What is the NIST code for the Computer Security Incident Handling Guide?

Includes the whole of the incident response lifecycle:
Preparation
Detection and analysis
Containment, eradication, and recovery
Post-incident activity

Answer 1

NIST SP800-61

Question 2

4 phases of incident response

Answer 2

Preparation
Detection and analysis
Containment, eradication, and recovery
Post-incident activity (lessons learned)

Question 3

5 steps for the Preparation phase of incident response

Answer 3

Communication methods (phones, contact info)

Incident handling hardware/software (laptops, removable media, forensic software, digital cameras, etc.)

Incident analysis resources (documentation, network diagrams, baselines, critical hash values)

Incident mitigation software (clean OS and app images)

Incident handling policies (so everyone knows what to do)

Question 4

Why can isolating malware be potentially problematic?

Answer 4

The malware can recognize that it’s running inside a VM/sandbox, and delete itself

Question 5

The method of determining the ultimate cause of an incident

Answer 5

Root cause analysis

Question 6

True/False

There can be more than one single root cause of a security incident

Answer 6

True

Question 7

The process of actively searching for vulnerabilities to correct. This includes vulnerability scanning, installing patches, and monitoring threat/vulnerability sharing networks.

Answer 7

Threat hunting

Question 8

A data acquisition request, normally given by lawyers, to preserve relevant information for litigation.

Answer 8

Legal hold

Question 9

When legal counsel requests a legal hold for some data, where is that data held?

Answer 9

In a separate repository for ESI (electronically stored information)

Question 10

A list of everyone who contacts the evidence, handles the evidence, where it was stored, etc

Answer 10

Chain of custody

Question 11

The fancy word for obtaining data evidence

Answer 11

Acquisition

Question 12

When acquiring data evidence of virtual systems, you can obtain a ____

Answer 12

Snapshot

Question 13

Some of the most interesting data evidence comes from ____ (5)

Answer 13

Artifacts,
recycle bins,
log information,
browser bookmarks,
saved logins,
etc.

Question 14

A documentation of how data evidence was acquired (including the incident) and stored, as well as the findings of the analysis and a conclusion with professional results.

Answer 14

Reporting

Question 15

The method of isolating and protecting the data evidence

May include making copies for analysis to prevent making changes to the original data

Answer 15

Preservation

Question 16

The process of collecting, preparing, reviewing, interpreting, and producing electronic documents

This does NOT generally involve analysis; it mainly focuses on acquisition. You might produce documents to a forensics team or other professional, though, for them to analyze.

Answer 16

E-discovery

Question 17

A SIEM feature (or a service by a third-party service) that automatically generates screens of aggregated data for comparison and correlations.

Answer 17

Automated reports

Question 18

A summary of SIEM information that produces a customized screen of important information for quick review.

Does not show long-term information; it’s mostly for giving the viewer an understanding of the current status of the network and devices.

Answer 18

Dashboard