4.8 Explain appropriate incident response activities Flashcards

1
Q

Incident Response Process

A
  • Seven Phases of Incident Response
    • Preparation
      • Gets the organization ready for incidents
      • Hardens systems and networks to prevent attacks
      • Involves policies, procedures, and communication plans
    • Detection
      • Determines whether an observed event is actually a security incident
      • Cybersecurity analysts triage the event and assess incident severity
    • Analysis
      • Examines the incident’s scope and impact
      • Notifies stakeholders and initiates containment
    • Containment
      • Secures data and minimizes business impact
      • Prevents malicious activity from spreading
    • Eradication
      • Removes the cause of the incident (malware, attacker accounts, persistence mechanisms) once it is contained
      • May involve reimaging systems
    • Recovery
      • Restores systems to a secure state
      • Uses backups, patches, and updated configurations
      • Ensures resilience against future incidents
    • Post-Incident Activity
  • Post-Incident Activity Components
    • Root Cause Analysis
    • Lessons Learned
    • After-Action Report
  • Incident Response Team
    • Leader
    • Subject Matter Experts
    • IT Support
    • Legal Counsel
    • HR
    • Public Relations
2
Q

Threat Hunting

A
  • Threat Hunting
    • Proactive cybersecurity technique to detect hidden threats missed by normal monitoring
    • Actively seeks threats instead of waiting for alerts
  • Steps in Threat Hunting
    • Establishing a Hypothesis
      • A testable statement of how an adversary could be present, drawn from threat intelligence or from anomalies in the environment
    • Profiling Threat Actors and Activities
      • Create scenarios to understand intrusion methods
      • Identify the type of actor (e.g., insider, hacktivist, criminal, nation-state)
      • Define their objectives and potential targets
    • Threat Hunting Process
      • Uses security monitoring and incident response tools
      • Analyzes logs, system data, and registry information
      • Focuses on threats not detected by existing rules
      • Operates on the assumption that some threats may bypass current detection rules
      • Identifies new tactics, techniques, and procedures (TTPs)
  • Key Considerations
    • Threat hunters must stay updated on new threats and attack methods
    • Use advisories and bulletins from vendors and researchers
    • Combine SIEM logs with external threat feeds for intelligence fusion
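The hunt described on this card, as an added example (not code from the flashcards or from any vendor): the hypothesis is that an implant which no existing rule matches still has to call home, and most do so on a fixed timer, so the hunter looks for (source, destination) pairs whose outbound connection intervals show very little jitter, then fuses the hits with an external feed. The proxy log format, the sample lines, the feed entries and the jitter threshold are all constructed for this example.

```python
"""Hypothesis-driven threat hunt over proxy logs.

Added example, not part of the original flashcards. Log format, sample
lines, feed and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <src_ip> <dst_host> <bytes_out>".
# 10.0.0.9 polls one host roughly every 60 s; 10.0.0.5 is ordinary browsing.
SAMPLE_LOGS = """\
2024-05-01T10:00:00 10.0.0.5 cdn.example.net 51200
2024-05-01T10:00:00 10.0.0.9 files.example-cloud.test 120
2024-05-01T10:00:07 10.0.0.5 cdn.example.net 8210
2024-05-01T10:00:01 10.0.0.7 updates.example.org 2048
2024-05-01T10:01:01 10.0.0.9 files.example-cloud.test 118
2024-05-01T10:02:00 10.0.0.9 files.example-cloud.test 121
2024-05-01T10:02:30 10.0.0.5 cdn.example.net 4096
2024-05-01T10:02:31 10.0.0.5 cdn.example.net 77000
2024-05-01T10:03:01 10.0.0.9 files.example-cloud.test 119
2024-05-01T10:03:59 10.0.0.9 files.example-cloud.test 120
2024-05-01T10:05:00 10.0.0.9 files.example-cloud.test 122
2024-05-01T10:09:15 10.0.0.5 cdn.example.net 1500
2024-05-01T10:09:40 10.0.0.7 updates.example.org 3000
"""

# Constructed threat feed (hostname -> note) standing in for a vendor bulletin.
THREAT_FEED = {
    "files.example-cloud.test": "listed as C2 infrastructure in a (constructed) vendor bulletin",
}


def parse_logs(text):
    """Group connection timestamps by (src_ip, dst_host)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _bytes_out = line.split()
        events[(src, dst)].append(datetime.fromisoformat(ts))
    return events


def find_beacons(events, min_events=5, max_jitter=0.10):
    """Return pairs whose inter-connection gaps have a coefficient of
    variation (std dev / mean) at or below max_jitter, the timer-like
    behaviour the hypothesis predicts. Human browsing is bursty and fails
    the test; pairs with too few samples are skipped rather than guessed."""
    hits = []
    for (src, dst), times in events.items():
        if len(times) < min_events:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            hits.append({"src": src, "dst": dst, "connections": len(times),
                         "interval_s": round(avg), "jitter": round(jitter, 3)})
    return hits


def fuse_with_feed(hits, feed):
    """Intelligence fusion: attach what external sources say about each
    destination. A miss is not a clean bill of health; the hunter pivots
    (passive DNS, the process that opened the socket) instead of closing."""
    for hit in hits:
        hit["intel"] = feed.get(hit["dst"], "no feed match: pivot to host artefacts")
    return hits


def hunt(log_text=SAMPLE_LOGS, feed=THREAT_FEED):
    return fuse_with_feed(find_beacons(parse_logs(log_text)), feed)


if __name__ == "__main__":
    for hit in hunt():
        print(hit)
```

Run as-is it reports the 10.0.0.9 pair (six connections, 60 s interval, jitter about 0.02) with the feed note attached; the browsing host has a jitter above 1 and is ignored. The same parse-and-measure loop can be pointed at real proxy or firewall exports once the split() line matches their columns.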
3
Q

Incident Response Training and Testing

A
  • Training
    • Ensures employees understand incident response processes, procedures, and priorities
    • Tailored for different roles (e.g., first responders, managers, executives, end users)
  • Testing
    • Exercises incident response procedures to apply knowledge in practice
    • May involve complex and resource-intensive scenarios
  • Tabletop Exercise (TTX)
    • Theoretical discussion of incident response scenarios
  • Penetration Test (Pen Test)
    • Red team attempts a network intrusion based on threat modeling
    • Rules of engagement and methodologies defined beforehand
    • Common tools:
      • Metasploit
      • Cobalt Strike
      • Kali Linux
      • ParrotOS
      • Commando VM
    • Awareness of these tools is crucial as they are used by both testers and attackers
  • Simulation
    • Hands-on scenarios that mimic real incidents
    • Simple scenarios: Phishing attacks, ransomware infections
    • Complex scenarios: Multi-stage attacks, coordinated data breaches
    • Tests technical skills, decision-making under pressure, and communication
4
Q

Digital Forensic Procedures

A
  • Digital Forensics
    • Systematic process to investigate and analyze digital devices for legal evidence
  • Four Main Phases of Digital Forensic Procedures
    • Identification
      • Ensure scene safety and prevent evidence contamination
      • Secure the scene and document everything
      • Identify where relevant data might reside (e.g., smartphones, tablets, servers)
    • Collection
      • Order of Volatility: see the separate card
      • Chain of Custody - Documentation and tracking of electronic evidence from the moment of collection to its presentation in a legal context
      • Evidence Collection Techniques
        • Disk Imaging: Bit-by-bit copy preserving the entire content
        • File Carving: Extracts data from storage without relying on the file system
    • Analysis
      • Examines the collected evidence (working from a verified copy, never the original) to reconstruct what happened
    • Reporting
      • Document methods, tools, actions, and findings in a final report
      • The report serves as crucial legal evidence, and analysts may testify
  • Additional Concepts
    • Legal Hold
      • Ensures relevant data is preserved when litigation is expected
      • Prevents tampering, deletion, or loss of evidence
    • E-Discovery
      • Identifies and presents electronically stored information for legal use
  • Ethical Considerations
    • Avoiding Bias
      • Analysis should remain objective and based only on evidence
      • Use forensic analysts independent of the incident to prevent bias
    • Repeatable Actions
      • All actions must follow repeatable processes documented in reports
      • The original evidence must remain unchanged
    • Evidence Preservation
      • Preserve both the device (e.g., hard disk) and recovered data
      • Always perform analysis on a disk image, not the original drive
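File carving, as listed under Collection above, as an added example (not code from the flashcards or from any forensic product): the carver ignores the file system entirely and scans the raw bytes of an image for a known header and its matching trailer, cutting out everything in between. That is how a file whose directory entry was deleted, or which sits in unallocated space, is recovered. The image is constructed in code (a PNG and a JPEG buried in filler with nothing pointing at them); the two signatures and the size bound are this example's own.

```python
"""File carving over a raw image by header/trailer matching.

Added example, not from the flashcards. The sample image, signature table
and size bound are constructed assumptions.
"""
import hashlib
import sys

# header -> trailer pairs. Real carvers ship hundreds of these; two are
# enough to show the mechanism.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
}


def build_sample_image():
    """Constructed 'disk image': filler, a minimal PNG, zeros, a minimal JPEG.
    No file-system structures exist, so only carving can find the files."""
    png = (SIGNATURES["png"][0] + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
           + b"\x00\x00\x00\x00IEND\xaeB`\x82")
    jpeg = b"\xff\xd8\xff\xe0JFIF\x00" + b"\x01" * 32 + b"\xff\xd9"
    return b"\xcc" * 512 + png + b"\x00" * 300 + jpeg + b"\xcc" * 200


def carve(image, signatures=SIGNATURES, max_size=10 * 1024 * 1024):
    """Return every object found as {type, offset, size, sha256}, ordered by
    offset. The trailer search is bounded by max_size so a header with no
    trailer (a truncated file, or a random byte run that looks like one)
    does not swallow the rest of the image. The hash is recorded at the
    moment of recovery so the object can be tracked from here on."""
    found = []
    for kind, (header, trailer) in signatures.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            end = image.find(trailer, start + len(header), start + max_size)
            if end == -1:
                pos = start + 1          # no trailer in range: skip this header
                continue
            end += len(trailer)
            blob = image[start:end]
            found.append({"type": kind, "offset": start, "size": len(blob),
                          "sha256": hashlib.sha256(blob).hexdigest()})
            pos = end
    return sorted(found, key=lambda f: f["offset"])


def carve_file(path):
    """Carve a real image file (read whole; fine for images that fit in RAM)."""
    with open(path, "rb") as f:
        return carve(f.read())


if __name__ == "__main__":
    results = carve_file(sys.argv[1]) if len(sys.argv) > 1 else carve(build_sample_image())
    for r in results:
        print(r)
```

Without an argument it carves the constructed image and reports the PNG at offset 512 and the JPEG at offset 857; with a path it carves that file. The three-byte JPEG header is a known source of false positives on real images, which is why a trailer within a bounded distance is required before anything is reported.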
5
Q

Data Collection Procedures

A
  • Digital Forensic Collection Techniques
    • Create forensic images of data for later analysis
  • Data Collection Process
    • Capture and hash system images
    • Analyze data using forensic tools:
      • FTK (Forensic Toolkit)
      • EnCase
    • Capture screenshots of machines
    • Review network logs
    • Collect CCTV video
  • Order of Volatility: see the separate card
  • Licensing and Documentation Review
    • Compare licenses and system documentation against the configuration actually found, so that deviations from the documented design are recorded
  • Data Acquisition
    • Use proper methods and tools to create a forensically sound copy from the source device
    • BYOD policies complicate acquisition since personal devices may not be searchable
    • Some data can only be collected by shutting down the system
    • Windows Registry caveat: volatile hives such as HKLM\HARDWARE are built at boot and exist only in memory, so they can be examined only from a memory dump, not from the hive files on disk
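The "capture and hash system images" step and the chain-of-custody requirement from the previous card, as one added example (not code from the flashcards or from FTK/EnCase): the source device is simulated with a constructed temporary file, the image is a bit-for-bit copy read in fixed-size chunks and hashed while it is read (MD5 and SHA-256, the pair most tools record), then the written image is re-read and hashed independently so the custody record proves copy equals source. The case ID, examiner name and log layout are assumptions for the example; a real acquisition also puts a hardware write blocker between the evidence drive and the workstation, which code cannot show.

```python
"""Forensic acquisition with hash verification and a chain-of-custody record.

Added example, not from the flashcards or any forensic product. The source
'drive', case ID, examiner and log format are constructed assumptions.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20
SOURCE_BYTES = bytes(range(256)) * 4096        # constructed 1 MiB "drive"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def hash_file(path):
    """MD5 and SHA-256 of a file, streamed so large images fit in memory."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def acquire(source, image_path, custody_log, examiner, case_id):
    """Copy source -> image_path byte for byte, verify the copy, append a
    custody entry (one JSON line per custody event) and return it."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            md5.update(chunk)          # hash of what was read from the source
            sha.update(chunk)
            dst.write(chunk)
    source_hashes = (md5.hexdigest(), sha.hexdigest())
    image_hashes = hash_file(image_path)   # independent second read of the copy
    entry = {
        "case_id": case_id,
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "source": os.path.abspath(source),
        "image": os.path.abspath(image_path),
        "md5": source_hashes[0],
        "sha256": source_hashes[1],
        "verified": source_hashes == image_hashes,
    }
    with open(custody_log, "a") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def verify_image(image_path, entry):
    """Re-hash the image later (before analysis, before court) and compare
    with the hashes recorded at acquisition."""
    return hash_file(image_path) == (entry["md5"], entry["sha256"])


def demo():
    """Acquire the constructed drive, then show that a single changed byte
    in the image is caught by verification. Returns (entry, intact, tampered)."""
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "evidence.raw")
        image = os.path.join(d, "evidence.dd")
        log = os.path.join(d, "custody.jsonl")
        with open(source, "wb") as f:
            f.write(SOURCE_BYTES)
        entry = acquire(source, image, log, examiner="analyst-2", case_id="CASE-0001")
        intact = verify_image(image, entry)
        with open(image, "r+b") as f:          # simulate tampering or bit rot
            f.seek(4096)
            f.write(b"\xff")
        tampered = verify_image(image, entry)
        return entry, intact, tampered


if __name__ == "__main__":
    entry, intact, tampered = demo()
    print(json.dumps(entry, indent=2))
    print("intact:", intact, "after tamper:", tampered)
```

Two hashes are recorded because a court or opposing expert may ask for either; the verification read is deliberately a separate pass over the written image rather than a reuse of the digest computed during the copy, since the point is to prove what landed on disk, not what passed through memory.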
6
Q

Order of Volatility

A

Collect data from most volatile to least volatile sources:

  • Cache: Most volatile; includes processor and hard drive cache data, quickly removed
  • RAM: Volatile; used by OS and applications
  • Swap File/Pagefile: Extension of RAM, rebuilt on reboot, more volatile than disk files
  • Disk: Data stored on local disk drives, remains after reboot
  • Attached Devices: USB drives and similar devices retain data when powered down
  • Network: Least volatile; stores log files and data on servers/shared folders with robust backups