5C Flashcards
As previously explained in Objective 5b, incident analysis is the series of analytical steps taken to find out what happened in an incident. This includes the identification of the root cause of the incident.
Incident analysis is performed while an event is ___ ___ ___.
still in progress
In accordance with ____, the cyber incident process is a five-step process.
AFI 17-203
What are the five steps to a root cause analysis?
- Gather Information
- Validate the Incident
- Determine the Operational Impact
- Coordinate
- Determine Reporting Requirements
The following describes which step of the cyber incident process?
All involved personnel should identify and collect all relevant information about the incident for use in incident analysis. Information gathered may include data previously acquired and preserved, external logs, personal accounts, all-source intelligence, technical information, or the current operational situation.
Gather Information
The following describes which step of the cyber incident process?
Personnel should continuously review, corroborate, and update (if applicable) the reported incident to ensure the accuracy of all information.
Validate the incident
The following describes which step of the cyber incident process?
Operational impact refers to detrimental impacts on an organization’s ability to perform its mission. This may include direct and/or indirect effects that diminish or incapacitate system or network capabilities, the compromise and/or loss of mission critical data, or the temporary or permanent loss of mission critical applications or systems.
Determine the Operational Impact
The following describes which step of the cyber incident process?
Coordinate with the victim system’s owning CFP, network operations and security center (NOSC) and mission control center (MCCC) (as appropriate) to determine the Mission Assurance Category level of the system.
Coordinate
The following describes which step of the cyber incident process?
Determine within one hour if the event or incident meets AF Operational Reporting (OPREP-3) and/or USSTRATCOM or USCYBERCOM Commander’s Critical Information Requirements (CCIR) reporting requirements.
Determine Reporting Requirements
What does COA stand for?
Course of Action
Detailed analysis to include affected system, probable attacker, attack vector used, and technical and operational impacts (if known).
Cyber Incident Report (CIR)
Focuses on an incident, group of incidents, or network activity or on a foreign individual, group, or organization identified as a threat or potential threat to DOD networks.
Network Intelligence Report (NIR)
Data captured in the _____ includes lessons learned, initial root cause, problems with executing courses of action (COAs), missing policies and procedures, and inadequate infrastructure defenses.
postmortem
The results of the postmortem will be provided to the affected MAJCOM/unit so that corrective actions can be taken, which could include _____ existing COAs, figuring out why the COAs failed, or creating new COAs.
revising