(6) Sound the Alarm: Detection and Response Flashcards
The first phase of the NIST Incident Response Lifecycle is Preparation. What are the other phases? Select three answers.
Detection and Analysis
Post-Incident Activity
Identify
Containment, Eradication, and Recovery
Detection and Analysis
Post-Incident Activity
Containment, Eradication, and Recovery
What type of process is the NIST Incident Response Lifecycle?
Cyclical
Linear
Synchronous
Observable
Cyclical
Fill in the blank: An _____ is an observable occurrence on a network, system, or device.
investigation
analysis
incident
event
event
A security professional investigates an incident. Their goal is to gain information about the 5 W’s, which include what happened and why. What are the other W’s? Select three answers.
Where the incident took place
When the incident took place
Which type of incident it was
Who triggered the incident
Where the incident took place
When the incident took place
Who triggered the incident
What are the goals of a computer security incident response team (CSIRT)? Select three answers.
To handle the public disclosure of an incident
To manage incidents
To prevent future incidents from occurring
To provide services and resources for response and recovery
To manage incidents
To prevent future incidents from occurring
To provide services and resources for response and recovery
Which document outlines the procedures to follow after an organization experiences a ransomware attack?
A security policy
A network diagram
A contact list
An incident response plan
An incident response plan
Fill in the blank: The job of _____ is to investigate alerts and determine whether an incident has occurred.
technical leads
public relations representative
incident coordinators
security analysts
security analysts
Which member of a CSIRT is responsible for tracking and managing the activities of all teams involved in the response process?
Public relations representative
Incident coordinator
Security analyst
Technical lead
Incident coordinator
What are some examples of types of documentation? Select three answers.
Alert notifications
Final reports
Policies
Playbooks
Final reports
Policies
Playbooks
Fill in the blank: Ticketing systems such as _____ can be used to document and track incidents.
Excel
Jira
Evernote
Cameras
Jira
What application monitors system activity, then produces alerts about possible intrusions?
Intrusion detection system
Playbook
Word processor
Product manual
Intrusion detection system
What actions does an intrusion prevention system (IPS) perform? Select three answers.
Detect abnormal activity
Stop intrusive activity
Manage security incidents
Monitor activity
Detect abnormal activity
Stop intrusive activity
Monitor activity
Which tool collects and analyzes log data to monitor critical activities in an organization?
Security information and event management (SIEM) tool
Intrusion prevention system (IPS) tool
Playbook
Intrusion detection system (IDS) tool
Security information and event management (SIEM) tool
Fill in the blank: Security orchestration, automation, and response (SOAR) is a collection of applications, tools, and workflows that uses automation to _____ security events.
respond to
interact with
collect
remediate
respond to
Which step in the SIEM process transforms raw data to create consistent log records?
Normalize data
Collect and aggregate data
Analyze data
Centralize data
Normalize data
What is the process of gathering data from different sources and putting it in one centralized place?
Aggregation
Notification
Analysis
Normalization
Aggregation
Which of the following is an example of a security incident?
An unauthorized user successfully changes the password of an account that does not belong to them.
A user installs a device on their computer that is allowed by an organization’s policy.
An authorized user successfully logs in to an account using their credentials and multi-factor authentication.
A software bug causes an application to crash.
An unauthorized user successfully changes the password of an account that does not belong to them.
What process is used to provide a blueprint for effective incident response?
The NIST Incident Response Lifecycle
The incident handler’s journal
The 5 W’s of an incident
The NIST Cybersecurity Framework
The NIST Incident Response Lifecycle
Which step does the NIST Incident Response Lifecycle begin with?
Preparation
Containment, Eradication and Recovery
Post-Incident Activity
Detection and Analysis
Preparation
What is a computer security incident response team (CSIRT)?
A specialized group of security professionals who focus on incident prevention
A specialized group of security professionals who are trained in incident management and response
A specialized group of security professionals who are solely dedicated to crisis management
A specialized group of security professionals who work in isolation from other departments
A specialized group of security professionals who are trained in incident management and response
Fill in the blank: Incident response plans outline the _____ to take in each step of incident response.
instructions
exercises
policies
procedures
procedures
Which of the following best describes how security analysts use security tools?
They only use documentation tools for incident response tasks.
They only use detection and management tools during incident investigations.
They only use a single tool to monitor, detect, and analyze events.
They use a combination of different tools for various tasks.
They use a combination of different tools for various tasks.
Which statement most accurately describes documentation?
It is a standardized format used to record information across all industries.
It can be audio, video, or written instructions used for a specific purpose.
It serves as legal documentation and evidence in official settings.
It is always digital and stored in a centralized database.
It can be audio, video, or written instructions used for a specific purpose.
Fill in the blank: An intrusion detection system (IDS) _____ system activity and alerts on possible intrusions.
protects
manages
analyzes
monitors
monitors
What is the difference between a security information and event management (SIEM) tool and a security orchestration, automation, and response (SOAR) tool?
SIEM tools use automation to respond to security incidents. SOAR tools collect and analyze log data, which are then reviewed by security analysts.
SIEM tools are used for case management while SOAR tools collect, analyze, and report on log data.
SIEM tools collect and analyze log data, which are then reviewed by security analysts. SOAR tools use automation to respond to security incidents.
SIEM tools and SOAR tools have the same capabilities.
SIEM tools collect and analyze log data, which are then reviewed by security analysts. SOAR tools use automation to respond to security incidents.
What happens during the data collection and aggregation step of the SIEM process? Select two answers.
Data is cleaned and transformed.
Data is centralized in one place.
Data is analyzed according to rules.
Data is collected from different sources.
Data is centralized in one place.
Data is collected from different sources.
Which core functions of the NIST Cybersecurity Framework relate to the NIST Incident Response Lifecycle? Select two answers.
Discover
Investigate
Respond
Detect
Respond
Detect
What are some roles included in a computer security incident response team (CSIRT)? Select three answers.
Technical lead
Security analyst
Incident coordinator
Incident manager
Technical lead
Security analyst
Incident coordinator
What is an incident response plan?
A document that outlines a security team’s contact information
A document that details system information
A document that contains policies, standards, and procedures
A document that outlines the procedures to take in each step of incident response
A document that outlines the procedures to take in each step of incident response
What are investigative tools used for?
Analyzing events
Managing alerts
Documenting incidents
Monitoring activity
Analyzing events
Which of the following methods can a security analyst use to create effective documentation? Select two answers.
Write documentation using technical language.
Provide clear and concise explanations of concepts and processes.
Provide documentation in a paper-based format.
Write documentation in a way that reduces confusion.
Provide clear and concise explanations of concepts and processes.
Write documentation in a way that reduces confusion.
What is the difference between an intrusion detection system (IDS) and an intrusion prevention system (IPS)?
An IDS stops intrusive activity whereas an IPS monitors system activity and alerts on intrusive activity.
An IDS monitors system activity and alerts on intrusive activity whereas an IPS stops intrusive activity.
An IDS and an IPS both have the same capabilities.
An IDS automates response and an IPS generates alerts.
An IDS monitors system activity and alerts on intrusive activity whereas an IPS stops intrusive activity.
How do indicators of compromise (IoCs) help security analysts detect network traffic abnormalities?
They capture network activity.
They confirm that a security incident happened.
They provide a way to identify an attack.
They define the attacker’s intentions.
They provide a way to identify an attack.
IoCs help security analysts detect network traffic abnormalities by providing a way to identify an attack. IoCs provide analysts with specific evidence associated with an attack, such as a known malicious IP address, which can help quickly identify and respond to a potential security incident.
Fill in the blank: Data _____ is the term for unauthorized transmission of data from a system.
infiltration
exfiltration
pivoting
network traffic
exfiltration
An attacker has infiltrated a network. Next, they spend time exploring it in order to expand and maintain their access. They look for valuable assets such as proprietary code and financial records. What does this scenario describe?
Lateral movement
Network data
Large internal file transfer
Phishing
Lateral movement
This scenario describes lateral movement. Lateral movement, also called pivoting, describes an attacker exploring a network with the goal of expanding and maintaining their access.
What can security professionals use network traffic analysis for? Select three answers.
To monitor network activity
To understand network traffic patterns
To secure critical assets
To identify malicious activity
To monitor network activity
To understand network traffic patterns
To identify malicious activity
Network traffic analysis provides security professionals with a way to monitor network activity, identify malicious activity, and understand network traffic patterns.
Which component of a packet contains the actual data that is intended to be sent to its destination?
Protocol
Footer
Header
Payload
Payload
Fill in the blank: A _____ is a file that contains data packets that have been intercepted from an interface or a network.
network protocol analyzer
protocol
packet capture
network statistic
packet capture
Which field of an IP header is used to identify whether IPv4 or IPv6 is used?
Options
Type of Service
Version
Flags
Version
Which network protocol analyzer is accessed through a graphical user interface?
Wireshark
TShark
Libpcap
tcpdump
Wireshark
Which tcpdump option is used to specify the network interface?
-c
-n
-i
-v
-i
What is needed to access the tcpdump network protocol analyzer?
Output
Graphical user interface
Packet capture
Command-line interface
Command-line interface
What is the first field found in the output of a tcpdump command?
Source IP
Protocol
Timestamp
Version
Timestamp
You are using tcpdump to capture network traffic on your local computer. You would like to save the network traffic to a packet capture file for later analysis. Which tcpdump option should you use?
-v
-w
-r
-c
-w
Fill in the blank: _____ describes the amount of data that moves across a network.
Network data
Data exfiltration
Network traffic
Traffic flow
Network traffic
Which of the following behaviors may suggest an ongoing data exfiltration attack? Select two answers.
Multiple successful multi-factor authentication logins
Network performance issues
Outbound network traffic to an unauthorized file hosting service
Unexpected modifications to files containing sensitive data
Outbound network traffic to an unauthorized file hosting service
Unexpected modifications to files containing sensitive data
What information do packet headers contain? Select three answers.
Ports
Payload data
Protocols
IP addresses
Ports
Protocols
IP addresses
Do packet capture files provide detailed snapshots of network communications?
Yes. Packet capture files provide information about network data packets that were intercepted from a network interface.
No. Packet capture files do not contain detailed information about network data packets.
Maybe. The amount of detailed information packet captures contain depends on the type of network interface that is used.
Yes. Packet capture files provide information about network data packets that were intercepted from a network interface.
Fill in the blank: tcpdump is a network protocol analyzer that uses a(n) _____ interface.
internet
Linux
graphical user
command-line
command-line
Which protocol version is considered the foundation for all internet communications?
HTTP
IPv4
UDP
ICMP
IPv4
What is used to determine whether errors have occurred in the IPv4 header?
Protocol
Flags
Checksum
Header
Checksum
Which IPv4 field uses a value to represent a standard, like TCP?
Version
Total Length
Protocol
Type of Service
Protocol
Which tcpdump option applies verbosity?
-i
-n
-c
-v
-v
Examine the following tcpdump output:
22:00:19.538395 IP (tos 0x10, ttl 64, id 33842, offset 0, flags [P], proto TCP (6), length 196) 198.168.105.1.41012 > 198.111.123.1.61012: Flags [P.], cksum 0x50af (correct), seq 169, ack 187, win 501, length 42
What is the value of the Type of Service field?
0x50af
0x10
501
6
0x10
Do detection tools have limitations in their detection capabilities?
Yes
No
Yes
Detection tools have limitations in their detection capabilities. Detection tools are an important part of incident detection and response, but they cannot detect everything. Additional methods of detection can be used to improve coverage and accuracy.
Why do security analysts refine alert rules? Select two answers.
To reduce false positive alerts
To increase alert volumes
To improve the accuracy of detection technologies
To create threat intelligence
To reduce false positive alerts
To improve the accuracy of detection technologies
Fill in the blank: _____ involves the investigation and validation of alerts.
Threat hunting
Analysis
Honeypot
Detection
Analysis
What are some causes of high alert volumes? Select two answers.
Broad detection rules
Refined detection rules
Sophisticated evasion techniques
Misconfigured alert settings
Broad detection rules
Misconfigured alert settings
A security analyst in a security operations center (SOC) receives an alert. The alert ticket describes the detection of the download of a possible malware file on an employee’s computer. Which step of the triage process does this scenario describe?
Receive and assess
Assign priority
Add context
Collect and analyze
Receive and assess
This scenario describes receive and assess, the first step of the triage process. In this step, the security analyst receives an alert and determines whether the alert is valid.
What is triage?
The process of returning affected systems back to normal operations
A document that outlines the procedures to sustain business operations during and after a significant disruption
The prioritizing of incidents according to their level of importance or urgency
The ability to prepare for, respond to, and recover from disruptions
The prioritizing of incidents according to their level of importance or urgency
Fill in the blank: _____ is the act of limiting and preventing additional damage caused by an incident.
Resilience
Eradication
Containment
Recovery
Containment
Which examples describe actions related to the eradication of an incident? Select two answers.
Develop a business continuity plan
Investigate logs to verify the incident
Complete a vulnerability scan
Apply a patch
Complete a vulnerability scan
Apply a patch
Which section of a final report contains a high-level overview of the security incident?
Timeline
Executive summary
Recommendations
Agenda
Executive summary
What are the goals of a lessons learned meeting? Select two answers.
Review and reflect on a security incident
Identify areas of improvement
Identify an employee to blame
Develop a final report
Review and reflect on a security incident
Identify areas of improvement
Fill in the blank: In the NIST Incident Response Lifecycle, reviewing an incident to identify areas for improvement during incident handling is known as the _____.
Preparation phase
Post-incident activity phase
Detection and Analysis phase
Containment, Eradication and Recovery phase
Post-incident activity phase
An organization has recovered from a ransomware attack that resulted in a significant disruption to their business operations. To review the incident, the security team hosts a lessons learned meeting. The team realizes that they could have restored the affected systems more quickly if they had a backup and recovery plan in place. Which question would have most likely helped the security team come to this conclusion?
Who discovered the incident?
What could have been done differently?
When did the incident happen?
How was the incident detected?
What could have been done differently?
By asking what could have been done differently, the security team can identify areas of weakness in their incident response process, such as the lack of a backup and recovery plan.
Which step of the NIST Incident Response Lifecycle involves the investigation and validation of alerts?
Detection
Discovery
Analysis
Recovery
Analysis
What are the benefits of documentation during incident response? Select three answers.
Clarity
Transparency
Quality
Standardization
Clarity
Transparency
Standardization
After a ransomware incident, an organization discovers their ransomware playbook needs improvements. A security analyst is tasked with changing the playbook documentation. Which documentation best practice does this scenario highlight?
Update regularly
Be accurate
Be concise
Know your audience
Update regularly
Chain of custody documents establish proof of which of the following? Select two answers.
Integrity
Validation
Reliability
Quality
Integrity
Reliability
An analyst is responding to a distributed denial of service attack (DDoS). They take several manual steps outlined in the organization’s DDoS playbook. Which type of playbook did they use to respond to the incident?
SOAR
Automated
Semi-automated
Non-automated
Non-automated
A security analyst gets an alert involving a phishing attempt. Which step of the triage process does this scenario outline?
Receive and assess
Add context
Assign priority
Collect and analyze
Receive and assess
Fill in the blank: Containment is the act of limiting and _____ additional damage caused by an incident.
detecting
removing
eradicating
preventing
preventing
Which of the following is an example of a recovery task?
Monitoring a network for intrusions
Applying a patch to address a server vulnerability
Disconnecting an infected system from the network
Reinstalling the operating system of a computer infected by malware
Reinstalling the operating system of a computer infected by malware
Fill in the blank: A lessons learned meeting should be held within ____ weeks of an incident.
two
three
four
five
two
What does a final report contain? Select three.
Updates
Incident details
Recommendations
Timeline
Incident details
Recommendations
Timeline
What is the primary purpose of logs during incident investigation?
To provide a record of event details
To improve user experience
To manage alert volumes
To identify and diagnose system issues
To provide a record of event details
A security analyst wants to determine whether a suspicious login was successful. Which log type would be most useful for this purpose?
System
Firewall
Authentication
Network
Authentication
An authentication log would be most useful for this purpose. Authentication logs record login attempts, including whether a login was successful.
In the following log, what action does the log entry record?
[ALLOW: wikipedia.org] Source: 192.167.1.1 Friday, 10 June 2022 11:36:12
192.167.1.1
Friday, 10 June 2022 11:36:12
ALLOW
Source
ALLOW
ALLOW refers to the action that has been recorded. In this instance, it allows access to wikipedia.org.
Fill in the blank: _____ is the process of examining logs to identify events of interest.
Log file
Logging
Log analysis
Log forwarder
Log analysis
Examine the following authentication log:
[2022/12/20 08:20:38.921286] User nuhara logged in successfully
What type of information does this log contain? Select two answers.
Event description
Syslog
Timestamp
Message ID
Event description
Timestamp
Which of the following capabilities can syslog be used for? Select three answers.
Log format
Service
Extension
Protocol
Log format
Service
Protocol
What are examples of log formats? Select three answers.
Common Event Format (CEF)
Gramm-Leach-Bliley Act (GLBA)
eXtensible Markup Language (XML)
JavaScript Object Notation (JSON)
Common Event Format (CEF)
eXtensible Markup Language (XML)
JavaScript Object Notation (JSON)
Which log format uses tags to structure data?
Syslog
Verbose
eXtensible Markup Language (XML)
Comma Separated Values (CSV)
eXtensible Markup Language (XML)
A security analyst uses a network protocol analyzer to capture HTTP traffic to analyze patterns. What type of data are they using?
False positive
Signature-based
Host-based
Network telemetry
Network telemetry
They are using network telemetry data. Network telemetry refers to the collection and transmission of network data for analysis, such as HTTP traffic.
Which statement accurately describes the difference between a network-based intrusion detection system (NIDS) and a host-based intrusion detection system (HIDS)?
A NIDS only detects known threats; a HIDS detects unknown threats.
A NIDS uses signature analysis to detect threats; a HIDS uses agents.
A NIDS is installed on a network; a HIDS is installed on individual devices.
A NIDS is installed on individual devices; a HIDS is installed on a network.
A NIDS is installed on a network; a HIDS is installed on individual devices.
Fill in the blank: The _____ component of an IDS signature includes network traffic information.
rule options
header
signature ID
action
header
A security analyst creates a Suricata signature to identify and detect security threats based on the direction of network traffic. Which of the following rule options should they use?
Message
Rev
Content
Flow
Flow
They should use flow. The flow option matches the direction of network traffic flow.
In Search Processing Language (SPL), which special character is a wildcard that can be used to substitute with any other character?
!=
|
=
*
*
Which of the following steps are part of the security information and event management (SIEM) process? Select three answers.
Monitor activity and alerts related to intrusions
Normalize data so it is ready to read and analyze
Collect and process data
Index data to improve search performance
Normalize data so it is ready to read and analyze
Collect and process data
Index data to improve search performance
Fill in the blank: Chronicle uses _____ to search through unstructured logs.
raw log search
metadata
entity search
unified data model
raw log search
Which of the following is Splunk’s query language?
SPL
SQL
UDM
IDS
SPL
Which software collects and sends logs to a security information and event management (SIEM) tool?
Forwarder
Intrusion detection system (IDS)
Firewall
Network protocol analyzer
Forwarder
Examine the following log:
LoginEvent[2021/10/13 10:32:08.958711] auth_session_authenticator.cc:304 Regular user login 1
Which type of log is this?
Network
Location
Application
Authentication
Authentication
Fill in the blank: A syslog entry contains a header, _____, and a message.
eXtensible Markup Language
tag
object
structured-data
structured-data
Consider the following scenario:
A security analyst at a midsized company is tasked with installing and configuring a host-based intrusion detection system (HIDS) on a laptop. The security analyst installs the HIDS and wants to test whether it is working properly by simulating malicious activity. The security analyst runs unauthorized programs on the laptop, which the HIDS successfully detects and alerts on.
What is the laptop an example of?
An agent
A signature
An endpoint
A log forwarder
An endpoint
What information is included in a signature’s header? Select all that apply.
IP address
Action
Port number
Protocol
IP address
Port number
Protocol
Examine this Suricata signature:
alert http 167.215.72.95 any -> 156.150.71.141 80 (msg:"GET on wire"; flow:established,to_server; content:"GET"; sid:12345; rev:2;)
What is the destination port?
2
12345
80
141
80
Fill in the blank: Suricata uses the _____ format for event and alert output.
CEF
HTTP
HTML
EVE JSON
EVE JSON
Which querying language does Splunk use?
Search Processing Language
Structured Querying Language
SIEM Processing Language
Structured Processing Language
Search Processing Language
Which Unified Data Model (UDM) field search specifies a security action?
security_result.action
metadata.event_type
action
block
security_result.action
What are the steps in the SIEM process for data collection? Select three answers.
Collect
Index
Unify
Normalize
Collect
Index
Normalize