6. Sound the alarm: detection and response

Question 1

Computer security incident response teams (CSIRT)

Answer 1

specialized group of security professionals that are trained in incident management and response

Question 2

Documentation

Answer 2

any form of recorded content that is used for a specific purpose

Question 3

Endpoint detection and response EDR

Answer 3

application that monitors an endpoint for malicious activity

Question 4

Event

Answer 4

observable occurrence on a network, system, or device

Question 5

False negative

Answer 5

state where the presence of a threat is not detected

Question 6

False positive

Answer 6

alert that incorrectly detects the presence of a threat

Question 7

Incident

Answer 7

occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of info or an info system; or constitutes a violation or imminent threat of violation of law, security policies, a security procedures, or acceptable uses policies

Question 8

Incident handler’s journal

Answer 8

form of documentation used in incident response

Question 9

Incident response plan

Answer 9

document that outlines the procedures to take in each step of incident response

Question 10

Incident detection system IDS

Answer 10

application that monitors system activity and alerts on possible intrusions

Question 11

Intrusion prevention system IPS

Answer 11

application that monitors system activity for intrusive activity and takes action to stop the activity

Question 12

National Institute of Standards and Technology NIST Incident Response Lifecycle

Answer 12

framework for incident response consisting of four phases: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity

Question 13

Playbook

Answer 13

manual that provides details about any operational action

Question 14

Security information and event management SIEM

Answer 14

application that collects and analyzes log data to monitor critical activities in an org

Question 15

Security operations center SOC

Answer 15

org unit dedicated to monitoring networks, systems, and devices for security threats or attacks

Question 16

Security orchestration, automation, and response SOAR

Answer 16

collection of applications, tools, and workflows that uses automation to respond to security events

Question 17

True negative

Answer 17

state where there is no detection of malicious activity

Question 18

True positive

Answer 18

alert that correctly detects the presence of an attack

Question 19

Command and control C2

Answer 19

techniques used by malicious actors to maintain comms with compromised systems

Question 20

Command-line interface CLI

Answer 20

text-based user interface that uses commands to interact with the computer

Question 21

Data exfiltration

Answer 21

unauthorized transmission of data from a system

Question 22

Data packet

Answer 22

basic unit of info that travels from one device tot another within a network

Question 23

Indicators of compromise IoC

Answer 23

Observable evidence that suggests signs of a potential security incident

Question 24

Internet Protocol IP

Answer 24

set of standards used for routing and addressing data packets as they travel between devices on a network

Question 25

Intrusion detection systems IDS

Answer 25

application that monitors system activity and alerts on possible intrusions

Question 26

Media Access Control MAC address

Answer 26

unique alphanumeric identifier that is assigned to each physical device on a network

Question 27

National Institute of Standards and Technology NIST Incident Response Lifecycle

Answer 27

framework for incident response consisting of four phases: Preparation; Detection and Analysis; Containment, eradication and Recovery; and Post-incident activity

Question 28

Network data

Answer 28

data that’s transmitted between devices on a network

Question 29

Network protocol analyzer packet sniffer

Answer 29

tool designed to capture and analyze data traffic within a network

Question 30

Network traffic

Answer 30

amount of data that moves across a network

Question 31

Network Interface Card NIC

Answer 31

Hardware that connects computers to a network

Question 32

Packet capture p-cap

Answer 32

file containing data packets intercepted from an interface or network

Question 33

Packet sniffing

Answer 33

practice of capturing and inspecting data packets across a network

Question 34

Playbook

Answer 34

manual that provides details about any operational action

Question 35

Root user (or superuser)

Answer 35

user with elevated privileges to modify the system

Question 36

Sudo

Answer 36

command that temprarily grants elevated permissions to specific userst

Question 37

tcpdump

Answer 37

command-line network protocol analyzer

Question 38

wireshark

Answer 38

open-source network protocol analyzer

Question 39

Analysis

Answer 39

investigation and validation of alerts

Question 40

Broken chain of custody

Answer 40

Inconsistencies in the collection and logging of evidence in the chain of custody

Question 41

Business continuity plan BCP

Answer 41

document that outlines the procedures to sustain business operations during and after a significant disruption

Question 42

Chain of custody

Answer 42

process of documenting evidence possession and control during an incident lifecycle

Question 43

Containment

Answer 43

act of limiting and preventing additional damage caused by an incident

Question 44

Crowdsourcing

Answer 44

practice of gathering info using public input and collaboration

Question 45

Detection

Answer 45

prompt discovery of security events

Question 46

Documentation

Answer 46

any form of recorded content that is sued for a specific purpose

Question 47

Eradication

Answer 47

complete removal of the incident elements from all affected systems

Question 48

Final report

Answer 48

documentation that provides a comprehensive review of an incident

Question 49

Honeypot

Answer 49

system or resource created as a decoy vulnerable to attacks with the purpose of attracting potential intruders

Question 50

Incident response plan

Answer 50

document that outlines the procedures to take in each step of incident response

Question 51

Indicators of attack IoA

Answer 51

series of observed events that indicate a real-time incident

Question 52

Indicators of compromise IoC

Answer 52

Observable evidence that suggests signs of a potential security incident

Question 53

intrusion detection system IDS

Answer 53

application that monitors system activity and alerts on possible intrusions

Question 54

Lessons learned meeting

Answer 54

meeting that includes all involved parties after a major incident

Question 55

Open-source intelligence OSINT

Answer 55

collection and analysis of info from publicly available sources to generate usable intelligence

Question 56

Playbook

Answer 56

manual that provides details about any operational action

Question 57

Post-incident activity

Answer 57

process of reviewing an incident to identify areas for improvement during incident handling

Question 58

Recovery

Answer 58

process of returning affected systems back to normal operations

Question 59

Resilience

Answer 59

ability to prepare for, respond to, and recover from disruptions

Question 60

Standards

Answer 60

references that inform how to set policies

Question 61

Threat hunting

Answer 61

proactive search for threats on a network

Question 62

Threat intelligence

Answer 62

evidence-based threat info that provides context about existing or emerging threats

Question 63

Triage

Answer 63

prioritizing of incidents according to their level of importance or urgency

Question 64

VirusTotal

Answer 64

service that allows anyone to analyze suspicious files, domains, URLs, and IP addresses for malicious content

Question 65

Anomaly-based analysis

Answer 65

detection method that identifies abnormal behavior

Question 66

Array

Answer 66

data type that stores data in a comma-separated ordered list

Question 67

Common Event Format CEF

Answer 67

log format that uses key-value pairs to structure data and identify fields and their corresponding values

Question 68

Configuration file

Answer 68

file used to configure the settings of an application

Question 69

Endpoint

Answer 69

any device connected on a network

Question 70

Endpoint detection and response EDR

Answer 70

application that monitors an endpoint for malicious activity

Question 71

False positive

Answer 71

alert that incorrectly detects the presence of a threat

Question 72

Host-based intrusion detection system HIDS

Answer 72

application that monitors the activity of the host on which it’s installed

Question 73

Intrusion detection systems IDS

Answer 73

application that monitors system activity and alerts on possible intrusions

Question 74

Key-value pair

Answer 74

set of data that represents two linked items: key, and its corresponding value

Question 75

Log

Answer 75

record of events that occur within an organization’s systems

Question 76

Log analysis

Answer 76

process of examining logs to identify events of interest

Question 77

Log management

Answer 77

process of collecting, storing, analyzing, and disposing of log data

Question 78

Logging

Answer 78

recording of events occurring on computer systems and networks

Question 79

Network-based intrusion detection system NIDS

Answer 79

application that collects and monitors network traffic and network data

Question 80

Object

Answer 80

data type that stores data in a comma-separated list of key-value pairs

Question 81

Search Processing Language SPL

Answer 81

Splunk’s query language

Question 82

Security information and event management SIEM

Answer 82

application that collects and analyzes log data to monitor critical activities in an organization

Question 83

Signature

Answer 83

pattern that is associated with malicious activity

Question 84

Signature analysis

Answer 84

detection method used to find events interest

Question 85

Suricata

Answer 85

open-source intrusion detection system, intrusion prevention system, and network analysis tool

Question 86

Telemetry

Answer 86

collect and transmission of data for analysis

Question 87

Wildcard

Answer 87

special character that can be substituted with any other character

Question 88

YARA-L

Answer 88

computer language used to create rules for searching through ingested log data

Question 89

Zero-day

Answer 89

exploit that was previously unknown