9 - 1: Incident Response Programs

Question 1

NIST Special Publication 800-61

Answer 1

Standard incident handling process

Question 2

Incident Response Plan

Answer 2

Structure and guidance for responding to incidents

Question 3

Incident Response Plan elements

Answer 3

1) Statement of purpose/scope 2) clear strategies and goals 3) Approach to responses 4) Approval from Sr management

Question 4

Service providers

Answer 4

Round out areas where services within the organization are needed

Question 5

Communication plan

Answer 5

Ensure the right people are informed of and during a cybersecurity incident. Who AND how

Question 6

Involving law enforcement

Answer 6

Complex question as it may make some details public

Question 7

Incident communications

Answer 7

Make sure they’re confidential and don’t risk alerting attackers

Question 8

SIEM

Answer 8

Security Incident and Event Manager, coordinates information from a variety of sources - firewalls, IDS/IPS, event logs - to collect and analyze data for activity

Question 9

Incidents may also be reported from ____ sources

Answer 9

External

Question 10

Incident first response

Answer 10

Isolate the system, allow it to continue to run, but do not keep it connected to the network

Question 11

Incident first response priority

Answer 11

Contain damage through isolation

Question 12

Counterintelligence

Answer 12

As adversaries are trying to learn about your network, some organizations have programs to hinder or provide false information

Question 13

Escalation and notification objectives

Answer 13

1) Evaluate severity 2) Escalate appropriately 3) Notify stakeholders

Question 14

Low-impact events

Answer 14

Usually would not involve an after-hours response

Question 15

Medium-impact events

Answer 15

Likely to have a security impact

Question 16

High-impact events

Answer 16

May risk organizational security

Question 17

NIST containment criteria

Answer 17

1) Potential for damage and theft 2) Evidence preservation 3) Service availability 4) Resource requirements 5) Expected effectiveness 6) Solution time frame

Question 18

Mitigation ends with:

Answer 18

stability

Question 19

3 stages of containment

Answer 19

segmentation, isolation, removal

Question 20

Segmentation

Answer 20

Logically separating compromised systems using VLANs

Question 21

Isolation

Answer 21

Separating a breached system from others

Question 22

Removal

Answer 22

Detaching breached systems from the entire platform

Question 23

Eradication

Answer 23

Removes traces of an incident

Question 24

Recovery

Answer 24

Return to normal operations

Question 25

Validation

Answer 25

Checking the system has returned to its pre-compromise/breach state

Question 26

Post-incident response steps

Answer 26

1) Lessons learned 2) Evidence retention 3) Generation of indicators of compromise

Question 27

Who are best for lessons learned sessions?

Answer 27

Independent facilitators

Question 28

Configuration manager

Answer 28

Assists with automated system validation