(9) Detection And Analysis Flashcards

1
Q

According to NIST 800-61, describe the importance of profiling networks and systems

A

Profiling networks and systems means measuring the characteristics of expected activity so that changes to it are easier to spot (for example, file-integrity checksums of critical files, or average and peak bandwidth use by day and time). It gives the org a baseline for recognizing abnormal activity during detection and analysis.

2
Q

According to NIST 800-61, describe why understanding the normal behavior of users, systems, networks and apps matters

A

Incident responders should study users, systems, networks and applications to understand what their normal behavior looks like (also called baselining), because that is what makes it possible to recognize when something is out of the ordinary.

3
Q

According to NIST 800-61, describe the importance of creating a logging policy that specifies the information that must be logged by systems, apps, etc.

A

A policy that specifies the information that must be logged by systems, apps, etc. should also specify where those log records are stored and how long they are retained. Retention matters because older log entries may show reconnaissance activity or earlier instances of a similar attack that a short retention window would have discarded.

4
Q

According to NIST 800-61, describe the point of performing event correlation

A

Evidence of an incident is usually spread across several logs that each hold different data (for example, a firewall log with the source IP, an IDS log with the attack type, and a host log with the affected account). Correlating events across these sources helps validate whether an incident actually occurred and reconstruct what happened. This is usually performed by a Security Information and Event Management (SIEM) system.

5
Q

According to NIST 800-61, describe why clocks across servers, workstations, network devices, etc. should be synchronized

A

Synchronizing clocks across servers, workstations, network devices, etc. is all about facilitating the correlation of log entries: an event recorded at 10:00 on a host and at 10:01 on a firewall can only be tied together if both clocks agree. Orgs achieve this by using the Network Time Protocol (NTP).
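The two cards above (event correlation and clock synchronization) are easier to see in working code. The following is an added example, not code from NIST 800-61 or from this deck: it parses constructed firewall, auth and IDS log lines, correlates them by source IP within a time window, and shows how an unsynchronized clock breaks that correlation. The log lines, hosts, IPs and the assumed 90-second firewall clock skew are all made up for illustration.

```python
"""Correlating events from several log sources after normalizing their clocks.

Added example for illustration; not code from NIST SP 800-61 or this flashcard deck.
All log lines, addresses and the clock offset below are constructed.
"""
import re
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

# Constructed sample logs from three sources. The firewall's clock is assumed to
# run 90 s fast (exactly the kind of skew NTP is meant to prevent); the other two
# sources are assumed to be on reference time.
FIREWALL_LOG = [
    "2024-03-05T09:30:00Z DENY src=198.51.100.9 dst=10.0.0.5 dport=445",
    "2024-03-05T10:01:40Z ALLOW src=203.0.113.7 dst=10.0.0.5 dport=22",
]
AUTH_LOG = [
    "2024-03-05T10:00:12Z sshd[4411]: Failed password for root from 203.0.113.7 port 51822",
    "2024-03-05T10:00:15Z sshd[4411]: Accepted password for admin from 203.0.113.7 port 51830",
]
IDS_LOG = [
    "2024-03-05T10:00:14Z alert: SSH brute-force attempt src=203.0.113.7 dst=10.0.0.5",
]
# Known clock offsets per source (positive = that clock is ahead of reference time).
CLOCK_OFFSETS = {"firewall": timedelta(seconds=90)}


@dataclass(frozen=True)
class Event:
    source: str
    ts: datetime
    src_ip: str
    message: str


# Pulls the source IP out of either "src=1.2.3.4" or "... from 1.2.3.4 ..." forms.
IP_RE = re.compile(r"(?:src=|from )(\d{1,3}(?:\.\d{1,3}){3})")


def parse_line(source, line):
    """Split 'TIMESTAMP rest-of-line' and extract the source IP if present."""
    ts_str, message = line.split(" ", 1)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    m = IP_RE.search(message)
    return Event(source, ts, m.group(1) if m else "", message)


def load_events():
    """Parse all constructed logs into a single event list tagged by source."""
    raw = ([("firewall", l) for l in FIREWALL_LOG]
           + [("auth", l) for l in AUTH_LOG]
           + [("ids", l) for l in IDS_LOG])
    return [parse_line(s, l) for s, l in raw]


def normalize_clocks(events, offsets=CLOCK_OFFSETS):
    """Move every event onto the reference clock by subtracting its source's known offset."""
    return [replace(e, ts=e.ts - offsets.get(e.source, timedelta(0))) for e in events]


def correlate(events, window=timedelta(seconds=60), min_sources=2):
    """Group events by source IP; report IPs seen by >= min_sources distinct sources
    inside one `window`. Returns {src_ip: sorted sources in the first qualifying window}."""
    by_ip = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.src_ip:
            by_ip.setdefault(e.src_ip, []).append(e)
    hits = {}
    for ip, evs in by_ip.items():
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e.ts - start.ts <= window]
            sources = {e.source for e in in_window}
            if len(sources) >= min_sources:
                hits[ip] = sorted(sources)
                break
    return hits


if __name__ == "__main__":
    events = load_events()
    print("raw clocks:       ", correlate(events))
    print("normalized clocks:", correlate(normalize_clocks(events)))
```

With the raw timestamps the firewall entry sits 88 seconds after the auth failure, so it falls outside the 60-second window and the SSH connection is correlated only across the auth and IDS logs. After subtracting the firewall's known offset, all three sources line up within five seconds. In practice the fix is to keep the offset at zero with NTP rather than to patch it up afterwards; the lone SMB probe from 198.51.100.9 never correlates because only one source saw it.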

6
Q

According to NIST 800-61, what is the importance of maintaining a knowledge base of critical information?

A

Maintaining a knowledge base that contains critical information about systems and apps gives incident responders quick access to what they need during analysis. It should include system and application profiles, usage patterns, explanations of the significance of known precursors and indicators, and other reference information.

7
Q

According to NIST 800-61, what is the importance of capturing network traffic as soon as an incident is suspected?

A

Capturing network traffic as soon as an incident is suspected is important because it preserves critical details of an attacker's intentions and activity that logs alone may not record. Traffic that was not captured at the time cannot be recovered later.

8
Q

According to NIST 800-61, why should information be filtered?

A

Information should be filtered because incident investigations involve far more data than can be reviewed in full. Exclusion filters drop categories of indicators that are routinely insignificant; inclusion filters show only the categories of highest significance. Relying on inclusion filters alone carries a risk, since new malicious activity may not fall into any of the chosen categories. The incident response team may create predefined filters to speed up future analysis efforts.
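The card above describes inclusion and exclusion filters and the idea of keeping predefined ones. As an added example (not code from NIST 800-61 or this deck), the block below builds a small library of named filters over constructed indicator records, applies them in order, and keeps a count of what each filter removed so an analyst can audit what was excluded. The categories, addresses and the 10.0.9.0/24 "internal scanner" subnet are assumptions for illustration.

```python
"""Predefined inclusion/exclusion filters over indicators, with an audit of what was dropped.

Added example; not code from NIST SP 800-61 or this flashcard deck. All indicator
records, categories and subnets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable

# Constructed indicators, roughly as a SIEM might hand them to an analyst.
EVENTS = [
    {"id": 1, "category": "dns_query",     "src": "10.0.0.21"},
    {"id": 2, "category": "port_scan",     "src": "10.0.9.4"},     # assumed internal vuln scanner
    {"id": 3, "category": "auth_failure",  "src": "203.0.113.7"},
    {"id": 4, "category": "malware_alert", "src": "10.0.0.5"},
    {"id": 5, "category": "dns_query",     "src": "10.0.0.5"},
    {"id": 6, "category": "unknown_tool",  "src": "10.0.0.5"},     # matches no predefined category
]


@dataclass(frozen=True)
class IndicatorFilter:
    name: str
    mode: str                        # "exclude" drops matches; "include" keeps only matches
    match: Callable[[dict], bool]


def in_subnet(cidr):
    """Predicate: the indicator's source address lies inside `cidr`."""
    net = ip_network(cidr)
    return lambda e: ip_address(e["src"]) in net


def category_in(*categories):
    """Predicate: the indicator's category is one of `categories`."""
    wanted = set(categories)
    return lambda e: e["category"] in wanted


# Predefined filter library (constructed) that the team reuses across investigations.
PREDEFINED = {
    "drop_internal_scanner": IndicatorFilter("drop_internal_scanner", "exclude", in_subnet("10.0.9.0/24")),
    "drop_dns_noise":        IndicatorFilter("drop_dns_noise", "exclude", category_in("dns_query")),
    "only_high_value":       IndicatorFilter("only_high_value", "include",
                                             category_in("malware_alert", "auth_failure")),
}


def apply_filters(events, filters):
    """Apply filters in order. Returns (surviving events, {filter name: count removed})."""
    removed = {}
    current = list(events)
    for f in filters:
        if f.mode == "exclude":
            keep = [e for e in current if not f.match(e)]
        elif f.mode == "include":
            keep = [e for e in current if f.match(e)]
        else:
            raise ValueError(f"unknown filter mode: {f.mode}")
        removed[f.name] = len(current) - len(keep)
        current = keep
    return current, removed


def surviving_ids(events, filter_names):
    """Convenience wrapper: ids that survive the named predefined filters, in order."""
    kept, _ = apply_filters(events, [PREDEFINED[n] for n in filter_names])
    return [e["id"] for e in kept]


if __name__ == "__main__":
    print("exclusion only:", surviving_ids(EVENTS, ["drop_internal_scanner", "drop_dns_noise"]))
    print("inclusion only:", surviving_ids(EVENTS, ["only_high_value"]))
```

Running both paths shows the trade-off the card warns about: the exclusion filters remove the scanner and DNS noise and leave events 3, 4 and 6 for review, while the inclusion filter alone returns only 3 and 4 and silently discards event 6, the one that matched no predefined category.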

9
Q

According to NIST 800-61, why should assistance from external sources be sought?

A

When the team cannot determine the full cause and nature of an incident on its own, it should seek assistance from others. Depending on the situation this could range from a Google search to contacting an information security company. The procedures for when to seek help and whom to contact should be clearly defined in advance.
