Chapter 10

Question 1

Use 3 words to describe the chapter 10 incident detection and analysis

Answer 1

Indicators of compromise

Question 2

Name a few list of indicators of compromise

Answer 2

Manipulation to files
DDOS
Something off to the network traffic
Unusual traffic behavior

Question 3

What does indicators of compromise give the organization

Answer 3

Gives you workstation names, ip addresses, behavior-based information

Question 4

Escalation of privileges, strange account behaviors, and bots are an example of which type of indicator of compromise?

Answer 4

Behavior-based

Question 5

What are ossec and tripwire an example of?

Answer 5

Host intrusion detection systems

Question 6

Explain what a DNS amplification attack is

Answer 6

Service requesting on crack
too many queries that require large responses

Question 7

How can you tell there is a DNS related IOC

Answer 7

Abnormal levels of DNS queries
Strange DNS names
Too many DNS fail requests

Question 8

Describe fast-flux in a few words. Think of Jordans on release day

Answer 8

It’s when there are several IP addresses tied to one domain name. Those IP’s switch out fast.

Question 9

List terms associated with keeping or acquiring evidence of an incident. Think of UPL stuff

Answer 9

Chain of custody
Preservation
Legal hold
Data integrity validation