Chapter 10: Incident Response Flashcards
Understand Incident Response
What are the four phases of the NIST incident response life cycle?
- Preparation
- Detection & Analysis
- Containment, Eradication & Recovery
- Post-incident Activity
{Blank}, which includes the activities used to put together an incident response plan and team.
Preparation
{Blank}, which identifies that an incident is taking place and determines the extent of the incident’s impact.
Detection & Analysis
{Blank}, which limits the damage caused by an incident, removes the effects of the incident, and restores normal operations.
Containment, Eradication & Recovery
{Blank}, which analyzes the response process and identifies lessons learned to improve future response efforts.
Post-incident Activity
Building an Incident Response Team
One of the most important tasks that you’ll undertake in your incident response program is to build and staff your incident response team. This team will likely need to be available on a 24/7 basis and should have primary and backup personnel to cover vacations as well as extended periods of operation.
What are some of the groups that should be represented on an incident response team?
- Management
- Information security personnel
- Physical security team members
- Technical SMEs, such as database administrators, developers, system engineers, and virtualization experts
- Legal counsel
- Public relations and marketing staff
- HR team members
An incident communications plan should cover both {blank} and {blank} communications.
Internal; external
{Blank} help ensure that the appropriate people within your organization know about an incident at the right time and are provided with the right information.
Incident notification and escalation procedures
What are some information sources that can contribute data crucial to identifying and analyzing a possible security incident?
- Intrusion detection and prevention systems
- Firewalls
- Authentication systems
- System integrity monitors
- Vulnerability scanners
- System event logs
- NetFlow connection records
- Antimalware packages
{Blank} systems act as centralized log repository and analysis solutions.
Security information and event management (SIEM)
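The value of feeding these sources into one SIEM is that no single log tells the whole story. The following Python correlator is an added example written for this page, not code from the chapter: it normalizes constructed firewall, authentication and IDS log lines into a common schema and flags a source IP only when the IDS alert, a burst of failed logins and a subsequent successful login line up. All hostnames, IP addresses, log formats and the signature name are invented.

```python
import re
from collections import defaultdict

# --- Constructed sample input (made up for this example, not real logs) ---
FIREWALL_LOG = """\
2024-05-01T10:00:01Z fw01 ACCEPT src=203.0.113.7 dst=10.0.0.5 dport=22
2024-05-01T10:00:03Z fw01 ACCEPT src=198.51.100.9 dst=10.0.0.5 dport=22
"""
AUTH_LOG = """\
2024-05-01T10:00:01Z srv05 sshd: Failed password for root from 203.0.113.7
2024-05-01T10:00:01Z srv05 sshd: Failed password for root from 203.0.113.7
2024-05-01T10:00:02Z srv05 sshd: Failed password for admin from 203.0.113.7
2024-05-01T10:00:02Z srv05 sshd: Failed password for admin from 203.0.113.7
2024-05-01T10:00:02Z srv05 sshd: Failed password for admin from 203.0.113.7
2024-05-01T10:00:03Z srv05 sshd: Accepted password for admin from 203.0.113.7
2024-05-01T10:00:04Z srv05 sshd: Accepted publickey for alice from 198.51.100.9
"""
IDS_LOG = """\
2024-05-01T09:59:58Z ids01 ALERT sig="SSH brute-force attempt" src=203.0.113.7 dst=10.0.0.5
"""

# One parser per source. Every parser yields the shared fields ts/host/src
# plus source-specific extras; the formats are assumed, not any vendor's.
PARSERS = {
    "firewall": re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ACCEPT|DROP) "
                           r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"),
    "auth": re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) "
                       r"\S+ for (?P<user>\S+) from (?P<src>\S+)$"),
    "ids": re.compile(r'^(?P<ts>\S+) (?P<host>\S+) ALERT sig="(?P<sig>[^"]+)" '
                      r"src=(?P<src>\S+) dst=(?P<dst>\S+)$"),
}


def normalize(source, text):
    """Parse raw lines from one source into dicts with a common schema.
    Lines that do not match are skipped; a real SIEM would count them."""
    regex = PARSERS[source]
    events = []
    for line in text.splitlines():
        m = regex.match(line)
        if m:
            ev = m.groupdict()
            ev["source"] = source
            events.append(ev)
    return events


def correlate(events, fail_threshold=3):
    """Return incidents: source IPs that have an IDS alert, at least
    fail_threshold failed logins, and a successful login at or after the
    last failure. Firewall records only enrich the result with the ports hit."""
    ids_alert = set()
    failed = defaultdict(int)
    last_failed_ts = {}
    accepted = defaultdict(list)   # src -> [(ts, user)]
    ports = defaultdict(set)       # src -> {dport}
    # ISO-8601 UTC timestamps sort correctly as strings; sorted() is stable.
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["source"] == "ids":
            ids_alert.add(ev["src"])
        elif ev["source"] == "firewall":
            ports[ev["src"]].add(ev["dport"])
        elif ev["source"] == "auth":
            if ev["result"] == "Failed":
                failed[ev["src"]] += 1
                last_failed_ts[ev["src"]] = ev["ts"]
            else:
                accepted[ev["src"]].append((ev["ts"], ev["user"]))
    incidents = []
    for src in sorted(ids_alert):
        if failed[src] < fail_threshold:
            continue
        users = sorted({u for ts, u in accepted[src] if ts >= last_failed_ts[src]})
        if users:
            incidents.append({"src": src, "failed_logins": failed[src],
                              "compromised_users": users,
                              "ports": sorted(ports[src])})
    return incidents


def analyze_all():
    """Aggregate all three sources, as a SIEM would, then correlate."""
    events = (normalize("firewall", FIREWALL_LOG)
              + normalize("auth", AUTH_LOG)
              + normalize("ids", IDS_LOG))
    return correlate(events)


if __name__ == "__main__":
    for inc in analyze_all():
        print(f"INCIDENT src={inc['src']} failed={inc['failed_logins']} "
              f"accounts={','.join(inc['compromised_users'])} ports={inc['ports']}")
```

Run `correlate(normalize("auth", AUTH_LOG))` on the authentication log alone and it returns nothing, because the IDS evidence is missing; only the combined view from all three sources produces the incident for 203.0.113.7. The threshold and the "successful login after the last failure" ordering check are deliberate: without them a single mistyped password plus a later valid login would trigger the rule.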
What is the highest priority of a first responder during incident response?
Quickly containing the damage caused by the security incident.
Jason is monitoring his organization’s SIEM system watching for signs of unusual activity. Which phase of the NIST incident response process best describes his work?
A. Preparation
B. Detection & Analysis
C. Post-incident activity
D. Containment, eradication & recovery
Detection & analysis
During his monitoring work, Jason identifies a high-priority security incident in progress. What should be his first priority?
A. Identifying lessons learned
B. Notifying senior management
C. Recovering normal operations
D. Containing the damage
Containing the damage