Chapter 13 Dealing with Incidents Flashcards
What are the four major objectives for incident response in the Security+ SY0-601 exam?
Incident Response, Digital Forensics, Continuity of Operations, and Disaster Recovery.
What does incident response involve?
Planning and setting up teams to respond to security incidents and involving the right stakeholders.
What is digital forensics?
Collecting and securing evidence from compromised systems or incidents following legal procedures.
What is continuity of operations?
Developing strategies and plans to ensure business operations can continue during disruptive events.
What is disaster recovery?
Restoring systems and operations to normalcy after a disruptive event or incident.
What is an Incident Response Plan (IRP)?
An IRP is a document that outlines the step-by-step procedures to respond to security incidents effectively.
What triggers the activation of an incident response plan?
Indicators of compromise (IOCs) or suspicious activities such as excessive traffic, unknown devices on the network, or alerts from intrusion detection systems.
What are the objectives of an incident response plan?
Detecting, containing, eradicating, and recovering from security incidents.
How can an incident response plan be improved?
Through periodic reviews, assigning roles and responsibilities, regular training and drills, and incorporating lessons learned from previous incidents.
Can incident response be automated?
Yes, incident response can involve automated responses based on predefined configurations in intrusion prevention systems or scripting.
What is the Cyber Kill Chain?
The Cyber Kill Chain is a framework used to trace the steps taken by attackers in a successful compromise or data event. It consists of eight phases: reconnaissance, intrusion, exploitation, privilege escalation, lateral movement, obfuscation, denial of service, and exfiltration.
What is the purpose of analyzing security incidents using the Cyber Kill Chain?
The analysis helps identify how the attack occurred and what steps were taken by the attacker. This knowledge can be used to prevent similar incidents from happening in the future.
What is the MITRE ATT&CK framework?
The MITRE ATT&CK framework is a model used to detect and analyze threats by identifying the techniques and tactics employed by adversaries. It helps understand how attackers exploit vulnerabilities and provides insights for improving security measures.
What is the Diamond Model?
The Diamond Model is a visualization of the relationships and interactions among the attacker, victim, infrastructure, and capabilities of the adversaries. It helps analyze security incidents by examining how adversaries exploited vulnerabilities.
What is Security Orchestration, Automation, and Response (SOAR)?
SOAR is a solution that automates incident response by using scripts and workflows. It helps reduce incident response time and can automate tasks such as remediation and configuration changes during an attack.
What is digital forensics?
Digital forensics is the application of computer science to collect, preserve, and analyze digital evidence for legal purposes. It involves following proper evidence gathering and retention policies to ensure the admissibility of the evidence in a court of law.
What is e-discovery?
E-discovery, or electronic discovery, refers to the process of discovering and collecting electronic information for legal purposes. It involves identifying and preserving relevant data, whether stored on premises or in the cloud, during the legal discovery phase.
How does digital forensics apply to mobile devices?
In mobile device forensics, techniques are used to preserve the state of a smartphone or mobile device during the collection of evidence. This can include enabling airplane mode, using Faraday bags to block wireless communications, and having mobile charging units to prevent the device from running out of power during the forensic analysis.
What is steganography?
Steganography is a form of obfuscation where data or files are hidden within other seemingly innocent files, such as embedding a secret file within a JPEG image. Digital forensic analysts need to be aware of steganography techniques and tools to detect and analyze such hidden information.