Chapter 14 Incident Response

Question 1

What at the 6 steps of the incident response process?

PICERL

Answer 1

Preparation
Identification
Containment
Eradication
Recovery
Lessons Learned

Question 2

Incident response team members

Answer 2

Management
Information Security
Technical experts
Communications/public relations
Legal and HR
LEO

Question 3

IR Exercises

Answer 3

Table top
walk through
simulation

Question 4

Incident response plans

Answer 4

Communication plans
stakeholder management plans
Business continuity plans
disaster recovery plans

Question 5

What is COOP

Answer 5

COOP is 4 phase continuity of operation planning.

1. readiness and preparedness
2. Activation and Relocation
3. Continuity of Operations
4. Reconstitution

Question 6

What are retention policies?

Answer 6

a retention policy determines how long you keep data and how it will be disposed of.

Question 7

What is MITRE ATT&CK

Answer 7

Its a website that explains what attack lifecycles and attack behavior looks like.
curated knowledge base and model for cyber adversary behavior.

Question 8

What are the core features of the Diamond Model of Intrusion Analysis

Answer 8

Adversary
Capability
Infrastructure
Victim

Question 9

What is the Cyber Kill Chain

RWDEICA

Answer 9

Reconnaissance
Weaponization
Delivery
Exploitation
Installation
C2
Actions on Objective

Question 10

What is SIEM

Answer 10

Security Information and Event Management
Provides real time analysis of security alerts generated by apps and hardware
Correlate data from multiple sources and provide actionable intelligence

Question 11

At the heart of alarms, alerts and correlation for SIEM is RULES.

Answer 11

rules drive each of these components and can use logic to determine rule activation and can trigger action based on these rules.

Question 12

Tools

Answer 12

Sensors deployed to gather additional data
sensitivity sets thresholds, filter rules
trends can point to new problems that start to crop up
alerts (fatigue occurs when they happen too often or false positive)
correlation matches data points

Question 13

What is the purpose of log files in incident response?

Answer 13

to provide IR staff with information about what occurred.

Question 14

What is SIP

Answer 14

Session Initiation Protocol is a signaling protocol used for initiating maintaining and terminating real time sessions such as voice, video and messaging applications.

Question 15

What is SFlow, NetFlow and IPFIX

Answer 15

network/bandwidth flow monitors, they can be useful when attempting to determine what traffic was sent to your network
- not always helpful since they provide limited data, some detail is lost.

Question 16

what is syslog, rsyslog, syslog-ng and what are the differences

Answer 16

Linux log systems.
syslog is the traditional linux log
rsyslog is the same but really fast
syslog-ng sends logs via TCP protected by TLS

Question 17

what is initrd

what is journalctl

Answer 17

initial ram disk

journalctl displays journal entries, -b flag for since last boot, -since for logs since a specified time

Question 18

What is SOAR

Answer 18

SOAR is a tool designed to automate security responses, more thorough than SIEM