CHP 12 Flashcards
Incident Response Lifecycle
Preparation, Detection, Analysis, Containment, Eradication, Recovery, Lessons learned
SOP
standard operating procedure (SOP)
LLR
lessons learned report (LLR)
An analysis of events that can provide insight into how to improve response and support processes in the future. Also called an after-action report (AAR).
Intelligence Fusion
In threat hunting, using sources of threat intelligence data to automate detection of adversary IoCs and TTPs.
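Added example (not part of the original card set): intelligence fusion in practice means normalizing several IoC feeds into one index and running it over your own telemetry. The feed entries and log lines below are constructed for illustration, not real indicators; the key=value log format and the field names dst/domain/sha256 are assumptions.

```python
"""Match a constructed threat-intel feed against constructed log lines."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed feed (not real indicators): type, value, originating source, related TTP.
INTEL_FEED = [
    {"type": "ipv4", "value": "203.0.113.45", "source": "ISAC-feed", "ttp": "C2 beacon"},
    {"type": "cidr", "value": "198.51.100.0/24", "source": "vendor-feed", "ttp": "scanning infrastructure"},
    {"type": "domain", "value": "update-check.example.net", "source": "internal-hunt", "ttp": "phishing payload host"},
    {"type": "sha256", "value": "4f2a9c1b7e0d3a6f5b8c2e1d0a9f7c6b5e4d3c2b1a0f9e8d7c6b5a4f3e2d1c0b",
     "source": "sandbox", "ttp": "dropper"},
]

# Constructed proxy/EDR-style log lines; the key=value layout is an assumption.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z host=ws01 dst=203.0.113.45 dport=443 action=allow",
    "2024-05-01T10:00:05Z host=ws01 dst=93.184.216.34 domain=www.example.com action=allow",
    "2024-05-01T10:01:10Z host=ws02 domain=cdn.update-check.example.net action=allow",
    "2024-05-01T10:02:00Z host=ws03 file=C:\\Users\\a\\Downloads\\inv.pdf.exe "
    "sha256=4F2A9C1B7E0D3A6F5B8C2E1D0A9F7C6B5E4D3C2B1A0F9E8D7C6B5A4F3E2D1C0B",
    "2024-05-01T10:03:00Z host=ws04 dst=198.51.100.77 dport=22 action=deny",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Hit:
    line_no: int
    field: str
    ioc: str
    source: str
    ttp: str


def build_index(feed):
    """Exact-match dicts for atomic IoCs plus a list of CIDR networks."""
    idx = {"ipv4": {}, "domain": {}, "sha256": {}, "cidr": []}
    for ioc in feed:
        if ioc["type"] == "cidr":
            idx["cidr"].append((ipaddress.ip_network(ioc["value"]), ioc))
        else:
            idx[ioc["type"]][ioc["value"].lower()] = ioc
    return idx


def match_ip(idx, value):
    """Exact IP match first, then membership in any listed CIDR range."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return None
    if str(addr) in idx["ipv4"]:
        return idx["ipv4"][str(addr)]
    for net, ioc in idx["cidr"]:
        if addr in net:
            return ioc
    return None


def match_domain(idx, value):
    """Walk up the labels so a subdomain of a listed domain also matches."""
    labels = value.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in idx["domain"]:
            return idx["domain"][candidate]
    return None


def match_hash(idx, value):
    # Hashes are compared case-insensitively; feeds and tools disagree on case.
    return idx["sha256"].get(value.lower())


def scan_logs(logs, feed):
    """Return every IoC hit with the feed source and TTP it was fused from."""
    idx = build_index(feed)
    hits = []
    for n, line in enumerate(logs, 1):
        fields = dict(KV_RE.findall(line))
        for field, fn in (("dst", match_ip), ("domain", match_domain), ("sha256", match_hash)):
            value = fields.get(field)
            if value is None:
                continue
            ioc = fn(idx, value)
            if ioc:
                hits.append(Hit(n, field, ioc["value"], ioc["source"], ioc["ttp"]))
    return hits


if __name__ == "__main__":
    for h in scan_logs(SAMPLE_LOGS, INTEL_FEED):
        print(f"line {h.line_no}: {h.field}={h.ioc} [{h.source}] {h.ttp}")
```

Lines 1, 3, 4 and 5 produce hits (exact IP, subdomain of a listed domain, hash in a different case, and an address inside a listed range); line 2 is clean. Carrying the source and TTP through to the hit is what turns a raw IoC match into something an analyst can prioritize.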
Digital Forensics
Digital forensics is the practice of collecting evidence from computer systems to a standard that will be accepted in a court of law.
fact
Disk image acquisition refers to acquiring data from nonvolatile storage (such as a hard disk, SSD, or removable media), normally as a bit-for-bit copy of the device or volume.
Due Process
A term used in US and UK common law to require that people only be convicted of crimes following the fair application of the laws of the land.
Live acquisition
Copying the data while the host is still running. This is the only way to capture volatile data such as memory contents and running processes, but the acquisition tools themselves change the state of the system.
write blocker
A write blocker prevents any data on the disk or volume from being changed while it is being imaged. A hardware write blocker sits between the disk and the examiner's workstation and drops write commands on the bus; a software write blocker filters write commands at the driver and OS level.
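Added example (not code from the original cards): the part of disk image acquisition that makes the evidence defensible is hashing the source before and after the copy and hashing the image, then recording all of it. The code below does that over a constructed "disk" file in a temporary directory; the function names, the record layout and the examiner name are assumptions. On a real device the source would be a block device opened behind a write blocker.

```python
"""Bit-for-bit acquisition with before/after hashing and an acquisition record."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB read size


def hash_file(path):
    """SHA-256 of a file read in chunks, so large images do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, image_path, examiner):
    """Copy `source` to `image_path` byte for byte.

    The source is opened read-only and hashed before and after the copy; the
    image is hashed independently. `verified` is only true when all hashes agree,
    which is what a court will expect the examiner to be able to show.
    """
    started = datetime.now(timezone.utc).isoformat()
    pre_hash = hash_file(source)
    streamed = hashlib.sha256()
    size = 0
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
            streamed.update(chunk)
            size += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())
    post_hash = hash_file(source)
    image_hash = hash_file(image_path)
    return {
        "source": source,
        "image": image_path,
        "bytes": size,
        "sha256_source_before": pre_hash,
        "sha256_source_after": post_hash,
        "sha256_image": image_hash,
        "examiner": examiner,  # assumed field; chain-of-custody forms vary
        "started_utc": started,
        "verified": pre_hash == post_hash == streamed.hexdigest() == image_hash,
    }


def verify_image(image_path, expected_sha256):
    """Re-hash an image later (e.g. before analysis) and compare to the record."""
    return hash_file(image_path) == expected_sha256


def record_line(record):
    """One JSON line suitable for appending to a chain-of-custody log."""
    return json.dumps(record, sort_keys=True)


def demo():
    """Acquire a constructed disk, verify the image, then detect a modified image."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "evidence_disk.bin")
        img = os.path.join(d, "evidence_disk.dd")
        with open(src, "wb") as f:  # constructed "disk" contents, not real evidence
            f.write(b"MBR\x55\xaa" + os.urandom(3 * CHUNK + 123))
        record = acquire_image(src, img, examiner="analyst-01")
        intact = verify_image(img, record["sha256_image"])
        with open(img, "ab") as f:  # simulate the image being altered after acquisition
            f.write(b"\x00")
        tampered = verify_image(img, record["sha256_image"])
    return record, intact, tampered


if __name__ == "__main__":
    rec, ok_before, ok_after = demo()
    print(record_line(rec))
    print("image verified:", ok_before, "after modification:", ok_after)
```

The before/after source hashes are also the practical difference between disk and live acquisition: on a powered-down disk behind a write blocker they match; on a running host they will not, because the system keeps changing underneath the tool, which is why live acquisition has to be documented rather than "proven" by a hash.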
EPP
Endpoint Protection Platform (EPP):
Purpose: Protects devices from threats like viruses and malware.
How It Works: Uses antivirus, anti-malware, and firewall tools to block attacks.
ESI
electronically stored information (ESI)
EDR
Endpoint Detection and Response (EDR):
Purpose: Detects and responds to advanced threats on devices.
How It Works: Monitors device activities, detects suspicious behavior, and provides tools for investigation and response.
XDR
Extended Detection and Response (XDR):
Purpose: Provides a broader security view across multiple systems.
How It Works: Collects and analyzes data from various security tools (like EPP and EDR) to detect and respond to threats more effectively.
OVAL
Open Vulnerability and Assessment Language (OVAL)—an XML schema for describing system security state and querying vulnerability reports and information.
XCCDF
Extensible Configuration Checklist Description Format (XCCDF)—an XML schema for developing and auditing best practice configuration checklists and rules.
The leader of the cybersecurity team for a major e-commerce company recently encountered a major data breach that led to the exposure of customer payment details. The team has now contained the breach and is moving toward the final phase of the incident response cycle. After completing all previous steps, what is the team’s primary objective in the final phase?
A.Identifying stakeholders and reporting it to relevant parties
B.Determining the root cause of the incident to eradicate it
C.Restoring the affected system to a secure state to reintegrate it
D.Analyzing the incident to improve procedures or systems
D
A major financial institution's computer incident response team (CIRT) is dealing with a complex cyber attack. The attack started with several spear phishing emails sent to crucial employees in different departments. These emails had skillfully crafted messages and appeared to have legitimate attachments; opening them launched a highly evasive and previously unknown malware. What steps should the CIRT take in the containment phase of the incident response process to address this advanced attack?
A.Disconnect all affected hosts from the network and shut down all communication channels.
B.Use network segmentation to isolate and monitor infected systems, to analyze the attacker’s tactics.
C.Immediately restore affected systems from backups and apply patches to prevent further attacks.
D.Temporarily disable all user accounts and applications to prevent further spread of malware.
B
Which type of analysis involves deep-down, frame-by-frame scrutiny of captured network traffic to decode packet header fields and payload contents, aiding in identifying attack tools, data exfiltration attempts, and suspicious domains?
A.Retrospective network analysis
B.Protocol-level summarization
C.Security information and event management packet aggregation
D.Sensor-based traffic recording
A
What is the primary purpose of the containment phase of cybersecurity incident management during an incident response lifecycle for a user account? (Select the two best options.)
A.Remove all traces of the incident from affected systems
B.Identify the root cause of the incident and gather evidence for legal action
C.Limit the immediate impact of the incident while securing data and notifying stakeholders
D.Disable a user account
C and D
What is the primary risk when using the live acquisition method during a cybersecurity investigation?
A.It may alert the threat actor and allow time for anti-forensic actions.
B.It increases the chances of malware spreading to other systems.
C.It only captures a partial snapshot of the system’s state during the breach.
D.It renders evidence inadmissible in court.
A
In cybersecurity investigations, why is it crucial to ensure the admissibility of digital evidence collected from computer systems?
A.Digital evidence is often visible to the naked eye, ensuring its authenticity.
B.Due process and the fair application of laws require proper handling of digital evidence.
C.The location and identity of threat actors are easily identifiable through digital evidence.
D.Threat actors can tamper with digital evidence without affecting its integrity.
B