CHP 12 Flashcards

1
Q

Incident Response Lifecycle

A

Preparation, Detection, Analysis, Containment, Eradication, Recovery, Lessons learned

2
Q

SOP

A

standard operating procedure (SOP)

3
Q

LLR

A

lessons learned report (LLR)
An analysis of events that can provide insight into how to improve response and support processes in the future; also called an after-action report (AAR).

4
Q

Intelligence Fusion

A

In threat hunting, using sources of threat intelligence data to automate detection of adversary IoCs and TTPs.

5
Q

Digital Forensics

A

Digital forensics is the practice of collecting evidence from computer systems to a standard that will be accepted in a court of law.

6
Q

fact

A

Disk image acquisition refers to acquiring data from nonvolatile storage.

7
Q

Due Process

A

A term used in US and UK common law to require that people only be convicted of crimes following the fair application of the laws of the land.

8
Q

Live acquisition

A

Copying the data while the host is still running.

9
Q

write blocker

A

A write blocker prevents any data on the disk or volume from being changed by filtering write commands at the driver and OS level.

10
Q

EPP

A

Endpoint Protection Platform (EPP):

Purpose: Protects devices from threats like viruses and malware.
How It Works: Uses antivirus, anti-malware, and firewall tools to block attacks.

11
Q

ESI

A

electronically stored information (ESI)

12
Q

EDR

A

Endpoint Detection and Response (EDR):

Purpose: Detects and responds to advanced threats on devices.
How It Works: Monitors device activities, detects suspicious behavior, and provides tools for investigation and response.

12
Q

XDR

A

Extended Detection and Response (XDR):

Purpose: Provides a broader security view across multiple systems.
How It Works: Collects and analyzes data from various security tools (like EPP and EDR) to detect and respond to threats more effectively.

13
Q

OVAL

A

Open Vulnerability and Assessment Language (OVAL)—an XML schema for describing system security state and querying vulnerability reports and information.

14
Q

XCCDF

A

Extensible Configuration Checklist Description Format (XCCDF)—an XML schema for developing and auditing best practice configuration checklists and rules.

15
Q

The leader of the cybersecurity team for a major e-commerce company recently encountered a major data breach that led to the exposure of customer payment details. The team has now contained the breach and is moving toward the final phase of the incident response cycle. After completing all previous steps, what is the team’s primary objective in the final phase?

A. Identifying stakeholders and reporting it to relevant parties
B. Determining the root cause of the incident to eradicate it
C. Restoring the affected system to a secure state to reintegrate it
D. Analyzing the incident to improve procedures or systems

A

D

16
Q

A major financial institution’s computer incident response team (CIRT) is dealing with a complex cyber attack. The attack started with several spear phishing emails sent to crucial employees in different departments. These emails had skillfully crafted messages and appeared to have legitimate attachments. However, upon opening them, the initiation of a highly evasive and previously unknown malware launched. What steps should the CIRT take in the containment phase of the incident response process to address this advanced attack?

A. Disconnect all affected hosts from the network and shut down all communication channels.
B. Use network segmentation to isolate and monitor infected systems, to analyze the attacker’s tactics.
C. Immediately restore affected systems from backups and apply patches to prevent further attacks.
D. Temporarily disable all user accounts and applications to prevent further spread of malware.

A

B

17
Q

Which type of analysis involves deep-down, frame-by-frame scrutiny of captured network traffic to decode packet header fields and payload contents, aiding in identifying attack tools, data exfiltration attempts, and suspicious domains?

A. Retrospective network analysis
B. Protocol-level summarization
C. Security information and event management packet aggregation
D. Sensor-based traffic recording

A

A

18
Q

What is the primary purpose of the containment phase of cybersecurity incident management during an incident response lifecycle for a user account? (Select the two best options.)

A. Remove all traces of the incident from affected systems
B. Identify the root cause of the incident and gather evidence for legal action
C. Limit the immediate impact of the incident while securing data and notifying stakeholders
D. Disable a user account

A

C and D

19
Q

What is the primary risk when using the live acquisition method during a cybersecurity investigation?

A. It may alert the threat actor and allow time for anti-forensic actions.
B. It increases the chances of malware spreading to other systems.
C. It only captures a partial snapshot of the system’s state during the breach.
D. It renders evidence inadmissible in court.

A

D

20
Q

In cybersecurity investigations, why is it crucial to ensure the admissibility of digital evidence collected from computer systems?

A. Digital evidence is often visible to the naked eye, ensuring its authenticity.
B. Due process and the fair application of laws require proper handling of digital evidence.
C. The location and identity of threat actors are easily identifiable through digital evidence.
D. Threat actors can tamper with digital evidence without affecting its integrity.

A

B