CJCSM 6510.01B Cyber Incident Handling Program Flashcards
1
Q
Federal agencies are required to have in place cyber incident handling mechanisms in accordance with which act?
A
FISMA
2
Q
How many services does the Department of Defense require Tier II Computer Network Defense Service Providers (CDSPs) to provide?
A
3
3
Q
Which program was developed by the Department of Defense to provide specific guidance for CC/S/A/FAs regarding the requirements for cyber incident handling and reporting?
A
Cyber Incident Handling Program
4
Q
Joint Staff and CC/S/A/FAs will comply with DoD Cyber Incident Handling Program responsibilities in accordance with which reference?
A
CJCSI 6510.01
5
Q
Which agency must Joint Staff and CC/S/A/FAs ensure that Tier II CNDSPs are registered with to provide CND services for CC/S/A/FA information networks and ISs?
A
DISA
6
Q
Which command must Joint Staff and CC/S/A/FAs coordinate with on cyber incidents prior to taking action outside the Department of Defense?
A
USCYBERCOM
7
Q
Which command directs the operation and defense of DoD information networks IAW the UCP?
A
USSTRATCOM
8
Q
What must USSTRATCOM coordinate with on matters relating to the governance, secure operations, and defense of the IC networks?
A
IC-IRC
9
Q
What directs the actions taken, within the Department of Defense, to protect, monitor, analyze, detect, and respond to unauthorized activity within DoD information networks and ISs?
A
CND
10
Q
How many different tiers is the Department of Defense organized into to conduct CND?
A
3
11
Q
Which tier provides DoD-wide CND operational direction or support to CC/S/A/FAs?
A
Tier 1
12
Q
Which tier provides DoD component-wide CND operational direction or support?
A
Tier 2
13
Q
Which tier provides local CND operational direction or support?
A
Tier 3
14
Q
Which type of data gives the Department of Defense the ability to sense changes in DoD information networks?
A
AS&W
15
Q
Which type of data gives the Department of Defense the ability to sense changes in adversary activities?
A
I&W
16
Q
Which community investigates criminal activity and disseminates threat data that may pertain to domestic or foreign individuals and groups who constitute threats to the Department of Defense?
A
LE
17
Q
Which CND response service identifies several critical elements of an incident to determine and characterize its possible effects on DoD information networks, operational missions, and other defense programs?
A
Cyber Incident Analysis
18
Q
What ensures the acquisition and preservation of data required for tactical analysis, strategic analysis, and/or LE investigations?
A
Cyber Incident Response
19
Q
What is the DoD system of record for lessons learned?
A
JLLIS
20
Q
What is the primary vehicle for reporting and recording all cyber incidents and reportable events?
A
JIMS
21
Q
Security classifications of cyber incidents are determined in accordance with which publication?
A
DoDI O-3600.02
22
Q
How many different types of initial cyber incident reporting are there?
A
2
23
Q
What is the minimum security requirement when sending emails reporting a cyber incident?
A
digital signature
24
Q
What includes the coordinated and initial actions taken to protect the information network or IS from any further malicious activity and to acquire the data required for further analysis?
A
Preliminary response
25
What will Cyber incident containment be coordinated with?
CNDSP
26
What type of data is RAM considered?
Volatile
27
Which type of data are system images and malware considered to be?
Persistent
28
Which type of data is the configuration around the system considered to be?
Environmental
29
What is defined as a series of analytical steps taken to find out what happened in an incident?
Cyber incident analysis
30
What should any software artifacts suspected of being malware be submitted to?
Joint Malware Catalog (JMC)
31
What is the primary path or method used by the adversary to cause the cyber incident or even to occur?
Delivery vector
32
What expands upon the identified delivery vectors and system weaknesses by precisely identifying the sets of conditions allowing the incident to occur?
Root cause identification
33
What refers to a detrimental impact on an organization's ability to perform its mission?
Operational Impact (OI)
34
What refers to an incident's detrimental impact on the technical capabilities of the organization?
Technical Impact (TI)
35
What must actions that potentially affect traffic on the DoD Protected Traffic List be coordinated with?
USCYBERCOM
36
What involves understanding and accurately characterizing the relationship of incidents reported and providing awareness of the cyber security trends as observed by the affected parties?
Trending analysis
37
ISs having which categories of cyber incidents must be rebuilt from trusted media and have up-to-date AV software loaded and configured IAW STIGs and WARNORDs prior to connecting the IS to the information network?
1, 2, and 7
38
What is used to document the technical and operational impact of the cyber incident on the organization?
BDA
39
Within how many hours after the cyber incident has been resolved must the JIMS incident record be updated with the BDA?
24
40
What are lessons learned, initial root cause, problems with executing COAs, and missing policies and procedures all part of?
Post-incident analysis
41
Where are cyber incidents sent that require a postmortem?
USCYBERCOM
42
What is defined as a set of scripts, programs, and other resources used to safely acquire, examine, and preserve volatile and non-volatile data from an IS?
First responder toolkit
43
How many different types of incident response primary reporting structures are there?
2
44
Which type of reporting structure describes the interactions between each of the tier levels and how reporting, notification, and communications shall occur?
Technical
45
What are all reportable cyber events and incidents reported to?
USCYBERCOM
46
What does USCYBERCOM receive reports from of all reportable cyber events and incidents?
JIMS
47
What does USCYBERCOM disseminate information to about DoD Enterprise Incidents Sets?
STRATJIC
48
What provides AS&W and a variety of technical alerts to USCYBERCOM that are shared with other tiers to direct response actions?
NTOC
49
Who enters the cyber incident report into the JIMS?
CNDSP
50
What serve as the focal points for reporting and handling cyber incidents and network management at the lowest level?
Network Service Centers (NSCs)
51
What are issued by any unit commander to provide appropriate senior leadership immediate notification of an incident that has impacted or may impact the mission and/or operations?
OPREPs
52
Which categories of cyber events or incidents affecting Mission Assurance Category (MAC) I or II ISs must be reported using OPREP-3 reporting procedures and structure?
1, 2, 4, and 7
53
What does USCYBERCOM submit OPREP-3 for DoD-wide computer network incidents to?
USSTRATCOM
54
Which categories of cyber events or incidents at a minimum are reported to DoD LE/CI IAW established CC/S/A/FA procedures?
1, 2, and 4
55
What is the primary vehicle for reporting cyber incidents and reportable events?
JIMS
56
What is the principal reporting vehicle for DoD SCI ISs?
JWICS
57
What is defined as any information about an individual that is maintained by a DoD entity?
PII
58
Reports of loss or suspected loss of PII must be submitted to the US-CERT within what time frame after the incident?
1 hour
59
What is the classification of a cyber incident determined in accordance with?
DoDI O-3600.02
60
What seeks to identify the root cause(s) of an incident and is required to fully understand the scope, potential implications, and extent of damage resulting from the incident?
Incident Analysis
61
What is defined as the process of acquiring, preserving, and analyzing IS artifacts that help characterize the incident and develop COA?
System Analysis
62
What is defined as the process of identifying , analyzing, and characterizing reported software artifacts suspected of being adversarial tradecraft to help defense in depth mitigation actions and strategies, CI activities, and LE activities?
Malware analysis
63
What is considered the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody?
Computer forensics
64
Which publication can guidance be found on integrating forensic techniques into incident response?
NIST SP 800-86
65
How many basic phases are in the forensics process?
4
66
Which type of data is stored in IS memory that will be lost when the IS loses power or is shutdown?
Volatile
67
Which type of data is stored in the IS's hard drives and removable storage media that will not be changed when the IS is powered off?
Persistent
68
What is defined as software designed and/or deployed by adversaries without the consent or knowledge of the user in support of adversarial missions?
Malware
69
Which type of analysis involves quick checks to characterize the malware sample within the context of the analysis mission?
Surface
70
Which type of analysis is the controlled execution of the malware sample in an isolated environment to monitor, observe, and record run-time behavior without impacting mission-critical systems and infrastructure?
Run-time
71
Which type of analysis focuses on examining and interrupting the contents of the malware sample in the context of an analysis mission?
Static
72
What is the most in-depth form of malware analysis?
Reverse engineering
73
What must any malware that is uncovered throughout the incident response process be cataloged to?
JMC
74
Network analysis compromises data sources, data collection, along with what else?
Data analysis
75
Which type of data can provide complete insight into the network transactions that occurred between hosts?
Full Packet Capture
76
What is used to avoid allegations of mishandling or tampering with evidence and increases the probability of the evidence being entered into a court proceeding?
Chain of custody
77
What is defined as an organized and coordinated series of steps to resolve or mitigate a reported incident?
Incident Response
78
What have the primary objective to halt or minimize attack effects or damage while maintaining operational mission continuity?
Response Actions (RAs)
79
How many different types of response activities can occur?
3
80
Which type of RAs involve containment or eradication of any risks or threats associated with the cyber incident, and the rebuilding or restoring of affected ISs to a normal operational state?
Technical
81
Which type of RAs require some type of administrative, supervisory, or management intervention, notification, interaction, escalation, or approval as part of any response?
Management
82
What include the actions necessary to respond to the reportable cyber event or incident, fix the IS, return the IS to operations, and assess the risk for the IS or information network?
Courses of Action (COAs)
83
Which command reserves the right to direct and assist CC/S/A/FAs with the response actions for incidents that fall into a DoD enterprise incident set or when actions otherwise affect multiple theater or Service information networks?
USCYBERCOM
84
What is defined as short term, tactical actions to stop an intruder's access to a compromised IS, limit the extent of an intrusion, and prevent an intruder from causing further damage?
Containment
85
What is defined as using network access controls at the perimeter or enclave boundary to prevent the attacker from connecting to the other DoD information networks, ISs, or DoD data and services?
Blocking
86
Which type of blocks are specific to the component behind the firewall?
Enclave
87
What involves the use of network access controls to logically segment the network and restricted access to the affected hosts?
Network Isolation
88
What is defined as the steps required to eliminate the root cause(s) of an intrusion?
Eradication
89
Where must any malware that is uncovered throughout the incident response process be cataloged?
JMC
90
What is defined as the steps necessary to restore the integrity of affected ISs, return the affected data, ISs, and information networks to an operational state, and implement follow up strategies to prevent the incident from happening again?
Recovery
91
All ISs having which categories of incidents must be erased and rebuilt from trusted media, then patched and updated prior to connecting the IS to the information network?
1, 2, or 7
92
What is defined as a review of the incident, including the detection, analysis, and response phases?
Postmortem
93
What is the focal point for Net Defense threat data in the Department of Defense?
USCYBERCOM
94
Which type of data consists of information that can help lead to increased defense of DoD information networks and the attribution of intent of network intruder(s)?
Threat
95
What employs intelligence, counterintelligence, law enforcement and other military capabilities to defend DoD information and computer networks?
CND
96
Where is the technical reporting between the incident handling program and intelligence maintained?
JIMS
97
Which group consists of senior representatives from federal agencies that have roles and responsibilities related to preventing, investigating, defending against, responding to, mitigating, and assisting in the recovery from cyber incidents and attacks?
Cyber Unified Coordination Group (CUCG)
98
What is an interagency forum where organizations responsible for a range of activities (technical response and recovery, LE, intelligence, and defensive measures) coordinate for the purpose of preparing for and executing an efficient and effective response to an incident?
NCRCG
99
What is the central repository for managing all reportable events and incidents in the Department of Defense?
JIMS
100
What is the system of record for the JLLP that provides a Web-enabled information management system to meet operational needs for reporting lessons learned?
Joint Lessons Learned Information System
| JLLIS
101
What is used by CND Analysts for collecting, processing, and storing the DoD networking sensing environment information, facilitating execution of selected COAs to mitigate and respond to attacks directed at DoD information networks?
Enterprise Sensor Grid (ESG)
102
What is the functional owner of the JIMS and maintains and manages it?
USCYBERCOM
103
What is the central repository for storing malware and associated analysis?
Joint Malware Catalog (JMC)
104
What is the basis for the Department of Defense's capability to rapidly analyze malicious code and provide an accurate understanding of its behavior and capabilities?
Joint Malware Catalog (JMC)
105
What is the functional owner of the JMC?
USCYBERCOM
106
What is the primary CND intelligence analysis tool suite used to derive CND intelligence information?
JIMS
107
Which list ensures critical DoD ISs are not affected inadvertently by responses to CND events?
DoD Protected Traffic List
108
What are defined as groups of related incidents and associated data requiring centralized management at the DoD level?
Incident sets
109
How many progressive readiness conditions are there in the CYBERCON system?
5
110
Operations in support of CYBERCON implementation will be executed in accordance with which publication?
CJCSI 3121.01B
