CJCSM 6510.01B Cyber Incident Handling Program Flashcards

1
Q

Federal agencies are required to have in place cyber incident handling mechanisms in accordance with which act?

A

FISMA

2
Q

How many services does the Department of Defense require Tier II Computer Network Defense Service Providers (CDSPs) to provide?

A

3

3
Q

Which program was developed by the Department of Defense to provide specific guidance for CC/S/A/FAs regarding the requirements for cyber incident handling and reporting?

A

Cyber Incident Handling Program

4
Q

Joint Staff and CC/S/A/FAs will comply with DoD Cyber Incident Handling Program responsibilities in accordance with which reference?

A

CJCSI 6510.01

5
Q

With which agency must Joint Staff and CC/S/A/FAs ensure that Tier II CNDSPs are registered in order to provide CND services for CC/S/A/FA information networks and ISs?

A

DISA

6
Q

Which command must Joint Staff and CC/S/A/FAs coordinate with on cyber incidents prior to taking action outside the Department of Defense?

A

USCYBERCOM

7
Q

Which command directs the operation and defense of DoD information networks IAW the UCP?

A

USSTRATCOM

8
Q

What must USSTRATCOM coordinate with on matters relating to the governance, secure operations, and defense of the IC networks?

A

IC-IRC

9
Q

What directs the actions taken, within the Department of Defense, to protect, monitor, analyze, detect, and respond to unauthorized activity within DoD information networks and ISs?

A

CND

10
Q

How many different tiers is the Department of Defense organized into to conduct CND?

A

3

11
Q

Which tier provides DoD-wide CND operational direction or support to CC/S/A/FAs?

A

Tier 1

12
Q

Which tier provides DoD component-wide CND operational direction or support?

A

Tier 2

13
Q

Which tier provides local CND operational direction or support?

A

Tier 3

14
Q

Which type of data gives the Department of Defense the ability to sense changes in DoD information networks?

A

AS&W

15
Q

Which type of data gives the Department of Defense the ability to sense changes in adversary activities?

A

I&W

16
Q

Which community investigates criminal activity and disseminates threat data that may pertain to domestic or foreign individuals and groups who constitute threats to the Department of Defense?

A

LE

17
Q

Which CND response service identifies several critical elements of an incident to determine and characterize its possible effects on DoD information networks, operational missions, and other defense programs?

A

Cyber Incident Analysis

18
Q

What ensures the acquisition and preservation of data required for tactical analysis, strategic analysis, and/or LE investigations?

A

Cyber Incident Response

19
Q

What is the DoD system of record for lessons learned?

A

JLLIS

20
Q

What is the primary vehicle for reporting and recording all cyber incidents and reportable events?

A

JIMS

21
Q

Security classifications of cyber incidents are determined in accordance with which publication?

A

DoDI O-3600.02

22
Q

How many different types of initial cyber incident reporting are there?

A

2

23
Q

What is the minimum security requirement when sending emails reporting a cyber incident?

A

digital signature

24
Q

What includes the coordinated and initial actions taken to protect the information network or IS from any further malicious activity and to acquire the data required for further analysis?

A

Preliminary response

25
Q

What will cyber incident containment be coordinated with?

A

CNDSP

26
Q

What type of data is RAM considered?

A

Volatile

27
Q

Which type of data are system images and malware considered to be?

A

Persistent

28
Q

Which type of data is the configuration around the system considered to be?

A

Environmental

29
Q

What is defined as a series of analytical steps taken to find out what happened in an incident?

A

Cyber incident analysis

30
Q

What should any software artifacts suspected of being malware be submitted to?

A

Joint Malware Catalog (JMC)

31
Q

What is the primary path or method used by the adversary to cause the cyber incident or event to occur?

A

Delivery vector

32
Q

What expands upon the identified delivery vectors and system weaknesses by precisely identifying the sets of conditions allowing the incident to occur?

A

Root cause identification

33
Q

What refers to a detrimental impact on an organization’s ability to perform its mission?

A

Operational Impact (OI)

34
Q

What refers to an incident’s detrimental impact on the technical capabilities of the organization?

A

Technical Impact (TI)

35
Q

What must actions that potentially affect traffic on the DoD Protected Traffic List be coordinated with?

A

USCYBERCOM

36
Q

What involves understanding and accurately characterizing the relationship of incidents reported and providing awareness of the cyber security trends as observed by the affected parties?

A

Trending analysis

37
Q

ISs having which categories of cyber incidents must be rebuilt from trusted media and have up-to-date AV software loaded and configured IAW STIGs and WARNORDs prior to connecting the IS to the information network?

A

1, 2, and 7

38
Q

What is used to document the technical and operational impact of the cyber incident on the organization?

A

BDA

39
Q

Within how many hours after the cyber incident has been resolved must the JIMS incident record be updated with the BDA?

A

24

40
Q

What are lessons learned, initial root cause, problems with executing COAs, and missing policies and procedures all part of?

A

Post-incident analysis

41
Q

Where are cyber incidents sent that require a postmortem?

A

USCYBERCOM

42
Q

What is defined as a set of scripts, programs, and other resources used to safely acquire, examine, and preserve volatile and non-volatile data from an IS?

A

First responder toolkit

43
Q

How many different types of incident response primary reporting structures are there?

A

2

44
Q

Which type of reporting structure describes the interactions between each of the tier levels and how reporting, notification, and communications shall occur?

A

Technical

45
Q

What are all reportable cyber events and incidents reported to?

A

USCYBERCOM

46
Q

From what does USCYBERCOM receive reports of all reportable cyber events and incidents?

A

JIMS

47
Q

To what does USCYBERCOM disseminate information about DoD Enterprise Incident Sets?

A

STRATJIC

48
Q

What provides AS&W and a variety of technical alerts to USCYBERCOM that are shared with other tiers to direct response actions?

A

NTOC

49
Q

Who enters the cyber incident report into the JIMS?

A

CNDSP

50
Q

What serve as the focal points for reporting and handling cyber incidents and network management at the lowest level?

A

Network Service Centers (NSCs)

51
Q

What are issued by any unit commander to provide appropriate senior leadership immediate notification of an incident that has impacted or may impact the mission and/or operations?

A

OPREPs

52
Q

Which categories of cyber events or incidents affecting Mission Assurance Category (MAC) I or II ISs must be reported using OPREP-3 reporting procedures and structure?

A

1, 2, 4, and 7

53
Q

To what does USCYBERCOM submit OPREP-3 reports for DoD-wide computer network incidents?

A

USSTRATCOM

54
Q

Which categories of cyber events or incidents at a minimum are reported to DoD LE/CI IAW established CC/S/A/FA procedures?

A

1, 2, and 4

55
Q

What is the primary vehicle for reporting cyber incidents and reportable events?

A

JIMS

56
Q

What is the principal reporting vehicle for DoD SCI ISs?

A

JWICS

57
Q

What is defined as any information about an individual that is maintained by a DoD entity?

A

PII

58
Q

Reports of loss or suspected loss of PII must be submitted to the US-CERT within what time frame after the incident?

A

1 hour

59
Q

What is the classification of a cyber incident determined in accordance with?

A

DoDI O-3600.02

60
Q

What seeks to identify the root cause(s) of an incident and is required to fully understand the scope, potential implications, and extent of damage resulting from the incident?

A

Incident Analysis

61
Q

What is defined as the process of acquiring, preserving, and analyzing IS artifacts that help characterize the incident and develop COA?

A

System Analysis

62
Q

What is defined as the process of identifying, analyzing, and characterizing reported software artifacts suspected of being adversarial tradecraft to help defense in depth mitigation actions and strategies, CI activities, and LE activities?

A

Malware analysis

63
Q

What is considered the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody?

A

Computer forensics

64
Q

In which publication can guidance be found on integrating forensic techniques into incident response?

A

NIST SP 800-86

65
Q

How many basic phases are in the forensics process?

A

4

66
Q

Which type of data is stored in IS memory and will be lost when the IS loses power or is shut down?

A

Volatile

67
Q

Which type of data is stored on the IS's hard drives and removable storage media and will not be changed when the IS is powered off?

A

Persistent

68
Q

What is defined as software designed and/or deployed by adversaries without the consent or knowledge of the user in support of adversarial missions?

A

Malware

69
Q

Which type of analysis involves quick checks to characterize the malware sample within the context of the analysis mission?

A

Surface

70
Q

Which type of analysis is the controlled execution of the malware sample in an isolated environment to monitor, observe, and record run-time behavior without impacting mission-critical systems and infrastructure?

A

Run-time

71
Q

Which type of analysis focuses on examining and interpreting the contents of the malware sample in the context of an analysis mission?

A

Static

72
Q

What is the most in-depth form of malware analysis?

A

Reverse engineering

73
Q

Where must any malware that is uncovered throughout the incident response process be cataloged?

A

JMC

74
Q

Network analysis comprises data sources and data collection, along with what else?

A

Data analysis

75
Q

Which type of data can provide complete insight into the network transactions that occurred between hosts?

A

Full Packet Capture

76
Q

What is used to avoid allegations of mishandling or tampering with evidence and increases the probability of the evidence being entered into a court proceeding?

A

Chain of custody

77
Q

What is defined as an organized and coordinated series of steps to resolve or mitigate a reported incident?

A

Incident Response

78
Q

What have the primary objective of halting or minimizing attack effects or damage while maintaining operational mission continuity?

A

Response Actions (RAs)

79
Q

How many different types of response activities can occur?

A

3

80
Q

Which type of RAs involve containment or eradication of any risks or threats associated with the cyber incident, and the rebuilding or restoring of affected ISs to a normal operational state?

A

Technical

81
Q

Which type of RAs require some type of administrative, supervisory, or management intervention, notification, interaction, escalation, or approval as part of any response?

A

Management

82
Q

What include the actions necessary to respond to the reportable cyber event or incident, fix the IS, return the IS to operations, and assess the risk for the IS or information network?

A

Courses of Action (COAs)

83
Q

Which command reserves the right to direct and assist CC/S/A/FAs with the response actions for incidents that fall into a DoD enterprise incident set or when actions otherwise affect multiple theater or Service information networks?

A

USCYBERCOM

84
Q

What is defined as short term, tactical actions to stop an intruder’s access to a compromised IS, limit the extent of an intrusion, and prevent an intruder from causing further damage?

A

Containment

85
Q

What is defined as using network access controls at the perimeter or enclave boundary to prevent the attacker from connecting to the other DoD information networks, ISs, or DoD data and services?

A

Blocking

86
Q

Which type of blocks are specific to the component behind the firewall?

A

Enclave

87
Q

What involves the use of network access controls to logically segment the network and restrict access to the affected hosts?

A

Network Isolation

88
Q

What is defined as the steps required to eliminate the root cause(s) of an intrusion?

A

Eradication

89
Q

Where must any malware that is uncovered throughout the incident response process be cataloged?

A

JMC

90
Q

What is defined as the steps necessary to restore the integrity of affected ISs, return the affected data, ISs, and information networks to an operational state, and implement follow up strategies to prevent the incident from happening again?

A

Recovery

91
Q

All ISs having which categories of incidents must be erased and rebuilt from trusted media, then patched and updated prior to connecting the IS to the information network?

A

1, 2, or 7

92
Q

What is defined as a review of the incident, including the detection, analysis, and response phases?

A

Postmortem

93
Q

What is the focal point for Net Defense threat data in the Department of Defense?

A

USCYBERCOM

94
Q

Which type of data consists of information that can help lead to increased defense of DoD information networks and the attribution of intent of network intruder(s)?

A

Threat

95
Q

What employs intelligence, counterintelligence, law enforcement and other military capabilities to defend DoD information and computer networks?

A

CND

96
Q

Where is the technical reporting between the incident handling program and intelligence maintained?

A

JIMS

97
Q

Which group consists of senior representatives from federal agencies that have roles and responsibilities related to preventing, investigating, defending against, responding to, mitigating, and assisting in the recovery from cyber incidents and attacks?

A

Cyber Unified Coordination Group (CUCG)

98
Q

What is an interagency forum where organizations responsible for a range of activities (technical response and recovery, LE, intelligence, and defensive measures) coordinate for the purpose of preparing for and executing an efficient and effective response to an incident?

A

NCRCG

99
Q

What is the central repository for managing all reportable events and incidents in the Department of Defense?

A

JIMS

100
Q

What is the system of record for the JLLP that provides a Web-enabled information management system to meet operational needs for reporting lessons learned?

A

Joint Lessons Learned Information System (JLLIS)

101
Q

What is used by CND Analysts for collecting, processing, and storing the DoD networking sensing environment information, facilitating execution of selected COAs to mitigate and respond to attacks directed at DoD information networks?

A

Enterprise Sensor Grid (ESG)

102
Q

What is the functional owner of the JIMS and maintains and manages it?

A

USCYBERCOM

103
Q

What is the central repository for storing malware and associated analysis?

A

Joint Malware Catalog (JMC)

104
Q

What is the basis for the Department of Defense’s capability to rapidly analyze malicious code and provide an accurate understanding of its behavior and capabilities?

A

Joint Malware Catalog (JMC)

105
Q

What is the functional owner of the JMC?

A

USCYBERCOM

106
Q

What is the primary CND intelligence analysis tool suite used to derive CND intelligence information?

A

JIMS

107
Q

Which list ensures critical DoD ISs are not affected inadvertently by responses to CND events?

A

DoD Protected Traffic List

108
Q

What are defined as groups of related incidents and associated data requiring centralized management at the DoD level?

A

Incident sets

109
Q

How many progressive readiness conditions are there in the CYBERCON system?

A

5

110
Q

Operations in support of CYBERCON implementation will be executed in accordance with which publication?

A

CJCSI 3121.01B