Containment, Eradication, and Recovery Flashcards
Which one of the phases of incident response involves primarily active undertakings designed to limit the damage that an attacker might cause?
A. Containment, Eradication, and Recovery
B. Preparation
C. Postincident Activity
D. Detection and Analysis
Answer:
A. The containment, eradication, and recovery phase of incident response includes active undertakings designed to minimize the damage caused by the incident and restore normal operations as quickly as possible.
Which one of the following criteria is not normally used when evaluating the appropriateness of a cybersecurity incident containment strategy?
A. Effectiveness of the strategy
B. Evidence preservation requirements
C. Log records generated by the strategy
D. Cost of the strategy
Answer:
C. NIST recommends using six criteria to evaluate a containment strategy: the potential damage to resources, the need for evidence preservation, service availability, time and resources required (including cost), effectiveness of the strategy, and duration of the solution.
Alice is responding to a cybersecurity incident and notices a system that she suspects is compromised. She places this system on a quarantine VLAN with limited access to other networked systems. What containment strategy is Alice pursuing?
A. Eradication
B. Isolation
C. Segmentation
D. Removal
Answer:
C. In a segmentation approach, the suspect system is placed on a separate network, where it has very limited access to other networked resources.
Alice confers with other team members and decides that even allowing limited access to other systems is an unacceptable risk. She instead prevents the quarantine VLAN from accessing any other systems by putting firewall rules in place that block access to other enterprise systems. The attacker can still control the system, which allows Alice to continue monitoring the incident. What strategy is she now pursuing?
A. Eradication
B. Isolation
C. Segmentation
D. Removal
Answer:
B. In the isolation strategy, the quarantine network is directly connected to the Internet or restricted severely by firewall rules so that the attacker may continue to control it but not gain access to any other networked resources.
After observing the attacker, Alice decides to remove the Internet connection entirely, leaving the systems running but inaccessible from outside the quarantine VLAN. What strategy is she now pursuing?
A. Eradication
B. Isolation
C. Segmentation
D. Removal
Answer:
D. In the removal approach, Alice keeps the systems running for forensic purposes but completely cuts off their access to or from other networks, including the Internet.
Which one of the following tools may be used to isolate an attacker so that they may not cause damage to production systems but may still be observed by cybersecurity analysts?
A. Sandbox
B. Playpen
C. IDS
D. DLP
Answer:
A. Sandboxes are isolation tools used to contain attackers within an environment where they believe they are conducting an attack but, in reality, are operating in a benign environment.
Tamara is a cybersecurity analyst for a private business that is suffering a security breach. She believes the attackers have compromised a database containing sensitive information. Which one of the following activities should be Tamara’s first priority?
A. Identifying the source of the attack
B. Eradication
C. Containment
D. Recovery
Answer:
C. Tamara’s first priority should be containing the attack. This will prevent it from spreading to other systems and also potentially stop the exfiltration of sensitive information. Only after containing the attack should Tamara move on to eradication and recovery activities. Identifying the source of the attack should be a low priority.
Which one of the following activities does CompTIA classify as part of the recovery validation effort?
A. Rebuilding systems
B. Sanitization
C. Secure disposal
D. Scanning
Answer:
D. CompTIA includes patching, permissions, security scanning, and verifying logging/communication to monitoring in the set of validation activities that cybersecurity analysts should undertake in the aftermath of a security incident.
Which one of the following pieces of information is most critical to conducting a solid incident recovery effort?
A. Identity of the attacker
B. Time of the attack
C. Root cause of the attack
D. Attacks on other organizations
Answer:
C. Understanding the root cause of an attack is critical to the incident recovery effort. Analysts should examine all available information to help reconstruct the attacker’s actions. This information is crucial to remediating security controls and preventing future similar attacks.
Lynda is disposing of a drive containing sensitive information that was collected during the response to a cybersecurity incident. The information is categorized as a high security risk, and she wishes to reuse the media during a future incident. What is the appropriate disposition for this information?
A. Clear
B. Erase
C. Purge
D. Destroy
Answer:
C. Lynda should consult the disposal flowchart. Following that chart, the appropriate disposition for media that contains high security risk information and will be reused within the organization is to purge it.
Which one of the following activities is not normally conducted during the recovery validation phase?
A. Verify the permissions assigned to each account
B. Implement new firewall rules
C. Conduct vulnerability scans
D. Verify logging is functioning properly
Answer:
B. New firewall rules, if required, would be implemented during the eradication and recovery phase. The validation phase includes verifying accounts and permissions, verifying that logging is working properly, and conducting vulnerability scans.
What incident response activity focuses on removing any artifacts of the incident that may remain on the organization’s network?
A. Containment
B. Recovery
C. Postincident Activities
D. Eradication
Answer:
D. The primary purpose of eradication is to remove any of the artifacts of the incident that may remain on the organization’s network. This may include the removal of any malicious code from the network, the sanitization of compromised media, and the securing of compromised user accounts.
Which one of the following is not a common use of formal incident reports?
A. Training new team members
B. Sharing with other organizations
C. Developing new security controls
D. Assisting with legal action
Answer:
B. There are many potential uses for written incident reports. First, they create an institutional memory of the incident that is useful when developing new security controls and training new security team members. Second, they may serve as an important record of the incident if legal action results from it. These reports should be classified and not disclosed to external parties.
Which one of the following data elements would not normally be included in an evidence log?
A. Serial number
B. Record of handling
C. Storage location
D. Malware signatures
Answer:
D. Malware signatures would not normally be included in an evidence log. The log would typically contain identifying information (e.g., the location, serial number, model number, hostname, MAC addresses, and IP addresses of a computer); the name, title, and phone number of each individual who collected or handled the evidence during the investigation; the time and date (including time zone) of each occurrence of evidence handling; and the locations where the evidence was stored.
Sondra determines that an attacker has gained access to a server containing critical business files and wishes to ensure that the attacker cannot delete those files. Which one of the following strategies would meet Sondra’s goal?
A. Isolation
B. Segmentation
C. Removal
D. None of the above
Answer:
D. Even removing a system from the network doesn’t guarantee that the attack will not continue. In the example given in this chapter, an attacker can run a script on the server that detects when it has been removed from the network and then proceeds to destroy data stored on the server.