Domain 4, Quiz 3 Flashcards
During an incident response, what is the first stage to consider?
a. Eradication
b. Analysis
c. Preparation
d. Recovery
Preparation
Preparation is correct because it is the initial stage of incident response, where teams ensure they have the right tools, skills, and procedures in place.
What does the “Tabletop exercise” relate to within the context of incident response?
a. Software used in threat hunting
b. Digital forensics tool
c. Testing an incident response plan
d. Automated report
Testing an incident response plan
Testing an incident response plan is correct because a tabletop exercise is a form of testing in which team members walk through scenarios to see how they would respond.
In digital forensics, what ensures that evidence has remained untouched from acquisition to court presentation?
a. Metadata
b. Digital signature
c. E-discovery
d. Chain of custody
Chain of custody
Chain of custody is correct because it tracks the evidence’s possession, handling, and storage, ensuring it remains unaltered.
Which data source is best suited to provide information on potential malicious activity across an organization’s network traffic?
a. IPS/IDS logs
b. Vulnerability scans
c. Endpoint logs
d. OS-specific security logs
IPS/IDS logs
IPS/IDS logs are correct because Intrusion Prevention Systems and Intrusion Detection Systems specifically monitor and log network traffic for potential threats.
What is a primary concern when introducing automation and orchestration in security operations?
a. Complexity
b. Workforce multiplier
c. Enabling/disabling services and access
d. Continuous integration and testing
Complexity
Complexity is correct because introducing automation can make systems and processes more complex, necessitating proper management and understanding.
What step in the incident response process involves taking actions to limit the damage of an incident and prevent further damage?
a. Containment
b. Analysis
c. Detection
d. Recovery
Containment
Containment is correct because it focuses on limiting the damage and spread of an incident.
In the context of using data sources to support an investigation, which of the following would give insights into vulnerabilities present in an organization’s systems?
a. Packet captures
b. Vulnerability scans
c. Firewall logs
d. Network logs
Vulnerability scans
Vulnerability scans are correct because they are specifically designed to identify and report on system vulnerabilities.
Which term refers to proactive identification and mitigation of threats before they become incidents?
a. E-discovery
b. Root cause analysis
c. Legal hold
d. Threat hunting
Threat hunting
Threat hunting is correct because it involves actively searching for signs of malicious activity to prevent potential threats.
When considering automation in security operations, what describes the scenario where automated processes create more problems than they solve, necessitating additional work?
a. Reaction time
b. Guard rails
c. Scaling in a secure manner
d. Technical debt
Technical debt
Technical debt is correct because it refers to the future costs (in terms of time, effort, or money) incurred due to choosing a quick but potentially problematic solution now.
In the realm of security operations automation, which term best describes pre-defined configurations that are applied to ensure consistency across systems?
a. Escalation
b. Continuous integration
c. Ticket creation
d. Standard infrastructure configurations
Standard infrastructure configurations
Standard infrastructure configurations are correct because they pertain to applying a consistent set of configurations across systems for uniformity.
After an incident has been resolved, which phase of incident response focuses on identifying what went wrong and how to prevent similar incidents in the future?
a. Containment
b. Eradication
c. Recovery
d. Lessons learned
Lessons learned
Lessons learned is correct because this phase emphasizes understanding the incident and devising strategies to prevent similar occurrences.
If an organization wants to understand the original cause of a security breach, which activity should they prioritize?
a. Digital forensics reporting
b. Threat hunting
c. Tabletop exercise
d. Root cause analysis
Root cause analysis
Root cause analysis is correct because it investigates the primary cause of an issue or incident.
Which type of log would most likely provide detailed insights into system-level events and potential security breaches on a Windows operating system?
a. Vulnerability scans
b. Firewall logs
c. OS-specific security logs
d. Application logs
OS-specific security logs
OS-specific security logs are correct because they capture events specifically related to the operating system.
Which of the following best describes a proactive approach to discovering threats in an environment before they can cause harm?
a. Threat hunting
b. Simulation
c. Root cause analysis
d. Digital forensics
Threat hunting
Threat hunting is correct because it involves actively searching for threats in an environment before they can escalate.
When capturing data packets moving across a network for analysis, which of the following is the primary data source?
a. Firewall logs
b. Dashboards
c. Automated reports
d. Packet captures
Packet captures
Packet captures are correct because they record raw data packets moving across a network.