Domain 4.0: Operations and Incident Response Flashcards
ping
Command-line tool that tests network connectivity by sending ICMP echo requests and timing the replies.
nmap
Network scanning tool (host discovery, port scanning, service and OS detection) often used in security audits.
netstat
Shows network statistics, including protocol, source and destination addresses and ports, and connection state (for example LISTENING or ESTABLISHED).
netcat
Network utility that reads from and writes to raw TCP or UDP connections; used to gather information from transport-layer connections (banner grabbing, simple listeners, checking whether a port answers).
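The two netcat roles (a listener, `nc -l -p <port>`, and a client, `nc host port`) reproduced with plain sockets so the exchange can be seen end to end. This is an added example, not part of the original flashcards or of netcat itself; the banner text and the `probe`/`start_listener` names are constructed for the demonstration.

```python
import socket
import threading

# Constructed banner for the local test listener; a real service sends its own.
BANNER = b"220 evidence-host ESMTP ready\r\n"


def start_listener(banner=BANNER, host="127.0.0.1"):
    """Open a TCP listener on an ephemeral port, the way `nc -l -p <port>` does.

    A background thread accepts one client, sends the banner, reads one
    message, echoes it back with a prefix and closes. Returns (port, thread).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))          # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
            request = conn.recv(1024)
            conn.sendall(b"you sent: " + request)
        srv.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, thread


def probe(host, port, payload, timeout=3.0):
    """Connect, read the banner, send one line and read the reply: what `nc host port` shows.

    Returns (banner, reply) as stripped strings. A refused connection or a
    timeout raises OSError, which is itself information about the port.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(1024)
        s.sendall(payload)
        reply = s.recv(1024)
    return (banner.decode(errors="replace").strip(),
            reply.decode(errors="replace").strip())


def demo():
    """Run listener and client on localhost and return what the client saw."""
    port, thread = start_listener()
    result = probe("127.0.0.1", port, b"EHLO probe\r\n")
    thread.join(timeout=3.0)
    return result
```

Banner grabbing works because many services speak first; for services that wait for the client, the payload sent by `probe` is what elicits the identifying reply.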
dig and nslookup
Troubleshooting tools that query DNS servers (forward and reverse lookups, specific record types, and which server answered).
What are common command-line tools for file display and manipulation?
head, tail and cat
Python
General-purpose programming language, commonly used for scripting and automating security tasks.
tcpdump
Command-line packet analyzer that captures and displays TCP/IP packets.
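What a practitioner does with tcpdump output during incident response: parse the text lines and run a detection over them. The example below is added here and is not from the original flashcards or from tcpdump; the capture lines are constructed in the standard tcpdump text layout, and the SYN-scan heuristic (a source sending bare SYNs to many distinct ports, the pattern an nmap port scan produces) is the author's own.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines (not a real capture): 10.0.0.5 sends SYN-only
# probes to five ports on 10.0.0.9; 10.0.0.7 completes a normal handshake to 443.
SAMPLE_CAPTURE = """\
12:00:01.000100 IP 10.0.0.5.40001 > 10.0.0.9.22: Flags [S], seq 1, win 64240, length 0
12:00:01.000200 IP 10.0.0.5.40002 > 10.0.0.9.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000300 IP 10.0.0.5.40003 > 10.0.0.9.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000400 IP 10.0.0.5.40004 > 10.0.0.9.445: Flags [S], seq 1, win 64240, length 0
12:00:01.000500 IP 10.0.0.5.40005 > 10.0.0.9.3389: Flags [S], seq 1, win 64240, length 0
12:00:02.100000 IP 10.0.0.7.51000 > 10.0.0.9.443: Flags [S], seq 100, win 64240, length 0
12:00:02.100500 IP 10.0.0.9.443 > 10.0.0.7.51000: Flags [S.], seq 200, ack 101, win 65160, length 0
12:00:02.101000 IP 10.0.0.7.51000 > 10.0.0.9.443: Flags [.], ack 201, win 502, length 0
12:00:02.102000 IP 10.0.0.7.51000 > 10.0.0.9.443: Flags [P.], seq 101:200, ack 201, win 502, length 99
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_capture(text):
    """Turn tcpdump text output into a list of dicts; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        p = m.groupdict()
        p["sport"] = int(p["sport"])
        p["dport"] = int(p["dport"])
        packets.append(p)
    return packets


def find_syn_scanners(packets, min_ports=5):
    """Sources that sent bare SYNs (no ACK) to at least min_ports distinct destination ports.

    "S" is a SYN-only segment; "S." is the SYN/ACK reply and "." / "P." are
    established-connection traffic, so those never count toward a scan.
    """
    targets = defaultdict(set)
    for p in packets:
        if p["flags"] == "S":
            targets[p["src"]].add((p["dst"], p["dport"]))
    return {
        src: sorted(port for _, port in ports)
        for src, ports in targets.items()
        if len(ports) >= min_ports
    }
```

On a real capture, feed `tcpdump -n -tt 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'` output through `parse_capture`; the `-n` flag matters, because the regex expects numeric addresses rather than resolved names.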
PowerShell
Command-line shell and scripting interface for MS Windows environments
What are examples of forensic tools?
dd, memdump, WinHex, FTK Imager and Autopsy
Where can protocol analyzers be placed in network?
- Placed inline, in between the devices whose traffic you want to capture
- Or attached to a switch SPAN/mirror port or a network tap, which copies the traffic to the analyzer without sitting in the path
What are some of the most common firewall configuration errors?
Permitting traffic from any source to any destination (any/any rules)
Unnecessary services running
Weak authentication
Log file negligence
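A check for the first error in the list, any-source-to-any-destination permits, written as a small rule auditor. This is an added example and not from the original flashcards or any firewall vendor: the rule format (`ACTION PROTO SRC DST PORT`, with `any` as a wildcard) is constructed for the demonstration, and the two rule sets are sample input. Beyond flagging the any/any rule itself, it also reports the rules that such a rule shadows, including a final default deny that can never be reached.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_rule(text):
    """Parse one rule in the constructed format: ACTION PROTO SRC DST PORT."""
    action, proto, src, dst, port = text.split()
    to_net = lambda s: ANY if s == "any" else ipaddress.ip_network(s, strict=False)
    return {
        "action": action,
        "proto": proto,
        "src": to_net(src),
        "dst": to_net(dst),
        "port": None if port == "any" else int(port),
    }


PERMIT_ALL = parse_rule("permit ip any any any")


def covers(a, b):
    """True if rule a matches every packet that rule b matches."""
    return (
        (a["proto"] == "ip" or a["proto"] == b["proto"])
        and b["src"].subnet_of(a["src"])
        and b["dst"].subnet_of(a["dst"])
        and (a["port"] is None or a["port"] == b["port"])
    )


def audit(rule_lines):
    """Return human-readable findings for an ordered, first-match rule list."""
    rules = [parse_rule(l) for l in rule_lines if l.strip() and not l.lstrip().startswith("#")]
    findings, reachable = [], []
    for i, r in enumerate(rules, 1):
        # A rule is unreachable if an earlier reachable rule already matches everything it would.
        shadow = next((j for j, e in reachable if covers(e, r)), None)
        if shadow is not None:
            findings.append(f"rule {i}: unreachable, shadowed by rule {shadow}")
            continue
        reachable.append((i, r))
        if r["action"] == "permit" and covers(r, PERMIT_ALL):
            findings.append(f"rule {i}: permits any source to any destination on any port")
    if not any(e["action"] == "deny" and covers(e, PERMIT_ALL) for _, e in reachable):
        findings.append("no reachable default deny rule")
    return findings


# Constructed sample rule sets.
BAD_RULES = [
    "permit tcp 10.0.1.0/24 10.0.2.10 22",
    "permit ip any any any",
    "permit tcp 10.0.1.0/24 10.0.2.10 443",
    "deny ip any any any",
]
GOOD_RULES = [
    "permit tcp 10.0.1.0/24 10.0.2.10 22",
    "permit tcp 10.0.1.0/24 10.0.2.10 443",
    "deny ip any any any",
]
```

A port-restricted rule such as `permit tcp any any 443` is deliberately not reported as any/any; whether it is acceptable depends on the environment, which is a judgement the auditor leaves to the reviewer.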
What problems can a misconfigured web content filter cause?
- Blocking legitimate content
- Allowing prohibited content
What should happen before conducting vulnerability or penetration tests?
Written authorization, defining the scope and rules of engagement, should be obtained before any testing begins.
Incident Response plans should include details related to what?
- Incident categorization
- Preparation
- Roles
- Responsibilities
- Reporting requirements
- Escalation procedures
- Details on cyber incident response and training exercises
Incident response process should include the following:
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Post-incident activities (e.g. lessons learned)
Order of volatility
Describes the order in which evidence should be collected: from the most volatile data to the least volatile, so that short-lived data is captured before it is lost.
Which is considered to be most volatile?
Data in RAM (together with CPU registers and cache) is the most volatile, since it is lost when the system powers off; swap or paging files on disk hold spilled memory and are collected next, ahead of ordinary disk contents, remote logs and archival media.
Chain of custody
Documents who collected, handled, transferred and stored each piece of evidence, when and why, so that it can be shown the evidence was not tampered with.
What kinds of data are acquired during and after an incident?
System images, traffic logs, video, time offset, hashes, screenshots and witness interviews.
What should happen when examining computers?
Their date and time settings are recorded and compared with a trusted reference clock. The difference between the two is the offset, which is then applied to all time-based evidence taken from that computer (log entries, file timestamps) so that events can be correlated with other systems.
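The acquisition steps on the last three cards (hashing an image, recording chain of custody, recording and applying the clock offset) carried out in one script. This is an added example, not part of the original flashcards or of any forensic tool such as dd or FTK Imager; the image content, the analyst name and the clock values are constructed, and treating a zone-less timestamp as UTC is an assumption made for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a multi-gigabyte image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(path, expected_sha256):
    """Re-hash an image and compare with the hash recorded at acquisition time."""
    return sha256_file(path) == expected_sha256


def _parse_ts(iso):
    # Assumption for this example: a timestamp with no zone is treated as UTC.
    ts = datetime.fromisoformat(iso)
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def offset_seconds(suspect_clock_iso, reference_clock_iso):
    """Offset = reference - suspect, in seconds. Positive means the suspect clock runs slow."""
    return (_parse_ts(reference_clock_iso) - _parse_ts(suspect_clock_iso)).total_seconds()


def normalize_iso(evidence_ts_iso, offset):
    """Apply the recorded offset to a timestamp read from the suspect machine."""
    return (_parse_ts(evidence_ts_iso) + timedelta(seconds=offset)).isoformat()


def custody_entry(path, collector, reference_clock_iso, suspect_clock_iso, prev_entry_hash=None):
    """Build one chain-of-custody record for an acquired image.

    Each entry carries the hash of the previous entry, so the log itself is tamper-evident.
    """
    entry = {
        "file": os.path.basename(path),
        "size_bytes": os.path.getsize(path),
        "sha256": sha256_file(path),
        "collected_by": collector,
        "collected_at": reference_clock_iso,
        "suspect_clock": suspect_clock_iso,
        "clock_offset_seconds": offset_seconds(suspect_clock_iso, reference_clock_iso),
        "prev_entry_hash": prev_entry_hash,
    }
    canonical = json.dumps(entry, sort_keys=True).encode()
    entry["entry_hash"] = hashlib.sha256(canonical).hexdigest()
    return entry


def demo():
    """Acquire a constructed image, record it, then show that a single changed byte is detected."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "disk.img")
        with open(img, "wb") as f:
            f.write(b"\x00" * 4096 + b"constructed sample image")  # constructed content
        entry = custody_entry(img, "analyst1",
                              reference_clock_iso="2024-01-01T12:03:30+00:00",
                              suspect_clock_iso="2024-01-01T12:00:00+00:00")
        ok_before = verify_image(img, entry["sha256"])
        with open(img, "r+b") as f:   # simulate tampering: flip one byte
            f.seek(10)
            f.write(b"\x01")
        ok_after = verify_image(img, entry["sha256"])
    return ok_before, ok_after, entry["clock_offset_seconds"]
```

The sign convention matters: with a suspect clock 3.5 minutes slow, an entry the machine logged at 11:58:00 actually happened at 12:01:30, which is what `normalize_iso` returns when given the offset from the custody entry.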
MITRE ATT&CK
Knowledge base of adversary tactics, techniques and procedures organized by attack phase, similar to a kill chain; used as a reference for detection and incident response.
Diamond Model of Intrusion Analysis
Places the basic components of malicious activity at the four vertices of a diamond: adversary, infrastructure, capability and victim.
Two main approaches for incident response exercises
Discussion-based exercises (tabletop walkthroughs) and simulations (functional or full-scale drills).
BCP and COOP
BCP = Business Continuity Planning; COOP = Continuity of Operations Plan
They ensure restoration of organizational functions in the shortest possible time, even if services resume at a reduced level of effectiveness or availability.