Domain 4.0: Operations and Incident Response

Question 1

ping

Answer 1

Command-line that tests network connectivity.

Question 2

nmap

Answer 2

network scanning tool often used in security audit

Question 3

netstat

Answer 3

Shows network statistics including protocol, source and destination addresses, and connection state.

Question 4

netcat

Answer 4

Network utility for gathering information from transport layer network connections

Question 5

dig and nslookup

Answer 5

Troubleshooting tool that query DNS servers

Question 6

What are common command line tools for file display and manipluation?

Answer 6

Head, Tail and Cat

Question 7

Python

Answer 7

General-purpose programming

Question 8

TCP

Answer 8

Packet analyzer tool that captures TCP/IP packets

Question 9

PowerShell

Answer 9

Command-line shell and scripting interface for MS Windows environments

Question 10

What are examples of forensic tools?

Answer 10

dd, memdump, WinHex, FTK Imager and Autopsy

Question 11

Where can protocol analyzers be placed in network?

Answer 11

• Placed incline

- In between the devices which you want to capture traffic.

Question 12

What are some of most common firewall configuration errors?

Answer 12

Permission for traffic to run from any source to any destination

Unnecessary services running

Weak authentication

Log file negligence

Question 13

What problems can misconfigured web content filter can cause?

Answer 13

• Prevent legitimate content

- Allow prohibited content

Question 14

What should happen before conducting vulnerability or penetration tests?

Answer 14

Written authorization should be required

Question 15

Incident Response plans should include details related to what?

Answer 15

• Incident categorization
• Preparation
• Role
• Responsibilities
• Reporting requirements
• Escalation procedures
• Details on cyber incident response and training exercises

Question 16

Incident response process should include the following:

Answer 16

• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Post-incident events (e.g. lesson learned).

Question 17

Order of volatility

Answer 17

Description of the order in which evidence should be collected. from the most volatile systems to least volatile.

Question 18

Which is considered to be most volatile?

Answer 18

Data in RAM and swap or paging files is considered to be most volatile

Question 19

Chain of custody

Answer 19

Ensures that evidence is properly handled

Question 20

What type of data acquisition occurs during and after an incident?

Answer 20

System images, traffic logs, video, time offset, hashes, screenshots and witness interviews.

Question 21

What should happen when examining computers?

Answer 21

Their data and time settings are recorded and compared with current time. They can be used to calculate the difference between the two. The difference is then used as an offset and applied to all the time evidence on the computer.

Question 22

MITRE ATT&CK

Answer 22

Framework similar to a kill chain and provides reference for incident response

Question 23

Diamond Model of :Intrusion Analysis

Answer 23

They place basic component of malicious activity at one of four points: adversary, infrastructure, capability and victim.

Question 24

Two main approaches for incident response exercises

Answer 24

Discussion oriented and stimulation.

Question 25

BCP and COOP

Answer 25

BCP = Business Continuity Planning
COOP = Continuity of Operating Plan

They ensure restoration of organizational functions in the shortest possible time, even if services resume at a reduced level of effectiveness or availability.