Domain 9 - Incident Response Flashcards

1
Q

What are the four stages of IR plan?

A
  1. Preparation
  2. Detection and Analysis
  3. Containment, Eradication & Recovery
  4. Post-mortem
2
Q

What is involved in the Preparation stage of IR?

A
  1. Process to handle incidents
  2. Who's who - IR manager, team members and their roles
  3. Documentation (architecture diagrams, network IP addresses and ports)
  4. Training
  5. Vulnerability assessments
  6. Third-party threat intel
3
Q

What is involved in the detection & analysis stage of IR?

A
  1. Alerting (endpoint protection, host monitoring, network security monitoring, anomaly detection)
  2. Validating alerts (true positive or false positive?)
  3. Estimating the scope of the incident
  4. Assigning an incident manager
  5. Understanding the timeline of the attack
  6. Notification and coordination
4
Q

What is involved in the containment, eradication & recovery stage of IR?

A
  1. Containment: taking affected systems offline or isolating them from the network
  2. Eradication and recovery: clean up compromised devices, restore from known-good backups
5
Q

How does the cloud impact the preparation stage of IR?

A
  • SLAs have to be agreed upon with the CSP (response times, what the provider will and will not do during an incident).
  • Understand what data and logs are available for incident management
  • Prepare tools to do remote investigation (understand what VM images and disk storage are available)
  • Architect appropriately - e.g. turn on CloudTrail (CT) logging, store logs outside the affected account, architect for isolation using VPCs, use immutable servers
  • Do threat modeling and gamedays
6
Q

How does the cloud impact the Detection & Analysis stage of IR?

A
  • Monitoring must cover both the assets and the management plane
  • Leverage in-cloud monitoring and automation workflows (e.g. usage metrics, Lambda functions)
  • Use cloud provider logs (CloudTrail (CT), CloudWatch (CW))
  • Understand logging gaps (e.g. serverless and auto-scaling, where the instance is gone before you can look at it)
  • Are cloud provider activities logged?
  • Network logs (e.g. VPC flow logs) are metadata, not packet captures
  • Understand chain of custody
  • Forensics and investigative support must be cloud-native
  • Automate - e.g. snapshot VM images, capture metadata, pause VMs to preserve volatile memory
  • Examine configuration data, data access logs, management plane logs
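As an added example (not part of the original flashcards), the following Python detector runs a few management-plane rules over constructed CloudTrail records: a successful console login without MFA, a call that switches off the audit trail, and a security group opened to the whole internet. The sample records are made up for this illustration and only carry the fields the rules read; the rule set is a starting point, not a complete detection catalogue.

```python
import json
from ipaddress import ip_network

# Constructed sample CloudTrail records (not real events); only the fields the
# rules below read are populated, in the shape the service emits them.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2024-03-01T10:02:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-03-01T10:05:40Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail"}},
    {"eventTime": "2024-03-01T10:06:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0",
                           "ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                                                        "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2024-03-01T10:07:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.0.4.12",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/ops/bob"},
     "requestParameters": {}},
]})

# Management-plane calls that reduce visibility; an intruder holding stolen
# credentials commonly issues these before doing anything noisy.
LOGGING_TAMPER = {
    ("cloudtrail.amazonaws.com", "StopLogging"),
    ("cloudtrail.amazonaws.com", "DeleteTrail"),
    ("cloudtrail.amazonaws.com", "UpdateTrail"),
    ("config.amazonaws.com", "StopConfigurationRecorder"),
    ("guardduty.amazonaws.com", "DeleteDetector"),
}


def _opens_to_world(params):
    """True if any ingress rule in the request covers all of IPv4 or all of IPv6."""
    for perm in params.get("ipPermissions", {}).get("items", []):
        ranges = perm.get("ipRanges", {}).get("items", []) + perm.get("ipv6Ranges", {}).get("items", [])
        for rng in ranges:
            cidr = rng.get("cidrIp") or rng.get("cidrIpv6")
            if cidr and ip_network(cidr, strict=False).prefixlen == 0:
                return True
    return False


def analyze_cloudtrail(raw_json):
    """Return findings as (eventTime, rule, actor_arn, detail) tuples, in event order."""
    findings = []
    for rec in json.loads(raw_json).get("Records", []):
        src, name = rec.get("eventSource"), rec.get("eventName")
        actor = rec.get("userIdentity", {}).get("arn", "unknown")
        params = rec.get("requestParameters") or {}
        # Rule 1: successful console login without MFA (sign-in events carry
        # MFAUsed in additionalEventData, not in requestParameters).
        if (name == "ConsoleLogin"
                and rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            findings.append((rec["eventTime"], "console-login-without-mfa", actor, rec.get("sourceIPAddress")))
        # Rule 2: the audit trail itself is being switched off or altered.
        if (src, name) in LOGGING_TAMPER:
            findings.append((rec["eventTime"], "logging-tampered", actor, f"{name} {params.get('name', '')}".strip()))
        # Rule 3: a security group opened to the whole internet.
        if (src, name) == ("ec2.amazonaws.com", "AuthorizeSecurityGroupIngress") and _opens_to_world(params):
            findings.append((rec["eventTime"], "sg-opened-to-world", actor, params.get("groupId")))
    return findings


def scope_by_actor(findings):
    """First cut at scoping the incident: which identities triggered which rules."""
    scope = {}
    for _time, rule, actor, _detail in findings:
        scope.setdefault(actor, set()).add(rule)
    return scope


if __name__ == "__main__":
    hits = analyze_cloudtrail(SAMPLE_CLOUDTRAIL)
    for hit in hits:
        print(*hit, sep="\t")
    print(scope_by_actor(hits))
```

Grouping findings by actor is the validation and scoping step from the card: one identity hitting all three rules from the same source address within five minutes is a credential compromise to act on, not three unrelated alerts. Note that these rules only fire if CloudTrail is enabled and delivered to a location the attacker cannot alter, which is why the preparation card asks for logs to be turned on and stored ahead of time.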
7
Q

How does the cloud impact the Containment & Recovery stage of IR?

A
  • Leverage cloud capabilities to isolate the compromised components (e.g. remove the compromised VM from its auto-scaling group and isolate it with a restrictive security group (SG)), so containment does not require stopping the VM or touching the rest of the fleet.
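As an added example (not part of the original flashcards), the following Python code automates the containment sequence from this card and the "automate - snapshot VM images, capture metadata" bullet from the detection card: detach the instance from its auto-scaling group, swap its security groups for an isolation group, snapshot its volumes and tag it for chain of custody. It runs against an in-memory stand-in whose method names and keyword arguments mirror the boto3 `ec2` and `autoscaling` clients (`describe_instances`, `modify_instance_attribute`, `create_snapshot`, `create_tags`, `detach_instances`), so the same `isolate_instance()` can be pointed at the real clients. The instance, ASG and the `sg-isolation` group id are constructed for the demo; in practice the isolation group is pre-created per VPC with no inbound or outbound rules.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption: a pre-created security group with no inbound and no outbound
# rules exists in the VPC; its id would be looked up in real use.
ISOLATION_SG = "sg-isolation"


@dataclass
class FakeInstance:
    instance_id: str
    state: str
    security_groups: List[str]
    volumes: List[str]
    asg_name: Optional[str]
    tags: dict = field(default_factory=dict)


class FakeCloud:
    """In-memory stand-in for the boto3 ec2 and autoscaling clients (constructed
    for this demo). Method names and keyword arguments mirror the real calls."""

    def __init__(self, instances, asg_desired):
        self.instances = {i.instance_id: i for i in instances}
        self.asg_desired = dict(asg_desired)
        self.snapshots = []

    # autoscaling client
    def detach_instances(self, InstanceIds, AutoScalingGroupName, ShouldDecrementDesiredCapacity):
        for iid in InstanceIds:
            self.instances[iid].asg_name = None
        if ShouldDecrementDesiredCapacity:
            self.asg_desired[AutoScalingGroupName] -= 1
        return {}

    # ec2 client
    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [
            {"InstanceId": i.instance_id, "State": {"Name": i.state},
             "SecurityGroups": [{"GroupId": g} for g in i.security_groups],
             "BlockDeviceMappings": [{"Ebs": {"VolumeId": v}} for v in i.volumes]}
            for i in (self.instances[iid] for iid in InstanceIds)]}]}

    def modify_instance_attribute(self, InstanceId, Groups):
        self.instances[InstanceId].security_groups = list(Groups)
        return {}

    def create_snapshot(self, VolumeId, Description):
        snap_id = f"snap-{len(self.snapshots):04d}"
        self.snapshots.append({"SnapshotId": snap_id, "VolumeId": VolumeId, "Description": Description})
        return {"SnapshotId": snap_id}

    def create_tags(self, Resources, Tags):
        for r in Resources:
            self.instances[r].tags.update({t["Key"]: t["Value"] for t in Tags})
        return {}


def isolate_instance(ec2, asg, instance_id, asg_name, case_id, launch_replacement=False):
    """Contain one compromised instance while preserving evidence.

    Order matters: capture metadata first (it is evidence and is needed to
    restore), detach from the ASG second (otherwise the ASG terminates an
    instance that fails its health checks once isolated, destroying disk and
    memory), isolate the network third, snapshot last. The instance is left
    running so volatile memory survives for live acquisition."""
    before = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    evidence = {
        "instance_id": instance_id,
        "state_at_isolation": before["State"]["Name"],
        "original_groups": [g["GroupId"] for g in before["SecurityGroups"]],
        "volumes": [m["Ebs"]["VolumeId"] for m in before["BlockDeviceMappings"] if "Ebs" in m],
    }
    if asg_name:
        # Decrementing desired capacity keeps the ASG from launching a replacement
        # from the same, possibly compromised, image until that image is cleared.
        asg.detach_instances(InstanceIds=[instance_id], AutoScalingGroupName=asg_name,
                             ShouldDecrementDesiredCapacity=not launch_replacement)
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[ISOLATION_SG])
    evidence["snapshots"] = [
        ec2.create_snapshot(VolumeId=v, Description=f"IR {case_id} {instance_id} {v}")["SnapshotId"]
        for v in evidence["volumes"]
    ]
    ec2.create_tags(Resources=[instance_id], Tags=[
        {"Key": "ir-case", "Value": case_id}, {"Key": "ir-status", "Value": "isolated"}])
    return evidence


def run_demo():
    """Constructed scenario: one web instance out of a three-instance ASG."""
    cloud = FakeCloud(
        [FakeInstance("i-0abc123def456", "running", ["sg-web", "sg-ssh"], ["vol-root", "vol-data"], "web-asg")],
        {"web-asg": 3})
    evidence = isolate_instance(cloud, cloud, "i-0abc123def456", "web-asg", "IR-2024-017")
    return cloud, evidence


if __name__ == "__main__":
    cloud, evidence = run_demo()
    print(evidence)
    print(cloud.instances["i-0abc123def456"])
```

Two caveats a responder would want: the volume snapshots are crash-consistent, not a memory image, so volatile memory still has to be acquired from the running instance (the card's "pause" maps onto not stopping the host rather than a literal pause on most IaaS platforms), and the original security group list returned in `evidence` is what lets you reverse the isolation once the investigation is done.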