Domain 9: Incident Response

Question 1

The CSA Guidance uses which standard for describing the incident response process?
A. ISO 27035
B. ENISA strategies for incident response
C. ANSI 5756
D. NIST SP 800-61

Answer 1

Answer: D
The CSA Guidance uses NIST SP 800-61 to describe the incident response process. See page 101 of the CSA Cloud Security Guidance v4.
Answers A and B are both industry-accepted standards used for incident response process modeling, but are not used by CSA for this purpose in the Guidance. Answer C is completely made up, and used here only as a distractor.

Question 2

Which of the following is not a phase of the incident response process described in the CSA Guidance ?
A. preparation
B. isolation
C. detection and analysis
D. post-mortem

Answer 2

Answer: B
The other answers are phases described in the Guidance. See page 102 of the CSA Cloud Security Guidance v4.

Question 3

Which of the following activities should occur in the Preparation phase of the incident response lifecycle?
A. build a timeline of the attack
B. take systems offline
C. determine the extent of data loss
D. subscribing to third-party threat intelligence services

Answer 3

Answer: D
The other answers are from the second and third phases of the incident response lifecycle. See page 102 of the CSA Cloud Security Guidance v4.

Question 4

Which phase of the incident response lifecycle is used to determine ways to improve the incident response process?
A. preparation
B. detection and analysis
C. containment, eradication, and recovery
D. post-mortem

Answer 4

Answer: D
The post-mortem phase is used to optimize incident handling and response. See page 103 of the CSA Cloud Security Guidance v4.

Question 5

Which phase of the incident response lifecycle is affected by migrating from a traditional IT environment to the cloud?
A. preparation
B. isolation
C. post-mortem
D. all of them

Answer 5

Answer: D
All of the phases of the incident response process are affected by cloud operations. See page 103 of the CSA Cloud Security Guidance v4.

Question 6

Which of the following is not a recommendation from the CSA about cloud customer incident response activity during the Preparation phase?
A. test the incident response notification process
B. the provider and customer should engage in joint training sessions involving personnel from both organizations
C. ensure the provider has accurate notification contact information for the customer
D. the customer should ensure they have correct notification/escalation contact information for the provider

Answer 6

Answer: B
While joint training sessions may be a good idea, it is impractical and implausible to expect. All the other answers are recommendations made by the CSA. See page 103 of the CSA Cloud Security Guidance v4.

Question 7

In preparing for incident response for an IaaS/PaaS environment, the cloud customer should be aware…
A. of which hardware elements comprise the underlying infrastructure
B. that log data for a specific incident might be limited to what was already provided according to the contract
C. of any users logging into the environment remotely
D. of the time delay from the moment of incident detection until the arrival of armed response

Answer 7

Answer: B
Incident response log data may be limited to log data already provided prior to the incident, and additional requests might not be honored; the customer needs to understand the scope and availability of logs, as defined by the contract. See page 103 of the CSA Cloud Security Guidance v4.
Physical security and devices are typically opaque to the customer; these are the responsibility of the provider; A and D are incorrect. All user access to the cloud is remote access; C is incorrect.

Question 8

A customer should design the cloud environment in a way that optimizes the effectiveness of incident response. This includes all of the following measures except __________.
A. enable API logging to an external, secure location
B. ensure contracts include a 100% uptime guarantee
C. utilize isolation to limit potential negative impact
D. use immutable servers if possible

Answer 8

Answer: B
Nothing is 100% (risk or security or availability or anything else); avoid any provider that offers a metric of 100% (or 0%). All the other answers are methods a cloud customer should use to optimize the effectiveness of incident response actions. See page 104 of the CSA Cloud Security Guidance v4.

Question 9

Which of the following are helpful ways to determine if your architecture is suitable for incident containment? [select all that apply]
A. conduct user training at periodic intervals
B. threat modeling activities
C. tabletop exercises
D. ensure cloud provider billing is accurate
E. protect root management credentials

Answer 9

Answer: B and C
Threat modeling and tabletop exercises can aid the organization in determining if the cloud architecture is optimized for incident containment activities. See page 104 of the CSA Cloud Security Guidance v4.
User training and protecting credentials are useful in protecting the cloud environment, but do not aid in reviewing the architecture for incident response actions. Provider billing has nothing to do with incident response.

Question 10

If logs aren’t available to determine possible changes/modifications in the cloud environment, what might the customer use instead (depending on which provider the customer is using)?
A. forensic hardware
B. the cloud management console
C. digital rights management software
D. strong contract language

Answer 10

Answer: B
Close observation of the cloud management console might allow the customer to determine if unauthorized/unscheduled configuration changes have occurred. See page 104 of the CSA Cloud Security Guidance v4
Customers aren’t typically able to install hardware appliances in the cloud environment; A is incorrect. DRM and strong contract language are both useful for protecting the customer, but not for monitoring configuration changes; C and D are incorrect.

Question 11

To aid in getting information about potential attackers, the cloud customer might consider __________.
A. subscribing to an external threat intelligence service
B. sending undercover operatives into known attacker hangouts
C. paying known attackers for insight into their operations
D. offering a bounty to anyone who will attack the attackers

Answer 11

Answer: A
External threat intelligence is always useful, whether the customer runs a traditional IT environment or cloud environment. See page 105 of the CSA Cloud Security Guidance v4.
The other answers are all incorrect, and somewhat silly, if not downright counterproductive and/or illegal.

Question 12

In order to determine whether log data received from a cloud provider satisfies chain-of-custody requirements, security practitioners should consult __________.
A. their supervisors
B. senior management
C. attorneys
D. cloud providers

Answer 12

Answer: C
Nobody will be more prepared to answer legal questions than lawyers. See page 105 of the CSA Cloud Security Guidance v4.

Question 13

Because of the dynamic and high-velocity nature of cloud environments, it is best to __________ forensic/investigatory processes.
A. remove
B. replicate
C. reduce
D. automate

Answer 13

Answer: D
Automation reduces the potential for human and leverages the power of IT solutions. See page 105 of the CSA Cloud Security Guidance v4.

Question 14

Processes that might be automated in order to enhance incident response actions in the cloud include all of the following except __________.
A. snapshotting the storage of a virtual machine
B. capturing metadata at the time of an alert
C. reviewing alerts to determine their precedence
D. “pausing” a virtual machine, to retain volatile memory (if allowed by the provider)

Answer 14

Answer: C
Alert review is one task that requires human intervention; no automation tool can yet approximate human capabilities in this regard. See page 105 of the CSA Cloud Security Guidance v4.
All the other answers are tasks that can be automated.

Question 15

Cloud capabilities that might assist with determining the extent of the impact of an incident include: [select all that apply]
A. analyze network flows to determine if isolation was compromised
B. metered service
C. virtualization
D. examine configuration data to see if similar instances were exposed in the same attack
E. query intelligence-sharing centers for the industry

Answer 15

Answer: A and D
Both of these are potential ways to gauge the impact of a given incident. See page 105 of the CSA Cloud Security Guidance v4.
B and C are both characteristics of cloud computing, but not particularly useful in determining the extent of incident impact. E is not intrinsically related to cloud computing, nor is it useful to ascertain the impact of an incident.

Question 16

What part of the incident containment procedure should be conducted first?
A. shut down affected machines (real or virtual)
B. determine if an attacker has access to the management console
C. rewrite damaged data
D. terminate guilty personnel

Answer 16

Answer: B
An attacker with administrative access to the management console can subvert any other incident response actions the customer might try; making this determination should be the top priority. See page 106 of the CSA Cloud Security Guidance v4.
All the other answers may or not be elements of the incident containment process, but definitely are not the top priority.

Question 17

If the cloud customer suspects the management plane has been breached, the customer should be sure to __________.
A. notify law enforcement
B. notify shareholders
C. contract with external auditors
D. confirm that templates for new workloads have not been compromised

Answer 17

Answer: D
A known-good template will be used to replace the previous workloads, if there’s any suspicion that the management plane has been accessed in an unauthorized way; the customer must ensure that the new workloads have not been tampered with. See page 106 of the CSA Cloud Security Guidance v4.
Notifying law enforcement and investors, as well as other stakeholders, may be necessary, but is not typically an immediate response action. External auditors are very useful, but are not part of an incident response process.

Question 18

During the post-mortem phase of the incident response process, the cloud customer may want to __________ the Service Level Agreement (SLA).
A. terminate
B. violate
C. adopt
D. renegotiate

Answer 18

Answer: D
If the incident analysis reveals that the provider was contributing to the situation that caused the incident, or the SLA was insufficient in some way, the customer may want to attempt to renegotiate the terms. See page 106 of the CSA Cloud Security Guidance v4.
The customer does not typically terminate or violate the SLA. The SLA is adopted at the outset of the cloud managed services engagement, not after an incident.

Question 19

In the cloud, the use of __________ and __________ monitoring capabilities may offer incident detection earlier than similar efforts in the traditional IT environment. [select two]
A. oblique
B. inferred
C. continuous
D. serverless
E. sentient

Answer 19

Answer: C, D
Continuous and serverless monitoring in the cloud may provide incident detection capabilities that are superior (in speed of detection) than traditional detection counterparts. See page 107 of the CSA Cloud Security Guidance v4.
“Oblique,” “inferred,” and “sentient” are not types of monitoring capabilities, and are used here only as distractors.

Question 20

Data sources (such as logs) used in the incident response process should be handled in a way that __________.
A. indicts the criminals
B. terminates employees
C. severs unauthorized connections
D. preserves the chain of custody

Answer 20

Answer: D
The chain of custody provides greater reliance on the incident data for evidentiary purposes; it is worth preserving, if possible. See page 107 of the CSA Cloud Security Guidance v4.
The chain of custody may support prosecutorial or employment actions, which is why it is so important; answers A and B are less accurate than D. Logs do not, by themselves, typically affect connections.