Domain 9: Incident Response Flashcards

1
Q

The CSA Guidance uses which standard for describing the incident response process?
A. ISO 27035
B. ENISA strategies for incident response
C. ANSI 5756
D. NIST SP 800-61

A

Answer: D
The CSA Guidance uses NIST SP 800-61 to describe the incident response process. See page 101 of the CSA Cloud Security Guidance v4.
Answers A and B are both industry-accepted standards used for incident response process modeling, but are not used by CSA for this purpose in the Guidance. Answer C is completely made up, and used here only as a distractor.

2
Q

Which of the following is not a phase of the incident response process described in the CSA Guidance?
A. preparation
B. isolation
C. detection and analysis
D. post-mortem

A

Answer: B
The other answers are phases described in the Guidance. See page 102 of the CSA Cloud Security Guidance v4.

3
Q

Which of the following activities should occur in the Preparation phase of the incident response lifecycle?
A. build a timeline of the attack
B. take systems offline
C. determine the extent of data loss
D. subscribing to third-party threat intelligence services

A

Answer: D
The other answers are from the second and third phases of the incident response lifecycle. See page 102 of the CSA Cloud Security Guidance v4.

4
Q

Which phase of the incident response lifecycle is used to determine ways to improve the incident response process?
A. preparation
B. detection and analysis
C. containment, eradication, and recovery
D. post-mortem

A

Answer: D
The post-mortem phase is used to optimize incident handling and response. See page 103 of the CSA Cloud Security Guidance v4.

5
Q

Which phase of the incident response lifecycle is affected by migrating from a traditional IT environment to the cloud?
A. preparation
B. isolation
C. post-mortem
D. all of them

A

Answer: D
All of the phases of the incident response process are affected by cloud operations. See page 103 of the CSA Cloud Security Guidance v4.

6
Q

Which of the following is not a recommendation from the CSA about cloud customer incident response activity during the Preparation phase?
A. test the incident response notification process
B. the provider and customer should engage in joint training sessions involving personnel from both organizations
C. ensure the provider has accurate notification contact information for the customer
D. the customer should ensure they have correct notification/escalation contact information for the provider

A

Answer: B
While joint training sessions may be a good idea, it is impractical and implausible to expect. All the other answers are recommendations made by the CSA. See page 103 of the CSA Cloud Security Guidance v4.

7
Q

In preparing for incident response for an IaaS/PaaS environment, the cloud customer should be aware…
A. of which hardware elements comprise the underlying infrastructure
B. that log data for a specific incident might be limited to what was already provided according to the contract
C. of any users logging into the environment remotely
D. of the time delay from the moment of incident detection until the arrival of armed response

A

Answer: B
Incident response log data may be limited to log data already provided prior to the incident, and additional requests might not be honored; the customer needs to understand the scope and availability of logs, as defined by the contract. See page 103 of the CSA Cloud Security Guidance v4.
Physical security and devices are typically opaque to the customer; these are the responsibility of the provider; A and D are incorrect. All user access to the cloud is remote access; C is incorrect.

8
Q

A customer should design the cloud environment in a way that optimizes the effectiveness of incident response. This includes all of the following measures except __________.
A. enable API logging to an external, secure location
B. ensure contracts include a 100% uptime guarantee
C. utilize isolation to limit potential negative impact
D. use immutable servers if possible

A

Answer: B
Nothing is 100% (risk or security or availability or anything else); avoid any provider that offers a metric of 100% (or 0%). All the other answers are methods a cloud customer should use to optimize the effectiveness of incident response actions. See page 104 of the CSA Cloud Security Guidance v4.

9
Q

Which of the following are helpful ways to determine if your architecture is suitable for incident containment? [select all that apply]
A. conduct user training at periodic intervals
B. threat modeling activities
C. tabletop exercises
D. ensure cloud provider billing is accurate
E. protect root management credentials

A

Answer: B and C
Threat modeling and tabletop exercises can aid the organization in determining if the cloud architecture is optimized for incident containment activities. See page 104 of the CSA Cloud Security Guidance v4.
User training and protecting credentials are useful in protecting the cloud environment, but do not aid in reviewing the architecture for incident response actions. Provider billing has nothing to do with incident response.

10
Q

If logs aren’t available to determine possible changes/modifications in the cloud environment, what might the customer use instead (depending on which provider the customer is using)?
A. forensic hardware
B. the cloud management console
C. digital rights management software
D. strong contract language

A

Answer: B
Close observation of the cloud management console might allow the customer to determine if unauthorized/unscheduled configuration changes have occurred. See page 104 of the CSA Cloud Security Guidance v4.
Customers aren’t typically able to install hardware appliances in the cloud environment; A is incorrect. DRM and strong contract language are both useful for protecting the customer, but not for monitoring configuration changes; C and D are incorrect.

11
Q

To aid in getting information about potential attackers, the cloud customer might consider __________.
A. subscribing to an external threat intelligence service
B. sending undercover operatives into known attacker hangouts
C. paying known attackers for insight into their operations
D. offering a bounty to anyone who will attack the attackers

A

Answer: A
External threat intelligence is always useful, whether the customer runs a traditional IT environment or a cloud environment. See page 105 of the CSA Cloud Security Guidance v4.
The other answers are all incorrect, and somewhat silly, if not downright counterproductive and/or illegal.

12
Q

In order to determine whether log data received from a cloud provider satisfies chain-of-custody requirements, security practitioners should consult __________.
A. their supervisors
B. senior management
C. attorneys
D. cloud providers

A

Answer: C
Nobody will be more prepared to answer legal questions than lawyers. See page 105 of the CSA Cloud Security Guidance v4.

13
Q

Because of the dynamic and high-velocity nature of cloud environments, it is best to __________ forensic/investigatory processes.
A. remove
B. replicate
C. reduce
D. automate

A

Answer: D
Automation reduces the potential for human error and leverages the power of IT solutions. See page 105 of the CSA Cloud Security Guidance v4.

14
Q

Processes that might be automated in order to enhance incident response actions in the cloud include all of the following except __________.
A. snapshotting the storage of a virtual machine
B. capturing metadata at the time of an alert
C. reviewing alerts to determine their precedence
D. “pausing” a virtual machine, to retain volatile memory (if allowed by the provider)

A

Answer: C
Alert review is one task that requires human intervention; no automation tool can yet approximate human capabilities in this regard. See page 105 of the CSA Cloud Security Guidance v4.
All the other answers are tasks that can be automated.

15
Q

Cloud capabilities that might assist with determining the extent of the impact of an incident include: [select all that apply]
A. analyze network flows to determine if isolation was compromised
B. metered service
C. virtualization
D. examine configuration data to see if similar instances were exposed in the same attack
E. query intelligence-sharing centers for the industry

A

Answer: A and D
Both of these are potential ways to gauge the impact of a given incident. See page 105 of the CSA Cloud Security Guidance v4.
B and C are both characteristics of cloud computing, but not particularly useful in determining the extent of incident impact. E is not intrinsically related to cloud computing, nor is it useful to ascertain the impact of an incident.

16
Q

What part of the incident containment procedure should be conducted first?
A. shut down affected machines (real or virtual)
B. determine if an attacker has access to the management console
C. rewrite damaged data
D. terminate guilty personnel

A

Answer: B
An attacker with administrative access to the management console can subvert any other incident response actions the customer might try; making this determination should be the top priority. See page 106 of the CSA Cloud Security Guidance v4.
All the other answers may or may not be elements of the incident containment process, but they are definitely not the top priority.

17
Q

If the cloud customer suspects the management plane has been breached, the customer should be sure to __________.
A. notify law enforcement
B. notify shareholders
C. contract with external auditors
D. confirm that templates for new workloads have not been compromised

A

Answer: D
A known-good template will be used to replace the previous workloads, if there’s any suspicion that the management plane has been accessed in an unauthorized way; the customer must ensure that the new workloads have not been tampered with. See page 106 of the CSA Cloud Security Guidance v4.
Notifying law enforcement and investors, as well as other stakeholders, may be necessary, but is not typically an immediate response action. External auditors are very useful, but are not part of an incident response process.

18
Q

During the post-mortem phase of the incident response process, the cloud customer may want to __________ the Service Level Agreement (SLA).
A. terminate
B. violate
C. adopt
D. renegotiate

A

Answer: D
If the incident analysis reveals that the provider was contributing to the situation that caused the incident, or the SLA was insufficient in some way, the customer may want to attempt to renegotiate the terms. See page 106 of the CSA Cloud Security Guidance v4.
The customer does not typically terminate or violate the SLA. The SLA is adopted at the outset of the cloud managed services engagement, not after an incident.

19
Q

In the cloud, the use of __________ and __________ monitoring capabilities may offer incident detection earlier than similar efforts in the traditional IT environment. [select two]
A. oblique
B. inferred
C. continuous
D. serverless
E. sentient

A

Answer: C, D
Continuous and serverless monitoring in the cloud may provide incident detection capabilities that are superior (in speed of detection) to their traditional detection counterparts. See page 107 of the CSA Cloud Security Guidance v4.
“Oblique,” “inferred,” and “sentient” are not types of monitoring capabilities, and are used here only as distractors.

20
Q

Data sources (such as logs) used in the incident response process should be handled in a way that __________.
A. indicts the criminals
B. terminates employees
C. severs unauthorized connections
D. preserves the chain of custody

A

Answer: D
The chain of custody provides greater reliance on the incident data for evidentiary purposes; it is worth preserving, if possible. See page 107 of the CSA Cloud Security Guidance v4.
The chain of custody may support prosecutorial or employment actions, which is why it is so important; answers A and B are less accurate than D. Logs do not, by themselves, typically affect connections.