Domain 9: Incident Response Flashcards
The CSA Guidance uses which standard for describing the incident response process?
A. ISO 27035
B. ENISA strategies for incident response
C. ANSI 5756
D. NIST SP 800-61
Answer: D
The CSA Guidance uses NIST SP 800-61 to describe the incident response process. See page 101 of the CSA Cloud Security Guidance v4.
Answers A and B are both industry-accepted standards used for incident response process modeling, but are not used by CSA for this purpose in the Guidance. Answer C is completely made up, and used here only as a distractor.
Which of the following is not a phase of the incident response process described in the CSA Guidance?
A. preparation
B. isolation
C. detection and analysis
D. post-mortem
Answer: B
The other answers are phases described in the Guidance. See page 102 of the CSA Cloud Security Guidance v4.
Which of the following activities should occur in the Preparation phase of the incident response lifecycle?
A. build a timeline of the attack
B. take systems offline
C. determine the extent of data loss
D. subscribing to third-party threat intelligence services
Answer: D
The other answers are from the second and third phases of the incident response lifecycle. See page 102 of the CSA Cloud Security Guidance v4.
Which phase of the incident response lifecycle is used to determine ways to improve the incident response process?
A. preparation
B. detection and analysis
C. containment, eradication, and recovery
D. post-mortem
Answer: D
The post-mortem phase is used to optimize incident handling and response. See page 103 of the CSA Cloud Security Guidance v4.
Which phase of the incident response lifecycle is affected by migrating from a traditional IT environment to the cloud?
A. preparation
B. isolation
C. post-mortem
D. all of them
Answer: D
All of the phases of the incident response process are affected by cloud operations. See page 103 of the CSA Cloud Security Guidance v4.
Which of the following is not a recommendation from the CSA about cloud customer incident response activity during the Preparation phase?
A. test the incident response notification process
B. the provider and customer should engage in joint training sessions involving personnel from both organizations
C. ensure the provider has accurate notification contact information for the customer
D. the customer should ensure they have correct notification/escalation contact information for the provider
Answer: B
While joint training sessions may be a good idea, it is impractical and implausible to expect. All the other answers are recommendations made by the CSA. See page 103 of the CSA Cloud Security Guidance v4.
In preparing for incident response for an IaaS/PaaS environment, the cloud customer should be aware…
A. of which hardware elements comprise the underlying infrastructure
B. that log data for a specific incident might be limited to what was already provided according to the contract
C. of any users logging into the environment remotely
D. of the time delay from the moment of incident detection until the arrival of armed response
Answer: B
Incident response log data may be limited to log data already provided prior to the incident, and additional requests might not be honored; the customer needs to understand the scope and availability of logs, as defined by the contract. See page 103 of the CSA Cloud Security Guidance v4.
Physical security and devices are typically opaque to the customer; these are the responsibility of the provider; A and D are incorrect. All user access to the cloud is remote access; C is incorrect.
A customer should design the cloud environment in a way that optimizes the effectiveness of incident response. This includes all of the following measures except __________.
A. enable API logging to an external, secure location
B. ensure contracts include a 100% uptime guarantee
C. utilize isolation to limit potential negative impact
D. use immutable servers if possible
Answer: B
Nothing is 100% (risk or security or availability or anything else); avoid any provider that offers a metric of 100% (or 0%). All the other answers are methods a cloud customer should use to optimize the effectiveness of incident response actions. See page 104 of the CSA Cloud Security Guidance v4.
Which of the following are helpful ways to determine if your architecture is suitable for incident containment? [select all that apply]
A. conduct user training at periodic intervals
B. threat modeling activities
C. tabletop exercises
D. ensure cloud provider billing is accurate
E. protect root management credentials
Answer: B and C
Threat modeling and tabletop exercises can aid the organization in determining if the cloud architecture is optimized for incident containment activities. See page 104 of the CSA Cloud Security Guidance v4.
User training and protecting credentials are useful in protecting the cloud environment, but do not aid in reviewing the architecture for incident response actions. Provider billing has nothing to do with incident response.
If logs aren’t available to determine possible changes/modifications in the cloud environment, what might the customer use instead (depending on which provider the customer is using)?
A. forensic hardware
B. the cloud management console
C. digital rights management software
D. strong contract language
Answer: B
Close observation of the cloud management console might allow the customer to determine if unauthorized/unscheduled configuration changes have occurred. See page 104 of the CSA Cloud Security Guidance v4.
Customers aren’t typically able to install hardware appliances in the cloud environment; A is incorrect. DRM and strong contract language are both useful for protecting the customer, but not for monitoring configuration changes; C and D are incorrect.
To aid in getting information about potential attackers, the cloud customer might consider __________.
A. subscribing to an external threat intelligence service
B. sending undercover operatives into known attacker hangouts
C. paying known attackers for insight into their operations
D. offering a bounty to anyone who will attack the attackers
Answer: A
External threat intelligence is always useful, whether the customer runs a traditional IT environment or cloud environment. See page 105 of the CSA Cloud Security Guidance v4.
The other answers are all incorrect, and somewhat silly, if not downright counterproductive and/or illegal.
In order to determine whether log data received from a cloud provider satisfies chain-of-custody requirements, security practitioners should consult __________.
A. their supervisors
B. senior management
C. attorneys
D. cloud providers
Answer: C
Nobody will be more prepared to answer legal questions than lawyers. See page 105 of the CSA Cloud Security Guidance v4.
Because of the dynamic and high-velocity nature of cloud environments, it is best to __________ forensic/investigatory processes.
A. remove
B. replicate
C. reduce
D. automate
Answer: D
Automation reduces the potential for human error and leverages the power of IT solutions. See page 105 of the CSA Cloud Security Guidance v4.
Processes that might be automated in order to enhance incident response actions in the cloud include all of the following except __________.
A. snapshotting the storage of a virtual machine
B. capturing metadata at the time of an alert
C. reviewing alerts to determine their precedence
D. “pausing” a virtual machine, to retain volatile memory (if allowed by the provider)
Answer: C
Alert review is one task that requires human intervention; no automation tool can yet approximate human capabilities in this regard. See page 105 of the CSA Cloud Security Guidance v4.
All the other answers are tasks that can be automated.
Cloud capabilities that might assist with determining the extent of the impact of an incident include: [select all that apply]
A. analyze network flows to determine if isolation was compromised
B. metered service
C. virtualization
D. examine configuration data to see if similar instances were exposed in the same attack
E. query intelligence-sharing centers for the industry
Answer: A and D
Both of these are potential ways to gauge the impact of a given incident. See page 105 of the CSA Cloud Security Guidance v4.
B and C are both characteristics of cloud computing, but not particularly useful in determining the extent of incident impact. E is not intrinsically related to cloud computing, nor is it useful to ascertain the impact of an incident.