Incident Handling

Question 1

What is a comprehensive incident report completed on all CAT I, II, IV and VIIs

Answer 1

AFCIR (AF Cyber Incident Report)

Question 1

Category 1

Answer 1

Root Level

Question 1

Explained Anomaly

Answer 1

Event

Question 2

User Level

Answer 2

Incident

Question 4

Investigating

Answer 4

Event

Question 5

What are the Mission Assurance Categories (MACs)

Answer 5

MAC I, II, III

Question 6

What are the phases contained in the standard AF incident response process

Answer 6

Preparation, Detection, Isolation & Containment, Secure, Recover, Lessons Learned

Question 6

What incident response phase sees 90% accomplished when the system is removed from the network

Answer 6

Isolation and Containment

Question 6

What MAC says the system is IMPORTANT to the support of deployed forces

Answer 6

MAC level II

Question 6

What incident response phase sees Operational & technical impact assessed

Answer 6

Secure

Question 6

Category 4

Answer 6

Denial Of Service

Question 6

Category 6

Answer 6

Reconnaisance

Question 7

Category 8

Answer 7

Investigating

Question 8

What incident response phase sees advanced forensic analysis, malware submitted to AV vendors, software vendors notified of exploited vulnerabilities

Answer 8

Secure

Question 9

What incident response phase sees Signatures Developed

Answer 9

Secure

Question 10

Who produces/disseminates the AFCIR

Answer 10

33rd NWS

Question 11

What incident response phase sees the SysPOC completed

Answer 11

Secure

Question 12

What incident response phase sees New TTP potentially incorporated into authorized procedures

Answer 12

Lessons Learned

Question 13

Of the 9 CAT events, which one is User Level Intrusion

Answer 13

CAT II: (Incident)

Question 13

Of the 9 CAT events, which one is Unsuccessful Activity Attempt

Answer 13

CAT III: (Event)

Question 13

What MAC says the system is VITAL to operational readiness or mission effectiveness of deployed forces

Answer 13

MAC level I

Question 14

Of the 9 CAT events, which one is NON-COMPLIANCE Activity/Poor Security Practice

Answer 14

CAT V: (Event)

Question 15

Reconnaisance

Answer 15

Event

Question 16

Hi there What does this mean?

Of the 9 CAT events, which one is Root Level Intrusion

Answer 16

CAT I: (Incident)

Question 16

Category 3

Answer 16

Unsuccessful Login Attempt

Question 17

If needed in Detection phase, who will be called for forensics?

Answer 17

33 NWS FAT (Forensic Analysis Team)

Question 19

Which CAT Events constitutes incidents

Answer 19

CAT I, II, IV, & VII

Question 20

What is the main purpose of FRED/FLUFFE

Answer 20

Find True Source IP

Question 21

What incident response phase sees Compromised system restored to pristine state

Answer 21

Recover

Question 23

Root Level

Answer 23

Incident

Question 24

Of the 9 CAT events, which one is Explained Anomaly

Answer 24

CAT IX: (Event)

Question 25

What incident response phase sees compromised credentials reset

Answer 25

Isolation and containment

Question 26

Example of: Root

Answer 26

Unrestricted Access to an Information system

Question 27

Example of: Reconnaissance

Answer 27

Nmapping Subnet

Question 29

Of the 9 CAT events, which one is Under Investigation

Answer 29

CAT VIII: (Event)

Question 32

What incident response phase sees Cyber Operational Risk Assessment provided if data extracted

Answer 32

Secure

Question 33

Of the 9 CAT events, which one is Malicious Logic

Answer 33

CAT VII: (Incident)

Question 34

What 4 units are involved with the Preparation phase of Incident Response

Answer 34

33rd NWS, AFOSI, INOSC, NCC Personnel

Question 35

What incident response phase see suspicious activity, base is tasked to investigate and run First Responder’s Evidence Disk (FRED)?

Answer 35

Detection

Question 36

What is designed to acquire data from a live system

Answer 36

FRED/FLUFFE

Question 37

Category 5

Answer 37

Non-Compliance

Question 38

Unsuccessful Login Attempt

Answer 38

Event

Question 39

What incident response phase sees the system removed if not mission critical and an upgrade determination is made?

Answer 39

Detection

Question 40

What incident response phase sees blocks accomplished (IP/MAC, Ports/DNS Blackhole)

Answer 40

Isolation and Containment

Question 41

What is a remote investigation solution to collect, process, search, analyze, and report

Answer 41

Encase

Question 42

Category 7

Answer 42

Malicious Logic

Question 43

What MAC says the INFORMATION is necessary for the conduct of day to day business

Answer 43

MAC level III

Question 44

Category 9

Answer 44

Explained Anomaly

Question 45

What incident response phase sees Mission Assurance Category ID’d

Answer 45

Secure

Question 46

Denial Of Service

Answer 46

Incident

Question 47

What is very important in finding the system during Detection

Answer 47

True Source IP (TSIP)

Question 48

How much time does the 33rd have to produce an AFCIR

Answer 48

21 days

Question 49

Of the 9 CAT events, which one is Denial of Service

Answer 49

CAT IV: (Incident)

Question 50

Of the 9 CAT events, which one is Reconnaissance

Answer 50

CAT VI: (Event)

Question 51

Malicious Logic

Answer 51

Incident

Question 52

Non-Compliance

Answer 52

Event

Question 53

What incident response phase sees AF Cyber Incident Report generated (33rd NWS)

Answer 53

Lessons Learned

Question 54

Category 2

Answer 54

User Level

Question 55

What document governs guidelines for the Preparation phase of Incident Response

Answer 55

CJCSM 6510 change 3 gives us all guidelines