Incident response Flashcards

1
Q

What is an incident response

A

The set of procedures an investigator follows when examining a computer security incident

2
Q

what is an IMP

A

Incident management program - a program consisting of the monitoring and detection of security events on a computer network and the execution of proper responses to those events

3
Q

What are the steps to an IMP

A

Preparation
Identification
Containment
Eradication
Recovery
Lessons learned
(the six-step SANS incident handling model; the steps are cyclical, since lessons learned feeds back into preparation)

4
Q

Explain the preparation stage of IMP

A

Create and maintain a security posture, create a detailed IRP (incident response plan), and have solid, repeatable procedures in place before an incident occurs

5
Q

Explain the identification stage of IMP

A

Recognizing whether an event should be classified as an incident (i.e. whether it meets the severity and priority thresholds defined in the IMP)

6
Q

Explain the containment stage of IMP

A

Focused on isolating the incident so it cannot spread. If a PC is infected with a virus, it is important to isolate the machine from the network (disconnect it or quarantine it with EDR) before it can infect other hosts; isolate rather than power off where volatile evidence (memory, active connections) is still needed

7
Q

Explain the eradication stage of IMP

A

Remove the threat or attack (e.g. delete the malware, disable compromised accounts, close the vulnerability that was exploited)

8
Q

Explain the recovery stage of IMP

A

Data restoration, system repair, and re-enabling any items that were taken offline during the attack

9
Q

Explain the lessons learned stage of IMP

A

Document the incident response process
Make changes to the process and procedures to make sure that next time you are better prepared

10
Q

What are some questions commonly posed in the lessons learned stage of an IMP

A

Was the threat detected?
How was the event detected?
Did we respond, and how?
Were our eradication methods successful?

11
Q

What is an IRT

A

Incident response team - consists of the key people who must respond to any incident that meets the severity and priority thresholds outlined by the IMP

12
Q

Describe the roles within an IRT

A

Incident response manager
Security analysts, acting as either triage analysts or forensic analysts
Threat researcher

13
Q

Describe the role of the incident response manager

A

Oversees and prioritizes actions during the detection, analysis and containment of incidents

14
Q

Describe the role of the triage security analyst

A

Assigned to work on the network during the response; helps filter out false positives by using IPS/IDS to monitor, analyze, and detect intrusions

15
Q

Describe the role of the forensic analyst

A

Does the detective work to piece together what has occurred on the network.
Focuses on recovering artifacts and evidence from the network and uses this to build a timeline of the events that led up to the incident.

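The identification, triage and forensic-timeline cards above describe one workflow: normalize artifacts from several sources, discard low-value noise, order what remains in time, and decide whether the cluster crosses the IMP's escalation threshold. The block below is an added example written for this page, not code from the original flashcards or from any product. The log lines, hostnames, IP addresses, severity weights and the 15-minute correlation window are all constructed assumptions; a real SOC would take these from its own IMP.

```python
"""Added example: build an incident timeline from mixed log sources and
decide whether the correlated events meet an (assumed) escalation threshold.
All sample data, hosts, IPs and thresholds below are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed artifacts from three sources, each with its own timestamp style:
# syslog with a UTC offset, IDS alerts with epoch seconds, EDR with ISO "Z".
SAMPLE_ARTIFACTS = [
    ("auth", "2024-03-04T09:12:07-05:00 ws-042 sshd[4121]: Failed password for root from 203.0.113.7 port 52114 ssh2"),
    ("auth", "2024-03-04T09:12:09-05:00 ws-042 sshd[4121]: Accepted password for svc_backup from 203.0.113.7 port 52120 ssh2"),
    ("ids", "1709561541 ALERT sid=2100498 severity=high src=203.0.113.7 dst=10.0.5.42 msg=ET SCAN SSH BruteForce"),
    ("edr", "2024-03-04T14:13:30Z host=ws-042 event=process_create image=C:\\Users\\Public\\svchost.exe parent=powershell.exe severity=critical"),
    ("ids", "1709561100 ALERT sid=2000000 severity=low src=10.0.5.9 dst=10.0.5.42 msg=ET POLICY Ping Sweep"),
]

# Assumed severity weights; an IMP would define its own.
SEVERITY_SCORE = {"low": 1, "medium": 3, "high": 5, "critical": 8}

SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Event:
    when: datetime      # always timezone-aware UTC so sources sort correctly
    source: str
    host: str
    severity: str
    summary: str


def _parse_ts(raw: str) -> datetime:
    """Accept epoch seconds or ISO-8601 with an offset or trailing Z; return UTC."""
    if raw.isdigit():
        return datetime.fromtimestamp(int(raw), tz=timezone.utc)
    dt = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        # A naive timestamp cannot be placed on the timeline reliably.
        raise ValueError(f"timestamp without zone is ambiguous: {raw}")
    return dt.astimezone(timezone.utc)


def parse_artifact(source: str, line: str) -> Event:
    """Normalize one raw line from a known source into an Event."""
    if source == "auth":
        m = SYSLOG_RE.match(line)
        if not m:
            raise ValueError(f"unparsable auth line: {line}")
        msg = m["msg"]
        severity = "medium" if msg.startswith("Accepted") else "low"
        return Event(_parse_ts(m["ts"]), source, m["host"], severity, msg)
    # ids / edr: "<ts> <tokens> key=value ... [msg=free text]"; msg is always last.
    ts, _, rest = line.partition(" ")
    rest, _, msg = rest.partition(" msg=")
    fields = dict(KV_RE.findall(rest))
    host = fields.get("host") or fields.get("dst", "?")
    summary = msg or f"{fields.get('event', rest)} {fields.get('image', '')}".strip()
    return Event(_parse_ts(ts), source, host, fields["severity"], summary)


def build_timeline(artifacts) -> list[Event]:
    """Forensic step: every artifact normalized to UTC and ordered in time."""
    return sorted((parse_artifact(s, line) for s, line in artifacts), key=lambda e: e.when)


def triage(timeline: list[Event], min_severity: str = "medium") -> list[Event]:
    """Triage step: drop events below the severity floor (the false-positive noise)."""
    floor = SEVERITY_SCORE[min_severity]
    return [e for e in timeline if SEVERITY_SCORE[e.severity] >= floor]


def classify(timeline: list[Event], window: timedelta = timedelta(minutes=15),
             score_threshold: int = 10) -> dict:
    """Identification step: find the densest window of events and decide whether
    it is an incident (score over threshold, or any critical event present)."""
    best = {"score": 0, "events": []}
    for i, first in enumerate(timeline):
        cluster = [e for e in timeline[i:] if e.when - first.when <= window]
        score = sum(SEVERITY_SCORE[e.severity] for e in cluster)
        if score > best["score"]:
            best = {"score": score, "events": cluster}
    events = best["events"]
    return {
        "incident": best["score"] >= score_threshold or any(e.severity == "critical" for e in events),
        "score": best["score"],
        "hosts": sorted({e.host for e in events}),
        "events": events,
    }


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_ARTIFACTS)
    for e in tl:
        print(f"{e.when:%Y-%m-%dT%H:%M:%SZ} {e.source:<4} {e.host:<10} {e.severity:<8} {e.summary}")
    verdict = classify(triage(tl))
    print(f"incident={verdict['incident']} score={verdict['score']} hosts={verdict['hosts']}")
```

The timestamp normalization is the part that most often goes wrong in real cases: the syslog entries are written in local time with a -05:00 offset while the IDS and EDR records are already UTC, and only after converting everything to one zone does the sequence (failed login, accepted login, brute-force alert, suspicious process) become visible. Triage removes the ping sweep and the single failed login before the cluster is scored, which is exactly the false-positive filtering the triage analyst card describes.
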
16
Q

What is a threat researcher

A

Provides threat intelligence and context during incident response. Tasked with keeping up to date on current threats, attacker techniques and indicators of compromise

17
Q

Describe cross-functional support

A

People from executive management, HR and Legal (attorneys) who assist in incident response outside the core technical team

18
Q

What is a CSIRT

A

Computer security incident response team - the single point of contact for security incidents; may be part of the SOC or an independent team

19
Q

Best practices for a CSIRT include:

A

Out-of-band communications (so the team can coordinate even if email or chat is compromised)
Up-to-date contact lists
Planning for how far communications go (who inside and outside the team needs to know)

20
Q

True or False: it is essential to prevent the unauthorized release of information outside the CSIRT

A

True

21
Q

Who should be identified and notified in the event of a breach or incident

A

The affected stakeholders

22
Q

What are some examples of affected stakeholders

A

Operations affected - Senior Leadership
Compliance affected - Regulatory Bodies
Risk of lawsuit - Legal
Insider threat - Human Resources
When there may be damage to image - Public Relations

23
Q

What role does LE (law enforcement) play in incident response, and who calls them?

A

Law enforcement may provide incident handling or gather evidence for prosecution. Senior leadership decides when to involve LE, with guidance from Legal