Incident Response Flashcards

1
Q

List 6 types of events incident responses can be initiated by

A
  1. Automated detection systems or sensor alerts
  2. Agency user report
  3. Contractor or third-party ICT service provider report
  4. Internal or external organizational component incident report or situational awareness update
  5. Third-party reporting of network activity to known compromised infrastructure, detection of malicious code, loss of services, etc.
  6. Analytics or hunt teams that identify potentially malicious or otherwise unauthorized activity
2
Q

List the 7 steps advanced persistent threats follow to accomplish their objective, with a description of each (Cyber Kill Chain).

A
  1. Reconnaissance - harvesting email addresses, conference information and the like
  2. Weaponization - coupling exploit with backdoor into deliverable payload
  3. Delivery - delivering weaponized bundle to the victim via email, web, USB and others
  4. Exploitation - exploiting a vulnerability to execute code on victim’s system
  5. Installation - installing malware on asset
  6. Command and control - using command channel for remote manipulation of victim
  7. Actions on Objectives - accomplishing the intruder's original goals with "hands on keyboard" access
3
Q

List the 5 Vulnerability and Incident Response Categories

A
  1. Incident
  2. Major Incident
  3. Breach
  4. Event
  5. Vulnerabilities
4
Q

List the 6 Incident Response Phases

A
  1. Preparation
  2. Identification
  3. Containment
  4. Eradication
  5. Recovery
  6. Lessons Learned
5
Q

What are 4 Preparation Questions?

A
  1. Has everyone been trained on security policies?
  2. Have your security policies and incident response plan been approved by appropriate management?
  3. Does the Incident Response Team know their roles and the required notifications to make?
  4. Have all Incident Response Team members participated in mock drills?
6
Q

What are 7 Identification Questions?

A
  1. When did the event happen?
  2. How was it discovered?
  3. Who discovered it?
  4. Have any other areas been impacted?
  5. What is the scope of the compromise?
  6. Does it affect operations?
  7. Has the source (point of entry) of the event been discovered?
7
Q

What are 7 Containment Questions?

A
  1. What’s been done to contain the breach short term?
  2. What’s been done to contain the breach long term?
  3. Has any discovered malware been quarantined from the rest of the environment?
  4. What sort of backups are in place?
  5. Does your remote access require true multi-factor authentication?
  6. Have all access credentials been reviewed for legitimacy, hardened and changed?
  7. Have you applied all recent security patches and updates?
8
Q

What are 3 Eradication Questions?

A
  1. Have artifacts/malware from the attacker been securely removed?
  2. Has the system been hardened, patched, and updates applied?
  3. Can the system be re-imaged?
9
Q

What are 5 Recovery Questions?

A
  1. When can systems be returned to production?
  2. Have systems been patched, hardened and tested?
  3. Can the system be restored from a trusted back-up?
  4. How long will the affected systems be monitored and what will you look for when monitoring?
  5. What tools will ensure similar attacks will not reoccur? (File integrity monitoring, intrusion detection/prevention, etc.)
10
Q

What are 4 Lessons Learned Questions?

A
  1. What changes need to be made to the security?
  2. How should employees be trained differently?
  3. What weakness did the breach exploit?
  4. How will you ensure a similar breach doesn’t happen again?
11
Q

Based on the Experian Data Breach Response Guide what is the average cost per lost or stolen record?

A

$148

12
Q

Based on the Experian Data Breach Response Guide what is the average cost savings per record with an incident response team?

A

$14

13
Q

Based on the Experian Data Breach Response Guide what is the number of records compromised in 2017 due to employee negligence or error?

A

145,927,550

14
Q

Based on the Experian Data Breach Response Guide what is the average cost of a data breach?

A

$3.86 million

15
Q

Who makes up the response team (8)?

A
  1. Customer Care
  2. Executive Leaders
  3. Incident Lead
  4. IT
  5. Legal
  6. PR
  7. HR
  8. Key outside partners
16
Q

How can you verify your organization is ready to carry out your response plan?

A
  1. Enlist an outside facilitator
  2. Schedule a healthy amount of time
  3. Include everyone
  4. Test multiple Scenarios
  5. Debrief after the exercise
  6. Conduct drills every 6 months
17
Q

What should you do in the first 24 hours?

A
  1. Record the moment of discovery
  2. Alert and Activate everyone
  3. Secure the Premises
  4. Stop additional Data Loss
  5. Document Everything
  6. Interview involved parties
  7. Review Notification Protocol
  8. Assess priorities and risks
  9. Notify Law enforcement
18
Q

After Day 1 what should you do?

A
  1. Identify the Cause
  2. Alert your External Partners
  3. Continue working with forensics
  4. Identify Legal Obligations
  5. Report to Upper Management
  6. Identify Conflicting Initiatives
  7. Evaluate Response and Educate Employees
20
Q

What is the average total cost of a breach?

A

$4 million globally
$7 million in US

21
Q

What are the 10 Required Information Elements?

A
  1. Identify the current level of impact on agency functions or services (Functional Impact).
  2. Identify the type of information lost, compromised, or corrupted (Information Impact).
  3. Estimate the scope of time and resources needed to recover from the incident (Recoverability).
  4. Identify when the activity was first detected.
  5. Identify the number of systems, records, and users impacted.
  6. Identify the network location of the observed activity.
  7. Identify point of contact information for additional follow-up.
  8. Identify the attack vector(s) that led to the incident.
  9. Provide any indicators of compromise, including signatures or detection measures developed in relationship to the incident.
  10. Provide any mitigation activities undertaken in response to the incident.
22
Q

Within one hour what will CERT provide?

A

A tracking number for the incident and a risk rating based on the NCCIC Cyber Incident Scoring System.

23
Q

List the 7 Severity Levels with a description of each.

A
  1. Emergency (Black): Poses an imminent threat to the provision of wide-scale critical infrastructure services, national government stability, or the lives of U.S. persons.
  2. Severe (Red): Likely to result in a significant impact to public health or safety, national security, economic security, foreign relations, or civil liberties.
  3. High (Orange): Likely to result in a demonstrable impact to public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence.
  4. Medium (Yellow): May impact public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence.
  5. Low (Green): Unlikely to impact public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence.
  6. Baseline – Minor (Blue): Highly unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence.
  7. Baseline – Negligible (White): Unsubstantiated or inconsequential event.