Incident Response

Question 1

Incident

Answer 1

Act of violating an explicit or implied security policy.

Question 2

Incident Response Procedures

Answer 2

Guidelines for handling security incidents

Question 3

What are the 7 Incident Response Phases?

Answer 3

Preparation
Detection
Analysis
Containment
Eradication
Recovery
Post-Incident Activity or Lessons Learned

Question 4

Preparation

Answer 4

Stage 1 of IRP

Involves strengthening systems and networks to resist attacks. All about getting ready for future incidents.

Question 5

Detection

Answer 5

Stage 2 of IRP

Identifies security incidents

Question 6

Analysis

Answer 6

Stage 3 of IRP

Involves a thorough examination and evaluation of the incident.

Stakeholders are informed, containment begins, and initial response actions are taken.

Question 7

Containment

Answer 7

Stage 4 of IRP

Limits the incident’s impact by securing data and protecting business operations.

Question 8

Eradication

Answer 8

Stage 5 or IRP

Starts after containment and aims to remove malicious activity from the system or network.

Question 9

Recovery

Answer 9

Stage 6 of IRP

Restores systems and services to their secure state after an incident.

Restoring from a known good backup, installing security patches, and implementing configuration updates.

Recovery procedures can involve monitoring for lingering threats to ensure a smooth return to normal operations.

Question 10

Post-Incident Activity or Lessons Learned

Answer 10

Stage 7 of IRP

Happens after containment, eradication, and full system recovery.

Root Cause Analysis to identify the incident’s source and how to prevent it in the future. Determine the casual relationships that led to the incident, identify a practical solution, and implement and track the solutions.

Lessons Learned Process - Documents experiences during incidents in a formal way

After-Action Report - collects formalized information about what occurred.

Question 11

Digital Forensics

Answer 11

Process for investigating and analyzing digital devices and data to uncover evidence for legal purposes.

Question 12

Identification

Answer 12

Ensured the safety of the scene, secures it to prevent any evidence contamination, and determines the scope of the evidence to be collected.

Question 13

Collection

Answer 13

Refers to the process of gathering, preserving, and documenting physical or digital evidence in various fields.

Question 14

Order of Volatility

Answer 14

Dictates the sequence in which data sources should be collected and preserved based on their susceptibility to modification or loss

NIST 800-56 Steps:
Collect data from systems’ memory
Capture data from the system state
Capture data from the storage devices
Capture network traffic and logs
Collect remotely stored or archived data

Question 15

Chain of Custody

Answer 15

A documented and verifiable record that tracks the handling, transfer, and preservation of digital evidence from the moment it is collected until it is presented in a court of law.

Question 16

Disk Imaging

Answer 16

It involves creating a bit-by-bit or logical copy of a storage device, preserving its entire content, including deleted files and unallocated space.

Question 17

File carving

Answer 17

Focuses on extracting files and data fragments from storage media without relying on the file system.

Question 18

Analysis

Answer 18

Involves systematically scrutinizing the data to uncover relevant information, such as potential signs of criminal activity, hidden files, timestamps, and user interactions.

Question 19

Reporting

Answer 19

Involves documenting the findings, processes, and methodologies used during a digital forensic investigation.

Question 20

Legal Hold

Answer 20

Formal notification that instructs employees to preserve all potentially relevant electronic data, documents, and records.

Ensure that preservation practices protect the systems and the potential evidence.

Preservation measures may include:
Making backup copies
Isolating critical systems
Implementing access controls

Question 21

Electronic Discovery

Answer 21

Process of identifying, collecting, and producing electronically stored information during potential legal proceedings.

Question 22

Order of Volatility

Answer 22

1. CPU registers and cache memory
2. System memory (RAM), routing tables, ARP caches, process tables, and temporary swap files.
3. Data on persistent mass storage (HDD, SDD, Flash Drive)
4. Remote logging and monitoring data
5. Physical configuration and network topology
6. Archival media