Incident Response Flashcards
Objective 4.8: Explain appropriate incident response activities
1️⃣ Which of the following is the FIRST phase of the NIST incident response process?
A) Containment
B) Preparation
C) Detection & Analysis
D) Eradication
Answer: B) Preparation
Explanation:
The Preparation phase involves getting ready for security incidents by implementing security policies, setting up monitoring tools, and conducting training.
Containment (A) happens after a threat is detected.
Detection & Analysis (C) is the second phase.
Eradication (D) occurs after containment and focuses on removing threats.
2️⃣ During which phase of the incident response process would an organization analyze logs to determine the extent of an attack?
A) Preparation
B) Detection
C) Analysis
D) Recovery
Answer: C) Analysis
Explanation:
Analysis involves thoroughly examining the incident, determining its scope, and identifying affected systems.
Preparation (A) occurs before an incident happens.
Detection (B) identifies that an incident has occurred but does not involve deep investigation.
Recovery (D) is about restoring systems after the incident.
3️⃣ A company experiences a cyberattack and immediately isolates the affected systems to prevent the attack from spreading. This action is part of which incident response phase?
A) Containment
B) Eradication
C) Recovery
D) Detection
Answer: A) Containment
Explanation:
Containment focuses on preventing the spread of an attack by isolating affected systems.
Eradication (B) follows containment and involves removing the threat.
Recovery (C) restores systems after the threat has been eliminated.
Detection (D) is the phase where the attack is first identified.
4️⃣ What is the primary goal of the eradication phase in incident response?
A) To isolate the affected systems
B) To remove all traces of the malicious activity
C) To restore operations to normal
D) To analyze the root cause of the attack
Answer: B) To remove all traces of the malicious activity
Explanation:
Eradication ensures that all remnants of the attack, such as malware or unauthorized accounts, are removed.
Containment (A) is done before eradication to prevent further damage.
Recovery (C) is focused on getting systems back to normal after eradication.
Root cause analysis (D) occurs in the post-incident activity phase.
5️⃣ A security team restores a compromised system from a backup and installs the latest security patches. Which phase does this action belong to?
A) Preparation
B) Detection
C) Recovery
D) Eradication
Answer: C) Recovery
Explanation:
Recovery focuses on restoring affected systems, applying security updates, and ensuring operations return to normal.
Preparation (A) happens before an incident to strengthen security.
Detection (B) is when the attack is identified.
Eradication (D) removes the threat but does not involve system restoration.
6️⃣ What is the primary purpose of the post-incident activity phase in the incident response process?
A) To strengthen system defenses and prevent future incidents
B) To detect new security threats
C) To remove malware from affected systems
D) To notify external stakeholders of the incident
Answer: A) To strengthen system defenses and prevent future incidents
Explanation:
The Post-Incident Activity phase involves reviewing the incident, conducting root cause analysis, and making improvements.
Detection (B) happens earlier in the response process.
Eradication (C) focuses on removing threats, not analyzing the incident.
Notification (D) is part of the analysis phase but not the primary goal of post-incident activity.
7️⃣ Which of the following BEST describes the purpose of an incident response team?
A) To monitor network traffic and prevent all cyberattacks
B) To investigate and respond to security incidents when they occur
C) To configure security devices such as firewalls and intrusion detection systems
D) To report all security incidents to law enforcement agencies
Answer: B) To investigate and respond to security incidents when they occur
Explanation:
An incident response team is responsible for handling and mitigating cybersecurity incidents.
Monitoring network traffic (A) is done by security operations centers (SOCs), not specifically by incident response teams.
Configuring security devices (C) is part of IT security but not incident response.
Reporting to law enforcement (D) may be necessary for some incidents, but it’s not the primary function of an incident response team.
8️⃣ What is an “Out-of-Band (OOB) communication channel” in incident response?
A) A secondary channel used when the primary network is compromised
B) A primary network used for regular communications
C) A method to encrypt internal messages
D) A real-time messaging platform for IT teams
Answer: A) A secondary channel used when the primary network is compromised
Explanation:
Out-of-Band (OOB) communication is a separate and independent method used during incidents to maintain secure communication.
Primary networks (B) are often compromised during attacks, making OOB necessary.
Encryption (C) is important but not specific to OOB.
Messaging platforms (D) may be used but do not define OOB.
9️⃣ What is the purpose of a root cause analysis (RCA) after an incident?
A) To determine how the incident happened and prevent it from happening again
B) To document all actions taken during the incident
C) To notify affected stakeholders about the breach
D) To test the incident response plan
Answer: A) To determine how the incident happened and prevent it from happening again
Explanation:
Root cause analysis (RCA) helps organizations understand how an attack occurred and what changes are needed to prevent recurrence.
Documentation (B) is important but separate from RCA.
Stakeholder notification (C) happens during analysis, not RCA.
Testing the incident response plan (D) is done in the preparation phase.
🔟 Which of the following is a key challenge when outsourcing an incident response team?
A) Lack of available security tools
B) External teams may not be familiar with the organization’s network
C) The inability to detect cyber threats
D) Legal restrictions on outsourcing IT security services
Answer: B) External teams may not be familiar with the organization’s network
Explanation:
Outsourced teams specialize in incident response but often require time to understand an organization’s infrastructure.
Security tools (A) are typically available, but knowledge of the network is critical.
Cyber threat detection (C) is part of incident response, but outsourced teams are trained for it.
Legal restrictions (D) exist in some cases but are not the primary challenge.
1️⃣ How does threat hunting differ from traditional security monitoring?
A) Threat hunting is proactive, while traditional monitoring is reactive
B) Threat hunting focuses only on known threats with existing signatures
C) Traditional security monitoring is more effective than threat hunting
D) Threat hunting only investigates alerts triggered by security tools
Answer: A) Threat hunting is proactive, while traditional monitoring is reactive
Explanation:
Threat hunting is a proactive process where security analysts actively look for threats before an attack is detected.
Traditional monitoring relies on predefined rules and alerts to detect attacks.
B (incorrect): Threat hunting is not limited to known threats—it looks for unknown and undetected threats.
C (incorrect): Both methods are important, but threat hunting finds threats that traditional monitoring may miss.
D (incorrect): Threat hunting does not wait for alerts; it proactively searches for hidden threats.
2️⃣ What is the first step in the threat hunting process?
A) Blocking all traffic from untrusted sources
B) Establishing a hypothesis through threat modeling
C) Analyzing SIEM logs for unusual activity
D) Creating new firewall rules
Answer: B) Establishing a hypothesis through threat modeling
Explanation:
Threat hunting begins with hypothesis development, where analysts use threat modeling to predict potential attack methods.
A (incorrect): Blocking traffic is a security measure but not the first step in threat hunting.
C (incorrect): Log analysis is important but comes after establishing a hypothesis.
D (incorrect): Firewall rules may be updated later based on findings from threat hunting.
3️⃣ What does TTP stand for in cybersecurity?
A) Threat, Target, and Persistence
B) Tactics, Techniques, and Procedures
C) Tracking, Testing, and Prevention
D) Threats, Tools, and Protocols
Answer: B) Tactics, Techniques, and Procedures
Explanation:
TTPs describe how attackers operate, including their methods, goals, and processes used to compromise systems.
A, C, and D (incorrect): These are not standard cybersecurity terms related to TTPs.
4️⃣ Why do threat hunters assume that existing security tools may have failed?
A) Attackers may use new techniques that lack detection signatures
B) Security tools never work correctly
C) Traditional monitoring always misses threats
D) Threat hunting only focuses on internal threats
Answer: A) Attackers may use new techniques that lack detection signatures
Explanation:
Threat actors evolve their methods to bypass signature-based security tools, requiring manual threat hunting to detect new tactics.
B and C (incorrect): Security tools work but may not catch all threats.
D (incorrect): Threat hunting investigates both internal and external threats.
5️⃣ Which of the following best describes a Command and Control (C2) server?
A) A legitimate system administrator tool
B) A remote server used by attackers to control infected machines
C) A firewall system designed to block malware
D) A secure method for internal company communications
Answer: B) A remote server used by attackers to control infected machines
Explanation:
C2 servers are used by cybercriminals to send commands to malware-infected devices, steal data, or spread attacks.
A, C, and D (incorrect): C2 servers are malicious, not legitimate security tools.
6️⃣ What are the key indicators of C2 traffic in a network?
A) Increased use of legitimate cloud services
B) Frequent outbound connections to known malicious domains
C) A high number of user login attempts
D) Decrease in system performance due to software updates
Answer: B) Frequent outbound connections to known malicious domains
Explanation:
C2 traffic is often detected through unusual outbound communication to suspicious IP addresses or domains controlled by attackers.
A (incorrect): Cloud service usage is not necessarily an indicator of C2 activity.
C (incorrect): High login attempts may indicate a brute-force attack, not C2.
D (incorrect): Slow performance due to updates is normal, not necessarily linked to C2.
7️⃣ How do security teams detect and block C2 communication?
A) Using firewall rules, SIEM alerts, and threat intelligence feeds
B) Disabling all internet traffic
C) Replacing old computers with new ones
D) Installing anti-virus software on mobile phones
Answer: A) Using firewall rules, SIEM alerts, and threat intelligence feeds
Explanation:
Security teams use network monitoring, intrusion detection, and intelligence feeds to detect and block C2 communications.
B (incorrect): Blocking all internet traffic is not a practical security measure.
C and D (incorrect): Upgrading devices and installing antivirus do not specifically detect and block C2 servers.
8️⃣ Why is threat intelligence important for threat hunting?
A) It helps analysts stay updated on new TTPs and vulnerabilities
B) It automatically blocks all cyber threats
C) It eliminates the need for security analysts
D) It is only used by law enforcement agencies
Answer: A) It helps analysts stay updated on new TTPs and vulnerabilities
Explanation:
Threat intelligence provides valuable insights about new threats that security teams can use to improve detection methods.
B (incorrect): Threat intelligence does not automatically block threats; it provides information.
C (incorrect): Human analysts are still necessary to interpret and act on threat intelligence.
D (incorrect): Threat intelligence is used by companies, governments, and cybersecurity teams, not just law enforcement.
9️⃣ What is the main benefit of threat hunting?
A) It detects threats that bypass existing defenses
B) It replaces traditional security monitoring
C) It eliminates the need for security analysts
D) It automatically blocks all attacks
Answer: A) It detects threats that bypass existing defenses
Explanation:
Threat hunting identifies hidden threats that existing monitoring tools may miss.
B (incorrect): Threat hunting complements, rather than replaces, traditional monitoring.
C (incorrect): Human analysts are essential for cybersecurity.
D (incorrect): Threat hunting does not automatically block threats; it identifies them for mitigation.
🔟 What is an example of a scenario where threat hunting is needed?
A) A new zero-day vulnerability has been reported, but security tools don’t yet have a detection rule
B) A firewall is blocking all incoming traffic
C) A software patch has been successfully deployed
D) A security analyst is setting up new user accounts
Answer: A) A new zero-day vulnerability has been reported, but security tools don’t yet have a detection rule
Explanation:
Threat hunters investigate new threats like zero-day exploits where existing security tools lack signatures or rules.
B, C, and D (incorrect): These scenarios do not specifically require threat hunting.
1️⃣ What is the main objective of the Change Management Process?
A) To block all unauthorized changes permanently
B) To plan, review, approve, and implement changes with minimal risk
C) To prevent employees from making changes to systems
D) To delay system updates for as long as possible
Answer: B) To plan, review, approve, and implement changes with minimal risk
Explanation:
The Change Management Process ensures that updates, patches, or modifications do not disrupt business operations.
A (incorrect): Change management does not block all changes, but ensures they are managed properly.
C (incorrect): Employees can make changes, but they must go through the change approval process.
D (incorrect): Change management does not delay updates unnecessarily, but ensures they are properly tested and reviewed.
2️⃣ Why is a “no-blame approach” important in Root Cause Analysis (RCA)?
A) It helps identify and assign fault to the responsible individual
B) It focuses on finding solutions rather than blaming individuals
C) It ensures that security teams ignore incidents to avoid conflicts
D) It prevents organizations from implementing security measures
Answer: B) It focuses on finding solutions rather than blaming individuals
Explanation:
RCA aims to identify the root cause of incidents to prevent them from happening again.
A no-blame approach ensures that teams openly report issues without fear, allowing organizations to improve security practices.
A (incorrect): RCA does not assign blame; it focuses on solutions.
C (incorrect): Ignoring incidents is not part of RCA—it seeks to understand and resolve them.
D (incorrect): RCA strengthens security measures rather than preventing them.
3️⃣ What is the first step in Root Cause Analysis (RCA)?
A) Implement and track solutions
B) Define and scope the incident
C) Determine the causal relationships
D) Identify effective solutions
Answer: B) Define and scope the incident
Explanation:
The first step in RCA is defining and scoping the incident, which includes identifying the affected systems, users, and operational impact.
A (incorrect): Implementing solutions happens at the final stage.
C (incorrect): Determining causal relationships is the second step.
D (incorrect): Identifying solutions is done after determining the cause.
4️⃣ Which of the following is an example of implementing RCA findings to prevent future incidents?
A) Reprimanding an employee for clicking a phishing link
B) Restricting USB usage after discovering malware spread via flash drives
C) Disabling security alerts to avoid false positives
D) Ignoring the root cause and only resolving immediate symptoms
Answer: B) Restricting USB usage after discovering malware spread via flash drives
Explanation:
Implementing RCA findings means taking corrective actions to prevent the same incident from happening again.
A (incorrect): Blaming employees is counterproductive and does not solve the root issue.
C (incorrect): Disabling alerts makes security less effective.
D (incorrect): Ignoring the root cause leads to repeated security incidents.