Incident Response Flashcards
What is an “incident” in the context of information security?
a) “Any real or suspected adverse event in relation to the security of computer systems or computer networks” – Example from CERT
b) “The act of violating an explicit or implied security policy” – Another example from CERT
c) Important for a company to define what an incident is for them.
d) All of the above
d) All of the above
Incident Examples
a) Attempts (either failed or successful) to gain unauthorized access to a system or its data
b) Unwanted disruption or denial of service
c) Unauthorized use of a system for the processing or storage of data
d) Changes to system hardware, firmware, or software characteristics without the owner’s knowledge, instruction, or consent
e) Anything that violates cybercrime laws in your country
f) All of the above
f) All of the above
Incident Response Teams are not known as
a) IR
b) Blue team
c) CSIRP (Computer Security Incident Response Team)
d) Response Team
d) Response Team
An incident response team can be composed in any way suitable to the organization that operates it but a certain subset of skills should be present.
a) T
b) F
a) T
The order of building a team and centre
a) Obtain-Determine-Design-Gather-Communicate-implement-announce-evaluate
b) Gather-obtain-determine-communicate-design-announce-evaluate-implement
c) obtain-determine-gather-design-communicate-implement-announce-evaluate
d) communicate-design-gather-determine-obtain-evaluate-announce-implement
c) obtain-determine-gather-design-communicate-implement-announce-evaluate
Incident Response Processes:
a) Identification-Preparation-Containment-Eradication-Recovery-Lessons Learned
b) Preparation-Identification-Containment-Eradication-Recovery-Lessons Learned
c) Eradication-Recovery-Lessons Learned-Preparation-Identification-Containment
b) Preparation-Identification-Containment-Eradication-Recovery-Lessons Learned
Example of an Incident:
a) Brute force
b) Phishing
c) Detection of an intellectual property (IP) stealing advanced persistent threat (APT) inside your network
d) Session Hijacking
c) Detection of an intellectual property (IP) stealing advanced persistent threat (APT) inside your network
Also: port scan, SSH brute force login attempts, SQL injection attempts against your web application, large scale DDoS against your network, malware
Tier 1 Analysts – The “help desk” of IR. Read the alerts and determine if it’s a false positive or an actual incident.
a) T
b) F
a) T
Tier 2 Analysts – General incident response. Receive the tickets from tier 1 and take the necessary action for large incidents (like a port scan)
a) T
b) F
b) F
Correction: for small incidents (like a port scan)
Tier 3 Analysts – Serious incident response. Security professionals capable of alerting and mobilizing the IR team to respond to a major breach.
a) T
b) F
a) T
Incident Response Tools
Specific Tools:
Remote Syslog (rsyslog – remote collection of system logs)
Windows Event Forwarding
Google Rapid Response (GRR – endpoint agent for analysis)
Redline (endpoint analysis)
MozDef (Mozilla Defense Platform)
Osquery (endpoint analysis)
bulk_extractor (disk image data extraction)
Hindsight (browser history analysis)
Custom Built Virtual Machines:
Remnux (malware)
SIFT (disk forensics)
Security Onion (network analysis)
Kali (misc security, imaging)
General Categories of Incident Response Tools
Forensic Imaging & Analysis Software: EnCase, FTK, DD, SleuthKit
Forensic Memory Capture Software: Volatility, LiME, Memoryze, Rekall
Malware Analysis Tools
Traffic Capture & Analysis: TCPDump, Wireshark, tshark
Timeline Tools: Highlighter, Log2timeline, Plaso, Timesketch