Investigating an Incident Flashcards
What is the purpose of dashboards in incident investigation?
Provide high-level insights
Dashboards give an initial overview of the security landscape.
What do vulnerability scans aim to identify?
System vulnerabilities
They serve as a foundation for understanding potential entry points.
What is the role of packet captures in network security?
Capture and analyze network traffic
They reveal communication patterns and potential threats.
What do firewall logs monitor?
Network traffic, to detect unauthorized access
They are crucial for identifying security breaches.
What type of events do application logs record?
Application-specific events
They help identify abnormal behavior.
What do endpoint logs capture?
Activities on individual devices
They provide insights into device-level security.
What is the function of OS-specific security logs?
Monitor operating system security events
They are essential for tracking OS vulnerabilities.
What do IPS and IDS logs track?
Intrusion attempts and system compromises
They help in detecting and responding to security threats.
What do network logs record?
Network activities and connections
They are used to analyze network behavior.
What is the purpose of metadata in incident investigations?
Provide contextual information about other data sources
Useful for understanding details about events, calls, emails, and web visits.
What is a SIEM?
Security Information and Event Monitoring System
It provides real-time analysis of security alerts from applications and network hardware.
What does a vulnerability scan report include?
Report ID, scan date and time, system/software version, scan initiator, executive summary
It highlights themes and trends for large networks.
What are false positives in vulnerability scanning?
Vulnerabilities reported that don’t actually exist
Differentiating real vulnerabilities from false positives is crucial.
What is the role of automated reports in security?
Provide information about network security aspects
They are generated by computer systems, often from antivirus software.
What are the key elements of an automated security incident report?
Report ID, generation date, report period, prepared by, executive summary
These elements help in understanding the report’s relevance.
What does an executive summary in an incident report provide?
A brief overview of the report’s content
It helps readers determine the report’s relevance.
What is the purpose of packet capture?
Captures data going to or from a network device
It can reveal patterns indicating attack types.
What does NetFlow do?
Collects active IP network traffic data
It provides information on source, destination, volume, and paths.
What is the significance of MD5/SHA256 checksums?
They serve as unique digital fingerprints for file identification
This includes potential malware identification.
What does a packet capture display typically include?
Packet sequence number, elapsed time, source/destination IP addresses, protocol, length
This information helps analyze network traffic.
What is the function of journalctl?
Querying and displaying logs from the journal daemon (journald)
It is part of systemd’s logging service.
What is the purpose of a single pane of glass in security monitoring?
A single screen for analysts to access everything across the organization
It simplifies the analysis process.