L04 Flashcards

1
Q

Who responds to an incident?

A

An incident response team will consist of at least:
Incident Response Manager
Security Analysts
Threat Researchers

2
Q

Incident Response Manager

A

Oversees all operations and assigns priorities to the rest of the team.

3
Q

Forensic analysts

A

Will recover any key assets and look after any evidence

4
Q

Triage analysts

A

Will analyse data, clarify any false positives and look for further intrusions

5
Q

Steps to respond to an incident

A

Prepare
Detect
Contain
Eradicate
Recover
Lessons Learnt

6
Q

Prepare

A

Make sure employees are aware of what to do
Perform regular drills and mock scenarios
Create an incident response plan

7
Q

Detect

A

When did the incident happen?
How did the incident happen?
Who discovered the incident?
What other areas have been affected?
What was the source of the incident?

8
Q

Contain

A

Restricting any further damage being caused
Quarantining infected systems
Keeping system users informed of actions being taken

9
Q

Eradicate

A

Identification and implementation of measures to eliminate any further infection
Identify the origin of the infection and rebuild devices in a sandboxed environment
Removing/Repairing any infected system files
Checks for any remaining traces of infection
Identification of the vulnerability that was exploited

10
Q

Recover

A

Retesting the functionality of networked devices in the same environment (sandboxed) that caused the infection
Networked devices are tested for malware in the above scenario
Upon successful testing of the above, devices are restored to their original state

11
Q

Lessons Learnt

A

Incident manager will write a report for the organisation with advice on recommended changes in security measures, along with confirmation of full system functionality being restored.
Organisation will consider above advice and apply where feasible
If necessary a statement to the media is released

12
Q

Cyber Security Incident Report

A

Incident title and date of incident
Target of the incident (e.g. organisation)
Incident category
Description of the incident
Type of attacker(s) (e.g. lone hacker)
Purpose of incident (e.g. financial theft)
Techniques used by the attacker(s)
Capability of attacker(s) (e.g. experienced)
Impact of the incident
Cost of the incident (e.g. significant, minimal)
Responses needed (e.g. technical, legal)
Future management (review, trends, updates on documentation, recommendations for changes)
