LDR 551 - Book 4 Flashcards

1
Q

What is the Internet Storm Center?

A

Internet’s early warning system

2
Q

What are the four key elements of incident response preparation according to Brown and Roberts?

A

Telemetry, hardening, process, practice

3
Q

Why is visibility foundational in incident response?

A

It’s essential for investigation and response activities.

4
Q

What helps prioritize response efforts in incident response?

A

Analytics, key assets, users, and contextual information

5
Q

Why is having solid process documentation important in incident response?

A

Prevents figuring out procedures on the go.

6
Q

What is often the most overlooked part of incident response?

A

Practice

7
Q

What must incident response tools, services, and skillsets meet?

A

Requirements of the environment and constituency

8
Q

What informs incident response staffing strategy?

A

Incident response goals

9
Q

What is essential for effective incident response teamwork?

A

Strong interpersonal relationships and good communications

10
Q

What should your SOC consider for each device type and location?

A

Readiness for different incident scenarios

11
Q

What is a main consideration for SOC planning?

A

Scenarios the SOC is willing and capable of responding to

12
Q

What is a key aspect of prevention as preparation?

A

Preparing infrastructure to resist intrusion

13
Q

What are CIS benchmarks?

A

Best practices for secure configurations

14
Q

What are the two levels of CIS security settings?

A

Level 1 and Level 2

15
Q

What does Level 1 security setting aim to achieve?

A

Basic security with little impact on functionality

16
Q

What does Level 2 security setting aim to achieve?

A

Greater security but may reduce functionality

17
Q

What are CIS hardened images?

A

Securely configured virtual machine images

18
Q

What is NIST SP 800-123?

A

Guide to General Server Security

19
Q

What is the purpose of the NIST National Checklist Program?

A

Provides a searchable index of hardening guides

20
Q

What are DISA STIGs?

A

Step-by-step checklists for locking down systems

21
Q

What is the Australian Signals Directorate known for?

A

Detailed system configuration guides

22
Q

What are the CIS Controls?

A

Prioritized actions for defense against attacks

23
Q

How are CIS Controls organized?

A

By activities, not by who manages devices

24
Q

What should you understand about your environment for effective security?

A

Normal operations in networks, hosts, applications, users

25
Q

What is a good exercise for incident response preparation?

A

Trace “control” events through existing telemetry

26
Q

What are the three components of incident response governance?

A

Policy, Plan, Procedure

27
Q

What are the three foundational documents for incident response?

A

Policy, plan, and procedure

28
Q

What is the purpose of the incident response policy?

A

High-level direction setting document

29
Q

What does the incident response plan define?

A

Mission, strategies, and goals of the team

30
Q

What are the phases of incident response according to NIST SP 800-61r2?

A

Preparation, Detection and Analysis, Containment, Eradication and Recovery, Post-Incident Activity

31
Q

What should the incident response procedure include?

A

Technical processes, checklists, forms, templates, roles, responsibilities

32
Q

What are the common IR team structures?

A

Centralized, Distributed, Coordinating

33
Q

What is a coordinating team?

A

Provides help to other teams with higher authority.

34
Q

Which team format is ideal for large organizations with in-house capabilities and a full SOC?

A

Distributed Team

35
Q

What is the advantage of distributed teams?

A

Fastest response times.

36
Q

Which SOC model is suitable for smaller, geographically bounded organizations?

A

Single centralized SOC model

37
Q

In what scenario is a coordinating SOC commonly found?

A

Government scenarios with multiple authority levels.

38
Q

What factors should be considered when selecting an IR team type?

A

Expected workload, team size, budget, expertise, availability.

39
Q

What is the simplest staffing model for incident response?

A

Full in-house set of employees.

40
Q

When might a partially outsourced IR capability be chosen?

A

Small budget or rare large incidents.

41
Q

What is a key benefit of partially outsourcing IR capabilities?

A

Reduces costs for rarely needed specialties.

42
Q

Why might a small business fully outsource its IR capabilities?

A

Lack of staff or in-house experience.

43
Q

What is a hybrid partial outsourcing model used for?

A

To help stand up a new IR team.

44
Q

What is crucial for effective incident response in multi-team systems?

A

Technical and social processes.

45
Q

What role does a SOC lead play in communication during an incident?

A

Ensures direction and shields team from distractions.

46
Q

What did the 2016 study on incident response emphasize?

A

Integration of technical and social processes.

47
Q

What are common social failings in incident response teams?

A

Poor communication and collaboration.

48
Q

What can help minimize communication failures during an incident?

A

Communications charters, plans, protocols.

49
Q

What is the difference between taskwork and teamwork?

A

Taskwork is goal-related; teamwork is for coherence.

50
Q

What must leadership coordinate in multi-team systems?

A

Teamwork and taskwork activities.

51
Q

What is required for effective incident response?

A

Multiple teams and individuals working together

52
Q

What drives incident response outcomes?

A

Taskwork-driven results and outcomes

53
Q

Why is teamwork necessary in incident response?

A

To accomplish taskwork sustainably and repeatably

54
Q

What happens without effective teamwork in incident response?

A

Too much variance and reliance on key individuals

55
Q

What should incident response plans and training focus on?

A

Ensuring teams can work together effectively

56
Q

What is the superordinate goal in an MTS Goal Hierarchy?

A

Protect Value Generation

57
Q

What are the three main goals in incident response?

A

Identify, contain, eradicate threats; recover systems and data

58
Q

What makes incident response inherently chaotic?

A

Requires many teams to work together across boundaries

59
Q

What is a challenge if SOC team isn’t wholly responsible for incident response?

A

Conceptualizing ownership of functions

60
Q

What did Mark Orlando and Dr. Daniel Shore discuss in their Black Hat Europe 2022 talk?

A

Increasing efficiency in incident response

61
Q

What is the purpose of an MTS Goal Hierarchy Diagram?

A

Map out functions contributing to incident response goals

62
Q

What is a precursor to documenting roles and responsibilities in incident response?

A

Creating MTS Goal Hierarchy diagrams

63
Q

What does an MTS Interaction Diagram help understand?

A

Relationships needing attention in procedures and plans

64
Q

What can an MTS Interaction Diagram be used as?

A

Diagnostic for team interactions

65
Q

Why is there a very high level of interaction between the Watch and Engineering Teams?

A

Engineering supports containment and recovery tasks

66
Q

What should be done given the high interaction level between Watch and Engineering Teams?

A

Involve Engineering in preparation and training

67
Q

What is the key distinction between incident response and incident management?

A

Incident response focuses on technical activities; incident management on business risk

68
Q

When do incident response activities generally end?

A

When impacted systems and data are restored

69
Q

What do technical tasks rarely address?

A

Mitigation or remediation of business risk

70
Q

What does incident management (IM) address?

A

Business issues during an organizational crisis

71
Q

Who supports the IM process?

A

Cross-functional group of stakeholders

72
Q

When is an IM process typically initiated?

A

During incidents rising to an organizational crisis

73
Q

What might a ransomware incident require?

A

Negotiation, law enforcement coordination, third-party experts

74
Q

What should your incident response plan reference?

A

The IM process and key stakeholders

75
Q

What are foundational elements of IR capability?

A

Incident response governance, staffing models, infrastructure hardening

76
Q

What does incident response require as a multi-team effort?

A

Deliberate and effective teamwork

77
Q

What may not be enough during an organizational crisis?

A

Existing IR plans, policies, and procedures

78
Q

When is an incident identified?

A

When there is measurable/observable impact

79
Q

What is a common characteristic of incident activities?

A

Evidence demonstrating negative or impending impact

80
Q

What is important for incident detection?

A

High fidelity detections

81
Q

What should be assigned once an incident is declared?

A

Incident handler/lead

82
Q

What might the incident handler decide at the response stage?

A

Deeper forensic data collection

83
Q

Role of the IR Lead

A

Facilitates communication, collaboration, and task management

84
Q

Qualifications of an IR Lead

A

Experienced with IR best practices and decision-making

85
Q

Primary Responsibilities of IR Lead

A

Serve as primary source of truth, establish communication channels

86
Q

Who are Subject Matter Experts?

A

SOC analysts, engineers, or system owners

87
Q

Role of the Scribe

A

Collects information and documents incidents

88
Q

Intentional Evidence

A

Data created for auditability

89
Q

Unintentional Evidence

A

Byproduct of other processes, e.g., Windows event logs

90
Q

Importance of Compliance in IR

A

Avoid fines, penalties, lawsuits, and criminal penalties

91
Q

Examples of Compliance Regulations

A

HIPAA, PCI DSS, FISMA

92
Q

Incident Categorization Options

A

NIST 800-61r2, Verizon’s VERIS

93
Q

What is the benefit of the NIST 800-61 system?

A

It ranks dimensions like functional impact, information impact, and recoverability.

94
Q

What is a drawback of the VERIS system?

A

It can go into an almost absurd amount of detail.

95
Q

How can you address the complexity of the VERIS system?

A

Use only a subset of the VERIS framework.

96
Q

When can you create a custom incident recording system?

A

If you don’t need to share metrics outside your organization.

97
Q

What is the benefit of linking VERIS to MITRE ATT&CK?

A

It ties incident metrics to specific threat actors or TTPs.

98
Q

What new resource helps align VERIS with ATT&CK?

A

The ATT&CK-to-VERIS GitHub repo.

99
Q

What are the two big categories in forensic analysis?

A

Investigation and Response.

100
Q

What should you do during initial incident response?

A

Get baseline parameters and preserve volatile evidence.

101
Q

What tools can help preserve evidence quickly?

A

EDR and SOAR tools.

102
Q

What is the purpose of a playbook in incident response?

A

Guidance for responding to various scenarios.

103
Q

What should be avoided when writing playbooks?

A

Over-engineering the incident response process.

104
Q

What should a well-written playbook answer?

A

“Who do I call first?” and “What information do I need?”

105
Q

How often should playbooks be reviewed?

A

Periodically, for relevance and timeliness.

106
Q

What is the purpose of reference models in technical response playbooks?

A

To guide writing technical response playbooks.

107
Q

What does an example playbook standardize?

A

Actions the team takes.

108
Q

What should be done before escalation/closure as false positive?

A

Standardized actions.

109
Q

Who handles manual investigative steps in a playbook?

A

Analysts.

110
Q

Who handles automatable actions in a playbook?

A

SOAR platform.

111
Q

What does a playbook ensure when a common event occurs?

A

Thorough investigation before closure.

112
Q

What mix do playbooks often have?

A

Mandatory and optional steps.

113
Q

What should be taken by analysts in a playbook?

A

Manual steps.

114
Q

What can be performed with a SOAR platform in a playbook?

A

Simple data gathering and automated actions.

115
Q

What are common errors when making playbooks?

A

Making too many or too strict playbooks.

116
Q

What happens if playbooks are too strict?

A

Analysts work around the playbook.

117
Q

What should high-level generic playbooks focus on?

A

What to do, not necessarily how.

118
Q

What does a SOAR platform do in playbook-centric alert work?

A

Enriches data and makes decisions.

119
Q

What does a SOAR system eliminate from analyst workflow?

A

Repetitive, non-value-added steps.

120
Q

What is an example of a system similar to playbooks?

A

TheHive’s “Case templates”.

121
Q

What does Adaptive Case Management enable?

A

Flexibility without sacrificing structure.

122
Q

What does Adaptive Case Management involve?

A

Customizing the incident management system.

123
Q

What should be captured during an incident?

A

Action items, timeline, leads, and outcomes.

124
Q

What context should be tracked during an incident response?

A

Kill chain context for observed events.

125
Q

What is a key metric for incident response?

A

Time to detection after initial compromise.

126
Q

What is a common workflow for finding the initial point of compromise?

A

Move from known detection to infection point.

127
Q

What is the most common workflow in incident detection?

A

Move from detection (D) to infection (C).

128
Q

What should be scrutinized once point C is known?

A

Network and host data.

129
Q

What should you look for in a multi-machine attack?

A

Evidence of lateral movement (B).

130
Q

What should the SOC do after finding the real first point of access?

A

Time-bound its search.

131
Q

What becomes easier once pivoting tactics are exposed?

A

Finding each additional affected machine.

132
Q

What is the SOC’s goal from point D to E?

A

Get there as quickly as possible.

133
Q

What is another goal of the SOC in general?

A

Minimize time between A and D.

134
Q

What defines an ideal SOC?

A

Go from A to D and D to E in zero time.

135
Q

What should be avoided in IR communications?

A

Attribution and jargon.

136
Q

What is crucial in good IR communications?

A

Be clear, timely, and responsible.

137
Q

Why should the security team provide updates?

A

To avoid dangerous assumptions.

138
Q

Who should the updates be easily understood by?

A

A non-technical audience.

139
Q

What is important in incident management?

A

Subtle distinctions in scenarios.

140
Q

What might the IR team look for if usernames and passwords are stolen?

A

Where the passwords may be stored.

141
Q

What does attackers using tokens suggest?

A

User logged in somewhere infected.

142
Q

What role might SOCs designate for non-technical updates?

A

Scribe or incident coordinator.

143
Q

What should be avoided when communicating with executives?

A

Technical jargon and vendor name-dropping.

144
Q

What is the job of a leader in IR communications?

A

Bring order to chaos.

145
Q

Why is shared understanding vital in incident response?

A

To address the same problem set.

146
Q

What should be ensured from a communications perspective in IR?

A

Response procedures are followed.

147
Q

Delegate technical tasks and collect inputs from whom?

A

Subject matter experts and other stakeholders

148
Q

What should communication channels be compared to?

A

Staging area outside a burning building

149
Q

How should productivity in communication channels be guarded?

A

Ruthlessly, even shutting down discussions

150
Q

What should documentation during an incident consider?

A

OPSEC & data privacy, archivable, accessible

151
Q

Where should findings and actions be stored during a response?

A

In a place accessible to team members

152
Q

What may be sufficient for storing case notes?

A

Ticketing system

153
Q

What features should a repository have during an incident?

A

Quick setup, organized actions, accessible

154
Q

What are examples of real-time collaboration platforms?

A

Slack, Signal, online documents

155
Q

What should text in any solution be?

A

Archivable or available for reference

156
Q

What should be documented to brief the larger team?

A

Impacted users and systems

157
Q

What should be collected during an incident?

A

Private keys, certs, API keys

158
Q

What should be identified related to malicious activity?

A

IP addresses and domains

159
Q

What should be shared in the early hours of an incident?

A

Indicators of compromise, compromised hosts

160
Q

What is crucial in the early stages of an incident?

A

Answering key questions, minimizing damage

161
Q

What can playbooks do in an incident response?

A

Reduce panic, improve quality and consistency

162
Q

What should be built into your incident management system?

A

Steps in your playbooks

163
Q

What are the objectives of Exercise 4.2?

A

Brainstorm tasks, develop playbook, build into system

164
Q

What does forensic analysis in IR often require?

A

Additional capture and analysis

165
Q

What makes forensic analysis more complex?

A

Cloud, mobile, virtualization technologies

166
Q

What are the key data types required to fully scope and respond to an intrusion?

A

Network communications, running processes, file listings, user actions.

167
Q

What combination is usually incorporated at the network layer for incident response?

A

Full packet capture and summary data.

168
Q

What tools can be used at the host layer for incident response?

A

Agent-based tools, WMI, PowerShell.

169
Q

What are the focuses of incident response tools in modern environments?

A

Live data, non-persistent and real-time data.

170
Q

What might the incident response function include?

A

Forensic capture and analysis, system restoration.

171
Q

What are the types of forensic analysis mentioned?

A

Memory, disk, network, mobile, cloud storage, data analysis.

172
Q

What does forensic analysis of volatile memory include?

A

Memory caches, active network connections, processes.

173
Q

What does network forensic analysis focus on?

A

Network packets and traffic.

174
Q

What does mobile forensic analysis involve?

A

Device internals, hardware, filesystems.

175
Q

What does cloud storage forensic analysis examine?

A

File-based, object, and block filesystems.

176
Q

What are the steps in the digital media analysis workflow?

A

Identify goals, copy artifacts, analyze, extract, report.

177
Q

What is the first step in the digital media analysis workflow?

A

Identify investigative goals or questions.

178
Q

What is the purpose of copying artifacts in digital media analysis?

A

To avoid changing original media.

179
Q

What are some tools for disk and media capture and analysis?

A

Autopsy, SleuthKit.

180
Q

What are some tools for drive reconstruction?

A

Forensic Toolkit (FTK), EnCase.

181
Q

What are some tools for malware analysis?

A

Velociraptor, Sysmon, OSQuery.

182
Q

What are some live distributions for incident response?

A

REMnux, SIFT, FLARE.

183
Q

What are the types of enterprise security tools mentioned?

A

EDR, NDR, XDR

184
Q

What should you consider when assembling your IR toolset?

A

Frequency, type, reporting requirements, team skillset

185
Q

What factors impact forensic analysis decisions?

A

Remote vs local, cost, data format, CLI/GUI, full dump or key artifacts

186
Q

Why is it risky to log into a compromised system?

A

Credentials may be stolen and used for lateral movement

187
Q

What are interactive logins?

A

Logins where you interactively use the machine (e.g., RDP, PsExec)

188
Q

What are noninteractive logins?

A

Logins like mapping a drive on a remote file share

189
Q

What can attackers do if they obtain your credentials?

A

Pivot to other systems within the organization

190
Q

What is the RDP Restricted Admin Model?

A

Connects via RDP without storing credentials in memory

191
Q

What is Windows Defender Remote Credential Guard?

A

Prevents pass-the-hash attacks, uses Kerberos

192
Q

What is a disadvantage of Windows Defender Remote Credential Guard?

A

Service tickets are vulnerable during their lifetime

193
Q

What capabilities does PowerShell provide for incident response?

A

Data collection, analysis, mitigation actions

194
Q

What data sources can PowerShell access for investigations?

A

WMI, COM, .NET, Windows API

195
Q

What types of data can PowerShell collect?

A

Files, registry artifacts, logs, volatile processes, network info

196
Q

What is PowerShell’s scripting language type?

A

Object-based

197
Q

What service does PowerShell use for remote management?

A

Windows Remote Management (WinRM)

198
Q

Why is PowerShell suitable for large scale remote operations?

A

Runs actions in parallel on targets

199
Q

What is a key benefit of PowerShell remoting?

A

Agentless, uses built-in WinRM

200
Q

What makes PowerShell a cost-effective option?

A

Low cost if skillsets are present

201
Q

Since when has Windows Remote Management been available?

A

PowerShell 2.0 and Windows 7

202
Q

What Windows versions have WinRM enabled by default?

A

Windows Server 2012 and 2016

203
Q

What is PsExec part of?

A

Microsoft’s Sysinternals suite

204
Q

What is a common use of PsExec in incident response?

A

Remote script execution

205
Q

What should you be cautious of when using PsExec?

A

May leave credentials open to theft

206
Q

What does WMI enable users to do?

A

Query WMI object instances

207
Q

Why is WMI a robust data source?

A

Almost all Windows actions generate WMI events

208
Q

What is a powerful feature of WMI for attackers and defenders?

A

WMI events for real-time notifications

209
Q

What is EDR great for?

A

Forensic analysis and threat hunting

210
Q

Who coined the term Endpoint Detection and Response (EDR)?

A

Anton Chuvakin

211
Q

What is EDR compared to traditional host-based controls?

A

EDR expands upon traditional host-based controls by providing visibility.

212
Q

What are some examples of commercial EDR platforms?

A

FireEye HS, CrowdStrike Falcon, Microsoft Defender.

213
Q

What is Wazuh?

A

An open source EDR with various capabilities.

214
Q

What is NDR?

A

A class of security technologies using non-signature-based techniques.

215
Q

What do NDR platforms often leverage?

A

Automated statistical analysis techniques.

216
Q

What does XDR stand for?

A

Extended Detection and Response.

217
Q

How does XDR improve upon EDR?

A

Incorporates cloud and network data sources.

218
Q

What is the advantage of consolidating data at the host layer in XDR?

A

More effective triage and faster response actions.

219
Q

What are the two main methods of malware analysis?

A

Automated analysis and manual analysis.

220
Q

Why might automated malware analysis fail?

A

Malware may detect the sandbox or be in an unsupported format.

221
Q

When is manual malware analysis necessary?

A

For highly complex malware with anti-analysis features.

222
Q

What is essential for extracting IOCs from malware?

A

Manual malware analysis capability

223
Q

Name three online malware analysis services.

A

VirusTotal, Joe Sandbox, Hybrid Analysis

224
Q

What should you remember when using online malware analysis services?

A

Remember your OPSEC

225
Q

What are common offline/on-prem malware analysis tools?

A

Cuckoo sandbox, Sandboxie

226
Q

Name two popular free utilities for static malware analysis.

A

YARA, FireEye’s FLOSS

227
Q

Which SANS course teaches reverse-engineering malware?

A

SANS FOR610

228
Q

What is a key consideration when choosing forensic tools for your team?

A

Service hours and SLAs for forensic analysis

229
Q

What should be documented in your Incident Response Plan?

A

Triggers and inputs for forensic analysis

230
Q

Name two immediate training courses for incident responders.

A

SANS SEC504, SEC503

231
Q

What does SANS SEC504 focus on?

A

Incident handling and attacker perspective

232
Q

What does SANS SEC503 focus on?

A

Deep dive into network traffic

233
Q

Name a reference book for incident response tools and processes.

A

Applied Incident Response by Steve Anson

234
Q

What is the first action during incident response?

A

Containment

235
Q

What is of primary importance during containment?

A

Stop the bleeding

236
Q

What is the goal of containment procedures?

A

Quick, tactical actions to stop attack progression

237
Q

What should you consider when containing network traffic?

A

Cut off the system from the internet, internal network, or both.

238
Q

What are some host-based containment methods?

A

Blocking and killing malicious processes, host-based firewalls

239
Q

What should you do after identifying an active incident?

A

Take the first step to disrupt the activity: containment.

240
Q

What should containment procedures involve?

A

Understanding the threat, planning action, informing stakeholders

241
Q

What is a potential risk when blocking a primary domain or IP?

A

Malware may use backup command and control servers.

242
Q

What is the goal of eradication procedures?

A

Fully removing the attacker from the environment

243
Q

What are some eradication strategies?

A

Automated removal, surgical removal, wipe and rebuild

244
Q

When might surgical removal be preferred over wipe and rebuild?

A

When zero downtime is the priority

245
Q

What should be considered before immediate containment or eradication?

A

Context of the incident and potential OPSEC risks

246
Q

How can you identify if you’re not dealing with a highly advanced attacker?

A

If malware is publicly known or referenced in blogs.

247
Q

What should you do if dealing with a non-targeted malware infection?

A

Clean up any machine with the infection.

248
Q

What approach is recommended for a potential targeted attack?

A

Watch and learn approach.

249
Q

What is the strategy for dealing with a targeted attack?

A

Closely watch the infected asset and review its history.

250
Q

What is a risk of acting too quickly against a targeted attack?

A

Adversary may have multiple entry points and be tipped off.

251
Q

What might adversaries do once they know you’ve detected them?

A

Change tactics, spread, or go silent.

252
Q

Do real-world adversaries change tactics upon detection?

A

Yes, even penetration testers and Red Teams do this.

253
Q

What must be done with digital evidence?

A

Documented, secured, labeled, and preserved.

254
Q

Why is adhering to high standards in evidence preservation beneficial?

A

Protects from loss in insurance claims, lawsuits, or regulatory violations.

255
Q

What should you consider when gathering additional evidence from affected hosts?

A

Data acquisition strategy.

256
Q

What helps maintain consistency and reduce panic during a response?

A

Cataloging actions in playbooks.

257
Q

What should be enabled for cloud incident response preparation?

A

Non-default events logging.

258
Q

What logs are needed for cloud-based incident response?

A

Sign-in activity, data access, network flow, application/OS logs.

259
Q

What should be considered when changing default logging configurations?

A

Additional charges and processing/storage requirements.

260
Q

What should be decided regarding cloud logging?

A

How to centralize logging.

261
Q

What may result from changing default retention periods for cloud-native log storage?

A

Additional costs.

262
Q

What do incident responders require for effective investigation?

A

Enhanced access to the environment.

263
Q

Minimum access required for cloud incident response

A

Read access for logs, write access for snapshots

264
Q

Why is understanding cloud computing concepts critical for responders?

A

To interpret cloud telemetry and infrastructure

265
Q

What should you revisit for cloud forensics and incident response?

A

Team’s knowledge, skills, abilities, competencies

266
Q

What is the Open Cybersecurity Schema Framework (OCSF)?

A

Common language for threat detection and investigation

267
Q

How does OCSF simplify security logging?

A

By simplifying data ingestion and normalization

268
Q

What makes OCSF suitable for multi-cloud environments?

A

Agnostic to storage format, ETL processes

269
Q

How are OCSF schema files written?

A

As JSON, machine-readable and easy to interpret

270
Q

What is the MITRE ATT&CK Cloud Matrix used for?

A

Expanding threat models for cloud infrastructure

271
Q

What should guide a SOC's preparation for cloud incident response?

A

Threat intelligence and applicability to environment

272
Q

What is recommended to ensure cloud IR effectiveness?

A

Regular purple team and red team tests

273
Q

Primary source of cloud telemetry

A

System logs via cloud utility or logging API

274
Q

Indicators of malicious activity in cloud billing

A

Unusual or unexpected spikes in usage charges

275
Q

What can help baseline a cloud environment effectively?

A

Early challenging work with infrastructure support

276
Q

Considerations for deeper forensic analysis in cloud

A

Forensic toolset, evidence handling, cloud-native tools

277
Q

Concerns with exporting cloud data for analysis

A

Cost and chain of custody concerns

278
Q

Alternative to exporting cloud data for analysis

A

Cloud-native forensics using pre-built forensic VMs

279
Q

What is a potential benefit of increasing storage and processing power of machines during an incident?

A

Avoiding bulk data export during an incident

280
Q

How can read-only access to data help during an investigation?

A

Maintains chain of custody

281
Q

What types of cloud-native tools might be incorporated into a forensic toolkit?

A

Log analysis platforms, SIEMs, AWS Lambda, Google Cloud Functions, Azure Functions

282
Q

Where can you learn more about spinning up a forensics lab using cloud technologies?

A

AWS CloudFormation, Azure Resource Manager, Google Cloud Deployment Manager

283
Q

What are the three domains where containment can occur in the cloud?

A

Service domain, Infrastructure domain, Application domain

284
Q

Why is containment more challenging in the cloud compared to on-prem?

A

Control over only a portion of the impacted system

285
Q

What should you understand based on your organization’s cloud deployment model?

A

Containment options available

286
Q

How can you conceptualize your cloud environment?

A

As service domain, infrastructure domain, and application domain

287
Q

What is a key advantage of using cloud infrastructure?

A

Portability and ephemerality

288
Q

What should you do to classify security incidents in the cloud?

A

Work with infrastructure teams and site reliability engineers

289
Q

What should you know about your cloud service provider for effective incident response?

A

Telemetry enabled by default versus what is available

290
Q

What is a good first place to check for information on cloud services?

A

Accounting for billing details

291
Q

What should SOC incident leads be trained on?

A

Investigating and responding to incidents in the cloud

292
Q

What varies between different cloud service providers (CSPs)?

A

Approaches and capabilities

293
Q

What are the two main tactics to overcome short-term memory limitations in investigations?

A

Decomposition and externalization

294
Q

What is decomposition in the context of investigations?

A

Breaking down a complex problem into fundamental parts

295
Q

What is externalization in the context of investigations?

A

Getting data out of your head into a visible form

296
Q

Who recommends decomposition and externalization for analysis?

A

Richards J. Heuer, Jr.

297
Q

What is the first question in The Alexiou Principle?

A

What question are you trying to answer?

298
Q

What is the second question in The Alexiou Principle?

A

What data do you need to answer that question?

299
Q

What is the third question in The Alexiou Principle?

A

How do you extract that data?

300
Q

What is the fourth question in The Alexiou Principle?

A

What does that data tell you?

301
Q

What should analysts avoid doing immediately during an investigation?

A

Chasing the first intuitive idea

302
Q

What is the goal of breaking down the investigation task into atomic questions?

A

To lead to the conclusion of the larger question