LDR 551- Book 4

Question 1

What is the Internet Storm Center?

Answer 1

Internet’s early warning system

Question 2

What are the four key elements of incident response preparation according to Brown and Roberts?

Answer 2

Telemetry, hardening, process, practice

Question 3

Why is visibility foundational in incident response?

Answer 3

It’s essential for investigation and response activities.

Question 4

What helps prioritize response efforts in incident response?

Answer 4

Analytics, key assets, users, and contextual information

Question 5

Why is having solid process documentation important in incident response?

Answer 5

Prevents figuring out procedures on the go.

Question 6

What is often the most overlooked part of incident response?

Answer 6

Practice

Question 7

What must incident response tools, services, and skillsets meet?

Answer 7

Requirements of the environment and constituency

Question 8

What informs incident response staffing strategy?

Answer 8

Incident response goals

Question 9

What is essential for effective incident response teamwork?

Answer 9

Strong interpersonal relationships and good communications

Question 10

What should your SOC consider for each device type and location?

Answer 10

Readiness for different incident scenarios

Question 11

What is a main consideration for SOC planning?

Answer 11

Scenarios the SOC is willing and capable of responding to

Question 12

What is a key aspect of prevention as preparation?

Answer 12

Preparing infrastructure to resist intrusion

Question 13

What are CIS benchmarks?

Answer 13

Best practices for secure configurations

Question 14

What are the two levels of CIS security settings?

Answer 14

Level 1 and Level 2

Question 15

What does Level 1 security setting aim to achieve?

Answer 15

Basic security with little impact on functionality

Question 16

What does Level 2 security setting aim to achieve?

Answer 16

Greater security but may reduce functionality

Question 17

What are CIS hardened images?

Answer 17

Securely configured virtual machine images

Question 18

What is NIST SP 800-123?

Answer 18

Guide to General Server Security

Question 19

What is the purpose of the NIST National Checklist Program?

Answer 19

Provides a searchable index of hardening guides

Question 20

What are DISA STIGs?

Answer 20

Step-by-step checklists for locking down systems

Question 21

What is the Australian Signals Directorate known for?

Answer 21

Detailed system configuration guides

Question 22

What are the CIS Controls?

Answer 22

Prioritized actions for defense against attacks

Question 23

How are CIS Controls organized?

Answer 23

By activities, not by who manages devices

Question 24

What should you understand about your environment for effective security?

Answer 24

Normal operations in networks, hosts, applications, users

Question 25

What is a good exercise for incident response preparation?

Answer 25

Trace “control” events through existing telemetry

Question 26

What are the three components of incident response governance?

Answer 26

Policy, Plan, Procedure

Question 27

What are the three foundational documents for incident response?

Answer 27

Policy, plan, and procedure

Question 28

What is the purpose of the incident response policy?

Answer 28

High-level direction setting document

Question 29

What does the incident response plan define?

Answer 29

Mission, strategies, and goals of the team

Question 30

What are the phases of incident response according to NIST SP 800-61r2?

Answer 30

Preparation, Detection and Analysis, Containment, Eradication and Recovery, Post-Incident Activity

Question 31

What should the incident response procedure include?

Answer 31

Technical processes, checklists, forms, templates, roles, responsibilities

Question 32

What are the common IR team structures?

Answer 32

Centralized, Distributed, Coordinating

Question 33

What is a coordinating team?

Answer 33

Provides help to other teams with higher authority.

Question 34

Which team format is ideal for large organizations with in-house capabilities and a full SOC?

Answer 34

Distributed Team

Question 35

What is the advantage of distributed teams?

Answer 35

Fastest response times.

Question 36

Which SOC model is suitable for smaller, geographically bounded organizations?

Answer 36

Single centralized SOC model

Question 37

In what scenario is a coordinating SOC commonly found?

Answer 37

Government scenarios with multiple authority levels.

Question 38

What factors should be considered when selecting an IR team type?

Answer 38

Expected workload, team size, budget, expertise, availability.

Question 39

What is the simplest staffing model for incident response?

Answer 39

Full in-house set of employees.

Question 40

When might a partially outsourced IR capability be chosen?

Answer 40

Small budget or rare large incidents.

Question 41

What is a key benefit of partially outsourcing IR capabilities?

Answer 41

Reduces costs for rarely needed specialties.

Question 42

Why might a small business fully outsource its IR capabilities?

Answer 42

Lack of staff or in-house experience.

Question 43

What is a hybrid partial outsourcing model used for?

Answer 43

To help stand up a new IR team.

Question 44

What is crucial for effective incident response in multi-team systems?

Answer 44

Technical and social processes.

Question 45

What role does a SOC lead play in communication during an incident?

Answer 45

Ensures direction and shields team from distractions.

Question 46

What did the 2016 study on incident response emphasize?

Answer 46

Integration of technical and social processes.

Question 47

What are common social failings in incident response teams?

Answer 47

Poor communication and collaboration.

Question 48

What can help minimize communication failures during an incident?

Answer 48

Communications charters, plans, protocols.

Question 49

What is the difference between taskwork and teamwork?

Answer 49

Taskwork is goal-related; teamwork is for coherence.

Question 50

What must leadership coordinate in multi-team systems?

Answer 50

Teamwork and taskwork activities.

Question 51

What is required for effective incident response?

Answer 51

Multiple teams and individuals working together

Question 52

What drives incident response outcomes?

Answer 52

Taskwork-driven results and outcomes

Question 53

Why is teamwork necessary in incident response?

Answer 53

To accomplish taskwork sustainably and repeatably

Question 54

What happens without effective teamwork in incident response?

Answer 54

Too much variance and reliance on key individuals

Question 55

What should incident response plans and training focus on?

Answer 55

Ensuring teams can work together effectively

Question 56

What is the superordinate goal in an MTS Goal Hierarchy?

Answer 56

Protect Value Generation

Question 57

What are the three main goals in incident response?

Answer 57

Identify, contain, eradicate threats; recover systems and data

Question 58

What makes incident response inherently chaotic?

Answer 58

Requires many teams to work together across boundaries

Question 59

What is a challenge if SOC team isn’t wholly responsible for incident response?

Answer 59

Conceptualizing ownership of functions

Question 60

What did Mark Orlando and Dr. Daniel Shore discuss in their Black Hat Europe 2022 talk?

Answer 60

Increasing efficiency in incident response

Question 61

What is the purpose of an MTS Goal Hierarchy Diagram?

Answer 61

Map out functions contributing to incident response goals

Question 62

What is a precursor to documenting roles and responsibilities in incident response?

Answer 62

Creating MTS Goal Hierarchy diagrams

Question 63

What does an MTS Interaction Diagram help understand?

Answer 63

Relationships needing attention in procedures and plans

Question 64

What can an MTS Interaction Diagram be used as?

Answer 64

Diagnostic for team interactions

Question 65

Why is there a very high level of interaction between the Watch and Engineering Teams?

Answer 65

Engineering supports containment and recovery tasks

Question 66

What should be done given the high interaction level between Watch and Engineering Teams?

Answer 66

Involve Engineering in preparation and training

Question 67

What is the key distinction between incident response and incident management?

Answer 67

Incident response focuses on technical activities; incident management on business risk

Question 68

When do incident response activities generally end?

Answer 68

When impacted systems and data are restored

Question 69

What do technical tasks rarely address?

Answer 69

Mitigation or remediation of business risk

Question 70

What does incident management (IM) address?

Answer 70

Business issues during an organizational crisis

Question 71

Who supports the IM process?

Answer 71

Cross-functional group of stakeholders

Question 72

When is an IM process typically initiated?

Answer 72

During incidents rising to an organizational crisis

Question 73

What might a ransomware incident require?

Answer 73

Negotiation, law enforcement coordination, third-party experts

Question 74

What should your incident response plan reference?

Answer 74

The IM process and key stakeholders

Question 75

What are foundational elements of IR capability?

Answer 75

Incident response governance, staffing models, infrastructure hardening

Question 76

What does incident response require as a multi-team effort?

Answer 76

Deliberate and effective teamwork

Question 77

What may not be enough during an organizational crisis?

Answer 77

Existing IR plans, policies, and procedures

Question 78

When is an incident identified?

Answer 78

When there is measurable/observable impact

Question 79

What is a common characteristic of incident activities?

Answer 79

Evidence demonstrating negative or impending impact

Question 80

What is important for incident detection?

Answer 80

High fidelity detections

Question 81

What should be assigned once an incident is declared?

Answer 81

Incident handler/lead

Question 82

What might the incident handler decide at the response stage?

Answer 82

Deeper forensic data collection

Question 83

Role of the IR Lead

Answer 83

Facilitates communication, collaboration, and task management

Question 84

Qualifications of an IR Lead

Answer 84

Experienced with IR best practices and decision-making

Question 85

Primary Responsibilities of IR Lead

Answer 85

Serve as primary source of truth, establish communication channels

Question 86

Who are Subject Matter Experts?

Answer 86

SOC analysts, engineers, or system owners

Question 87

Role of the Scribe

Answer 87

Collects information and documents incidents

Question 88

Intentional Evidence

Answer 88

Data created for auditability

Question 89

Unintentional Evidence

Answer 89

Byproduct of other processes, e.g., Windows event logs

Question 90

Importance of Compliance in IR

Answer 90

Avoid fines, penalties, lawsuits, and criminal penalties

Question 91

Examples of Compliance Regulations

Answer 91

HIPAA, PCI DSS, FISMA

Question 92

Incident Categorization Options

Answer 92

NIST 800-61r2, Verizon’s VERIS

Question 93

What is the benefit of the NIST 800-61 system?

Answer 93

It ranks dimensions like functional impact, information impact, and recoverability.

Question 94

What is a drawback of the VERIS system?

Answer 94

It can go into an almost absurd amount of detail.

Question 95

How can you address the complexity of the VERIS system?

Answer 95

Use only a subset of the VERIS framework.

Question 96

When can you create a custom incident recording system?

Answer 96

If you don’t need to share metrics outside your organization.

Question 97

What is the benefit of linking VERIS to MITRE ATT&CK?

Answer 97

It ties incident metrics to specific threat actors or TTPs.

Question 98

What new resource helps align VERIS with ATT&CK?

Answer 98

The ATT&CK-to-VERIS GitHub repo.

Question 99

What are the two big categories in forensic analysis?

Answer 99

Investigation and Response.

Question 100

What should you do during initial incident response?

Answer 100

Get baseline parameters and preserve volatile evidence.

Question 101

What tools can help preserve evidence quickly?

Answer 101

EDR and SOAR tools.

Question 102

What is the purpose of a playbook in incident response?

Answer 102

Guidance for responding to various scenarios.

Question 103

What should be avoided when writing playbooks?

Answer 103

Over-engineering the incident response process.

Question 104

What should a well-written playbook answer?

Answer 104

Who do I call first? and “What information do I need?”

Question 105

How often should playbooks be reviewed?

Answer 105

Periodically, for relevance and timeliness.

Question 106

What is the purpose of reference models in technical response playbooks?

Answer 106

To guide writing technical response playbooks.

Question 107

What does an example playbook standardize?

Answer 107

Actions the team takes.

Question 108

What should be done before escalation/closure as false positive?

Answer 108

Standardized actions.

Question 109

Who handles manual investigative steps in a playbook?

Answer 109

Analysts.

Question 110

Who handles automatable actions in a playbook?

Answer 110

SOAR platform.

Question 111

What does a playbook ensure when a common event occurs?

Answer 111

Thorough investigation before closure.

Question 112

What mix do playbooks often have?

Answer 112

Mandatory and optional steps.

Question 113

What should be taken by analysts in a playbook?

Answer 113

Manual steps.

Question 114

What can be performed with a SOAR platform in a playbook?

Answer 114

Simple data gathering and automated actions.

Question 115

What are common errors when making playbooks?

Answer 115

Making too many or too strict playbooks.

Question 116

What happens if playbooks are too strict?

Answer 116

Analysts work around the playbook.

Question 117

What should high-level generic playbooks focus on?

Answer 117

What to do, not necessarily how.

Question 118

What does a SOAR platform do in playbook-centric alert work?

Answer 118

Enriches data and makes decisions.

Question 119

What does a SOAR system eliminate from analyst workflow?

Answer 119

Repetitive, non-value-added steps.

Question 120

What is an example of a system similar to playbooks?

Answer 120

TheHive’s “Case templates”.

Question 121

What does Adaptive Case Management enable?

Answer 121

Flexibility without sacrificing structure.

Question 122

What does Adaptive Case Management involve?

Answer 122

Customizing the incident management system.

Question 123

What should be captured during an incident?

Answer 123

Action items, timeline, leads, and outcomes.

Question 124

What context should be tracked during an incident response?

Answer 124

Kill chain context for observed events.

Question 125

What is a key metric for incident response?

Answer 125

Time to detection after initial compromise.

Question 126

What is a common workflow for finding the initial point of compromise?

Answer 126

Move from known detection to infection point.

Question 127

What is the most common workflow in incident detection?

Answer 127

Move from detection (D) to infection (C).

Question 128

What should be scrutinized once point C is known?

Answer 128

Network and host data.

Question 129

What should you look for in a multi-machine attack?

Answer 129

Evidence of lateral movement (B).

Question 130

What should the SOC do after finding the real first point of access?

Answer 130

Time bound its search.

Question 131

What becomes easier once pivoting tactics are exposed?

Answer 131

Finding each additional effect machine.

Question 132

What is the SOC’s goal from point D to E?

Answer 132

Get there as quickly as possible.

Question 133

What is another goal of the SOC in general?

Answer 133

Minimize time between A and D.

Question 134

What defines an ideal SOC?

Answer 134

Go from A to D and D to E in zero time.

Question 135

What should be avoided in IR communications?

Answer 135

Attribution and jargon.

Question 136

What is crucial in good IR communications?

Answer 136

Be clear, timely, and responsible.

Question 137

Why should the security team provide updates?

Answer 137

To avoid dangerous assumptions.

Question 138

Who should the updates be easily understood by?

Answer 138

A non-technical audience.

Question 139

What is important in incident management?

Answer 139

Subtle distinctions in scenarios.

Question 140

What might the IR team look for if usernames and passwords are stolen?

Answer 140

Where the passwords may be stored.

Question 141

What does attackers using tokens suggest?

Answer 141

User logged in somewhere infected.

Question 142

What role might SOCs designate for non-technical updates?

Answer 142

Scribe or incident coordinator.

Question 143

What should be avoided when communicating with executives?

Answer 143

Technical jargon and vendor name-dropping.

Question 144

What is the job of a leader in IR communications?

Answer 144

Bring order to chaos.

Question 145

Why is shared understanding vital in incident response?

Answer 145

To address the same problem set.

Question 146

What should be ensured from a communications perspective in IR?

Answer 146

Response procedures are followed.

Question 147

Delegate technical tasks and collect inputs from whom?

Answer 147

Subject matter experts and other stakeholders

Question 148

What should communication channels be compared to?

Answer 148

Staging area outside a burning building

Question 149

How should productivity in communication channels be guarded?

Answer 149

Ruthlessly, even shutting down discussions

Question 150

What should documentation during an incident consider?

Answer 150

OPSEC & data privacy, archivable, accessible

Question 151

Where should findings and actions be stored during a response?

Answer 151

In a place accessible to team members

Question 152

What may be sufficient for storing case notes?

Answer 152

Ticketing system

Question 153

What features should a repository have during an incident?

Answer 153

Quick setup, organized actions, accessible

Question 154

What are examples of real-time collaboration platforms?

Answer 154

Slack, Signal, online documents

Question 155

What should text in any solution be?

Answer 155

Archivable or available for reference

Question 156

What should be documented to brief the larger team?

Answer 156

Impacted users and systems

Question 157

What should be collected during an incident?

Answer 157

Private keys, certs, API keys

Question 158

What should be identified related to malicious activity?

Answer 158

IP addresses and domains

Question 159

What should be shared in the early hours of an incident?

Answer 159

Indicators of compromise, compromised hosts

Question 160

What is crucial in the early stages of an incident?

Answer 160

Answering key questions, minimizing damage

Question 161

What can playbooks do in an incident response?

Answer 161

Reduce panic, improve quality and consistency

Question 162

What should be built into your incident management system?

Answer 162

Steps in your playbooks

Question 163

What are the objectives of Exercise 4.2?

Answer 163

Brainstorm tasks, develop playbook, build into system

Question 164

What does forensic analysis in IR often require?

Answer 164

Additional capture and analysis

Question 165

What makes forensic analysis more complex?

Answer 165

Cloud, mobile, virtualization technologies

Question 166

What are the key data types required to fully scope and respond to an intrusion?

Answer 166

Network communications, running processes, file listings, user actions.

Question 167

What combination is usually incorporated at the network layer for incident response?

Answer 167

Full packet capture and summary data.

Question 168

What tools can be used at the host layer for incident response?

Answer 168

Agent-based tools, WMI, PowerShell.

Question 169

What are the focuses of incident response tools in modern environments?

Answer 169

Live data, non-persistent and real-time data.

Question 170

What might the incident response function include?

Answer 170

Forensic capture and analysis, system restoration.

Question 171

What are the types of forensic analysis mentioned?

Answer 171

Memory, disk, network, mobile, cloud storage, data analysis.

Question 172

What does forensic analysis of volatile memory include?

Answer 172

Memory caches, active network connections, processes.

Question 173

What does network forensic analysis focus on?

Answer 173

Network packets and traffic.

Question 174

What does mobile forensic analysis involve?

Answer 174

Device internals, hardware, filesystems.

Question 175

What does cloud storage forensic analysis examine?

Answer 175

File-based, object, and block filesystems.

Question 176

What are the steps in the digital media analysis workflow?

Answer 176

Identify goals, copy artifacts, analyze, extract, report.

Question 177

What is the first step in the digital media analysis workflow?

Answer 177

Identify investigative goals or questions.

Question 178

What is the purpose of copying artifacts in digital media analysis?

Answer 178

To avoid changing original media.

Question 179

What are some tools for disk and media capture and analysis?

Answer 179

Autopsy, SleuthKit.

Question 180

What are some tools for drive reconstruction?

Answer 180

Forensic Toolkit (FTK), EnCase.

Question 181

What are some tools for malware analysis?

Answer 181

Velociraptor, Sysmon, OSQuery.

Question 182

What are some live distributions for incident response?

Answer 182

REMnux, SIFT, FLARE.

Question 183

What are the types of enterprise security tools mentioned?

Answer 183

EDR, NDR, XDR

Question 184

What should you consider when assembling your IR toolset?

Answer 184

Frequency, type, reporting requirements, team skillset

Question 185

What factors impact forensic analysis decisions?

Answer 185

Remote vs local, cost, data format, CLI/GUI, full dump or key artifacts

Question 186

Why is it risky to log into a compromised system?

Answer 186

Credentials may be stolen and used for lateral movement

Question 187

What are interactive logins?

Answer 187

Logins where you interactively use the machine (e.g., RDP, PsExec)

Question 188

What are noninteractive logins?

Answer 188

Logins like mapping a drive on a remote file share

Question 189

What can attackers do if they obtain your credentials?

Answer 189

Pivot to other systems within the organization

Question 190

What is the RDP Restricted Admin Model?

Answer 190

Connects via RDP without storing credentials in memory

Question 191

What is Windows Defender Remote Credential Guard?

Answer 191

Prevents pass-the-hash attacks, uses Kerberos

Question 192

What is a disadvantage of Windows Defender Remote Credential Guard?

Answer 192

Service tickets are vulnerable during their lifetime

Question 193

What capabilities does PowerShell provide for incident response?

Answer 193

Data collection, analysis, mitigation actions

Question 194

What data sources can PowerShell access for investigations?

Answer 194

WMI, COM, .NET, Windows API

Question 195

What types of data can PowerShell collect?

Answer 195

Files, registry artifacts, logs, volatile processes, network info

Question 196

What is PowerShell’s scripting language type?

Answer 196

Object-based

Question 197

What service does PowerShell use for remote management?

Answer 197

Windows Remote Management (WinRM)

Question 198

Why is PowerShell suitable for large scale remote operations?

Answer 198

Runs actions in parallel on targets

Question 199

What is a key benefit of PowerShell remoting?

Answer 199

Agentless, uses built-in WinRM

Question 200

What makes PowerShell a cost-effective option?

Answer 200

Low cost if skillsets are present

Question 201

Since when has Windows Remote Management been available?

Answer 201

PowerShell 2.0 and Windows 7

Question 202

What Windows versions have WinRM enabled by default?

Answer 202

Windows Server 2012 and 2016

Question 203

What is PsExec part of?

Answer 203

Microsoft’s Sysinternals suite

Question 204

What is a common use of PsExec in incident response?

Answer 204

Remote script execution

Question 205

What should you be cautious of when using PsExec?

Answer 205

May leave credentials open to theft

Question 206

What does WMI enable users to do?

Answer 206

Query WMI object instances

Question 207

Why is WMI a robust data source?

Answer 207

Almost all Windows actions generate WMI events

Question 208

What is a powerful feature of WMI for attackers and defenders?

Answer 208

WMI events for real-time notifications

Question 209

What is EDR great for?

Answer 209

Forensic analysis and threat hunting

Question 210

Who coined the term Endpoint Detection and Response (EDR)?

Answer 210

Anton Chuvakin

Question 211

What is EDR compared to traditional host-based controls?

Answer 211

EDR expands upon traditional host-based controls by providing visibility.

Question 212

What are some examples of commercial EDR platforms?

Answer 212

FireEye HS, CrowdStrike Falcon, Microsoft Defender.

Question 213

What is Wazuh?

Answer 213

An open source EDR with various capabilities.

Question 214

What is NDR?

Answer 214

A class of security technologies using non-signature-based techniques.

Question 215

What do NDR platforms often leverage?

Answer 215

Automated statistical analysis techniques.

Question 216

What does XDR stand for?

Answer 216

Extended Detection and Response.

Question 217

How does XDR improve upon EDR?

Answer 217

Incorporates cloud and network data sources.

Question 218

What is the advantage of consolidating data at the host layer in XDR?

Answer 218

More effective triage and faster response actions.

Question 219

What are the two main methods of malware analysis?

Answer 219

Automated analysis and manual analysis.

Question 220

Why might automated malware analysis fail?

Answer 220

Malware may detect the sandbox or be in an unsupported format.

Question 221

When is manual malware analysis necessary?

Answer 221

For highly complex malware with anti-analysis features.

Question 222

What is essential for extracting IOCs from malware?

Answer 222

Manual malware analysis capability

Question 223

Name three online malware analysis services.

Answer 223

VirusTotal, Joe Sandbox, Hybrid Analysis

Question 224

What should you remember when using online malware analysis services?

Answer 224

Remember your OPSEC

Question 225

What are common offline/on-prem malware analysis tools?

Answer 225

Cuckoo sandbox, Sandboxie

Question 226

Name two popular free utilities for static malware analysis.

Answer 226

YARA, FireEye’s FLOSS

Question 227

Which SANS course teaches reverse-engineering malware?

Answer 227

SANS FOR610

Question 228

What is a key consideration when choosing forensic tools for your team?

Answer 228

Service hours and SLAs for forensic analysis

Question 229

What should be documented in your Incident Response Plan?

Answer 229

Triggers and inputs for forensic analysis

Question 230

Name two immediate training courses for incident responders.

Answer 230

SANS SEC504, SEC503

Question 231

What does SANS SEC504 focus on?

Answer 231

Incident handling and attacker perspective

Question 232

What does SANS SEC503 focus on?

Answer 232

Deep dive into network traffic

Question 233

Name a reference book for incident response tools and processes.

Answer 233

Applied Incident Response by Steve Anson

Question 234

What is the first action during incident response?

Answer 234

Containment

Question 235

What is of primary importance during containment?

Answer 235

Stop the bleeding

Question 236

What is the goal of containment procedures?

Answer 236

Quick, tactical actions to stop attack progression

Question 237

What should you consider when containing network traffic?

Answer 237

Cut off the system from the internet, internal network, or both.

Question 238

What are some host-based containment methods?

Answer 238

Blocking and killing malicious processes, host-based firewalls

Question 239

What should you do after identifying an active incident?

Answer 239

Take the first step to disrupt the activity: containment.

Question 240

What should containment procedures involve?

Answer 240

Understanding the threat, planning action, informing stakeholders

Question 241

What is a potential risk when blocking a primary domain or IP?

Answer 241

Malware may use backup command and control servers.

Question 242

What is the goal of eradication procedures?

Answer 242

Fully removing the attacker from the environment

Question 243

What are some eradication strategies?

Answer 243

Automated removal, surgical removal, wipe and rebuild

Question 244

When might surgical removal be preferred over wipe and rebuild?

Answer 244

When zero downtime is the priority

Question 245

What should be considered before immediate containment or eradication?

Answer 245

Context of the incident and potential OPSEC risks

Question 246

How can you identify if you’re not dealing with a highly advanced attacker?

Answer 246

If malware is publicly known or referenced in blogs.

Question 247

What should you do if dealing with a non-targeted malware infection?

Answer 247

Clean up any machine with the infection.

Question 248

What approach is recommended for a potential targeted attack?

Answer 248

Watch and learn approach.

Question 249

What is the strategy for dealing with a targeted attack?

Answer 249

Closely watch the infected asset and review its history.

Question 250

What is a risk of acting too quickly against a targeted attack?

Answer 250

Adversary may have multiple entry points and be tipped off.

Question 251

What might adversaries do once they know you’ve detected them?

Answer 251

Change tactics, spread, or go silent.

Question 252

Do real-world adversaries change tactics upon detection?

Answer 252

Yes, even penetration testers and Red Teams do this.

Question 253

What must be done with digital evidence?

Answer 253

Documented, secured, labeled, and preserved.

Question 254

Why is adhering to high standards in evidence preservation beneficial?

Answer 254

Protects from loss in insurance claims, lawsuits, or regulatory violations.

Question 255

What should you consider when gathering additional evidence from affected hosts?

Answer 255

Data acquisition strategy.

Question 256

What helps maintain consistency and reduce panic during a response?

Answer 256

Cataloging actions in playbooks.

Question 257

What should be enabled for cloud incident response preparation?

Answer 257

Non-default events logging.

Question 258

What logs are needed for cloud-based incident response?

Answer 258

Sign-in activity, data access, network flow, application/OS logs.

Question 259

What should be considered when changing default logging configurations?

Answer 259

Additional charges and processing/storage requirements.

Question 260

What should be decided regarding cloud logging?

Answer 260

How to centralize logging.

Question 261

What may result from changing default retention periods for cloud-native log storage?

Answer 261

Additional costs.

Question 262

What do incident responders require for effective investigation?

Answer 262

Enhanced access to the environment.

Question 263

Minimum access required for cloud incident response

Answer 263

Read access for logs, write access for snapshots

Question 264

Why is understanding cloud computing concepts critical for responders?

Answer 264

To interpret cloud telemetry and infrastructure

Question 265

What should you revisit for cloud forensics and incident response?

Answer 265

Team’s knowledge, skills, abilities, competencies

Question 266

What is the Open Cybersecurity Schema Framework (OCSF)?

Answer 266

Common language for threat detection and investigation

Question 267

How does OCSF simplify security logging?

Answer 267

By simplifying data ingestion and normalization

Question 268

What makes OCSF suitable for multi-cloud environments?

Answer 268

Agnostic to storage format, ETL processes

Question 269

How are OCSF schema files written?

Answer 269

As JSON, machine-readable and easy to interpret

Question 270

What is the MITRE ATT&CK Cloud Matrix used for?

Answer 270

Expanding threat models for cloud infrastructure

Question 271

What should guide SOCs preparation for cloud incident response?

Answer 271

Threat intelligence and applicability to environment

Question 272

What is recommended to ensure cloud IR effectiveness?

Answer 272

Regular purple team and red team tests

Question 273

Primary source of cloud telemetry

Answer 273

System logs via cloud utility or logging API

Question 274

Indicators of malicious activity in cloud billing

Answer 274

Unusual or unexpected spikes in usage charges

Question 275

What can help baseline cloud environment effectively?

Answer 275

Early challenging work with infrastructure support

Question 276

Considerations for deeper forensic analysis in cloud

Answer 276

Forensic toolset, evidence handling, cloud-native tools

Question 277

Concerns with exporting cloud data for analysis

Answer 277

Cost and chain of custody concerns

Question 278

Alternative to exporting cloud data for analysis

Answer 278

Cloud-native forensics using pre-built forensic VMs

Question 279

What is a potential benefit of increasing storage and processing power of machines during an incident?

Answer 279

Avoiding bulk data export during an incident

Question 280

How can read-only access to data help during an investigation?

Answer 280

Maintains chain of custody

Question 281

What types of cloud-native tools might be incorporated into a forensic toolkit?

Answer 281

Log analysis platforms, SIEMs, AWS Lambda, Google Cloud Functions, Azure Functions

Question 282

Where can you learn more about spinning up a forensics lab using cloud technologies?

Answer 282

AWS CloudFormation, Azure Resource Manager, Google Cloud Deployment Manager

Question 283

What are the three domains where containment can occur in the cloud?

Answer 283

Service domain, Infrastructure domain, Application domain

Question 284

Why is containment more challenging in the cloud compared to on-prem?

Answer 284

Control over only a portion of the impacted system

Question 285

What should you understand based on your organization’s cloud deployment model?

Answer 285

Containment options available

Question 286

How can you conceptualize your cloud environment?

Answer 286

As service domain, infrastructure domain, and application domain

Question 287

What is a key advantage of using cloud infrastructure?

Answer 287

Portability and ephemerality

Question 288

What should you do to classify security incidents in the cloud?

Answer 288

Work with infrastructure teams and site reliability engineers

Question 289

What should you know about your cloud service provider for effective incident response?

Answer 289

Telemetry enabled by default versus what is available

Question 290

What is a good first place to check for information on cloud services?

Answer 290

Accounting for billing details

Question 291

What should SOC incident leads be trained on?

Answer 291

Investigating and responding to incidents in the cloud

Question 292

What varies between different cloud service providers (CSPs)?

Answer 292

Approaches and capabilities

Question 293

What are the two main tactics to overcome short-term memory limitations in investigations?

Answer 293

Decomposition and externalization

Question 294

What is decomposition in the context of investigations?

Answer 294

Breaking down a complex problem into fundamental parts

Question 295

What is externalization in the context of investigations?

Answer 295

Getting data out of your head into a visible form

Question 296

Who recommends decomposition and externalization for analysis?

Answer 296

Richards J. Heuer, Jr.

Question 297

What is the first question in The Alexiou Principle?

Answer 297

What question are you trying to answer?

Question 298

What is the second question in The Alexiou Principle?

Answer 298

What data do you need to answer that question?

Question 299

What is the third question in The Alexiou Principle?

Answer 299

How do you extract that data?

Question 300

What is the fourth question in The Alexiou Principle?

Answer 300

What does that data tell you?

Question 301

What should analysts avoid doing immediately during an investigation?

Answer 301

Chasing the first intuitive idea

Question 302

What is the goal of breaking down the investigation task into atomic questions?

Answer 302

To lead to the conclusion of the larger question