Lesson 12: Explain Incident Response and Monitoring Concepts Flashcards
What are the phases of the Incident Response Lifecycle?
Preparation: Establish policies, harden systems, and create resources to manage incidents.
Detection: Identify suspicious activities via automated systems, threat hunting, or reporting.
Analysis: Confirm incidents, assign priority, and categorize based on impact and type.
Containment: Limit damage using isolation or segmentation techniques.
Eradication: Remove malware, close vulnerabilities, and restore secure configurations.
Recovery: Reintegrate systems and monitor to ensure no recurrence.
Lessons Learned: Analyze responses to improve procedures and prevent future incidents
What should you do in Preparation of an incident?
Establish a Cyber Incident Response Team (CIRT) with expertise from cybersecurity, legal, HR, and PR teams.
Utilize tools like SIEMs, SOAR platforms, and case management databases for effective incident handling.
Develop a Communication Plan and ensure out-of-band communication methods are ready.
What should you do during the Detect and Analysis portion of an incident?
Detect incidents through log analysis, alerts, or threat hunting.
Perform Impact Analysis based on data integrity, downtime, and scope.
Leverage playbooks and frameworks like the Cyber Kill Chain for guidance.
What should you do during the Containment and Recovery portion of an incident?
Use isolation-based techniques (e.g., air gaps, disabling accounts) or segmentation-based methods (e.g., VLAN sinkholes).
Eradicate threats, restore systems, and ensure security controls are revalidated.
What should you do during the Lessons Learned portion of an incident?
Conduct root cause analysis using methods like the Five Whys or structured reviews.
Develop after-action reports and identify training/testing needs.
What can you do to test and train staff for an incident?
Use tabletop exercises, walkthroughs, and simulations to prepare for incidents.
Equip staff with the knowledge to recognize and appropriately respond to threats.
What are the key concepts of Digital Forensics?
Due Process: Ensure evidence is collected to legal standards for potential court use.
Legal Hold: Preserve all relevant data for litigation or regulatory requirements.
What is the order of volatility?
- CPU registers, Cache, and Memory (RAM)
- Routing tables, ARP cache, process tables, kernel statistics
- Temporary files and swap space
- Live network connections and data flows
- Data on hard disk
- Remotely logged data
- Physical configuration and archival media
How is evidence integrity preserved during acquisition?
Use tools like write blockers and cryptographic hashes.
What are live and static disk imaging?
Live imaging: Captures data from an active system.
Static imaging: Captures data from a powered-down system.
How can you preserve the data?
Label, bag, and document evidence with tamper-proof methods.
Why is the chain of custody important?
It ensures evidence integrity, prevents tampering, and maintains legal validity.
Use cryptographic hashes to verify data integrity and prevent repudiation.
How can you stay organized for reporting in regards to digital forensics?
Use e-discovery tools for efficient evidence organization and compliance.
What are examples of data sources for incident analysis?
System memory, file systems, network traffic, logs, and security software alerts.
Where are you getting the data from for incident analysis?
Data from endpoint protection tools, vulnerability scans, and SIEMs.
What types of logs are used in analysis?
Windows, Linux, and macOS logs, as well as application and endpoint logs.
What logs should you use for intrusion detection and response insights?
Firewall logs
IPS/IDS alerts
What is the purpose of IPS/IDS alerts in data analysis?
They provide insights into potential intrusions and help detect malicious activity.
What insights can be gained from analyzing network data?
Threat patterns can be identified by collecting packet captures and flow data (e.g., NetFlow).
What is the function of a SIEM?
Aggregates and normalizes log data for analysis, alerts, and compliance reporting.
How does alert tuning optimize the response?
It reduces false positives and ensures actionable alerts.
How do SNMP-based traps support monitoring infrastructure?
They generate alerts for device health and other critical events.
What tools analyze network flow data for behavior insights?
Tools like NetFlow.
What benchmarks are used in vulnerability scanning?
You can compare the settings against benchmarks like SCAP templates for regulatory or best-practice compliance.
What security tools aid monitoring and detection?
Endpoint protection, antivirus, and DLP systems provide actionable data for monitoring and threat detection.
