Lesson 17: Performing Incident Response Flashcards

1
Q

The IT team at a company discovers that a Windows server is infected with malware. As a result, the server is not functioning properly. Which event log does the team review to find errors from failing services related to newly installed software?

A. Setup

B. Security

C. System

D. Application

A

D

2
Q

A security expert needs to review systems information to conclude what may have occurred during a breach. The expert reviews NetFlow data. What samples does the expert review?

A. Protocol usage and endpoint activity

B. Traffic statistics at any layer of the OSI model

C. Statistics about network traffic

D. Bandwidth usage and comparative baselines

A

C

3
Q

Incident management relies heavily on the efficient allocation of resources. Which of the following factors should an IT manager consider as it relates to the overall scope of dealing with an incident? (Select all that apply.)

A. Planning time

B. Downtime

C. Detection time

D. Recovery time

A

B,C,D

4
Q

During weekly scans, a system administrator identifies a system that has software installed that goes against security policy. The system administrator removes the system from the network in an attempt to limit the effect of the incident on the remainder of the network. Apply the Computer Security Incident Handling Guide principles to determine which stage of the incident response life cycle the administrator has entered.

A. Preparation

B. Identification

C. Containment, eradication and recovery

D. Lessons learned

A

C

5
Q

A security analyst needs to contain a compromised system. The analyst would be most successful using which containment approach?

A. Black hole

B. VLAN

C. ACL

D. Airgap

A

D

6
Q

When endpoint security experiences a breach, there are several classes of vector to consider for mitigation. Which type relates to exploiting an unauthorized service port change?

A. Configuration drift

B. Weak configuration

C. Lack of controls

D. Social Engineering

A

A

7
Q

Successful adversarial attacks mostly depend on knowledge of the algorithms used by the target AI. In an attempt to keep an algorithm secret, which method does an engineer use when hiding the secret?

A. AI training

B. Obscurity

C. Filtering

D. Analytics

A

B

8
Q

A user calls the help desk to report that Microsoft Excel continues to crash when used. The technician would like to review the logs in an attempt to determine the cause. Analyze the types of logs to determine which would contain the information the technician needs.

A. Event log

B. Audit log

C. Security log

D. Access log

A

A

9
Q

The first responder to a security incident decides the issue requires escalation. Consider the following and select the scenario that best describes escalation in this issue.

A. The first responder calls the company’s legal team.

B. The first responder shuts down the affected system.

C. The first responder calls senior staff to get them involved.

D. The first responder reviews user privileges to look for users who may have gained unauthorized privileges.

A

C

10
Q

An engineer needs to review systems metadata to conclude what may have occurred during a breach. The first step the engineer takes in the investigation is to review MTA information in an Internet header. Which data type does the engineer review?

A. Web

B. Email

C. File

D. Cell

A

B

11
Q

A system compromise prompts the IT department to harden all systems. The technicians look to block communications to potential command and control servers. Which solutions apply to working with egress filtering? (Select all that apply.)

A. Mediate the copying of tagged data

B. Restrict DNS lookups

C. Remove compromised root certificates

D. Allow only authorized application ports

A

B,D

12
Q

A security team desires to modify event logging for several network devices. One team member suggests using the configuration files from the current logging system with another open format that uses TCP with a secure connection. Which format does the team member suggest?

A. Syslog-ng

B. Rsyslog

C. Syslog

D. NXLog

A

B

13
Q

A systems administrator suspects that a virus has infected a critical server. In which step of the incident response process does the administrator notify stakeholders of the issue?

A. Recovery

B. Identification

C. Containment

D. Eradication

A

B

14
Q

Arrange the following stages of the incident response life cycle in the correct order.

A. Preparation; Identification; Containment, Eradication, and Recovery; Lessons Learned

B. Identification; Preparation; Containment, Eradication, and Recovery; Lessons Learned

C. Containment, Eradication, and Recovery; Identification; Preparation; Lessons Learned

D. Identification; Containment, Eradication, and Recovery; Preparation; Lessons Learned

A

A

15
Q

An administrator uses data from a Security Information and Event Management (SIEM) system to identify potential malicious activity. Which feature does the administrator utilize when implementing rules to interpret relationships between data points to diagnose incidents?

A. Retention

B. Trend Analysis

C. Baseline

D. Correlation

A

D

16
Q

An engineer creates a set of tasks that queries information and runs some PowerShell commands to automate several stages of the process, including the identification of threats and other malicious activity on multiple servers. The engineer defines these tasks using which of the following?

A. Runbook

B. Playbook

C. Orchestration

D. Automation

A

A