Manage Security Risks Flashcards
module four
What is a playbook in the context of cybersecurity?
A manual that provides details about any operational action.
What is incident response?
An organization’s quick attempt to identify an attack, contain the damage, and correct the effects of a security breach.
How are playbooks used in conjunction with SIEM tools?
Playbooks provide analysts with instructions about how to address issues flagged by SIEM tools.
What are SOAR tools used for?
To automate repetitive tasks generated by tools such as a SIEM or managed detection and response (MDR).
When should playbooks be updated?
When a failure is identified, industry standards change, or the cybersecurity landscape evolves.
What is the purpose of the preparation phase in an incident response playbook?
To document procedures to be followed in the event of a security breach, establish staffing plans, and educate employees.
What does the detection and analysis phase involve in an incident response playbook?
Using tools and strategies to determine whether a breach has occurred and to evaluate its potential magnitude.
What is the goal of the containment phase in an incident response playbook?
To prevent further damage and reduce the immediate impact of a security incident.
What happens during the eradication and recovery phase of an incident response playbook?
Restoring affected data using a clean backup created before the incident.
What is the focus of the post-incident activity phase in an incident response playbook?
To document the incident, learn from it, and implement improvements to enhance overall security posture.
How do playbooks help ensure compliance with laws and regulations?
By providing detailed actions for security teams to follow, ensuring consistent and compliant responses to incidents.
What is a common misconception about playbooks?
That they should not be updated; in reality, they should be treated as living documents and updated frequently.
How do playbooks contribute to business continuity plans?
By outlining steps to recover and continue operations despite disruptions like security breaches.
What are the common steps included in incident and vulnerability playbooks?
Preparation, Detection, Analysis, Containment, Eradication, Recovery, and Post-incident activities.
What is the role of the coordination phase in an incident response playbook?
To share information about the incident with relevant government agencies or stakeholders.
What type of playbooks are commonly used by entry-level cybersecurity professionals?
Incident and vulnerability response playbooks.
How do playbooks minimize errors during incident response?
By ensuring that important actions are performed within a specific timeframe and following predefined steps.
Why is a sense of urgency essential in incident response playbooks?
Because the level of risk to the organization depends on the potential damage to its assets.
How do SIEM tools and playbooks work together in incident response?
SIEM tools detect threats and generate alerts, while playbooks provide a structured response strategy.
What action can a security analyst take when assessing a SIEM alert?
Analyze log data and related metrics.
Why is it important to document incidents and responses?
To ensure the organization is better prepared to handle future security events and to improve response strategies.
How do playbooks help security teams during a ransomware attack?
By providing detailed recovery procedures to follow.
What should be included in a playbook for a security incident?
Detailed steps, responsible individuals, and actions to take in response to the incident.
What is a key takeaway about the use of playbooks in cybersecurity?
They provide structure, ensure compliance, and help reduce the impact of security incidents.
What are some examples of resources for playbook templates outside the U.S.?
UK National Cyber Security Centre (NCSC), Australian Government Cyber Incident Response Plan, Japan Computer Emergency Response Team (JPCERT/CC), Government of Canada Ransomware Playbook, and Scottish Government Playbook Templates.