Module 4 - 02-1 Flashcards
Phases of incident response playbooks
Define Playbook
A manual that provides details about any operational action, clarifies what tools should be used in response to a security incident, and ensures that people follow a consistent list of actions in a prescribed way
Which statements are true about playbooks? Select three answers.
- Playbooks clarify what tools should be used to respond to security incidents.
- Playbooks categorize and analyze large amounts of data to help security teams identify risk.
- Playbooks are manuals that provide details about any operational action.
- Playbooks ensure that people follow a consistent list of actions in a prescribed way.
- Playbooks clarify what tools should be used to respond to security incidents.
- Playbooks are manuals that provide details about any operational action.
- Playbooks ensure that people follow a consistent list of actions in a prescribed way.
Playbooks are manuals that provide details about any operational action, clarify what tools should be used, and ensure people follow a consistent list of actions to address security incidents.
Define Living document
They are frequently updated by security team members to address industry changes and new threats
When would a playbook be updated (3)?
- A failure is identified, such as an oversight in the outlined policies and procedures, or in the playbook itself.
- There is a change in industry standards, such as changes in laws or regulatory compliance.
- The cybersecurity landscape changes due to evolving threat actor tactics and techniques.
What are common playbooks used in cybersecurity?
- Incident response playbooks
- Vulnerability response playbooks
Define Incident response
An organization’s quick attempt to identify an attack, contain the damage, and correct the effects of a security breach
What is an Incident response playbook?
A guide with phases used to help mitigate and manage security incidents from beginning to end
How many phases does an incident response playbook have?
Six (6)
What are the incident response playbook phases?
1) Preparation
2) Detection and analysis
3) Containment
4) Eradication and recovery
5) Post incident activity
6) Coordination
What is the (1st) first phase of an incident response playbook?
1) Preparation
What is the (2nd) second phase of an incident response playbook?
2) Detection and analysis
What is the (3rd) third phase of an incident response playbook?
3) Containment
What is the (4th) fourth phase of an incident response playbook?
4) Eradication and recovery
What is the (5th) fifth phase of an incident response playbook?
5) Post incident activity
What is the (6th) sixth phase of an incident response playbook?
6) Coordination
Explain the Preparation phase of an incident response playbook
Organizations must prepare to mitigate the likelihood, risk, and impact of a security incident by documenting procedures, establishing staffing plans, and educating users.
Preparation sets the foundation for successful incident response.
Explain the Detection and Analysis phase of an incident response playbook
The objective of this phase is to detect and analyze events using defined processes and technology.
Using appropriate tools and strategies during this phase helps security analysts determine whether a breach has occurred and analyze its possible magnitude.
Explain the Containment phase of an incident response playbook
The goal of containment is to prevent further damage and reduce the immediate impact of a security incident.
During this phase, security professionals take actions to contain an incident and minimize damage. Containment is a high priority for organizations because it helps prevent ongoing risks to critical assets and data.
Explain the Eradication and Recovery phase of an incident response playbook
This phase involves the complete removal of an incident’s artifacts so that an organization can return to normal operations.
During this phase, security professionals eliminate artifacts of the incident by removing malicious code and mitigating vulnerabilities. Once they’ve exercised due diligence, they can begin to restore the affected environment to a secure state. This is also known as IT restoration.
Explain the Post Incident Activity phase of an incident response playbook
This phase includes documenting the incident, informing organizational leadership, and applying lessons learned to ensure that an organization is better prepared to handle future incidents.
Depending on the severity of the incident, organizations can conduct a full-scale incident analysis to determine the root cause of the incident and implement various updates or improvements to enhance its overall security posture.
Explain the Coordination phase of an incident response playbook
Coordination involves reporting incidents and sharing information throughout the incident response process, based on the organization’s established standards.
Coordination is important for many reasons. It ensures that organizations meet compliance requirements and it allows for coordinated response and resolution.
Define Business continuity plan
An established path forward allowing a business to recover and continue to operate as normal, despite a disruption like a security breach
What is a basic formula for determining the level of risk?
Risk equals the likelihood of a threat
In the event of a security incident, when would it be appropriate to refer to an incident response playbook?
- Only when the incident first occurs
- At least one month after the incident is over
- Throughout the entire incident
- Only prior to the incident occurring
Throughout the entire incident
In the event of a security incident, it is appropriate to refer to an incident response playbook throughout the entire incident. An incident response playbook is a guide with six phases used to help mitigate and manage security incidents from beginning to end.
During the _____ phase, security professionals use tools and strategies to determine whether a breach has occurred and to evaluate its potential magnitude.
- coordination
- containment
- preparation
- detection and analysis
detection and analysis
In which incident response playbook phase would a security team document an incident to ensure that their organization is better prepared to handle future security events?
- Eradication and recovery
- Post-incident activity
- Containment
- Coordination
Post-incident activity
In the post-incident activity phase, a security team documents an incident to ensure that their organization is better prepared to handle future incidents.
What is the relationship between SIEM tools and playbooks?
- Playbooks detect threats and generate alerts, then SIEM tools provide the security team with a proven strategy.
- Playbooks collect and analyze data, then SIEM tools guide the response process.
- They work together to predict future threats and eliminate the need for human intervention.
- They work together to provide a structured and efficient way of responding to security incidents.
They work together to provide a structured and efficient way of responding to security incidents.
SIEM tools and playbooks work together to provide a structured and efficient way of responding to security incidents.