Module 4 - 02-1 Flashcards

Phases of incident response playbooks

1
Q

Define Playbook

A

A manual that provides details about any operational action, clarifies what tools should be used in response to a security incident, and ensures that people follow a consistent list of actions in a prescribed way

2
Q

Which statements are true about playbooks? Select three answers.

  • Playbooks clarify what tools should be used to respond to security incidents.
  • Playbooks categorize and analyze large amounts of data to help security teams identify risk.
  • Playbooks are manuals that provide details about any operational action.
  • Playbooks ensure that people follow a consistent list of actions in a prescribed way.
A
  • Playbooks clarify what tools should be used to respond to security incidents.
  • Playbooks are manuals that provide details about any operational action.
  • Playbooks ensure that people follow a consistent list of actions in a prescribed way.

Playbooks are manuals that provide details about any operational action, clarify what tools should be used, and ensure people follow a consistent list of actions to address security incidents.

3
Q

Define Living document

A

A document that is frequently updated by security team members to address industry changes and new threats
4
Q

When, or how often, would a playbook be updated? (3 answers)

A
  • A failure is identified, such as an oversight in the outlined policies and procedures, or in the playbook itself.
  • There is a change in industry standards, such as changes in laws or regulatory compliance.
  • The cybersecurity landscape changes due to evolving threat actor tactics and techniques.
5
Q

What are the common playbooks used in cybersecurity?

A
  • Incident response playbooks
  • Vulnerability response playbooks
6
Q

Define Incident response

A

An organization’s quick attempt to identify an attack, contain the damage, and correct the effects of a security breach

7
Q

What is an Incident response playbook?

A

A guide with phases used to help mitigate and manage security incidents from beginning to end

8
Q

How many phases does an incident response playbook have?

A

Six (6)

9
Q

What are the incident response playbook phases?

A

1) Preparation
2) Detection and analysis
3) Containment
4) Eradication and recovery
5) Post incident activity
6) Coordination

10
Q

What is the (1st) first phase of an incident response playbook?

A

1) Preparation

11
Q

What is the (2nd) second phase of an incident response playbook?

A

2) Detection and analysis

12
Q

What is the (3rd) third phase of an incident response playbook?

A

3) Containment

13
Q

What is the (4th) fourth phase of an incident response playbook?

A

4) Eradication and recovery

14
Q

What is the (5th) fifth phase of an incident response playbook?

A

5) Post incident activity

15
Q

What is the (6th) sixth phase of an incident response playbook?

A

6) Coordination

16
Q

Explain the Preparation phase of an incident response playbook

A

Organizations must prepare to mitigate the likelihood, risk, and impact of a security incident by documenting procedures, establishing staffing plans, and educating users.

Preparation sets the foundation for successful incident response.

17
Q

Explain the Detection and Analysis phase of an incident response playbook

A

The objective of this phase is to detect and analyze events using defined processes and technology.

Using appropriate tools and strategies during this phase helps security analysts determine whether a breach has occurred and analyze its possible magnitude.

18
Q

Explain the Containment phase of an incident response playbook

A

The goal of containment is to prevent further damage and reduce the immediate impact of a security incident.

During this phase, security professionals take actions to contain an incident and minimize damage. Containment is a high priority for organizations because it helps prevent ongoing risks to critical assets and data.

19
Q

Explain the Eradication and Recovery phase of an incident response playbook

A

This phase involves the complete removal of an incident’s artifacts so that an organization can return to normal operations.

During this phase, security professionals eliminate artifacts of the incident by removing malicious code and mitigating vulnerabilities. Once they’ve exercised due diligence, they can begin to restore the affected environment to a secure state. This is also known as IT restoration.

20
Q

Explain the Post Incident Activity phase of an incident response playbook

A

This phase includes documenting the incident, informing organizational leadership, and applying lessons learned to ensure that an organization is better prepared to handle future incidents.

Depending on the severity of the incident, organizations can conduct a full-scale incident analysis to determine the root cause of the incident and implement various updates or improvements to enhance its overall security posture.

21
Q

Explain the Coordination phase of an incident response playbook

A

Coordination involves reporting incidents and sharing information, throughout the incident response process, based on the organization’s established standards.

Coordination is important for many reasons. It ensures that organizations meet compliance requirements and it allows for coordinated response and resolution.

22
Q

Define Business continuity plan

A

An established path forward allowing a business to recover and continue to operate as normal, despite a disruption like a security breach

23
Q

What is a basic formula for determining the level of risk?

A

Risk equals the likelihood of a threat

24
Q

In the event of a security incident, when would it be appropriate to refer to an incident response playbook?

  • Only when the incident first occurs
  • At least one month after the incident is over
  • Throughout the entire incident
  • Only prior to the incident occurring
A

Throughout the entire incident

In the event of a security incident, it is appropriate to refer to an incident response playbook throughout the entire incident. An incident response playbook is a guide with six phases used to help mitigate and manage security incidents from beginning to end.

25
Q

During the _____ phase, security professionals use tools and strategies to determine whether a breach has occurred and to evaluate its potential magnitude.

  • coordination
  • containment
  • preparation
  • detection and analysis
A

detection and analysis

26
Q

In which incident response playbook phase would a security team document an incident to ensure that their organization is better prepared to handle future security events?

  • Eradication and recovery
  • Post-incident activity
  • Containment
  • Coordination
A

Post-incident activity

In the post-incident activity phase, a security team documents an incident to ensure that their organization is better prepared to handle future incidents.

27
Q

What is the relationship between SIEM tools and playbooks?

  • Playbooks detect threats and generate alerts, then SIEM tools provide the security team with a proven strategy.
  • Playbooks collect and analyze data, then SIEM tools guide the response process.
  • They work together to predict future threats and eliminate the need for human intervention.
  • They work together to provide a structured and efficient way of responding to security incidents.
A

They work together to provide a structured and efficient way of responding to security incidents.

SIEM tools and playbooks work together to provide a structured and efficient way of responding to security incidents.