Module 4 - 02-2 Flashcards
Explore incident response
What does MDR stand for?
Managed detection and response
What is another name for playbooks?
Runbooks
Choose the appropriate playbook response to address a SIEM alert.
Incident:
You’re monitoring a SIEM dashboard and receive an alert about a suspicious file download. What’s the first thing you should do?
Playbook response:
* Use a tool to contain the incident
* Assess the alert by gathering more information
* Report the alert to cyber crime agencies
Assess the alert by gathering more information
The first thing you should do is assess the alert to determine if it’s valid.
Choose the appropriate playbook response to address a SIEM alert.
Incident:
You determine that the suspicious file download alert is valid, so you follow the steps in your organization’s playbook to contain and eliminate traces of the incident. What should you do next?
Playbook response:
* Analyze log data
* Isolate the infected network system
* Restore affected systems
Restore affected systems
After containing and eliminating traces of the incident, you should restore affected systems.
Choose the appropriate playbook response to address a SIEM alert.
Incident:
After you’ve taken all the necessary steps outlined in your organization’s playbook to resolve the incident, what should you do?
Playbook response:
* Communicate the incident to stakeholders
* Investigate the suspicious file download
* Restore affected data using a clean backup
Communicate the incident to stakeholders
After the incident is resolved, you should perform post-incident and coordination efforts.
Playbooks are permanent, best-practice documents, so a security team should not make changes to them.
- True
- False
False
Playbooks are living documents, so a security team will make frequent changes, updates, and improvements to address new threats and vulnerabilities.
A business recently experienced a security breach. Security professionals are currently restoring the affected data using a clean backup that was created before the incident. What playbook phase does this scenario describe?
- Post-incident activity
- Detection and analysis
- Eradication and recovery
- Containment
This scenario describes eradication and recovery. This phase involves removing the incident’s artifacts and restoring the affected environment to a secure state.
Once a security incident is resolved, security analysts perform various post-incident activities and _____ efforts with the security team.
- coordination
- detection
- eradication
- preparation
coordination
Once a security incident is resolved, security analysts perform various post-incident activities and coordination efforts with the security team. Coordination involves reporting incidents and sharing information based on established standards.
Which action can a security analyst take when they are assessing a SIEM alert?
- Analyze log data and related metrics
- Isolate an infected network system
- Restore the affected data with a clean backup
- Create a final report
An action that a security analyst can take when they are assessing a SIEM alert is to analyze log data and related metrics. This helps in identifying why the alert was generated by the SIEM tool and determining if the alert is valid.