Módulo 09 - Incident Response

Question 1

Acronym:
IR

Answer 1

Incident Response

Question 2

List:
Types of security incidents

Answer 2

1. Employee errors [Ignorance]
2. Insider
3. External intrusion attempts
4. Malicious software
5. Commercial Espionage
6. Denial of Service

Question 3

List:
Steps in the Incident Response Lifecycle

Answer 3

1. Preparation
2. Detection
3. Analysis
4. Containment
5. Eradication
6. Recovery
7. Lessons learned

Question 4

Define:
Security Incident.

Answer 4

An event or series of events resulting from a security policy violation, which may or may not adversely affect an organization’s ability to conduct business

Question 5

Define:
Incident Response (IR) Policy

Answer 5

A set of resources, processes, and guidelines for managing cybersecurity incidents, ensuring appropriate actions are taken during the incident lifecycle

Question 6

Define:
Isolation

Answer 6

Isolation limits the ability of a compromised process or application to harm the network or its assets by restricting access to resources.

Question 7

Define:
Containment

Answer 7

Containment is the action taken immediately after detecting and identifying an event to limit its impact, such as disconnecting a machine from the network.

Question 8

Define:
Segmentation

Answer 8

Segmentation is a network design strategy that separates network sections to prevent malicious actors from pivoting within the network.

Question 9

Define:
Security Orchestration, Automation, and Response (SOAR)

Answer 9

A platform that compiles security data from various endpoints and allows analysts to automate solutions for security incidents based on predefined criteria.

Question 10

Define:
Runbook

Answer 10

A condition-based series of protocols used to automate security incident response processes, accelerating assessment, investigation, and mitigation.”

Question 11

Define:
Playbook

Answer 11

A checklist-style document specifying step-by-step procedures to respond to a security threat or incident, ensuring a consistent approach.

Question 12

List:
Features of a SIEM system

Answer 12

1. Vulnerability scan output
2. SIEM dashboards
3. Sensors
4. Sensitivity
5. Trends
6. Alerts
7. Correlation

Question 13

Define:
SIEM

Answer 13

A system combining security information management (SIM) and security event management (SEM) functions into one security management platform.

Question 14

Define:
Vulnerability Scan Output

Answer 14

The output from scanners that identify vulnerabilities across network assets and recommend remediation steps, delivered to IT admins via the SIEM dashboard.

Question 15

Define:
SIEM Dashboard

Answer 15

A customizable interface showing real-time security and network information, allowing IT teams to monitor and respond to events effectively.\

Question 16

Define:
Sensor (in SIEM)

Answer 16

A device or software programmed to send alerts to the SIEM based on activity at critical endpoints, services, or vulnerable locations.

Question 17

Define:
Sensitivity (in SIEM)

Answer 17

The level of sensitivity configured for sensors, customizing the data sent to the SIEM based on the organization’s specific monitoring needs.

Question 18

Define:
Trends (in SIEM)

Answer 18

Patterns of activity discovered and reported to the SIEM, used to establish baselines and help analysts identify anomalies.

Question 19

Define:
Alert (in SIEM)

Answer 19

A notification sent by the SIEM to inform the IT team when a parameter is outside the acceptable range, often used for 24-hour monitoring.

Question 20

Define:
Correlation (in SIEM)

Answer 20

The process by which SIEM software analyzes data from multiple sources, compares it to known malicious behavior, and identifies potential security events.

Question 21

Acronym:
SIEM

Answer 21

Security Information and Event Management

Question 22

Define:
Log Data

Answer 22

A critical resource for investigating security incidents, containing event message data and metadata generated by processes on network appliances and hosts.

Question 23

Define:
Event Message Data

Answer 23

The specific notification or alert generated by a process, such as ‘Login failure’ or ‘Firewall rule dropped traffic.

Question 24

Define:
Event Metadata

Answer 24

Information about the source and time of an event, including host/network address, process name, categorization, and priority fields.

Question 25

Define:
Syslog

Answer 25

An open format, protocol, and server software for logging event messages, used by various hosts like routers, firewalls, and Linux servers.

Question 26

Define:
PRI Code (Syslog)

Answer 26

A code in syslog messages calculated from the facility and severity level.

Question 27

Define:
Metadata

Answer 27

Attributes of files or network activity that include information like timestamps, security attributes, permissions, and extended attributes like author or location.

Question 28

Define:
Email Metadata

Answer 28

Information in an email header that includes sender, recipient, and originating account/IP. Security devices may add X-headers for accurate tracing.

Question 29

Define:
Mobile Metadata

Answer 29

Data produced by internet-connected devices, including timestamps, geolocation, and activity information like emails, text messages, and app usage.

Question 30

Define:
NetFlow

Answer 30

A Cisco feature that works at layers 2-4, examining data flows or sampling sessions at intervals.

Question 31

Define:
sFlow

Answer 31

A stateless packet sampling technology that works at layers 2-7, providing quick, efficient sampling in sampling mode only.

Question 32

Define:
Web Metadata

Answer 32

Metadata generated by websites, including IP addresses, user requests, cookies, downloads, and attempts to gain unauthorized access.

Question 33

Define:
IPfix

Answer 33

A standardized protocol for internal protocol flows that integrates data directly from routers, servers, and appliances, using mediation systems for data export and collection.

Question 34

Acronym:
IPfix

Answer 34

IP Flow Information Export

Question 35

List:
Data sources for forensic investigations

Answer 35

1. Dashboards
2. Log data
3. Metadata

Question 36

List:
Functions of e-discovery tools

Answer 36

1. De-duplicate files and metadata
2. Search (keyword and semantic)
3. Apply tags for organization
4. Ensure security of evidence
5. Easely exported

Question 37

Define:
Digital forensic analysis

Answer 37

The examination of evidence from computer systems and networks to uncover relevant information, such as deleted files, timestamps, user activity, and unauthorized traffic.

Question 38

Define:
Due process (in digital forensics)

Answer 38

A principle ensuring fairness and procedural safeguards during investigations, crucial for evidence to be admissible in court.

Question 39

Define:
Legal hold

Answer 39

The preservation of information that may be relevant to a legal case, requiring suspension of routine deletion of records or logs.

Question 40

Define:
Chain of custody

Answer 40

The documentation and handling process that tracks evidence from collection to storage, ensuring its integrity and admissibility in court.

Question 41

Define:
E-discovery

Answer 41

The process of filtering relevant evidence from forensic data, organizing it for use in legal proceedings, and ensuring both parties in a trial have access.

Question 42

Define:
System memory acquisition

Answer 42

The process of creating an image of volatile data in RAM to analyze running processes, temporary file systems, registry data, and network connections.

Question 43

Define:
Data image acquisition

Answer 43

The process of capturing data from nonvolatile storage (e.g., HDDs, SSDs, USB drives) in a forensically sound manner using write blockers to prevent alteration.

Question 44

Acronym:
ESI

Answer 44

Electronically Stored Information

Question 45

List:
Secure network design concepts

Answer 45

1. Load balancing
2. Active/active configuration
3. Active/passive configuration
4. Power scheduling
5. Virtual IP (VIP)
6. Geographic dispersal
7. Multipath

Question 46

List:
Redundant power options

Answer 46

1. Uninterrupted power supply (UPS)
2. Generator
3. Dual supply
4. Managed power distribution unit (PDU)

Question 47

List:
Clustering benefits

Answer 47

1. Redundancy
2. High availability
3. Shared session state data
4. Seamless failover between nodes

Question 48

Define:
Load balancing

Answer 48

A process that distributes processing among multiple nodes to optimize resource use, minimize latency, and avoid overload.

Question 49

Define:
Active/active configuration

Answer 49

A setup where two load balancers work together to distribute traffic and maximize capacity, with both nodes processing connections concurrently.

Question 50

Define:
Active/passive configuration

Answer 50

A setup where one load balancer is active, and the second is passive, ready to take over if the active one fails.

Question 51

Define:
Power scheduling

Answer 51

Configuring power redundancy to provide power during outages, preventing total loss of power in catastrophic events.

Question 52

Define:
Virtual IP (VIP)

Answer 52

An IP address not assigned to a specific endpoint, used for load balancing and redundancy, often shared between clustered nodes.

Question 53

Define:
Geographic dispersal

Answer 53

The use of multiple locations to store data, mitigating downtime due to failures at a single site.

Question 54

Define:
Multipath

Answer 54

A fault-tolerance technique that provides multiple physical paths between a CPU and a storage appliance.

Question 55

Define:
Uninterrupted power supply (UPS)

Answer 55

A stand-alone bank of batteries that ensures graceful shutdowns of network appliances during power outages.

Question 56

Define:
Application clustering

Answer 56

Provisioning fault-tolerant application services by enabling servers to share session state data, ensuring seamless user experience during server faults.

Question 57

Define:
Common Address Redundancy Protocol (CARP)

Answer 57

A redundancy protocol that allows multiple hosts to share a virtual IP and ensures failover through a heartbeat mechanism.

Question 58

Acronym:
VIP

Answer 58

Virtual IP

Question 59

Acronym:
CARP

Answer 59

Common Address Redundancy Protocol

Question 60

List:
Types of snapshots

Answer 60

1. Virtual Machine (VM) snapshots
2. Filesystem snapshots
3. SAN snapshots

Question 60

List:
Critical capabilities for enterprise backup solutions

Answer 60

1. Support for various environments (virtual, physical, and cloud)
2. Data deduplication and compression
3. Instant recovery and replication
4. Ransomware protection and encryption
5. Granular restore options
6. Reporting, monitoring, and alerting tools
7. Integration with virtualization platforms, cloud providers, and storage systems

Question 61

List:
Advanced data protection methods

Answer 61

1. Remote journaling
2. SAN replication
3. VM replication

Question 62

Define:
Enterprise backups

Answer 62

Backup solutions designed to meet the scalability, performance, security, compliance, and disaster recovery needs of large organizations.

Question 63

Define:
Data deduplication

Answer 63

A compression technique that optimizes storage by identifying and eliminating redundant data, storing only a single copy and referencing it for duplicates.

Question 64

Define:
Backup frequency

Answer 64

The interval at which backups are performed, influenced by factors such as data volatility, regulatory requirements, and system performance.

Question 65

Define:
Snapshots

Answer 65

Point-in-time captures of a system’s state, used for data protection and recovery. Types include VM snapshots, filesystem snapshots, and SAN snapshots.

Question 66

Define:
Replication

Answer 66

The process of creating and maintaining exact copies of data across different locations or systems to ensure availability and integrity.

Question 67

Define:
Journaling

Answer 67

The recording of changes to data in a dedicated log, enabling tracking, monitoring, and recovery of data in case of crashes or inconsistencies.

Question 68

Define:
Remote journaling

Answer 68

A method of maintaining a journal of data changes at a remote location to ensure business continuity in case of local failures or disasters.

Question 69

Define:
SAN replication

Answer 69

The duplication of data from one storage area network (SAN) to another, providing redundancy and protection against failures or corruption.

Question 70

Define:
VM replication

Answer 70

The process of creating an up-to-date copy of a virtual machine on a separate host or location to ensure quick recovery during failures.

Question 71

Acronym:
SAN

Answer 71

Storage Area Network