Module 09 - Incident Response Flashcards
Acronym:
IR
Incident Response
List:
Types of security incidents
- Employee errors [Ignorance]
- Insider
- External intrusion attempts
- Malicious software
- Commercial Espionage
- Denial of Service
List:
Steps in the Incident Response Lifecycle
- Preparation
- Detection
- Analysis
- Containment
- Eradication
- Recovery
- Lessons learned
Define:
Security Incident.
An event or series of events resulting from a security policy violation, which may or may not adversely affect an organization’s ability to conduct business
Define:
Incident Response (IR) Policy
A set of resources, processes, and guidelines for managing cybersecurity incidents, ensuring appropriate actions are taken during the incident lifecycle
Define:
Isolation
Isolation limits the ability of a compromised process or application to harm the network or its assets by restricting access to resources.
Define:
Containment
Containment is the action taken immediately after detecting and identifying an event to limit its impact, such as disconnecting a machine from the network.
Define:
Segmentation
Segmentation is a network design strategy that separates network sections to prevent malicious actors from pivoting within the network.
Define:
Security Orchestration, Automation, and Response (SOAR)
A platform that compiles security data from various endpoints and allows analysts to automate solutions for security incidents based on predefined criteria.
Define:
Runbook
A condition-based series of protocols used to automate security incident response processes, accelerating assessment, investigation, and mitigation.
Define:
Playbook
A checklist-style document specifying step-by-step procedures to respond to a security threat or incident, ensuring a consistent approach.
List:
Features of a SIEM system
- Vulnerability scan output
- SIEM dashboards
- Sensors
- Sensitivity
- Trends
- Alerts
- Correlation
Define:
SIEM
A system combining security information management (SIM) and security event management (SEM) functions into one security management platform.
Define:
Vulnerability Scan Output
The output from scanners that identify vulnerabilities across network assets and recommend remediation steps, delivered to IT admins via the SIEM dashboard.
Define:
SIEM Dashboard
A customizable interface showing real-time security and network information, allowing IT teams to monitor and respond to events effectively.
Define:
Sensor (in SIEM)
A device or software programmed to send alerts to the SIEM based on activity at critical endpoints, services, or vulnerable locations.
Define:
Sensitivity (in SIEM)
The level of sensitivity configured for sensors, customizing the data sent to the SIEM based on the organization’s specific monitoring needs.
Define:
Trends (in SIEM)
Patterns of activity discovered and reported to the SIEM, used to establish baselines and help analysts identify anomalies.
Define:
Alert (in SIEM)
A notification sent by the SIEM to inform the IT team when a monitored parameter falls outside its acceptable range, supporting continuous (24/7) monitoring.
Define:
Correlation (in SIEM)
The process by which SIEM software analyzes data from multiple sources, compares it to known malicious behavior, and identifies potential security events.
Acronym:
SIEM
Security Information and Event Management
Define:
Log Data
A critical resource for investigating security incidents, containing event message data and metadata generated by processes on network appliances and hosts.
Define:
Event Message Data
The specific notification or alert generated by a process, such as ‘Login failure’ or ‘Firewall rule dropped traffic’.
Define:
Event Metadata
Information about the source and time of an event, including host/network address, process name, categorization, and priority fields.
Define:
Syslog
An open format, protocol, and server software for logging event messages, used by various hosts like routers, firewalls, and Linux servers.
Define:
PRI Code (Syslog)
The number in angle brackets at the start of a syslog message, calculated as facility × 8 + severity; a receiver recovers the facility as PRI ÷ 8 (integer division) and the severity as PRI mod 8.
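The PRI decoding, event metadata extraction and correlation cards above describe what a SIEM does with syslog input. The following added example (not part of the original flashcards) puts the three together: it parses BSD-format syslog lines into metadata and message, decodes the PRI into facility and severity, and runs a simple correlation rule over the events. The log lines, hostnames and addresses are constructed for the example; the facility names follow the RFC 5424 numbering, and the rule parameters (three failures within five minutes) are arbitrary assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in BSD syslog (RFC 3164) format; hosts, IPs and
# timestamps are made up for this example (not a real capture).
SAMPLE_LOGS = [
    "<38>Mar 10 09:15:01 bastion sshd[2113]: Failed password for root from 203.0.113.7 port 50211 ssh2",
    "<38>Mar 10 09:15:03 bastion sshd[2113]: Failed password for root from 203.0.113.7 port 50214 ssh2",
    "<38>Mar 10 09:15:05 bastion sshd[2113]: Failed password for admin from 203.0.113.7 port 50220 ssh2",
    "<134>Mar 10 09:16:00 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=445",
    "<38>Mar 10 09:15:09 bastion sshd[2113]: Accepted password for admin from 203.0.113.7 port 50231 ssh2",
    "<38>Mar 10 09:20:00 bastion sshd[2200]: Failed password for bob from 198.51.100.9 port 40001 ssh2",
    "<38>Mar 10 09:40:00 bastion sshd[2300]: Accepted password for bob from 198.51.100.9 port 40100 ssh2",
]

# Facility and severity names as numbered in RFC 5424 (facility codes 0-23).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
FACILITIES += [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def decode_pri(pri: int) -> tuple:
    """PRI = facility * 8 + severity, so facility = PRI // 8 and severity = PRI % 8."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def parse_syslog(line: str, year: int = 2024) -> dict:
    """Split one BSD syslog line into event metadata (PRI, timestamp, host,
    process) and the event message itself."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable syslog line: {line!r}")
    facility, severity = decode_pri(int(m["pri"]))
    # BSD syslog timestamps carry no year; the collector has to supply it.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "app": m["app"], "pid": m["pid"],
            "facility": facility, "severity": severity, "msg": m["msg"]}


FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"Accepted password for (?P<user>\S+) from (?P<ip>\S+)")


def correlate_bruteforce(events, threshold=3, window=timedelta(minutes=5)):
    """Correlation rule: at least `threshold` failed SSH logins from one source
    address inside `window`, followed by a successful login from that same
    address. One failure alone is noise; the sequence is a likely compromise."""
    failures = defaultdict(list)   # source IP -> timestamps of failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):   # events may arrive out of order
        if ev["app"] != "sshd":
            continue
        if m := FAILED_RE.search(ev["msg"]):
            failures[m["ip"]].append(ev["ts"])
        elif m := ACCEPTED_RE.search(ev["msg"]):
            recent = [t for t in failures[m["ip"]] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"ip": m["ip"], "user": m["user"], "host": ev["host"],
                               "failures": len(recent), "at": ev["ts"]})
    return alerts


def run(lines=SAMPLE_LOGS):
    return correlate_bruteforce(parse_syslog(line) for line in lines)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The firewall line is parsed but ignored by the rule (different process), and the single failure from 198.51.100.9 followed by a success twenty minutes later does not fire, which is the point of correlating on a time window rather than on isolated events.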
Define:
Metadata
Attributes of files or network activity that include information like timestamps, security attributes, permissions, and extended attributes like author or location.
Define:
Email Metadata
Information in an email header that includes sender, recipient, and originating account/IP. Security devices may add X-headers for accurate tracing.
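Tracing the originating account or IP from header metadata means walking the Received chain from the bottom (oldest hop) up. The following is an added example, not part of the original flashcards, that parses a constructed message with Python's standard email module, lists the hops in chronological order, and cross-checks the first hop against an X-Originating-IP header. The message, hostnames and addresses are invented; the "sender domain mismatch" flag is a heuristic assumption of this example. The caveat a practitioner needs: only the Received headers added by your own or otherwise trusted mail servers are reliable, since a sender can forge any header that sits below them.

```python
import email
import email.utils
import re

# Constructed raw message for this example (not a real email); the IP
# addresses come from the documentation ranges. Received headers read
# newest-first: the top one was added by the last server to handle the mail.
RAW_MESSAGE = b"""Received: from mx-edge.example.net (mx-edge.example.net [192.0.2.10])
\tby mail.example.com with ESMTPS id abc123; Mon, 11 Mar 2024 08:02:11 +0000
Received: from relay.isp.example (relay.isp.example [198.51.100.25])
\tby mx-edge.example.net with ESMTP; Mon, 11 Mar 2024 08:02:09 +0000
Received: from [203.0.113.44] (unknown [203.0.113.44])
\tby relay.isp.example with ESMTPA id xyz; Mon, 11 Mar 2024 08:02:05 +0000
X-Originating-IP: 203.0.113.44
From: "Finance" <cfo@example.org>
To: accounts@example.com
Subject: Urgent wire transfer
Message-ID: <1234@example.org>

Please process the attached invoice today.
"""

IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"\bfrom\s+(\S+)")
BY_RE = re.compile(r"\bby\s+(\S+)")


def _first(pattern, text):
    m = pattern.search(text)
    return m.group(1) if m else None


def received_hops(raw: bytes) -> list:
    """Return the relay chain in chronological order (first hop first).
    Each hop: which host handed the message over, which host received it,
    and the bracketed IP the receiving server observed for the sender."""
    msg = email.message_from_bytes(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(hdr.split())          # unfold continuation lines
        ips = IPV4_RE.findall(text)
        hops.append({"from": _first(FROM_RE, text), "by": _first(BY_RE, text),
                     "ip": ips[0] if ips else None})
    return hops


def trace(raw: bytes) -> dict:
    """Summarise where the message entered the mail system and whether the
    evidence is internally consistent. Only headers added by servers you
    trust are reliable; a sender can forge anything below them."""
    msg = email.message_from_bytes(raw)
    hops = received_hops(raw)
    origin_ip = hops[0]["ip"] if hops else None
    x_orig = msg.get("X-Originating-IP")          # may be added by a gateway
    sender = email.utils.parseaddr(msg.get("From", ""))[1]
    sender_domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    first_relay = (hops[0]["by"] or "") if hops else ""
    return {
        "hops": hops,
        "origin_ip": origin_ip,
        "x_originating_ip": x_orig,
        "consistent": x_orig is None or x_orig.strip() == origin_ip,
        # Heuristic only: legitimate mail often enters through a third party.
        "sender_domain_mismatch": not first_relay.endswith(sender_domain),
        "sender_domain": sender_domain,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(trace(RAW_MESSAGE), indent=2))
```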
Define:
Mobile Metadata
Data produced by mobile and other internet-connected devices, including timestamps, geolocation, and activity information such as emails, text messages, and app usage.
Define:
NetFlow
A Cisco flow-export feature that works on layer 2-4 header fields, either accounting for every packet in a data flow or sampling packets at intervals.
Define:
sFlow
A stateless packet-sampling technology that works on layer 2-7 data, providing quick, efficient visibility; it operates in sampling mode only.
Define:
Web Metadata
Metadata generated by websites, including IP addresses, user requests, cookies, downloads, and attempts to gain unauthorized access.
Define:
IPFIX
A standardized IETF protocol, derived from NetFlow v9, for exporting Internet Protocol flow records from routers, servers, and appliances to collectors, optionally through mediation systems that aggregate or forward the flow data.
Acronym:
IPFIX
IP Flow Information Export
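The NetFlow, sFlow and IPFIX cards above all describe flow metadata: per-5-tuple counters rather than packet contents. The following added example (not part of the original flashcards, and not any vendor's implementation) builds NetFlow-style unidirectional flow records from constructed packet records, expires idle flows on an inactive timeout, and then runs a flow-level port-scan check. It also shows what sFlow-style 1-in-N sampling does to low-volume flows: the scan that is obvious in full accounting disappears under sampling. The packet list, timeouts and thresholds are assumptions of this example.

```python
from collections import defaultdict

# Constructed packet records (not a capture): (time_s, src, dst, proto, sport, dport, bytes).
PACKETS = [
    # one HTTPS session between 10.0.0.5 and 203.0.113.7, both directions
    (0.00, "10.0.0.5", "203.0.113.7", "tcp", 51000, 443, 60),
    (0.01, "203.0.113.7", "10.0.0.5", "tcp", 443, 51000, 60),
    (0.02, "10.0.0.5", "203.0.113.7", "tcp", 51000, 443, 52),
    (0.50, "10.0.0.5", "203.0.113.7", "tcp", 51000, 443, 1500),
    (0.60, "203.0.113.7", "10.0.0.5", "tcp", 443, 51000, 1500),
    (0.61, "203.0.113.7", "10.0.0.5", "tcp", 443, 51000, 1500),
    # the same 5-tuple reused 40 s later: a new flow once the inactive timeout has passed
    (40.0, "10.0.0.5", "203.0.113.7", "tcp", 51000, 443, 60),
] + [
    # a SYN sweep from 198.51.100.9: one small packet to each of 16 ports on 10.0.0.5
    (5.0 + (p - 20) * 0.01, "198.51.100.9", "10.0.0.5", "tcp", 40000 + p, p, 60)
    for p in range(20, 36)
]


def aggregate_flows(packets, inactive_timeout=15.0, sample_rate=1):
    """NetFlow-style unidirectional flow accounting keyed on the 5-tuple.
    sample_rate=1 accounts for every packet; sample_rate=N keeps every Nth
    packet (sFlow-style sampling) and scales the counters by N."""
    open_flows = {}      # 5-tuple -> record still accumulating
    records = []         # expired records
    for i, (ts, src, dst, proto, sport, dport, size) in enumerate(packets):
        if i % sample_rate:
            continue
        key = (src, dst, proto, sport, dport)
        rec = open_flows.get(key)
        if rec is not None and ts - rec["last"] > inactive_timeout:
            records.append(open_flows.pop(key))     # idle too long: export and start over
            rec = None
        if rec is None:
            rec = open_flows[key] = {"key": key, "first": ts, "last": ts,
                                     "packets": 0, "bytes": 0}
        rec["last"] = ts
        rec["packets"] += sample_rate
        rec["bytes"] += size * sample_rate
    records.extend(open_flows.values())             # flush what is still open
    return sorted(records, key=lambda r: (r["first"], r["key"]))


def find_scanners(flows, min_ports=10, max_packets=2):
    """Flow-level signature of a port scan: one source hitting many
    destination ports on one host with tiny, short-lived flows."""
    ports = defaultdict(set)
    for f in flows:
        src, dst, _proto, _sport, dport = f["key"]
        if f["packets"] <= max_packets:
            ports[(src, dst)].add(dport)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    full = aggregate_flows(PACKETS)
    print(len(full), "flows, scanners:", find_scanners(full))
    sampled = aggregate_flows(PACKETS, sample_rate=4)
    print(len(sampled), "sampled flows, scanners:", find_scanners(sampled))
```

With full accounting the sweep shows up as sixteen one-packet flows to sixteen ports; with 1-in-4 sampling only four of them are seen, each scaled to an estimated four packets, so the scan check no longer matches. Sampled flow data is good for volume trends and poor for detecting small, rare events.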
List:
Data sources for forensic investigations
- Dashboards
- Log data
- Metadata
List:
Functions of e-discovery tools
- De-duplicate files and metadata
- Search (keyword and semantic)
- Apply tags for organization
- Ensure security of evidence
- Easy export of results
Define:
Digital forensic analysis
The examination of evidence from computer systems and networks to uncover relevant information, such as deleted files, timestamps, user activity, and unauthorized traffic.
Define:
Due process (in digital forensics)
A principle ensuring fairness and procedural safeguards during investigations, crucial for evidence to be admissible in court.
Define:
Legal hold
The preservation of information that may be relevant to a legal case, requiring suspension of routine deletion of records or logs.
Define:
Chain of custody
The documentation and handling process that tracks evidence from collection to storage, ensuring its integrity and admissibility in court.
Define:
E-discovery
The process of filtering relevant evidence from forensic data, organizing it for use in legal proceedings, and ensuring both parties in a trial have access.
Define:
System memory acquisition
The process of creating an image of volatile data in RAM to analyze running processes, temporary file systems, registry data, and network connections.
Define:
Data image acquisition
The process of capturing data from nonvolatile storage (e.g., HDDs, SSDs, USB drives) in a forensically sound manner using write blockers to prevent alteration.
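The chain-of-custody and acquisition cards above describe a procedure: image the source, prove the image matches, protect it from alteration, and log every handling step. The following added example (not part of the original flashcards) implements the hashing and custody-log layer of that procedure in Python. A real acquisition would run a tool such as dd or dc3dd against a raw device behind a hardware write blocker; here a constructed file stands in for the device, and the examiner names and case identifier are invented.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so multi-gigabyte images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def record(custody_log, action, item, digest, actor, **extra):
    """Append one chain-of-custody entry (who, what, when, hash) to an append-only log."""
    entry = {"time": datetime.now(timezone.utc).isoformat(), "action": action,
             "item": item, "sha256": digest, "actor": actor, **extra}
    with open(custody_log, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def acquire(source, image_path, custody_log, examiner):
    """Image `source` into `image_path`, hash both, refuse to proceed unless
    they match, mark the image read-only and log the acquisition."""
    source_hash = sha256_file(source)
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        shutil.copyfileobj(src, dst, 1 << 20)
    image_hash = sha256_file(image_path)
    if image_hash != source_hash:
        raise RuntimeError("image hash differs from source hash; acquisition is not sound")
    os.chmod(image_path, 0o440)
    record(custody_log, "acquired", image_path, image_hash, examiner,
           source=source, size=os.path.getsize(image_path))
    return image_hash


def verify(image_path, custody_log, examiner):
    """Re-hash the image and compare with the hash recorded at acquisition;
    every verification, pass or fail, is itself logged."""
    with open(custody_log, encoding="utf-8") as f:
        entries = [json.loads(line) for line in f]
    recorded = next(e["sha256"] for e in entries
                    if e["item"] == image_path and e["action"] == "acquired")
    current = sha256_file(image_path)
    ok = current == recorded
    record(custody_log, "verified" if ok else "integrity_failure",
           image_path, current, examiner, expected=recorded)
    return ok


def demo():
    """Acquire a constructed 'device', verify it, tamper with it, verify again."""
    with tempfile.TemporaryDirectory() as workdir:
        device = os.path.join(workdir, "sdb.raw")       # stands in for a block device
        image = os.path.join(workdir, "case-001-sdb.dd")
        log = os.path.join(workdir, "custody.jsonl")
        with open(device, "wb") as f:
            f.write(bytes(range(256)) * 4096)            # 1 MiB of deterministic filler
        acquire(device, image, log, examiner="analyst1")
        before = verify(image, log, examiner="analyst1")
        os.chmod(image, 0o640)                           # simulate someone altering the image
        with open(image, "r+b") as f:
            f.seek(512)
            f.write(b"X")
        after = verify(image, log, examiner="analyst2")
        with open(log, encoding="utf-8") as f:
            actions = [json.loads(line)["action"] for line in f]
    return {"before": before, "after": after, "actions": actions}


if __name__ == "__main__":
    print(demo())
```

Hashing the source before imaging and the image afterwards is what lets the examiner later show the copy was exact; writing the failed verification to the same log, rather than discarding it, is what keeps the custody record honest.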
Acronym:
ESI
Electronically Stored Information
List:
Secure network design concepts
- Load balancing
- Active/active configuration
- Active/passive configuration
- Power scheduling
- Virtual IP (VIP)
- Geographic dispersal
- Multipath
List:
Redundant power options
- Uninterruptible power supply (UPS)
- Generator
- Dual supply
- Managed power distribution unit (PDU)
List:
Clustering benefits
- Redundancy
- High availability
- Shared session state data
- Seamless failover between nodes
Define:
Load balancing
A process that distributes processing among multiple nodes to optimize resource use, minimize latency, and avoid overload.
Define:
Active/active configuration
A setup where two load balancers work together to distribute traffic and maximize capacity, with both nodes processing connections concurrently.
Define:
Active/passive configuration
A setup where one load balancer is active, and the second is passive, ready to take over if the active one fails.
Define:
Power scheduling
Configuring power redundancy to provide power during outages, preventing total loss of power in catastrophic events.
Define:
Virtual IP (VIP)
An IP address not assigned to a specific endpoint, used for load balancing and redundancy, often shared between clustered nodes.
Define:
Geographic dispersal
The use of multiple locations to store data, mitigating downtime due to failures at a single site.
Define:
Multipath
A fault-tolerance technique that provides multiple physical paths (redundant adapters, cables, and switches) between a host and a storage appliance, so I/O continues if one path fails.
Define:
Uninterruptible power supply (UPS)
A stand-alone bank of batteries that keeps network appliances powered through short outages, long enough for a generator to start or for a graceful shutdown.
Define:
Application clustering
Provisioning fault-tolerant application services by enabling servers to share session state data, ensuring seamless user experience during server faults.
Define:
Common Address Redundancy Protocol (CARP)
A redundancy protocol that allows multiple hosts to share a virtual IP and ensures failover through a heartbeat mechanism.
Acronym:
VIP
Virtual IP
Acronym:
CARP
Common Address Redundancy Protocol
List:
Types of snapshots
- Virtual Machine (VM) snapshots
- Filesystem snapshots
- SAN snapshots
List:
Critical capabilities for enterprise backup solutions
- Support for various environments (virtual, physical, and cloud)
- Data deduplication and compression
- Instant recovery and replication
- Ransomware protection and encryption
- Granular restore options
- Reporting, monitoring, and alerting tools
- Integration with virtualization platforms, cloud providers, and storage systems
List:
Advanced data protection methods
- Remote journaling
- SAN replication
- VM replication
Define:
Enterprise backups
Backup solutions designed to meet the scalability, performance, security, compliance, and disaster recovery needs of large organizations.
Define:
Data deduplication
A compression technique that optimizes storage by identifying and eliminating redundant data, storing only a single copy and referencing it for duplicates.
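To make the deduplication definition concrete, the following is an added example (not part of the original flashcards, and not any backup product's implementation) of a content-addressed chunk store: data is split into fixed-size chunks, each chunk is keyed by its SHA-256 hash, duplicates become references to the one stored copy, and reference counting reclaims a chunk only when the last file using it is deleted. The two "VM images" are constructed in code; the chunk size is an assumption.

```python
import hashlib
from collections import Counter


class DedupStore:
    """Content-addressed chunk store: data is cut into fixed-size chunks, each
    chunk is keyed by its SHA-256, identical chunks are stored once, and a
    file is just the ordered list of chunk keys plus a reference count."""

    def __init__(self, chunk_size=4096):
        self.chunk_size = chunk_size
        self.chunks = {}        # digest -> chunk bytes (stored once)
        self.refs = Counter()   # digest -> how many file positions use it
        self.files = {}         # name -> [digest, ...]

    def put(self, name, data: bytes):
        if name in self.files:
            self.delete(name)
        keys = []
        for off in range(0, len(data), self.chunk_size):
            chunk = data[off:off + self.chunk_size]
            digest = hashlib.sha256(chunk).hexdigest()
            if digest not in self.chunks:       # new content: store it
                self.chunks[digest] = chunk
            self.refs[digest] += 1              # seen before: only add a reference
            keys.append(digest)
        self.files[name] = keys
        return keys

    def get(self, name) -> bytes:
        return b"".join(self.chunks[d] for d in self.files[name])

    def delete(self, name):
        for digest in self.files.pop(name):
            self.refs[digest] -= 1
            if self.refs[digest] == 0:          # last reference gone: reclaim space
                del self.refs[digest]
                del self.chunks[digest]

    def logical_bytes(self):
        return sum(len(self.chunks[d]) for keys in self.files.values() for d in keys)

    def physical_bytes(self):
        return sum(len(c) for c in self.chunks.values())

    def ratio(self):
        return self.logical_bytes() / self.physical_bytes() if self.chunks else 1.0


def demo():
    """Two constructed 32 KiB 'VM images' that differ in one 4 KiB region."""
    base = b"".join(hashlib.sha256(b"block%d" % i).digest() * 128 for i in range(8))
    vm1 = base
    vm2 = base[:3 * 4096] + b"\x00" * 4096 + base[4 * 4096:]
    store = DedupStore(chunk_size=4096)
    store.put("vm1.img", vm1)
    store.put("vm2.img", vm2)
    result = {"chunks_stored": len(store.chunks),
              "logical": store.logical_bytes(), "physical": store.physical_bytes(),
              "roundtrip": store.get("vm1.img") == vm1 and store.get("vm2.img") == vm2}
    store.delete("vm1.img")
    result["chunks_after_delete"] = len(store.chunks)
    result["vm2_intact"] = store.get("vm2.img") == vm2
    return result


if __name__ == "__main__":
    print(demo())
```

Two 32 KiB images occupy 36 KiB, and deleting one frees only the chunk nothing else references. Two caveats worth knowing: fixed-size chunking loses most of its benefit when bytes are inserted rather than overwritten (everything after the insertion shifts, so products use content-defined chunking instead), and deduplication across tenants lets one tenant infer that a given chunk already exists, which is why multi-tenant backup systems scope deduplication per tenant or per encryption key.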
Define:
Backup frequency
The interval at which backups are performed, influenced by factors such as data volatility, regulatory requirements, and system performance.
Define:
Snapshots
Point-in-time captures of a system’s state, used for data protection and recovery. Types include VM snapshots, filesystem snapshots, and SAN snapshots.
Define:
Replication
The process of creating and maintaining exact copies of data across different locations or systems to ensure availability and integrity.
Define:
Journaling
The recording of changes to data in a dedicated log, enabling tracking, monitoring, and recovery of data in case of crashes or inconsistencies.
Define:
Remote journaling
A method of maintaining a journal of data changes at a remote location to ensure business continuity in case of local failures or disasters.
Define:
SAN replication
The duplication of data from one storage area network (SAN) to another, providing redundancy and protection against failures or corruption.
Define:
VM replication
The process of creating an up-to-date copy of a virtual machine on a separate host or location to ensure quick recovery during failures.
Acronym:
SAN
Storage Area Network