Operations and Incident Response Flashcards

1
Q

Which of the following choices is not considered an exploitation framework?

Metasploit

Nessus

CANVAS

A

Nessus

Metasploit, Core Impact, and CANVAS are exploitation frameworks. Nessus is a vulnerability scanner.

2
Q

Within Unix/Linux systems, the __________ tool dumps the contents of physical memory.

coredump

sysdump

memdump

A

memdump

Within Unix/Linux systems, the memdump tool dumps the contents of physical memory.

3
Q

Which file-manipulation command is used to print lines that match patterns?

grep

cat

head

A

grep

The grep command is used to print lines that match patterns.

4
Q

Which of the following is a Windows and Linux tool that can be used to conduct both ping sweeps and port scans, as well as acting as a packet builder?

nmap

Nessus

hping

A

hping

hping (also known as hping3, its current version) is a Windows and Linux tool that can be used to conduct both ping sweeps and port scans, can act as a packet builder, and can run many scans.

5
Q

Which of the following is not a step of the incident response process?

Eradication

Preparation

Formulation

A

Formulation

Eradication, preparation, and lessons learned are all formal steps of the incident response process.

6
Q

An organization’s __________ must also contain information on succession planning for key employees.

Disaster recovery plan

Incident response plan

Communication plan

A

Disaster recovery plan

Your disaster recovery plan must also contain information on succession planning for key employees.

7
Q

According to the Diamond Model of Intrusion Analysis, which of the following is not a component of an attack?

Victim

Adversary

Environment

A

Environment

The Diamond Model underscores the relationships and characteristics of an attack’s four main components: adversary, capabilities, infrastructure, and victim.

8
Q

Which of the following is used to analyze logs generated by journald?

syslog

sFlow

journalctl

A

journalctl

journalctl is used to analyze logs generated by journald.

9
Q

Which of the following is based on NetFlow version 9?

IPFIX

sFlow

syslog

A

IPFIX

IPFIX is based on NetFlow version 9, which has since been deprecated.

10
Q

What is the term for “data about data” that provides a rich investigatory source?

Logging

Scanning

Metadata

A

Metadata

Metadata literally means “data about data” and provides insight regarding things like the creation date/time of a file, keywords, and other pertinent information.

11
Q

__________ can be largely automated and, while they can indeed include human elements, often are used to automate features such as threat response.

Playbooks

Incident response plans

Runbooks

A

Runbooks

Runbooks can be largely automated and, while they can indeed include human elements, often are used to automate features such as threat response.

12
Q

Post-incident, Alex has identified an affected host that needs to be separated from the general population of users and hosts on the network. Which of these is her best approach?

Remediation

Isolation

Environment

A

Isolation

System isolation is used when you have a particularly sensitive host or system that needs to be separated from the general population of users and hosts on the network.

13
Q

You have received a call from the legal department to halt regular operations due to pending litigation by a disgruntled former employee. What is this called?

Data collection

Litigation review

Legal hold

A

Legal hold

A legal hold is a formal directive from legal counsel that puts the organization into data collection and preservation mode in the event of pending litigation, investigation, audit, or other circumstance where the data may be required.

14
Q

You are collecting forensic evidence from a recent network intrusion, including firewall logs, access logs, and screen captures of the intruder’s activity. Which of the following concepts describes the procedures for preserving the legal ownership history of evidence from the security incident?

Damage control

Audit trail

Chain of custody

A

Chain of custody

Keeping a chain of custody requires all evidence to be properly labeled with information detailing the personnel who secured and validated the evidence. This can ensure the evidence wasn’t tampered with in any way since the time it was collected.

15
Q

A web server recently crashed because of a denial-of-service attack against it. Based on the order of volatility, which of the following pieces of evidence would you preserve first?

Website data

Screen capture of crash error message

Printout of web access logs

A

Screen capture of crash error message

When collecting forensic data evidence, be aware that certain types of data are more volatile over time. In this case, the error message on the web server should be captured as a screenshot before the server is restarted. The message will disappear after restart, and unless it appears in the logs, you may have no other record of it.
