Operations and Incident Response Flashcards
Which of the following choices is not considered an exploitation framework?
Metasploit
Nessus
CANVAS
Nessus
Metasploit, Core Impact, and CANVAS are exploitation frameworks. Nessus is a vulnerability scanner

Within Unix/Linux systems, the __________ tool dumps the contents of physical memory.
coredump
sysdump
memdump
memdump
Within Unix/Linux systems, the memdump tool dumps the contents of physical memory

Which file-manipulation command is used to print lines that match patterns?
grep
cat
head
grep
The grep command is used to print lines that match patterns

Which of the following is a Windows and Linux tool that can be used to conduct both ping sweeps and port scans, as well as acting as a packet builder?
nmap
Nessus
hping
hping
hping (also known as hping3, its current version) is a Windows and Linux tool that can be used to conduct both ping sweeps and port scans, can act as a packet builder, and can run many scans

Which of the following is not a step of the incident response process?
Eradication
Preparation
Formulation
Formulation
Eradication, preparation, and lessons learned are all formal steps of the incident response process

An organization’s __________ must also contain information on succession planning for key employees.
Disaster recovery plan
Incident response plan
Communication plan
Disaster recovery plan
Your disaster recovery plan must also contain information on succession planning for key employees

According to the Diamond Model of Intrusion Analysis, which of the following is not a component of an attack?
Victim
Adversary
Environment
Environment
The Diamond Model underscores the relationships and characteristics of an attack’s four main components: adversary, capabilities, infrastructure, and victim

Which of the following is used to analyze logs generated by journald?
syslog
sFlow
journalctl
journalctl
journalctl is used to analyze logs generated by journald

Which of the following is based on NetFlow version 9?
IPFIX
sFlow
syslog
IPFIX
IPFIX is based on NetFlow version 9, which has since been deprecated

What is the term for “data about data” that provides a rich investigatory source?
Logging
Scanning
Metadata
Metadata
Metadata literally means “data about data” and provides insight regarding things like the creation date/time of a file, keywords, and other pertinent information

__________ can be largely automated and, while they can indeed include human elements, often are used to automate features such as threat response.
Playbooks
Incident response plans
Runbooks
Runbooks
Runbooks can be largely automated and, while they can indeed include human elements, often are used to automate features such as threat response

Post-incident, Alex has identified an affected host that needs to be separated from the general population of users and hosts on the network. Which of these is her best approach?
Remediation
Isolation
Environment
Isolation
System isolation is used when you have a particularly sensitive host or system that needs to be separated from the general population of users and hosts on the network

You have received a call from the legal department to halt regular operations due to pending litigation by a disgruntled former employee. What is this called?
Data collection
Litigation review
Legal hold
Legal hold
A legal hold is a formal directive from legal counsel that puts the organization into data collection and preservation mode in the event of pending litigation, investigation, audit, or other circumstance where the data may be required

You are collecting forensic evidence from a recent network intrusion, including firewall logs, access logs, and screen captures of the intruder’s activity. Which of the following concepts describes the procedures for preserving the legal ownership history of evidence from the security incident?
Damage control
Audit trail
Chain of custody
Chain of custody
Keeping a chain of custody requires all evidence to be properly labeled with information detailing the personnel who secured and validated the evidence. This can ensure the evidence wasn’t tampered with in any way since the time it was collected

A web server recently crashed because of a denial-of-service attack against it. Based on the order of volatility, which of the following pieces of evidence would you preserve first?
Website data
Screen capture of crash error message
Printout of web access logs
Screen capture of crash error message
When collecting forensic data evidence, be aware that certain types of data are more volatile over time. In this case, the error message on the web server should be captured as a screenshot before the server is restarted. The message will disappear after restart, and unless it appears in the logs, you may have no other record of it