Operations and Incident Response

Question 1

Which of the following choices is not considered an exploitation framework?

Metasploit

Nessus

CANVAS

Answer 1

Nessus

Metasploit, Core Impact, and CANVAS are exploitation frameworks. Nessus is a vulnerability scanner

Question 2

Within Unix/Linux systems, the __________ tool dumps the contents of physical memory.

coredump

sysdump

memdump

Answer 2

memdump

Within Unix/Linux systems, the memdump tool dumps the contents of physical memory

Question 3

Which file-manipulation command is used to print lines that match patterns?

grep

cat

head

Answer 3

grep

The grep command is used to print lines that match patterns

Question 4

Which of the following is a Windows and Linux tool that can be used to conduct both ping sweeps and port scans, as well as acting as a packet builder?

nmap

Nessus

hping

Answer 4

hping

hping (also known as hping3, its current version) is a Windows and Linux tool that can be used to conduct both ping sweeps and port scans, can act as a packet builder, and can run many scans

Question 5

Which of the following is not a step of the incident response process?

Eradication

Preparation

Formulation

Answer 5

Formulation

Eradication, preparation, and lessons learned are all formal steps of the incident response process

Question 6

An organization’s __________ must also contain information on succession planning for key employees.

Disaster recovery plan

Incident response plan

Communication plan

Answer 6

Disaster recovery plan

Your disaster recovery plan must also contain information on succession planning for key employees

Question 7

According to the Diamond Model of Intrusion Analysis, which of the following is not a component of an attack?

Victim

Adversary

Environment

Answer 7

Environment

The Diamond Model underscores the relationships and characteristics of an attack’s four main components: adversary, capabilities, infrastructure, and victim

Question 8

Which of the following is used to analyze logs generated by journald?

syslog

sFlow

journalctl

Answer 8

journalctl

journalctl is used to analyze logs generated by journald

Question 9

Which of the following is based on NetFlow version 9?

IPFIX

sFlow

syslog

Answer 9

IPFIX

IPFIX is based on NetFlow version 9, which has since been deprecated

Question 10

What is the term for “data about data” that provides a rich investigatory source?

Logging

Scanning

Metadata

Answer 10

Metadata

Metadata literally means “data about data” and provides insight regarding things like the creation date/time of a file, keywords, and other pertinent information

Question 11

__________ can be largely automated and, while they can indeed include human elements, often are used to automate features such as threat response.

Playbooks

Incident response plans

Runbooks

Answer 11

Runbooks

Runbooks can be largely automated and, while they can indeed include human elements, often are used to automate features such as threat response

Question 12

Post-incident, Alex has identified an affected host that needs to be separated from the general population of users and hosts on the network. Which of these is her best approach?

Remediation

Isolation

Environment

Answer 12

Isolation

System isolation is used when you have a particularly sensitive host or system that needs to be separated from the general population of users and hosts on the network

Question 13

You have received a call from the legal department to halt regular operations due to pending litigation by a disgruntled former employee. What is this called?

Data collection

Litigation review

Legal hold

Answer 13

Legal hold

A legal hold is a formal directive from legal counsel that puts the organization into data collection and preservation mode in the event of pending litigation, investigation, audit, or other circumstance where the data may be required

Question 14

You are collecting forensic evidence from a recent network intrusion, including firewall logs, access logs, and screen captures of the intruder’s activity. Which of the following concepts describes the procedures for preserving the legal ownership history of evidence from the security incident?

Damage control

Audit trail

Chain of custody

Answer 14

Chain of custody

Keeping a chain of custody requires all evidence to be properly labeled with information detailing the personnel who secured and validated the evidence. This can ensure the evidence wasn’t tampered with in any way since the time it was collected

Question 15

A web server recently crashed because of a denial-of-service attack against it. Based on the order of volatility, which of the following pieces of evidence would you preserve first?

Website data

Screen capture of crash error message

Printout of web access logs

Answer 15

Screen capture of crash error message

When collecting forensic data evidence, be aware that certain types of data are more volatile over time. In this case, the error message on the web server should be captured as a screenshot before the server is restarted. The message will disappear after restart, and unless it appears in the logs, you may have no other record of it