Operations and Incident Response Flashcards

1
Q

Your company is required to remain compliant with PCI-DSS due to the type of information processed by your systems. If there was a breach of this data, which type of disclosure would you be required to provide during your incident response efforts?

Notification to local law enforcement

Notification to your credit card processor

Notification to federal law enforcement

Notification to Visa and Mastercard

A

Notification to your credit card processor

2
Q

Which analysis framework provides the most explicit detail regarding how to mitigate or detect a given threat?

MITRE ATT&CK framework

Lockheed Martin cyber kill chain

Diamond Model of Intrusion Analysis

OpenIOC

A

MITRE ATT&CK framework

3
Q

Which of the following actions should be done FIRST after forensically imaging a hard drive for evidence in an investigation?

Encrypt the source drive to ensure an attacker cannot modify its contents

Digitally sign the image file to provide non-repudiation of the collection

Encrypt the image file to ensure it maintains data integrity

Create a hash digest of the source drive and the image file to ensure they match

A

Create a hash digest of the source drive and the image file to ensure they match

4
Q

Dion Training wants to ensure that none of its computers can run a peer-to-peer file-sharing program on its office computers. Which of the following practices should be implemented to achieve this?

MAC filtering

Application blacklisting

Application whitelisting

Enable NAC

A

Application blacklisting

5
Q

You are the first forensic analyst to arrive on the scene of a data breach. You have been asked to begin evidence collection on the server while waiting for the rest of your team to arrive. Which of the following evidence should you capture first?

Backup tapes

L3 cache

Image of the server’s SSD

ARP cache

A

L3 cache

6
Q

What information should be recorded on a chain of custody form during a forensic investigation?

The list of individuals who made contact with files leading to the investigation

Any individual who worked with evidence during the investigation

The law enforcement agent who was first on the scene

The list of former owners/operators of the workstation involved in the investigation

A

Any individual who worked with evidence during the investigation

7
Q

You are attending a cybersecurity conference and just watched a security researcher demonstrating the exploitation of a web interface on a SCADA/ICS component. This caused the device to malfunction and be destroyed. You recognize that the same component is used throughout your company’s manufacturing plants. Which of the following mitigation strategies would provide you with the most immediate protection against this emergent threat?

Logically or physically isolate the SCADA/ICS component from the enterprise network

Evaluate if the web interface must remain open for the system to function; if it isn’t needed, block the web interface

Demand that the manufacturer of the component release a patch immediately and deploy the patch as soon as possible

Replace the affected SCADA/ICS components with more secure models from a different manufacturer

A

Evaluate if the web interface must remain open for the system to function; if it isn’t needed, block the web interface

8
Q

During which incident response phase is the preservation of evidence performed?

Post-incident activity

Containment, eradication, and recovery

Preparation

Detection and analysis

A

Containment, eradication, and recovery

9
Q

An attacker is searching in Google for Cisco VPN configuration files by using the filetype:pcf modifier. The attacker was able to locate several of these configuration files and now wants to decode any connectivity passwords that they might contain. What tool should the attacker use?

Nessus

Nmap

Netcat

Cain and Abel

A

Cain and Abel

10
Q

Consider the following snippet from a log file collected on the host with the IP address of 10.10.3.6.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Time: Jun 12, 2020 09:24:12 Port:20 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:14 Port:21 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:16 Port:22 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:18 Port:23 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:20 Port:25 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:22 Port:80 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:24 Port:135 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:26 Port:443 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:26 Port:445 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

What type of activity occurred based on the output above?

Port scan targeting 10.10.3.2

Port scan targeting 10.10.3.6

Denial of service attack targeting 10.10.3.6

Fragmentation attack targeting 10.10.3.6

A

Port scan targeting 10.10.3.6

11
Q

You have discovered that an employee has been conducting illegal activities using his workplace computer. You have taken possession of the employee’s laptop according to your company’s procedures and are waiting to give it to law enforcement authorities. What should you do when turning over the laptop to the police?

Maintain the chain of custody

Quarantine the system

Preserve the evidence

Document the changes

A

Maintain the chain of custody

12
Q

You have been hired to conduct an investigation into a possible insider threat from a user named Terri. Which command would you use to review all sudo commands ever issued by Terri (whose login account is terri and UID=1003) on a Linux system? (Select the MOST efficient command)

journalctl _UID=1003 | grep -e [Tt]erri | grep -e 1003 | grep sudo

journalctl _UID=1003 | grep -e 1003 | grep sudo

journalctl _UID=1003 | grep -e [Tt]erri | grep sudo

journalctl _UID=1003 | grep sudo

A

journalctl _UID=1003 | grep sudo

13
Q

An attacker is using the nslookup interactive mode to locate information on a Domain Name Service (DNS). What command should they type to request the appropriate records for only name servers?

transfer type=ns

set type=ns

request type=ns

locate type=ns

A

set type=ns

14
Q

You are working as a junior cybersecurity analyst and utilize a SIEM to support investigations into ongoing incidents. The SIEM is configured to collect data from numerous sources across the network, including network sensors, routers, switches, firewalls, hosts, and servers. Unfortunately, due to the number of data sources, you have data about a particular event being detected by different sensors and devices. Which of the following must you ensure to make sense of all the data being collected by your SIEM prior to analyzing it?

Data recovery

Data sanitization

Data retention

Data correlation

A

Data correlation

15
Q

Which of the following command-line tools would you use to identify open ports and services on a host along with the version of the application that is associated with them?

ping

netstat

Wireshark

nmap

A

nmap

16
Q

You have been asked to assist with an investigation into a malicious user’s activities. Unfortunately, your organization did not have full packet capture available for the time period of the suspected activities. Instead, you have received netflow data that contains statistics and information about the network traffic during that time period. Which of the following best represents the type of data you can obtain from this netflow data to support the investigation?

File contents

Metadata

Email messages

Application logs

A

Metadata

17
Q

You are an analyst and have been asked to review and categorize the following output from a packet analysis in Wireshark:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Source Destination Protocol Length Info
192.168.3.145 4.4.2.2 DNS 74 Standard query 0xaed A test.diontraining.com
4.4.2.2 192.168.3.145 DNS 90 Standard query response 0x3aed A test.diontraining.com A 173.12.15.23
192.168.3.145 173.12.15.23 TCP 78 48134 -80 [SYN] seq=0 Win=65635 Len=0 MSS=1426 WS=16 TSVal=486234134 Tsecr=0 SACK_PERM=1
173.12.15.23 192.168.3.145 TCP 78 80-48134 [SYN,ACK] seq=0 Ack=1 Win=65535 Len=0 MSS=1426 WS=4 TSVal=0 Tsecr=0 SACK_PERM=1 a1=486234134 Tsecr=240612
192.168.3.145 192.168.3.255 NBNS 92 Namequery NB WORKGROUP
34.250.23.14 192.168.3.145 TCP 60 443 - 48134 [RST] Seq=1 Win=0 Len=0
34.250.23.14 192.168.3.145 TCP 60 8080 - 48134 [RST] Seq=1 Win=0 Len=0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Based on your review, what does this scan indicate?

This appears to be normal network traffic

192.168.3.145 might be infected and beaconing to a C2 server

192.168.3.145 might be infected with malware

173.12.15.23 might be infected and beaconing to a C2 server

173.12.15.23 might be infected with malware

A

173.12.15.23 might be infected and beaconing to a C2 server

18
Q

Which analysis framework provides a graphical depiction of the attacker’s approach relative to a kill chain?

OpenIOC

Diamond Model of Intrusion Analysis

MITRE ATT&CK framework

Lockheed Martin cyber kill chain

A

Diamond Model of Intrusion Analysis

19
Q

Which of the following security controls provides Windows system administrators with an efficient way to deploy system configuration settings across a large number of devices?

Anti-malware

Patch management

GPO

HIPS

A

GPO (Microsoft’s Group Policy Object)

20
Q

Dion Training wants to implement a technology within their corporate network to BEST mitigate the risk that a zero-day virus might infect their workstations. Which of the following should be implemented FIRST?

Intrusion detection system

Application whitelisting

Anti-malware solution

Host-based firewall

A

Application whitelisting

Application whitelisting will only allow a program to execute if it is specifically listed in the approved exception list. All other programs are blocked from running. This makes it the BEST mitigation against a zero-day virus.

21
Q

You have been asked by the incident response team leader to perform a forensic examination on a workstation that is suspected to have been infected with malware. You remember from your training that you must collect digital evidence in the proper order to protect it from being changed during your evidence collection efforts. Which of the following describes the correct sequence to collect the data from the workstation?

Swap, RAM, CPU cache, Hard drive

CPU cache, RAM, Swap, Hard drive

Hard drive, Swap, CPU cache, RAM

RAM, CPU cache, Swap, Hard drive

A

CPU cache, RAM, Swap, Hard drive

22
Q

Dion Training requires that the staff simulate their response to a potential data breach. During this simulation, the staff gathers in the conference room and discusses each action they would take as part of their response. This information is then analyzed to ensure the company’s data breach response playbook is up to date and would work properly when needed. Which of the following best describes what the staff did?

Incident response

Disaster recovery planning

Business impact analysis

Tabletop exercise

A

Tabletop exercise

23
Q

You are reviewing the logs in your IDS and see that there were entries showing SYN packets received from a remote host targeting each port on your web server from 1 to 1024. Which of the following MOST likely occurred?

SYN flood

Remote host cannot find the right service port

UDP probe

Port scan

A

Port scan

24
Q

Which of the following Wireshark filters should be applied to a packet capture to detect applications that are sending passwords in cleartext to a REST API located at 10.1.2.3?

http.request.method=="POST" && ip.dst==10.1.2.3

http.request.method=="POST"

ip.proto==tcp

ip.dst==10.1.2.3

A

http.request.method=="POST" && ip.dst==10.1.2.3

25
Q

An analyst just completed a port scan and received the following results of open ports:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
TCP: 80
TCP: 110
TCP: 443
TCP: 1433
TCP: 3306
TCP: 3389
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Based on these scan results, which of the following services are NOT currently operating?

Web

RDP

Database

SSH

A

SSH

26
Q

Which of the following types of digital forensic investigations is most challenging due to the on-demand nature of the assets being analyzed?

Employee workstations

On-premise servers

Cloud services

Mobile devices

A

Cloud services

27
Q

During which phase of the incident response process does an organization assemble an incident response toolkit?

Preparation

Detection and analysis

Post-incident activity

Containment, eradication, and recovery

A

Preparation

During the preparation phase, the incident response team conducts training, prepares their incident response kits, and researches threats and intelligence.

28
Q

If you are unable to ping a target because you are receiving no response or a response that states the destination is unreachable, then ICMP may be disabled on the remote end. If you wanted to try to elicit a response from a host using TCP, what tool would you use?

Broadcast ping

Hping

TCP ping

Traceroute

A

Hping

Hping is a handy little utility that assembles and sends custom ICMP, UDP, or TCP packets and then displays any replies.

29
Q

An attacker has compromised a virtualized server. You are conducting forensic analysis as part of the recovery effort but found that the attacker deleted a virtual machine image as part of their malicious activity. Which of the following challenges do you now have to overcome as part of the recovery and remediation efforts?

All log files are stored within the VM disk image, therefore, they are lost

File formats used by some hypervisors cannot be analyzed with traditional forensic tools

The attack widely fragmented the image across the host file system

You will need to roll back to an early snapshot and then merge any checkpoints to the main image

A

The attack widely fragmented the image across the host file system

32
Q

Which analysis framework provides a graphical depiction of the attacker’s approach relative to a kill chain?

OpenIOC
Lockheed Martin cyber kill chain
MITRE ATT&CK framework
Diamond Model of Intrusion Analysis

A

Diamond Model of Intrusion Analysis

The Diamond Model provides an excellent methodology for communicating cyber events and allowing analysts to implicitly derive mitigation strategies. The Diamond Model is constructed around a graphical representation of an attacker’s behavior. The MITRE ATT&CK framework provides explicit pseudo-code examples for how to detect or mitigate a given threat within a network and ties specific behaviors back to individual actors. The Lockheed Martin cyber kill chain provides a general life cycle description of how attacks occur but does not deal with the specifics of how to mitigate. OpenIOC contains a depth of research on APTs but does not integrate the detections and mitigation strategy.

33
Q

An attacker is using the nslookup interactive mode to locate information on a Domain Name Service. What command should they type to request the appropriate records for only name servers?

transfer type=ns
set type=ns
locate type=ns
request type=ns

A

set type=ns

The “set type=ns” tells nslookup to only report information on name servers. If you used “set type=mx” instead, you would receive information only about mail exchange servers.

35
Q

You work as the incident response team lead at Fail to Pass Systems. Sierra, a system administrator, believes an incident has occurred on the network and contacts the SOC. At 2:30 am, you are woken up by a phone call from the CEO of Fail to Pass stating an incident has occurred and that you need to solve this immediately. As you are getting dressed to drive into the office, your phone rings again. This time, it is the CIO who starts asking you a lot of technical questions about the incident. The first you heard of this incident was 5 minutes ago from the CEO, so you obviously don’t have the answers to the CIO’s questions. Based on this scenario, which of the following issues needs to be documented in your lessons learned report once this incident is resolved?

An established incident response form for all employees to use to collect data

A robust method of incident detection

A call list/escalation list

An offline incident response jump bag or kit

A

A call list/escalation list

36
Q

What does the bs=1M signify in the command list above?

Removes error messages and other incorrect data

Sets the block size

Sets the beginning sector

Sends output to a blank sector

A

Sets the block size

bs

43
Q

Which analysis framework makes no allowance for an adversary retreat in its analysis?

MITRE ATT&CK framework
Lockheed Martin cyber kill chain
AlienVault (AT&T Cybersecurity) Cyber Kill Chain
Diamond Model of Intrusion Analysis

A

Lockheed Martin cyber kill chain

44
Q

You are notified by an external organization that an IP address associated with your company’s email server has been sending spam emails requesting funds as part of a lottery collection scam. An investigation into the incident reveals that the email account used belonged to Connor from the sales department, and that Connor’s email account was only used from one workstation. You analyze Connor’s workstation and discover several unknown processes running, but netflow analysis reveals no attempted lateral movement to other workstations on the network. Which containment strategy would be most effective to use in this scenario?

Request disciplinary action for Connor for causing this incident

Isolate the workstation computer by disabling the switch port and reset Connor’s username/password

Unplug the workstation’s network cable and conduct a complete reimaging of the workstation

Isolate the network segment Connor is on and conduct a forensic review of all workstations in the sales department

A

Isolate the workstation computer by disabling the switch port and reset Connor’s username/password

46
Q

During which incident response phase is the preservation of evidence performed?

Preparation
Detection and analysis
Containment, eradication, and recovery
Post-incident activity

A

Containment, eradication, and recovery

A cybersecurity analyst must preserve evidence during the containment, eradication, and recovery phase. They must preserve forensic and incident information for future needs, to prevent future attacks, or to bring an attacker up on criminal charges.

47
Q

You are in the recovery steps of an incident response. Your analysis revealed that the attacker exploited an unpatched vulnerability on a public-facing web server as the initial intrusion vector in this incident. Which of the following mitigations should be implemented first during the recovery?

Disable unused user accounts and reset the administrator credentials

Restrict shell commands per user or per host for least privilege purposes

Scan the network for additional instances of this vulnerability and patch the affected assets

Restrict host access to peripheral protocols like USB and Bluetooth

A

Scan the network for additional instances of this vulnerability and patch the affected assets

49
Q

Which of the following tools is useful for capturing Windows memory data for forensic analysis?

Nessus
dd
Wireshark
Memdump

A

Memdump

50
Q

You are conducting an incident response and want to determine if any account-based indicators of compromise (IoC) exist on a compromised server. Which of the following would you NOT search for on the server?

Failed logins
Unauthorized sessions
Malicious processes
Off-hours usage

A

Malicious processes

51
Q

Which containment technique is the strongest possible response to an incident?

Segmentation
Enumeration
Isolating affected systems
Isolating the attacker

A

Isolating affected systems

Obj 4.4: Given an incident, apply mitigation techniques or controls to secure an environment.

52
Q

Which of the following elements is LEAST likely to be included in an organization’s data retention policy?

Maximum retention period
Minimum retention period
Classification of information
Description of information that needs to be retained

A

Classification of information

Data retention policies highlight what types of information an organization will maintain and the length of time they will maintain it.