Practice Tests - Chapter 3: Domain 3.0: Incident Response and Management Flashcards
Parts of the Diamond Model
- Adversary
- Infrastructure
- Capability
- Victim
This analysis used the Diamond model of intrusion analysis, which describes a sequence where an adversary deploys a capability targeted at an infrastructure against a victim. The Diamond model draws its name from the shape of the diagram created during the analysis.
Cyber Kill Chain Steps
- Reconnaissance: This phase involves the adversary identifying targets and gathering intelligence about them. This includes both open-source information and direct data acquisition through scanning.
- Weaponization: In this stage, the attacker creates an exploit and a backdoor into a deliverable payload based on the intelligence gathered during reconnaissance.
- Delivery: This occurs when the adversary transmits the weaponized payload to the target. Common delivery methods include email attachments, USB drives, or compromised websites.
- Exploitation: This is when the adversary uses a software, hardware, or human vulnerability to gain access to the target system. This could involve zero-day exploits or victim-triggered exploits.
- Installation: Once access is gained, the attacker installs persistent backdoor access, allowing them to maintain their foothold on the compromised system.
- Command and Control (C2): In this phase, the attacker establishes a communication channel to remotely control the compromised system(s) [38, 365–366].
- Actions on Objectives: Finally, the attacker performs their intended goals, such as data exfiltration, data destruction, or system disruption.
6- Jamal wants to leverage a framework to improve his threat hunting for network defense. What threat‐hunting framework should he select to help his team categorize and analyze threats more effectively?
- MOPAR
- CVSS
- MITRE ATT&CK
- CAPEC
MITRE ATT&CK
The ATT&CK framework is focused on network defense and broadly covers threat hunting. CAPEC is focused on application security. CVSS is the Common Vulnerability Scoring System, and Mopar is a parts, service, and customer care organization that is part of Fiat Chrysler.
7- Maria is an Active Directory domain administrator for her company, and she knows that a quickly spreading botnet relies on a series of domain names for command and control and that preventing access to those domain names will cause the malware infection that connects to the botnet to fail to take further action. Which of the following actions is her best option if she wants to prevent offsite Windows users from connecting to botnet command‐and‐control systems?
- Force a BGP update.
- Set up a DNS sinkhole.
- Modify the hosts file.
- Install an antimalware application.
Modify the hosts file.
Maria can push an updated hosts file to her domain connected systems that will direct traffic intended for known bad domains to the localhost or a safe system. She might want to work with a security analyst or other IT staff member to capture queries sent to that system to track any potentially infected workstations. A DNS sinkhole would work only if all of the systems were using local DNS, and offsite users are likely to have DNS settings set by the local networks they connect to. Antimalware applications may not have an update yet, or may fail to detect the malware, and forcing a Border Gateway Protocol (BGP) update for third‐party networks is likely a bad idea.
CAPEC
CAPEC (Common Attack Pattern Enumeration and Classification) is a resource that is focused on application security. It can be contrasted with the MITRE ATT&CK framework, which broadly covers threat hunting and network defense.
8- While attempting to stop a rogue service, Monica issues the following Linux command on an Ubuntu system using upstart:
service rogueservice stop
After a reboot, she discovers the service running again. What happened, and what does she need to do to prevent this?
- The service restarted at reboot, so she needs to include the -p, or permanent, flag.
- The service restarted itself, so she needs to delete the binary associated with the service.
- The service restarted at reboot, so she should add an .override file to stop the service from starting.
- A malicious user restarted the service, so she needs to ensure users cannot restart services.
The service restarted at reboot, so she should add an .override file to stop the service from starting.
Monica issued a command that only stops a running service. It will restart at reboot unless the scripts that start it are disabled. On modern Ubuntu systems, that is handled by upstart. Other services may use init.d scripts. In either case, when asked a question like this, you can quickly identify this as a problem that occurred at reboot and remove the answer that isn’t likely to be correct.
9- Bill is reviewing the authentication logs for a Linux system that he operates and encounters the following log entries:
Aug 30 09:46:54 ip-172-30-0-62 sshd[3051]: Accepted publickey for ec2-user from 10.174.238.88 port 57478 ssh2: RSA e5:f5:c1:46:bb:49:a1:43:da:9d:50:c5:37:bd:79:22
Aug 30 09:46:54 ip-172-30-0-62 ssh[3051]: pam_unix[sshd:session]: session opened for user ec2-user by (uid=0)
Aug 30 09:48:06 ip-172-30-0-62 sudo: ec2-user : TTY=ps/0 ; PWD=/home/ec2-user ; USER=root; COMMAND=/bin/bash
What is the IP address of the system where the user was logged in when they initiated the connection?
- 172.30.0.62
- 62.0.30.172
- 10.174.238.88
- 9.48.6.0
10.174.238.88
The first entry in the log indicates that the user authenticated from the system 10.174.238.88.
11- Bill is reviewing the authentication logs for a Linux system that he operates and encounters the following log entries:
Aug 30 09:46:54 ip-172-30-0-62 sshd[3051]: Accepted publickey for ec2-user from 10.174.238.88 port 57478 ssh2: RSA e5:f5:c1:46:bb:49:a1:43:da:9d:50:c5:37:bd:79:22
Aug 30 09:46:54 ip-172-30-0-62 ssh[3051]: pam_unix[sshd:session]: session opened for user ec2-user by (uid=0)
Aug 30 09:48:06 ip-172-30-0-62 sudo: ec2-user : TTY=ps/0 ; PWD=/home/ec2-user ; USER=root; COMMAND=/bin/bash
What authentication technique did the user use to connect to the server?
- Password
- PKI
- Token
- Biometric
PKI
The first log entry indicates that the user made use of public key authentication (PKI) to authenticate the connection. The user, therefore, possessed the private key that corresponded to a public key stored on the server and associated with the user.
13- Alaina adds the openphish URL list to her SOAR tool and sees the following entries:
http://13.126.65.8/DocExaDemo/uploads/index.php/bofa/bofa/95843de35406f3cab0b2dcf2b/success.htm
http://13.126.65.8/DocExaDemo/uploads/index.php/bofa/bofa/9b094075409d3a723c7ee3d9e/sitekey.php
http://13.126.65.8/DocExaDemo/uploads/index.php/bofa/bofa/9b094075409d3a723c7ee3d9e/success.htm
http://13.126.65.8/DocExaDemo/uploads/index.php/bofa/bofa/9b094075409d3a723c7ee3d9e/
http://13.126.65.8/DocExaDemo/uploads/index.php/bofa/bofa/95843de35406f3cab0b2dcf2b/
http://13.126.65.8/DocExaDemo/uploads/index.php/bofa/bofa/95843de35406f3cab0b2dcf2b/sitekey.php
What action should she take based on phishing URLs like these?
- Block the IP address at her border firewall.
- Monitor for the IP address using her IDS.
- Delete emails with the URL from inbound email.
- Nothing, as these have not been confirmed.
Delete emails with the URL from inbound email.
Alaina’s best option is to delete emails with these URLs from all inbound email. Blocking or monitoring for the IP addresses can help, but mobile and offsite users will not be protected if they do not send their traffic through her firewall or IDSs.
14- Rowan wants to block drive‐by‐downloads and bot command‐and‐control channels while redirecting potentially impacted systems to a warning message. What should she implement to do this?
- A DNS sinkhole
- A WAF
- An IDS
- A UEBA
A DNS sinkhole
A DNS sinkhole exactly meets Rowan’s needs. It can redirect traffic intended for malicious sites and botnet controllers to a landing page, which warns the end user that something went wrong.
15- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) uses a 1–100 scale for incident prioritization, with weight assigned to each of a number of categories. The functional impact score is weighted in their demonstration as follows:
| Functional Impact | Rating |
|---|---|
| No impact | 0 |
| No impact to services | 20 |
| Minimal impact to noncritical services | 35 |
| Minimal impact to critical services | 40 |
| Significant impact to noncritical services | 50 |
| Denial of noncritical services | 60 |
| Significant impact to critical services | 70 |
| Denial of critical services or loss of control | 100 |
Nathan discovers a malware package on an end‐user workstation. What rating should he give this if he is considering organization impact based on the table shown?
- No impact
- No impact to services
- Denial of noncritical services
- Denial of critical services or loss of control
No impact to services
It may be tempting to answer “no impact,” but the better answer here is “no impact to services.” The system will still require remediation, which will consume staff time, so there will not be a total lack of impact.
16- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) uses a 1–100 scale for incident prioritization, with weight assigned to each of a number of categories. The functional impact score is weighted in their demonstration as follows:
| Functional Impact | Rating |
|---|---|
| No impact | 0 |
| No impact to services | 20 |
| Minimal impact to noncritical services | 35 |
| Minimal impact to critical services | 40 |
| Significant impact to noncritical services | 50 |
| Denial of noncritical services | 60 |
| Significant impact to critical services | 70 |
| Denial of critical services or loss of control | 100 |
Nathan’s organization uses a software‐as‐a‐service (SaaS) tool to manage their customer mailing lists, which they use to inform customers of upcoming sales a week in advance. The organization’s primary line of business software continues to function and merchandise can be sold. Because of a service outage, they are unable to add new customers to the list for a full business day. How should Nathan rate this local impact issue during the outage?
- Minimal impact to noncritical services
- Minimal impact to critical services
- Significant impact to noncritical services
- Denial of noncritical services
Denial of noncritical services
The service is noncritical because it can be used to conduct business as usual after it is restored without a meaningful business impact due to the outage. During the outage, however, this is a denial of a noncritical service.
18- Melissa is using the US‐CERT’s scale to measure the impact of the location of observed activity by a threat actor. Which of the following should be the highest rated threat activity location?
- Critical system screened subnet (DMZ)
- Business network
- Business screened subnet (DMZ)
- Safety systems
Safety systems
Human safety and human lives are always the most critical system or resource. Here, safety systems should receive the highest rating, and in the US‐CERT NCISS demo, they receive 100/100 points on the scale.
19- Derek’s organization has been working to recover from a recent malware infection that caused outages across the organization during an important part of their business cycle. To properly triage, what should Derek pay the most attention to first?
- The immediate impact on operations so that his team can restore functionality
- The total impact of the event so that his team can provide an accurate final report
- The immediate impact on operations so that his team can identify the likely threat actor
- The total impact of the event so that his team can build a new threat model for future use
The immediate impact on operations so that his team can restore functionality
During an event, incident responders often have to pay more attention to the immediate impact to triage and prioritize remediation. Once systems are back online and the business is operating, total impact can be assessed and should be included in the report and considered in new controls and practices from the lessons learned analysis of the event.
21- John has designed his network as shown here and places untrusted systems that want to connect to the network into the Guests network segment. What is this type of segmentation called?
(look up diagram in book)
- Proactive network segmentation
- Isolation
- Quarantine
- Removal
Proactive network segmentation
John is not responding to an incident, so this is an example of proactive network segmentation. If he discovered a system that was causing issues, he might create a dedicated quarantine network or could isolate or remove the system.
22- The organization that Jamal works for classifies security-related events using NIST’s standard definitions. Which classification should he use when he discovers key logging software on the laptop of one of his frequent business travelers?
- An event
- An adverse event
- A security incident
- A policy violation
A security incident
NIST describes events like this as security incidents because they are a violation or imminent threat of violation of security policies and practices. An adverse event is any event with negative consequences, and an event is any observable occurrence on a system or network.
24- Lauren wants to create a backup of Linux permissions before making changes to the Linux workstation she is attempting to remediate. What Linux tool can she use to back up the permissions of an entire directory on the system?
- She can use chbkup.
- She can use getfacl.
- She can use aclman.
- There is not a common Linux permission backup tool.
She can use getfacl.
Linux provides a pair of useful ACL backup and restore commands: getfacl allows recursive backups of directories, including all permissions to a text file, and setfacl restores those permissions from the backup file. Both aclman and chbkup were made up for this question.
getfacl
The Linux command getfacl allows for recursive backups of directory access control lists (ACLs), including all permissions, to a text file. This is useful for backing up the permissions settings of directories and their contents.
25- While working to restore systems to their original configuration after a long‐term APT compromise, Manish has three options.
A. He can restore from a backup and then update patches on the system.
B. He can rebuild and patch the system using original installation media and application software using his organization’s build documentation.
C. He can remove the compromised accounts and rootkit tools and then fix the issues that allowed the attackers to access the systems.
Which option should Manish choose in this scenario?
- Option A.
- Option B.
- Option C.
- None of the above. Manish should hire a third party to assess the systems before proceeding.
Option B.
In cases where an advanced persistent threat (APT) has been present for an unknown period of time, backups should be assumed to be compromised. Since APTs often have tools that cannot be detected by normal anti‐malware techniques, the best option that Manish has is to carefully rebuild the systems from the ground up and then ensure that they are fully patched and secured before returning them to service.
26- Jessica wants to access a macOS FileVault 2–encrypted drive. Which of the following methods is not a possible means of unlocking the volume?
- Change the FileVault key using a trusted user account.
- Retrieve the key from memory while the volume is mounted.
- Acquire the recovery key.
- Extract the keys from iCloud.
Change the FileVault key using a trusted user account.
FileVault does allow trusted accounts to unlock the drive but not by changing the key. FileVault 2 keys can be recovered from memory for mounted volumes, and much like BitLocker, it suggests that users record their recovery key, so Jessica may want to ask the user or search their office or materials if possible. Finally, FileVault keys can be recovered from iCloud, providing her with a third way to get access to the drive.
28- If Suki wants to purge a drive, which of the following options will accomplish her goal?
- Cryptographic erase
- Reformat
- Overwrite
- Repartition
Cryptographic erase
Purging requires complete removal of data, and cryptographic erase is the only option that will fully destroy the contents of a drive from this list. Reformatting leaves the original data in place, overwriting leaves the potential for file remnants in slack space, and repartitioning also leaves data intact in the new partitions.
29- While performing post‐rebuild validation efforts, Scott scans a server from a remote network and sees no vulnerabilities. Joanna, the administrator of the machine, runs a scan and discovers two critical vulnerabilities and five moderate issues. What is most likely causing the difference in their reports?
- Different patch levels were used during the scans.
- They are scanning through a load balancer.
- There is a firewall between the remote network and the server.
- Scott or Joanna ran the vulnerability scan with different settings.
There is a firewall between the remote network and the server.
Local scans often provide more information than remote scans because of network or host firewalls that block access to services. The second most likely answer is that Scott or Joanna used different settings when they scanned.
30- As part of his organization’s cooperation in a large criminal case, Adam’s forensic team has been asked to send a forensic image of a highly sensitive compromised system in RAW format to an external forensic examiner. What steps should Adam’s team take prior to sending a drive containing the forensic image?
- Encode in E01 format and provide a hash of the original file on the drive.
- Encode in FTK format and provide a hash of the new file on the drive.
- Encrypt the RAW file and transfer a hash and key under separate cover.
- Decrypt the RAW file and transfer a hash under separate cover.
Encrypt the RAW file and transfer a hash and key under separate cover.
A general best practice when dealing with highly sensitive systems is to encrypt copies of the drives before they are sent to third parties. Adam should encrypt the drive image and provide both the hash of the image and the decryption key under separate cover (sent via a separate mechanism) to ensure that losing the drive itself does not expose the data. Once the image is in the third‐party examiner’s hands, they will be responsible for its security. Adam may want to check on what their agreement says about security.
33- James wants to determine whether other Windows systems on his network are infected with the same malware package that he has discovered on the workstation he is analyzing. He has removed the system from his network by unplugging its network cable, as required by corporate policy. He knows that the system has previously exhibited beaconing behavior and wants to use that behavior to identify other infected systems. How can he safely create a fingerprint for this beaconing without modifying the infected system?
- Plug the system into the network and capture the traffic quickly at the firewall using Wireshark or tcpdump.
- Plug the system into an isolated switch and use a span port or tap and Wireshark/tcpdump to capture traffic.
- Review the ARP cache for outbound traffic.
- Review the Windows Defender Firewall log for traffic logs.
Plug the system into an isolated switch and use a span port or tap and Wireshark/tcpdump to capture traffic.
James can temporarily create an untrusted network segment and use a span port or tap to allow him to see traffic leaving the infected workstation. Using Wireshark or tcpdump, he can build a profile of the traffic it sends, helping him build a fingerprint of the beaconing behavior. Once he has this information, he can then use it in his recovery efforts to ensure that other systems are not similarly infected.
35- During a forensic investigation, Lukas discovers that he needs to capture a virtual machine that is part of the critical operations of his company’s website. If he cannot suspend or shut down the machine for business reasons, what imaging process should he follow?
- Perform a snapshot of the system, boot it, suspend the copied version, and copy the directory it resides in.
- Copy the virtual disk files and then use a memory capture tool.
- Escalate to management to get permission to suspend the system to allow a true forensic copy.
- Use a tool like the Volatility Framework to capture the live machine completely.
Copy the virtual disk files and then use a memory capture tool.
If business concerns override his ability to suspend the system, the best option that Lukas has is to copy the virtual disk files and then use a live memory imaging tool. This will give him the best forensic copy achievable under the circumstances. Snapshotting the system and booting it will result in a loss of live memory artifacts. Escalating may be possible in some circumstances, but the scenario specifies that the system must remain online. Finally, Volatility can capture memory artifacts but is not designed to capture a full virtual machine.
38- Lakshman needs to sanitize hard drives that will be leaving his organization after a lease is over. The drives contained information that his organization classifies as sensitive data that competitors would find valuable if they could obtain it. Which choice is the most appropriate to ensure that data exposure does not occur during this process?
- Clear, validate, and document.
- Purge the drives.
- Purge, validate, and document.
- The drives must be destroyed to ensure no data loss.
Purge, validate, and document.
Since the drives are being returned at the end of a lease, you must assume that the contract does not allow them to be destroyed. This means that purging the drives, validating that the drives have been purged, and documenting the process to ensure that all drives are included are the appropriate actions. Clearing the drives leaves the possibility of data recovery, while purging, as defined by NIST SP 800‐88, renders data recovery infeasible.
40- During a forensic analysis of an employee’s computer as part of a human resources investigation into misuse of company resources, Tim discovers a program called Eraser installed on the PC. What should Tim expect to find as part of his investigation?
- A wiped C: drive
- Antiforensic activities
- All slack space cleared
- Temporary files and Internet history wiped
Antiforensic activities
Eraser is a tool used to securely wipe files and drives. If Eraser is not typically installed on his organization’s machines, Tim should expect that the individual being investigated has engaged in some antiforensic activities including wiping files that may have been downloaded or used against company policy. This doesn’t mean he shouldn’t continue his investigation, but he may want to look at Eraser’s log for additional evidence of what was removed.
41- Jessica wants to recover deleted files from slack space and needs to identify where the files begin and end. What is this process called?
- Slacking
- Data carving
- Disk recovery
- Header manipulation
Data carving
Data carving is the process of identifying files based on file signatures such as headers and footers and then pulling the information between those locations out as a file. Jessica can use common carving tools or could manually carve files if she knows common header and footer types that she can search for.
Slack Space
Slack space is leftover storage that exists because files do not take up the entire space allocated for them in a disk cluster. It is the space between the last sector containing logical data of a file and the end of the cluster. This area can contain deleted files that have not yet been overwritten, fragments of older files, and data stored on a drive before it was partitioned. Forensic analysts can recover data from slack space, and attackers can potentially hide data there.
44- Alex suspects that an attacker has modified a Linux executable using static libraries. Which of the following Linux commands is best suited to determining whether this has occurred?
- file
- stat
- strings
- grep
file
The Linux file command shows a file’s format, encoding, what libraries it is linked to, and its file type (binary, ASCII text, etc.). Since Alex suspects that the attacker used statically linked libraries, the file command is the best command to use for this scenario. stat provides the last time accessed, permissions, UID and GID bit settings, and other details. It is useful for checking when a file was last used or modified but won’t provide details about linked libraries. strings and grep are both useful for analyzing the content of a file and may provide Alex with other hints but won’t be as useful as the file command for this purpose.
45- Because of external factors, Eric has only a limited time period to collect an image from a workstation. If he collects only specific files of interest, what type of acquisition has he performed?
- Logical
- Bit‐by‐bit
- Sparse
- None of the above
Logical
A logical acquisition focuses on specific files of interest, such as a specific type of file or files from a specific location. In Eric’s case, a logical acquisition meets his needs. A sparse acquisition also collects data from unallocated space. A bit‐by‐bit acquisition is typically performed for a full drive and will take longer.
47- Susan needs to perform forensics on a virtual machine. What process should she use to ensure she gets all of the forensic data she may need?
- Suspend the machine and copy the contents of the directory it resides in.
- Perform a live image of the machine.
- Suspend the machine and make a forensic copy of the drive it resides on.
- Turn the virtual machine off and make a forensic copy of it.
Suspend the machine and copy the contents of the directory it resides in.
Suspending a virtual machine will result in the RAM and disk contents being stored to the directory where it resides. Simply copying that folder is then sufficient to provide Susan with all the information she needs. She should not turn the virtual machine off, and creating a forensic copy of the drive is not necessary (but she should still validate hashes for the copied files or directory).
48- Allison wants to access Chrome logs as part of a forensic investigation. What format is information about cookies, history, and saved form responses saved in?
- SQLite
- Plain text
- Base64‐encoded text
- NoSQL
SQLite
Chrome stores a broad range of useful forensic information in its SQLite database, including cookies, favicons, history, logins, top sites, web form data, and other details. Knowing how to write SQL queries or having access to a forensic tool that makes these databases easy to access can provide a rich trove of information about the web browsing history of a Chrome user.
49- While Chris is attempting to image a device, he encounters write issues and cannot write the image as currently set (refer to the image shown here). What issue is he most likely encountering?
(look up diagram in book)
- The files need to be compressed.
- The destination drive is formatted FAT32.
- The destination drive is formatted NTFS.
- The files are encrypted.
The destination drive is formatted FAT32.
FTK Imager Light is shown configured to write a single large file that will fail on FAT32‐formatted drives where the largest single file is 4 GB. If Chris needs to create a single file, he should format his destination drive as NTFS. In many cases, he should simply create a raw image to a blank disk instead!
50- Saanvi needs to validate the MD5 checksum of a file on a Windows system to ensure that there were no unauthorized changes to the binary file. He is not allowed to install any programs and cannot run files from external media or drives. What Windows utility can he use to get the MD5 hash of the file?
- md5sum
- certutil
- sha1sum
- hashcheck
certutil
Modern versions of Windows include the built‐in certutil utility. Running certutil -hashfile [file location] md5 will calculate the MD5 hash of a file. certutil also supports SHA1 and SHA256 as well as other less frequently used hashes. md5sum and sha1sum are Linux utilities, and hashcheck is a shell extension for Windows.
md5sum
Linux utility that calculates and verifies MD5 hashes.
sha1sum
Linux utility that calculates and verifies SHA-1 hashes.
hashcheck
Shell extension for Windows that calculates and verifies checksums and hashes from Windows Explorer.
FTK Imager Lite
FTK Imager Lite is a portable imaging tool that can be run from removable media to capture a live image of a system. It is also used for validating the integrity of forensic images by displaying hash values in a report at the end of the imaging process.
51- Forensic investigation shows that the target of an investigation used the Windows Quick Format command to attempt to destroy evidence on a USB thumb drive. Which of the NIST sanitization techniques has the target of the investigation used in their attempt to conceal evidence?
- Clear
- Purge
- Destroy
- None of the above
None of the above
The Windows Quick Format option leaves data in unallocated space on the new volume, allowing the data to be carved and retrieved. This does not meet the requirements for any of the three levels of sanitization defined by NIST.
Levels of NIST Sanitization
According to NIST SP 800-88, there are three levels of sanitization for the secure disposition of media containing sensitive information. These are:
- Clear: This applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple noninvasive data recovery techniques, typically by rewriting data or resetting a device to its factory state.
- Purge: This applies physical or logical techniques that render target data recovery infeasible using state-of-the-art laboratory techniques. Examples include overwriting, block erase, cryptographic erase using dedicated commands, and degaussing.
- Destroy: This renders target data recovery infeasible using state-of-the-art laboratory techniques and results in the subsequent inability to use the media for storage of data, through techniques like disintegration, pulverization, melting, and incineration.
53- Mei’s team has completed the initial phases of their incident response process and is assessing the time required to recover from the incident. Using the NIST recoverability effort categories, the team has determined that they can predict the time to recover but will require additional resources. How should she categorize this using the NIST model?
- Regular
- Supplemented
- Extended
- Not recoverable
Supplemented
The NIST recoverability effort categories call a scenario in which time to recovery is predictable with additional resources “supplemented.” The key to the NIST levels is to remember that each level of additional unknowns and resources required increases the severity level from regular to supplemented and then to extended. A nonrecoverable situation exists when the event cannot be remediated, such as when data is exposed. At that point, an investigation is launched. In a nongovernment agency, this phase might involve escalating to law enforcement.
NIST recoverability effort categories
- Regular: The time to recovery is predictable with existing resources.
- Supplemented: The time to recovery is predictable but requires additional resources.
- Extended: The time to recovery is unpredictable, and additional resources and outside help are needed.
- Not Recoverable: Recovery from the incident is not possible, for example, if sensitive data has been exfiltrated and made public, necessitating the launch of an investigation.
55- Jose is aware that an attacker has compromised a system on his network but wants to continue to observe the attacker’s efforts as they continue their attack. If Jose wants to prevent additional impact on his network while watching what the attacker does, what containment method should he use?
- Removal
- Isolation
- Segmentation
- Detection
Isolation
Jose can choose to isolate the compromised system, either physically or logically, leaving the attacker with access to the system while isolating it from other systems on his network. If he makes a mistake, he could leave his own systems vulnerable, but this will allow him to observe the attacker.
56- When Abdul arrived at work this morning, he found an email in his inbox that read, “Your systems are weak; we will own your network by the end of the week.” How would he categorize this sign of a potential incident if he was using the NIST SP 800‐61 descriptions of incident signs?
- An indicator
- A threat
- A risk
- A precursor
A precursor
NIST SP 800‐61 categorizes signs of an incident into two categories, precursors and indicators. Precursors are signs that an incident may occur in the future. Since there is not an indicator that an event is in progress, this can be categorized as a precursor. Now Abdul needs to figure out how he will monitor for a potential attack.
NIST SP 800‐61 signs of an incident
- Precursor: signs that an incident may occur in the future
- Indicator: a sign that an incident has already occurred
59- As the CISO of her organization, Mei is working on an incident classification scheme and wants to base her design on NIST’s definitions. Which of the following options should she use to best describe a user accessing a file that they are not authorized to view?
- An incident
- An event
- An adverse event
- A security incident
An adverse event
NIST describes events with negative consequences as adverse events. It might be tempting to immediately call this a security incident; however, this wouldn’t be classified that way until an investigation was conducted. If the user accidentally accessed the file, it would typically not change classification. Intentional or malicious access would cause the adverse event to become a security incident.
61- Kai has completed the validation process of her media sanitization efforts and has checked a sample of the drives she had purged using a built‐in cryptographic wipe utility. What is her next step?
- Resample to validate her testing.
- Destroy the drives.
- Create documentation.
- She is done and can send the drives on for disposition.
Create documentation.
Documentation is important when tracking drives to ensure that all drives that should be sanitized are being received. Documentation can also provide evidence of proper handling for audits and internal reviews.
62- In his role as a small company’s information security manager, Mike has a limited budget for hiring permanent staff. Although his team can handle simple virus infections, he does not currently have a way to handle significant information security incidents. Which of the following options should Mike investigate to ensure that his company is prepared for security incidents?
- Outsource to a third‐party SOC.
- Create an internal SOC.
- Hire an internal incident response team.
- Outsource to an incident response provider.
Outsource to an incident response provider.
Outsourcing to a third‐party incident response provider allows Mike to bring in experts when an incident occurs while avoiding the day‐to‐day expense of hiring a full‐time staff member. This can make a lot of financial sense if incidents occur rarely, and even large organizations bring in third‐party response providers when large incidents occur. A security operations center (SOC) would be appropriate if Mike needed day‐to‐day security monitoring and operations, and hiring an internal team does not match Mike’s funding model limitations in this scenario.
65- While reviewing storage usage on a Windows system, Brian checks the volume shadow copy storage as shown here:
C:\WINDOWS\system32>vssadmin list Shadowstorage
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Shadow Copy Storage association
   For volume: (C:)\\?\Volume{c3b53dae-0e54-13e3-97ab-806e6f6e69633}\
   Shadow Copy Storage volume: (C:)\\?\Volume{c3b53dae-0e54-13e3-97ab-806e6f6e6963}\
   Used Shadow Copy Storage space: 25.6 GB (2%)
   Allocated Shadow Copy Storage space: 26.0 GB (2%)
   Maximum Shadow Copy Storage space: 89.4 GB (10%)
What purpose does this storage serve, and can he safely delete it?
- It provides a block‐level snapshot and can be safely deleted.
- It provides secure hidden storage and can be safely deleted.
- It provides secure hidden storage and cannot be safely deleted.
- It provides a block‐level snapshot and cannot be safely deleted.
It provides a block‐level snapshot and can be safely deleted.
As long as Brian is comfortable relying on another backup mechanism, he can safely disable volume shadow copies and remove the related files. For the drive he is looking at, this will result in approximately 26 GB of storage becoming available.
Windows Volume Shadow Copy Storage
Windows Volume Shadow Copy Storage is the allocated space on a volume where the Volume Shadow Copy Service (VSS) saves point-in-time snapshots of files and folders at a block level. This allows users to recover previous versions of data and can be managed by viewing the allocated, used, and maximum storage space.
67- After arriving at an investigation site, Brian determines that three powered‐on computers need to be taken for forensic examination. What steps should he take before removing the PCs?
- Power them down, take pictures of how each is connected, and log each system in as evidence.
- Take photos of each system, power them down, and attach a tamper‐evident seal to each PC.
- Collect live forensic information, take photos of each system, and power them down.
- Collect a static drive image, validate the hash of the image, and securely transport each system.
Collect live forensic information, take photos of each system, and power them down.
Brian should determine whether he needs live forensic information, but if he is not certain, the safest path for him is to collect live forensic information, take photos so that he knows how each system was set up and configured, and then power them down. He would then log each system as evidence and will likely create forensic copies of the drives once he reaches his forensic work area or may use a portable forensic system to make drive images onsite. Powering a running system down can result in the loss of significant forensic information, meaning that powering a system down before collecting some information is typically not recommended. Collecting a static image of a drive requires powering the system down first.
68- In his role as a forensic examiner, Lukas has been asked to produce forensic evidence related to a civil case. What is this process called?
- Criminal forensics
- E‐discovery
- Cyber production
- Civil tort
E‐discovery
When forensic evidence or information is produced for a civil case, it is called e‐discovery. This type of discovery often involves massive amounts of data, including email, files, text messages, and any other electronic evidence that is relevant to the case.
71- What is the primary role of management in the incident response process?
- Leading the CSIRT
- Acting as the primary interface with law enforcement
- Providing authority and resources
- Assessing impact on stakeholders
Providing authority and resources
The primary role of management in an incident response effort is to provide the authority and resources required to respond appropriately to the incident. They may also be asked to make business decisions, communicate with external groups, or assess the impact on key stakeholders.
72- Max wants to improve the effectiveness of the incident analysis process he is responsible for as the leader of his organization’s CSIRT. Which of the following is not a commonly recommended best practice based on NIST’s guidelines?
- Profile networks and systems to measure the characteristics of expected activity.
- Perform event correlation to combine information from multiple sources.
- Maintain backups of every system and device.
- Capture network traffic as soon as an incident is suspected.
Maintain backups of every system and device.
NIST does not include making backups of every system and device in its documentation. Instead, NIST suggests maintaining an organizationwide knowledge base with critical information about systems and applications. Backing up every device and system can be prohibitively expensive. Backups are typically done only for specific systems and devices, with configuration and restoration data stored for the rest.
NIST Phases of IR Lifecycle
- Preparation: This phase involves training, testing, and documenting procedures to ensure the organization is ready to handle incidents. It also includes assembling the necessary hardware, software, and information for incident investigation.
- Detection and Analysis: During this phase, the organization monitors for signs of security incidents using various sources like alerts, logs, publicly available information, and reports of suspicious activity. The goal is to determine if an incident is taking place that requires further activation of the incident response process.
- Containment, Eradication, and Recovery: Once an incident is confirmed, this phase focuses on limiting the damage caused by the incident through strategies like network segmentation, isolation, or removal of affected systems. It also involves removing all traces of the incident from the network and restoring normal business operations.
- Post-Incident Activity: After the immediate response efforts are complete, this phase includes conducting a lessons learned session to review the incident response process and recommend improvements, as well as creating a formal written incident report. This phase also involves ensuring proper evidence retention.
75- Where is slack space found in the following Windows partition map?
(look up diagram in book)
- The System Reserved partition
- The System Reserved and Unallocated partitions
- The System Reserved and C: partitions
- The C: and unallocated partitions
The System Reserved and C: partitions
Slack space is leftover storage that exists because files do not take up the entire space allocated for them. Since the Unallocated partition does not have a filesystem on it, space there should not be considered slack space. Both System Reserved and C: are formatted with NTFS and will have slack space between files.
76- Ty needs to determine the proper retention policy for his organization’s incident data. If he wants to follow common industry practices and does not have specific legal or contractual obligations that he needs to meet, what timeframe should he select?
- 30 days
- 90 days
- 1 to 2 years
- 7 years
1 to 2 years
Without other requirements in place, many organizations select a one‐ to two‐year retention period. This allows enough time to use existing information for investigations but does not retain so much data that it cannot be managed. Regardless of the time period selected, organizations should set and consistently follow a retention policy.
77- The system that Alice has identified as the source of beaconing traffic is one of her organization’s critical e‐commerce servers. To maintain her organization’s operations, she needs to quickly restore the server to its original, uncompromised state. What criterion is likely to be impacted the most by this action?
- Damage to the system or service
- Service availability
- Ability to preserve evidence
- Time and resources needed to implement the strategy
Ability to preserve evidence
If Alice focuses on a quick restoration, she is unlikely to preserve all of the evidence she would be able to during a longer incident response process. Since she is focusing on quick restoration, the service should be available more quickly, and the service and system should not be damaged in any significant way by the restoration process. The time required to implement the strategy will typically be less if she does not conduct a full forensic investigation and instead focuses on service restoration.
78- Piper wants to create a forensic image that third‐party investigators can use but does not know what tool the third‐party investigation team that her company intends to engage will use. Which of the following forensic formats should she choose if she wants almost any forensic tool to be able to access the image?
- E01
- AFF
- RAW
- AD1
RAW
A RAW image, like those created by dd, is Piper’s best option for broad compatibility. Many forensic tools support multiple image formats, but RAW files are supported almost universally by forensic tools.
79- As part of his forensic investigation, Scott intends to make a forensic image of a network share that is mounted by the PC that is the focus of his investigation. What information will he be unable to capture?
- File creation dates
- Deleted files
- File permission data
- File metadata
Deleted files
When a network share or mounted drive is captured from the system that mounts it, data such as deleted files, unallocated space, and other information that requires direct drive access will not be captured. If Scott needs that information, he will need to create a forensic image of the drive from the host server.
Order of volatility for common storage locations
The order of volatility for common storage locations is as follows:
- CPU cache, registers, running processes, RAM
- Network traffic
- Disk drives
- Backups, printouts, optical media
83- Scott needs to verify that the forensic image he has created is an exact duplicate of the original drive. Which of the following methods is considered forensically sound?
- Create an MD5 hash
- Create a SHA‐1 hash
- Create a SHA‐2 hash
- All of the above
All of the above
MD5, SHA‐1, and SHA‐2 hashes are all considered forensically sound. Although MD5 and SHA‐1 hashes are no longer a secure means of hashing, they are still considered appropriate for validation of forensic images because it is unlikely that an attacker would intentionally create a hash collision to falsify the forensic integrity of a drive.
84- What strategy does NIST suggest for identifying attackers during an incident response process?
- Use geographic IP tracking to identify the attacker’s location.
- Contact upstream ISPs for assistance in tracking down the attacker.
- Contact local law enforcement so that they can use law enforcement–specific tools.
- Identifying attackers is not an important part of the incident response process.
Identifying attackers is not an important part of the incident response process.
NIST’s Computer Security Incident Handling Guide notes that identifying an attacker can be “time‐consuming and futile.” In general, spending time identifying attackers is not a valuable use of incident response time for most organizations.
85- While performing forensic analysis of an iPhone backup, Cynthia discovers that she has only some of the information that she expects the phone to contain. What is the most likely scenario that would result in the backup she is using having partial information?
- The backup was interrupted.
- The backup is encrypted.
- The backup is a differential backup.
- The backup is stored in iCloud.
The backup is a differential backup.
iPhone backups to local systems can be full or differential, and in this scenario the most likely issue is that Cynthia has recovered a differential backup. She should look for additional backup files if she does not have access to the original phone. If the backup was encrypted, she would not be able to access it without a cracking tool, and if it was interrupted, she would be unlikely to have the backup file or have it be in usable condition. iCloud backups require access to the user’s computer or account and are less likely to be part of a forensic investigation.
86- Cullen wants to ensure that his chain of custody documentation will stand up to examination in court. Which of the following options will provide him with the best documentary proof of his actions?
- A second examiner acting as a witness and countersigning all actions
- A complete forensic logbook signed and sealed by a notary public
- A documented forensic process with required sign‐off
- Taking pictures of all independent forensic actions
A second examiner acting as a witness and countersigning all actions
A second forensic examiner who acts as a witness, countersigning all documentation and helping document all actions, provides both strong documentation and another potential witness in court. Independent forensic action, no matter how well documented, will not be as reliable as having a witness.
87- Cynthia is reviewing her organization’s incident response recovery process, which is outlined here. Which of the following recommendations should she make to ensure that further issues do not occur during the restoration process?
A Diagram displays a sequence of four steps in the form of four rectangles arranged in a column with each rectangle pointing to the next consecutive rectangle. The steps from top to bottom are as follows: Restore from clean backups; Install patches; Change all passwords; and Assess system security.
- Change passwords before restoring from backup.
- Isolate the system before restoring from backups.
- Securely wipe the drive before restoration.
- Vulnerability scan before patching.
Isolate the system before restoring from backups.
Although it may seem obvious that the system should be isolated from the network when it is rebuilt, we have seen this exact scenario play out before. In one instance, the system was compromised twice before the system administrator learned their lesson!
88- Saria is reviewing the contents of a drive as part of a forensic effort and notes that the file she is reviewing takes up more space on the disk than its actual size, as shown here. What has she discovered?
(look up diagram in book)
- Slack space
- Hidden content
- Sparse files
- Encryption overhead
Slack space
The space that Saria sees is the space between the end of the file and the space allocated per cluster or block. This space may contain remnants of previous files written to the cluster or block or may simply contain random data from when the disk was formatted or initialized.
89- Kathleen is restoring a critical business system to operation after a major compromise and needs to validate that the operating system and application files are legitimate and do not have any malicious code included in them. What type of tool should she use to validate this?
- A trusted system binary kit
- Dynamic code analysis
- Static code analysis
- File rainbow tables
A trusted system binary kit
Trusted system binary kits like those provided by the National Software Reference Library include known good hashes of many operating systems and applications. Kathleen can validate the files on her system using references like the NSRL (www.nsrl.nist.gov/new.html).
90- Mel is creating the evidence log for a computer that was part of an attack on an external third‐party system. What network‐related information should he include in that log if he wants to follow NIST’s recommendations?
- Subnet mask, DHCP server, hostname, MAC address
- IP addresses, MAC addresses, hostname
- Domain, hostname, MAC addresses, IP addresses
- NIC manufacturer, MAC addresses, IP addresses, DHCP configuration
IP addresses, MAC addresses, hostname
NIST specifically recommends the hostname, MAC addresses, and IP addresses of the system. Capturing the full output of an ipconfig or ifconfig command may be useful, but forensic analysis may not permit interaction with a live machine. Additional detail like the domain (or domain membership) may or may not be available for any given machine, and NIC manufacturer and similar data is not necessary under most circumstances.
91- Ryan believes that systems on his network have been compromised by an advanced persistent threat actor. He has observed a number of large file transfers outbound to remote sites via TLS‐protected HTTP sessions from systems that do not typically send data to those locations. Which of the following techniques is most likely to detect the APT infections?
- Network traffic analysis
- Network forensics
- Endpoint behavior analysis
- Endpoint forensics
Endpoint forensics
Since most APTs (including this one, as specified in the question) send traffic in an encrypted form, performing network forensics or traffic analysis will only provide information about potentially infected hosts. If Ryan wants to find the actual tools that may exist on endpoint systems, he should conduct endpoint forensics. Along the way, he may use endpoint behavior analysis, network forensics, and network traffic analysis to help identify target systems.
92- Ben is investigating a potential malware infection of a laptop belonging to a senior manager in the company he works for. When the manager opens a document, website, or other application that takes user input, words start to appear as though they are being typed. What is the first step that Ben should take in his investigation?
- Run an antivirus scan.
- Disconnect the system from the network.
- Wipe the system and reinstall.
- Observe and record what is being typed.
Disconnect the system from the network.
When a system is not a critical business asset that must remain online, the best response is typically to isolate it from other systems and networks that it could negatively impact. By disconnecting it from all networks, Ben can safely investigate the issue without causing undue risk.
We have actually encountered this situation. After investigating, we found that the user’s text‐to‐speech application was enabled, and the microphone had the gain turned all the way up. The system was automatically typing words based on how it interpreted background noise, resulting in strange text that terrified the unsuspecting user.
94- Angela wants to access the decryption key for a BitLocker‐encrypted system, but the system is currently turned off. Which of the following methods is a viable method if a Windows system is turned off?
- Hibernation file analysis
- Memory analysis
- Boot‐sector analysis
- Brute‐force cracking
Hibernation file analysis
If the system that Angela is attempting to access had mounted the encrypted volume before going to sleep and there is a hibernation file, Angela can use hibernation file analysis tools to retrieve the BitLocker key. If the system did not hibernate or the volume was not mounted when the system went to sleep, she will not be able to retrieve the keys. Memory analysis won’t work with a system that is off, the boot sector does not contain keys, and brute‐force cracking is not a viable method of cracking BitLocker keys because of the time involved.
95- Adam believes that a system on his network is infected but does not know which system. To detect it, he creates a query for his network monitoring software based on the following pseudocode. What type of traffic is he most likely trying to detect?
destip: [*] and duration < 10 packets and destbytes < 3000 and flowcompleted = true
and application = http or https or tcp or unknown and content != uripath:*
and content != contentencoding:*
- Users browsing malicious sites
- Adware
- Beaconing
- Outbound port scanning
Beaconing
The pseudocode tells you that Adam is trying to detect outbound packets that are part of short communications (fewer than 10 packets and fewer than 3,000 bytes) and that he believes the traffic may appear to be web traffic, be general TCP traffic, or not match known traffic types. This is consistent with the attributes of beaconing traffic. Adam also is making sure that general web traffic won’t be captured by not matching on uripath and contentencoding.
96- As an employee of the U.S. government, Megan is required to use NIST’s information impact categories to classify security incidents. During a recent incident, proprietary information was changed. How should she classify this incident?
- As a privacy breach
- As an integrity loss
- As a proprietary breach
- As an availability breach
As an integrity loss
NIST classifies changes or deletion of sensitive or proprietary information as an integrity loss. Proprietary breaches occur when unclassified proprietary information is accessed or exfiltrated, and privacy breaches involve personally identifiable information (PII) that is accessed or exfiltrated.
97- During what stage of an event is preservation of evidence typically handled?
- Preparation
- Detection and analysis
- Containment, eradication, and recovery
- Post‐incident activity
Containment, eradication, and recovery
Although responders are working to contain the incident, they should also reserve forensic and incident information for future analysis. Restoration of service is often prioritized over analysis during containment activities, but taking the time to create forensic images and to preserve log and other data is important for later investigation.
98- Lukas wants to purge a drive to ensure that data cannot be extracted when it is sent offsite. Which of the following is not a valid option for purging hard drives on a Windows system?
- Use the built‐in Windows sdelete command line.
- Use Eraser.
- Use DBAN.
- Encrypt the drive and then delete the key.
Use the built‐in Windows sdelete command line.
Windows does not include a built‐in secure erase tool in the GUI or at the command line. Using a third‐party program like Eraser or a bootable tool like DBAN is a reasonable option, and encrypting the entire drive and then deleting the key will have the same effect.
99- Which of the following is not a valid use case for live forensic imaging?
- Malware analysis
- Encrypted drives
- Postmortem forensics
- Nonsupported filesystems
Postmortem forensics
Postmortem forensics can typically be done after shutting down systems to ensure that a complete forensic copy is made. Live forensic imaging can help to capture memory‐resident malware. It can also aid in the capture of encrypted drives and filesystems when they are decrypted for live usage. Finally, unsupported filesystems can sometimes be imaged while the system is booted by copying data off the system to a supported filesystem type. This won’t retain some filesystem‐specific data but can allow key forensic activities to take place.
101- During a major incident response effort, Kobe discovers evidence that a critical application server may have been the data repository and egress point in the compromise he is investigating. If he is unable to take the system offline, which of the following options will provide him with the best forensic data?
- Reboot the server and mount the system drive using a USB‐bootable forensic suite.
- Create an image using a tool like FTK Imager Lite.
- Capture the system memory using a tool like Volatility.
- Install and run an imaging tool on the live server.
Create an image using a tool like FTK Imager Lite.
Portable imaging tools like FTK Imager Lite can be run from removable media, allowing a live image to be captured. Kobe may still want to capture the system memory as well, but when systems are used for data gathering and egress, the contents of the disk will be important. Installing a tool or taking the system offline and mounting the drive are both undesirable in this type of scenario when the system must stay online and should not be modified.
103- As part of his forensic analysis of a series of photos, John runs exiftool for each photo. He receives the following listing from one photo. What useful forensic information can he gather from this photo?
File Name : IMG_5343.HEIC
File Modification Date/Time : 2020:04:15 09:18:32-04:00
File Access Date/Time : 2020:04:15 10:48:23-04:00
File Creation Date/Time : 2020:04:15 10:48:22-04:00
File Type : HEIC
MIME Type : image/heic
Exif Byte Order : Big-endian (Motorola, MM)
Modify Date : 2020:04:15 09:18:32-04:00
GPS Date Stamp : 2020:04:15
GPS Latitude Ref : North
GPS Longitude Ref : West
GPS Altitude Ref : Above Sea Level
Camera Model Name : iPhone X
Create Date : 2020:04:15
F Number : 2.4
Focal Length : 6.0 mm
Shutter Speed Value : 1/60
Aperture Value : 2.4
Exposure Mode : Auto
Sub Sec Time Digitized : 013532
Exif Image Width : 4032
Exif Image Height : 3024
Focal Length In 35mm Format : 59 mm
Scene Capture Type : Standard
Scene Type : Directly photographed
Flash : Auto, Did not fire
GPS Altitude : 242.8 m Above Sea Level
GPS Latitude : 35 deg 30’ 44.44” N
GPS Longitude : 82 deg 33’ 13.11” W
Image Size : 4032x3024
Megapixels : 12.2
- The original creation date, the device type, the GPS location, and the creator’s name
- The endian order of the file, the file type, the GPS location, and the scene type
- The original creation date, the device type, the GPS location, and manufacturer of the device
- The MIME type, the GPS time, the GPS location, and the creator’s name
The original creation date, the device type, the GPS location, and manufacturer of the device
The original creation date (as shown by the GPS date), the device type (an iPhone X), the GPS location, and the manufacturer of the device (Apple) can all provide useful forensic information. Here, you know when the photo was taken, where it was taken, and what type of device it was taken on. This can help narrow down who took the photo or may provide other useful clues when combined with other forensic information or theories.
104- During the preparation phase of his organization’s incident response process, Oscar gathers a laptop with useful software including a sniffer and forensics tools, thumb drives and external hard drives, networking equipment, and a variety of cables. What is this type of preprepared equipment commonly called?
- A grab bag
- A jump kit
- A crash cart
- A first responder kit
A jump kit
A jump kit is a common part of an incident response plan and provides responders with the tools they will need without having to worry about where key pieces of equipment are during a stressful time. Crash carts are often used in datacenters to connect a keyboard, mouse, and monitor to a server to work on it. First‐responder kits are typically associated with medical responders, and a grab bag contains random items.
105- As John proceeds with a forensic investigation involving numerous images, he finds a directory labeled Downloaded from Facebook. The images appear relevant to his investigation, so he processes them for metadata using exiftool. The following image shows the data provided. What forensically useful information can John gather from this output?
ExifTool Version Number : 11.93
File Name : 79527355_10221213586199501_6564977732366582336_n.jpg
Directory : .
File Size : 51 kB
File Modification Date/Time : 2020:04:15 11:09:14-04:00
File Access Date/Time : 2020:04:15 11:09:16-04:00
File Inode Change Date/Time : 2020:04:15 11:09:14-04:00
File Permissions : rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.02
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
Current IPTC Digest : cfacfb3477a9d84be3f4e59466a73d8b
Special Instructions : FBMD01000ac0030000492300000941000074600001040b000cb5a000000200005900
Original Transmission Reference : czPsSq8sA79irfYOu6j3
Profile CMM Type : Little CMS
Profile Version : 2.1.0
Profile Class : Display Device Profile
Color Space Data : RGB
Profile Connection Space : XYZ
Profile Date Time : 2012:01:25 03:41:57
Profile File Signature : acsp
Primary Platform : Apple Computer Inc.
CMM Flags : Not Embedded, Independent
Device Manufacturer :
Device Model :
Device Attributes : Reflective, Glossy, Positive, Color
Rendering Intent : Perceptual
Connection Space Illuminant : 0.9642 1 0.82491
Profile Creator : Little CMS
Profile ID : 0
Profile Description : c2
Profile Copyright : FB
Media White Point : 0.9642 1 0.82491
Media Black Point : 0.01205 0.0125 0.01031
Red Matrix Column : 0.43607 0.22249 0.01392
Green Matrix Column : 0.38515 0.71687 0.09708
Blue Matrix Column : 0.14307 0.06061 0.7141
Red Tone Reproduction Curve : (Binary data 64 bytes, use -b option to extract)
Green Tone Reproduction Curve : (Binary data 64 bytes, use -b option to extract)
Blue Tone Reproduction Curve : (Binary data 64 bytes, use -b option to extract)
Image Width : 960
Image Height : 720
Encoding Process : Progressive DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 960x720
Megapixels : 0.691
- The original file creation date and time.
- The device used to capture the image.
- The original digest (hash) of the file, allowing comparison to the original.
- None; Facebook strips almost all useful metadata from images.
None; Facebook strips almost all useful metadata from images.
Facebook, as well as many other social media sites, now strips image metadata to help protect user privacy. John would need to locate copies of the photos that have not had the metadata removed, and he may still find that they did not contain additional useful data.
106- Which of the following properly lists the order of volatility from least to most volatile?
- Printouts, swap files, CPU cache, RAM
- Hard drives, USB media, DVDs, CD‐RWs
- DVDs, hard drives, virtual memory, caches
- RAM, swap files, SSDs, printouts
DVDs, hard drives, virtual memory, caches
The order of volatility for media from least to most volatile is often listed as backups and printouts; then disk drives like hard drives and SSDs; then virtual memory; and finally CPU cache, registers, and RAM. Artifacts stored in each of these locations can be associated with the level of volatility of that storage mechanism. For example, routing tables will typically be stored in RAM, making them highly volatile. Data stored on rewritable media is always considered more volatile than data stored on write‐only media.
107- While conducting a forensic review of a system involved in a data breach, Alex discovers a number of Microsoft Word files including files with filenames like critical_data.docx and sales_estimates_2023.docx. When he attempts to review the files using a text editor for any useful information, he finds only unreadable data. What has occurred?
- Microsoft Word files are stored in ZIP format.
- Microsoft Word files are encrypted.
- Microsoft Word files can be opened only by Microsoft Word.
- The user has used antiforensic techniques to scramble the data.
Microsoft Word files are stored in ZIP format.
Modern Microsoft Office files are actually stored in a ZIP format. Alex will need to open them using a utility that can unzip them before he can manually review their contents. He may want to use a dedicated Microsoft Office forensics tool or a forensics suite with built‐in support for Office documents.
109- Angela is conducting an incident response exercise and needs to assess the economic impact on her organization of a $500,000 expense related to an information security incident. How should she categorize this?
- Low impact.
- Medium impact.
- High impact.
- Angela cannot assess the impact with the data given.
Angela cannot assess the impact with the data given.
Economic impact is calculated on a relative scale, and Angela does not have all of the information she needs. A $500,000 loss may be catastrophic for a small organization and may have a far lower impact on a Fortune 500 company. Other factors like cybersecurity insurance may also limit the economic impact of a cybersecurity incident.
110- What step follows sanitization of media according to NIST guidelines for secure media handling?
- Reuse
- Validation
- Destruction
- Documentation
Validation
The NIST guidelines require validation after clearing, purging, or destroying media to ensure that the action that was taken is effective. This is an important step since improperly applying the sanitization process and leaving data partially or even fully intact can lead to a data breach.
112- Matt’s incident response team has collected log information and is working on identifying attackers using that information. What two stages of the NIST incident response process is his team working in?
- Preparation and containment, eradication, and recovery
- Preparation and post‐incident activity
- Detection and analysis, and containment, eradication, and recovery
- Containment, eradication, and recovery and post‐incident activity
Detection and analysis, and containment, eradication, and recovery
Collecting and analyzing logs most often occurs in the detection and analysis phase, whereas connecting attacks back to attackers is typically handled in the containment, eradication, and recovery phase of the NIST incident response process.
114- Liam notices the following entries in his Squert web console (a web console for Sguil IDS data). What should he do next to determine what occurred?
(look up diagram in book)
- Review SSH logs.
- Disable SSH and then investigate further.
- Disconnect the server from the Internet and then investigate.
- Immediately change his password.
Review SSH logs.
Failed SSH logins are common, either because of a user who has mistyped their password or because of scans and random connection attempts. Liam should review his SSH logs to see what may have occurred.
116- Samantha has recently taken a new position as the first staff security analyst that her employer has ever had. During her first week, she discovers that there is no information security policy and that the IT staff do not know what to do during a security incident. Samantha plans to start up a CSIRT to handle incident response. What type of documentation should she provide to describe specific procedures that the CSIRT will use during events like malware infections and server compromise?
- An incident response policy
- An operations manual
- An incident response program
- A playbook
A playbook
Playbooks describe detailed procedures that help to ensure that organizations and individuals take the right actions during the stress of an incident. Operations guides typically cover normal operational procedures, while an incident response policy describes the high‐level organizational direction and authority for incident response. An incident response program might generate a policy and a playbook but would not include the detailed instructions itself.
119- Rick wants to validate his recovery efforts and intends to scan a web server he is responsible for with a scanning tool. What tool should he use to get the most useful information about system vulnerabilities?
- Wapiti
- Nmap
- OpenVAS
- ZAP
OpenVAS
Of the tools listed, only OpenVAS is a full‐system vulnerability scanner. Wapiti is a web application scanner, ZAP is an attack proxy used for testing web applications, and Nmap is a port scanner.
Wapiti
Wapiti is an open-source web application scanning tool.
121- What level of forensic data extraction will most likely be possible and reasonable for a corporate forensic examiner who deals with modern phones that provide filesystem encryption?
- Level 1: Manual extraction
- Level 2: Logical extraction
- Level 3: JTAG or HEX dumping
- Level 4: Chip extraction
Level 2: Logical extraction
Logical copies of data and volumes from an unlocked or decrypted device are the most likely mobile forensic scenario in many cases. Most forensic examiners do not have access to chip‐level forensic capabilities that physically remove flash memory from the circuit board, and JTAG‐level acquisition may involve invasive acquisition techniques like directly connecting to chips on a circuit board.
Levels of Forensic Data Extraction (Mobile Devices)
- Physical: Acquisition of the SIM card, memory cards, or device backups, aiming for a bit-by-bit copy.
- Logical: Creating an image of the logical storage volumes, extracting user data and some system data.
- Manual access: Reviewing the live, unlocked phone and documenting findings.
- Filesystem: Providing details of deleted and existing files by accessing the underlying file system structure.
- Level 3: JTAG or HEX dumping: Invasive techniques like directly connecting to chips or examining raw hexadecimal data for low-level data access.
- Level 4: Chip extraction: Directly extracting and analyzing memory chips, the most advanced and invasive method.
122- Wang believes that a Windows system he is responsible for is compromised and wants to monitor traffic to and from it. Which of the following is not a typical capture option in circumstances like these?
- A packet capture tool installed on the system
- A packet capture tool on another system on the same network
- Packet capture at the network edge
- Packet capture at the network core
A packet capture tool installed on the system
Wang knows that installing additional software on a Windows system to capture traffic can interfere with forensic efforts or warn attackers that they are being observed. Using packet capture from another location on the network is the more common option in this scenario.
126- In what phase should Carol expect to spend the most person‐hours?
(look up diagram in book)
- Identification
- Collection and preservation
- Processing, review, and analysis
- Production
Processing, review, and analysis
With most e‐discovery cases, reviewing the large volumes of data to ensure that only needed data is presented and that all necessary data is made available takes up the most staff time. Many organizations with larger e‐discovery needs either dedicate staff to efforts like this or outsource them.
129- What incident response tool should Kai build prior to an incident to ensure that staff can reach critical responders when needed?
- A triage triangle
- A call list
- A call rotation
- A responsibility matrix
A call list
A call list provides a list of the personnel who should or can be contacted during an incident or response scenario. Sometimes called an escalation list, they typically include the names of the staff members who should be called if there is no response. A rotation list or call rotation is used to distribute workload among a team, typically by placing a specific person on‐call for a set time frame. This may help decide who is on the call list at any given point in time. A triage triangle is made up for this question, and responsibility matrices are sometimes created to explain who is responsible for what system or application but aren’t directly used for emergency contact lists.
130- Greg finds a series of log entries in his web server logs showing long strings “AAAAAAAAAAAAAAAAAAAAAAA”, followed by strings of characters. What type of attack has he most likely discovered?
- A SQL injection attack
- A denial‐of‐service attack
- A buffer overflow attack
- A PHP string‐ring attack
A buffer overflow attack
Overflowing a memory location by placing a string longer than the program expects into a variable is a form of buffer overflow attack. Attackers may choose to use a string of the same letters to make the overflow easier to spot when testing the exploit.
133- Which of the following cloud service environments is likely to provide the best available information for forensic analysis?
- SaaS
- IaaS
- PaaS
- IDaaS
IaaS
Generally speaking, analysts may obtain more forensic information when their organization has greater control over the underlying cloud resources. Infrastructure as a service (IaaS) environments provide the greatest level of control and, therefore, typically provide access to the most detailed information.
134- Ken is helping his organization prepare for future incident response efforts and would like to ensure that they conduct regular training exercises. Which one of the following exercises could he use to remind incident responders of their responsibilities with the least impact on other organizational priorities?
- Checklist review
- Structured walk‐through
- Capture the flag
- Tabletop exercise
Checklist review
Any of these exercises may be used to help remind incident responders of their responsibilities. Checklist reviews have the least impact on the organization because they may be done asynchronously by individual employees. The other training/exercise types listed here would require a more substantial commitment of time.
Checklist review
This type of exercise can be used to remind incident responders of their responsibilities with the least impact on other organizational priorities because it can be done asynchronously by individual employees.
Structured walk-through
A step-by-step review of procedures or plans, possibly requiring more coordination than a checklist review.
Capture the flag
Typically involves participants competing to find and exploit vulnerabilities in systems or defend their own systems. This would likely require significant time and resources, having a higher impact on organizational priorities.
Tabletop exercise
An exercise where the incident response team gathers to walk through an incident scenario and discuss their roles, responsibilities, and the steps they would take. This requires bringing the team together and thus has a greater impact than a checklist review but less than a full simulation.
136- Camilla is participating in the eradication and recovery stage of an incident response process. Which one of the following activities would not normally occur during this phase?
- Vulnerability mitigation
- Restoration of permissions
- Verification of logging/communication to security monitoring
- Analysis of drive capacity consumption
Analysis of drive capacity consumption
Vulnerability mitigation, restoration of permissions, and the verification of logging and communication to security monitoring are all activities that normally occur during the eradication and recovery phase of incident response. The analysis of drive capacity consumption is the assessment of an indicator of compromise (IoC), which occurs during the detection and analysis phase of incident response.
Parallel tests
Involve the activation of incident response procedures without stopping normal business operations. Because normal operations continue, parallel tests have a lower likelihood of disrupting regular activities compared to full interruption tests.
Full interruption tests
Involve the activation of incident response procedures, but they carry more risk because they require stopping normal business operations. This type of test assesses incident response capabilities under conditions of complete operational disruption.
140- The Open Source Security Testing Methodology Manual (OSSTMM) is focused on testing in three major areas. Which one of the following is not one of those areas?
- Physical locations
- Communications
- Web servers
- Human interactions
Web servers
The Open Source Security Testing Methodology Manual (OSSTMM), published by the Institute for Security and Open Methodologies, provides guidance on testing the security of physical locations, human interactions, and communications. While web servers may fall under the general category of communications, they are not one of the specific testing objectives of the OSSTMM.
141- What is the minimum interval at which an organization should conduct business continuity plan refresher training for those with specific business continuity roles?
- Weekly
- Monthly
- Semiannually
- Annually
Annually
Individuals with specific business continuity roles should receive training on at least an annual basis. While it is always preferable to offer more frequent training, annual training is sufficient to meet the requirements of most organizations.
144- During what phase of the incident response process would an organization implement defenses designed to reduce the likelihood of a security incident?
- Preparation
- Detection and analysis
- Containment, eradication, and recovery
- Post‐incident activity
Preparation
Organizations should build solid, defense‐in‐depth approaches to cybersecurity during the preparation phase of the incident response process. The controls built during this phase serve to reduce the likelihood and impact of future incidents.
146- What common criticism is leveled at the Cyber Kill Chain?
- Not all threats are aimed at a kill.
- It is too detailed.
- It includes actions outside the defended network.
- It focuses too much on insider threats.
It includes actions outside the defended network.
The Cyber Kill Chain includes actions outside the defended network, which many defenders cannot take action on, resulting in one of the common criticisms of the model. Other criticisms include the focus on a traditional perimeter and on antimalware‐based techniques, as well as a lack of focus on insider threats.
148- Robert is finishing a draft of a proposed incident response policy for his organization. Who would be the most appropriate person to sign the policy?
- CEO
- Director of security
- CIO
- CSIRT leader
CEO
The incident response policy provides the CSIRT with the authority needed to do their job. Therefore, it should be approved by the highest possible level of authority within the organization, preferably the CEO.
149- Which one of the following is not an objective of the containment, eradication, and recovery phase of incident response?
- Detect an incident in progress.
- Implement a containment strategy.
- Identify the attackers.
- Eradicate the effects of the incident.
Detect an incident in progress.
Detection of a potential incident occurs during the detection and analysis phase of incident response. The other activities listed are all objectives of the containment, eradication, and recovery phase.
150- Which one of the following is not a phase of the threat lifecycle addressed in the MITRE ATT&CK model?
- Domination
- Exfiltration
- Execution
- Privilege escalation
Domination
MITRE provides the ATT&CK, or Adversarial Tactics, Techniques, and Common Knowledge, knowledge base of adversary tactics and techniques. The ATT&CK matrices include detailed descriptions, definitions, and examples for the complete threat life cycle, from initial access through execution, persistence, privilege escalation, and exfiltration. Domination is not one of the phases.