Preventing and Responding to Incidents

Question 1

List and describe incident management steps

Answer 1

The CISSP Security Operations domain lists incident management steps as detection, response, mitigation, reporting, recovery, remediation, and lessons learned. After detecting and verifying an incident, the first response is to limit or contain the scope of the incident while protecting evidence. Based on governing laws, an organization may need to report an incident to official authorities, and if PII is affected, individuals need to be informed. The remediation and lessons learned stages include root cause analysis to determine the cause and recommend solutions to prevent a reoccurrence.

Question 2

Understand basic preventive measures

Answer 2

Basic preventive measures can prevent many incidents from occurring. These include keeping systems up to date, removing or disabling unneeded protocols and services, using intrusion detection and prevention systems, using antimalware software with up-to-date signatures, and enabling both host-based and network-based firewalls.

Question 3

Know the difference between whitelisting and blacklisting

Answer 3

Software whitelists provide a list of approved software and prevent the installation of any other software not on the list. Blacklists provide a list of unapproved software and prevent the installation of any softwareon the list.

Question 4

Understand sandboxing

Answer 4

Sandboxing provides an isolated environment and prevents code running in a sandbox from interacting with elements outside of a sandbox.

Question 5

Know about third-party provided security services

Answer 5

Third-party security services help an organization augment security services provided by internal employees. Many organizations use cloud-based solutions to augment their internal security.

Question 6

Understand botnets, botnet controllers, and bot herders

Answer 6

Botnets represent significant threats due to the massive number of computers that can launch attacks, so it’s important to know what they are. A botnet is a collection of compromised computing devices (often called bots or zombies) organized in a network controlled by a criminal known as a bot herder. Bot herders use a command-and-control server to remotely control the zombies and often use the botnet to launch attacks on other systems or send spam or phishing emails. Bot herders also rent botnet access out to other criminals.

Question 7

Know about denial-of-service (DoS) attacks

Answer 7

DoS attacks prevent a system from responding to legitimate requests for service. A common DoS attack is the SYN flood attack, which disrupts the TCP three-way handshake. Even though older attacks are not as common today because basic precautions block them, you may still be tested on them because many newer attacks are often variations on older methods. Smurf attacks employ an amplification network to send numerous response packets to a victim. Ping-of-death attacks send numerous oversized ping packets to the victim, causing the victim to freeze, crash, or reboot.

Question 8

Understand zero-day exploits

Answer 8

A zero-day exploit is an attack that uses a vulnerability that is either unknown to anyone but the attacker or known only to a limited group of people. On the surface, it sounds like you can’t protect against an unknown vulnerability, but basic security practices go a long way toward preventing zero-day exploits. Removing or disabling unneeded protocols and services reduces the attack surface, enabling firewalls blocks many access points, and using intrusion detection and prevention systems helps detect and block potential attacks. Additionally, using tools such as honeypots helps protect live networks.

Question 9

Understand man-in-the-middle attacks

Answer 9

A man-in-the-middle attack (sometimes called an on-path attack) occurs when a malicious user is able to gain a logical position between the two endpoints of a communications link. Although it takes a significant amount of sophistication on the part of an attacker to complete a man-in-the middle attack, the amount of data obtained from the attack can be significant.

Question 10

Understand intrusion detection and intrusion prevention

Answer 10

IDSs and IPSs are important detective and preventive measures against attacks. Know the difference between knowledgebased detection (using a database similar to antimalware signatures) and behavior-based detection. Behavior-based detection starts with a baseline to recognize normal behavior and compares activity with the baseline to detect abnormal activity. The baseline can be outdated if the network is modified, so it must be updated when the environment changes.

Question 11

Recognize IDS/IPS responses

Answer 11

An IDS can respond passively by logging and sending notifications or actively by changing the environment. Some people refer to an active IDS as an IPS. However, it’s important to recognize that an IPS is placed inline with the traffic and includes the ability to block malicious traffic before it reaches the target.

Question 12

Understand the differences between HIDSs and NIDSs

Answer 12

Host-based IDSs (HIDSs) can monitor activity on a single system only. A drawback is that attackers can discover and disable them. A network-based IDS (NIDS) can monitor activity on a network, and an NIDS isn’t as visible to attackers.

Question 13

Describe honeypots and honeynets

Answer 13

A honeypot is a system that typically has pseudo flaws and fake data to lure intruders. A honeynet is two or more honeypots in a network. Administrators can observe attackers’ activity while they are in the honeypot, and as long as attackers are in the honeypot, they are not in the live network.

Question 14

Understand the methods used to block malicious code

Answer 14

Malicious code is thwarted with a combination of tools. The obvious tool is antimalware software with up-to-date definitions installed on each system, at the boundary of the network, and on email servers. However, policies that enforce basic security principles, such as the least privilege principle, prevent regular users from installing potentially malicious software. Additionally, educating users about the risks and the methods attackers commonly use to spread viruses helps users understand and avoid dangerous behaviors.

Question 15

Know the types of log files

Answer 15

Log data is recorded in databases and different types of log files. Common log files include security logs, system logs, application logs, firewall logs, proxy logs, and change management logs. Log files should be protected by centrally storing them and using permissions to restrict access, and archived logs should be set to read-only to prevent modifications.

Question 16

Understand monitoring and uses of monitoring tools

Answer 16

Monitoring is a form of auditing that focuses on active review of the log file data. Monitoring is used to hold subjects accountable for their actions and to detect abnormal or malicious activities. It is also used to monitor system performance. Monitoring tools such as IDSs or SIEMs automate continuous monitoring and provide real-time analysis of events, including monitoring what happens inside a network, traffic entering a network, and traffic leaving a network (also known as egress monitoring). Log management includes analyzing logs and archiving logs.

Question 17

Be able to explain audit trails

Answer 17

Audit trails are the records created by recording information about events and occurrences into one or more databases or log files. They are used to reconstruct an event, extract information about an incident, and prove or disprove culpability. Using audit trails is a passive form of detective security control, and audit trails are essential evidence in criminals’ prosecution.

Question 18

Understand how to maintain accountability

Answer 18

Accountability is maintained for individual subjects through the use of auditing. Logs record user activities and users can be held accountable for their logged actions. This directly promotes good user behavior and compliance with the organization’s security policy.

Question 19

Understand sampling and clipping

Answer 19

Sampling, or data extraction, is the process of extracting elements from a large body of data to construct a meaningful representation or summary of the whole. Statistical sampling uses precise mathematical functions to extract meaningful information from a large volume of data. Clipping is a form of nonstatistical sampling that records only events that exceed a threshold.

Question 20

Describe threat feeds and threat hunting

Answer 20

Threat feeds provide organizations with a steady stream of raw data. By analyzing threat feeds, security administrators can learn of current threats. They can then use this knowledge to search through the network, looking for signs of these threats.

Question 21

Know the relationship between machine learning (ML) and artificial intelligence (AI)

Answer 21

ML is a part of AI and refers to a system’s ability to learn. AI is a broad topic that includes ML.

Question 22

Know the benefits of SOAR

Answer 22

SOAR technologies automate responses to incidents. One of the primary benefits is that this reduces the workload of administrators. It also removes the possibility of human error by having computer systems respond.