Section 12: Dealing with Incident Response Procedures

Question 1

What RAID model has a minimum of three disks? How many disks can it afford to lose?

Answer 1

RAID 5. It can afford to lose one disk without losing data. It has single parity.

Question 2

What RAID models has a minimum of four disks? How many disks can it afford to lose?

Answer 2

RAID 6. It can afford to lose two disks as it has double parity.

Question 3

What is the difference between RAID 5 and RAID 6?

Answer 3

RAID 5 has single parity and can lose one disk.
RAID 6 has double parity and can lose two disks.

Question 4

Where will a diskless virtual host access its storage?

Answer 4

Storage Area Network (SAN).

Question 5

What types of disks does a SAN use?

Answer 5

Fast disks, such as SSDs.

Question 6

What is a example of cloud storage available to a personal user?

Answer 6

iCloud, Google Drive, Microsoft OneDrive, Dropbox

Question 7

At what stage of incident response procedures would you reduce the services running on a computer on a domain controller that is infected with malware?

Answer 7

Eradication: the removal of viruses and reduction of the services being used. The domain controller should be isolated, and this is the containment phase. The virus would be removed in the eradication phase, and then be placed back online. This is the recovery phase.

Question 8

During a disaster recovery exercise, the IRP team is given a scenario to respond to. What type of exercise are they likely to carry out?

Answer 8

A simulation.

Question 9

Why would a cybersecurity team use the MITRE ATT&CK Framework?

Answer 9

This is an aid to help prepare your business against different adversaries. You can drill down from an adversary into the tactics and techniques that they use. You can take mitigation steps to avoid being attacked.

Question 10

What are the four key elements of the Diamond Model of Intrusion Analysis framework?

Answer 10

1. Adversary
2. Capabilities
3. Infrastructure
4. Victims

Question 11

Why are the roles and responsibilities of the IRP team important?

Answer 11

If they understand the roles and responsibilities, it can make them more effective when a disaster happens.

Question 12

What type of file is created when your computer suffers a blue screen of death?

Answer 12

The contents of memory are saved in a dump (.dmp) file which can be used to investigate the event.

Question 13

What is the purpose of SFlow?

Answer 13

Gives you clear visibility of network traffic patterns and can identify malicious traffic.

Question 14

What type of HTTP status code lets you know you have made a successful connection to a web server?

Answer 14

200.

Question 15

What is the purpose of a SOAR system playbook?

Answer 15

Playbooks contain a set of rules to enable the SOAR to identify events and take preventative action as an event occurs.

Question 16

What is the benefit of network card teaming?

Answer 16

Helps load balance the network traffic and provide redundancy if one card fails.

Question 17

What is the purpose of a UPS?

Answer 17

UPS is a battery that is a standby device so that when the computer power fails, it kicks in. It is designed to keep the system going for a few minutes to allow the server team to close the servers down gracefully. It can also be used to clean up the power coming form the Notional Grid, such as spikes, surges, and voltage fluctuations.

Question 18

What can be installed on a node of a SAN to provide redundancy?

Answer 18

Two Host Bus Adapters (HBA) on each node will give two separate paths to them.

Question 19

Why would a company use two different vendors for their broadband?

Answer 19

To provide diversity so that if one vendor had a disaster, the other would keep providing the broadband.

Question 20

What is the purpose of an incident response plan?

Answer 20

It is written for a particular incident and lays out how it should be tackled and the key personnel required.

Question 21

Name three different categories of incident.

Answer 21

1. Unauthorized access
2. Loss of computers or data
3. Loss of availability
4. Malware attack
5. DDoS attack
6. Power failure
7. Natural disaster (flood, tornadoes, hurricanes, fires)
8. Cybersecurity incidents

Question 22

Name three different roles required to deal with an incident.

Answer 22

1. Incident response manager: A top-level manager takes charge
2. Security analyst: Provides technical support for the incident
3. IT auditor: Checks that the company is compliant
4. Risk analyst: Evaluates all aspects of risk
5. HR: Sometimes, employees are involved in the incident
6. Legal: Gives advice and makes decisions on legal issues
7. Public relations: Deals with the press to reduce the impact on the company’s reputation

Question 23

What should the help desk do when an incident has just been reported?

Answer 23

Identify the incident response plan required and the key personnel that needs to be notified.

Question 24

What is the purpose of an incident response exercise?

Answer 24

To practice carrying out the incident response plan and identify any shortfalls.

Question 25

What is the first phase of the incident response process and what happens there?

Answer 25

Preparation phase, where the plan is already written in advance of any attack.

Question 26

What is the last phase of the incident response process?

Answer 26

Lessons learned, where we review why the incident was successful. This information gathered will prevent the incident from reoccurring.

Question 27

What would happen if the last process of the incident response process was not carried out?

Answer 27

The incident may re-occur. Lessons learned is a detective control wherein we try to identify and address any weaknesses.

Question 28

What happens during the containment phase of the disaster recovery process?

Answer 28

Isolate or quarantine an infected machine. You will also disable any account used in an attack.

Question 29

What happens during the eradication phase of the disaster recovery process?

Answer 29

We remove malware and turn off services that we do not need.

Question 30

What happens during the recovery phase of the disaster recovery process?

Answer 30

We put infected machines back online, restore data, or reimage desktops.