section 4.2

Question 1

What is the incident response cycle

Answer 1

Preparation,
Detection and Analysis
Containment, Eradication, and Recovery
Post-Incident Activity

Question 2

What are some ways to prepare for a security incident

Answer 2

• Communication methods
• Incident handling hardware & software
• Incident analysis resources
• Incident mitigation software
• Policies needed for incident handling

Question 3

What are some challenges of detection?

Answer 3

Attackers are incoming all the time

Incidents are always complex

Question 4

What are some Incident precursors

Answer 4

Web server log: 
- vulnerability scanner 
Exploit announcement:
- Adobe Flash update
Direct threats:
- A hacking group does not like you

Question 5

What is an incident indicator?

Answer 5

An attack is underway

Question 6

Name some incident indicators

Answer 6

Buffer overflow attempt

Anti-virus software identifies malware

Question 7

What is a sandbox? What can you do in the sandbox?

Answer 7

An isolated operating system

Run malware and analyze the results

Question 8

What is the goal of recovery after an incident?

Answer 8

Get things back to normal

Remove the bad, keep the good

Question 9

During the Recovery process, name some things you would eradicate. Name some things that you want to recover

Answer 9

Eradicate
- bug
- disable breached user account
Recover
- the system
- restore from backups
- rebuild from scratch

Question 10

What are some exercises to practice in response to an incident?

Answer 10

Tabletop exercises
Walk through
Simulation

Question 11

What are some differences between Communication plan and a Disaster Recovery plan

Answer 11

Communication plan is based on getting a contact list together. A recovery plan is based on creating a comprehensive plan that should include a communication plan

Question 12

What should you implement if the disaster recovery plan does not go as planned

Answer 12

Continuity of operations planning

Question 13

This team will determine if an event deserves a response by receiving reviewing, and then determining a response

Answer 13

Incident response team

Question 14

What does a retention policy determine

Answer 14

Determines how much and where data should be stored. Even go as far as storing copies, versions of copies

Question 15

This is an attack framework that determines the actions of an attacker. What is the name of this framework and what does it do

Answer 15

MITRE ATT&CK framework

• Identify point of intrusion
• Understand methods used to move around
• Identify potential security techniques to block future attacks

Question 16

What would you se the Diamond Model of Intrusion Analysis framework for

Answer 16

You would use the model to analyze and fill in the details when an adversary deploys a capability over some infrastructure