Study Guide - Chapter 10: Incident Detection and Analysis Flashcards
2- Hui wants to comply with a legal hold but knows that her organization has a regular process that purges logs after 45 days due to space limitations. What should she do if the logs are covered by the legal hold?
- Notify counsel that the logs will be deleted automatically in 45 days.
- Delete the logs now to allow longer before space is filled up.
- Identify a preservation method to comply with the hold.
- Make no changes; holds allow ongoing processes to continue as normal.
Identify a preservation method to comply with the hold.
Hui knows that she needs to preserve the logs per the legal hold notice and will need to identify a method to preserve the logs while maintaining operations for her organization. Failing to do so can have significant legal repercussions.
5- Renee wants to adopt an open IoC feed. What issue is Renee most likely to need to address when adopting it?
- The cost of the IoC feed
- The quality of the feed
- The update frequency of the feed
- The level of detail in the feed
The quality of the feed
Open feed data can vary in quality and reliability. That means Renee will have to put processes in place to assess the quality and reliability of the IoC information she is receiving. An open feed implies that it is free. Open feeds are generally active, and IoC detail levels vary as IoCs are created and updated, regardless of the type of feed.
6- Chris wants to use an active monitoring approach to test his network. Which of the following techniques is appropriate?
- Collecting NetFlow data
- Using a protocol analyzer
- Pinging remote systems
- Enabling SNMP
Pinging remote systems
Active monitoring is focused on reaching out to gather data using tools like ping and iPerf. Passive monitoring using protocol analyzers collects network traffic, while router‐based monitoring using SNMP and flows gathers data by receiving or collecting logged information.
8- Cameron wants to be able to detect a denial‐of‐service attack against his web server. Which of the following tools should he avoid?
- Log analysis
- Flow monitoring
- iPerf
- IPS
iPerf
Log analysis, flow monitoring, and deploying an IPS are all appropriate solutions to help detect denial‐of‐service attacks. iPerf is a performance testing tool used to establish the maximum bandwidth available on a network connection.
iPerf
iPerf is a performance testing tool used to establish the maximum bandwidth available on a network connection.
iPerf is used for active monitoring, which is focused on reaching out to systems to gather data rather than passively collecting it.
12- Valentine wants to check for unauthorized access to a system. What two log types are most likely to contain this information?
- Authentication logs and user creation logs
- System logs and application logs
- Authentication logs and application logs
- System logs and authentication logs
Authentication logs and user creation logs
Valentine knows that unauthorized access often involves the creation of unauthorized user accounts and authentication events that allowed access to the system. System logs contain system events, but not authentication or user creation information. Application logs track application events and also typically won’t show this type of information.
14- While Susan is monitoring a router via network flows, she sees a sudden drop in network traffic levels to zero, and the traffic chart shows a flat line. What has likely happened?
- The sampling rate is set incorrectly.
- The router is using SNMP.
- The monitored link failed.
- A DDoS attack is occurring.
The monitored link failed.
The most likely answer is that the link has failed. Incorrectly set sampling rates will not provide a good view of traffic, and a DDoS attack is more likely to show large amounts of traffic. SNMP is a monitoring tool and would not result in flow data changing.
15- Leo wants to monitor his application for common issues. Which of the following is not a typical method of monitoring for application issues?
- Up/down logging
- System logging
- Performance logging
- Transactional logging
System logging
System logging is typically handled separately from application logging. Up/down logging, performance logging, transactional logging, and service logging are all common forms of monitoring used to ensure applications are performing correctly.
16- Greg notices that a user account on a Linux server he is responsible for has connected to 10 machines via SSH within seconds. What type of IoC best matches this type of behavior?
- Bot‐like behavior
- Port scanning
- Denial of service
- Escalation of privileges
Bot‐like behavior
Actions performed more quickly than a typical user would perform them can be an indicator of bot‐like behavior. If the user performing the actions does not typically run scripts or connect to multiple machines, Greg may want to investigate more deeply, including checking logs on the remote systems to see what authentication was attempted. SSH connections alone are not indicators of port scanning, escalation of privilege, or denial‐of‐service attacks.
17- Arun wants to monitor for unusual database usage. Which of the following is most likely to be indicative of a malicious actor?
- Increases in cached hits to the database
- Decreases in network traffic to the database
- Increases in disk reads for the database
- Decreases in database size
Increases in disk reads for the database
An attacker is likely to attempt to gather information from the entire database, meaning that cached hits will not make up the full volume of queries. Thus, disk reads from a database may be a more important indicator of compromise than an increase in cached hits that may simply be more typical usage.
Up/Down Logging
Up/down logging is a category of application and service monitoring that checks whether a service is running.
19- Alex has noticed that the primary disk for his Windows server is quickly filling up. What should he do to determine what is filling up the drive?
- Check the filesystem logs.
- Check the security logs.
- Search for large files and directories.
- Search for file changes.
Search for large files and directories.
The first step in Alex’s process should be to identify where the files that are filling the drive are located and what they are. A simple search can help with this by sorting by large directories and files. Windows does not have a filesystem log that would record this, and security logs are focused on security events, not filesystem information. Searching for files that have changed requires a tool that tracks changes, which is not part of a default Windows installation.
18- Valerie is concerned that an attacker may have gained access to a system in her datacenter. Which of the following behaviors is not a common network‐based IoC that she should monitor for?
- Traffic to unexpected destinations
- Unusual volumes of outbound traffic
- Increases in system memory consumption
- Outbound traffic at unusual times
Increases in system memory consumption
Valerie is specifically looking for network‐related IoCs, and system memory consumption is a host‐ or system‐related IoC, not a network‐related IoC.
20- Joseph wants to be notified if user behaviors vary from normal on systems he maintains. He uses a tool to capture and analyze a week of user behavior and uses that to determine if unusual behavior occurs. What is this practice called?
- Pattern matching
- Baselining
- Fingerprinting
- User modeling
Baselining
Joseph has created a user behavior baseline, which will allow him to see if there are exceptions to the normal behaviors and commands that users run. Pattern matching, fingerprinting, and user modeling are not terms used to describe this process.