Study Guide - Chapter 11: Containment, Eradication, and Recovery Flashcards
2- Which one of the following criteria is not normally used when evaluating the appropriateness of a cybersecurity incident containment strategy?
- Effectiveness of the strategy
- Evidence preservation requirements
- Log records generated by the strategy
- Cost of the strategy
Log records generated by the strategy
NIST recommends using six criteria to evaluate a containment strategy: the potential damage to resources, the need for evidence preservation, service availability, time and resources required (including cost), effectiveness of the strategy, and duration of the solution.
3- Alice is responding to a cybersecurity incident and notices a system that she suspects is compromised. She places this system on a quarantine VLAN with limited access to other networked systems. What containment strategy is Alice pursuing?
- Eradication
- Isolation
- Segmentation
- Removal
Segmentation
In a segmentation approach, the suspect system is placed on a separate network where it has very limited access to other networked resources.
4- Alice confers with other team members and decides that even allowing limited access to other systems is an unacceptable risk and chooses instead to prevent the quarantine VLAN from accessing any other systems by putting firewall rules in place that limit access to other enterprise systems. The attacker can still control the system to allow Alice to continue monitoring the incident. What strategy is she now pursuing?
- Eradication
- Isolation
- Segmentation
- Removal
Isolation
In the isolation strategy, the quarantine network is directly connected to the Internet or restricted severely by firewall rules so that the attacker may continue to control it but not gain access to any other networked resources.
5- After observing the attacker, Alice decides to remove the Internet connection entirely, leaving the systems running but inaccessible from outside the quarantine VLAN. What strategy is she now pursuing?
- Eradication
- Isolation
- Segmentation
- Removal
Removal
In the removal approach, Alice keeps the systems running for forensic purposes but completely cuts off their access to or from other networks, including the Internet.
7- Tamara is a cybersecurity analyst for a private business that is suffering a security breach. She believes the attackers have compromised a database containing sensitive information. Which one of the following activities should be Tamara’s first priority?
- Identifying the source of the attack
- Eradication
- Containment
- Recovery
Containment
Tamara’s first priority should be containing the attack. This will prevent it from spreading to other systems and also potentially stop the exfiltration of sensitive information. Only after containing the attack should Tamara move on to eradication and recovery activities. Identifying the source of the attack should be a low priority.
8- What should be clearly identified during a lessons learned review in order to reduce the likelihood of a similar incident escaping attention in the future?
- IOCs
- Scope
- Impact
- Reimaging
IOCs
During an incident investigation, the team may encounter new indicators of compromise (IOCs) based on the tools, techniques, and tactics used by attackers. As part of the lessons learned review, the team should clearly identify any new IOCs and make recommendations for updating the organization’s security monitoring program to include those IOCs. This will reduce the likelihood of a similar incident escaping attention in the future. Scope, impact, and reimaging should be considered during containment, eradication, and recovery.
9- Which one of the following pieces of information is most critical to conducting a solid incident recovery effort?
- Identity of the attacker
- Time of the attack
- Root cause of the attack
- Attacks on other organizations
Root cause of the attack
Understanding the root cause of an attack is critical to the incident recovery effort. Analysts should examine all available information to help reconstruct the attacker’s actions. This information is crucial to remediating security controls and preventing future similar attacks.
10- Lynda is disposing of a drive containing sensitive information that was collected during the response to a cybersecurity incident. The information is categorized as a high security risk and she wishes to reuse the media during a future incident. What is the appropriate disposition for this information?
- Clear
- Erase
- Purge
- Destroy
Purge
Lynda should consult the flowchart that appears in Figure 11.7. Following that chart, the appropriate disposition for media that contains high security risk information and will be reused within the organization is to purge it.
11- Which one of the following activities is not normally conducted during the recovery validation phase?
- Verify the permissions assigned to each account.
- Implement new firewall rules.
- Conduct vulnerability scans.
- Verify logging is functioning properly.
Implement new firewall rules.
New firewall rules, if required, would be implemented during the eradication and recovery phase. The validation phase includes verifying accounts and permissions, verifying that logging is working properly, and conducting vulnerability scans.
12- What incident response activity focuses on removing any artifacts of the incident that may remain on the organization’s network?
- Containment
- Recovery
- Post-Incident Activities
- Eradication
Eradication
The primary purpose of eradication is to remove any of the artifacts of the incident that may remain on the organization’s network. This may include the removal of any malicious code from the network, the sanitization of compromised media, and the securing of compromised user accounts.
13- Which one of the following is not a common use of formal incident reports?
- Training new team members
- Sharing with other organizations
- Developing new security controls
- Assisting with legal action
Sharing with other organizations
There are many potential uses for written incident reports. First, they create an institutional memory of the incident that is useful when developing new security controls and training new security team members. Second, they may serve as an important record of the incident if there is ever legal action that results from the incident. These reports should be classified and not disclosed to external parties.
Incident Response Activities
- Preparation: This phase includes training, testing, and documentation of procedures. It involves assembling hardware, software, and information required for incident investigation.
- Detection and Analysis: Security professionals monitor for indicators of compromise (IoCs). Once found, they are analyzed to determine if an incident has occurred. Common IoCs include unusual network traffic, changes to filesystems, and login irregularities.
- Containment, Eradication, and Recovery: The team takes active measures to contain the incident’s effects, eradicate it from the network, and recover normal operations. Containment strategies must be appropriate to the incident circumstances.
  - Containment limits damage and gathers evidence, which may involve network segmentation, isolation, or system removal.
  - Eradication removes any incident artifacts from the organization’s network, including malicious code and compromised accounts.
  - Recovery involves patching systems and applications and validating data integrity to restore normal business operations.
- Post-Incident Activity: The CSIRT undertakes forensic procedures, performs root cause analysis, conducts a lessons-learned review, and ensures that they meet internal and external evidence retention requirements.
  - Root cause analysis (RCA) identifies the underlying cause of the incident to prevent future occurrences.
  - Lessons learned review analyzes the incident and response to improve procedures and tools.
  - A formal incident report documents the incident, actions taken, and impact for future reference and potential legal action.
14- Which one of the following data elements would not normally be included in an evidence log?
- Serial number
- Record of handling
- Storage location
- Malware signatures
Malware signatures
Malware signatures would not normally be included in an evidence log. The log would typically contain identifying information (e.g., the location, serial number, model number, hostname, MAC addresses and IP addresses of a computer), the name, title and phone number of each individual who collected or handled the evidence during the investigation, the time and date (including time zone) of each occurrence of evidence handling, and the locations where the evidence was stored.
15- Sondra determines that an attacker has gained access to a server containing critical business files and wishes to ensure that the attacker cannot delete those files. Which one of the following strategies would meet Sondra’s goal?
- Isolation
- Segmentation
- Removal
- None of the above
None of the above
Even removing a system from the network doesn’t guarantee that the attack will not continue. In the example given in this chapter, an attacker can run a script on the server that detects when it has been removed from the network and then proceeds to destroy data stored on the server.
Joe would like to determine the appropriate disposition of a flash drive used to gather highly sensitive evidence during an incident response effort. He does not need to reuse the drive but wants to return it to its owner, an outside contractor. What is the appropriate disposition?
- Destroy
- Clear
- Erase
- Purge
Destroy
The data disposition flowchart in Figure 11.7 directs that any media containing highly sensitive information that will leave the control of the organization must be destroyed. Joe should purchase a new replacement device to provide to the contractor.
17- Which one of the following is not typically found in a cybersecurity incident report?
- Chronology of events
- Identity of the attacker
- Estimates of impact
- Documentation of lessons learned
Identity of the attacker
Incident reports should include a chronology of events, estimates of the impact, and documentation of lessons learned, in addition to other information. Incident response efforts should not normally focus on uncovering the identity of the attacker, so this information would not be found in an incident report.
18- What NIST publication contains guidance on cybersecurity incident handling?
- SP 800-53
- SP 800-88
- SP 800-18
- SP 800-61
SP 800-61
NIST SP 800-61 is the Computer Security Incident Handling Guide. NIST SP 800-53 is Security and Privacy Controls for Federal Information Systems and Organizations. NIST SP 800-88 is Guidelines for Media Sanitization. NIST SP 800-18 is the Guide for Developing Security Plans for Federal Information Systems.
SP 800-61
Computer Security Incident Handling Guide from NIST
SP 800-53
Security and Privacy Controls for Federal Information Systems and Organizations from NIST
SP 800-88
Guidelines for Media Sanitization from NIST
SP 800-18
Guide for Developing Security Plans for Federal Information Systems from NIST
19- Which one of the following is not a purging activity?
- Resetting to factory state
- Overwriting
- Block erase
- Cryptographic erase
Resetting to factory state
Resetting a device to factory state is an example of a data clearing activity. Data purging activities include overwriting, block erase, and cryptographic erase activities when performed through the use of dedicated, standardized device commands.
Ben is responding to a security incident and determines that the attacker is using systems on Ben’s network to attack a third party. Which one of the following containment approaches will prevent Ben’s systems from being used in this manner?
- Removal
- Isolation
- Detection
- Segmentation
Removal
Only removal of the compromised system from the network will stop the attack against other systems. Isolated and/or segmented systems are still permitted access to the Internet and could continue their attack. Detection is a purely passive activity that does not disrupt the attacker at all.