Unit 6 - Module 1 - Incident Response

Question 1

What do you call an observable occurrence on a network, system, or device?

Answer 1

An Event

Question 2

What is a form of documentation used in incident response?

Answer 2

Incident Handler’s Journal

Question 3

What incident responce process is cyclical?

Answer 3

NIST Incident Responce

Question 4

What do you call a specialized group of security professionals that are trained in incident management and responce?

Answer 4

Computer Security Incident Response Teams ( CSIRT )

Question 5

What framework are these 4 phases?

Preparation

Detection and Analysis

Containment, Eradication, and Recovery

Post-Incident Activity

Answer 5

NIST Framework

Question 6

What are the 3 Important thing incident responce teams need?

3 C’s

Answer 6

Command

Control

Communication

Question 7

What security responce teams usually have these 3 roles?

Security Analyst

Technical Lead

Incident Coordinator

Answer 7

CSIRT ( Computer Security Incident Responce Team )

Question 8

What do you call a document that outlines the procedures to take in each step of incident response?

Answer 8

Incident Responce Plan

Question 9

What is any form of recorded content that is used for a specific purpose?

Answer 9

Documentation

Question 10

What is a manual that provides details about any operational action?

Answer 10

Playbook

Question 11

What is an application that monitors system and network activity and produces alerts on possible intrusions?

Answer 11

Intrusion detection system (IDS)

Question 12

What is an application that monitors system activity for intrusions and take action to stop the activity?

Answer 12

Intrusion prevention system (IPS)

Question 13

What do you call an alert that correctly detects the presence of an attack?

Answer 13

A True Positive

Question 14

What do you call a state where there is no detection of malicious activity. This is when malicious activity exists and no alert is triggered.

Answer 14

A True Negative

Question 15

What is an alert that incorrectly detects that presence of a threat? This is when an IDS identifies an activity as malicious, but it isn’t. False positives are an inconvenience for security teams because they spend time and resources investigating an illegitimate alert.

Answer 15

A False Positive

Question 16

What is a state where the presence of a threat is not detected? This is when malicious activity happens but IDS fails to detect it. False negatives are dangerous because security teams are left unaware of legitimate attacks that they can vulnerable to.

Answer 16

A False Negative

Question 17

What is an application that monitors an endpoint for malicious activity? A tool that monitors, records, and analyzes endpoint system activity to identify, alert, and respond to suspicious activity.

Answer 17

End point Detection and Responce (EDR)

Question 18

What is an application that collects and analyzes log data to monitor critical activities in an organization?

Answer 18

Security Information and Event Management (SIEM)

Question 19

What tool uses these 4 steps?

Collect, Aggregate data, Normalize Data, and Analyze Data

Answer 19

SIEM Tool

Question 20

What is a collection of applications, tools, and workflows that uses automation to respond to security events?

Answer 20

Security Orchestration, Automation, and Response (SOAR)