Week 6 Flashcards

1
Q

Incident

A

A violation, or imminent threat of violation, of computer security policies or standard security practices. A common example is a distributed denial of service (DDoS) attack.

Incidents are a subset of events, where an event is any observable occurrence in a system or network.

2
Q

Incident Response (IR)

A

The process of managing and containing the aftermath of a security incident.

The goal is to minimize the damage caused by the incident, restore normal operations as quickly as possible, and prevent similar incidents from happening in the future.

3
Q

Incident Response Stages

A

Preparation,
Identification,
Containment,
Eradication,
Recovery,
Lessons Learned;

4
Q

Preparation (IR)

A

This phase involves developing an incident response plan, identifying key stakeholders, and training personnel on how to respond to incidents.

Every security team should be prepared for an incident.

5
Q

Identification (IR)

A

This is the first operational stage of incident response, following Preparation.

In this phase, the incident is identified, usually through monitoring and logging systems, and an initial assessment is made of the scope and nature of the incident.

6
Q

Containment (IR)

A

This is the stage after Identification. Once the incident has been identified, the focus shifts to containing the damage and preventing the incident from spreading.

This might involve shutting down systems, disconnecting affected devices from the network, or blocking access to malicious domains or IP addresses.

7
Q

Eradication (IR)

A

This phase involves identifying and removing the source of the incident.

This might involve cleaning up malware, patching vulnerabilities, or restoring backups.

8
Q

Recovery (IR)

A

After the incident has been contained and eradicated, the focus shifts to restoring normal operations and services.

This might involve bringing systems and applications back online, testing to ensure they are working properly, and communicating with users and stakeholders about the incident.

9
Q

Lessons Learned (IR)

A

In this phase, the incident is reviewed to determine what went well and what could be improved.

The incident response team will document lessons learned and make recommendations for future incident response.

10
Q

Roles within an Incident Response Team

A

SOC analysts,
Malware reverse engineers,
Forensic experts,
Incident response managers,
Security analysts,
Threat researchers,
Other stakeholders,
Third parties.

11
Q

Incident Response Plan (IRP)

A

A document that outlines the steps an organization will take when responding to a security incident.

It typically includes information on the roles and responsibilities of different team members, the procedures for responding to different types of incidents, and the communication protocols that will be used during an incident.

12
Q

What types of incidents can occur?

A

Malicious code,
DoS/DDoS,
Phishing,
Unauthorized access,
Insider threat,
Data breach,
Targeted attack (often encompassing several of the above categories);

13
Q

Incident : Ransomware Signs

A

Files become encrypted in real time (often with a changed extension),
The computer becomes locked, denying the user access to the device,
The web browser becomes locked;

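The first sign on this card, files being encrypted in real time, can be caught on a host before a ransom note appears by watching for a burst of writes that combine a ransomware-style extension with near-random content. The following Python is an added example, not code from the original page: the file events, the extension list and the entropy threshold are constructed assumptions, and compressed or image formats are exempted by their magic bytes because legitimate archives and pictures are also high entropy.

```python
"""Detect a burst of likely-encrypted file writes (added example; all sample
data below is constructed, not taken from a real incident)."""
import hashlib
import math
import os
from collections import Counter, namedtuple

ENTROPY_THRESHOLD = 7.5          # bits per byte; assumed cut-off, 8.0 is random
RANSOM_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".enc"}   # illustrative
# Formats that are high entropy by design and must not trip the entropy check.
COMPRESSED_MAGIC = (b"\x89PNG", b"PK\x03\x04", b"\x1f\x8b", b"\xff\xd8\xff", b"%PDF")

WriteEvent = namedtuple("WriteEvent", "ts path data")   # ts = seconds since start


def shannon_entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pseudo_random(size, seed):
    """Deterministic stand-in for ciphertext: chained SHA-256 digests."""
    out, i = b"", 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{i}".encode()).digest()
        i += 1
    return out[:size]


def write_reasons(path, data):
    """Why a single write looks like ransomware output ([] if it does not)."""
    reasons = []
    if os.path.splitext(path)[1].lower() in RANSOM_EXTENSIONS:
        reasons.append("ransomware-style extension")
    if not data.startswith(COMPRESSED_MAGIC) and shannon_entropy(data) >= ENTROPY_THRESHOLD:
        reasons.append("high-entropy content in unrecognised format")
    return reasons


def detect_mass_encryption(events, window_s=60, min_files=5):
    """Alert when at least min_files suspicious writes land within window_s seconds."""
    suspicious = sorted((e for e in events if write_reasons(e.path, e.data)),
                        key=lambda e: e.ts)
    for i in range(len(suspicious)):
        j = i
        while j < len(suspicious) and suspicious[j].ts - suspicious[i].ts <= window_s:
            j += 1
        if j - i >= min_files:
            return {"alert": True, "count": j - i,
                    "paths": [e.path for e in suspicious[i:j]]}
    return {"alert": False, "count": len(suspicious),
            "paths": [e.path for e in suspicious]}


# Constructed write events: one text file, one PNG, one ZIP, then six
# documents rewritten as .locked with random-looking bodies within 15 seconds.
SAMPLE_EVENTS = [
    WriteEvent(0, "docs/notes.txt", b"Meeting notes: review backup rotation schedule.\n" * 40),
    WriteEvent(5, "photos/cat.png", b"\x89PNG\r\n\x1a\n" + pseudo_random(2048, "png")),
    WriteEvent(8, "archive/q1.zip", b"PK\x03\x04" + pseudo_random(2048, "zip")),
] + [
    WriteEvent(10 + 3 * k, f"docs/report{k}.docx.locked", pseudo_random(2048, f"r{k}"))
    for k in range(6)
]

if __name__ == "__main__":
    result = detect_mass_encryption(SAMPLE_EVENTS)
    print("alert:", result["alert"], "suspicious writes:", result["count"])
    for path in result["paths"]:
        print("  ", path)
```

The two checks are deliberately combined with a rate window: a single high-entropy write is normal (TLS session keys, compressed backups), whereas dozens of them across user documents within a minute, each with an unfamiliar extension, is the pattern to isolate a host on.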
14
Q

Incident : Tools to analyze suspicious emails

A

Phishing email analysis tools (header analysis),
URL/IP reputation checks,
File/attachment analysis,
WHOIS records;

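The checks those tools automate can be reproduced offline with the standard library, which is useful when an analyst has only the raw .eml and no sandbox. The Python below is an added example, not from the original page: it parses a constructed message (documentation domains and RFC 5737 addresses, an attachment that is just the word "hello"), flags From/Reply-To/Return-Path mismatches and failed SPF/DKIM results, picks out the originating relay IP, lists URLs whose host is not the sender's domain, and hashes attachments so the digests can be fed to a reputation service.

```python
"""Offline triage of a suspicious email (added example; SAMPLE_EML is a
constructed message, not a real phishing sample)."""
import email
import email.policy
import hashlib
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

SAMPLE_EML = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (203.0.113.7) by mx.corp.example; Mon, 1 Jan 2024 09:00:00 +0000
Received: from 198.51.100.23 (unknown [198.51.100.23]) by mail-relay.example.net; Mon, 1 Jan 2024 08:59:58 +0000
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "IT Helpdesk" <helpdesk@corp.example>
Reply-To: support@corp-example-login.com
To: alice@corp.example
Subject: Password expiry notice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your password expires today. Verify at http://corp-example-login.com/reset
or https://203.0.113.9/portal within 24 hours.

--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""

URL_RE = re.compile(r"https?://[^\s<>\"')]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EXEC_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".bat", ".ps1")


def domain_of(header_value):
    """Bare domain from an address header value, lower-cased ('' if absent)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def triage(raw):
    msg = email.message_from_string(raw, policy=email.policy.default)
    from_dom = domain_of(str(msg.get("From", "")))
    reply_dom = domain_of(str(msg.get("Reply-To", "")))
    return_dom = domain_of(str(msg.get("Return-Path", "")))
    auth = str(msg.get("Authentication-Results", "")).lower()
    findings = []

    # Header consistency: phishers spoof From but need replies/bounces elsewhere.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if return_dom and return_dom != from_dom:
        findings.append(f"Return-Path domain {return_dom} differs from From domain {from_dom}")
    if re.search(r"spf=(fail|softfail|none)", auth):
        findings.append("SPF did not pass")
    if not re.search(r"dkim=pass", auth):
        findings.append("no passing DKIM signature")

    # Each relay prepends its own Received header, so the last one is the hop
    # closest to the sender; that IP is the one to check for reputation.
    hop_ips = []
    for hop in msg.get_all("Received", []):
        m = IPV4_RE.search(str(hop))
        if m:
            hop_ips.append(m.group(0))
    originating_ip = hop_ips[-1] if hop_ips else None

    urls, suspicious_urls = [], []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            for url in URL_RE.findall(part.get_content()):
                urls.append(url)
                host = (urlsplit(url).hostname or "").lower()
                if IPV4_RE.fullmatch(host) or not (host == from_dom or host.endswith("." + from_dom)):
                    suspicious_urls.append(url)

    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or "(unnamed)"
        attachments.append({"name": name, "size": len(data),
                            "sha256": hashlib.sha256(data).hexdigest()})
        if name.lower().endswith(EXEC_EXTENSIONS):
            findings.append(f"executable attachment {name}")

    return {"from_domain": from_dom, "originating_ip": originating_ip,
            "findings": findings, "urls": urls,
            "suspicious_urls": suspicious_urls, "attachments": attachments}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

The hashes and the originating IP are what you submit to reputation services; the URLs and the Reply-To domain become indicators for the log sweep in the next card. Never open the attachment itself outside a sandbox.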
15
Q

Incident : Examine the logs

A

During incident response, it is important to examine logs to look for possible Indicators of Compromise (IOCs).

There are several types of logs in most organizations' network environments:
Firewall,
Proxy,
DNS,
Windows event logs,
Office 365 (an admin can view the malicious email in recipients' mailboxes),
SIEM platforms such as Splunk, LogRhythm, and ArcSight, which aggregate the sources above;

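Whichever SIEM holds them, the sweep itself is the same: extract hostnames and addresses from each log type and match them against the IOC list, including subdomains of a bad domain and addresses inside a bad CIDR range. The Python below is an added example, not from the original page; the IOC set, the log lines and the field layouts for the DNS, proxy and firewall sources are constructed (documentation addresses and example domains), and the "internal" ranges are assumed to be RFC 1918.

```python
"""Sweep DNS, proxy and firewall log lines for known IOCs (added example;
IOCs and log lines are constructed, not from a real environment)."""
import ipaddress
import re
from collections import namedtuple
from urllib.parse import urlsplit

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
Hit = namedtuple("Hit", "source indicator kind line")

# Constructed IOC set, e.g. the output of triaging a phishing email.
IOCS = {
    "domains": {"corp-example-login.com", "update-cdn.example.org"},
    "ips": {"203.0.113.9"},
    "cidrs": {"198.51.100.0/24"},
}

# Constructed log lines as (source, line) pairs; layouts are assumed.
SAMPLE_LOGS = [
    ("dns", "2024-01-01T09:01:02Z client=10.0.0.12 query=login.corp-example-login.com type=A rcode=NOERROR"),
    ("proxy", "2024-01-01T09:01:05Z 10.0.0.12 GET https://corp-example-login.com/reset 200 4312"),
    ("firewall", "2024-01-01T09:02:10Z action=allow src=10.0.0.12 dst=203.0.113.9 dport=443 proto=tcp"),
    ("firewall", "2024-01-01T09:02:11Z action=deny src=198.51.100.23 dst=10.0.0.5 dport=445 proto=tcp"),
    ("dns", "2024-01-01T09:03:00Z client=10.0.0.40 query=www.example.com type=A rcode=NOERROR"),
]


def extract(source, line):
    """Hostnames and IPv4 addresses found in one line, per source layout."""
    hosts = []
    if source == "dns":
        m = re.search(r"query=(\S+)", line)
        if m:
            hosts.append(m.group(1))
    elif source == "proxy":
        m = re.search(r"https?://\S+", line)
        host = urlsplit(m.group(0)).hostname if m else None
        if host:
            hosts.append(host)
    return hosts, IPV4_RE.findall(line)


def match_domain(host, domains):
    """Exact or parent-domain match so subdomains of a bad domain also hit."""
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def match_ip(ip, ips, networks):
    if ip in ips:
        return ip
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # the regex also accepts octets above 255
        return None
    for net in networks:
        if addr in net:
            return str(net)
    return None


def sweep(logs, iocs):
    networks = [ipaddress.ip_network(c) for c in iocs["cidrs"]]
    hits = []
    for source, line in logs:
        hosts, ips = extract(source, line)
        for host in hosts:
            ind = match_domain(host, iocs["domains"])
            if ind:
                hits.append(Hit(source, ind, "domain", line))
        for ip in ips:
            ind = match_ip(ip, iocs["ips"], networks)
            if ind:
                hits.append(Hit(source, ind, "ip", line))
    return hits


def internal_hosts(hits):
    """Internal addresses on hit lines: the machines to pull into scope."""
    out = set()
    for hit in hits:
        for ip in IPV4_RE.findall(hit.line):
            if any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS):
                out.add(ip)
    return out


if __name__ == "__main__":
    found = sweep(SAMPLE_LOGS, IOCS)
    for hit in found:
        print(f"[{hit.source}] {hit.kind} {hit.indicator}: {hit.line}")
    print("hosts to investigate:", sorted(internal_hosts(found)))
```

The set returned by internal_hosts is the scoping output: the DNS lookup, the proxy request and the allowed firewall session all come from 10.0.0.12, which makes it the first device to isolate, and the denied inbound SMB attempt from the bad range points at 10.0.0.5 as a second host to check.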
16
Q

Tier 1 SOC Analyst (IR)

A

An entry-level role in which an individual is responsible for monitoring and analyzing security-related data from various sources, such as network traffic logs, security alerts, and system events.

They may also be responsible for identifying and triaging potential security incidents, and escalating them to higher-level SOC team members or incident response teams as necessary.

17
Q

Tier 2 SOC Analyst (IR)

A

A more senior role than a Tier 1 SOC analyst, typically with more advanced responsibilities.

They are responsible for responding to, analyzing and resolving security incidents that have been escalated from Tier 1 analysts.

They often use specialized tools and techniques to perform forensic investigations, and they may also be responsible for communicating with other teams, such as incident response teams, to coordinate and execute incident response activities.

18
Q

Tier 3 SOC Analysts (IR)

A

A more advanced role; the Tier 3 analyst is considered a subject matter expert.

They are responsible for overseeing and managing the overall incident response process, including the analysis and resolution of complex security incidents.

They often lead investigations and collaborate with other teams such as incident response, forensics, and threat intelligence to gather and analyze data from various sources.

They are often responsible for creating and updating incident response plans, and for reporting on security incidents to senior management.

They also review and improve the incident response process, and work with other teams to address systemic security issues.

19
Q

Incident : IRP when dealing with the ransomware attack

A
  1. Lock down the network, since other files and devices may already be infected:

– Lock down the infected computer,
– Isolate the device,
– Block its network traffic using the firewall,
– Disconnect the device from the network or pull the network cable (prefer network isolation over powering off where possible: a hard power-off discards volatile memory that forensic analysis, and sometimes key recovery, depends on);

  2. Stop the ransomware process and remove its files using anti-malware software. HitmanPro and Emsisoft Emergency Kit can come in handy for this step.
  3. Check whether the files are decryptable using ID Ransomware, a free online service that identifies the ransomware family from a sample encrypted file or ransom note and tells you whether a decryptor exists. Some families are decryptable, e.g. Jigsaw; others, like Spora, are not.
  4. Check whether the company has automatic or manual backups. Restore from backup storage and rebuild the machine where necessary.
20
Q

EDR (Endpoint Detection & Response)

A

Focused on protecting the endpoint, providing in-depth visibility and threat prevention for a particular device.

21
Q

XDR

A

Takes a wider view, integrating security across endpoints, cloud computing, email, and other solutions.

XDR platforms are designed to detect and respond to malicious activity across various types of devices, networks, and cloud environments.

22
Q

Types of XDR

A

Endpoint,
Network,
Cloud,
Email,
IoT;

23
Q

SOAR (Security Orchestration, Automation, and Response)

A

A technology that helps organizations automate and streamline their security operations.

Used to describe three software capabilities:
– Threat and Vulnerability Management,
– Security incident response,
– Security operations automation.

An effective SOAR deployment automates much of the repetitive 24/7 SOC work (alert enrichment, ticketing, routine containment actions), freeing analysts for investigation; it reduces manual toil rather than guaranteeing security on its own.