Writing Assignment: Module 08

Question 1

What is an IR reaction strategy?

Answer 1

procedures for regaining control of systems and restoring operations to normalcy are the heart of the IR plan and the CSIRT’s operations.

Question 2

If an organization chooses the protect and forget approach instead of the apprehend and prosecute philosophy, what aspect of IR will be most affected?

Answer 2

The aspect of IR that will be most affected is the data collection tasks.

Question 3

What is the first task the CSIRT leader will undertake on arrival?

Answer 3

Determine whether an incident occured

Question 4

What is the second task the CSIRT leader will undertake?

Answer 4

Analyze precursors and indicators.

Question 5

What is the best thing an organization can do to make its CSIRT most effective?

Answer 5

Be prepared by having a risk assessment and good security measures.

Question 6

What is the first imperative of the CSIRT when there is a confirmed incident?

Answer 6

Incident Containment

Question 7

Why might an organization forego trying to identify the attacking host during an incident response?

Answer 7

To prevent concurrent recurrence and protect assets.

Question 8

What is the phase after containment during incident response?

Answer 8

Eradicate

Question 9

What is a concurrent recurrence?

Answer 9

an incident happening while trying to solve another incident

Question 10

What is the phase after eradication during incident response?

Answer 10

Contain and Mitigate vulnerabilities

Question 11

What is the primary determinant of which containment and eradication strategies are chosen for a specific incident?

Answer 11

●Type
●Method of incursion
●Current level of success
●Expected or projected level of success
●Current level of loss
●Expected or projected level of loss
●Target
●Target’s level of classification and/or sensitivity
●Any legal or regulatory impacts mandating a specific response

Question 12

What is watchful waiting and why might we use it?

Answer 12

a tactic that deliberately permits the attack to continue while the entire event is observed and additional evidence is collected. The use of this type of delayed containment may need to be previewed with legal counsel to see if it is feasible.

Question 13

Why is delayed containment not recommended for most CSIRTs?

Answer 13

may increase attack intensity

Question 14

What is a DoS attack and how does it differ from a DDoS attack?

Answer 14

the main difference between a DoS and a DDoS attack is the number of sources used to carry out the attack. A DoS attack is typically a single source, while a DDoS attack involves multiple sources.

Question 15

What is the first and most important step in preparing for DoS and DDoS attack responses?

Answer 15

Coordinating with the ISP

Question 16

What is malware?

Answer 16

software designed to damage, destroy, or deny service to target systems

Question 17

What is spam? Can it cause an incident?

Answer 17

unwanted e-mail traffic and is a common carrier of malware and a source of phishing attacks.

spam can cause incidents like posing security risks if employees accidentally click on malicious links or download infected attachments, or with large volumes of spam it can cause email servers to crash.

Question 18

What is unauthorized access?

Answer 18

when an individual, an applications, or another program,through access to the operation system’s application programming interface (API), attempts to and/or gains access to an information asset without explicit permission or authorization to do so.

Question 19

What is inappropriate use?

Answer 19

is characterized as a violation of policy’s or an effort to abuse existing systems

Question 20

What is a hybrid incident?

Answer 20

begins as an IU incident, then may quickly change into a malware incident.