Module 1: Incident Management Response and Cyberattack Frameworks


INTRODUCTION – Incident Management Response and Cyberattack Frameworks

Welcome back to this journey into the practice of Incident Management Response and a deeper understanding of cyberattack frameworks. This module introduces the common processes that Incident Management Response addresses and builds your skills in efficiently countering and mitigating cyber threats.

You will also study a specific cyberattack framework, gaining insight into its architecture, methodologies, and contributions to cybersecurity. The module is designed to deepen your understanding of how to protect against digital threats and to strengthen your incident response skills.

Learning Outcomes:

  • Examine watering hole attacks.
  • Identify steps that might have prevented the Target Corporation data breach.
  • Explain in brief the financial implications of the Target Corporation data breach.
  • Indicate the vulnerabilities exploited during the Target Corporation data breach.
  • Summarize the timeline of the Target Corporation data breach.
  • Explain what data breaches are, including their common characteristics.
  • Enumerate tips to prevent cyber-attacks.
  • Discuss each phase of a cyberattack according to the details provided in the IBM X-Force IRIS cyber-attack framework.
  • Configure automatic processing of inbound email using the IBM Resilient platform.
  • Identify requirements of every step in the lifecycle of incident response.
  • List the essential items to consider while forming an incident response team.
  • Discuss the actions recommended by the National Institute of Standards and Technology for forming an incident response capability.

INCIDENT MANAGEMENT KNOWLEDGE CHECK

1. In creating an incident response capability in your organization, NIST recommends taking 6 actions. Which three (3) actions are included on that list? (Select 3)

  • Establish a formal incident response capability (CORRECT)
  • Create an incident response policy (CORRECT)
  • Hold incident response drills on a regular basis
  • Develop an incident response plan based on the incident response policy (CORRECT)

Partially correct!

2. Which incident response team model would best fit the needs of a small company that runs its business out of a single office building or campus?

  • Hybrid incident response team
  • Distributed incident response team
  • Coordinating incident response team
  • Central incident response team (CORRECT)

3. True or False. An incident response team needs a blend of members with strong technical and strong soft skills.

  • True (CORRECT)
  • False

4. Assuring systems, networks, and applications are sufficiently secure to resist an attack is part of which phase of the incident response lifecycle?

  • Detection & Analysis
  • Post-Incident Activity
  • Preparation (CORRECT)
  • Containment, Eradication & Recovery

CYBERATTACK FRAMEWORKS KNOWLEDGE CHECK

1. According to the IRIS Framework, during which stage of an attack would the attacker conduct external reconnaissance, align tactics, techniques and procedures to target, and prepare their attack infrastructure?

  • Continue the attack, expand network access
  • Continuous phases occur
  • Attack beginnings (CORRECT)
  • Attack objective execution
  • Launch and execute the attack

2. According to the IRIS Framework, during which stage of an attack would the attacker escalate evasion tactics to evade detection?

  • Attack beginnings
  • Launch and execute the attack
  • Continuous phases occur (CORRECT)
  • Continue the attack, expand network access
  • Attack objective execution

3. According to the IRIS framework, during the third phase of an attack when the attackers are attempting to escalate privileges, what should the IR team be doing as a countermeasure?

  • Build a threat profile of adversarial actors who are likely to target the company
  • Analyze all network traffic and endpoints, searching for anomalous behavior
  • Thoroughly examine available forensics to understand attack details, establish mitigation priorities, provide data to law enforcement, and plan risk reduction strategies (CORRECT)
  • Enforce strong user password policies by enabling multi-factor authentication and restricting the ability to use the same password across systems
  • Implement strong endpoint detection and mitigation strategies

4. According to the IRIS framework, during the fifth phase of an attack, the attackers will attempt to execute their final objective. What should the IR team be doing as a countermeasure?

  • Enforce strong user password policies by enabling multi-factor authentication and restricting the ability to use the same password across systems
  • Thoroughly examine available forensics to understand attack details, establish mitigation priorities, provide data to law enforcement, and plan risk reduction strategies (CORRECT)
  • Implement strong endpoint detection and mitigation strategies
  • Analyze all network traffic and endpoints, searching for anomalous behavior
  • Build a threat profile of adversarial actors who are likely to target the company

5. True or False. A data breach only has to be reported to law enforcement if external customer data was compromised.

  • True
  • False (CORRECT)

INCIDENT MANAGEMENT RESPONSE AND CYBERATTACK FRAMEWORKS GRADED ASSESSMENT

1. In creating an incident response capability in your organization, NIST recommends taking 6 actions. Which three (3) actions are included on that list? (Select 3)

  • Establish policies and procedures regarding incident-related information sharing (CORRECT)
  • Secure executive sponsorship for the incident response plan
  • Considering the relevant factors when selecting an incident response team model (CORRECT)
  • Develop incident response procedures (CORRECT)

Partially correct!

2. Which incident response team model would best fit the needs of the field offices of a large distributed organization?

  • Hybrid incident response team
  • Coordinating incident response team
  • Central incident response team
  • Distributed incident response team (CORRECT)

3. Which incident response team staffing model would be appropriate for a small retail store that has just launched an online selling platform and finds it is now under attack? The platform was put together by its very small IT department who has no experience in managing incident response.

  • Migrate all online operations to a cloud service provider so you will not have to worry about further attacks
  • Outsource the monitoring of intrusion detection systems and firewalls to an offsite managed security service provider while leaving the response to detected incidents to current IT staff
  • Use internal IT staff only, forcing them to come up to speed as quickly as possible
  • Completely outsource the incident response work to an onsite contractor with expertise in monitoring and responding to incidents (CORRECT)

4. Which three (3) technical skills are important to have in an organization’s incident response team? (Select 3)

  • Programming (CORRECT)
  • Network administration (CORRECT)
  • System administration (CORRECT)
  • Encryption

Partially correct!

5. Identifying incident precursors and indicators is part of which phase of the incident response lifecycle?

  • Detection & Analysis (CORRECT)
  • Preparation
  • Containment, Eradication & Recovery
  • Post-Incident Activity

6. Automatically isolating a system from the network when malware is detected on that system is part of which phase of the incident response lifecycle?

  • Containment, Eradication & Recovery (CORRECT)
  • Post-Incident Activity
  • Detection & Analysis
  • Preparation

7. According to the IRIS Framework, during which stage of an attack would the attacker send phishing email, steal credentials and establish a foothold in the target network?

  • Continue the attack, expand network access
  • Attack beginnings
  • Continuous phases occur
  • Attack objective execution
  • Launch and execute the attack (CORRECT)

8. According to the IRIS Framework, during which stage of an attack would the attacker execute their final objectives?

  • Attack beginnings
  • Launch and execute the attack
  • Continue the attack, expand network access
  • Continuous phases occur
  • Attack objective execution (CORRECT)

9. According to the IRIS framework, during the first stage of an attack, when the bad actors are conducting external reconnaissance and aligning their tactics, techniques and procedures, what should the IR team be doing as a countermeasure?

  • Implement strong endpoint detection and mitigation strategies
  • Thoroughly examine available forensics to understand attack details, establish mitigation priorities, provide data to law enforcement, and plan risk reduction strategies
  • Build a threat profile of adversarial actors who are likely to target the company (CORRECT)
  • Enforce strong user password policies by enabling multi-factor authentication and restricting the ability to use the same password across systems
  • Analyze all network traffic and endpoints, searching for anomalous behavior

10. According to the IRIS framework, during the fourth phase of an attack, the attackers will attempt to evade detection. What should the IR team be doing as a countermeasure?

  • Thoroughly examine available forensics to understand attack details, establish mitigation priorities, provide data to law enforcement, and plan risk reduction strategies
  • Implement strong endpoint detection and mitigation strategies
  • Enforce strong user password policies by enabling multi-factor authentication and restricting the ability to use the same password across systems
  • Build a threat profile of adversarial actors who are likely to target the company
  • Analyze all network traffic and endpoints, searching for anomalous behavior (CORRECT)

11. True or False. A data breach always has to be reported to law enforcement agencies.

  • True
  • False (CORRECT)

CONCLUSION – Incident Management Response and Cyberattack Frameworks

This concludes a module that addressed incident management: how incidents arise and how to respond to them. That understanding is a good starting point for recognizing and examining particular frameworks that can help you better identify, measure, and counter cyber threats.

Applied realistically, this knowledge can strengthen your defenses against future cyberattacks. The knowledge acquired in this module will serve you well at every step of safeguarding digital assets while minimizing risk.
