Module 2: Incident Response


INTRODUCTION – Incident Response

This module focuses on the specific stages of incident response, the necessity for documentation during incidents, and the essential elements of an incident response policy.

Learning Objectives:

  • Change the hierarchy settings for networks in QRadar.
  • Generate QRadar reports.
  • Investigate QRadar offenses using QRadar SIEM.
  • Summarize how to govern your incident response queue in QRadar SIEM.
  • Enumerate three modern cybersecurity tools: QRadar, McAfee ePolicy Orchestrator (ePO), next-generation firewalls.
  • List common cybersecurity threats.
  • Describe ‘lessons learned’ meetings and other activities associated with post-incident analysis.
  • Recall questions from the Sysadmin, Audit, Network, and Security (SANS) Institute’s checklist for incident response.
  • Describe the aims of the eradication and recovery phases of incident response.
  • Justify why forensics are important in incident containment.
  • Summarize the considerations in selecting an incident containment strategy.
  • List parties that may require notification of a detected incident.
  • Discuss standard topics and categories of impact to include in incident analysis documentation.
  • Describe types of monitoring systems used to detect incidents.
  • Differentiate between precursors and indicators, and list their common sources.
  • Summarize recommended practices in network security systems and applications.
  • Describe the three resource types required for a successful incident response.
  • Recall the essential components of an incident response policy.
  • List common attack vectors for cyber incidents.
  • Discuss departments within an organization that incident response teams should develop working relationships with.
  • Contrast the three possible models of incident response teams.
  • Define incident response, what it is and why it is important.

INCIDENT RESPONSE KNOWLEDGE CHECK

1. Which three (3) of the following are phases of an incident response?

  • Containment, Eradication & Recovery (CORRECT)
  • Post Incident Analysis & Lessons Learned
  • Preparation (CORRECT)
  • Detection & Analysis (CORRECT)

Partially correct!

2. Which statement is true about an event?

  • An incident is defined as an event that takes place at a specific time and place.
  • An incident can lead to an event if it is determined to be a threat.
  • Multiple events of the same type are necessary before they can be considered an incident.
  • An event may be totally benign, like receiving an email. (CORRECT)

3. True or False: A robust automated incident response system should be able to detect and prevent loss from all incidents.

  • True
  • False (CORRECT)

4. Which three (3) are common Incident Response Team models?

  • Distributed (CORRECT)
  • Coordinating (CORRECT)
  • Central (CORRECT)
  • Control

Partially correct!

5. A good automated Incident Response system should be able to detect which three (3) of these common attack vectors?

  • An unauthorized removable drive being attached to the network. (CORRECT)
  • A brute force hacking attack. (CORRECT)
  • A former employee using his knowledge at a competitor company.
  • An email phishing attack. (CORRECT)

Partially correct!

6. Which three (3) of the following are components of an Incident Response Policy?

  • IR Policy testing responsibility. (CORRECT)
  • IR Awareness training.
  • Means, tools and resources available. (CORRECT)
  • Identity of IR team members. (CORRECT)

Partially correct!

7. Contact information, Smart phones, and Secure storage facilities all belong to which Incident Response resource category?

  • Incident Handler Communications and Facilities. (CORRECT)
  • Incident Analysis Resources.
  • Incident Post-Analysis Resources.
  • Incident Analysis Hardware and Software.

8. Which three (3) of the following would be considered an incident detection precursor?

  • Detecting the use of a vulnerability scanner (CORRECT)
  • An announced threat against your organization from an activist group. (CORRECT)
  • An application log showing numerous failed login attempts from an unknown remote system.
  • A vendor notice of a vulnerability to a product you own. (CORRECT)

Partially correct!

9. Which type of monitoring system detects anomalous network traffic but typically does not take action beyond sending an alert to an administrator?

  • IPS
  • IDS (CORRECT)
  • DLP
  • SIEM

10. True or False: The Incident Response team should keep their documentation as concise as possible so only the most important facts take up the attention of the team leadership.

  • True
  • False (CORRECT)

11. What is the proper classification for a data breach that resulted in the exposure of sensitive personally identifiable information (PII)?

  • None
  • Privacy Breach (CORRECT)
  • Proprietary Breach
  • Integrity Loss

12. What is the proper classification for the recovery effort from a breach if you can estimate the total effort required but it will require bringing in additional resources?

  • Regular
  • Extended
  • Supplemented (CORRECT)
  • Not Recoverable

13. During which stage of a comprehensive Containment, Eradication & Recovery strategy does NIST recommend considering the following: Potential damage to and theft of resources, Need for evidence preservation, and Service availability?

  • Containment (CORRECT)
  • Eradication
  • Recovery
  • None of these

14. Which Post Incident activity would include ascertaining exactly what happened and at what times?

  • Utilizing collected data
  • Evidence retention
  • Lessons learned meeting (CORRECT)
  • Documentation review & update

INCIDENT RESPONSE GRADED QUIZ

1. Select the missing phase of Incident Response: Preparation, _____, Containment, Eradication & Recovery, Post Incident Activity.

  • Detection and Analysis (CORRECT)
  • Execution
  • Root Cause Analysis
  • Acquire Data

2. Which statement is true about an incident?

  • An incident is an event that negatively affects IT systems. (CORRECT)
  • An incident is any collection of 3 or more related events.
  • Incidents involved external actors while events involved internal actors.
  • An incident becomes an event if a threat is identified.

3. True or False: A Coordinating Incident Response Team provides advice and guidance to the Distributed IR teams in each department, but generally does not have specific authority over those teams.

  • True (CORRECT)
  • False

4. Which Incident Response Team model describes a team that has authority over all aspects of IR within the entire organization?

  • Distributed
  • Coordinating
  • Central (CORRECT)
  • Control

5. In what way will having a set of predefined baseline questions help you in the event of an incident?

  • Trap the bad actors.
  • Interrogate suspects.
  • Coordinate with other teams and the media. (CORRECT)
  • Avoid events turning into Incidents.

6. Incident Response team resources can be divided into which three (3) of the following categories?

  • Incident Analysis Resources (CORRECT)
  • Incident Handler Communications and Facilities (CORRECT)
  • Incident Post-Analysis Resources
  • Incident Analysis Hardware and Software (CORRECT)

Partially correct!

7. Port lists, Documentation, and Cryptographic hashes all belong to which Incident Response resource category?

  • Incident Post-Analysis Resources
  • Incident Analysis Resources (CORRECT)
  • Incident Analysis Hardware and Software
  • Incident Handler Communications and Facilities

8. Which three (3) of the following would be considered an incident detection indicator?

  • Detecting the use of a vulnerability scanner.
  • An application log showing numerous failed login attempts from an unknown remote system. (CORRECT)
  • A significant deviation from typical network traffic flow patterns. (CORRECT)
  • The discovery of a file containing unusual characters by a system administrator. (CORRECT)

Partially correct!

9. Which type of monitoring system analyzes logs and events in real time?

  • IPS
  • IDS
  • DLP
  • SIEM (CORRECT)

10. True or False: Highly detailed and thorough documentation is needed to support the analysis of current and future incidents.

  • True (CORRECT)
  • False

11. What is the proper classification for a breach that results in sensitive or proprietary information being changed or deleted?

  • Proprietary Breach
  • Privacy Breach
  • Integrity Loss (CORRECT)
  • None

12. What is the proper classification for the recovery effort from a breach if sensitive data was stolen and posted on a public web site?

  • Not Recoverable (CORRECT)
  • Supplemented
  • Regular
  • Extended

13. During which stage of a comprehensive Containment, Eradication & Recovery strategy does NIST recommend considering the following: Eliminate components of the incident, Disable compromised accounts, and Identify and mitigate vulnerabilities?

  • Containment
  • Eradication (CORRECT)
  • Recovery
  • None of these.

14. Which Post Incident activity would include reviewing response times, which systems were impacted and other metrics associated with the incident?

  • Lessons learned meeting 
  • Evidence retention
  • Documentation review & update
  • Utilizing collected data (CORRECT)

CONCLUSION – Incident Response

To conclude, this module has offered a comprehensive overview of what incident response is, its phases, the critical role of documentation, and the key elements that make up an effective incident response policy.

You should now be better prepared to respond competently and efficiently to security incidents within your own organization.
