27.6 Digital Forensics and Incident Analysis and Response Quiz

After containing an incident that infected user workstations with malware, what are three effective remediation procedures that an organization can take for eradication?

- Update and patch the operating system and installed software of all hosts.
- Rebuild hosts with installation media if no backups are available.
- Use clean and recent backups to recover hosts.

Which two actions can help identify an attacking host during a security incident?

- Use incident databases to research related activity.
- Validate the IP address of the threat actor to determine if it is a viable one.
- Use an Internet search engine to gain additional information about the attack.
- Monitor the communication channels that some threat actors use, such as IRC.

What is the purpose of the policy element in a computer security incident response capability of an organization, as recommended by NIST?

It details how incidents should be handled based on the organizational mission and functions.

Which statement describes the Cyber Kill Chain?

It identifies the steps that adversaries must complete to accomplish their goals.

A user is asked to create a disaster recovery plan for a company. The user needs to have a few questions answered by management to proceed. Which three questions should the user ask management as part of the process of creating the plan?

- What is the process?
- Who is responsible for the process?
- Where does the individual perform the process?

What is a MITRE ATT&CK framework?

a knowledge base of threat actor behavior

A threat actor has gained administrative access to a system and achieved the goal of controlling the system for a future DDoS attack by establishing a communication channel with a CnC owned by the threat actor. Which phase in the Cyber Kill Chain model describes the situation?

action on objectives

The company you work for has asked you to create a broad plan that includes DRP and getting critical systems to another location in case of disaster. What type of plan are you being asked to create?

business continuity plan

Which term is used in the Diamond Model of intrusion to describe a tool that a threat actor uses toward a target system?

capability

According to NIST, which step in the digital forensics process involves extracting relevant information from data?

examination

Which meta-feature element in the Diamond Model describes tools and information (such as software, black hat knowledge base, username and password) that the adversary uses for the intrusion event?

resources

After a threat actor completes a port scan of the public web server of an organization and identifies a potential vulnerability, what is the next phase for the threat actor in order to prepare and launch an attack as defined in the Cyber Kill Chain?

weaponization
