Ch. 22: Incident Response - Quiz
Which infection method involves planting malware on a website that the victim employees will likely visit?
remote-access trojan (RAT) attack
Which term refers to the examination of machines to determine what operating systems, services, and vulnerabilities exist?
scanning
How is quarantine accomplished?
through the erection of firewalls that restrict communication between machines
Which indicator of compromise (IOC) standard is a method of information sharing developed by MITRE?
Cyber Observable Expression (CybOX)
What is the first rule of incident response investigation?
Do no harm.
All data is equally important, and thus equally damaging in the event of loss. True or False?
False
Data storage should be governed by what you can store. True or False?
False
Detecting that a security event is occurring or has occurred is an easy matter. True or False?
False
Large organizations typically have the resources to protect everything against all threats. True or False?
False
Operating in a state of compromise means that one must suffer significant losses. True or False?
False
How do most advanced persistent threats (APTs) begin?
Most APTs begin through a phishing or spear phishing attack.
A common technical mistake during the initial response to an incident is "killing" rogue processes. True or False?
True
What is the primary factor to assess in determining the level of incident response?
information criticality
Which attack type is common, and to a degree, relatively harmless?
port scan
What tool is the protocol/standard for the collection of network metadata on the flows of network traffic?
NetFlow
What is a key guideline to follow when designing incident response procedures?
Include appropriate business personnel.
Which indicator of compromise (IOC) standard is an open-source initiative established by Mandiant that is designed to facilitate rapid communication of specific threat information associated with known threats?
OpenIOC
What should an incident response team do when they are notified of a potential incident?
The team should confirm the existence, scope, and magnitude of the event and then respond accordingly.
Blocking lateral movement can defeat advanced persistent threat (APT)-style attacks from spreading through a network and can limit their stealth. True or False?
True
Data breaches can be mitigated through minimization and encryption efforts. True or False?
True
Information criticality is defined as the relative importance of specific information to the business. True or False?
True
Recovery is the return of the asset to its business function. True or False?
True
What are the two components comprising information criticality?
data classification and quantity of data involved
In an "old school" attack, which step is a listing of the systems and vulnerabilities to build an attack game plan?
enumeration
What two components are necessary for successful incident response?
knowledge of one's own systems and knowledge of the adversary
