CySA+ Ch 14 Containment, Eradication, and Recovery
Ben is responding to a security incident and determines that the attacker is using systems on Ben's network to attack a third party. Which one of the following containment approaches with prevent Ben's systems from being used in this manner? A. Removal B. Isolation C. Detection D. Segmentation
A -Removal Only removal of the compromised system from the network will stop the attack against other systems. Isolated and/or segmented systems are still permitted access to the Internet and could continue their attack. Detection is a purely passive activity that does not disrupt the attacker at all.
Which one of the phases of incident response involves primarily active undertakings designed to limit the damage that an attacker might cause? A. Containment, Eradication, and Recovery B. Preparation C. Post incident Activity D. Detection and Analysis
A-Containment, Eradication, and Recovery The containment, eradication and recovery phase of incident response includes active undertakings designed to minimize the damage caused by the incident and restore normal operations as quickly as possible.
Joe would like to determine the appropriate disposition of a flash drive used to gather highly sensitive evidence during an incident response effort. He does not need to reuse the drive but wants to return it to its owner, an outside contractor. What is the appropriate disposition? A. Destroy B. Clear C. Erase D. Purge
A-Destroy The data disposition flowchart directs that any media containing highly sensitive information that will leave the control of the organization must be destroyed. Joe should purchase a new replacement device to provide to the contractor.
Which one of the following is not a purging activity? A. Resetting to factory state B. Overwriting C. Block erase D. Cryptographic erase
A-Resetting to factory state Resetting a device to factory state is an example of a data clearing activity. Data purging activities include overwriting, block erase, and cryptographic erase activities when performed through the use of dedicated, standardized device commands.
Which one of the following tools may be used to isolate an attacker so that they may not cause damage to production systems but may still be observed by cybersecurity analysts? A. Sandbox B. Playpen C. IDS D. DLP
A-Sandbox Sandboxes are isolation tools used to contain attackers within an environment where they believe they are conducting an attack but, in reality, are operating in a benign environment.
Which one of the following activities is not normally conducted during the recovery validation phase? A. Verify the permissions assigned to each account B. Implement new firewall rules C. Conduct vulnerability scans D. Verify logging is functioning properly
B- Implement new firewall rules New firewall rules, if required, would be implemented during the eradication and recovery phase. The validation phase includes verifying accounts and permissions, verifying that logging is working properly, and conducting vulnerability scans.
Which one of the following is not typically found in a cybersecurity incident report? A. Chronology of events B. Identity of the attacker C. Estimates of impact D. Documentation of lessons learned
B-Identity of the attacker Incident reports should include a chronology of events, estimates of the impact, and the documentation of lessons learned, in addition to their information. Incident response efforts should not normally focus on uncovering the identity of the attacker, so this information would not be found in an incident report.
Alice confers with other team members and decides that even allowing limited access to other systems is an unacceptable risk and decides instead to prevent the quarantine VLAN from accessing any other systems by putting firewall rules in place that limit access to other enterprise systems. The attacker can still control the system to allow Alice to continue monitoring the incident. What strategy is she pursuing? A. Eradication B. Isolation C. Segmentation D. Removal
B-Isolation In the isolation strategy, the quarantine network is directly connected to the Internet or restricted severely by firewall rules so that the attacker may continue to control it but not gain access to any other networked resources.
Which one of the following is not a common use of formal incident reports? A. Training new team members B. Sharing with other organizations C. Developing new security controls D. Assisting with legal action
B-Sharing with other organizations There are many potential uses for written incident reports. First, it creates an institutional memory of the incident that is useful when developing new security controls and training new security team members. Second, it may serve as an important record of the incident if there is legal action that results from the incident. These reports should be classified and not disclosed to external parties.
Tamara is a cybersecurity analyst for a private business that is suffering a security breach. She believes the attackers have compromised a database containing sensitive information. Which one of the following activities should be Tamara's first priority? A. Identifying the source of the attack B. Eradication C. Containment D. Recovery
C- Containment Tamara's first priority should be containing the attack. This will prevent it fro spreading to other systems and also potentially stop the exfiltration of sensitive information. Only after containing the attack should Tamara move on to eradication and recovery activities. Identifying the source of the attack should be a low priority.
Lynda is disposing of a drive containing sensitive information that was collected during the response to a cybersecurity incident. The information is categorized as a high security risk and she wishes to reuse the media during a future incident. What is the appropriate disposition for this information? A. Clear B. Erase C. Purge D. Destroy
C- Purge Lynda should consult the disposal flowchart. Following that chart, the appropriate disposition for media that contains high security risk information and will be reused within the organization is to purge it.
Which one of the following pieces of information is most critical to conducting a solid incident recovery effort? A. Identity of the attacker B. Time of the attack C. Root cause of the attack D. Attacks on other organizations
C- Root cause of the attack Understanding the root cause of an attack is critical to the incident recovery effort. Analysts should examine all available information to help reconstruct the attacker's actions. This information is crucial to remediating security controls and preventing future similar attacks.
Alice is responding to a cybersecurity incident and notices a system that she suspects is compromised. She places this system on a quarantine VLAN with limited access to other networked systems. What containment strategy is Alice pursuing? A. Eradication B. Isolation C. Segmentation D. Removal
C- Segmentation In segmentation approach, the suspect system is placed on a separate network, where it has very limited access to other networked resources.
Which one of the following criteria is not normally used when evaluating the appropriateness of a cybersecurity incident containment strategy? A. Effectiveness of the strategy B. Evidence preservation requirements C. Log records generated by the strategy D. Cost of the strategy
C-Evidence preservation requirements NIST recommends using six criteria to evaluate a containment strategy; the potential damage to resources, the need for evidence preservation, service availability, time and resources required (including cost), effectiveness of the strategy, and duration of the solution.
What incident response activity focuses on removing any artifacts of the incident that may remain on the organization's network? A. Containment B. Recovery C. Postincident Activities D. Eradication
D- The primary purpose of eradication is to remove any of the artifacts of the incident that ma remain on the organization's network. This may include the removal of any malicious code from the network, the sanitization of compromised media, and the securing of compromised user accounts.
Which one of the following data elements would not normally be included in an evidence log? A. Serial Number B. Record of handling C. Storage location D. Malware signatures
D- Malware signatures Malware signatures would not normally be included in an evidence log. The log would typically contain identifying information (e.g., the location, serial number, model number, hostname, MAC addresses and IP addresses of a computer), the , title and phone number of each individual who collected or handled the evidence during the investigation, the time and date (including time zone) of each occurrence of evidence handling, and the locations where the evidence was stored.
Which one of the following activities does CompTIA classify as part of the recovery validation efforts? A. Rebuilding systems B. Sanitization C. Secure disposal D. Scanning
D- Scanning CompTIA includes patching, permissions, security scanning, and verifying logging/communication to monitoring in the set of validation activities that cybersecurity analysts should undertake in the aftermath of a security incident.
Sondra determines that an attacker has gained access to a server containing critical business files and wishes to ensure that the attacker cannot delete those files. What strategy would meet Sondra's goal? A. Isolation B. Segmentation C. Removal D. None of the above
D-None of the above Even removing a system from the network doesn't guarantee that the attack will not continue. In the example given in this chapter, an attacker can run a script on the server that detects when it has been removed from the network and then proceeds to destroy data stored on the server.
After observing the attacker, Alice decides to remove the Internet connection entirely, leaving he system running but inaccessible from outside the quarantine VLAN. What strategy is she now pursuing? A. Eradiction B. Isolation C. Segmentation D. Removal
D-Removal In the removal approach, Alice keeps the systems running for forensic purposes but completely cuts off their access to or from other networks, including the internet.
What NIST publication contains guidance on cybersecurity incident handling? A. SP 800-53 B. SP 800-88 C. SP 800-18 D. SP 800-61
D-SP 800-61 NIST SP 800-61 is the Computer Security Incident Handling Guide. NIST SP 800-53 is Security and Privacy Controls for Federal Information Systems and Organizations. NIST SP 800-88 is Guidelines for Media Sanitization. NIST SP 800-18 is the Guide for Developing Security Plans for Federal Information Systems.