Security+ Chapter 17 - Performing Incident Response

What configuration change could you make to prevent misuse of a developer account?

Disable the account.

A technician is seeing high volumes of 403 Forbidden errors in a log. What type of network appliance or server is producing these logs?

403 Forbidden is an HTTP status code, so most likely a web server. Another possibility is a web proxy or gateway.

What type of data source(s) would you look for evidence of a suspicious MTA in?

A Message Transfer Agent (MTA) is an SMTP server. You might inspect an SMTP log or the Internet header metadata of an email message.

A threat actor gained access to a remote network over a VPN. Later, you discover footage of the user of the hacked account being covertly filmed while typing their password. What type of endpoint security solution might have prevented this breach?

A mobile device management (MDM) suite can prevent use of the camera function of a smartphone.

Your consultancy includes a training segment. What type of incident response exercise will best represent a practical incident handling scenario?

A simulation exercise creates an actual intrusion scenario, with a red team performing the intrusion and a blue team attempting to identify, contain, and eradicate it.

True or false? SOAR is intended to provide wholly automated incident response solutions.

False—incident response is too complex to be wholly automated. SOAR assists the provision of runbooks, which orchestrates the sequence of response and automate parts of it, but still requires decision-making from a human responder.

True or false? It is important to publish all security alerts to all members of staff.

False—security alerts should be sent to those able to deal with them at a given level of security awareness and on a need-to-know basis.

True or false? The "first responder" is whoever first reports an incident to the CIRT.

False—the first responder would be the member of the CIRT to handle the report.

You are supporting a SIEM deployment at a customer's location. The customer wants to know whether flow records can be ingested. What type of data source is a flow record?

Flow records are generated by NetFlow or IP Flow Information Export (IPFIX) probes. A flow record is data that matches a flow record, which is a particular combination of keys (IP endpoints and protocol/port types).

Which attack framework provides descriptions of specific TTPs?

MITRE's ATT&CK framework.

Which software tool is most appropriate for forwarding Windows event logs to a Syslog-compatible server?

NXlog is designed as a multi-platform logging system.

What low-level networking feature will facilitate a segmentation-based approach to containing intrusion events?

Network segmentation is primarily achieved by virtual LANs (VLANs). A VLAN can be isolated from the rest of the network.

What are the 6 parts of Incident Response Proccess

Preparation Identification Containment Eradication Recovery Lessons Learned

What are the six phases of the incident response life cycle?

Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.

You are providing security consultancy to assist a company with improving incident response procedures. The business manager wants to know why an out-of-band contact mechanism for responders is necessary. What do you say

The response team needs a secure channel to communicate over without alerting the threat actor. There may also be availability issues with the main communication network, if it has been affected by the incident.

You are investigating a client workstation that has not obtained updates to its endpoint protection software for days. On the workstation you discover thousands of executable files with random names. The local endpoint log reveals that all of them have been scanned and identified as malware. You can find no evidence of any further intrusion on the network. What is the likely motive of the threat actor?

This could be an offline tainted data attack against the endpoint software's identification engine.

Following a loss of critical IP exfiltrated from the local network to a public cloud storage network, you decide to implement a type of outbound filtering system. Which technology is most suitable for implementing the filter?

This task is suited to data loss prevention (DLP), which can block the transfer of tagged content over unauthorized channels.

You need to correlate intrusion detection data with web server log files. What component must you deploy to collect IDS alerts in a SIEM?

You need to deploy a sensor to send network packet captures or intrusion detection alerts to the SIEM.

What is meant by "Lessons Learned"?

analyze the incident and responses to identify whether procedures or systems could be improved. IT IS IMPORTANT THAT IT IS DOCUMENTED

Concerning Incident Response Exercises, What is a Walkthrough?

facilitator presents the scenario as for a tabletop exercise, but the incident responders demonstrate what actions they would take in response

Concerning Incident Response Exercises, What is a Simulation?

team-based exercise, where the red team attempts an intrusion, the blue team operates response and recovery controls, and a white team moderates and evaluates the exercise - Most Expensive

Concerning Incident Response Exercises, What is Tabletop

this is the least costly type of training. The facilitator presents a scenario and the responders explain what action they would take