Test Your Knowledge Questions Course 2, Module 4: Incident Response


Which of the following statements accurately describe playbooks?

A playbook improves efficiency when identifying and mitigating an incident. A playbook can be used to respond to an incident. A playbook is an essential tool used in cybersecurity.

Which action can a security analyst take when they are assessing a SIEM alert?

An action that a security analyst can take when they are assessing a SIEM alert is to analyze log data and related metrics. This helps in identifying why the alert was generated by the SIEM tool and determining if the alert is valid.

A security analyst reports to stakeholders about a security breach. They provide details based on the organization's established standards. What phase of an incident response playbook does this scenario describe?

Coordination

Fill in the blank: During the _____ phase, security professionals use tools and strategies to determine whether a breach has occurred and to evaluate its potential magnitude.

During the detection and analysis phase, security professionals use tools and strategies to determine whether a breach has occurred and to evaluate its potential magnitude.

In the event of a security incident, when would it be appropriate to refer to an incident response playbook?

In the event of a security incident, it is appropriate to refer to an incident response playbook throughout the entire incident. An incident response playbook is a guide with six phases used to help mitigate and manage security incidents from beginning to end.

In which incident response playbook phase would a security team document an incident to ensure that their organization is better prepared to handle future security events?

In the post-incident activity phase, a security team documents an incident to ensure that their organization is better prepared to handle future incidents.

Why is the containment phase of an incident response playbook a high priority for organizations?

It helps prevent ongoing risks to critical assets and data.

Fill in the blank: Once a security incident is resolved, security analysts perform various post-incident activities and _____ efforts with the security team.

Once a security incident is resolved, security analysts perform various post-incident activities and coordination efforts with the security team. Coordination involves reporting incidents and sharing information based on established standards.

Playbooks are permanent, best-practice documents, so a security team should not make changes to them.

Playbooks are living documents, so a security team will make frequent changes, updates, and improvements to address new threats and vulnerabilities.

A security analyst establishes incident response procedures. They also educate users on what to do in the event of a security incident. What phase of an incident response playbook does this scenario describe?

Preparation

In what ways do SIEM tools and playbooks help security teams respond to an incident?

SIEM alerts inform security teams of potential threats. SIEM tools analyze data. SIEM tools and playbooks work together to provide an efficient way of handling security incidents.

What is the relationship between SIEM tools and playbooks?

SIEM tools and playbooks work together to provide a structured and efficient way of responding to security incidents.

A business recently experienced a security breach. Security professionals are currently restoring the affected data using a clean backup that was created before the incident. What playbook phase does this scenario describe?

This scenario describes eradication and recovery. This phase involves removing the incident's artifacts and restoring the affected environment to a secure state.

Fill in the blank: A security team _____ their playbook frequently by learning from past security incidents, then refining policies and procedures.

Updates

Fill in the blank: Incident response is an organization's quick attempt to _____ an attack, contain the damage, and correct its effects.

identify

Fill in the blank: During the _____ phase, security teams may conduct a full-scale analysis to determine the root cause of an incident and use what they learn to improve the company's overall security posture.

post-incident activity
