Chapter 22
What two components are necessary for successful incident response?
Knowledge of one's own systems and knowledge of the adversary
Which term refers to the examination of machines to determine what operating systems, services, and vulnerabilities exist?
Scanning
What is the primary factor to assess in determining the level of incident response?
Information criticality
What is the first rule of incident response investigation?
Do no harm
Detecting that a security event is occurring or has occurred is an easy matter. True/False
False
Which indicator of compromise (IOC) standard is a method of information sharing developed by MITRE?
Cyber Observable Expression (CybOX)
All data is equally important, and thus equally damaging in the event of loss. True/False
False
Data storage should be governed by what you can store. True/False
False
What is a key guideline to follow when designing incident response procedures?
Include appropriate business personnel
How do most advanced persistent threats (APTs) begin?
Most APTs begin through a phishing or spear phishing attack
What should an incident response team do when they are notified of a potential incident?
The team should confirm the existence, scope, and magnitude of the event and then respond accordingly
How is quarantine accomplished?
Through the erection of firewalls that restrict communication between machines
A common technical mistake during the initial response to an incident is "killing" rogue processes. True/False
True
Blocking lateral movement can defeat APT-style attacks from spreading through a network and can limit their stealth. True/False
True
Recovery is the return of the asset to its business function. True/False
True
