Chapter 8 Recovery and Post-Incident Response
Which one of the phases of incident response involves primarily active undertakings designed to limit the damage that an attacker might cause? A. Containment, Eradication and Recovery B. Preparation C. Post-Incident Activity D. Detection and Analysis
A. Containment, Eradication and Recovery Explanation: The containment, eradication and recovery phase of incident response includes active undertakings designed to minimize the damage caused by the incident and restore normal operations as quickly as possible.
Joe would like to determine the appropriate disposition of a flash drive used to gather highly sensitive evidence during an incident response effort. He does not need to reuse the drive but wants to return it to its owner, an outside contractor. What is the appropriate disposition? A. Destroy B. Clear C. Erase D. Purge
A. Destroy Explanation: The data disposition flowchart in Figure 8.7 directs that any media containing highly sensitive information that will leave the control of the organization must be destroyed. Joe should purchase a new replacement device to provide to the contractor.
Ben is responding to a security incident and determines that the attacker is using systems on Ben's network to attack a third party. Which one of the following containment approaches will prevent Ben's systems from being used in this manner? A. Removal B. Isolation C. Detection D. Segmentation
A. Removal Explanation: Only removal of the compromised system from the network will stop the attack against other systems. Isolated and/or segmented systems are still permitted access to the Internet and could continue their attack. Detection is a purely passive activity that does not disrupt the attacker at all.
Which one of the following is not a purging activity? A. Resetting to factory state B. Overwriting C. Block erase D. Cryptographic erase
A. Resetting to factory state Explanation: Resetting a device to factory state is an example of a data clearing activity. Data purging activities include overwriting, block erase, and cryptographic erase activities when performed through the use of dedicated, standardized device commands.
Which one of the following tools may be used to isolate an attacker so that he or she may not cause damage to production systems but may still be observed by a cybersecurity analyst? A. Sandbox B. Playpen C. IDS D. DLP
A. Sandbox Explanation: Sandboxes are isolation tools used to contain attackers within an environment where they believe they are conducting an attack but in reality are operating in a benign environment.
Which one of the following is not typically found in a cybersecurity incident report? A. Chronology of events B. Identity of the attacker C. Estimates of impact D. Documentation of lessons learned
B. Identity of the attacker Explanation: Incident reports should include a chronology of events, estimates of the impact, and documentation of lessons learned, in addition to other information. Incident response efforts should not normally focus on uncovering the identity of the attacker, so this information would not be found in an incident report.
Which one of the following activities is not normally conducted during the recovery validation phase? A. Verify the permissions assigned to each account B. Implement new firewall rules C. Conduct vulnerability scans D. Verify logging is functioning properly
B. Implement new firewall rules Explanation: New firewall rules, if required, would be implemented during the eradication and recovery phase. The validation phase includes verifying accounts and permissions, verifying that logging is working properly, and conducting vulnerability scans.
Alice confers with other team members and decides that even allowing limited access to other systems is an unacceptable risk. She decides instead to prevent the quarantine VLAN from accessing any other systems by putting firewall rules in place that limit access to other enterprise systems. The attacker can still control the system, allowing Alice to continue monitoring the incident. What strategy is she now pursuing? A. Eradication B. Isolation C. Segmentation D. Removal
B. Isolation Explanation: In the isolation strategy, the quarantine network is directly connected to the Internet or restricted severely by firewall rules so that the attacker may continue to control it but not gain access to any other networked resources.
Which one of the following is not a common use of formal incident reports? A. Training new team members B. Sharing with other organizations C. Developing new security controls D. Assisting with legal action
B. Sharing with other organizations Explanation: There are many potential uses for written incident reports. First, they create an institutional memory of the incident that is useful when developing new security controls and training new security team members. Second, they may serve as an important record of the incident if there is ever legal action that results from the incident. These reports should be classified and not disclosed to external parties.
Tamara is a cybersecurity analyst for a private business that is suffering a security breach. She believes the attackers have compromised a database containing sensitive information. Which one of the following activities should be Tamara's first priority? A. Identifying the source of the attack B. Eradication C. Containment D. Recovery
C. Containment Explanation: Tamara's first priority should be containing the attack. This will prevent it from spreading to other systems and also potentially stop the exfiltration of sensitive information. Only after containing the attack should Tamara move on to eradication and recovery activities. Identifying the source of the attack should be a low priority.
Which one of the following criteria is not normally used when evaluating the appropriateness of a cybersecurity incident containment strategy? A. Effectiveness of the strategy B. Evidence preservation requirements C. Log records generated by the strategy D. Cost of the strategy
C. Log records generated by the strategy Explanation: NIST recommends using six criteria to evaluate a containment strategy: the potential damage to resources, the need for evidence preservation, service availability, time and resources required (including cost), effectiveness of the strategy, and duration of the solution.
Lynda is disposing of a drive containing sensitive information that was collected during the response to a cybersecurity incident. The information is categorized as a high security risk and she wishes to reuse the media during a future incident. What is the appropriate disposition for this information? A. Clear B. Erase C. Purge D. Destroy
C. Purge Explanation: Lynda should consult the flowchart that appears in Figure 8.7. Following that chart, the appropriate disposition for media that contains high security risk information and will be reused within the organization is to purge it.
Which one of the following pieces of information is most critical to conducting a solid incident recovery effort? A. Identity of the attacker B. Time of the attack C. Root cause of the attack D. Attacks on other organizations
C. Root cause of the attack Explanation: Understanding the root cause of an attack is critical to the incident recovery effort. Analysts should examine all available information to help reconstruct the attacker's actions. This information is critical to remediating security controls and preventing future similar attacks.
Alice is responding to a cybersecurity incident and notices a system that she suspects is compromised. She places this system on a quarantine VLAN with limited access to other networked systems. What containment strategy is Alice pursuing? A. Eradication B. Isolation C. Segmentation D. Removal
C. Segmentation Explanation: In a segmentation approach, the suspect system is placed on a separate network where it has very limited access to other networked resources.
What incident response activity focuses on removing any artifacts of the incident that may remain on the organization's network? A. Containment B. Recovery C. Post-Incident Activities D. Eradication
D. Eradication Explanation: The primary purpose of eradication is to remove any of the artifacts of the incident that may remain on the organization's network. This may include the removal of any malicious code from the network, the sanitization of compromised media, and the securing of compromised user accounts.
Which one of the following data elements would not normally be included in an evidence log? A. Serial number B. Record of handling C. Storage location D. Malware signatures
D. Malware signatures Explanation: Malware signatures would not normally be included in an evidence log. The log would typically contain identifying information (i.e. the location, serial number, model number, hostname, MAC address, and IP addresses of a computer); the name, title and phone number of each individual who collected or handled the evidence during the investigation; the time and date of each occurrence of evidence handling; and the location where the evidence was stored.
Sondra determines that an attacker has gained access to a server containing critical business files and wishes to ensure that the attacker cannot delete those files. Which one of the following strategies would meet Sondra's goal? A. Isolation B. Segmentation C. Removal D. None of the above
D. None of the above Explanation: Even removing a system from the network doesn't guarantee that the attack will not continue. In the example given in this chapter, an attacker can run a script on the server that detects when it has been removed from the network and then proceeds to destroy data stored on the server.
After observing the attacker, Alice decides to remove the Internet connection entirely, leaving the system running but inaccessible from outside the quarantine VLAN. What strategy is she now pursuing? A. Eradication B. Isolation C. Segmentation D. Removal
D. Removal Explanation: In the removal approach, Alice keeps the system running for forensic purposes but completely cuts off its access to or from other networks, including the Internet.
What NIST publication contains guidance on cybersecurity incident handling? A. SP 800-53 B. SP 800-88 C. SP 800-18 D. SP 800-61
D. SP 800-61 Explanation: NIST SP 800-61 is the Computer Security Incident Handling Guide. NIST SP 800-53 is Security and Privacy Controls for Federal Information Systems and Organizations. NIST SP 800-88 is Guidelines for Media Sanitization. NIST SP 800-18 is the Guide for Developing Security Plans for Federal Information Systems.
Which one of the following activities does CompTIA classify as part of the recovery validation effort? A. Rebuilding systems B. Sanitization C. Secure disposal D. Scanning
D. Scanning Explanation: CompTIA includes patching, permissions, security scanning, and verifying logging/communication to monitoring in the set of validation activities that cybersecurity analysts should undertake in the aftermath of a security incident.