Cyber Threat Management (Module 6)
business continuity plan
The company you work for has asked you to create a broad plan that includes DRP and getting critical systems to another location in case of disaster. What type of plan are you being asked to create?
a knowledge base of threat actor behavior
What is a MITRE ATT&CK framework?
It details how incidents should be handled based on the organizational mission and functions.
What is the purpose of the policy element in a computer security incident response capability of an organization, as recommended by NIST?
action on objectives
A threat actor has gained administrative access to a system and achieved the goal of controlling the system for a future DDoS attack by establishing a communication channel with a CnC owned by the threat actor. Which phase in the Cyber Kill Chain model describes the situation?
What is the process?, Where does the individual perform the process?, Who is responsible for the process?
A user is asked to create a disaster recovery plan for a company. The user needs to have a few questions answered by management to proceed. Which three questions should the user ask management as part of the process of creating the plan?
examination
According to NIST, which step in the digital forensics process involves extracting relevant information from data?
weaponization
After a threat actor completes a port scan of the public web server of an organization and identifies a potential vulnerability, what is the next phase for the threat actor in order to prepare and launch an attack as defined in the Cyber Kill Chain?
Use clean and recent backups to recover hosts, Rebuild hosts with installation media if no backups are available, Update and patch the operating system and installed software of all hosts.
After containing an incident that infected user workstations with malware, what are three effective remediation procedures that an organization can take for eradication?
Develop metrics for measuring the incident response capability and its effectiveness.
Which action should be included in a plan element that is part of a computer security incident response capability (CSIRC)?
resources
Which meta-feature element in the Diamond Model describes tools and information (such as software, black hat knowledge base, username and password) that the adversary uses for the intrusion event?
It identifies the steps that adversaries must complete to accomplish their goals
Which statement describes the Cyber Kill Chain?
capability
Which term is used in the Diamond Model of intrusion to describe a tool that a threat actor uses toward a target system?
Use an Internet search engine to gain additional information about the attack, Validate the IP address of the threat actor to determine if it is viable
Which two actions can help identify an attacking host during a security incident?