Play It Safe: Manage Security Risks - Module 4


C

A business recently experienced a security breach. Security professionals are currently restoring the affected data using a clean backup that was created before the incident. What playbook phase does this scenario describe? A. Post-incident activity B. Containment C. Eradication and recovery D. Detection and analysis

A

A security analyst wants to ensure an organized response and resolution to a security breach. They share information with key stakeholders based on the organization's established standards. What phase of an incident response playbook does this scenario describe? A. Coordination B. Containment C. Detection and analysis D. Eradication and recovery

B

A security analyst wants to set the foundation for successful incident response. They outline roles and responsibilities of each security team member. What phase of an incident response playbook does this scenario describe? A. Post-incident activity B. Preparation C. Detection and analysis D. Containment

D

A security team is considering what they learned during past security incidents. They also discuss ways to improve their security posture and refine response strategies for future incidents. What is the security team's goal in this scenario? A. Delete biometric data B. Educate clients C. Assess employee performance D. Update a playbook

A

After you've taken all the necessary steps outlined in your organization's playbook to resolve the incident, what should you do? A.Communicate the incident to stakeholders B.Restore affected data using a clean backup C. Investigate the suspicious file download

C

Fill in the blank: During the _____ phase, security professionals use tools and strategies to determine whether a breach has occurred and to evaluate its potential magnitude. A. Containment B. Coordination C. Detection and analysis D. Preparation

A

Fill in the blank: During the _____ phase, security teams may conduct a full-scale analysis to determine the root cause of an incident and use what they learn to improve the company's overall security posture. A. Post-incident activity B. Detection and analysis C. Eradication and recovery D. Containment

D

Fill in the blank: Incident response is an organization's quick attempt to _____ an attack, contain the damage, and correct its effects. A. Expand B. Disclose C. Ignore D. Identify

D

Fill in the blank: Once a security incident is resolved, security analysts perform various post-incident activities and _____ efforts with the security team. A. Eradication B. Detection C. Preparation D. Coordination

D

In the event of a security incident, when would it be appropriate to refer to an incident response playbook? A. Only prior to the incident occurring B. At least one month after the incident is over C. Only when the incident first occurs D. Throughout the entire incident

B, C, D

In what ways do SIEM tools and playbooks help security teams respond to an incident? Select all that apply. A. Playbooks analyze data to detect threats. B. SIEM tools collect data. C. SIEM tools generate alerts. D. After receiving a SIEM alert, security teams use playbooks to guide their response process.

C

In which incident response playbook phase would a security team document an incident to ensure that their organization is better prepared to handle future security events? A. Containment B. Eradication and recovery C. Post-incident activity D. Coordination

Preparation - Detection and analysis - Containment - Eradication and recovery - Post-incident activity. Coordination (reporting incidents and sharing information based on established standards) is the sixth phase and runs throughout the entire response process rather than at one fixed point.

Name all of the incident response playbook phases in order

False

Playbooks are permanent, best-practice documents, so a security team should not make changes to them. True False

living documents

Playbooks should be treated as _________ _________ , which means that they are frequently updated by security team members to address industry changes and new threats. Playbooks are generally managed as a collaborative effort, since security team members have different levels of expertise.

SOAR

These tools are similar to SIEM tools in that they are used for threat monitoring. It is a piece of software used to automate repetitive tasks generated by tools such as a SIEM or managed detection and response (MDR). For example, if a user attempts to log into their computer too many times with the wrong password, this tool would automatically block their account to stop a possible intrusion. Then, analysts would refer to a playbook to take steps to resolve the issue.
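As an added example (not from the course or from any SOAR product), the automation rule described above, run over constructed SIEM-style log lines: failed logins per user are counted inside a sliding time window, an account that crosses the threshold is marked for automated blocking, and the resulting alert is handed off with the playbook phases the analyst still has to walk. The log format, the field names, and the threshold of 5 failures in 10 minutes are assumptions chosen for the example.

```python
"""Toy SOAR-style automation: threshold failed logins per user and hand off to the playbook."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (not from a real SIEM); the key=value format is assumed.
SAMPLE_LOGS = [
    "2024-05-01T09:00:01Z host=ws-12 user=alice event=LOGIN_FAILED src=10.0.0.5",
    "2024-05-01T09:00:05Z host=ws-12 user=alice event=LOGIN_FAILED src=10.0.0.5",
    "2024-05-01T09:00:09Z host=ws-12 user=alice event=LOGIN_FAILED src=10.0.0.5",
    "2024-05-01T09:00:12Z host=ws-12 user=alice event=LOGIN_FAILED src=10.0.0.5",
    "2024-05-01T09:00:15Z host=ws-12 user=alice event=LOGIN_FAILED src=10.0.0.5",
    "2024-05-01T09:00:20Z host=ws-07 user=bob event=LOGIN_FAILED src=10.0.0.9",
    "2024-05-01T09:00:30Z host=ws-07 user=bob event=LOGIN_SUCCESS src=10.0.0.9",
    "2024-05-01T09:10:00Z host=ws-07 user=bob event=LOGIN_FAILED src=10.0.0.9",
    "2024-05-01T09:25:00Z host=ws-07 user=bob event=LOGIN_FAILED src=10.0.0.9",
    "2024-05-01T09:40:00Z host=ws-07 user=bob event=LOGIN_FAILED src=10.0.0.9",
    "2024-05-01T09:55:00Z host=ws-07 user=bob event=LOGIN_FAILED src=10.0.0.9",
    "2024-05-01T10:10:00Z host=ws-07 user=bob event=LOGIN_FAILED src=10.0.0.9",
]

# Assumed rule parameters: 5 failures inside a 10-minute sliding window.
THRESHOLD = 5
WINDOW_MINUTES = 10

# Playbook phases the analyst works through after the automated block (order from the course).
PLAYBOOK_PHASES = [
    "Detection and analysis",
    "Containment",
    "Eradication and recovery",
    "Post-incident activity",
]


def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict with a parsed 'ts' datetime."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_bruteforce(lines, threshold=THRESHOLD, window_minutes=WINDOW_MINUTES):
    """Return one alert per user whose failed logins hit the threshold inside the window.

    A successful login clears that user's failure window; once a user is blocked,
    later events for that user are ignored so the rule fires only once per account.
    """
    window_seconds = window_minutes * 60
    recent = defaultdict(deque)  # user -> timestamps of failures still inside the window
    blocked = set()
    alerts = []
    for event in map(parse_line, lines):
        user = event["user"]
        if user in blocked:
            continue
        if event["event"] == "LOGIN_SUCCESS":
            recent[user].clear()
            continue
        if event["event"] != "LOGIN_FAILED":
            continue
        q = recent[user]
        q.append(event["ts"])
        # Drop failures that have aged out of the sliding window.
        while q and (event["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            blocked.add(user)
            alerts.append({
                "user": user,
                "src": event["src"],
                "failure_count": len(q),
                "first_seen": q[0].isoformat(),
                "last_seen": q[-1].isoformat(),
                "action": "disable_account",   # the automated SOAR step
                "handoff": playbook_handoff(),  # what the analyst does next
            })
    return alerts


def playbook_handoff():
    """The ordered phases an analyst follows after the automated action (coordination runs throughout)."""
    return list(PLAYBOOK_PHASES)


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOGS):
        print(alert)
```

With the sample lines only alice trips the rule: her five failures land within 14 seconds. bob's failures are 15 minutes apart, so the sliding window never holds more than one of them, and his earlier failure is cleared by the successful login. Widening the window (for example to 120 minutes) makes bob's slow-and-low attempts fire as well, which is the tuning decision a team records in the playbook rather than in the tool alone.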

Playbook

This is a manual that provides details about any operational action

Incident response

This is an organization's quick attempt to identify an attack, contain the damage, and correct the effects of a security breach

C

What is the relationship between SIEM tools and playbooks? A. They work together to predict future threats and eliminate the need for human intervention. B. Playbooks detect threats and generate alerts, then SIEM tools provide the security team with a proven strategy. C. They work together to provide a structured and efficient way of responding to security incidents. D. Playbooks collect and analyze data, then SIEM tools guide the response process.

Preparation

What stage of an incident response playbook goes along with the description below? Before incidents occur, mitigate potential impacts on the organization by documenting, establishing staffing plans, and educating users.

Detection and analysis

What stage of an incident response playbook goes along with the description below? Detect and analyze events by implementing defined processes and appropriate technology.

Containment

What stage of an incident response playbook goes along with the description below? Prevent further damage and reduce immediate impact of incidents.

Coordination

What stage of an incident response playbook goes along with the description below? Report incidents and share information throughout the response process, based on established standards.

Eradication and recovery

What stage of an incident response playbook goes along with the description below? Completely remove artifacts of the incident so that an organization can return to normal operations.

Post-incident activity

What stage of an incident response playbook goes along with the description below? Document the incident, inform organizational leadership, and apply lessons learned.

A

Which action can a security analyst take when they are assessing a SIEM alert? A. Analyze log data and related metrics B. Isolate an infected network system C. Restore the affected data with a clean backup D. Create a final report

A, B, C

Which of the following statements accurately describe playbooks? Select three answers. A. A playbook is an essential tool used in cybersecurity. B. A playbook improves efficiency when identifying and mitigating an incident. C. A playbook can be used to respond to an incident. D. A playbook is used to develop compliance regulations.

C

Which phase of an incident response playbook is primarily concerned with preventing further damage and reducing the immediate impact of a security incident? A. Detection and analysis B. Preparation C. Containment D. Post-incident activity

A, C, D

Which statements are true about playbooks? Select three answers. A. Playbooks are manuals that provide details about any operational action. B. Playbooks categorize and analyze large amounts of data to help security teams identify risk. C. Playbooks clarify what tools should be used to respond to security incidents. D. Playbooks ensure that people follow a consistent list of actions in a prescribed way.

C

You determine that the suspicious file download alert is valid, so you follow the steps in your organization's playbook to contain and eliminate traces of the incident. What should you do next? A. Analyze log data B. Isolate the infected network system C. Restore affected systems

B

You're monitoring a SIEM dashboard and receive an alert about a suspicious file download. What's the first thing you should do? A. Report the alert to cyber crime agencies B. Assess the alert by gathering more information C. Use a tool to contain the incident

