Test Your Knowledge Questions Course 6, Module 1
What is the NIST Incident Response Lifecycle?
A framework that provides a blueprint for effective incident response
What is the process of gathering data from different sources and putting it in one centralized place?
Aggregation is the process of gathering data from different sources and putting it in one centralized place.
What is the difference between an intrusion detection system (IDS) and an intrusion prevention system (IPS)?
An IDS monitors system activity and alerts on intrusive activity, whereas an IPS monitors, detects, and actively stops intrusive activity.
What actions does an intrusion prevention system (IPS) perform?
An IPS monitors, detects, and stops abnormal or intrusive activity. IPS tools are not used to manage security incidents.
Fill in the blank: An _____ is an observable occurrence on a network, system, or device.
An event is an observable occurrence on a network, system, or device.
Which member of a CSIRT is responsible for tracking and managing the activities of all teams involved in the response process?
An incident coordinator is responsible for tracking and managing the activities of all teams involved in the response process.
Which document outlines the procedures to follow after an organization experiences a ransomware attack?
An incident response plan outlines the procedures to follow after an organization experiences a ransomware attack.
What application monitors system activity, then produces alerts about possible intrusions?
An intrusion detection system (IDS) is an application that monitors system activity, then produces alerts about possible intrusions.
A cybersecurity analyst receives an alert about a potential security incident. Which type of tool should they use to examine the alert's evidence in greater detail?
An investigative tool
What are the qualities of effective documentation?
Consistent, clear, and accurate.
Which of the following are phases of the NIST Incident Response Lifecycle?
Preparation; Detection and Analysis; and Containment, Eradication, and Recovery.
Which step in the SIEM process transforms raw data to create consistent log records?
During the normalize data step in the SIEM process, raw data is transformed to create consistent log records. The normalization process involves cleaning the data and removing non-essential attributes.
Which of the following is an example of a security incident?
Multiple unauthorized transfers of sensitive documents to an external system.
What are some examples of types of documentation?
Playbooks, final reports, and policies are examples of different types of documentation.
Which tool collects and analyzes log data to monitor critical activities in an organization?
SIEM tools collect and analyze log data to monitor critical activities in an organization.
What is the difference between a security information and event management (SIEM) tool and a security orchestration, automation, and response (SOAR) tool?
SIEM tools collect and analyze log data, which are then reviewed by security analysts. SOAR tools use automation to respond to security incidents.
Fill in the blank: Security orchestration, automation, and response (SOAR) is a collection of applications, tools, and workflows that uses automation to _____ security events.
SOAR is a collection of applications, tools, and workflows that uses automation to respond to security events.
Fill in the blank: The job of _____ is to investigate alerts and determine whether an incident has occurred.
Security analysts investigate security alerts and determine whether an incident has occurred.
What are some common elements contained in incident response plans?
System information and incident response procedures.
What type of process is the NIST Incident Response Lifecycle?
The NIST Incident Response Lifecycle is a cyclical process. This means that phases in the lifecycle can be revisited or repeated as incident investigations progress.
What are the goals of a computer security incident response team (CSIRT)?
The goals of CSIRTs are to effectively and efficiently manage incidents, prevent future incidents from occurring, and provide services and resources for response and recovery.
A security professional investigates an incident. Their goal is to gain information about the 5 W's, which include what happened and why. What are the other W's? Select three answers.
The other W's are: who triggered the incident, when the incident took place, and where the incident took place.
The first phase of the NIST Incident Response Lifecycle is Preparation. What are the other phases?
The three other phases of the NIST Incident Response Lifecycle are: Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity.
Fill in the blank: Ticketing systems such as _____ can be used to document and track incidents.
Ticketing systems such as Jira can be used to document and track incidents.
Fill in the blank: A specialized group of security professionals who are trained in incident management and response is a _____.
computer security incident response team
Fill in the blank: During the _____ step of the SIEM process, the collected raw data is transformed to create log record consistency.
data normalization
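The aggregation, normalization, and analysis steps of the SIEM process described in these notes, worked through as an added example. This is illustration code, not from the course or any SIEM product: the two log sources, every log line, the normalized field list, and the detection threshold are all constructed here, and the normalized schema is an assumed one rather than any vendor's.

```python
"""Added example (not from the course notes): a miniature SIEM pipeline.

Aggregation pulls records from two constructed sources (a syslog-style DLP
agent and a JSON-emitting proxy) into one place; normalization rewrites each
raw record into one consistent schema, dropping non-essential attributes
(process id, user agent, session id); analysis then applies one rule over
the normalized records. All data, field names and thresholds are assumed.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample data: two sources with different raw formats.
SYSLOG_LINES = [
    "Jan 14 09:12:03 fileserver01 dlp[2211]: user=alice action=transfer file=q3_budget.xlsx dest=198.51.100.7 bytes=48212",
    "Jan 14 09:12:41 fileserver01 dlp[2211]: user=alice action=transfer file=payroll.csv dest=198.51.100.7 bytes=91380",
    "Jan 14 09:13:05 fileserver01 dlp[2211]: user=bob action=read file=handbook.pdf dest=- bytes=0",
]
JSON_LINES = [
    '{"ts":"2024-01-14T09:14:20Z","host":"proxy01","username":"alice","event":"upload","object":"contracts.zip","destination":"198.51.100.7","size":120044,"user_agent":"curl/8.4","session_id":"abc123"}',
    '{"ts":"2024-01-14T09:30:00Z","host":"proxy01","username":"carol","event":"upload","object":"photo.jpg","destination":"203.0.113.9","size":2048,"user_agent":"Firefox","session_id":"def456"}',
]

# Assumed normalized schema: the fields every source must provide, in this
# order. Anything else a source sends is treated as non-essential and dropped.
FIELDS = ("timestamp", "host", "user", "action", "target", "destination", "bytes", "source")

# Map each source's own verbs onto one shared vocabulary.
ACTION_MAP = {"transfer": "transfer", "upload": "transfer", "read": "read"}

SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\s?\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) \S+: (?P<kv>.*)$"
)


def normalize_syslog(line, year=2024):
    """Parse one syslog-style key=value line into the normalized schema.
    Syslog timestamps carry no year, so one is supplied (assumed 2024)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # unparseable line: cleaned out rather than kept half-filled
    kv = dict(pair.split("=", 1) for pair in m["kv"].split())
    ts = datetime.strptime(
        f"{year} {m['mon']} {m['day'].strip()} {m['time']}", "%Y %b %d %H:%M:%S"
    ).replace(tzinfo=timezone.utc)
    return {
        "timestamp": ts.isoformat(),
        "host": m["host"],
        "user": kv.get("user"),
        "action": ACTION_MAP.get(kv.get("action"), "other"),
        "target": kv.get("file"),
        "destination": None if kv.get("dest") in (None, "-") else kv["dest"],
        "bytes": int(kv.get("bytes", 0)),
        "source": "syslog",
    }


def normalize_json(line):
    """Parse one JSON proxy event into the same schema; extra keys are dropped."""
    d = json.loads(line)
    ts = datetime.fromisoformat(d["ts"].replace("Z", "+00:00"))
    return {
        "timestamp": ts.isoformat(),
        "host": d["host"],
        "user": d["username"],
        "action": ACTION_MAP.get(d["event"], "other"),
        "target": d["object"],
        "destination": d.get("destination"),
        "bytes": int(d.get("size", 0)),
        "source": "json",
    }


def aggregate(syslog_lines, json_lines):
    """Aggregation: gather records from every source into one ordered list."""
    records = [normalize_syslog(l) for l in syslog_lines]
    records += [normalize_json(l) for l in json_lines]
    records = [r for r in records if r is not None]
    records.sort(key=lambda r: r["timestamp"])  # same timestamp format, so string order works
    return records


def detect_bulk_exfil(records, threshold=3):
    """Analysis rule: flag any (user, destination) pair with at least
    `threshold` outbound transfers. Returns {(user, dest): [targets...]}."""
    counts = defaultdict(list)
    for r in records:
        if r["action"] == "transfer" and r["destination"]:
            counts[(r["user"], r["destination"])].append(r["target"])
    return {k: v for k, v in counts.items() if len(v) >= threshold}


if __name__ == "__main__":
    recs = aggregate(SYSLOG_LINES, JSON_LINES)
    for r in recs:
        print(r)
    print("alerts:", detect_bulk_exfil(recs))
```

Because the two sources use different verbs ("transfer" vs "upload") and different field names, the rule in detect_bulk_exfil only works after normalization has put both into one vocabulary; that is why the course places the normalize step before analysis. Raising the threshold to 4 produces no alert on this data, which is the usual tuning trade-off between missed incidents and noisy alerts.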
