Threat Hunting Teams Quiz

What is a recommended method for new practitioners joining hunt teams? A. Create extensive policies governing hunt team actions B. Reduce the needs for iteration of hunt team plans C. Only perform hunt team tasks known to produce results

A. Create extensive policies governing hunt team actions

Where should hunt team functions be located in an organization? A. They can be located in several places, but functionality should rely on internal experts B. Hunt team operations should always exist as a separate component from incident response C. External organizations should be used to perform hunting activities for most organizations D. There is regulatory guidance on location of hunt team functionality; consult

A. They can be located in several places, but functionality should rely on internal experts

What is a definite benefit to hunt team activities? A. Quicker resolution of incidents B. Discovery of potential threats before they might normally be detected C. Lower need for other organizational security resources D. More advanced methodologies for incident response

B. Discovery of potential threats before they might normally be detected

All date and time stamps follow the ISO 8601 standard for labeling. A. True B. False

B. False

Hunting teams are primarily focused on discovering and addressing vulnerabilities inside their constituency. A. True B. False

B. False

Which of the following is a potential hunting process? A. Investigate, identify suspicious activity B. Mine data, identify suspicious activity, investigate, codify a repeatable analysis process C. Observe maturity and adoption of methods, investigate D. Focus on network-based detection of malicious activity, investigate

B. Mine data, identify suspicious activity, investigate, codify a repeatable analysis process

Which of the following is NOT used to determine if an incident should be designated as a particular priority? A. Criticality of systems involved B. Sophistication of malicious activity C. Cost of solution D. Impact or damage to organization

C. Cost of solution

Which of the following is NOT a purpose of threat modeling? A. Prioritizing which threats to handle first B. Organizing threats to an organization in a standardized manner C. Creating new vulnerability discovery techniques D. Using output to inform risk assessments

C. Creating new vulnerability discovery techniques

What does IOC stand for in the context of incident handling critical information? A. Index Output Categories B. Index of Categories C. Indicators of Compromise D. Indicators of Categories

C. Indicators of Compromise

Which of the following is an example of attack targets that might be reported in an incident report? A. Types and numbers of systems B. IP ranges C. Types of institutions D. Types of employees E. None of the above F. All of the above

F. All of the above

What are some typical sources of information used by hunting teams? A. Vendor trend reports B. New vulnerability disclosures C. Organizational disciplinary records D. Organizational budgetary information

Vendor trend reports