C845 - Chapter 4: Incident Response and Recovery
What documentation is typically prepared after a postmortem review of an incident has been completed? A. A lessons learned document B. A risk assessment C. A remediation list D. A mitigation checklist
A. A lessons learned document
What important function do senior managers normally fill on a business continuity planning team? A. Arbitrating disputes about criticality B. Evaluating the legal environment C. Training staff D. Designing failure controls
A. Arbitrating disputes about criticality
What type of forensic investigation-related form is shown here? A. Chain of custody B. Report of examination C. Forensic discovery log D. Policy custody release
A. Chain of custody
If Danielle wants to purge a drive, which of the following options will accomplish her goal? A. Cryptographic erase B. Reformat C. Overwrite D. Partition
A. Cryptographic erase
Alejandro is an incident response analyst for a large corporation. He is on the midnight shift when an intrusion detection system alerts him to a potential brute-force password attack against one of the company's critical information systems. He performs an initial triage of the event before taking any additional action. What stage of the incident response process is Alejandro currently conducting? A. Detection B. Response C. Recovery D. Mitigation
A. Detection
Darcy is a computer security specialist who is assisting with the prosecution of a hacker. The prosecutor requests that Darcy give testimony in court about whether, in her opinion, the logs and other records in a case are indicative of a hacking attempt. What type of evidence is Darcy being asked to provide? A. Expert opinion B. Direct evidence C. Real evidence D. Documentary evidence
A. Expert opinion
Referring to the following figure, what technology is shown that provides fault tolerance for the database servers? A. Failover cluster B. UPS C. Tape backup D. Cold site
A. Failover cluster
The Domer Industries risk assessment team recently conducted a qualitative risk assessment and developed a matrix similar to the one shown here. Which quadrant contains the risks that require the most immediate attention? A. I B. II C. III D. IV
A. I
During an incident investigation, investigators meet with a system administrator who may have information about the incident but is not a suspect. What type of conversation is taking place during this meeting? A. Interview B. Interrogation C. Both an interview and an interrogation D. Neither an interview nor an interrogation
A. Interview
During what phase of the incident response process would security professionals analyze the process itself to determine whether any improvements are warranted? A. Lessons learned B. Remediation C. Recovery D. Reporting
A. Lessons learned
Which one of the following components should be included in an organization's emergency response guidelines? A. List of individuals who should be notified of an emergency incident B. Long-term business continuity protocols C. Activation procedures for the organization's cold sites D. Contact information for ordering equipment
A. List of individuals who should be notified of an emergency incident
Because of external factors, Eric has only a limited time period to collect an image from a workstation. If he collects only specific files of interest, what type of acquisition has he performed? A. Logical B. Bit-by-bit C. Sparse D. None of the above
A. Logical
Which one of the following is not normally included in business continuity plan documentation? A. Statement of accounts B. Statement of importance C. Statement of priorities D. Statement of organizational responsibility
A. Statement of accounts
In what virtualization model do full guest operating systems run on top of a virtualization platform? A. Virtual machines B. Software-defined networking C. Virtual SAN D. Application virtualization
A. Virtual machines
Ed has been tasked with identifying a service that will provide a low-latency, high- performance, and high-availability way to host content for his employer. What type of solution should he seek out to ensure that his employer's customers around the world can access their content quickly, easily, and reliably? A. A hot site B. A CDN C. Redundant servers D. A P2P CDN
B. A CDN
Cynthia is building a series of scripts to detect malware beaconing behavior on her network. Which of the following is not a typical means of identifying malware beaconing? A. Persistence of the beaconing B. Beacon protocol C. Beaconing interval D. Removal of known traffic
B. Beacon protocol
As part of his team's forensic investigation process, Matt signs drives and other evidence out of storage before working with them. What type of documentation is he creating? A. Criminal B. Chain of custody C. Civil D. CYA
B. Chain of custody
Who is the ideal person to approve an organization's business continuity plan? A. Chief information officer B. Chief executive officer C. Chief information security officer D. Chief operating officer
B. Chief executive officer
After completing an incident response process and providing a final report to management, what step should Casey use to identify improvement to her incident response plan? A. Update system documentation. B. Conduct a lessons-learned session. C. Review patching status and vulnerability scans. D. Engage third-party consultants.
B. Conduct a lessons-learned session.
During what phase of incident response is the primary goal to limit the damage caused by an incident? A. Detection B. Containment C. Eradication D. Recovery
B. Containment
During a forensic investigation, Charles discovers that he needs to capture a virtual machine that is part of the critical operations of his company's website. If he cannot suspend or shut down the machine for business reasons, what imaging process should he follow? A. Perform a snapshot of the system, boot it, suspend the copied version, and copy the directory it resides in. B. Copy the virtual disk files and then use a memory capture tool. C. Escalate to management to get permission to suspend the system to allow a true forensic copy. D. Use a tool like the Volatility Framework to capture the live machine completely.
B. Copy the virtual disk files and then use a memory capture tool.
Which of the following is not an important part of the incident response communication process? A. Limiting communication to trusted parties B. Disclosure based on public feedback C. Using a secure method of communication D. Preventing accidental release of incident related information
B. Disclosure based on public feedback
Florian is building a disaster recovery plan for his organization and would like to determine the amount of time that a particular IT service may be down without causing serious damage to business operations. What variable is Florian calculating? A. RTO B. MTD C. RPO D. SLA
B. MTD
Karen's organization has been performing system backups for years but has not used the backups frequently. During a recent system outage, when administrators tried to restore from backups, they found that the backups had errors and could not be restored. Which of the following options should Karen avoid when selecting ways to ensure that her organization's backups will work next time? A. Log review B. MTD verification C. Hashing D. Periodic testing
B. MTD verification
Tim is a forensic analyst who is attempting to retrieve information from a hard drive. It appears that the user attempted to erase the data, and Tim is trying to reconstruct it. What type of forensic analysis is Tim performing? A. Software analysis B. Media analysis C. Embedded device analysis D. Network analysis
B. Media analysis
Which one of the following is not an example of a backup tape rotation scheme? A. Grandfather/Father/Son B. Meet-in-the-middle C. Tower of Hanoi D. Six Cartridge Weekly
B. Meet-in-the-middle
You are performing an investigation into a potential bot infection on your network and want to perform a forensic analysis of the information that passed between different systems on your network and those on the Internet. You believe that the information was likely encrypted. You are beginning your investigation after the activity concluded. What would be the best and easiest way to obtain the source of this information? A. Packet captures B. Netflow data C. Intrusion detection system logs D. Centralized authentication records
B. Netflow data
When working to restore systems to their original configuration after a long-term APT compromise, Charles has three options: Option 1: He can restore from a backup and then update patches on the system. Option 2: He can rebuild and patch the system using the original installation media and application software and his organization's build documentation. Option 3: He can remove the compromised accounts and rootkit tools and then fix the issues that allowed the attackers to access the systems. Which option should Charles choose in this scenario? A. Option 1 B. Option 2 C. Option 3 D. None of the above. Charles should hire a third party to assess the systems before proceeding.
B. Option 2
What type of disaster recovery test activates the alternate processing facility and uses it to conduct transactions but leaves the primary site up and running? A. Full interruption test B. Parallel test C. Checklist review D. Tabletop exercise
B. Parallel test
Eric has access to a full suite of network monitoring tools and wants to use appropriate tools to monitor network bandwidth consumption. Which of the following is not a common method of monitoring network bandwidth usage? A. SNMP B. Portmon C. Packet sniffing D. Netflow
B. Portmon
The senior management of Kathleen's company is concerned about rogue devices on the network. If Kathleen wants to identify rogue devices on her wired network, which of the following solutions will quickly provide the most accurate information? A. Discovery scan with a port scanner B. Router and switch-based MAC address reporting C. Physical survey D. Reviewing a central administration tool, such as SCCM
B. Router and switch-based MAC address reporting
Jerome is conducting a forensic investigation and is reviewing database server logs to investigate query contents for evidence of SQL injection attacks. What type of analysis is he performing? A. Hardware analysis B. Software analysis C. Network analysis D. Media analysis
B. Software analysis
Mika wants to analyze the contents of a drive without causing any changes to the drive. What method is best suited to ensuring this? A. Set the read-only jumper on the drive. B. Use a write blocker. C. Use a read blocker. D. Use a forensic software package.
B. Use a write blocker.
In his role as a forensic examiner, Lucas has been asked to produce forensic evidence related to a civil case. What is this process called? A. Criminal forensics B. eDiscovery C. Cyber production D. Civil tort
B. eDiscovery
Sam is responsible for backing up his company's primary file server. He configured a backup schedule that performs full backups every Monday evening at 9 p.m. and differential backups on other days of the week at that same time. Files change according to the information shown in the following figure. How many files will be copied in Wednesday's backup? A. 2 B. 3 C. 5 D. 6
C. 5
If Alejandro's initial investigation determines that a security incident is likely taking place, what should be his next step? A. Investigate the root cause. B. File a written report. C. Activate the incident response team. D. Attempt to restore the system to normal operations.
C. Activate the incident response team.
As the CISO of her organization, Jennifer is working on an incident classification scheme and wants to base her design on NIST's definitions. Which of the following options should she use to best describe a user accessing a file that they are not authorized to view? A. An incident B. An event C. An adverse event D. A security incident
C. An adverse event
Which one of the following stakeholders is not typically included on a business continuity planning team? A. Core business function leaders B. Information technology staff C. CEO D. Support departments
C. CEO
Tara recently detected a security incident in progress on her network. What action should be her highest priority at this point? A. Eradication B. Recovery C. Containment D. Detection
C. Containment
During which phase of the incident response process would an analyst receive an intrusion detection system alert and verify its accuracy? A. Response B. Mitigation C. Detection D. Reporting
C. Detection
Veronica is considering the implementation of a database recovery mechanism recommended by a consultant. In the recommended approach, an automated process will move database backups from the primary facility to an off-site location each night. What type of database recovery technique is the consultant describing? A. Remote journaling B. Remote mirroring C. Electronic vaulting D. Transaction logging
C. Electronic vaulting
Which one of the following is not normally considered a business continuity task? A. Business impact assessment B. Emergency response guidelines C. Electronic vaulting D. Vital records program
C. Electronic vaulting
Who should receive initial business continuity plan training in an organization? A. Senior executives B. Those with specific business continuity roles C. Everyone in the organization D. First responders
C. Everyone in the organization
Which one of the following information sources is most likely to detect a security incident involving unauthorized modification of information by an employee? A. Intrusion detection system B. Antivirus software C. File integrity monitoring system D. Firewall logs
C. File integrity monitoring system
While performing post-rebuild validation efforts, Scott scans a server from a remote network and sees no vulnerabilities. Joanna, the administrator of the machine, runs a scan and discovered two critical vulnerabilities and five moderate issues. What is most likely causing the difference in their reports? A. Different patch levels during the scans B. Scanning through a load balancer C. Firewall between the remote network and the server D. Running the scan with different settings
C. Firewall between the remote network and the server
Gordon suspects that a hacker has penetrated a system belonging to his company. The system does not contain any regulated information, and Gordon wants to conduct an investigation on behalf of his company. He has permission from his supervisor to conduct the investigation. Which of the following statements is true? A. Gordon is legally required to contact law enforcement before beginning the investigation. B. Gordon may not conduct his own investigation. C. Gordon's investigation may include examining the contents of hard disks, network traffic, and any other systems or information belonging to the company. D. Gordon may ethically perform "hack back" activities after identifying the perpetrator.
C. Gordon's investigation may include examining the contents of hard disks, network traffic, and any other systems or information belonging to the company.
Alan is responding to a security incident and receives a hard drive image from a cooperating organization that contains evidence. What additional information should he request to verify the integrity of the evidence? A. Private key B. Public key C. Hash D. Drive capacity
C. Hash
Alex's organization uses the NIST incident classification scheme. Alex discovers that a laptop belonging to a senior executive had keylogging software installed on it. How should Alex classify this occurrence? A. Event B. Adverse event C. Incident D. Policy violation
C. Incident
Which one of the following tasks is performed by a forensic disk controller? A. Masking error conditions reported by the storage device B. Transmitting write commands to the storage device C. Intercepting and modifying or discarding commands sent to the storage device D. Preventing data from being returned by a read operation sent to the device
C. Intercepting and modifying or discarding commands sent to the storage device
Greg is redesigning his organization's incident response process, seeking to improve its efficiency and effectiveness. Which one of the following actions is not likely to improve his incident response plan? A. Create a mentoring program for technical staff B. Provide team members with opportunities to work on other tasks C. Keep all members of the team on permanent assignment to the team D. Conduct training exercises for the team
C. Keep all members of the team on permanent assignment to the team
During what phase of the incident response process do administrators take action to limit the effect or scope of an incident? A. Detection B. Response C. Mitigation D. Recovery
C. Mitigation
Jeff discovers a series of JPEG photos on a drive that he is analyzing for evidentiary purposes. He uses exiftool to collect metadata from those files. Which information is not likely to be included in that metadata? A. GPS location B. Camera type C. Number of copies made D. Timestamp
C. Number of copies made
As the incident response progresses, during which stage should the team conduct a root-cause analysis? A. Response B. Reporting C. Remediation D. Lessons learned
C. Remediation
Which one of the following events marks the completion of a disaster recovery process? A. Securing property and life safety B. Restoring operations in an alternate facility C. Restoring operations in the primary facility D. Standing down first responders
C. Restoring operations in the primary facility
Which one of the following is not a requirement for evidence to be admissible in court? A. The evidence must be relevant. B. The evidence must be material. C. The evidence must be tangible. D. The evidence must be competent.
C. The evidence must be tangible.
Darcy is designing a fault-tolerant system and wants to implement RAID level 5 for her system. What is the minimum number of physical hard disks she can use to build this system? A. One B. Two C. Three D. Five
C. Three
Which one of the following is an example of a computer security incident? A. Completion of a backup schedule B. System access recorded in a log C. Unauthorized vulnerability scan of a file server D. Update of antivirus signatures
C. Unauthorized vulnerability scan of a file server
NIST defines five major types of threat information types in NIST SP 800-150 the "Guide to Cyber Threat Information Sharing." They are: 1. Indicators, which are technical artifacts or observables that suggest an attack is imminent, currently underway, or compromise may have already occurred 2. Tactics, techniques, and procedures that describe the behavior of an actor 3. Security alerts like advisories and bulletins 4. Threat intelligence reports that describe actors, systems, and information being targeted and the methods being used 5. Tool configurations that support collection, exchange, analysis, and use of threat information Which one of the following groups would be least likely to included in an organization's cybersecurity incident communications plans? A. Law enforcement B. Security vendors C. Utilities D. Media
C. Utilities
Chris would like to use John the Ripper to test the security of passwords on a compromised Linux system. What files does he need to conduct this analysis? A. /etc/shadow and /etc/user B. /etc/passwd and /etc/user C. /etc/user and /etc/account D. /etc/passwd and /etc/shadow
D. /etc/passwd and /etc/shadow
Glenda would like to conduct a disaster recovery test and is seeking a test that will allow a review of the plan with no disruption to normal information system activities and as minimal a commitment of time as possible. What type of test should she choose? A. Tabletop exercise B. Parallel test C. Full interruption test D. Checklist review
D. Checklist review
Which one of the following actions is not normally part of the project scope and planning phase of business continuity planning? A. Structured analysis of the organization B. Review of the legal and regulatory landscape C. Creation of a BCP team D. Documentation of the plan
D. Documentation of the plan
Craig is selecting the site for a new data center and must choose a location somewhere within the United States. He obtained the earthquake risk map shown here from the United States Geological Survey. Which of the following would be the safest location to build his facility if he were primarily concerned with earthquake risk? A. New York B. North Carolina C. Indiana D. Florida
D. Florida
Lauren is the IT manager for a small company and occasionally serves as the organization's information security officer. Which of the following roles should she include as the leader of her organization's CSIRT? A. Her lead IT support staff technician B. Her organization's legal counsel C. A third-party IR team lead D. She should select herself.
D. She should select herself.
As part of his incident response process, Charles securely wipes the drive of a compromised machine and reinstalls the operating system (OS) from original media. Once he is done, he patches the machine fully and applies his organization's security templates before reconnecting the system to the network. Almost immediately after the system is returned to service, he discovers that it has reconnected to the same botnet it was part of before. Where should Charles look for the malware that is causing this behavior? A. The operating system partition B. The system BIOS or firmware C. The system memory D. The installation media
D. The installation media