LESSON TWENTY-SEVEN


tabletop exercise

A security incident preparedness activity that takes participants step by step through a simulated incident scenario, providing hands-on training that can highlight flaws in incident response planning.

cyber kill chain

A series of steps that trace stages of a cyber attack from the early reconnaissance stages to the exfiltration of data. The kill chain allows you to understand and combat ransomware, security breaches, and advanced persistent threats (APTs).

incident response plan

A set of instructions to help IT staff detect, respond to, and recover from network security incidents. These types of plans address issues like cybercrime, data loss, and service outages that threaten daily work.

disaster recovery plan (DRP)

A formal document created by organizations that contains detailed instructions on how to respond to unplanned incidents such as natural disasters, power outages, cyber attacks, or other disruptive events. A DRP should include information regarding redundancy, such as sites and backup, but should not include information that deals with the day-to-day operations of an organization, such as updating computers, patch management, monitoring and audits, and so on. It is important to include only what is necessary in a disaster recovery plan.

MITRE ATT&CK

A globally accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations of cybersecurity threats.

incident response team

A group of IT professionals in charge of preparing for and reacting to any type of organizational emergency.

Which phase of the incident response process should be performed within two weeks of the end of an incident? Identification; Recovery; Lessons learned; Preparation

Lessons learned

Not implementing a disaster recovery plan properly can lead to which of the following? Lost revenue; Faster recovery; Satisfied customers; Brand awareness

Lost revenue

Which high-level document is a step-by-step procedure that should be created as part of an incident response plan and can target specific incident handling such as malware and ransomware? Security incident report; Playbook; Play station; Lessons learned after-action report

Playbook

The Diamond Model places the basic components of malicious activity at one of the four points on a diamond shape. Which of these are one of the four points? Each correct answer represents a complete solution. Choose all that apply. Capability and victim; Adversary and infrastructure; Personas and biometrics; Malware and infection vectors

Capability and victim; Adversary and infrastructure

NIST SP 800-53 requires that all federal agencies retain data for ________. Three years on magnetic media; seven years on magnetic media; seven years on magnetic media and 10 years on paper; ten years on magnetic media or 20 years on paper

Three years on magnetic media

What is one thing that a BCP plan contains and a DR plan does not? Continuity of a DRP in conjunction with a BCP; A continuity plan for the entire organization; A disaster recovery model; A standby data center

A continuity plan for the entire organization

Which of these includes some of the incidents that an incident response team might be prepared for and respond to? A power outage in the data center; All of these; Attackers gaining access to the web server; Hackers obtaining passwords from executives

All of these

In a communication plan, escalating communication information on a regular schedule or timeline is important. What is the appropriate frequency of this communication? Once an hour; Once every six hours; As key information is available; As every item is uncovered

As key information is available

Which legal portion of an incident response plan requires notification or disclosure within 72 hours of discovery of a data incident? SANS; NIST; New Jersey Privacy Law; GDPR

GDPR

Which of the following is one of the five key stakeholders of the incident response team? Public Library; Legal; Security Operations; Security Guards

Legal

The ATT&CK Framework has 11 tactics and hundreds of techniques. Which tactic describes the way an adversary implements a technique? Impact; Collection; Procedures; Privilege escalation

Procedures

Which incident response plan item will provide an understanding of the severity of an incident so that it can be prioritized quickly and correctly? Triage matrix; Threat matrix; Disaster recovery report; Incident response report

Triage matrix

Which exercise simulates a real-life scenario of an incident response plan and is used to test and highlight areas where your team excels and areas that need to be addressed? Containment; Recovery; Cyber kill chain; Tabletop

Tabletop

business continuity plan (BCP)

A current, tested plan in the hands of all personnel responsible for carrying out any part of that plan for the purpose of giving your organization the best shot at success during a disaster.

Diamond Model of Intrusion Analysis

A cybersecurity/threat intelligence model used to analyze and track the characteristics of cyber intrusions by advanced threat actors that emphasizes the relationships and characteristics of the adversary, capabilities, infrastructure, and victims.

continuity of operations planning (COOP)

A federal initiative to encourage people and departments to plan to address how critical operations will continue under a broad range of circumstances.

Which of the following ensures the restoration of organizational functions in the shortest possible time? COOP; Cyber kill chain; Diamond Model; MITRE ATT&CK

COOP

Which of the following is a formal document that contains details on how to respond to cyber attacks and unplanned incidents? Incident response model; Business continuity plan; Disaster recovery plan; Containment process

Disaster recovery plan
