Lesson 17: Performing Incident Response
The IT team at a company discovers that a Windows server is infected with malware. As a result, the server is not functioning properly. Which event log does the team review to find errors from failing services related to newly installed software?
Application
When endpoint security experiences a breach, there are several classes of vector to consider for mitigation. Which type relates to exploiting an unauthorized service port change?
Configuration drift
A systems administrator suspects that a virus has infected a critical server. In which step of the incident response process does the administrator notify stakeholders of the issue?
Identification
An engineer creates a set of tasks that queries information and runs some PowerShell commands to automate the identification of threats and other malicious activity on multiple servers. The engineer defines these tasks using which of the following?
Playbook
A system compromise prompts the IT department to harden all systems. The technicians look to block communications to potential command and control servers. Which solutions apply to working with egress filtering? (Select all that apply.)
Restrict DNS lookups Allow only authorized application ports
Incident management relies heavily on the efficient allocation of resources. Which of the following factors should an IT manager consider as it relates to the overall scope of dealing with an incident? (Select all that apply.)
Downtime Detection time Recovery time
An engineer needs to review systems metadata to conclude what may have occurred during a breach. The first step the engineer takes in the investigation is to review MTA information in an Internet header. Which data type does the engineer review?
Successful adversarial attacks mostly depend on knowledge of the algorithms used by the target AI. In an attempt to keep an algorithm secret, which method does an engineer use when hiding the secret?
Obscurity
A security team desires to modify event logging for several network devices. One team member suggests using the configuration files from the current logging system with another open format that uses TCP with a secure connection. Which format does the team member suggest?
Rsyslog
The first responder to a security incident decides the issue requires escalation. Consider the following and select the scenario that best describes escalation in this issue.
The first responder calls senior staff to get them involved.
A security analyst needs to contain a compromised system. The analyst would be most successful using which containment approach?
Airgap
During weekly scans, a system administrator identifies a system that has software installed that goes against security policy. The system administrator removes the system from the network in an attempt to limit the effect of the incident on the remainder of the network. Apply the Computer Security Incident Handling Guide principles to determine which stage of the incident response life cycle the administrator has entered.
Containment, eradication and recovery
An administrator uses data from a Security Information and Event Management (SIEM) system to identify potential malicious activity. Which feature does the administrator utilize when implementing rules to interpret relationships between datapoints to diagnose incidents?
Correlation
A user calls the help desk to report that Microsoft Excel continues to crash when used. The technician would like to review the logs in an attempt to determine the cause. Analyze the types of logs to determine which would contain the information the technician needs.
Event log
Arrange the following stages of the incident response life cycle in the correct order.
Preparation; Identification; Containment, Eradication, and Recovery; Lessons Learned
A security expert needs to review systems information to conclude what may have occurred during a breach. The expert reviews NetFlow data. What samples does the expert review?
Statistics about network traffic
