SEC+ 601. Chapter 14: Incident Response
Hitesh wants to keep a system online but limit the impact of the malware that was found on it while an investigation occurs. What method from the following list should he use? A. Containment B. Isolation C. Segmentation D. Black holing
A. Containment Containment activities focus on preventing further malicious actions or attacks. In this case, Hitesh might opt to prevent the malware from spreading but leave the system online due to a critical need or a desire to preserve memory and other artifacts for investigation. Isolation walls a system or systems off from the rest of the world, whereas segmentation is frequently used before incidents occur to create zones or segments of a network or system with different security levels and purposes.
Megan's organization uses the Diamond Model of Intrusion Analysis as part of their incident response process. A user in Megan's organization has discovered a compromised system. What core feature would help her determine how the compromise occurred? A. Adversary B. Capability C. Infrastructure D. Victim
B. Capability Capability analysis is used to determine what an attacker can do and what the tools that are used in the attack may be capable of. Megan should analyze the capability of the adversary and tool, and then consider infrastructure and adversary information to enhance her threat model.
Mark unplugs the network connection from a system that is part of an incident and places tape over its Ethernet jack with a sign that says "Do not reconnect without approval from IR team." How is this method best described? A. Containment B. Isolation C. Segmentation D. Zoning
B. Isolation Mark has isolated the system by removing it from the network and ensuring that it cannot communicate with other systems. Containment would limit the impact of the incident and might leave the system connected but with restricted or protected access. Segmentation moves systems or groups of systems into zones that have similar purposes, data classification, or other restrictions on them.
Gwen is building her organization's documentation and processes and wants to create the plan for what the organization would if her datacenter burned down. What type of plan would typically cover that type of scenario? A. An incident response plan B. A business continuity plan C. A disaster recovery plan D. A stakeholder management plan
C. A disaster recovery plan Disaster recovery plans describe what will occur if a natural or man-made disaster has a significant impact on an organization. Business continuity plans describe how the business will continue to operate. IR plans deal with incidents, and stakeholder management is part of many plans.
Madhuri wants to check a PNG-formatted photo for GPS coordinates. Where can she find that information if it exists in the photo? A. In the location.txt file appended to the PNG B. On the original camera C. In the photo's metadata D. In the photo as a steganographically embedded data field
C. In the photo's metadata If the photo includes GPS data, it will be included in the photo's metadata. Madhuri can use a tool like ExifTool to review the metadata for useful information. None of the other answers are places where data is stored for a PNG image as a normal practice.
Which team member acts as a primary conduit to senior management on an IR team? A. Communications and public relations B. Information security C. Management D. Technical expert
C. Management Members of management or organizational leadership act as a primary conduit to senior leadership for most incident response teams. They also ensure that difficult or urgent decisions can be made without needing escalated authority. Communications and PR staff focus on internal and external communications but are typically not the direct conduit to leadership. Technical and information security experts do most of the incident response work itself.
Henry wants to check to see if services were installed by an attacker. What commonly gathered organizational data can he use to see if a new service appeared on systems? A. Registry dumps from systems throughout his organization B. Firewall logs C. Vulnerability scans D. Flow logs
C. Vulnerability scans Vulnerability scans are the best way to find new services that are offered by systems. In fact, many vulnerability scanners will flag new services when they appear, allowing administrators to quickly notice unexpected new services. Registry information is not regularly dumped or collected in most organizations. Firewall logs and flow logs could show information is the services are being used by systems whose traffic passes through them, but this is a less useful and accurate way of identifying new services and would work only if those services were also being used.
Jim wants to view log entries that describe actions taken by applications on a CentOS Linux system. Which of the following tools can he use on the system to view those logs? A. logger B. syslog-ng C. journalctl D. tail
C. journalctl CentOS and Red Hat Enterprise Linux both use journalctl to view journal logs that contain application information. Jim should use journalctl to review the logs for the information he needs. The tool also provides functionality that replicates what head and tail can do for logs. Syslog-ng is a logging infrastructure, and though logs may be sent via syslog-ng, it is not mentioned here. logger is a logging utility used to make entries in the system log.
As part of their yearly incident response preparations, Ben's organization goes through a sample incident step by step to validate what each person will do in the incident. What type of exercise is this? A. A checklist exercise B. A simulation C. A tabletop exercise D. A walk-through
D. A walk-through Ben's organization is conducting a walk-through exercise that reviews each step, thus ensuring that every team member knows what they would do and how they would do it. Checklist exercises are not a specific type of exercise. Tabletop exercises are conducted with more flexibility—team members are given a scenario and asked how they would respond and what they would do to accomplish tasks they believe would be relevant. A simulation exercise attempts to more fully re-create an actual incident to test responses.
Selah is following the Cyber Kill Chain model and has completed the delivery phase. What step is next according to the Kill Chain? A. Weaponization B. Exploitation C. Installation D. Actions on Objective
B. Exploitation The Cyber Kill Chain describes the phase after delivery when a weapon is delivered to the target as exploitation. In this phase, the malware is triggered and it exploits vulnerabilities on the system to acquire access. Weaponization is the creation of tools to exploit vulnerabilities. Installation occurs when remote access tools are installed. Actions on Objective is the final phase in the Kill Chain when attackers take action to accomplish their goals.
Ian has been receiving hundreds of false positive alerts from his SIEM every night when scheduled jobs run across his datacenter. What should he adjust on his SIEM to reduce the false positive rate? A. Trend analysis B. Sensitivity C. Correlation rules D. Dashboard configuration
B. Sensitivity Ian's first step should be changing the sensitivity for his alerts. Adjusting the alerts to ignore safe or expected events can help reduce false positives. Correlation rules may then need to be adjusted if they are matching unrelated items. Dashboards are used to visualize data, not for alerting, and trend analysis is used to feed dashboards and reports.
Chris has turned on logon auditing for a Windows system. Which log will show them? A. The Windows Application log B. The Windows Security log C. The Windows System log D. All of the above
B. The Windows Security log The Windows Security log records logon events when logon auditing is enabled. The Application and System logs do not contain these events.
What tool is specifically designed to support incident responders by allowing unified, automated responses across an organization? A. IPS B. COOP C. SOAR D. IRC
C. SOAR Security orchestration, automation, and response (SOAR) tools are designed to automate security responses, to allow centralized control of security settings and controls, and to provide strong incident response capabilities. IPS is an intrusion prevention system, COOP is the federal government's standards for continuity of operations, and Internet Relay Chat (IRC) is an online chat tool.
Michael wants to log directly to a database while also using TCP and TLS to protect his log information and to ensure it is received. What tool should he use? A. syslog B. rsyslog C. syslog-ng D. journalctl
C. syslog-ng Syslog-ng allows logging directly to common databases, uses TCP, and supports TLS, making it a secure and reliable option. Rsyslog does not allow direct logging to a database, and syslog itself does not provide these functions by default.
Alyssa wants to prevent a known Microsoft Word file from being downloaded and accessed on devices she is responsible for. What type of tool can she use to prevent this? A. An allow list tool B. A COOP C. A SIEM D. A deny list tool
D. A deny list tool Alyssa's best option is to use a deny list tool that can recognize the file, by filename, content, or hash value. An allow list tool would be far more difficult to use as she would have to approve all the files that were allowed, which can be exceptionally difficult and time consuming. A SIEM is used to view and analyze data but does not directly block files or data from being used. COOP (Continuity of Operations Planning) is a federal guideline on how to complete DR and BCP plans.
Which of the following is not one of the four phases in COOP? A. Readiness and preparedness B. Activation and relocation C. Continuity of operations D. Documentation and reporting
D. Documentation and reporting The fourth phase of COOP is Reconstitution, which restores systems and services to operation. Documentation and reporting is not a phase in COOP, although it is likely to occur in multiple phases.
What phase in the incident response process leverages indicators of compromise and log analysis as part of a review of events? A. Preparation B. Containment C. Eradication D. Identification
D. Identification The identification phase focuses on using various techniques to analyze events to identify potential incidents. Preparation focuses on building tools, processes, and procedures to respond to incidents. Eradication involves the removal of artifacts related to the incident, and containment limits the scope and impact of the incident.
The following figure shows the Security+ incident response cycle. What item is missing? A. Planning B. Reporting C. Monitoring D. Preparation
D. Preparation The first item in the incident response cycle used by the Security+ exam is preparation.
Susan has discovered that an incident took place on her network almost six months ago. As she prepares to identify useful data for the incident, which common policy is most likely to cause her difficulties during her investigation? A. Configuration standards B. Communication policies C. Incident response policies D. Retention policies
D. Retention policies Retention policies for many organizations mean that data is kept for only a limited period of time. Many organizations keep specific logs for as short a period as 30 or 45 days, with other data kept for longer periods of time. It is likely that Susan will not have all of the incident data she would have if she had discovered the incident within 30 days of it occurring. Configuration standards are not a policy; communication and incident response policies would both support her IR needs.
What is the primary concern with SFlow in a large, busy network? A. It may allow buffer overflow attacks against the collector host. B. SFlow is not designed for large or complex networks. C. SFlow puts extreme load on the flow collector host. D. SFlow samples only network traffic, meaning that some detail will be lost.
D. SFlow samples only network traffic, meaning that some detail will be lost. The primary concern for analysts who deploy SFlow is often that it samples only data, meaning some accuracy and nuance can be lost in the collection of flow data. Sampling, as well as the implementation methods for SFlow, means that it scales well to handle complex and busy networks. Although vulnerabilities may exist in SFlow collectors, a buffer overflow is not a primary concern for them.