Security+ 4.2 Incident Response
An organization is establishing a Cyber-incident Response Team (CIRT). They want representatives from various positions in the organization. Which of the following positions would be the LEAST helpful to be on the team? A. Senior management B. Business office manager C. Network administrator D. Compliance officer
Business office manager
A Cyber-incident Response Team (CIRT) is writing an Incident Response Plan (IRP) at their organization. One common element of the plan is to document who to contact to report a computer security incident. What is this called? A. Escalation B. Functional exercise C. Tabletop exercise D. Incident category definitions
Escalation
In the incident response process, after identifying a security event, a Cyber-incident Response Team (CIRT) needs to isolate it. What is this step called? A. Prepare incident response policy, plan, and procedures B. Recovery C. Containment D. Eradication
Containment
These are alternate business practices, which are "workaround" activities that can temporarily substitute for normal business activities after a disaster. A. MITRE ATT&CK B. Continuity of Operations Planning (COOP) C. Cyber Kill Chain D. The Diamond Model of Intrusion Analysis
Continuity of Operations Planning (COOP)
These are seven steps that are used to understand and disrupt attacks. We try to find a way to disrupt the attacker's steps to prevent them from reaching their final objective. A. The Diamond Model of Intrusion Analysis B. MITRE ATT&CK C. Continuity of Operations Planning (COOP) D. Cyber Kill Chain
Cyber Kill Chain
This outlines what to do if a disaster occurs. Part of this outline usually includes what type of disaster recovery sites will be used, such as hot sites, warm sites, and/or cold sites. A. MITRE ATT&CK B. The Diamond Model of Intrusion Analysis C. Cyber Kill Chain D. Disaster recovery plan
Disaster recovery plan
What is the first step in an incident response plan? This helps employees identify whether an event is benign or an actual security incident. A. Roles and responsibilities B. Documented incident types/category definitions C. Escalation D. Cyber-incident response teams
Documented incident types/category definitions
In the incident response process, a Cyber-incident Response Team (CIRT) needs to determine if an event is a legitimate security incident or not. What is this step called? A. Prepare incident response policy, plan, and procedures B. Identification C. Containment D. Eradication
Identification
What provides organizations with a formal, coordinated plan that employees can use when responding to an incident? A. Attack framework B. Incident response policy C. Security incident D. Incident response plan
Incident response plan
What provides organizations with a formal, coordinated plan that employees can use when responding to an incident? A. Incident response plan B. Security incident C. Attack framework D. Incident response policy
Incident response plan
What helps employees identify and respond to security incidents? It needs to be regularly updated. A. Security incident B. Attack framework C. Incident response policy D. NIST (National Institute of Standards and Technology)
Incident response policy
At the end of a training exercise, we need to have a discussion on how to improve the cyber-incident response team's (CIRT) response to the exercise. What is this called? A. Tabletop exercises B. Simulations C. Lessons learned D. Walk-throughs
Lessons learned
What is the LAST step a Cyber-incident Response Team (CIRT) should take in the incident response process? A. Eradication B. Lessons learned C. Recovery D. Containment
Lessons learned
This is a knowledge base of adversary tactics and techniques used in real-world attacks. It has a matrix that can be used to identify the type of attack and how to mitigate it. A. The Diamond Model of Intrusion Analysis B. MITRE ATT&CK C. Continuity of Operations Planning (COOP) D. Cyber Kill Chain
MITRE ATT&CK
What is the FIRST step a Cyber-incident Response Team (CIRT) should take in the incident response process? A. Eradication B. Containment C. Prepare incident response policy, plan, and procedures D. Identification
Prepare incident response policy, plan, and procedures
In the incident response process, after eradicating the security incident, a Cyber-incident Response Team (CIRT) needs to get the systems running normally again. What is this step called? A. Lessons learned B. Containment C. Recovery D. Identification
Recovery
A Cyber-incident Response Team (CIRT) is writing an Incident Response Plan (IRP) at their organization, which is a federal agency. Federal agencies are required to report computer security incidents to the United States Computer Emergency Readiness Team (US-CERT), so this will be included in their plan. What is this called? A. Incident category definitions B. Functional exercise C. Tabletop exercise D. Reporting requirements
Reporting requirements
What is an adverse event that can negatively affect the confidentiality, integrity, or availability (CIA triad) of data or systems within an organization? A. Incident response plan B. Security incident C. Incident response policy D. Attack framework
Security incident
At what type of training exercise do we have functional exercises that test actual responses? A. Simulations B. Lessons learned C. Walk-throughs D. Tabletop exercises
Simulations
At what type of training exercise do we have a discussion about how to respond to an event? A. Tabletop exercises B. Simulations C. Walk-throughs D. Lessons learned
Tabletop exercises
This is a way to understand an attacker by analyzing four key components of the intrusion event, which are adversary, capability, victim, and infrastructure. A. Continuity of Operations Planning (COOP) B. Cyber Kill Chain C. The Diamond Model of Intrusion Analysis D. MITRE ATT&CK
The Diamond Model of Intrusion Analysis
What type of training exercise has workshops that provide training about employee roles and responsibilities, explain business continuity plans, and plan tabletop exercises? A. Tabletop exercises B. Simulations C. Walk-throughs D. Lessons learned
Walk-throughs
A Cyber-incident Response Team (CIRT) wants to establish an Incident Response Plan (IRP) at their organization. One common element of the plan is to document incident category definitions. Which of the following is NOT a potential incident category? A. external/removable media, attrition B. exercises (tabletop, walkthroughs, simulations, lessons learned) C. improper usage, loss or theft of equipment D. web, email
exercises (tabletop, walkthroughs, simulations, lessons learned)