Help
Options
Didn't know it?
click below
click below
Knew it?
click below
click below
Don't Know
Remaining cards (0)
Know
retry
shuffle
restart
0:00
Embed Code - If you would like this activity on your web page, copy the script below and paste it into your web page.
Normal Size Small Size show me how
Normal Size Small Size show me how
IR Midterm 1
Incident Response Midterm 1
| Question | Answer |
|---|---|
| What is an event? | Any observable occurrence in a system or network. |
| What is an incident? | Violation or imminent threat of violation of security policies or compromise of CIA |
| What is IR | IR is essentially a system for getting a business back into production quickly after an incident occurs |
| What are the different models of CSIRT? | Central, Distributed, Coordinating, Employees, Partial Outsourcing, Full-on Outsourcing |
| What does a CSIRT do? | Intrusion Detection, Advisory Distribution, Education and Awareness, Information Sharing |
| What is the 7 step incident response methodology? | Preparation, Identification, Containment, Investigation, Eradication, Recovery, Follow-up |
| What is the NIST IR methodology? | 1. Preparation, Detection and Analysis. 2. Containment, Eradication and Recovery. 3. Post-incident activity. |
| What are 6 incident categories? | Level 1 – Unauthorized Access Level 2 – DoS Level 3 – Malicious Code Level 4 – Improper Usage Level 5 – Scans/probes/attempted access Level 6 – Investigation Incident |
| What are 3 methods for containment? | 1. Disconnect the system from the network and allow the threat to work. 2. Shut down everything immediately. 3. Continue to allow the system to run and monitor its activities. |
| Explain OODA. | Observe, Orient, Decide, Act. |
| Explain Observe from the OODA Loop. | Gather information about your surroundings . |
| Explain Orient from the OODA Loop. | Pull apart elements of multiple situations to create uncertainty, then reassemble these parts to re-orient yourself. |
| Explain Decide from the OODA Loop. | Select and hypothesize action alternatives generated during orientation. |
| Explain Act from the OODA Loop. | Test out your hypotheses and gather feedback from the actions (back to observation). |
| Name 3 characteristics of a CIRT member. | Flexible, knowledgeable, curious. |
| Name 3 essential items of CIRT training. | 1. Technical and security training 2. Network and device familiarity 3. Policy acquaintance |
| Name some pre-incident preparation tasks | 1. Information gathering 2. Prevention of incidents 3. Providing maximum visibility of network and assets 4. Implementing measures to ensure that an incident will have the smallest impact possible 5. Ensuring CIRT staff are in place and capable |
| Name 5 elements of an IR Toolkit | 1. Software and Hardware 2. Computer systems 3. Contact/escalation list 4. Evidence gathering tools 5. Jump bag |
| What do the core CIRT members do? | 1. Watchers 2. Educators 3. Advisors |
| Who typically makes up a CIRT? | 1. Management 2. Elite members of different operational teams 3. Responders (core member) 4. Analysts (core member) |
| Name some pre-incident preparation tasks | 1. Information gathering 2. Prevention of incidents 3. Providing maximum visibility of network and assets 4. Implementing measures to ensure that an incident will have the smallest impact possible 5. Ensuring CIRT staff are in place and capable |
| Name 5 elements of an IR Toolkit | 1. Software and Hardware 2. Computer systems 3. Contact/escalation list 4. Evidence gathering tools 5. Jump bag |
| What do the core CIRT members do? | 1. Watchers 2. Educators 3. Advisors |
| Who typically makes up a CIRT? | 1. Management 2. Elite members of different operational teams 3. Responders (core member) 4. Analysts (core member) |
| Name 3 characteristics of a SOC. | 1. Generally consists of analysts and senior analysts 2. Monitor network security appliances 3. Raise tickets from security events and perform initial triage of security incidents |
| What are 4 means of detecting security events? | 1. Syslog events 2. Security appliance alerts 3. File system anomalies 4. External notifications. I.e. User ticket, ISP email, customer email |
| What are 7 required categories of incident information needed to identify an incident? | 1. Attacker information 2. Target information 3. Zoning information 4. Times (start and end) 5. What kind of attack is it? 6. Where is the attack coming from? 7. Are there any related attacks? |
| What does containment mean? | 1. Limiting the size and overall damage caused by the threat 2. Protecting resources 3.Protecting users |
| What are 6 methods used for eradication? | 1. Run our antivirus software 2. Pull a system off the network 3. Reimage a system 4. Replace faulty hardware 5. Fire the person who poked holes in the FW 6. Blackhole that malicious traffic/Autonomous System |
Created by:
evilfrosty
Popular Computers sets