Module 1: Introduction to Detection and Incident Response

Q: Which of the following is an example of a security incident?

  • A software bug causes an application to crash.
  • An unauthorized user successfully changes the password of an account that does not belong to them. 
  • An authorized user successfully logs in to an account using their credentials and multi-factor authentication.
  • A user installs a device on their computer that is allowed by an organization’s policy.
Explanation: Because this situation involves unauthorized access and alteration of account credentials, it constitutes a security incident: it has the potential to result in unauthorized access to critical information or resources.

Q: What is the NIST Incident Response Lifecycle?

  • A system that only includes regulatory standards and guidelines
  • The process used to document events
  • The method of closing an investigation
  • A framework that provides a blueprint for effective incident response 
Explanation: To give organizations a framework for reacting to and recovering from cybersecurity events, the National Institute of Standards and Technology (NIST) established a formalized methodology. This framework defines the actions and procedures involved in preparing for, detecting, analyzing, containing, eradicating, recovering from, and managing cybersecurity incidents once they have occurred. By providing a methodical approach, it makes it possible to properly manage and reduce the consequences of security breaches and other occurrences.

Q: Which of the following are phases of the NIST Incident Response Lifecycle? Select three answers.

  • Containment, Eradication, and Recovery 
  • Preparation 
  • Detection and Analysis 
  • Protection
Explanation: From planning in advance to identifying and evaluating problems, containing them, eliminating the root cause, and recovering from the effect of the incident, these phases give a methodical strategy for addressing cybersecurity issues from beginning to end. Although "Protection" is also an essential aspect of security, it is more often seen as a component of preventative measures than as a phase of the incident response lifecycle in and of itself.

Q: What is a computer security incident response team (CSIRT)?

  • A specialized group of security professionals who are trained in incident management and response
  • A specialized group of security professionals who are solely dedicated to crisis management 
  • A specialized group of security professionals who focus on incident prevention
  • A specialized group of security professionals who work in isolation from other departments
Explanation: CSIRTs, or Computer Security Incident Response Teams, are often devoted teams inside a company or collaborative organizations that are primarily concerned with reacting to and managing cybersecurity issues. The management of security breaches, the mitigation of risks, and the protection of the organization's systems and data are all within their purview. They are responsible for organizing and carrying out incident response actions. Although they are experts in incident management and response, they often collaborate with other departments and teams within a company to efficiently resolve security events.

Q: What are some common elements contained in incident response plans? Select two answers.

  • Incident response procedures 
  • Simulations
  • System information 
  • Financial information
Explanation: Incident response procedures provide a step-by-step breakdown of the actions that should be performed when reacting to a security event. These include the roles and duties of team members, communication protocols, containment techniques, eradication methods, recovery processes, and post-incident analysis. System information comprises comprehensive documentation about the systems, networks, applications, and data assets currently in use by the organization. A thorough understanding of system settings, essential assets, dependencies, and vulnerabilities is necessary to effectively identify, contain, and recover from incidents.

Q: What are investigative tools used for?

  • Monitoring activity
  • Documenting incidents
  • Managing alerts
  • Analyzing events 
Explanation: The purpose of these tools is to assist in examining and analyzing events, incidents, or anomalies that occur inside a system or network. They help security teams gain a more in-depth understanding of the specifics of security incidents, comprehend the scale and effect of the occurrence, determine the underlying cause, and collect evidence for subsequent action or improvement. Monitoring activity, documenting events, and managing alerts are all relevant components of cybersecurity operations; however, the emphasis of investigative tools is specifically on the deep analysis and forensic examination that is necessary throughout the stages of incident response and inquiry.

Q: What are examples of tools used for documentation? Select two answers.

  • Playbooks
  • Cameras 
  • Final reports
  • Audio recorders 
Explanation: Playbooks are organized documents that define, in a step-by-step manner, the processes and activities to be performed during the different phases of incident response. By providing unambiguous direction to incident response teams, playbooks contribute to consistency and efficiency in the management of situations. Final reports summarize the findings, actions taken, lessons learned, and recommendations that resulted from the investigation and response to a cybersecurity event. In addition to providing stakeholders with a thorough perspective, they contribute to the improvement of incident response procedures in the future.

Q: What is the difference between an intrusion detection system (IDS) and an intrusion prevention system (IPS)?

  • An IDS stops intrusive activity whereas an IPS monitors system activity and alerts on intrusive activity.
  • An IDS and an IPS both have the same capabilities.
  • An IDS monitors system activity and alerts on intrusive activity whereas an IPS stops intrusive activity. 
  • An IDS automates response and an IPS generates alerts.
Explanation: An IDS monitors the activities of the system and notifies the user of any intrusive behavior. By monitoring logs or network traffic, it can identify possible security events or policy breaches, but it does not take any direct action to stop these behaviors from occurring. An IPS stops intrusive activities: it can actively block or stop suspected harmful activity or attacks in real time. An intrusion prevention system (IPS) can be set up to automatically react to identified threats by restricting traffic, discarding packets, or taking other preventative measures.

Q: What is the difference between a security information and event management (SIEM) tool and a security orchestration, automation, and response (SOAR) tool?

  • SIEM tools use automation to respond to security incidents. SOAR tools collect and analyze log data, which are then reviewed by security analysts.
  • SIEM tools and SOAR tools have the same capabilities.
  • SIEM tools are used for case management while SOAR tools collect, analyze, and report on log data.
  • SIEM tools collect and analyze log data, which are then reviewed by security analysts. SOAR tools use automation to respond to security incidents. 
Explanation: SIEM tools are responsible for gathering and analyzing log data from a wide variety of sources, including systems, applications, and network devices. Additionally, they generate alerts and give insights into possible threats by correlating events to identify security problems. The primary functions of security information and event management (SIEM) technologies are to monitor, notify, and provide insight into security incidents and occurrences. To investigate and respond to occurrences, they often rely on manual examination and analysis undertaken by security analysts, whereas SOAR tools use automation to respond to security incidents.

Q: What happens during the data collection and aggregation step of the SIEM process? Select two answers.

  • Data is centralized in one place. 
  • Data is collected from different sources. 
  • Data is analyzed according to rules.
  • Data is cleaned and transformed.
Explanation: Security information and event management (SIEM) systems collect data from a wide variety of sources, including logs from servers, network devices, applications, and security appliances. By aggregating this data, the SIEM can have a full picture of actions and events that occur throughout the organization's IT infrastructure. All of the information that has been gathered is stored in a single repository or data store that is part of the SIEM platform. During the following stages of the SIEM process, this centralized storage makes it easier to handle data efficiently, correlate data, and conduct analysis.

Q: Which of the following is an example of a security incident?

  • Multiple unauthorized transfers of sensitive documents to an external system. 
  • An authorized user emails a file to a customer.
  • A company experiences increased traffic volumes on their website because of a new product release.
  • An extreme weather event causes a network outage.
Explanation: Because it involves unauthorized access and unlawful exfiltration of sensitive documents, this situation constitutes a security incident: it has the potential to result in data breaches and the compromise of confidential information.

Q: What process is used to provide a blueprint for effective incident response?

  • The NIST Cybersecurity Framework
  • The 5 W’s of an incident
  • The NIST Incident Response Lifecycle 
  • The incident handler’s journal
Explanation: The National Institute of Standards and Technology (NIST) has established a structured framework known as the NIST Incident Response Lifecycle. This framework explains the major stages and actions that are involved in properly managing and reacting to cybersecurity events. Within the context of incident response, this lifecycle assists businesses in preparing for, detecting, analyzing, containing, eliminating, and recovering from occurrences. This ensures a methodical and all-encompassing approach to incident response.

Q: What are some roles included in a computer security incident response team (CSIRT)? Select three answers.

  • Security analyst 
  • Incident coordinator 
  • Technical lead 
  • Incident manager
Explanation: A security analyst is responsible for monitoring, identifying, and evaluating security events. They investigate alerts, carry out early evaluations, and collect data on security occurrences. An incident coordinator is in charge of managing and coordinating the process of responding to incidents. They are responsible for ensuring that communication is maintained among the members of the team, documenting the actions performed in response to the event, and acting as the point of contact for everyone involved. A technical lead offers advice and technical knowledge in the event of an emergency. They are in charge of the technical response efforts, contribute to determining the underlying cause, and put remediation measures into action.

Q: What is an incident response plan?

  • A document that contains policies, standards, and procedures
  • A document that outlines the procedures to take in each step of incident response 
  • A document that details system information
  • A document that outlines a security team’s contact information
Explanation: Including tasks such as preparation, detection, analysis, containment, eradication, recovery, and post-incident operations, this plan offers comprehensive guidance on how to manage and react to security issues. In addition to ensuring that all members of the team are aware of their respective roles and duties, it also guarantees that events are handled in a way that is both coordinated and efficient.

Q: A cybersecurity analyst receives an alert about a potential security incident. Which type of tool should they use to examine the alert’s evidence in greater detail?

  • A recovery tool
  • An investigative tool 
  • A detection tool
  • A documentation tool
Explanation: The purpose of investigative tools is to assist in conducting in-depth analyses and investigations of security issues. They help analysts examine the evidence in greater depth, gain an understanding of the nature and breadth of the event, and gather the information essential to identify the proper steps to take in reaction to the occurrence.

Q: What are the qualities of effective documentation? Select three answers.

  • Clear 
  • Accurate
  • Consistent 
  • Brief
Explanation: All of the important stakeholders should be able to interpret the documentation, so it should be written in a manner that is easily understood and free of ambiguity. Documentation of procedures, events, and actions has to be accurate and up to date, representing truthful information. The documentation has to be consistent in terms of its structure, language, and style to guarantee that it is dependable and simple to follow across a variety of documents and over time.

Q: Fill in the blank: During the _____ step of the SIEM process, the collected raw data is transformed to create log record consistency.

  • data analysis
  • data collection
  • data normalization 
  • data aggregation
Explanation: A transformation is performed on the raw data that has been acquired as part of the SIEM process to establish log record consistency during the data normalization stage. The process of data normalization guarantees that the data from different sources are structured in a consistent manner, which enables efficient correlation, analysis, and reporting.

Q: Which process uses a variety of applications, tools, and workflows to respond to security events?

  • Security information and event management (SIEM)
  • Intrusion prevention system (IPS)
  • Intrusion detection system (IDS)
  • Security orchestration, automation, and response (SOAR) 
Explanation: To improve the efficacy and speed of incident response, SOAR systems combine and automate a wide variety of security technologies and procedures. By doing so, they facilitate the streamlining of processes, the automation of repetitive operations, and the coordination of actions across various security applications and systems.

Q: A security team uses the NIST Incident Response Lifecycle to support incident response operations. How should they follow the steps to use the approach most effectively?

  • Skip irrelevant steps.
  • Only use each step once.
  • Complete the steps in any order.
  • Overlap the steps as needed. 
Explanation: The National Institute of Standards and Technology (NIST) Incident Response Lifecycle is comprised of stages that often need to be revisited and may overlap depending on the nature of the event and the developing circumstances. This strategy enables a fluid and adaptable response to security issues, allowing the team to return to prior stages if new information becomes available or if extra measures are necessary.

Q: Which core functions of the NIST Cybersecurity Framework relate to the NIST Incident Response Lifecycle? Select two answers.

  • Detect 
  • Investigate
  • Respond 
  • Discover
Explanation: The NIST Incident Response Lifecycle consists of several essential phases, including the detection and analysis of incidents, which corresponds to the "Detect" function, and the implementation of activities to contain, eradicate, and recover from events, which corresponds to the "Respond" function.