- A software bug causes an application to crash.
- An unauthorized user successfully changes the password of an account that does not belong to them.
- An authorized user successfully logs in to an account using their credentials and multi-factor authentication.
- A user installs a device on their computer that is allowed by an organization’s policy.
Q: What is the NIST Incident Response Lifecycle?
- A system that only includes regulatory standards and guidelines
- The process used to document events
- The method of closing an investigation
- A framework that provides a blueprint for effective incident response
Q: Which of the following are phases of the NIST Incident Response Lifecycle? Select three answers.
- Containment, Eradication, and Recovery
- Preparation
- Detection and Analysis
- Protection
Q: What is a computer security incident response team (CSIRT)?
- A specialized group of security professionals who are trained in incident management and response
- A specialized group of security professionals who are solely dedicated to crisis management
- A specialized group of security professionals who focus on incident prevention
- A specialized group of security professionals who work in isolation from other departments
Q: What are some common elements contained in incident response plans? Select two answers.
- Incident response procedures
- Simulations
- System information
- Financial information
Q: What are investigative tools used for?
- Monitoring activity
- Documenting incidents
- Managing alerts
- Analyzing events
Q: What are examples of tools used for documentation? Select two answers.
- Playbooks
- Cameras
- Final reports
- Audio recorders
Q: What is the difference between an intrusion detection system (IDS) and an intrusion prevention system (IPS)?
- An IDS stops intrusive activity whereas an IPS monitors system activity and alerts on intrusive activity.
- An IDS and an IPS both have the same capabilities.
- An IDS monitors system activity and alerts on intrusive activity whereas an IPS stops intrusive activity.
- An IDS automates response and an IPS generates alerts.
Q: What is the difference between a security information and event management (SIEM) tool and a security orchestration, automation, and response (SOAR) tool?
- SIEM tools use automation to respond to security incidents. SOAR tools collect and analyze log data, which are then reviewed by security analysts.
- SIEM tools and SOAR tools have the same capabilities.
- SIEM tools are used for case management while SOAR tools collect, analyze, and report on log data.
- SIEM tools collect and analyze log data, which are then reviewed by security analysts. SOAR tools use automation to respond to security incidents.
Q: What happens during the data collection and aggregation step of the SIEM process? Select two answers.
- Data is centralized in one place.
- Data is collected from different sources.
- Data is analyzed according to rules.
- Data is cleaned and transformed.
Q: Which of the following is an example of a security incident?
- Multiple unauthorized transfers of sensitive documents to an external system.
- An authorized user emails a file to a customer.
- A company experiences increased traffic volumes on their website because of a new product release.
- An extreme weather event causes a network outage.
Q: What process is used to provide a blueprint for effective incident response?
- The NIST Cybersecurity Framework
- The 5 W’s of an incident
- The NIST Incident Response Lifecycle
- The incident handler’s journal
Q: What are some roles included in a computer security incident response team (CSIRT)? Select three answers.
- Security analyst
- Incident coordinator
- Technical lead
- Incident manager
Q: What is an incident response plan?
- A document that contains policies, standards, and procedures
- A document that outlines the procedures to take in each step of incident response
- A document that details system information
- A document that outlines a security team’s contact information
Q: A cybersecurity analyst receives an alert about a potential security incident. Which type of tool should they use to examine the alert’s evidence in greater detail?
- A recovery tool
- An investigative tool
- A detection tool
- A documentation tool
Q: What are the qualities of effective documentation? Select three answers.
- Clear
- Accurate
- Consistent
- Brief
Q: Fill in the blank: During the _____ step of the SIEM process, the collected raw data is transformed to create log record consistency.
- data analysis
- data collection
- data normalization
- data aggregation
Q: Which process uses a variety of applications, tools, and workflows to respond to security events?
- Security information and event management (SIEM)
- Intrusion prevention system (IPS)
- Intrusion detection system (IDS)
- Security orchestration, automation, and response (SOAR)
Q: A security team uses the NIST Incident Response Lifecycle to support incident response operations. How should they follow the steps to use the approach most effectively?
- Skip irrelevant steps.
- Only use each step once.
- Complete the steps in any order.
- Overlap the steps as needed.
Q: Which core functions of the NIST Cybersecurity Framework relate to the NIST Incident Response Lifecycle? Select two answers.
- Detect
- Investigate
- Respond
- Discover
Explanation: The NIST Incident Response Lifecycle consists of several essential phases, including Detection and Analysis (which maps to the NIST Cybersecurity Framework's "Detect" function) and Containment, Eradication, and Recovery, the activities used to contain, eliminate, and recover from events (which map to the "Respond" function). These two core functions are the ones that correspond to the lifecycle's phases.