Module 3: Incident Investigation and Response

Q: Which step of the NIST Incident Response Lifecycle involves the investigation and validation of alerts?

  • Detection
  • Recovery
  • Discovery
  • Analysis 
Explanation: In the NIST Incident Response Lifecycle, the "Detection and Analysis" phase is responsible for investigating and validating alerts. Events are detected in this phase through a variety of methods, including monitoring tools, alerts, and user reports. The detected events are then analyzed to determine their nature, their impact, and the possible responses.

Q: An organization is completing its annual compliance audit. The people performing the audit have access to any relevant information, including records and documents. Which documentation benefit does this scenario outline?

  • Transparency
  • Accuracy
  • Organization
  • Consistency

Explanation: Transparent documentation ensures that auditors have access to all pertinent information, enabling them to carry out their audit efficiently and verify that the organization complies with applicable legislation and standards.

Q: An organization is working on implementing a new security tool, and a security analyst has been tasked with developing workflow documentation that outlines the process for using the tool. Which documentation benefit does this scenario outline?

  • Quality
  • Standardization 
  • Transparency
  • Clarity
Explanation: Standardization guarantees a consistent, uniform approach to using the new security tool, which helps the organization maintain consistent policies and procedures across the whole organization.

Q: A member of the forensics department of an organization receives a computer that requires examination. On which part of the chain of custody form should they sign their name and write the date?

  • Custody log
  • Description of the evidence
  • Purpose of transfer
  • Evidence movement
Explanation: The member of the forensics department signs their name and writes the date in the Custody log section of the chain of custody form. The custody log documents the specifics of each transfer of the evidence, including the people involved and the dates of transfer, so that there is a recorded history of who has handled the evidence.

Q: Which statement best describes the functionality of automated playbooks?

  • They use automation to execute tasks and response actions. 
  • They require the combination of human intervention and automation to execute tasks.
  • They require the use of human intervention to execute tasks.
  • They use a combination of flowcharts and manual input to execute tasks and response actions.
Explanation: Automated playbooks are predefined, automated processes designed to handle specific tasks and response actions without the need for human interaction. By automating repetitive and standardized activities, they simplify and speed up processes and guarantee that execution is both consistent and efficient. This reduces the amount of manual work security teams have to do, which in turn helps them mitigate threats and incidents more swiftly.

Q: What are the steps of the triage process in the correct order?

  • Assign priority, receive and assess, collect and analyze
  • Receive and assess, assign priority, collect and analyze
  • Receive and assess, collect and analyze, assign priority
  • Collect and analyze, assign priority, receive and assess
Explanation: First, receive and assess: determine the nature of the event or alert and collect preliminary information about it. Next, assign priority: find out how serious and urgent the situation is, and prioritize it based on that information. Finally, collect and analyze: gather specific information and conduct an in-depth study in order to fully understand the situation and choose the right response.

Q: What are the steps of the third phase of the NIST Incident Response Lifecycle? Select three answers.

  • Containment 
  • Response
  • Eradication 
  • Recovery 
Explanation: The third phase of the National Institute of Standards and Technology (NIST) Incident Response Lifecycle comprises three steps: Containment, Eradication, and Recovery.

Q: Which step of the NIST Incident Response Lifecycle involves returning affected systems back to normal operations?

  • Recovery 
  • Response
  • Eradication
  • Containment
Explanation: Recovery is the step of the NIST Incident Response Lifecycle that is responsible for restoring affected systems to their normal state of operation.

Q: Two weeks after an incident involving ransomware, the members of an organization want to review the incident in detail. Which of the following actions should be done during this review? Select all that apply.

  • Determine the person to blame for the incident.
  • Create a final report. 
  • Determine how to improve future response processes and procedures. 
  • Schedule a lessons learned meeting that includes all parties involved with the security incident. 
Explanation: These actions ensure that the incident is documented and thoroughly analyzed, that opportunities for improvement are identified, and that lessons are learned and applied to strengthen the organization's security posture in the future.

Q: What does a final report contain? Select three.

  • Timeline 
  • Recommendations 
  • Incident details 
  • Updates
Explanation: The timeline is a comprehensive record of the events that took place during the incident, including the dates on which specific activities occurred. The recommendations are suggestions, based on the lessons learned from the incident, for improving security processes or controls. The incident details are exhaustive information on the incident itself, including its nature, the impact it had, and the measures taken in response.

Q: In the NIST Incident Response Lifecycle, what is the term used to describe the prompt discovery of security events?

  • Validation
  • Preparation
  • Detection 
  • Investigation
Explanation: In the NIST Incident Response Lifecycle, the prompt discovery of security events is referred to as "Detection". Detection is the process of finding and recognizing possible security issues or events through a variety of monitoring and alerting techniques.

Q: Which of the following does a semi-automated playbook use? Select two.

  • Threat intelligence
  • Automation 
  • Human intervention 
  • Crowdsourcing
Explanation: A semi-automated playbook uses automation to carry out predetermined tasks and appropriate responses automatically, and human intervention to handle tasks or decisions that require human judgment.

Q: Fill in the blank: Eradication is the complete _____ of all the incident elements from affected systems.

  • prevention
  • disconnection
  • removal 
  • isolation
Explanation: Eradication refers to the complete removal of all incident elements from affected systems.

Q: Chain of custody documents establish proof of which of the following? Select two answers.

  • Quality
  • Reliability 
  • Integrity
  • Validation
Explanation: Chain of custody documents establish that the evidence has not been tampered with or altered in any way, preserving its integrity from the time it is collected until it is presented in legal proceedings. By recording who handled and possessed the evidence, they also establish its reliability, so that it can be accepted as accurate and dependable in legal or investigative settings.

Q: After a security incident involving an exploited vulnerability due to outdated software, a security analyst applies patch updates. Which of the following steps does this task relate to?

  • Prevention
  • Response
  • Eradication 
  • Reimaging
Explanation: Eradication involves eliminating the cause of the incident or vulnerability so that it cannot be exploited again. In this scenario, applying patches to the outdated software fixes the vulnerability that was exploited, which removes the immediate danger.

Q: Fill in the blank: A lessons learned meeting should be held within ____ weeks of an incident.

  • two 
  • three
  • four
  • five
Explanation: A lessons learned meeting should take place within two weeks of an incident.

Q: Which documentation provides a comprehensive review of an incident?

  • Lessons learned meeting
  • Timeline
  • Final report 
  • New technology
Explanation: The final report is the document that comprehensively summarizes an incident. It normally contains a comprehensive analysis of the incident, including its causes, its impact, the response actions taken, the lessons learned, and recommendations for future improvements or preventive measures. The final report compiles all of the pertinent information acquired during the incident response process so that stakeholders and decision-makers can use it as a reference.

Q: What are the benefits of documentation during incident response? Select three answers.

  • Quality
  • Standardization 
  • Transparency 
  • Clarity 
Explanation: Standardization: documenting processes and procedures ensures that they are followed consistently, which increases efficiency and effectiveness in the investigation and resolution of incidents. Transparency: documentation gives stakeholders clear insight into incident response operations, enabling them to understand what happened, which actions were taken, and why decisions were made. Clarity: documentation explains the sequence of events, the scope of the incident, and its impact, which helps to facilitate informed decisions and effective communication with all parties involved.

Q: Fill in the blank: Inconsistencies in the collection and logging of evidence cause a _____ chain of custody.

  • broken
  • missing
  • secure
  • forensic
Explanation: Inconsistencies in the collection and logging of evidence result in a broken chain of custody.

Q: Fill in the blank: Containment is the act of limiting and _____ additional damage caused by an incident.

  • preventing
  • eradicating
  • removing
  • detecting

Explanation: Containment is the act of limiting and preventing additional damage caused by an incident.
