6.6.2 Digital Forensics and Incident Analysis and Response Quiz Answers
6.6.2 Digital Forensics and Incident Analysis and Response Quiz. Cyber Threat Management Module 6 Quiz Answers
1. Which term is used in the Diamond Model of intrusion to describe a tool that a threat actor uses toward a target system?
2. Which two actions can help identify an attacking host during a security incident? (Choose two.)
- Validate the IP address of the threat actor to determine if it is viable.
- Develop identifying criteria for all evidence such as serial number, hostname, and IP address.
- Log the time and date that the evidence was collected and the incident remediated.
- Use an Internet search engine to gain additional information about the attack.
- Determine the location of the recovery and storage of all evidence.
3. A user is asked to create a disaster recovery plan for a company. The user needs to have a few questions answered by management to proceed. Which three questions should the user ask management as part of the process of creating the plan? (Choose three.)
- Where does the individual perform the process?
- What is the process?
- How long does the process take?
- Does the process require approval?
- Can the individual perform the process?
- Who is responsible for the process?
4. What is the purpose of the policy element in a computer security incident response capability of an organization, as recommended by NIST?
- It provides metrics for measuring the incident response capability and effectiveness.
- It details how incidents should be handled based on the organizational mission and functions.
- It defines how the incident response teams will communicate with the rest of the organization and with other organizations.
- It provides a roadmap for maturing the incident response capability.
5. After a threat actor completes a port scan of the public web server of an organization and identifies a potential vulnerability, what is the next phase for the threat actor in order to prepare and launch an attack as defined in the Cyber Kill Chain?
- action on objectives
6. After containing an incident that infected user workstations with malware, what are three effective remediation procedures that an organization can take for eradication? (Choose three.)
- Use clean and recent backups to recover hosts.
- Update and patch the operating system and installed software of all hosts.
- Rebuild DHCP servers using clean installation media.
- Rebuild hosts with installation media if no backups are available.
- Disconnect or disable all wired and wireless network adapters until the remediation is complete.
- Change assigned names and passwords for all devices.
7. The company you work for has asked you to create a broad plan that includes DRP and getting critical systems to another location in case of disaster. What type of plan are you being asked to create?
- annual loss expectancy
- Network Admission Control
- business continuity plan
- disaster recovery plan
8. A threat actor has gained administrative access to a system and achieved the goal of controlling the system for a future DDoS attack by establishing a communication channel with a CnC owned by the threat actor. Which phase in the Cyber Kill Chain model describes the situation?
- command and control
- action on objectives
9. According to NIST, which step in the digital forensics process involves extracting relevant information from data?
10. Which meta-feature element in the Diamond Model describes tools and information (such as software, black hat knowledge base, username and password) that the adversary uses for the intrusion event?
11. What is a MITRE ATT&CK framework?
- a knowledge base of threat actor behavior
- guidelines for the collection of digital evidence
- a collection of malware exploits and prevention solutions
- documented processes and procedures for digital forensic analysis
12. Which action should be included in a plan element that is part of a computer security incident response capability (CSIRC)?
- Prioritize severity ratings of security incidents.
- Create an organizational structure and definition of roles, responsibilities, and levels of authority.
- Detail how incidents should be handled based on the mission and functions of an organization.
- Develop metrics for measuring the incident response capability and its effectiveness.
13. Which statement describes the Cyber Kill Chain?
- It specifies common TCP/IP protocols used to fight against cyberattacks.
- It uses the OSI model to describe cyberattacks at each of the seven layers.
- It identifies the steps that adversaries must complete to accomplish their goals.
- It is a set of metrics designed to create a way to describe security incidents in a structured and repeatable way.