6.6.2 Digital Forensics and Incident Analysis and Response Quiz Answers
6.6.2 Digital Forensics and Incident Analysis and Response Quiz. Cyber Threat Management Module 6 Quiz Answers
1. Which term is used in the Diamond Model of intrusion to describe a tool that a threat actor uses toward a target system?
- adversary
- capability
- infrastructure
- weaponization
Explanation: The Diamond Model of intrusion contains four parts:
- Adversary – the parties responsible for the intrusion
- Capability – a tool or technique that the adversary uses to attack the victim
- Infrastructure – the network path or paths that the adversaries use to establish and maintain command and control over their capabilities
- Victim – the target of the attack
2. Which two actions can help identify an attacking host during a security incident? (Choose two.)
- Validate the IP address of the threat actor to determine if it is viable.
- Develop identifying criteria for all evidence such as serial number, hostname, and IP address.
- Log the time and date that the evidence was collected and the incident remediated.
- Use an Internet search engine to gain additional information about the attack.
- Determine the location of the recovery and storage of all evidence.
Explanation: The following actions can help identify an attacking host during a security incident:
- Use incident databases to research related activity.
- Validate the IP address of the threat actor to determine if it is a viable one.
- Use an Internet search engine to gain additional information about the attack.
- Monitor the communication channels that some threat actors use, such as IRC.
3. A user is asked to create a disaster recovery plan for a company. The user needs to have a few questions answered by management to proceed. Which three questions should the user ask management as part of the process of creating the plan? (Choose three.)
- Where does the individual perform the process?
- What is the process?
- How long does the process take?
- Does the process require approval?
- Can the individual perform the process?
- Who is responsible for the process
Explanation: Disaster recovery plans are made based on the criticality of a service or process. Answers to questions of who, what, where, and why are necessary for a plan to be successful.
4. What is the purpose of the policy element in a computer security incident response capability of an organization, as recommended by NIST?
- It provides metrics for measuring the incident response capability and effectiveness.
- It details how incidents should be handled based on the organizational mission and functions.
- It defines how the incident response teams will communicate with the rest of the organization and with other organizations.
- It provides a roadmap for maturing the incident response capability.
Explanation: NIST recommends creating policies, plans, and procedures for establishing and maintaining a CSIRC. A purpose of the policy element is to detail how incidents should be handled based on the mission and functions of an organization.
5. After a threat actor completes a port scan of the public web server of an organization and identifies a potential vulnerability, what is the next phase for the threat actor in order to prepare and launch an attack as defined in the Cyber Kill Chain?
- weaponization
- exploitation
- action on objectives
- reconnaissance
Explanation: The Cyber Kill Chain specifies seven steps (or phases) and sequences that a threat actor must complete to accomplish an attack:
- Reconnaissance – The threat actor performs research, gathers intelligence, and selects targets.
- Weaponization – The threat actor uses the information from the reconnaissance phase to develop a weapon against specific targeted systems.
- Delivery – The weapon is transmitted to the target using a delivery vector.
- Exploitation – The threat actor uses the weapon delivered to break the vulnerability and gain control of the target.
- Installation – The threat actor establishes a back door into the system to allow for continued access to the target.
- Command and Control (CnC) – The threat actor establishes command and control (CnC) with the target system.
- Action on Objectives – The threat actor is able to take action on the target system, thus achieving the original objective.
6. After containing an incident that infected user workstations with malware, what are three effective remediation procedures that an organization can take for eradication? (Choose three.)
- Use clean and recent backups to recover hosts.
- Update and patch the operating system and installed software of all hosts.
- Rebuild DHCP servers using clean installation media.
- Rebuild hosts with installation media if no backups are available.
- Disconnect or disable all wired and wireless network adapters until the remediation is complete.
- Change assigned names and passwords for all devices.
Explanation: To recover infected user workstations, use clean and recent backups or rebuild the PCs with installation media if no backups are available or they have been compromised. Also, fully update and patch the operating system and installed software of all hosts. All users are encouraged to change their passwords for the workstation or workstations they use. Rebuilding DHCP servers is needed only if they are affected by the incident.Also not all devices need to change the name and password configuration setting unless they are affected by the incident.
7. The company you work for has asked you to create a broad plan that includes DRP and getting critical systems to another location in case of disaster. What type of plan are you being asked to create?
- annual loss expectancy
- Network Admission Control
- business continuity plan
- disaster recovery plan
Explanation: A plan that goes beyond an incident response or DRP also allows for succession planning in case of disaster. The broader plan needs to make sure the company can continue to operate in the face of a disaster.
8. A threat actor has gained administrative access to a system and achieved the goal of controlling the system for a future DDoS attack by establishing a communication channel with a CnC owned by the threat actor. Which phase in the Cyber Kill Chain model describes the situation?
- command and control
- exploitation
- delivery
- action on objectives
Explanation: The Cyber Kill Chain specifies seven steps (or phases) and sequences that a threat actor must complete to accomplish an attack:
- Reconnaissance – The threat actor performs research, gathers intelligence, and selects targets.
- Weaponization – The threat actor uses the information from the reconnaissance phase to develop a weapon against specific targeted systems.
- Delivery – The weapon is transmitted to the target using a delivery vector.
- Exploitation – The threat actor uses the weapon delivered to break the vulnerability and gain control of the target.
- Installation – The threat actor establishes a back door into the system to allow for continued access to the target.
- Command and Control (CnC) – The threat actor establish command and control (CnC) with the target system.
- Action on Objectives – The threat actor is able to take action on the target system, thus achieving the original objective.
9. According to NIST, which step in the digital forensics process involves extracting relevant information from data?
- collection
- analysis
- reporting
- examination
Explanation: NIST describes the digital forensics process as involving the following four steps:
- Collection – the identification of potential sources of forensic data and acquisition, handling, and storage of that data.
- Examination – assessing and extracting relevant information from the collected data. This may involve decompression or decryption of the data.
- Analysis – drawing conclusions from the data. Salient features such as people, places, times, events, and so on should be documented.
- Reporting – preparing and presenting information that resulted from the analysis. Reporting should be impartial and alternative explanations should be offered if appropriate.
10. Which meta-feature element in the Diamond Model describes tools and information (such as software, black hat knowledge base, username and password) that the adversary uses for the intrusion event?
- methodology
- resources
- results
- direction
Explanation: The resources element in the Diamond Model is used to describe one or more external resources used by the adversary for the intrusion event. The resources include software, knowledge gained by the adversary, information (e.g., username/passwords), and assets to carry out the attack.
11. What is a MITRE ATT&CK framework?
- a knowledge base of threat actor behavior
- guidelines for the collection of digital evidence
- a collection of malware exploits and prevention solutions
- documented processes and procedures for digital forensic analysis
Explanation: The MITRE framework is a global knowledge base of threat actor behavior. It is based on observation and analysis of real-world exploits with the purpose of describing the behavior of the attacker, not the attack itself. It is designed to enable automated information sharing by defining data structures for the exchange of information between its community of users and MITRE.
12. Which action should be included in a plan element that is part of a computer security incident response capability (CSIRC)?
- Prioritize severity ratings of security incidents.
- Create an organizational structure and definition of roles, responsibilities, and levels of authority.
- Detail how incidents should be handled based on the mission and functions of an organization.
- Develop metrics for measuring the incident response capability and its effectiveness.
Explanation: NIST recommends creating policies, plans, and procedures for establishing and maintaining a CSIRC. A purpose of the plan element is to develop metrics for measuring the incident response capability and its effectiveness.
13. Which statement describes the Cyber Kill Chain?
- It specifies common TCP/IP protocols used to fight against cyberattacks.
- It uses the OSI model to describe cyberattacks at each of the seven layers.
- It identifies the steps that adversaries must complete to accomplish their goals.
- It is a set of metrics designed to create a way to describe security incidents in a structured and repeatable way.
Explanation: The Cyber Kill Chain was developed to identify and prevent cyber intrusions by specifying what threat actors must complete to accomplish their goals.