Checkpoint Exam: Incident Response Answers

Explanation: Volatile data is data stored in memory such as registers, cache, and RAM, or it is data that exists in transit. Volatile memory is lost when the computer loses power.

Explanation: A disaster recovery plan enables an organization to prepare for potential disasters and minimize the resulting downtime.

Explanation: The management team creates the policies, designs the budget, and is in charge of staffing all departments. Management is also responsible for coordinating the incident response with other stakeholders and minimizing the damage of an incident.

Explanation: Operational exercises: At the most extreme are full operational exercises, or simulations. These are designed to interrupt services to verify that all aspects of a plan are in place and sufficient to respond to the type of incident that is being simulated.

Explanation: Place the options in the following order:

Explanation: A chain of custody refers to the documentation of evidence collected about an incident that is used by authorities during an investigation.

Explanation: The Cyber Kill Chain specifies seven steps (or phases) and sequences that a threat actor must complete to accomplish an attack:

– Reconnaissance – The threat actor performs research, gathers intelligence, and selects targets.
– Weaponization – The threat actor uses the information from the reconnaissance phase to develop a weapon against specific targeted systems.
– Delivery – The weapon is transmitted to the target using a delivery vector.
– Exploitation – The threat actor uses the weapon delivered to break the vulnerability and gain control of the target.
– Installation – The threat actor establishes a back door into the system to allow for continued access to the target.
– Command and Control (CnC) – The threat actor establishes command and control (CnC) with the target system.
– Action on Objectives – The threat actor is able to take action on the target system, thus achieving the original objective.

Explanation: In the detection and analysis phase of the NIST incident response process life cycle, the CSIRT should immediately perform an initial analysis to determine the scope of the incident, such as which networks, systems, or applications are affected; who or what originated the incident; and how the incident is occurring.

Explanation: Threat attribution refers to determining the individual, organization, or nation responsible for a successful intrusion or attack incident. The security investigation team correlates all the evidence in order to identify commonalities between tactics, techniques, and procedures (TPPs) for known and unknown threat actors.

Explanation: Place the options in the following order:

Explanation: Place the options in the following order:

Explanation: Corrective measures include controls that restore the system after a disaster or an event.

Explanation: As an incident category, the precursor is a sign that an incident might occur in the future. Examples of precursors are log entries that show a response to a port scan or a newly-discovered vulnerability in web servers using Apache.

Explanation: Once a target system is compromised, the threat actor will establish a back door into the system to allow for continued access to the target. Adding services and autorun keys is a way to create a point of persistent access.

Explanation: In the command and control phase of the Cyber Kill Chain, the threat actor establishes command and control (CnC) with the target system. With the two-way communication channel, the threat actor is able to issue commands to the malware software installed on the target.

Explanation: Corroborating evidence is evidence that supports a proposition already supported by initial evidence, therefore confirming the original proposition. Circumstantial evidence is evidence other than first-hand accounts of events provided by witnesses.

Explanation: NIST recommends creating policies, plans, and procedures for establishing and maintaining a CSIRC. One component of the plan element is to develop metrics for measuring the incident response capability and its effectiveness.

Explanation: A normal file copy does not recover all data on a storage device so an unaltered disk image is commonly made. An unaltered disk image preserves the original evidence, thus preventing inadvertent alteration during the discovery phase. It also allows recreation of the original evidence.

Explanation: NIST describes the digital forensics process as involving the following four steps:

* Collection – the identification of potential sources of forensic data and acquisition, handling, and storage of that data.
* Examination – assessing and extracting relevant information from the collected data. This may involve decompression or decryption of the data.
* Analysis – drawing conclusions from the data. Salient features, such as people, places, times, events, and so on should be documented.
* Reporting – preparing and presenting information that resulted from the analysis. Reporting should be impartial and alternative explanations should be offered if appropriate.

Explanation: In the installation phase of the Cyber Kill Chain, the threat actor establishes a back door into the system to allow for continued access to the target.