Cyber Threat Management (CyberTM) Module 6 Group Test Online

Hint

Volatile data is data stored in memory such as registers, cache, and RAM, or it is data that exists in transit. Volatile memory is lost when the computer loses power.

Hint

A disaster recovery plan enables an organization to prepare for potential disasters and minimize the resulting downtime.

Hint

The management team creates the policies, designs the budget, and is in charge of staffing all departments. Management is also responsible for coordinating the incident response with other stakeholders and minimizing the damage of an incident.

Hint

Operational exercises: At the most extreme are full operational exercises, or simulations. These are designed to interrupt services to verify that all aspects of a plan are in place and sufficient to respond to the type of incident that is being simulated.

Hint

Place the options in the following order:

network path used to establish and maintain command and controlk	infrastructure
a tool or technique used to attack the victim	capability
the parties responsible for the intrusion	adversary
the target of the attack	victim

Hint

A chain of custody refers to the documentation of evidence collected about an incident that is used by authorities during an investigation.

Hint

The Cyber Kill Chain specifies seven steps (or phases) and sequences that a threat actor must complete to accomplish an attack: – Reconnaissance – The threat actor performs research, gathers intelligence, and selects targets. – Weaponization – The threat actor uses the information from the reconnaissance phase to develop a weapon against specific targeted systems. – Delivery – The weapon is transmitted to the target using a delivery vector. – Exploitation – The threat actor uses the weapon delivered to break the vulnerability and gain control of the target. – Installation – The threat actor establishes a back door into the system to allow for continued access to the target. – Command and Control (CnC) – The threat actor establishes command and control (CnC) with the target system. – Action on Objectives – The threat actor is able to take action on the target system, thus achieving the original objective.

Hint

In the detection and analysis phase of the NIST incident response process life cycle, the CSIRT should immediately perform an initial analysis to determine the scope of the incident, such as which networks, systems, or applications are affected; who or what originated the incident; and how the incident is occurring.

Hint

Threat attribution refers to determining the individual, organization, or nation responsible for a successful intrusion or attack incident. The security investigation team correlates all the evidence in order to identify commonalities between tactics, techniques, and procedures (TPPs) for known and unknown threat actors.

Hint

Place the options in the following order:

step 1	reconnaissance
step 2	weaponization
step 3	delivery
step 4	exploitation
step 5	installation
step 6	command and control
step 7	action on objectives

Hint

Place the options in the following order:

preserves attack evidence	IT support
designs the budget	management
reviews policies for local or federal guideline violations	legal department
performs disciplinary measures	human resources
develops firewall rules	information assurance

Hint

Corrective measures include controls that restore the system after a disaster or an event.

Hint

As an incident category, the precursor is a sign that an incident might occur in the future. Examples of precursors are log entries that show a response to a port scan or a newly-discovered vulnerability in web servers using Apache.

Hint

Once a target system is compromised, the threat actor will establish a back door into the system to allow for continued access to the target. Adding services and autorun keys is a way to create a point of persistent access.

Hint

In the command and control phase of the Cyber Kill Chain, the threat actor establishes command and control (CnC) with the target system. With the two-way communication channel, the threat actor is able to issue commands to the malware software installed on the target.

Hint

Corroborating evidence is evidence that supports a proposition already supported by initial evidence, therefore confirming the original proposition. Circumstantial evidence is evidence other than first-hand accounts of events provided by witnesses.

Hint

NIST recommends creating policies, plans, and procedures for establishing and maintaining a CSIRC. One component of the plan element is to develop metrics for measuring the incident response capability and its effectiveness.

Hint

A normal file copy does not recover all data on a storage device so an unaltered disk image is commonly made. An unaltered disk image preserves the original evidence, thus preventing inadvertent alteration during the discovery phase. It also allows recreation of the original evidence.

Hint

NIST describes the digital forensics process as involving the following four steps: * Collection – the identification of potential sources of forensic data and acquisition, handling, and storage of that data. * Examination – assessing and extracting relevant information from the collected data. This may involve decompression or decryption of the data. * Analysis – drawing conclusions from the data. Salient features, such as people, places, times, events, and so on should be documented. * Reporting – preparing and presenting information that resulted from the analysis. Reporting should be impartial and alternative explanations should be offered if appropriate.

Hint

In the installation phase of the Cyber Kill Chain, the threat actor establishes a back door into the system to allow for continued access to the target.