Module 28: Digital Forensics and Incident Analysis and Response Answers

1. To ensure that the chain of custody is maintained, what three items should be logged about evidence that is collected and analyzed after a security incident has occurred? (Choose three.)

  • measures used to prevent an incident
  • extent of the damage to resources and assets
  • serial numbers and hostnames of devices used as evidence
  • time and date the evidence was collected
  • vulnerabilities that were exploited in an attack
  • location of all evidence

Explanation: A chain of custody refers to the proper accounting of evidence collected about an incident that is used as part of an investigation. The chain of custody should include the location of all evidence, the identifying information of all evidence such as serial numbers and hostnames, identifying information about all persons handing the evidence, and the time and date that the evidence was collected.

2. A threat actor has gained administrative access to a system and achieved the goal of controlling the system for a future DDoS attack by establishing a communication channel with a CnC owned by the threat actor. Which phase in the Cyber Kill Chain model describes the situation?

  • command and control
  • exploitation
  • action on objectives
  • delivery

Explanation: The Cyber Kill Chain specifies seven steps (or phases) and sequences that a threat actor must complete to accomplish an attack:

  • Reconnaissance – The threat actor performs research, gathers intelligence, and selects targets.
  • Weaponization – The threat actor uses the information from the reconnaissance phase to develop a weapon against specific targeted systems.
  • Delivery – The weapon is transmitted to the target using a delivery vector.
  • Exploitation – The threat actor uses the weapon delivered to break the vulnerability and gain control of the target.
  • Installation – The threat actor establishes a back door into the system to allow for continued access to the target.
  • Command and Control (CnC) – The threat actor establish command and control (CnC) with the target system.
  • Action on Objectives – The threat actor is able to take action on the target system, thus achieving the original objective.

3. Which meta-feature element in the Diamond Model describes tools and information (such as software, black hat knowledge base, username and password) that the adversary uses for the intrusion event?

  • resources
  • results
  • direction
  • methodology

Explanation: The resources element in the Diamond Model is used to describe one or more external resources used by the adversary for the intrusion event. The resources include software, knowledge gained by the adversary, information (e.g., username/passwords), and assets to carry out the attack.

4. Which action should be included in a plan element that is part of a computer security incident response capability (CSIRC)?

  • Create an organizational structure and definition of roles, responsibilities, and levels of authority.
  • Detail how incidents should be handled based on the mission and functions of an organization.
  • Prioritize severity ratings of security incidents.
  • Develop metrics for measuring the incident response capability and its effectiveness.

Explanation: NIST recommends creating policies, plans, and procedures for establishing and maintaining a CSIRC. A purpose of the plan element is to develop metrics for measuring the incident response capability and its effectiveness.

5. Which two actions can help identify an attacking host during a security incident? (Choose two.)

  • Validate the IP address of the threat actor to determine if it is viable.
  • Use an Internet search engine to gain additional information about the attack.
  • Determine the location of the recovery and storage of all evidence.
  • Develop identifying criteria for all evidence such as serial number, hostname, and IP address.
  • Log the time and date that the evidence was collected and the incident remediated.

Explanation: The following actions can help identify an attacking host during a security incident:

  • Use incident databases to research related activity.
  • Validate the IP address of the threat actor to determine if it is a viable one.
  • Use an Internet search engine to gain additional information about the attack.
  • Monitor the communication channels that some threat actors use, such as IRC.

6. What is a MITRE ATT&CK framework?

  • a collection of malware exploits and prevention solutions
  • a knowledge base of threat actor behavior
  • guidelines for the collection of digital evidence
  • documented processes and procedures for digital forensic analysis

Explanation: The MITRE framework is a global knowledge base of threat actor behavior. It is based on observation and analysis of real-world exploits with the purpose of describing the behavior of the attacker, not the attack itself. It is designed to enable automated information sharing by defining data structures for the exchange of information between its community of users and MITRE.

7. According to NIST, which step in the digital forensics process involves identifying potential sources of forensic data, its acquisition, handling, and storage?

  • examination
  • analysis
  • reporting
  • collection

Explanation: NIST describes the digital forensics process as involving the following four steps:

  • Collection – the identification of potential sources of forensic data and acquisition, handling, and storage of that data.
  • Examination – assessing and extracting relevant information from the collected data. This may involve decompression or decryption of the data.
  • Analysis – drawing conclusions from the data. Salient features, such as people, places, times, events, and so on should be documented.
  • Reporting – preparing and presenting information that resulted from the analysis. Reporting should be impartial and alternative explanations should be offered if appropriate.

8. When dealing with security threats and using the Cyber Kill Chain model, which two approaches can an organization use to help block potential exploitations of a system? (Choose two.)

  • Collect email and web logs for forensic reconstruction.
  • Audit endpoints to forensically determine origin of exploit.
  • Conduct employee awareness training and email testing.
  • Analyze the infrastructure path used for delivery.
  • Conduct full malware analysis.

Explanation: The most common exploit targets, once a weapon is delivered, are applications, operating system vulnerabilities, and user accounts. Among other measures, conducting employee awareness training and email testing and auditing endpoints to forensically determine the origin of an exploit can help block future exploitations of systems.

9. Which term is used in the Diamond Model of intrusion to describe a tool that a threat actor uses toward a target system?

  • weaponization
  • infrastructure
  • capability
  • adversary

Explanation: The Diamond Model of intrusion contains four parts:

  • Adversary – the parties responsible for the intrusion
  • Capability – a tool or technique that the adversary uses to attack the victim
  • Infrastructure – the network path or paths that the adversaries use to establish and maintain command and control over their capabilities
  • Victim – the target of the attack

10. What is the purpose of the policy element in a computer security incident response capability of an organization, as recommended by NIST?

  • It provides metrics for measuring the incident response capability and effectiveness.
  • It details how incidents should be handled based on the organizational mission and functions.
  • It provides a roadmap for maturing the incident response capability.
  • It defines how the incident response teams will communicate with the rest of the organization and with other organizations.

Explanation: NIST recommends creating policies, plans, and procedures for establishing and maintaining a CSIRC. A purpose of the policy element is to detail how incidents should be handled based on the mission and functions of an organization.

11. According to NIST, which step in the digital forensics process involves extracting relevant information from data?

  • examination
  • analysis
  • reporting
  • collection

Explanation: NIST describes the digital forensics process as involving the following four steps:

  • Collection – the identification of potential sources of forensic data and acquisition, handling, and storage of that data.
  • Examination – assessing and extracting relevant information from the collected data. This may involve decompression or decryption of the data.
  • Analysis – drawing conclusions from the data. Salient features such as people, places, times, events, and so on should be documented.
  • Reporting – preparing and presenting information that resulted from the analysis. Reporting should be impartial and alternative explanations should be offered if appropriate.

12. Which statement describes the Cyber Kill Chain?

  • It is a set of metrics designed to create a way to describe security incidents in a structured and repeatable way.
  • It identifies the steps that adversaries must complete to accomplish their goals.
  • It uses the OSI model to describe cyberattacks at each of the seven layers.
  • It specifies common TCP/IP protocols used to fight against cyberattacks.

Explanation: The Cyber Kill Chain was developed to identify and prevent cyber intrusions by specifying what threat actors must complete to accomplish their goals.

13. After containing an incident that infected user workstations with malware, what are three effective remediation procedures that an organization can take for eradication? (Choose three.)

  • Update and patch the operating system and installed software of all hosts.
  • Rebuild DHCP servers using clean installation media.
  • Rebuild hosts with installation media if no backups are available.
  • Disconnect or disable all wired and wireless network adapters until the remediation is complete.
  • Use clean and recent backups to recover hosts.
  • Change assigned names and passwords for all devices.

Explanation: To recover infected user workstations, use clean and recent backups or rebuild the PCs with installation media if no backups are available or they have been compromised. Also, fully update and patch the operating system and installed software of all hosts. All users are encouraged to change their passwords for the workstation or workstations they use. Rebuilding DHCP servers is needed only if they are affected by the incident.Also not all devices need to change the name and password configuration setting unless they are affected by the incident.

14. After a threat actor completes a port scan of the public web server of an organization and identifies a potential vulnerability, what is the next phase for the threat actor in order to prepare and launch an attack as defined in the Cyber Kill Chain?

  • weaponization
  • reconnaissance
  • exploitation
  • action on objectives

Explanation: The Cyber Kill Chain specifies seven steps (or phases) and sequences that a threat actor must complete to accomplish an attack:

  • Reconnaissance – The threat actor performs research, gathers intelligence, and selects targets.
  • Weaponization – The threat actor uses the information from the reconnaissance phase to develop a weapon against specific targeted systems.
  • Delivery – The weapon is transmitted to the target using a delivery vector.
  • Exploitation – The threat actor uses the weapon delivered to break the vulnerability and gain control of the target.
  • Installation – The threat actor establishes a back door into the system to allow for continued access to the target.
  • Command and Control (CnC) – The threat actor establishes command and control (CnC) with the target system.
  • Action on Objectives – The threat actor is able to take action on the target system, thus achieving the original objective.

15. Which task describes threat attribution?

  • reporting the incident to the proper authorities
  • determining who is responsible for the attack
  • obtaining the most volatile evidence
  • evaluating the server alert data

Explanation: Threat attribution refers to determining the individual, organization, or nation responsible for a successful intrusion or attack incident. The security investigation team correlates all the evidence in order to identify commonalities between tactics, techniques, and procedures (TPPs) for known and unknown threat actors.


guest
0 Comments
Inline Feedbacks
View all comments