a n d p o s t - i n c i d e n t r e s p o n s e p r o c e

Question #1 of 13 Question ID: 1192238

✗ A)

✗ B)

✓ C)

✗ D)

Exam 3-5 Summarize the incident recoveryand post-incident response process

Test ID: 140502950

During which stage of the incident recovery process do you ensure that all

security monitoring and logging is occurring correctly?

eradication

incident summary report

validation

containment

Explanation

The verification of proper logging/communication to security monitoring occurs

during the validation stage of the incident recovery process. This verification is

important to ensure that investigators are able to fully investigate an incident

using the logs.

The recovery process has five major parts, which are:

1. Containment

2. Eradication

3. Validation

4. Corrective actions

5. Incident summary reporting

Other than verifying proper logging and communication to security monitoring,

the validation stage includes patching, permissions, and scanning.

Patching - to update or least check for updates for a variety of components.

This includes all patches for the operating system, updates for any

applications that may be running and updates to all antimalware software

that may be installed. This is the correct action to take when you have

reimaged or reinstalled the operating system.

Permissions - to ensure that all permissions are in the state they SHOULD

be. This should be done when the system is NOT reinstalled or reimaged.

Scanning - to use a vulnerability scanner on the devices or the network of

devices that were affected by the incident. This should be done when NOT

reinstalling or reimaging the device.

Objective:Cyber Incident Response

Sub-Objective:Summarize the incident recovery and post-incident response process.

References:

Incident Response: How to Fight Back, https://www.sans.org/reading-

room/whitepapers/incident/incident-response-fight-35342

CompTIA Cybersecurity Analyst (CSA+) Study Guide: Exam CS0-001, Chapter

8: Recovery and Post-Incident Response

https://www.sans.org/reading-room/whitepapers/incident/incident-response-fight-35342

https://www.amazon.com/CompTIA-Cybersecurity-Analyst-Study-Guide/dp/1119348978/ref=as_sl_pc_qf_sp_asin_til?tag=transcender02-20&linkCode=w00&linkId=c2b55d7e980c303c736f861d34bf5dbd&creativeASIN=1119348978


✗ A)

✓ B)

✗ C)

✗ D)

CompTIA Cybersecurity Analyst (CSA+) Cert Guide (Certification Guide),

Chapter 8: The Incident Response Process

GTS Learning’s Cybersecurity Analyst Certification (CS0-001) Study Guide,

Module 4.3: Incident Analysis and Recovery

Which of the following is used to sanitize a SSD?

shredding

special commands

degaussing

zeroing

Explanation

Most solid-state drive vendors provide sanitization commands that can be used

to erase the data on the drive. Security professionals should research these

commands to ensure that they are effective.

Degaussing is not effective on a solid state drive. It only works on magnetic

hard disk drives.

Zeroing is not effective on a solid state drive. An SSD will write new data to a

new location.

https://www.amazon.com/CompTIA-Cybersecurity-Analyst-Guide-Certification/dp/0789756951/ref=as_sl_pc_qf_sp_asin_til?tag=transcender02-20&linkCode=w00&linkId=dcf064a8d9ed177a19e9153f08d36d9e&creativeASIN=0789756951


Shredding will render the device unusable. Sanitizing it with commands will not

render it unusable.



References:

Guidelines for Media Sanitization,

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf







In which stage of the incident recovery process does the cybersecurity analyst

perform scanning?

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf



✗ A)

✗ B)

✗ C)

✓ D)

Corrective actions

Containment

Eradication

Validation

Explanation

Scanning is performed during the validation stage. At this time, the device is

checked to ensure that techniques applied during the eradication stage were

successful at removing the threat. Other activities conducted during this stage

are:

Patching is to update or least check for updates for a variety of

components. This includes all patches for the operating system, updates

for any applications that may be running and updates to all antimalware

software that may be installed. This is the correct action to take when you

have reimaged or reinstalled the operating system.

Permissions means to ensure that all permissions are in the state they

SHOULD be. This should be done when the system is NOT reinstalled or

reimaged.

Scanning means to use a vulnerability scanner on the devices or the

network of devices that were affected by the incident. This should be done

when NOT reinstalling or reimaging the device.

Verify logging/communication to security monitoring means to ensure that

all logs related to security are collecting data. This should be done

regardless of whether you are reinstalling.

Scanning does not occur during the containment stage. The containment stage

includes segmentation, removal, isolation, and reverse engineering.

Segmentation involves limiting the scope of the incident by leveraging

existing segments of the network as barriers to prevent the spread of the

incident to other segments.

Removal involves shutting down the device or devices. In some cases, this

is not advisable until digital forensics have been completed.

Isolation is implemented in one of two ways: by blocking all traffic to and

from the device or devices, or by shutting down the device or devices'

interfaces.

Reverse engineering in incident recovery refers to retracing the steps in the

incident as seen from the logs in the affected devices or in logs of

infrastructure devices that may have been involved. With respect to

malware, reverse engineering refers to extracting the code from the binary

executable to identify how it was programmed and what it does. Reverse

engineering is the correct action to take when you are trying to locate the

source of the attack or when malware needs to be analyzed.

Scanning does not occur during the corrective actions stage. The corrective

actions stage includes change control processes, lessons learned reports, and

updates to the incident response plan:

For the change control process operation, all corrective actions (regardless

of how necessary) should go through the standard change control process.

This should be done whenever changes in processes are indicated by the

lessons learned report.

The lessons learned report will briefly list and discuss what is now known

about either about the attack or about the environment in which the attack

occurred, but which was not known prior to the attack. This should be

created after every incident.

The incident response plan should be updated to reflect any needed

changes in procedure as indicated by the lessons learned report. This

should be done whenever changes are called for by the lessons learned

report.

Scanning does not occur during the eradication stage. The eradication stage

includes sanitization, reconstruction/re-imaging, and secure disposal:

Sanitization removes all traces of the threat by overwriting the drive

multiple times to ensure the threat is removed. This is the correct action for

hard disk drives when you must ensure that all traces of the compromise

are gone or when the validation stage indicates remaining issues.

Reconstruction/re-imaging means reinstalling the operating system,

applying all system updates, reinstalling the anti-malware software, and

implementing any organization security settings. It may also mean

reimaging the device. This is the correct action to take when all traces must

be gone and you need to reuse the device.

Secure disposal is to dispose of the compromised device (or its storage

drive) rather than attempting to sanitize and re-use the device. This is the

correct action to take when there are np plans to reuse the device.



✓ A)

✗ B)

✗ C)

✗ D)


References:









Which of the following operations is NOT a part of the validation stage of

incident recovery?

lessons learned report

patching

scanning

permissions




Explanation

The lesson learned report is generated during the corrective actions stage of

incident recovery, not the validation stage. The recovery process has five major

parts, which are:

1. Containment

2. Eradication

3. Validation



The operations performed during the corrective actions stage are change

control processes, lessons learned reports, and updates to the incident

response plan.

For the change control process operation, all corrective actions (regardless of

how necessary) should go through the standard change control process. This

should be done whenever changes in processes are indicated by the lessons

learned report.

The lessons learned report will briefly list and discuss what is now known about

either about the attack or about the environment in which the attack occurred,

but which was not known prior to the attack. This should be created after every

incident.

You should update the incident response plan to reflect any needed changes in

procedure as indicated by the lessons learned report. The incident response

plan contains the steps to be followed during an incident. The lessons learned

exercise may also uncover flaws in your IR plan. If this is the case, it should be

appropriately updated to reflect the needed changes in your procedures.

The operations included in the validation stage include patching, permissions,

scanning, and verifying logging and security monitoring.

Patching means to update or least check for updates for a variety of

components. This includes all patches for the operating system, updates for

any applications that may be running, and updates to all anti-malware software


reimaged or reinstalled the operating system during the eradication stage.

Permissions means to review all permissions to ensure that all are in the state

they SHOULD be. This should be done when the system is NOT reinstalled or

reimaged.

Scanning of the devices or the network of devices that were affected with a

vulnerability scanner should be performed when NOT reinstalling or reimaging

the device.

Verify logging/communication to security monitoring means to check and

ensure that all logs related to security are collecting data. This should be done

during the validation stage, regardless of whether you are reinstalling or not.




✗ A)

✗ B)

✗ C)

✓ D)

References:









Which of the following techniques involves limiting the scope of the incident at

either Layer 2 or Layer 3?

isolation

sanitization

scanning

segmentation

Explanation




The segmentation process involves limiting the scope of the incident by

leveraging existing segments of the network as barriers to prevent the spread

to other segments. These segments could be defined at either Layer 3 or Layer

2. Segmentation is one of the four techniques used during the containment step

of incident response, along with removal, isolation, and reverse engineering.

Isolation typically is implemented by either blocking all traffic to and from the

device or devices or by shutting down the device's interfaces. This approach

works well for a single compromised system, but becomes cumbersome when

multiple devices are involved.

The three techniques using during the eradication stage are sanitization,

reconstruction/re-imaging, and secure disposal. Sanitizing refers removing all

traces of the threat by overwriting the drive multiple times to ensure the threat

is removed. This works well for hard drive, but solid state drives present a

challenge in that they cannot be overwritten.

The operations included in the validation stage include patching, permissions,

scanning, and verifying logging and security monitoring. Scanning is the

process of checking the affected devices for malware with a vulnerability

scanner. Make sure that you have updated the scanner before you begin so it

can recognize the latest vulnerabilities and threats.




✓ A)

✗ B)

✗ C)

✗ D)

References:

Improving Security via Proper Network Segmentation,

http://www.securityweek.com/improving-security-proper-network-segmentation







During which stage of the incident recovery process are areas that need

improvement identified?

Incident summary report

Corrective actions

Validation

Eradication

Explanation

http://www.securityweek.com/improving-security-proper-network-segmentation



The incident summary report is where areas that need improvement are

identified. Other details from this report should include:

When was the problem first detected and by whom?

What was the scope of the incident?

How it was contained and eradicated?

What work was performed during recovery?

In which areas were the CIRT teams effective?

In which areas did the CIRT teams need improvement?


1. Containment

2. Eradication

3. Validation





References:





✓ A)

✗ B)

✗ C)

✗ D)







During the containment stage of incident recovery, which operation do you

implement either by blocking all traffic to and from the device or devices or by

shutting down the devices' interfaces?

isolation

removal

segmentation

reverse engineering

Explanation

Isolation typically is implemented in one of two ways: by blocking all traffic to

and from the device or devices, or by shutting down the devices' interfaces.

This approach works well for a single compromised system, but becomes

cumbersome when multiple devices are involved.



Another option is to shut down the device or devices instead of just shutting

down the interfaces. This technique is called removal. In some cases, it is not

advisable to remove a device until digital forensics have been completed.

Reverse engineering can refer to retracing the steps in the incident as seen

from the logs in the affected devices, or as seen in the logs of infrastructure

devices that may have been involved in transferring information. This can help

to understand the sequence of events.




2.



References:

Isolation Based Security Provides Prevention and Enhances Incident

Response, http://www.securityweek.com/isolation-based-security-provides-

prevention-and-enhances-incident-response



http://www.securityweek.com/isolation-based-security-provides-prevention-and-enhances-incident-response



✗ A)

✗ B)

✓ C)

✗ D)





During the containment stage of incident recovery, which operation is

implemented by shutting the device down?

isolation

segmentation

removal

reverse engineering

Explanation

One option to accomplish containment is to shut down the device or devices

instead of just shutting down the interfaces. This technique is called removal. In

some cases, it is not advisable to remove a device until digital forensics has

been completed.

Isolation typically is implemented by either blocking all traffic to and from the

device or devices or by shutting down the devices interfaces. This approach


works well for a single compromised system, but becomes cumbersome when

multiple devices are involved.

Reverse engineering can refer to retracing the steps in the incident as seen

from the logs in the affected devices, or as seen in the logs of infrastructure

devices that may have been involved in transferring information. This can help

to understand the sequence of events.




2.



References:

Incident Handler's Handbook, https://www.sans.org/reading-

room/whitepapers/incident/incident-handlers-handbook-33901





https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901




✗ A)

✗ B)

✗ C)

✓ D)



During which of the following stages of incident recovery would you perform

reconstruction or re-imaging?

Containment

Corrective actions

Validation

Eradication

Explanation

Sanitization of affected devices, including reconstruction or re-imaging, occurs

during the eradication stage of incident recovery.


1. Containment

2. Eradication

3. Validation



The eradication stage includes three techniques: sanitization, reconstruction or

reimaging, and secure disposal.

Sanitization removes all traces of the threat by overwriting the drive multiple

times to ensure all data is destroyed. This is the correct action for hard disk

drives when you must ensure that all traces of the compromise are gone or

when the validation stage indicates that there are issues remaining after prior

attempts at eradication.

Reconstruction/re-imaging means reinstalling the operating system, applying all

system updates, reinstalling the anti-malware software, and implementing any

organizational security settings. Alternatively, it can mean reimaging the device

from a saved image that is already configured with the correct software and

settings. This is the correct action to take when all traces of the infection are

gone and you need to reuse the device.

Secure disposal means to dispose of the compromised device (or its storage

drive) rather than attempt to sanitize and re-use the device. This is the correct

action to take when there are no plans to reuse the device.



References:


✗ A)

✓ B)

✗ C)

✗ D)









During which stage of incident recovery is the change control process invoked?

validation

corrective actions

eradication


Explanation

During the corrective actions stage, all corrective actions must go through the

change control process to ensure alignment with other security goals and

policies. The change control process ensures that changes are implemented in

a controlled manner.





1. Containment

2. Eradication

3. Validation





response plan.




learned report.




incident.


procedure as indicated by the lessons learned report. This should be done

whenever changes are called for by the lessons learned report.



✗ A)

✗ B)

✗ C)

✓ D)


References:









Which of the following is used to drive improvement in the security posture of

the organization?

incident response plan


change control process

lessons learned document




Explanation

: The lessons learned documents will briefly list and discuss what we now know

either about the attack or about our environment of which we were formerly

unware.

The incident summary report covers the major points of the incident. Some of

the highlights that should be included are:

When was the problem first detected and by whom?

What was the scope of the incident?

How it was contained and eradicated?

What work was performed during recovery?

In which areas were the CIRT teams effective?

In which areas did the CIRT teams need improvement?

The incident response plan contains the steps to be followed during an

incident. The lessons learned exercise may also uncover flaws in your IR plan.

If this is the case, it should be appropriately updated to reflect the needed

changes in your procedures.

The change control process is used to manage change and ensure

consistency. The lessons learned report may generate a number of changes

that should be made to the network infrastructure. All of these changes

regardless of how necessary should go through the standard change control

process.



✗ A)

✓ B)

✗ C)

✗ D)


References:

Incident Handler's Handbook, https://www.sans.org/reading-

room/whitepapers/incident/incident-handlers-handbook-33901







Which of the following is NOT a containment strategy in the incident recovery

process?

segmentation

sanitization

removal

reverse engineering

https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901



Explanation

Sanitization is not a containment strategy in incident recovery. It is an

eradication technique. The three eradication techniques are sanitization,

reconstruction/re-imaging, and secure disposal.


1. Containment

2. Eradication

3. Validation



The four techniques used during the containment step are segmentation,

removal, isolation, and reverse engineering.

Segmentation involves limiting the scope of the incident by leveraging existing

segments of the network as barriers to prevent the spread of the incident to

other segments.

Removal involves shutting down the device or devices. In some cases, this is

not advisable until digital forensics have been completed.

Isolation is implemented in one of two ways: by blocking all traffic to and from

the device or devices, or by shutting down the device or devices' interfaces.

Reverse engineering in incident recovery refers to retracing the steps in the

incident as seen from the logs in the affected devices or in logs of infrastructure

devices that may have been involved. With respect to malware, reverse

engineering refers to extracting the code from the binary executable to identify


how it was programmed and what it does. Reverse engineering is the correct

action to take when you are trying to locate the source of the attack or when

malware needs to be analyzed.



References:









Which of the following is NOT an operation undertaken during the validation

stage of incident recovery?




✗ A)

✗ B)

✓ C)

✗ D)

patching

permissions

lessons learned report

verify logging/communication to security monitoring

Explanation

Creating a lessons learned report occurs during the corrective actions stage of

incident recovery, not the validation stage. The operations included in the

validation stage include patching, permissions, scanning, and verifying logging

and security monitoring.

Patching means to update or least check for updates for a variety of

components. This includes all patches for the operating system, updates for

any applications that may be running, and updates to all anti-malware software


reimaged or reinstalled the operating system during the eradication stage.

Permissions means to review all permissions to ensure that all are in the state

they SHOULD be. This should be done when the system is NOT reinstalled or

reimaged.

Scanning of the devices or the network of devices that were affected with a

vulnerability scanner should be performed when NOT reinstalling or reimaging

the device.

Verify logging/communication to security monitoring means to check and

ensure that all logs related to security are collecting data. This should be done

during the validation stage, regardless of whether you are reinstalling or not.



response plan.




learned report.




incident.


procedure as indicated by the lessons learned report. The incident response

plan contains the steps to be followed during an incident. The lessons learned

exercise may also uncover flaws in your IR plan. If this is the case, it should be

appropriately updated to reflect the needed changes in your procedures.


1. Containment

2. Eradication

3. Validation





References:












a n d p o s t - i n c i d e n t r e s p o n s e p r o c e

Documents