Cybersecurity Incident Report Preparation

Questions and Answers

Which of the following is the best way to begin preparation for a report titled 'What We Learned' regarding a recent incident involving a cybersecurity breach?

Decide on the color scheme that will effectively communicate the metrics

Determine the sophistication of the audience that the report is meant for (correct)

Include references and sources of information on the first page

Include a table of contents outlining the entire report

Which action would allow a security analyst to gather intelligence without disclosing information to the attackers?

Upload the binary to an air-gapped sandbox for analysis (correct)

Query the file hashes using VirusTotal

Send the binaries to the antivirus vendor

Execute the binaries on an environment with internet connectivity

Which of the following would help to minimize human engagement and aid in process improvement in security operations?

QVVASP

SIEM

OSSTMM

SOAR (correct)

Which risk management principle did the CISO select when refusing a software request due to a high risk score?

Avoid

Which important aspect should be included in the lessons-learned step after an incident?

Identify any improvements or changes in the incident response plan or procedures

What is the best way for the security operations team to consolidate several threat intelligence feeds?

Single pane of glass

Which tool would a security analyst most likely use to compare TTPs between different known adversaries?

MITRE ATT&CK

What step of the process does an analyst describe when actively removing a vulnerability from the system?

Eradication

What action should the incident response team recommend regarding Joe's situation?

Perform no action until HR or legal counsel advises on next steps

What is the best priority for the IT security team in a zero-trust approach?

Reduce the administrator and privileged access accounts

What action should the analyst take first to determine what happened during a security incident?

Clone the virtual server for forensic analysis

What is the most likely explanation for regular outgoing HTTPS connections from a data center server after hours?

C2 beaconing activity

What should the SOC manager recommend to ensure new employees are accountable for following the company policy?

All new employees must sign a user agreement to acknowledge the company security policy

What would be the best threat intelligence source to learn about a new ransomware campaign?

Information sharing organization

What is the most likely reason to include lessons learned in an after-action report?

To identify areas of improvement in the incident response process

Which vulnerabilities should the vulnerability management team patch first based on priority scoring?

TSpirit: Cobain: Yes, Grohl: Yes, Novo: Yes, Smear: No, Channing: No

Which of the following has occurred when a user downloads software containing malware?

Insider threat

What should the CSIRT conduct next after isolating a compromised virtual server?

Take a snapshot of the compromised server and verify its integrity

Which data should be collected first in a computer system during evidence acquisition based on its volatility?

Running processes

Which shell script function could help identify possible network addresses from different source networks belonging to the same company?

function z() { c=$(geoiplookup $1) && echo "$1 | $c" }

Which shell script function would help identify IP addresses from the same country?

function x() { info=$(geoiplookup $1) && echo "$1 | $info" }

What should be completed first to remediate findings from a vulnerability assessment on a web server?

Perform proper sanitization on all fields

What is the most likely vulnerability in the system where the debugger command contains hard-coded credentials?

Hard-coded credential

What should the company do with a proxy that has a CVE score of 9.8 and is not in use?

Decommission the proxy

Which log entry provides evidence of an attempted exploit of a zero-day command injection vulnerability?

Log entry 3

What is the most important factor to ensure accurate incident response reporting?

A well-defined timeline of the events

What is the best mitigation technique against unusual network scanning activity from an unassociated country?

Geoblock the offending source country

What is the best step to preserve evidence for an employee suspected of misusing a company laptop?

Make a forensic image of the device and create a SRA-I hash

Which vulnerabilities should a security analyst prioritize for remediation based on the provided tables?

brees

What type of vulnerability is being validated by the security analyst using the provided snippet?

XXE

What action should be performed immediately after a web server was affected by ransomware?

Quarantine the server

What would be missing from a scan performed with this configuration?

Registry key values

What method should be used to resolve issues with incomplete vulnerability reports?

Credentialed scan

What best describes consistent requests from an internal host to a blocklisted external server?

Data exfiltration

What best describes the output from a network mapping tool for a PCI audit?

The host is allowing insecure cipher suites

Which of the following CVE metrics would be most accurate for this zero-day threat?

CVSS: 31/AV: N/AC: L/PR: N/UI: N/S: U/C: H/I: H/A: L

Which of the following tools would work best to prevent the exposure of PII outside of an organization?

DLP

An organization conducted a web application vulnerability assessment against the corporate website, and the following output was observed: Which of the following tuning recommendations should the security analyst share?

Set an HttpOnly flag to force communication by HTTPS

Which of the following items should be included in a vulnerability scan report? (Choose two.)

Affected hosts

Which of the following would best protect this organization given exploitation of new attacks was happening approximately 45 days after a patch was released?

A mean time to remediate of 30 days

A security analyst recently joined the team and is trying to determine which scripting language is being used in a production script to determine if it is malicious. Given the following script: Given the following script, which of the following scripting languages was used?

PowerShell

Which of the following most likely describes the observed activity concerning user accounts being compromised?

An on-path attack is being performed by someone with internal access that forces users into port 80

Which of the following items should be included in a vulnerability scan report? (Choose two.)

Affected hosts

Which of the following will most likely ensure that mission-critical services are available in the event of an incident?

Business continuity plan

Which of the following solutions will assist in reducing the risk of shadow IT in the enterprise?

Deploy a CASB and enable policy enforcement

Which of the following logs should the incident response team review first when investigating a DDoS attack?

DNS

Which of the following best describes the current stage of the Cyber Kill Chain in which a malicious actor does not want to lose access?

Exploitation

Which of the following steps of an attack framework is the analyst witnessing when an IP address runs scans across external assets?

Reconnaissance

Which of the following best describes what is happening when the company receives targeted emails containing concealed URLs?

Obfuscated links

Which of the following recommendations would best mitigate the problem of finding the same vulnerabilities in a critical application?

Use application security scanning as part of the pipeline for the CI/CD flow

Which of the following inhibitors to remediation do critical systems that cannot be upgraded represent?

Legacy systems

Which of the following most accurately describes the result of an Nmap scan for XSS?

The vulnerable parameter and characters '>' and '"' with a reflected XSS attempt

Which of the following is the best action to take after the conclusion of a security incident to improve incident response in the future?

Schedule a review with all teams to discuss what occurred

Which of the following is the best technique to perform analysis on a malicious binary file?

Reverse engineering

Which of the following pieces of data should be collected first to preserve sensitive information before isolating a server?

Hard disk

Which of the following security operations tasks are ideal for automation?

Firewall IoC block actions: Examine the firewall logs for IoCs from the most recently published zero-day exploit. Take mitigating actions in the firewall to block the behavior found in the logs. Follow up on any false positives that were caused by the block rules

Under the terms of PCI DSS, which of the following groups should the organization report a breach of customer transactions to?

PCI Security Standards Council

Which of the following is the best metric for an organization to focus on given recent investments in SIEM, SOAR, and a ticketing system?

Mean time to detect

Which of the following implications should be considered on the new hybrid IaaS cloud environment for a vulnerability management program?

Cloud-specific misconfigurations may not be detected by the current scanners

Which of the following is the best way to ensure that a security investigation complies with HR or privacy policies?

Ensure that the case details do not reflect any user-identifiable information. Password protect the evidence and restrict access to personnel related to the investigation

Which of the following must be done first when establishing a disaster recovery plan?

Agree on the goals and objectives of the plan

Which of the following should be the next step in the remediation process after identifying a vulnerability and applying a software patch?

Validation

Which of the following has occurred according to the endpoint log entry reviewed?

New account introduced

Which of the following best describes what the security program achieved by integrating security controls into a SIEM?

Single pane of glass

Given the Nmap scan output, which of the following choices should the analyst look at first?

wh4dc-748gy.lan (192.168.86.152)

Which of the following must be done first when starting an investigation?

Secure the scene

Which of the following describes how a CSIRT lead determines who should be communicated with during a security incident?

The lead should review what is documented in the incident response policy or plan

Which of the following will produce the data needed for an executive briefing on possible threats to the organization?

Risk assessment

Which of the following describes what the analyst has noticed concerning HTTPS traffic to a known-malicious IP?

Beaconing

Which of the following can the analyst perform to see the entire contents of the downloaded files in a Wireshark FTP session?

Change the display filter to ftp-data and follow the TCP streams

Which of the following documents should the SOC manager review to ensure the team meets contractual obligations?

SLA

Which of the following phases of the Cyber Kill Chain involves the adversary attempting to establish communication with a successfully exploited target?

Command and control

Which of the following vulnerability scanning methods would best meet the requirement of reduced network traffic for a geographically diverse workforce?

Agent-based

Which of the following describes the command detected in an exploit attempt?

Reverse shell

Which of the following factors would an analyst most likely communicate as the reason for the escalation of a CVE score from 7.1 to 9.8?

Weaponization

Which of the following systems should be prioritized for patching first according to a vulnerability report?

54.74.110.228

Which of the following scanning methods can be implemented to reduce access to systems while providing accurate vulnerability scan results?

Passive scanning

Which of the following functions can the analyst use on a shell script to identify anomalies on the network routing?

function x() { info= $(traceroute -m 40 $1 | awk 'END{print $1}') && echo " $1 | $info" }

Which of the following security controls would best support the company in improving its posture against sensitive information disclosure via file sharing services?

Data Loss Prevention (DLP)

A security analyst is tasked with prioritizing vulnerabilities for remediation. The relevant company security policies are shown below: Security Policy 1006: Vulnerability Management

1. The Company shall use the CVSSv3.1 Base Score Metrics (Exploitability and Impact) to prioritize the remediation of security vulnerabilities.
2. In situations where a choice must be made between confidentiality and availability, the Company shall prioritize confidentiality of data over availability of systems and data.
3. The Company shall prioritize patching of publicly available systems and services over patching of internally available system. According to the security policy, which of the following vulnerabilities should be the highest priority to patch?

C

The Chief Information Security Officer wants to eliminate and reduce shadow IT in the enterprise. Several high-risk cloud applications are used that increase the risk to the organization. Which of the following solutions will assist in reducing the risk?

Deploy an API gateway

Study Notes

Vulnerability Management & Security Metrics

• Recent zero-day vulnerabilities are exploited without user interaction and have high confidentiality and integrity impact, suggesting immediate patching is necessary.
• CVE metrics for zero-day threats involve assessing Exploitability, Access Complexity, and the need for user interaction.
• Vulnerability scan reports should include affected hosts and risk scores to prioritize remediation efforts.

Tools & Strategies to Protect Sensitive Data

• Data Loss Prevention (DLP) tools effectively prevent exposure of Personally Identifiable Information (PII) outside an organization.
• Implementing a CASB (Cloud Access Security Broker) helps reduce shadow IT and manage risks associated with unauthorized cloud applications.

Incident Response & Investigation

• Identify the security incident’s cause through logs like CDN, DNS, or web server entries in case of a DDoS attack.
• The Cyber Kill Chain’s stages, such as exploitation and command and control, help understand the attacker's strategy in infiltration scenarios.
• Critical actions post-incident include reviewing processes and capturing data such as the primary boot partition for evidence preservation.

Security Policies & Compliance

• Organizations must report breaches under PCI DSS to the PCI Security Standards Council and relevant law enforcement bodies.
• Security operations should be underpinned by service-level agreements (SLAs) to ensure timely response and contractual obligations are met.

Vulnerability Scanning Techniques

• Agent-based scanning is preferred in hybrid environments to reduce network traffic and improve scanning efficiency.
• Credentialed scanning offers more accurate results while accessing sensitive systems with minimal exposure.

Risk Management & Decision Making

• Risk management principles include avoiding high-risk software deployments where necessary.
• The decision-making process during security incidents often refers to established policies for effective communication and actions required.

Human Engagement & Process Improvement

• Security tools like SOAR (Security Orchestration, Automation, and Response) minimize manual engagement, enabling quicker and more efficient responses.
• Continuous training and awareness for employees improve the organization’s security posture against data leaks.

Analyzing Malicious Activity

• Reverse shell attempts and other exploit mechanisms require meticulous analysis of endpoint logs to detect potential breaches.
• Use proper scanning and analysis techniques to understand traffic anomalies, enhance security posture, and identify vulnerabilities early.

Lessons Learned from Incidents

• Post-incident reviews are crucial for improving defenses, involving multi-team discussions to analyze what transpired and how processes can be enhanced.
• Relevant documentation of the incident can serve as valuable training material moving forward to prevent similar occurrences.### Incident Response and Security Measures
• Incident response plans must be updated after incidents, analyzing if internal mistakes occurred and who was responsible.
• Legal evidence gathered during incidents should be presented to law enforcement to assist investigations.
• Financial evaluations of incidents help determine the effectiveness of security controls in place.

Threat Intelligence and Analysis

• Consolidating threat intelligence feeds can be achieved using a "single pane of glass," which provides a unified view.
• Security analysts often use frameworks like MITRE ATT&CK to compare tactics, techniques, and procedures (TTPs) of known adversaries.
• Understanding potential risks from new threats requires consulting specialized threat intelligence sources, particularly for critical infrastructure, such as aerospace manufacturing.

Incident Management and Remediation

• The process of isolating and removing vulnerabilities is identified as "eradication."
• Best practices for employee incidents include consulting HR or legal before taking action against employees suspected of wrongdoing.
• A zero-trust approach emphasizes reducing privileged accounts to minimize attack surfaces.

Forensic Analysis and Evidence Collection

• In incident response, evidence collection must prioritize volatile data, starting with running processes before stabilizing disk contents.
• For compromised systems, taking snapshots for forensic purposes should be conducted post-isolation from the network.

Vulnerability Management

• High CVE scores (e.g., 9.8) signal urgent vulnerabilities needing immediate action; often best to decommission unused systems to prevent risk.
• Credentialed scans improve the comprehensiveness of vulnerability assessments, capturing what external scans miss.

Security Best Practices

• Employees should formally acknowledge security policies to prevent policy violations, such as using unauthorized devices.
• Geoblocking or blocking specific IP addresses is an effective mitigation for suspicious scanning activities emanating from regions without business relations.
• During a ransomware attack, quick actions include quarantining the affected server to limit the spread of the malware.

Analyzing Security Incidents

• SIEM logs revealing consistent internal requests to a blocklisted server can indicate data exfiltration or rogue device activity.
• Vulnerability scanning that is improperly configured may miss important aspects, such as operating system versions or open ports.

Miscellaneous

• Logs indicating potential vulnerabilities like command injection should be thoroughly analyzed to gauge susceptibility.
• In cases of employee misconduct, a forensic image of devices is critical for preserving evidence during investigations.

Technical Considerations

• Script functions can aid analysts in identifying IP addresses and network behaviors, enhancing threat response and network monitoring.
• Analysts must prioritize vulnerabilities based on potential exploitation, directing remediation efforts where they are most critical.

This expansive view covers essential themes regarding incident response, threat analysis, vulnerability management, and general security practices.

Description

This quiz focuses on effective strategies for preparing a report on cybersecurity incidents, emphasizing the importance of audience sophistication and initial preparations. Participants will explore various methods to enhance preparation and understanding of cybersecurity best practices.