Chapter 14 Monitoring and Incident Response

Questions and Answers

What is the first step that must be taken once an event is identified as potentially being part of an incident?

• Recovery
• Containment
• Analysis (correct)
• Eradication

Which of the following is NOT a part of the incident response process?

• Containment
• Enforcement (correct)
• Recovery
• Eradication

What is the role of containment in incident response?

• Identify related events
• Restore services to normal
• Rebuild systems from backups
• Prevent further damage (correct)

Why is complete eradication and verification crucial in incident response?

To ensure an incident is truly over (B)

What is typically conducted after an incident response to improve future responses?

Lessons learned session (D)

Which phase involves bringing systems or services back online?

Recovery (A)

What may containment involve to isolate impacted systems?

Quarantine (D)

What is the primary goal of the eradication phase?

To remove artifacts from an incident (C)

What is a primary function of dashboards in security analysis?

To display high-level visual representations of critical information (C)

What role do sensors play in a Security Information and Event Management (SIEM) system?

They gather and forward data to the SIEM for analysis (C)

Why is it necessary to set thresholds and filter rules in a SIEM?

To limit the volume of alerts generated (A)

Where are sensors typically deployed to gather security data?

In environments with high volumes of unique data generation (B)

What must be ensured when deploying sensors in a network?

They must be secured against attacks and compromises (C)

What is the main challenge organizations face regarding security data generation?

The massive amount of data that is produced (B)

What may sensors do to optimize data before it is ingested by the SIEM?

Perform preprocessing on the data (B)

What important component contributes to the functionality of SIEM dashboards?

Correlation engines and associated rules (D)

What type of monitoring involves analyzing system logs and utilizing central management tools?

System monitoring (D)

Which protocols are commonly used for monitoring infrastructure devices?

SNMP and syslog (A)

What does a security information and event management (SIEM) tool primarily do?

Collect and analyze log data from multiple sources (D)

Why is it important to have devices like SIEM in a monitoring setup?

They consolidate logs from multiple devices and analyze them. (D)

Application monitoring may vary significantly based on what factor?

What the application provides (A)

What might be included in application monitoring?

Application logs and performance monitoring tools (A)

What role does heuristic analysis play in SIEM systems?

It learns patterns to improve threat detection over time. (B)

Which statement is NOT true regarding system monitoring?

It is only applicable in cloud services. (D)

What qualifies as an indicator in the context of incident response?

Any observable behavior performed by an attacker (C)

What type of indicator includes those that have been publicly reported or documented?

Published/documented indicators (B)

What primary purpose do attack frameworks serve in incident response?

To understand adversaries and categorize tactics (A)

What is included in the MITRE ATT&CK knowledgebase?

Descriptions of adversary tactics and techniques (A)

During incident response, how might you apply the ATT&CK framework?

To categorize the tools used in an observed attack (A)

What should an incident responder be ready to do when analyzing an indicator?

Determine what may have happened and if an incident should be declared (A)

Which of the following is NOT a phase in the incident response process?

Integration (A)

What aspect of the ATT&CK framework is essential for threat assessment modeling?

Common descriptions and knowledge of threat behaviors (B)

What is one of the key functions of a SIEM system when it receives data inputs?

It ingests the data and applies analytical techniques. (B)

Which of the following can be considered an input for SIEM devices?

Packet capture from network traffic (D)

What analytical capability might SIEM systems utilize to assess user behavior?

Sentiment analysis through natural language processing (D)

What do SIEM systems use to provide alerts and track incident responses?

Forensic capabilities and workflow ticketing processes (B)

What might correlate with raw packet data in a SIEM system for improved incident analysis?

Firewall logs and IDS/IPS events (D)

Why has the term SIEM become more prevalent than SIM or SEM in the current market?

SIEM represents a broader, more matured focus in security management. (C)

What is the primary visibility tool many security practitioners use when interacting with a SIEM?

SIEM dashboards (B)

What is a common misconception about the capabilities of SIEM systems?

They primarily focus on data storage without analysis. (A)

Study Notes

Incident Response Process

• Pay attention to indicators of compromise (IoCs) during security events.
• Utilize log analysis and security monitoring to enhance incident detection.
• Train staff on incident reporting and awareness to improve response times.

Analysis Phase

• Analyze identified potential incidents by correlating related events and assessing their impact.
• Understanding the target of the incident and its overall consequences is crucial for effective response.

Containment Strategy

• Take immediate action to contain identified incidents and prevent escalation or further damage.
• Isolation methods may include quarantine—restricting affected devices from accessing the network.

Eradication Stage

• Focus on removing all artifacts related to the incident, which may require rebuilding systems from backups.
• Achieve complete eradication to ensure the incident is fully resolved.

Recovery Phase

• Restore normal operations by bringing systems and services back online while ensuring weaknesses are fixed.
• Conduct post-incident analysis to prevent recurrence of the same incident.

Lessons Learned Sessions

• Organize sessions to analyze incidents, fostering organizational improvement and preventing repeat mistakes.

Types of Indicators

• Recognize that any behavior exhibited by an attacker can serve as an IoC.
• Published/documented indicators are shared through threat feeds and information-sharing organizations.

Incident Response Frameworks

• Utilize common terminology and frameworks, like MITRE ATT&CK, to categorize and document attack techniques.
• Familiarize with the entirety of the threat life cycle for better incident handling.

Monitoring Computing Resources

• Understand key monitoring types: systems, applications, and infrastructure.
• Collect logs for system health and performance; application monitoring varies based on specific applications used.

Role of SIEM Systems

• Centralize security monitoring through security information and event management (SIEM) systems.
• SIEM systems collect log data from multiple sources, allowing for correlation and advanced analysis.

SIEM Features

• SIEM tools can alert, report, and respond to potential security incidents and user behavior analysis.
• Capable of performing packet capture for in-depth incident investigation and correlating various log sources.

SIEM Dashboard Utility

• Dashboards provide visual representation of critical security data to help analysts identify abnormalities.
• Configure dashboards to focus on key metrics and trends relevant to organizational security needs.

Sensor Deployment

• Sensors gather additional data for SIEMs and are critical for environments that generate large volumes of unique data.
• Proper placement and security of sensors are essential to protect data acquisition efforts from compromise.

Managing Sensitivity and Alerts

• Adjust sensitivity and thresholds in SIEM systems to control the volume of alerts and minimize noise.
• Implement filtering rules to ensure that critical alerts are prioritized for response.

Description

Test your knowledge on the key components of incident response management. This quiz covers the importance of recognizing compromise indicators, conducting log analysis, and implementing effective monitoring and awareness programs. Additionally, it addresses the critical phases of analysis and containment in incident management.