COURSE 5 – PENETRATION TESTING, INCIDENT RESPONSE AND FORENSICS
Module 2: Incident Response
IBM CYBERSECURITY ANALYST PROFESSIONAL CERTIFICATE
Complete Coursera Study Guide
INTRODUCTION – Incident Response
Throughout this module, you’ll delve into the distinct phases involved in incident response, explore the significance of documentation in relation to incidents, and examine the essential components comprising an incident response policy.
Learning Objectives
- Modify QRadar’s network hierarchy settings
- Generate a QRadar report
- Investigate QRadar offenses using QRadar SIEM
- Summarize how to manage a QRadar SIEM incident response queue
- Describe three modern cybersecurity tools: QRadar, McAfee ePolicy Orchestrator (ePO), and next-generation firewalls
- List common cybersecurity threats
- Describe “lessons learned” meetings and other activities that may be appropriate for post-incident analysis
- Recall questions from the Sysadmin, Audit, Network, and Security (SANS) Institute’s checklist for incident response
- Describe the goals of the eradication and recovery phases of incident response
- Explain why forensics is an essential part of incident containment
- Summarize considerations for selecting an incident containment strategy
- List parties that may require notification of a detected incident
- Discuss standard topics and impact categories to include in incident analysis documentation
- Describe the types of monitoring systems used for incident detection
- Distinguish between precursors and indicators and list their common sources
- Summarize recommended practices for securing networks, systems, and applications
- Describe the three types of resources needed for effective incident response
- Recall essential components of an incident response policy
- List common attack vectors for cybersecurity incidents
- Discuss the departments within an organization with which the incident response team should establish a working relationship
- Contrast the three models for incident response teams
- Explain what incident response is and why it’s important
- Distinguish events from incidents in the context of cybersecurity
INCIDENT RESPONSE KNOWLEDGE CHECK
1. Which three (3) of the following are phases of an incident response?
- Containment, Eradication & Recovery (CORRECT)
- Post Incident Analysis & Lessons Learned
- Preparation (CORRECT)
- Detection & Analysis (CORRECT)
Partially correct!
2. Which statement is true about an event?
- An incident is defined as an event that takes place at a specific time and place.
- An incident can lead to an event if it is determined to be a threat.
- Multiple events of the same type are necessary before they can be considered an incident.
- An event may be totally benign, like receiving an email. (CORRECT)
3. True or False: A robust automated incident response system should be able to detect and prevent loss from all incidents.
- True
- False (CORRECT)
4. Which three (3) are common Incident Response Team models?
- Distributed (CORRECT)
- Coordinating (CORRECT)
- Central (CORRECT)
- Control
Partially correct!
5. A good automated Incident Response system should be able to detect which three (3) of these common attack vectors?
- An unauthorized removable drive being attached to the network. (CORRECT)
- A brute force hacking attack. (CORRECT)
- A former employee using his knowledge at a competitor company.
- An email phishing attack. (CORRECT)
Partially correct!
6. Which three (3) of the following are components of an Incident Response Policy?
- IR Policy testing responsibility. (CORRECT)
- IR Awareness training.
- Means, tools and resources available. (CORRECT)
- Identity of IR team members. (CORRECT)
Partially correct!
7. Contact information, Smart phones, and Secure storage facilities all belong to which Incident Response resource category?
- Incident Handler Communications and Facilities. (CORRECT)
- Incident Analysis Resources.
- Incident Post-Analysis Resources.
- Incident Analysis Hardware and Software.
8. Which three (3) of the following would be considered an incident detection precursor?
- Detecting the use of a vulnerability scanner (CORRECT)
- An announced threat against your organization from an activist group. (CORRECT)
- An application log showing numerous failed login attempts from an unknown remote system.
- A vendor notice of a vulnerability to a product you own. (CORRECT)
Partially correct!
9. Which type of monitoring system detects anomalous network traffic but typically does not take action beyond sending an alert to an administrator?
- IPS
- IDS (CORRECT)
- DLP
- SIEM
10. True or False: The Incident Response team should keep their documentation as concise as possible so only the most important facts take up the attention of the team leadership.
- True
- False (CORRECT)
11. What is the proper classification for a data breach that resulted in the exposure of sensitive personally identifiable information (PII)?
- None
- Privacy Breach (CORRECT)
- Proprietary Breach
- Integrity Loss
12. What is the proper classification for the recovery effort from a breach if you can estimate the total effort required but it will require bringing in additional resources?
- Regular
- Extended
- Supplemented (CORRECT)
- Not Recoverable
13. During which stage of a comprehensive Containment, Eradication & Recovery strategy does NIST recommend considering the following: Potential damange to and theft of resources, Need for evidence preservation, and Service availability?
- Containment (CORRECT)
- Eradication
- Recovery
- None of these
14. Which Post Incident activity would include ascertaining exactly what happened and at what times?
- Utilizing collected data
- Evidence retension
- Lessons learned meeting (CORRECT)
- Documentation review & update
INCIDENT RESPONSE GRADED QUIZ
1. Select the missing phase of Incident Response: Preparation, _____, Containment, Eradication & Recovery, Post Incident Activity.
- Detection and Analysis (CORRECT)
- Execution
- Root Cause Analysis
- Acquire Data
2. Which statement is true about an incident?
- An incident is an event that negatively affects IT systems. (CORRECT)
- An incident is any collection of 3 or more related events.
- Incidents involved external actors while events involved internal actors.
- An incident becomes an event if a threat is identified.
3. True or False: A Coordinating Incidents Response Team provides advice and guidance to the Distributed IR teams in each department, but generally does not have specific authority over those teams.
- True (CORRECT)
- False
4. Which Incident Response Team model describes a team that has authority over all aspects of IR within the entire organization?
- Distributed
- Coordinating
- Central (CORRECT)
- Control
5. In what way will having a set of predefined baseline questions will help you in the event of an incident?
- Trap the bad actors.
- Interrogate suspects.
- Coordinate with other teams and the media. (CORRECT)
- Avoid events turning into Incidents.
6. Incident Response team resources can be divided into which three (3) of the following categories?
- Incident Analysis Resources (CORRECT)
- Incident Handler Communications and Facilities (CORRECT)
- Incident Post-Analysis Resources
- Incident Analysis Hardware and Software (CORRECT)
Partially correct!
7. Port lists, Documentation, and Cryptographic hashes all belong to which Incident Response resource category?
- Incident Post-Analysis Resources
- Incident Analysis Resources (CORRECT)
- Incident Analysis Hardware and Software
- Incident Handler Communications and Facilities
8. Which three (3) of the following would be considered an incident detection indicator?
- Detecting the use of a vulnerability scanner.
- An application log showing numerous failed login attempts from an unknown remote system. (CORRECT)
- A significant deviation from typical network traffic flow patterns. (CORRECT)
- The discovery of a file containing unusual characters by a system administrator. (CORRECT)
Partially correct!
9. Which type of monitoring system analyzes logs and events in real time?
- IPS
- IDS
- DLP
- SIEM (CORRECT)
10. True or False: Highly detailed and thorough documentation is needed to support the analysis of current and future incidents.
- True (CORRECT)
- False
11. What is the proper classification for a breach that results in sensitive or proprietary information being changed or deleted.
- Proprietary Breach
- Privacy Breach
- Integrity Loss (CORRECT)
- None
12. What is the proper classification for the recovery effort from a breach if sensitive data was stolen and posted on a public web site?
- Not Recoverable (CORRECT)
- Supplemented
- Regular
- Extended
13. During which stage of a comprehensive Containment, Eradication & Recovery strategy does NIST recommend considering the following: Eliminate components of the incident, Disable compromised accounts, and Identify and mitigate vulnerabilities?
- Containment
- Eradication (CORRECT)
- Recovery
- None of these.
14. Which Post Incident activity would include reviewing response times, which systems were impacted and other metrics associated with the incident?
- Lessons learned meeting
- Evidence retention
- Documentation review & update
- Utilizing collected data (CORRECT)
CONCLUSION – Incident Response
In conclusion, this module has equipped you with a comprehensive understanding of incident response, covering its phases, the crucial role of documentation, and the key components of an effective incident response policy.
With this knowledge, you are better prepared to respond efficiently and effectively to security incidents within your organization.
Subscribe to our site
Get new content delivered directly to your inbox.
Quiztudy Top Courses
Popular in Coursera
- Google Advanced Data Analytics
- Google Cybersecurity Professional Certificate
- Meta Marketing Analytics Professional Certificate
- Google Digital Marketing & E-commerce Professional Certificate
- Google UX Design Professional Certificate
- Meta Social Media Marketing Professional Certificate
- Google Project Management Professional Certificate
- Meta Front-End Developer Professional Certificate
Liking our content? Then, don’t forget to ad us to your BOOKMARKS so you can find us easily!
