1. To ensure that the chain of custody is maintained, what three items should be logged about evidence that is collected and analyzed after a security incident has occurred? (Choose three.)

A chain of custody refers to the proper accounting of evidence collected about an incident that is used as part of an investigation. The chain of custody should include the location of all evidence, the identifying information of all evidence such as serial numbers and hostnames, identifying information about all persons handling the evidence, and the time and date that the evidence was collected.

2. A threat actor has gained administrative access to a system and achieved the goal of controlling the system for a future DDoS attack by establishing a communication channel with a CnC owned by the threat actor. Which phase in the Cyber Kill Chain model describes the situation?

The Cyber Kill Chain specifies seven steps (or phases) and sequences that a threat actor must complete to accomplish an attack:
  1. Reconnaissance – The threat actor performs research, gathers intelligence, and selects targets.
  2. Weaponization – The threat actor uses the information from the reconnaissance phase to develop a weapon against specific targeted systems.
  3. Delivery – The weapon is transmitted to the target using a delivery vector.
  4. Exploitation – The threat actor uses the weapon delivered to break the vulnerability and gain control of the target.
  5. Installation – The threat actor establishes a back door into the system to allow for continued access to the target.
  6. Command and Control (CnC) – The threat actor establishes command and control (CnC) with the target system.
  7. Action on Objectives – The threat actor is able to take action on the target system, thus achieving the original objective.

3. Which meta-feature element in the Diamond Model describes tools and information (such as software, black hat knowledge base, username and password) that the adversary uses for the intrusion event?

The resources element in the Diamond Model is used to describe one or more external resources used by the adversary for the intrusion event. The resources include software, knowledge gained by the adversary, information (e.g., username/passwords), and assets to carry out the attack.

4. Which action should be included in a plan element that is part of a computer security incident response capability (CSIRC)?

NIST recommends creating policies, plans, and procedures for establishing and maintaining a CSIRC. A purpose of the plan element is to develop metrics for measuring the incident response capability and its effectiveness.

5. Which two actions can help identify an attacking host during a security incident? (Choose two.)

The following actions can help identify an attacking host during a security incident:
  1. Use incident databases to research related activity.
  2. Validate the IP address of the threat actor to determine if it is a viable one.
  3. Use an Internet search engine to gain additional information about the attack.
  4. Monitor the communication channels that some threat actors use, such as IRC.

6. What is a MITRE ATT&CK framework?

The MITRE ATT&CK framework is a global knowledge base of threat actor behavior. It is based on observation and analysis of real-world exploits with the purpose of describing the behavior of the attacker, not the attack itself. It is designed to enable automated information sharing by defining data structures for the exchange of information between its community of users and MITRE.

7. According to NIST, which step in the digital forensics process involves identifying potential sources of forensic data, its acquisition, handling, and storage?

NIST describes the digital forensics process as involving the following four steps:
  1. Collection – the identification of potential sources of forensic data and acquisition, handling, and storage of that data.
  2. Examination – assessing and extracting relevant information from the collected data. This may involve decompression or decryption of the data.
  3. Analysis – drawing conclusions from the data. Salient features, such as people, places, times, events, and so on, should be documented.
  4. Reporting – preparing and presenting information that resulted from the analysis. Reporting should be impartial, and alternative explanations should be offered if appropriate.

8. When dealing with security threats and using the Cyber Kill Chain model, which two approaches can an organization use to help block potential exploitations of a system? (Choose two.)

The most common exploit targets, once a weapon is delivered, are applications, operating system vulnerabilities, and user accounts. Among other measures, conducting employee awareness training and email testing, and auditing endpoints to forensically determine the origin of an exploit, can help block future exploitations of systems.

9. Which term is used in the Diamond Model of intrusion to describe a tool that a threat actor uses toward a target system?

The Diamond Model of intrusion contains four parts:
  1. Adversary – the parties responsible for the intrusion
  2. Capability – a tool or technique that the adversary uses to attack the victim
  3. Infrastructure – the network path or paths that the adversaries use to establish and maintain command and control over their capabilities
  4. Victim – the target of the attack

10. What is the purpose of the policy element in a computer security incident response capability of an organization, as recommended by NIST?

NIST recommends creating policies, plans, and procedures for establishing and maintaining a CSIRC. A purpose of the policy element is to detail how incidents should be handled based on the mission and functions of an organization.

11. According to NIST, which step in the digital forensics process involves extracting relevant information from data?

NIST describes the digital forensics process as involving the following four steps:
  1. Collection – the identification of potential sources of forensic data and acquisition, handling, and storage of that data.
  2. Examination – assessing and extracting relevant information from the collected data. This may involve decompression or decryption of the data.
  3. Analysis – drawing conclusions from the data. Salient features, such as people, places, times, events, and so on, should be documented.
  4. Reporting – preparing and presenting information that resulted from the analysis. Reporting should be impartial, and alternative explanations should be offered if appropriate.

12. Which statement describes the Cyber Kill Chain?

The Cyber Kill Chain was developed to identify and prevent cyber intrusions by specifying what threat actors must complete to accomplish their goals.

13. After containing an incident that infected user workstations with malware, what are three effective remediation procedures that an organization can take for eradication? (Choose three.)

To recover infected user workstations, use clean and recent backups, or rebuild the PCs with installation media if no backups are available or the backups have been compromised. Also, fully update and patch the operating system and installed software of all hosts. All users are encouraged to change their passwords for the workstation or workstations they use. Rebuilding DHCP servers is needed only if they are affected by the incident. Likewise, not all devices need to have their name and password configuration settings changed unless they are affected by the incident.

14. After a threat actor completes a port scan of the public web server of an organization and identifies a potential vulnerability, what is the next phase for the threat actor in order to prepare and launch an attack as defined in the Cyber Kill Chain?

The Cyber Kill Chain specifies seven steps (or phases) and sequences that a threat actor must complete to accomplish an attack:
  1. Reconnaissance – The threat actor performs research, gathers intelligence, and selects targets.
  2. Weaponization – The threat actor uses the information from the reconnaissance phase to develop a weapon against specific targeted systems.
  3. Delivery – The weapon is transmitted to the target using a delivery vector.
  4. Exploitation – The threat actor uses the weapon delivered to break the vulnerability and gain control of the target.
  5. Installation – The threat actor establishes a back door into the system to allow for continued access to the target.
  6. Command and Control (CnC) – The threat actor establishes command and control (CnC) with the target system.
  7. Action on Objectives – The threat actor is able to take action on the target system, thus achieving the original objective.

15. Which task describes threat attribution?

Threat attribution refers to determining the individual, organization, or nation responsible for a successful intrusion or attack incident. The security investigation team correlates all the evidence in order to identify commonalities between the tactics, techniques, and procedures (TTPs) of known and unknown threat actors.