M6 110 PRACTICE QUIZ FOR IR FUNDAMENTALS


Incident Response Fundamentals Practice Quiz

Test your knowledge on Incident Response (IR) fundamentals with our comprehensive practice quiz. This quiz covers various critical aspects of incident recovery, including best practices, principles, and artifact analysis.

  • 19 thought-provoking questions
  • Multiple choice and drop list formats
  • Designed for IR professionals and students alike
1. This lecture mentioned three, high-level, possibly conflicting goals with respect to the overall incident recovery effort; which of these is not one of them?
  • Availability
  • Prosecution
  • Containment
  • Recovery

2. Which principle suggests that any attack/attacker is likely to leave evidentiary "signs", or "remnants" of attack activity behind on the attacked device(s)?
  • Daubert's
  • Locard's
  • Kerckhoff's
  • Shannon's
  • Sherlock's

3. Which of these represents IR tool "best practices" (as presented in lecture) for analysis of artifacts on an exploited system where detection has already occurred? (GUI = Graphical User Interface, CLI = Command Line Interface)
  • Use only the tools found on the infected system, and favor GUI over CLI tools.
  • Bring your own tools, and favor GUI over CLI tools.
  • Use only the tools found on the infected system, and favor CLI over GUI tools.
  • Bring your own tools, and favor CLI over GUI tools.

4. From the SP800-83 (Guide to Malware Incident Prevention and Handling) we learned that incident containment has two, possibly conflicting, goals; what are they?
  • Stop malware from spreading — prevent further damage to infected system
  • Remove the vulnerability — block the attack delivery vector
  • Stop malware from spreading — preserve forensic data
  • Block the threat — remove the vulnerability

5. Which statement is true from this lecture section?
  • When duplicating a hard drive, software-based write-blockers are preferred to hardware-based write-blockers.
  • IR responders should prioritize the collection of artifact data that is most volatile.
  • Lucky for us, most system clocks and logs around the world are set to UTC (aka GMT).
  • Traditional (vice forensic) disk duplication will also copy slack and unallocated space.

6. Which of these was not a point made in lecture regarding IOCs?
  • There is not—yet—a single, widely accepted and free standard for host-based IOCs.
  • Snort rule format is the most common standard for representing network-based IOCs.
  • Host-based IOCs are commonly represented using the nmap description language (NDL).
  • An IOC is a definition that captures the characteristics and related artifacts of a compromise.

7. Which of these is not good advice for an IR responder?
  • When evaluating evidence it is better to try and prove a positive than it is to prove a negative.
  • Avoid "analysis paralysis".
  • Follow initial leads, and avoid being distracted by "shiny objects".
  • Do not send your initial report until you are absolutely certain of the proper incident category.

8. What does each letter of the DICER mnemonic (memory aid) stand for? I have given you one of them. (Hint: What do we do when prevention fails?)

9. Which of these best describes the Daubert Standard?
  • A judicial (court) standard regarding the quality/admissibility of scientific evidence.
  • A NIST standard pertaining to methods applied when forensically copying digital data.
  • A legal standard regarding chain-of-custody handling for electronic evidence.
  • The standard adopted/supported by the CJCSM for cyber incident reporting.

10. Which type of analysis is typically used when the investigator does not otherwise know exactly what he/she is looking for, or how to look for it?
  • Syntactical
  • Full-packet
  • Session-level
  • Statistical

11. Which statement is true from this lecture section?
  • A commonly seen/noted IR investigation error is that the responders focus too much on finding and following leads, rather than on finding malware.
  • IOCs represent pre-determined/pre-considered courses of action to help remedy an incident.
  • When a rootkit, backdoor, or other "deeply-placed" threat is known or suspected, the recovery will/should likely entail a rebuild (or replacement) of the affected system(s).
  • When comparing potential RAs, the responder should always choose the one that will minimize spreading rather than the one that will minimize damage.

12. Which statement is true?
  • The term "event" implies a bad/malicious activity.
  • All incidents are composed of events.
  • The term "incident" is used to describe both good and bad activity.
  • All events are composed of incidents.

13. Which IR recovery priority choice (R-or-A-or-P) would likely be the (relatively) easiest of the three?

14. Which IR recovery priority choice (R-or-A-or-P) would likely entail the longest system downtime?

15. Which situation would suggest that W&L would most likely be preferred to a SLD containment decision?
  • Incident responders have little/no clue regarding a serious problem of data leakage.
  • All passwords have been changed, and the offending malware has already been removed.
  • Root cause is unknown, situation is being highly monitored, SLD is ready if necessary.
  • Root cause is known, isolation of affected systems has already been done.

16. What is each artifact type from the PUFNTALR acronym?

17. Which general/fundamental IR principle was not made in this section?
  • Avoid "analysis paralysis".
  • It's better to prove a negative than to prove a positive.
  • Avoid "shiny objects".
  • Strive to maintain a "light touch".
  • Time is one of the best ways to scope relevant data.

18. What point was not made in this section?
  • A typical misstep early in an investigation is to focus on finding malware.
  • Complete system rebuilds are recommended if the attacker received root-level access.
  • The goal early in an investigation is (should be) to find leads.
  • IOCs are typically developed during the Detection Phase of the (CJCSM) IH lifecycle.

19. What does "R,R-or-R" refer to (each letter), and to which (CJCSM) IR phase does it apply?