CCNA Cybersecurity Operations (Version 1.1) – CyberOps Chapter 13 Exam Answers
- What is a chain of custody?
- The documentation surrounding the preservation of evidence related to an incident *
- A list of all of the stakeholders that were exploited by an attacker
- The disciplinary measures an organization may perform if an incident is caused by an employee
- A plan ensuring that each party involved in an incident response understands how to collect evidence
- What type of CSIRT organization is responsible for determining trends to help predict and provide warning of future security incidents?
- Analysis center *
- Vendor team
- Coordination center
- National CSIRT
- Which approach can help block potential malware delivery methods, as described in the Cyber Kill Chain model, on an Internet-facing web server?
- Build detections for the behavior of known malware.
- Collect malware files and metadata for future analysis.
- Analyze the infrastructure path used for files. *
- Audit the web server to forensically determine the origin of exploit.
- According to NIST standards, which incident response stakeholder is responsible for coordinating an incident response with other stakeholders to minimize the damage of an incident?
- IT support
- Management *
- Legal department
- Human resources
- After a threat actor completes a port scan of the public web server of an organization and identifies a potential vulnerability, what is the next phase for the threat actor in order to prepare and launch an attack as defined in the Cyber Kill Chain?
- Exploitation
- Weaponization *
- Reconnaissance
- Action on objectives
- When dealing with security threats and using the Cyber Kill Chain model, which two approaches can an organization use to help block potential exploitations of a system? (Choose two.)
- Collect email and web logs for forensic reconstruction.
- Analyze the infrastructure path used for delivery.
- Audit endpoints to forensically determine origin of exploit.
- Conduct full malware analysis.
- Conduct employee awareness training and email testing.
15. Which action should be included in a plan element that is part of a computer security incident response capability (CSIRC)?
- Detail how incidents should be handled based on the mission and functions of an organization.
- Develop metrics for measuring the incident response capability and its effectiveness.
- Create an organizational structure and definition of roles, responsibilities, and levels of authority.
- Prioritize severity ratings of security incidents.
16. What is the objective of the threat actor in establishing a two-way communication channel between the target system and a CnC infrastructure?
- to allow the threat actor to issue commands to the software that is installed on the target
- to steal network bandwidth from the network where the target is located
- to launch a buffer overflow attack
- to send user data stored on the target to the threat actor
- Applications *
- User accounts *
- OS vulnerabilities *
- Existing backdoors
- Domain name space
- DHCP configurations
- Results
- Direction
- Resources *
- Methodology
- Harvest email addresses of user accounts.
- Obtain an automated tool to deliver the malware payload.
- Open a two-way communication channel to the CnC infrastructure.
- Install a web shell on the target web server for persistent access. *
- Discovery and Response *
- Incident Description
- Incident Tracking
- Victim Demographics
- Conduct full malware analysis.
- Train web developers to secure code. *
- Collect email and web logs for forensic reconstruction.
- Build detections for the behavior of known weaponizers.
- Perform regular vulnerability scanning and penetration testing. *
- Hold meetings on lessons learned.
- Change all passwords.
- Patch all vulnerabilities.
- Identify all hosts that need remediation.
- the procedures that are followed during an incident response
- the metrics for measuring incident response capabilities
- the roadmap for increasing incident response capabilities
- the details on how an incident is handled
- black hat
- gray hat
- red hat
- white hat
- Create a back door in the target system to allow for future access.
- Establish command and control (CnC) with the target system.
- Use the information from the reconnaissance phase to develop a weapon against the target.
- Break the vulnerability and gain control of the target.
- resources
- methodology
- direction
- results
- It can be used to discover how other organizations dealt with a particular type of security incident.
- Companies who pay to contribute and access the database are protected from security threats.
- It can be used to discover the name of known threat actors.
- The database can be easily compressed.
- actions on objectives
- command and control
- delivery
- exploitation
- installation
- Event Viewer
- net command
- PowerShell
- Task Manager
- false negative
- false positive
- true negative
- true positive
- Build detections for the behavior of known malware.
- Train web developers for securing code.
- Detect data exfiltration, lateral movement, and unauthorized credential usage.
- Perform forensic analysis of endpoints for rapid triage.
- Collect malware files and metadata for future analysis.
- Obtain an automated tool in order to deliver the malware payload through the vulnerability.
- Install a webshell on the web server for persistent access.
- Create a point of persistence by adding services.
- Collect credentials of the web server developers and administrators.
- Document the handling of the incident.
- Identify and validate incidents.
- Conduct CSIRT response training.
- Implement procedures to contain threats.
- incident description
- incident tracking
- discovery and response
- victim demographics
- Coordinate incident handling across multiple CSIRTs.
- Handle customer reports concerning security vulnerabilities.
- Use data from many sources to determine incident activity trends.
- Provide incident handling to other organizations as a fee-based service.
- Analyze web log alerts and historical search data.
- Audit endpoints to forensically determine origin of exploit.
- Build playbooks for detecting browser behavior.
- Conduct full malware analysis.
- Understand targeted servers, people, and data available to attack.
- measures used to prevent an incident
- time and date the evidence was collected
- extent of the damage to resources and assets
- vulnerabilities that were exploited in an attack
- serial numbers and hostnames of devices used as evidence
- location of all evidence
- VERIS
- Diamond
- CSIRT
- Cyber Kill Chain
- It provides a roadmap for maturing the incident response capability.
- It provides metrics for measuring the incident response capability and effectiveness.
- It defines how the incident response teams will communicate with the rest of the organization and with other organizations.
- It details how incidents should be handled based on the organizational mission and functions.
- the processes used to preserve evidence
- the strategies and procedures used for incident containment
- the networks, systems, and applications affected by an incident
- the amount of time and resources needed to handle an incident
- Launch a DoS attack.
- Send a message back to a CnC controlled by the threat actor.
- Break the vulnerability and gain control of the target.
- Establish a back door into the system.
- infrastructure
- capability
- weaponization
- adversary
- Receive, review, and respond to security incidents in an organization.
- Provide national standards as a fee-based service.
- Coordinate security incident handling across multiple CSIRTs.
- Provide security awareness, best practices, and security vulnerability information to a specific population.