Security+ (SY0-701): Lesson 12: Explain Incident Response and Monitoring Concepts Part 2
This flashcard set outlines key concepts in cybersecurity incident response, focusing on definitions, planning, and the seven-step lifecycle defined by CompTIA. It also explains the role of tools like SIEM in preparation and detection phases, providing a structured approach to managing and mitigating security incidents effectively.
Define a 'dump'
A file containing data captured from system memory.
Key Terms
Define a 'dump'
A file containing data captured from system memory.
Define a 'system memory dump'
An image file of running processes; Temporary files, registry data, network connections, cryptographic keys, etc.
Define 'disk image acquisition'
Acquiring data from nonvolatile storage; HDDs, SSDs, flash memory, optical media (CD/DVD).
What are the 3 types of device states for disk image acquisistion?
Live acquisition
Static acquisition by shutting down the host
Static acquisition by pulling the plug
...
Define 'Live acquisition'
Copying the data while the host is still running.
What is the upside to live acquisition?
Captures more evidence/data for analysis and reduces the impact on overall services.
Related Flashcard Decks
Study Tips
- Press F to enter focus mode for distraction-free studying
- Review cards regularly to improve retention
- Try to recall the answer before flipping the card
- Share this deck with friends to study together
| Term | Definition |
|---|---|
Define a 'dump' | A file containing data captured from system memory. |
Define a 'system memory dump' | An image file of running processes; Temporary files, registry data, network connections, cryptographic keys, etc. |
Define 'disk image acquisition' | Acquiring data from nonvolatile storage; HDDs, SSDs, flash memory, optical media (CD/DVD). |
What are the 3 types of device states for disk image acquisistion? |
|
Define 'Live acquisition' | Copying the data while the host is still running. |
What is the upside to live acquisition? | Captures more evidence/data for analysis and reduces the impact on overall services. |
What is the downside to live acquisition? | The data on the actual disks will have changed, so this method may not produce legally acceptable evidence; May also alert the bad actor and allow time to perform anti-forensics. |
What is the drawback of static acquisition by shutting down the host? | Runs the risk that the malware will detect the shutdown process and perform anti-forensics to try to remove traces of itself. |
What is the benefit and disadvantage of static acquisition by pulling the plug? | Most likely to preserve the storage devices in a forensically clean state, but there is the risk of corrupting data. |
What is paramount when performing any sequence of acquisition? | To document the steps taken and supply a timeline and video-recorded evidence of actions taken to acquire the evidence. |
What is the ''dd command'' in Linux and its function? | Linux command that makes a bit-by-bit copy of an input file, typically used for disk imaging. |
What is the syntax for the dd command to image a disk? | dd if=input file of=output file |
What is the value of a video verified | Establishes the provenance; Being able to trace the source of evidence to a crime scene and show that it has not been tampered with. |
When creating a forensically sound image from nonvolatile storage, what is to be considered when choosing the capture tool? | Capture tool must not alter data or metadata (properties) on the source disk or file system. |
Where is data acquisition typically performed? | By attaching the target device to a forensics workstation or field capture device equipped with a write blocker. |
Define a 'write blocker' and its purpose | A forensic tool to prevent the capture tool or analysis device from changing data on a target disk or media. |
What is the first step in data acquisition? | A cryptographic hash of the disk media is made, using either the MD5 or SHA hashing function. |
What is the second step in data acquisition? | A bit-by-bit copy of the media is made using an imaging utility. |
What is the third step in data acquisition? | A second hash is then made of the image, which should match the original hash of the media. |
What is the fourth step in data acquisition? | A copy is made of the reference image, validated again by the checksum. Analysis is performed on the copy. |
Define 'Chain of custody' | Record of handling evidence from collection to presentation in court to disposal. |
What is the reason for documenting chain of custody when security breaches go to trial? | Establishes the integrity and proper handling of evidence; Protects an organization against accusations that evidence has either been tampered with. |
Define 'E-discovery' | Filtering relevant evidence produced from all the data gathered in a forensic examination and storing it in a database in a format such that it can be used as evidence in a trial. |
What is an IoC that reveals the presence of a hidden partition? | Unused space in an extended partition. |
What is a file system metadata structure that is used to store and organize file object information, such as file size, owner, permissions, and timestamps? | inode |
Define a 'data source' in context of digital forensics | Something that can be subjected to analysis to discover indicators. |
What are typical data sources? | Log files from a network device, host/OS, application, system memory, etc. |
What two ways can a SIEM platform be used for automated reporting? |
|
Define 'metadata' | Information stored or recorded as a property of an object, state of a system, or transaction. |
What are the 3 components of a syslog message? |
|
Define the PRI code of a syslog message | Calculated from the facility and a severity level. |
Define the header of a syslog message | Contains a timestamp, host name, app name, process ID, and message ID fields. |
Define the the message of a syslog alert | Contains a tag showing the source process plus content. |
What do security logs typically contain? | Audit events, such as a failed login or access to a file being denied. |
Define an 'endpoint log' | A target for security-related events generated by host-based malware and intrusion detection agents.` |
Define an 'email's internet header' | A record of the email servers involved in transferring an email message from a sender to a recipient. |
How can metadata play a role in analysis of an incident? | Establish timeline questions, such as when and where a breach occurred, as well as containing other types of evidence. |
Where can email metadata such as an email header be viewed? | Via commands on a mail client or from a message transfer agent (MTA). |
Define the function of a security information and event management (SIEM)? | Provides real-time or near-real-time analysis of security alerts generated by network hardware and applications. |
What are the 3 forms of collection that a security information and event management (SIEM) can utilize? |
|
Define a 'Listener/Collector' | A network appliance that gathers or receives log and/or state data from other network systems. |
Define 'log aggregation' | Parsing information from multiple data sources so that it can be presented in a consistent and searchable format. |
Define 'correlation' | A function of log analysis that links log and state data to identify a pattern that should be logged or alerted as an event. |
Define an 'executive report' and its purpose | High-level summary for decision-makers. This guides planning and investment activity. |
Define a 'manager report' and its purpose | Provides cybersecurity and department leaders with detailed information. This guides day-to-day operational decision-making. |
Define 'alert tuning' | Process of adjusting detection and correlation rules to reduce incidence of false positives and low-priority alerts. |
How can a rule/alert level be adjusted to correct false positives? | Adjust the parameter of the rules, adding more correlation factors, setting to log only/no alert, or to produce a notification for x amount of events. |
In order to alleviate the number of alerts at an analyst's dashboard, what can be done to reduce alerts? | By redirecting alerts to a different group based on the type of alert. |
How can AI help develop alerting? | Deploying machine learning (ML) to rapidly analyze the sort of data sets produced by SIEM and how analysts respond to alerts and tuning the ruleset in a way that reduces alert. |
Define a 'network monitor' | Auditing software that collects status and configuration information from network devices typically based on SNMP. |
Define the difference between a 'flow collector' and a network monitor | Records metadata and network traffic statistics rather than recording each frame for analysis. |
What is the purpose of a flow collector? | Highlight patters in traffic; Alert based on anomalies, flow patterns or custom rules; Visualization of network. |
How does a flow collector define a specific traffic flow? | By packets sharing the same characteristics, referred to as keys. |
What is a collection of keys identifying a traffic flow called? | A flow label. |
If traffic matches a key/flow label, what is it called? | A flow record. |
What is a flow label made up of? | Packets that share the same key characteristics, such as IP source and destination addresses and protocol type; Also known as a 5-tuple. |
Define a 'system monitor' | Software that tracks the health of a computer's subsystems using metrics reported by system hardware or sensors; high temperature, chassis intrusion, and so on. |
What protocol does a vulnerability scanner use to determine if a host/app/service meets security best practice? | Security Content Automation Protocol (SCAP) allows compatible scanners to determine whether a computer meets a configuration baseline. |
What two tools does the Security Content Automation Protocol (SCAP) use to determine if a computer meets baseline? |
|
What is the difference between a sensor and a collector, in the context of SIEM? | A SIEM collector receives log data from a remote host and parses it into a standard format that can be recorded within the SIEM; A sensor (or sniffer) copies data frames from the network, using a mirror port or a TAP. |
Which type of analysis involves deep-down, frame-by-frame scrutiny of captured network traffic to decode packet header fields and payload contents, aiding in identifying attack tools, data exfiltration attempts, and suspicious domains? | Retrospective network analysis (RNA) |
Define 'Retrospective network analysis' | Recording the totality of network events at a packet header or payload level. |
What is the purpose of retrospective network analysis? | Detailed analysis of captured traffic to identify attack tools, data exfiltration attempts, and suspicious domains. |