Preparation Cycle
Cyber Kill Chain/Diamond Model
Detect
Analyze
Log
100

This type of exercise involves simulating an incident to test the effectiveness of the incident response plan.

What is a tabletop exercise?

100

This phase of the Cyber Kill Chain involves the attacker gaining initial access to the target network.

What is the exploitation phase?

100

This type of attack forces an end user to execute unwanted actions on a web application in which they are authenticated.

What is CSRF (Cross-Site Request Forgery)?

100

This process involves examining the behavior of an actor, including the tools they use and the methods they employ.

What are TTPs (Tactics, Techniques, and Procedures)?

100

This process ensures that evidence is collected, preserved, and documented in a manner that maintains its integrity.

What is chain of custody?

200

These predefined procedures guide the response to specific types of incidents.

What are playbooks?

200

This phase of the Cyber Kill Chain involves the attacker maintaining access to the target system over an extended period.

What is the persistence phase?

200

These artifacts indicate a potential intrusion and are used to detect malicious activity.

What are Indicators of Compromise (IoCs)?

200

This process involves verifying that data has not been altered or tampered with.

What is validating data integrity?

200

This legal process requires organizations to preserve relevant information for potential litigation.

What is a legal hold?

300

This analysis identifies the underlying cause of an incident to prevent future occurrences.

What is root cause analysis? It is part of the post-incident process that prepares the organization for future incidents.

300

In the Diamond Model, this feature represents the tools and techniques used by the adversary to conduct an attack.

What is capability?

300

This step involves determining the extent of an incident and its impact on the organization.

What is scoping?

300

This step involves removing malicious components from affected systems.

What is remediation?

300

This type of system collects and analyzes security event data from various sources to provide real-time analysis of security alerts.

What is a Security Information and Event Management (SIEM) system?

400

These plans ensure that critical business functions can continue during and after a disaster.

What are business continuity (BC) and disaster recovery (DR) plans?

400

In the Diamond Model, this feature represents the infrastructure used by the adversary to deliver the capability to the victim.

What is infrastructure?

400

This type of attack tricks a server into fetching a resource on behalf of the attacker.

What is SSRF (Server-Side Request Forgery)?

400

This process ensures files are not tampered with by monitoring and reporting changes to files.

What is FIM (File Integrity Monitoring)?

400

This process involves collecting and processing log data from various sources to provide insights into system and network activities.

What is log ingestion?

500

This guide provides a framework for testing the security of web applications.

What is the OWASP Testing Guide?

500

This model uses four core features—adversary, capability, infrastructure, and victim—to analyze cyber intrusions.

What is the Diamond Model of Intrusion Analysis?

500

This type of attack allows an attacker to execute arbitrary code on a remote machine.

What is RCE (Remote Code Execution)?

500

This type of attack allows an attacker to include files on a server through the web browser.

What is LFI (Local File Inclusion)?

500

This logging level captures detailed information, including debugging messages, and is typically used during development.

What is debug level logging?
