The three core principles of cybersecurity that guide incident response priorities.
What is the CIA Triad (Confidentiality, Integrity, Availability)?
You detect unusual outbound traffic from a server. What NIST phase are you in?
What is Detection and Analysis?
You isolate a system immediately but lose visibility into attacker activity. What strategy tradeoff did you make?
What is prioritizing containment over intelligence gathering?
This type of data is lost when a system is powered off and must be collected first.
What is volatile memory (RAM)?
The team restored systems without removing the attacker’s access. What failed?
What is Eradication?
The NIST phase where an incident is first identified and validated.
What is Detection and Analysis?
An attacker is actively exfiltrating data. What is the FIRST action you should consider?
What is Containment?
You delay containment to observe attacker behavior. What strategy are you using?
What is Monitor and Observe?
This documentation tracks who collected, handled, and transferred evidence.
What is chain of custody?
Your office failed to keep a record of who is responsible for the protection of evidentiary materials and of everyone who has accessed them.
What is "Chain of Custody"?
The action taken to stop an incident from spreading but not necessarily remove it.
What is Containment?
What is Incident Classification?
A type of scanning does this by listening to network traffic.
What is Passive Scanning?
You reboot a compromised system before collecting data. What critical mistake did you make?
What is destroying volatile evidence (memory loss)?
Investigators trusted system logs without verifying their integrity, not considering that an attacker may have altered or deleted them using this technique.
What is anti-forensics?
The process of verifying that collected digital evidence has not been altered.
What is hashing (integrity verification)?
Infiltration, Aggregation, Exfiltration, Persistence
What is the cyber kill chain (or anatomy of a hack)?
A type of scanning does this by sending traffic and observing what traffic returns as a result.
What is "Active" Scanning?
Whitman identifies two types of forensics, and one applies the procedures and techniques of forensics to the computer world.
What is Computer Forensics?
The organization contained the incident but failed to determine what systems, data, or users were impacted before moving to recovery.
What is Incident Damage Assessment?
The concept that ensures evidence can be tracked from collection to court without compromise.
What is chain of custody?
The search for, collection, and review of items stored in digital format that are of potential evidentiary value based on criteria specified by a legal team.
What is "eDiscovery"?
An organization chooses to restore operations immediately, knowing evidence may be lost. What strategy is this most aligned with?
What is Protect and Forget?
Whitman identifies two types of forensics: computer forensics, and another that further expands the use of forensics to any digital device, such as a cell phone.
What is Digital Forensics?
By prioritizing rapid recovery over investigation, a “Protect and Forget” approach commonly leads to the loss of these materials needed for legal or forensic analysis.
What are evidentiary materials?