Identify
Contain
Eradicate
Recover
Prepare/Lessons Learned
100

This phase of the Lockheed Martin Cyber Kill Chain reveals what motivates a threat actor during their attack.

What is Actions on Objectives?

100

This artifact should always be gathered from a victim host before being powered off.

What is a memory capture/memory dump?

100

This setting allows a domain-joined account to be preserved without allowing a user to log in to the account.

What is disabled?

100

This type of cyberattack should always be reported to the FBI, as they may be able to assist in recovery.

What is ransomware?

100

This activity should be held within two weeks of the conclusion of the incident, with both the incident response team and key incident stakeholders in attendance.

What is an incident retrospective?

200

A defaced website with derogatory messages likely means the attacker is motivated by this.

What is hacktivism?

200

This person communicates to the public/press about system outages caused by a cybersecurity incident.

Who is a communications representative/public representative/organizational spokesperson?

200

When this type of malware is installed, the operating system cannot be trusted, and the entire device should be re-built.

What is a rootkit?

200

This strategy needs to be tested BEFORE a cyber incident occurs in order to ensure a system can recover easily if the live system data is corrupted.

What is a backup and restore?

200

This activity is held regularly with both the incident response team and other organizational representatives, simulating a real cyber incident and guiding members through a cyber incident decision making process.

What is a malicious insider threat?

300

If you recently discovered that your new remote IT worker was operating under a false identity, you are likely the victim of a coordinated cyberattack led by this nation state.

Who is the DPRK?

300

Responders should take this action to prevent a malicious device from connecting to the organizational network.

What is blocking a MAC address?

300

This action should be taken when an attacker has stolen a copy of a resource's public key.

What is nothing?

300

When this type of data is stolen by an attacker, victim organizations may face a fine of up to ~$23 million or 4% of their annual global turnover.

What is data about European Citizens?

300

This item should be kept stocked and in a well-known location at all times so that an Incident Response Team can quickly respond to an incident.

What is a jump bag?

400

The following CVSS vector describes a vulnerability that requires the victim to perform this action in order to be exploited.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What is none/nothing?

400

These two questions should be answered before a resource can be put back online after being contained.

Is the initial vulnerability/access patched? Is the attacker still in the system (persistence)?

400

Responders must perform this action in order to remediate stored cross-site scripting attacks.

What is delete injected content?

400

These two hourly metrics should be tracked during an incident to help determine the cost of an incident.

What is man hours and/or downtime hours?

400

This is the name for an organization's program or initiative designed to educate employees on recognizing and mitigating cyber threats.

What is security awareness training?

500

A suspicious process with a call to the Windows system function LoadLibraryExW may indicate this type of attack technique.

What is DLL sideloading/hijacking?

500

DOUBLE JEOPARDY -- MISC

HOW MUCH WILL YOU BET?

Ezekiel!

500

This remediation action is necessary when an attacker has managed to breach an Active Directory domain, steal hashes, and forge authentication tickets for the domain's ticket-based network authentication protocol.

What is resetting the KRBTGT password twice?

500

This organizational internal policy can guide incident response teams as they prioritize which systems to bring back online first.

What is a disaster recovery plan?

500

This law, considered one of the strongest privacy laws in the nation, was the first comprehensive data privacy law for a state in the U.S.A. and was largely influenced by the Facebook--Cambridge Analytica scandal.

What is the California Consumer Privacy Act (CCPA)?