What are some common issues with the PICREL approach to incident response?
Not scoping.
Failure to contain the incident.
Improper scoping.
Failure to identify and/or fix the root cause.
What is DAIR?
It is a Dynamic Approach to Incident Response.
What would occur during preparation in DAIR?
This would include things like: Know your Organization, Know your Corporate Policies,
Internal Network Visibility, Log Review, Recovery Procedures Development, IR Team
Preparation.
,Detection Phase of DAIR
Check to see if it is a false positive
After the incident has been verified to have occurred, triaging is a good idea
Scoping
That's how we identify where in an organization's network the threat actors are by
scanning our network.
What is Velociraptor?
This is a free and open-source software tool for assisting with scoping an incident,
performing large-scale incident response, and supporting threat hunting efforts.
What occurs during the Containment phase of DAIR?
During this phase, the goal is to deny the threat actor further operation inside a
compromised network. During this stage, it also means data acquisition.
What occurs during the Eradication phase of DAIR?
This involves undoing or taking away what a threat actor did.
What occurs during the Recovery phase of DAIR? What is usually the most cost-effective
way of doing this?
The idea here is to restore the business with minimum disruption of normal business
operations.
This often is the most cost-effective way to achieve this by rebuilding the system.
What takes place in the Remediation phase of DAIR?
Well, this all involves remedying the root cause of an incident. Of course, after that you
need to monitor the system closely to see if the threat actor remains.
,Which of the following is a protection against hijacking attacks?
LLMNR disabled
3 options
Which one of the following is one of the tools that threat actors commonly use to extract
the victim password from the memory dump files?
Mimikatz
3 options
Which one of the following is one of the attacker's desired outcomes regarding
persistence?
Maintain privileges
3 options
An attacker has successfully stolen an AWS instance. What is the attacker's command
in order to see which S3 buckets are available?
aws s3 ls
3 options
Which of the following PowerShell cmdlets can provide valuable information to identify
attacker WMI-based persistence?
Get-WMIObject
3 choices
Which of the following is endpoint detection and response tools most effective when
coupled with?
Rapid incident response
, 3 choices
As adversaries continue to use new C2 and exfil techniques, traditional IDS identifies
fewer and fewer threats. Which of the following techniques can be used to identify C2
that is typically missed using traditional IDS techniques?
Statistical anomaly analysis
3 Choices
As this is the output from RITA's analysis, which would you consider as the most
suspicious IP?
Which of the following utilities uses a "high-low" approach, whereby it breaks down a
given file into pieces in order to constantly re-scan it to come up with the smallest chunk
The benefits of buying summaries with Stuvia:
Guaranteed quality through customer reviews
Stuvia customers have reviewed more than 700,000 summaries. This how you know that you are buying the best documents.
Quick and easy check-out
You can quickly pay through credit card or Stuvia-credit for the summaries. There is no membership needed.
Focus on what matters
Your fellow students write the study notes themselves, which is why the documents are always reliable and up-to-date. This ensures you quickly get to the core!
Frequently asked questions
What do I get when I buy this document?
You get a PDF, available immediately after your purchase. The purchased document is accessible anytime, anywhere and indefinitely through your profile.
Satisfaction guarantee: how does it work?
Our satisfaction guarantee ensures that you always find a study document that suits you well. You fill out a form, and our customer service team takes care of the rest.
Who am I buying these notes from?
Stuvia is a marketplace, so you are not buying this document from us, but from seller Stetson. Stuvia facilitates payment to the seller.
Will I be stuck with a subscription?
No, you only buy these notes for $13.99. You're not tied to anything after your purchase.