CCNA Cyber Ops FAQ: Introduction to Incident Response and the Incident Handling Process

Q1. What NIST special publication covers the incident response process?
A. Special Publication 800-61
B. Judiciary, private, and individual investigations
C. Public, private, and corporate investigations
D. Government, corporate, and private investigations

Answer: A. NIST’s Special Publication 800-61 was created to provide guidelines for incident response and all related processes and procedures.

Q2. Which of the following is not part of the policy elements described in NIST’s Special Publication 800-61?
A. Statement of management commitment
B. Purpose and objectives of the incident response policy
C. The scope of the incident response policy
D. Definition of QoS policies in network infrastructure devices

Answer: D. Definition of QoS policies in network infrastructure devices is not part of NIST’s Special Publication 800-61.

Q3. Which of the following is NIST’s definition of standard operating procedures (SOPs)?
A. A delineation of the specific IPS signatures to be deployed in the network
B. A delineation of the specific technical processes, techniques, checklists, and forms used by the incident response team
C. A delineation of the specific firewall rules to be deployed in the network
D. A suspect-led approach that’s mostly used in private investigations

Answer: B. An SOP is a delineation of the specific technical processes, techniques, checklists, and forms used by the incident response team.

Q4. Which of the following is not a phase of the incident response process?
A. Preparation
B. Containment, eradication, and recovery
C. Post-incident activity
D. Network monitoring phase

Answer: D. Although network monitoring is part of the preparation phase, it is not a phase of the incident response process in its own right, as defined by NIST.

Q5. Incident prioritization is part of which phase of the incident response process?
A. Preparation
B. Containment, eradication, and recovery
C. Post-incident activity
D. Detection and analysis

Answer: D. Incident prioritization is part of the detection and analysis phase.

Q6. Which of the following is not part of the post-incident activity phase?
A. Lessons learned
B. Identifying the attacking hosts
C. Using collected incident data
D. Evidence retention

Answer: B. Identifying the attacking hosts is not part of the post-incident activity phase.

Q7. Which of the following is a good example of an information-sharing community?
A. The National Institute of Security and Technology (NIST)
B. The National Institute of Standards and Technology (NIST)
C. The Cyber Services Information Sharing and Analysis Center (CSISAC)
D. The Financial Services Information Sharing and Analysis Center (FS-ISAC)

Answer: D. The FS-ISAC is a good example of an information-sharing community.

Q8. During the investigation and resolution of a security incident, you may also need to communicate with outside parties regarding the incident. Which of the following are examples of those external entities?
A. Law enforcement
B. Internet service providers (ISPs)
C. The vendor of your hardware and software products
D. Coordination centers

Answer: A, B, C, and D. All of these are examples of external parties you may need to communicate with during the resolution of a security incident.

Q9. Which of the following is not an example of a type of incident response team?
A. Product Security Incident Response Team (PSIRT)
B. National CSIRT and Computer Emergency Response Team (CERT)
C. Incident response team of a security vendor and managed security service provider (MSSP)
D. Penetration testing team

Answer: D. Product Security Incident Response Teams (PSIRTs), National CSIRTs and Computer Emergency Response Teams (CERTs), and the incident response teams of security vendors and managed security service providers (MSSPs) are all examples of incident response teams.

Q10. Which of the following is not an example of the most common incident response team structures?
A. Product Security Incident Response Team (PSIRT)
B. Centralized incident response team
C. Distributed incident response team
D. Coordinating team

Answer: A. Centralized incident response teams, distributed incident response teams, and coordinating teams are all examples of the most common incident response team structures.

Q11. What is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices?
A. Exploit
B. Vulnerability
C. Threat
D. Computer security incident

Answer: D. According to NIST, a computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.

Q12. What is a delineation of the specific technical processes, techniques, checklists, and forms used by the incident response team?
A. CSIRT team plan
B. Standard operating procedure (SOP)
C. Standard incident plan (SIP)
D. Operation and incident plan (OIP)

Answer: B. An SOP is a delineation of the specific technical processes, techniques, checklists, and forms used by the incident response team.

Q13. What is any observable occurrence in a system or network?
A. Security event
B. Security incident
C. Security vulnerability
D. An exploit

Answer: A. A security event is any observable occurrence in a system or network.

Q14. Which of the following is not an example of the most common incident response team staffing models?
A. Employees
B. Partially outsourced
C. Fully outsourced
D. PSIRT

Answer: D. PSIRT is not an example of the most common incident response team staffing models. The common staffing models are employees, a partially outsourced team, and a fully outsourced team.

Q15. The containment, eradication, and recovery phase includes which of the following? (Choose two.)
A. Choosing a firewall to be able to block traffic proactively or during an attack
B. Choosing an intrusion prevention system to be able to block traffic proactively or during an attack
C. Choosing a containment strategy to effectively contain and eradicate the attack, as well as to be able to successfully recover from it
D. Evidence gathering and handling

Answer: C and D. The containment, eradication, and recovery phase includes choosing a containment strategy and evidence gathering and handling.

Q16. Which phase in the incident response process includes lessons learned, how to use collected incident data, and evidence retention?
A. Post-incident activity (postmortem)
B. Containment, eradication, and recovery
C. The detection and analysis phase
D. The preparation phase

Answer: A. The post-incident activity phase in the incident response process includes lessons learned, how to use collected incident data, and evidence retention.

Q17. Which phase in the incident response process includes creating processes for incident handler communications and the facilities that will host the security operations center (SOC) and incident response team?
A. The preparation phase
B. The detection and analysis phase
C. Containment, eradication, and recovery
D. Post-incident activity (postmortem)

Answer: A. The preparation phase is the phase in the incident response process that includes creating processes for incident handler communications and the facilities that will host the security operations center (SOC) and incident response team.

Q18. Which of the following are examples of the most common incident response team structures? (Choose two.)
A. Centralized incident response team
B. Partially outsourced
C. Fully outsourced
D. Distributed incident response team

Answer: A and D. Centralized and distributed incident response teams are examples of the most common incident response team structures.

Q19. Which of the following is not an example of the VERIS main schema categories?
A. Incident Tracking
B. Victim Demographics
C. Incident Description
D. Incident Forensics ID

Answer: D. The five main sections of the VERIS schema are:

  • Incident Tracking
  • Victim Demographics
  • Incident Description
  • Discovery & Response
  • Impact Assessment

Q20. Which of the following is not an example of an element in the Incident Description section of the VERIS schema?
A. Actors
B. Actions
C. Victims and Losses
D. Attributes

Answer: C. The Incident Description section of the VERIS schema includes the following elements:

  • Actors
  • Actions
  • Assets
  • Attributes

About the author

Scott