M24 Practice Quiz
Question 1
-
What step in the incident response process involves developing a preliminary incident description, categorizing the incident severity, and establishing an incident response team?
Options:
- Preparation
- Detection and analysis
- Post-incident activity
- Containment, eradication, and recovery
Overall explanation:
- According to the NIST SP 800-61, the preparation step in the incident response process involves developing a preliminary incident description, categorizing the incident severity, and establishing an incident response team.
Question 2
-
Which training and testing method typically involves a structured discussion in a meeting room where participants provide their responses to various scenarios and discuss their roles and responsibilities in an incident?
Options:
- Red teaming
- Tabletop exercise
- Blue teaming
- Simulation
Overall explanation:
- A tabletop exercise is a structured, discussion-based training method where participants simulate responses to various scenarios to discuss their roles and responsibilities in an incident without executing actual actions.
- Simulation is a training approach that replicates real-world scenarios to provide hands-on experience and practice for individuals or teams.
- Red teaming involves independent experts actively simulating adversarial actions and strategies to assess an organization's security vulnerabilities and weaknesses.
- Blue teaming refers to a defensive exercise where a designated group assesses and strengthens an organization's security measures by detecting and responding to simulated or real threats, often in coordination with red team assessments.
Question 3
-
In digital forensics, which of the following involves the systematic process of maintaining and safeguarding electronic evidence, ensuring its unaltered state, and keeping a detailed record of its handling and transfers throughout the investigation?
Options:
- Reporting
- Chain of custody
- Legal hold
- E-discovery
Overall explanation:
- Chain of custody is a fundamental aspect of digital forensics that involves the meticulous documentation and tracking of electronic evidence from the moment of collection to its presentation in a legal context. It ensures the integrity of the evidence and its admissibility in court.
- Legal hold refers to the preservation of data when litigation is expected.
- E-discovery is the process of identifying and collecting electronically stored information for legal proceedings.
- Reporting is where findings and conclusions are documented for legal or investigative purposes.
Question 4
-
Which process involves a thorough examination of the events and factors that led to a security incident and aims to identify the underlying issues and vulnerabilities that need to be addressed to prevent future occurrences?
Options:
- Root cause analysis
- Threat hunting
- Chain of custody
- Lessons learned
Overall explanation:
- Root cause analysis is a systematic approach to investigating cybersecurity incidents to understand their primary causes and contributing factors, enabling organizations to take corrective actions to enhance their security posture and prevent similar incidents in the future.
- Chain of custody pertains to the secure handling of evidence.
- Threat hunting involves actively searching for security threats within an environment.
- Lessons learned involves capturing knowledge and insights gained from past incidents for improvement.
Tags: Root Cause Analysis
Question 5
-
According to the order of volatility, which of the following would typically be considered the least volatile form of evidence?
Options:
- RAM memory
- Network logs
- Registry entries
- Hard disk image
Overall explanation:
- A hard disk image is considered the least volatile form of evidence in digital forensics because it represents a static and preserved snapshot of the entire storage device, whereas RAM memory, network logs, and registry entries are more volatile and subject to rapid changes during system operation.