Page 424
Chapter 8: Domain 7: Security Operations
- What type of backup is obtained during the Response (aka Containment) phase of Incident Response?
A. Incremental
B. Full
C. Differential
D. Binary
Correct Answer and Explanation: D. Answer D is correct; binary, or bit-by-bit, backups are what is obtained during the containment phase of incident response. A forensically sound binary backup, verified with a hashing algorithm to demonstrate its integrity, is strongly preferred. The other types of backups will not capture unallocated space, and could cause the analyst to miss data that had been marked for deletion.
Incorrect Answers and Explanations: A, B, and C. Answers A, B, and C are incorrect. Incremental, Full, and Differential are all common backup techniques, but will only back up allocated space rather than the full drive. These techniques are used for simple backup/restore capabilities rather than incident response or forensics.
- What is the primary goal of disaster recovery plan (DRP)?
A. Integrity of data
B. Preservation of business capital
C. Restoration of business processes
D. Safety of personnel
Correct Answer and Explanation: D. Answer D is correct; loss of human life is the highest impact of any risk. Personnel safety is the primary concern of all 8 domains, including business continuity and disaster recovery planning.
Incorrect Answers and Explanations: A, B, and C. Answers A, B, and C are incorrect. All are valid concerns, but none trump personnel safety.
- Adversaries targeting your organization have created a custom maliciously crafted document and emailed it to a user within your organization. Which control is most likely to aid the organization in identifying this targeted attack?
A. Antimalware
B. Next Generation Firewall (NGFW)
C. Sandboxing
D. User and Entity Behavior Analytics (UEBA)
Correct Answer and Explanation: C. Answer C is correct; malware sandboxing exists specifically to address the issues associated with custom-created malicious content. Further, the use of email to distribute the malicious document supports sandboxing as the control in question, since email and web download are the two primary delivery mechanisms scrutinized by sandboxing.
Incorrect Answers and Explanations: A, B, and D. Answers A, B, and D are incorrect. While each of the other controls might offer benefits in this scenario, the emphasis on custom crafting plays to the strength of sandboxing more than the other controls. Antimalware and NGFW would be more closely aligned with signature-based detection, which would fail against the custom-crafted document described. UEBA could offer user-oriented, behavior-based detection benefits, depending on the activities exhibited if the end user rendered the document.
- Your Maximum Tolerable Downtime is 48 hours. What is the most cost-effective alternate site choice?
A. Cold
B. Hot
C. Redundant
D. Warm
Correct Answer and Explanation: D. Answer D is correct; a warm site is a datacenter with raised floor, power, utilities, computer peripherals, and fully configured computers, requiring 24–72 hours to become fully operational.
Incorrect Answers and Explanations: A, B, and C. Answers A, B, and C are incorrect. A cold site has basic physical and environmental controls, but no computer systems. It normally takes a week or more to make fully operational. A hot site is a datacenter with a raised floor, power, utilities, computer peripherals, and fully configured computers. A hot site takes hours to become fully operational, and is the second-most expensive option. A redundant site is an exact production duplicate of a system that has the capability to seamlessly operate all necessary IT operations, and is the most expensive option.
- Your organization receives communication from an ISAC detailing indicators associated with a recently observed intrusion campaign. This process would be considered a form of which of the following?
A. Disaster recovery
B. Incident management
C. Threat intelligence
D. Behavior analytics
Correct Answer and Explanation: C. Answer C is correct; threat intelligence involves handling adversary-oriented information gleaned from previous security incidents.
Incorrect Answers and Explanations: A, B, and D. Answers A, B, and D are incorrect. The intelligence provided could ultimately allow the organization to discover an incident to manage, which could ultimately lead to a disaster. However, even without either an incident or a disaster, the process described would still fit within the purview of threat intelligence. Behavior analytics seems rather unrelated to the process being described.