!MAIN COURSE BOOK! Chapple M. (ISC)2 CISSP Certified IS...Study Guide 9ed 2021.pdf


Know the relationship between machine learning (ML) and artificial intelligence (AI).  ML is a part of AI and refers to a system’s ability to learn. AI is a broad topic that includes ML.

Know the benefits of SOAR.  SOAR technologies automate responses to incidents. One of the primary benefits is that this reduces the workload of administrators. It also removes the possibility of human error by having computer systems respond.

Written Lab

1. Define an incident.

2. List the different phases of incident management identified in the CISSP Security Operations domain.

3. Describe the primary types of intrusion detection systems.

4. Discuss the benefits of a SIEM system.

5. Describe the purpose of SOAR technologies.

856 Chapter 17 Preventing and Responding to Incidents

Review Questions

1. Which of the following are valid incident management steps or phases as listed in the CISSP objectives? (Choose all that apply.)

A. Prevention

B. Detection

C. Reporting

D. Lessons learned

E. Backup

2. You are troubleshooting a problem on a user’s computer. After viewing the host-based intrusion detection system (HIDS) logs, you determine that the computer has been compromised by malware. Of the following choices, what should you do next?

A. Isolate the computer from the network.

B. Review the HIDS logs of neighboring computers.

C. Run an antivirus scan.

D. Analyze the system to discover how it was infected.

3. In the incident management steps identified by (ISC)2, which of the following occurs first?

A. Response

B. Mitigation

C. Remediation

D. Lessons learned

4. Which of the following are basic security controls that can prevent many attacks? (Choose three.)

A. Keep systems and applications up to date.

B. Implement security orchestration, automation, and response (SOAR) technologies.

C. Remove or disable unneeded services or protocols.

D. Use up-to-date antimalware software.

E. Use WAFs at the border.

5. Security administrators are reviewing all the data gathered by event logging. Which of the following best describes this body of data?

A. Identification

B. Audit trails

C. Authorization

D. Confidentiality


6. A file server in your network recently crashed. An investigation showed that logs grew so much that they filled the disk drive. You decide to enable rollover logging to prevent this from happening again. Which of the following should you do first?

A. Configure the logs to overwrite old entries automatically.

B. Copy existing logs to a different drive.

C. Review the logs for any signs of attacks.

D. Delete the oldest log entries.

7. You suspect an attacker has launched a fraggle attack on a system. You check the logs and filter your search with the protocol used by fraggle. What protocol would you use in the filter?

A. User Datagram Protocol (UDP)

B. Transmission Control Protocol (TCP)

C. Internet Control Message Protocol (ICMP)

D. Security orchestration, automation, and response (SOAR)

8. You are updating the training manual for security administrators and want to add a description of a zero-day exploit. Which of the following best describes a zero-day exploit?

A. An attack that exploits a vulnerability that doesn’t have a patch or fix

B. A newly discovered vulnerability that doesn’t have a patch or fix

C. An attack on systems without an available patch

D. Malware that delivers its payload after a user starts an application

9. Users in an organization complain that they can’t access several websites that are usually available. After troubleshooting the issue, you discover that an intrusion protection system (IPS) is blocking the traffic, but the traffic is not malicious. What does this describe?

A. A false negative

B. A honeynet

C. A false positive

D. Sandboxing

10. You are installing a new intrusion detection system (IDS). It requires you to create a baseline before fully implementing it. Which of the following best describes this IDS?

A. A pattern-matching IDS

B. A knowledge-based IDS

C. A signature-based IDS

D. An anomaly-based IDS

11. An administrator is implementing an intrusion detection system. Once installed, it will monitor all traffic and raise alerts when it detects suspicious traffic. Which of the following best describes this system?

A. A host-based intrusion detection system (HIDS)

B. A network-based intrusion detection system (NIDS)


C. A honeynet

D. A network firewall

12. You are installing a system that management hopes will reduce incidents in the network. The setup instructions require you to configure it inline with traffic so that all traffic goes through it before reaching the internal network. Which of the following choices best identifies this system?

A. A network-based intrusion prevention system (NIPS)

B. A network-based intrusion detection system (NIDS)

C. A host-based intrusion prevention system (HIPS)

D. A host-based intrusion detection system (HIDS)

13. After installing an application on a user’s system, your supervisor told you to remove it because it is consuming most of the system’s resources. Which of the following prevention systems did you most likely install?

A. A network-based intrusion detection system (NIDS)

B. A web application firewall (WAF)

C. A security information and event management (SIEM) system

D. A host-based intrusion detection system (HIDS)

14. You are replacing a failed switch. The configuration documentation for the original switch indicates a specific port needs to be configured as a mirrored port. Which of the following network devices would connect to this port?

A. An intrusion prevention system (IPS)

B. An intrusion detection system (IDS)

C. A honeypot

D. A sandbox

15. A network includes a network-based intrusion detection system (NIDS). However, security administrators discovered that an attack entered the network and the NIDS did not raise an alarm. What does this describe?

A. A false positive

B. A false negative

C. A fraggle attack

D. A smurf attack

16. Management wants to add an intrusion detection system (IDS) that will detect new security threats. Which of the following is the best choice?

A. A signature-based IDS

B. An anomaly detection IDS

C. An active IDS

D. A network-based IDS


17. Your organization recently implemented a centralized application for monitoring. Which of the following best describes this?

A. SOAR

B. SIEM

C. HIDS

D. Threat feed

18. After a recent attack, management decided to implement an egress monitoring system that will prevent data exfiltration. Which of the following is the best choice?

A. An NIDS

B. An NIPS

C. A firewall

D. A DLP system

19. Security administrators are regularly monitoring threat feeds and using that information to check systems within the network. Their goal is to discover any infections or attacks that haven’t been detected by existing tools. What does this describe?

A. Threat hunting

B. Threat intelligence

C. Implementing the kill chain

D. Using artificial intelligence

20. Administrators find that they are repeating the same steps to verify intrusion detection system alerts and perform more repetitive steps to mitigate well-known attacks. Of the following choices, what can automate these steps?

A. SOAR

B. SIEM

C. NIDS

D. DLP

Chapter 18

Disaster Recovery Planning

THE CISSP EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:

Domain 6.0: Security Assessment and Testing

■ 6.3 Collect security process data (e.g., technical and administrative)

    ■ 6.3.5 Training and awareness

    ■ 6.3.6 Disaster Recovery (DR) and Business Continuity (BC)

Domain 7.0: Security Operations

■ 7.10 Implement recovery strategies

    ■ 7.10.1 Backup storage strategies

    ■ 7.10.2 Recovery site strategies

    ■ 7.10.3 Multiple processing sites

    ■ 7.10.4 System resilience, High Availability (HA), Quality of Service (QoS), and fault tolerance

■ 7.11 Implement Disaster Recovery (DR) processes

    ■ 7.11.1 Response

    ■ 7.11.2 Personnel

    ■ 7.11.3 Communications

    ■ 7.11.4 Assessment

    ■ 7.11.5 Restoration

    ■ 7.11.6 Training and awareness

    ■ 7.11.7 Lessons learned

■ 7.12 Test Disaster Recovery Plans (DRP)

    ■ 7.12.1 Read-through/tabletop

    ■ 7.12.2 Walkthrough

    ■ 7.12.3 Simulation

    ■ 7.12.4 Parallel

    ■ 7.12.5 Full interruption
