MindMap Gallery CISSP Study Notes-17 (Incident Prevention and Response)
This is a mind map about CISSP study notes-17 (incident prevention and response). The main content includes: review questions, exam key points, and knowledge points.
Edited at 2024-03-14 16:10:39
CISSP Study Notes-17 (Incident Prevention and Response)
Knowledge points
Implement incident management
Incident definition
Refers to computer security incidents
Incident management steps
Detection
Response
Protect evidence
Containment
Report
If personally identifiable information (PII) is affected, the relevant individuals will also need to be notified of the situation
Recovery
Remediation
Root cause analysis
Lessons learned
Real-time monitoring and preventive measures
Basic precautions
Keep systems and applications up to date
Remove or disable unnecessary services and protocols
Use an intrusion detection and prevention system
Use an anti-malware program with the latest signatures
Use firewalls
Follow configuration and system management processes
Understand the attack
Botnet
Bot herder
Denial of service (DoS) attack
SYN flood attack
A type of DoS attack
Smurf and fraggle attacks
Both are DoS attacks
Ping flood
Zero-day exploit
Man-in-the-middle attack
Sabotage (intentional destruction)
Intrusion detection and prevention system
Knowledge-based detection and behavior-based detection
Knowledge based detection
Signature or pattern match detection
Advantages: low false positives
Disadvantages: only effective against known attack methods
Behavior-based detection
Baseline
Advantages: effective against new attacks that have no signatures
Disadvantages: false positives
IDS responses
Passive response
Active response
Modify ACLs to block the traffic flow
Host-based and network-based IDS
Host-based IDS HIDS
Similar to anti-malware software; can detect remote-control infections
Used on key servers
Management costs are high and centralized management is not supported
Attackers can discover and disable them
Network-based IDS NIDS
Intrusion Prevention System IPS
Specific preventive measures
Honeypot/Honeynet
warning
Anti-malware
Whitelist and Blacklist (allow list and deny list)
Firewall
Web application firewall (WAF)
Next-generation firewall (NGFW)
Sandbox
Third-party security services
Logging and instrumentation
Logging technology
Common log types
Security log
System log
Application log
Firewall log
Proxy log
Change log
Protect log data
Centralized storage
Archived logs set to read-only
The role of monitoring
Audit trail
Monitoring and accountability
Monitoring and investigation
Monitoring and problem identification
Monitoring techniques
Security Information and Event Management SIEM
SIEM
SEM
SIM
Syslog
Sampling (data extraction)
Clipping level
Other monitoring tools
Keystroke monitoring
Communication flow analysis and trend analysis
Log management
Egress monitoring
Automated incident response
Understand SOAR
Scripts
Verify the list of incidents and their response countermeasures
Run scripts
Machine learning and AI tools
Threat intelligence
The intersection of SOAR, machine learning, artificial intelligence, and threat feeds
Exam key points
List and describe incident management steps. The Security Operations domain of the CISSP lists the incident management steps: detection, response, containment, reporting, recovery, remediation, and lessons learned. After an incident is detected and proven, the first response is to limit or contain the scope of the incident while protecting evidence. Depending on relevant laws, organizations may need to report incidents to relevant authorities. If personally identifiable information (PII) is compromised, relevant individuals will also need to be notified of the situation. The remediation and lessons learned phase includes conducting a root cause analysis to determine the cause and propose solutions to prevent the incident from happening again.
Learn basic precautions. Basic precautions can prevent many incidents from occurring. These include keeping systems updated, removing or disabling unnecessary protocols and services, using intrusion detection and prevention systems, using anti-malware programs equipped with the latest signatures, and enabling host- and network-based firewalls.
Understand the difference between whitelist and blacklist. Software whitelisting provides a list of approved software to prevent any other software not on the list from being installed on the system. The blacklist provides a list of unapproved software to prevent any software on the list from being installed on the system.
Learn about sandboxes. A sandbox provides an isolated environment that prevents code running within the sandbox from interacting with elements outside the sandbox.
Learn about security services provided by third parties. Third-party security services help organizations enhance the security services provided by their in-house staff. Many organizations use cloud-based solutions to enhance internal security.
Learn about botnets, botnet controllers, and botherders. Botnets can mobilize a large number of computers to launch attacks and pose a major threat. Therefore, it is necessary to understand what a botnet is. A botnet is a collection of compromised computing devices (often called puppets or zombies) that form a network and are controlled by criminals known as zombie herders. Zombie herders remotely control zombies through C&C servers, often using botnets to launch attacks on other systems, or send spam or phishing emails. Zombie herders also rent out access to their botnets to other criminals.
Learn about Denial of Service (DoS) attacks. DoS attacks prevent a system from responding to legitimate service requests. The SYN flood attack, which disrupts the TCP three-way handshake, is a common DoS attack method. Even though old-school attacks are less common today because of basic precautions, you will still encounter questions in this area because many new attacks are variations of older methods. The smurf attack uses an amplification network to send a large number of response packets to the victim. The ping of death attack sends a large number of oversized ping packets to the victim, causing the victim's system to freeze, crash, or restart.
Learn about zero-day exploits. A zero-day exploit is an attack that exploits a vulnerability that is unknown to everyone except the attacker, or is known only to a limited number of people. On the surface this looks like an unknown exploit that cannot be prevented, but basic security practices still help greatly in preventing zero-day exploits. Removing or disabling unnecessary protocols and services reduces the attack surface of the system; a firewall can block many access points; and an intrusion detection and prevention system can detect and block potential attacks. In addition, tools such as honeypots can also help protect the production network.
Learn about man-in-the-middle attacks. A man-in-the-middle attack occurs when a malicious user is able to occupy a logical position between the two endpoints of a communication path. Although the attacker has to do a lot of complicated work to complete a man-in-the-middle attack, the amount of data obtained from the attack is also considerable.
Learn about intrusion detection and intrusion prevention. IDS and IPS are important tools for detecting and preventing attacks. You need to understand the difference between knowledge-based detection (which uses a database similar to an anti-malware signature database) and behavior-based detection. Behavior-based detection first creates a baseline to identify normal behavior, then compares activity to the baseline to detect abnormal activity. If the network changes, the baseline may become outdated, so the baseline must be updated whenever the environment changes.
Understand IDS/IPS responses. An IDS can respond passively, by logging and sending notifications, or actively, by changing the environment. Some people call an active IDS an IPS. It is important to recognize, however, that an IPS placed inline on the traffic path can block traffic before it reaches the target.
Learn the difference between HIDS and NIDS. A host-based IDS (HIDS) can only monitor activity on a single system. Its disadvantage is that an attacker can discover and disable it. A network-based IDS (NIDS) can monitor activity on a network and is invisible to attackers.
Describe honeypots and honeynets. A honeypot is a system that often uses fake flaws and fake data to lure intruders. A honeynet is two or more honeypots in a network. Administrators can observe the activities of attackers after they enter the honeypot. As long as the attackers are in the honeypot, they are not on the active network.
Learn how to block malicious code. Several tools can block malicious code when used together. Among them, anti-malware programs, installed on every system, network border and email server and equipped with the latest definitions, are the most obvious tools. However, policies based on basic security principles such as the principle of least privilege can also prevent ordinary users from installing potentially malicious software. In addition, educating users about the risks and methods commonly used by attackers to spread viruses can also help users understand and avoid risky behaviors.
Understand the types of log files. Log data is recorded in databases and various log files. Common log files include security logs, system logs, application logs, firewall logs, agent logs, and change logs. Log files should be stored centrally and protected by restricting access permissions, while archived logs should be set to read-only to prevent tampering.
Understand monitoring and the tools used for it. Monitoring is a form of auditing that focuses on proactively reviewing log file data. Monitoring is used to hold subjects accountable for their actions and to detect unusual or malicious activity. Monitoring is also used to track system performance. Monitoring tools such as IDS and SIEM can automatically and continuously monitor and provide real-time analysis of events, including conditions within the network, traffic entering the network, and traffic leaving the network. Log management includes analyzing logs and archiving logs.
Interpret the audit trail. An audit trail is a record created when information about an event and the circumstances surrounding it is written to one or more databases or log files. Audit trails can be used to reconstruct events, extract information about events, prove culpability, or refute accusations. Using an audit trail is a passive form of implementing detective security controls. Audit trails are also essential evidence for prosecuting criminals.
Learn how to stay accountable. Through the use of audits, accountability for individual actors can be maintained. Logs record user activities, and users are responsible for their recorded actions. This has a direct role in promoting users to form good behavioral habits and comply with organizational security policies.
Learn about sampling and clipping. Sampling, also called data extraction, is the process of extracting specific elements from a large body of data to form a meaningful overview or summary. Statistical sampling uses precise mathematical functions to extract meaningful information from large amounts of data. Clipping is a form of non-statistical sampling that records only events that exceed a threshold (the clipping level).
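The clipping level described above, and the behavior-based baseline from the IDS paragraph, as an added example that is not part of the original notes. It runs over constructed syslog-style login failures (not real logs) and shows how a threshold set too low produces the kind of false positive the review questions ask about; the field names and the sample lines are assumptions.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed sample log lines (not from the original page): alice mistypes
# her password twice and then logs in; bob fails six times in a row.
SAMPLE_LOG = """\
Mar 14 09:01:02 srv1 sshd[101]: Failed password for alice from 10.0.0.5 port 5000
Mar 14 09:01:05 srv1 sshd[101]: Failed password for alice from 10.0.0.5 port 5001
Mar 14 09:01:09 srv1 sshd[101]: Accepted password for alice from 10.0.0.5 port 5002
Mar 14 09:02:11 srv1 sshd[102]: Failed password for bob from 10.0.0.9 port 6000
Mar 14 09:02:12 srv1 sshd[102]: Failed password for bob from 10.0.0.9 port 6001
Mar 14 09:02:13 srv1 sshd[102]: Failed password for bob from 10.0.0.9 port 6002
Mar 14 09:02:14 srv1 sshd[102]: Failed password for bob from 10.0.0.9 port 6003
Mar 14 09:02:15 srv1 sshd[102]: Failed password for bob from 10.0.0.9 port 6004
Mar 14 09:02:16 srv1 sshd[102]: Failed password for bob from 10.0.0.9 port 6005
"""

FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+)")


def failed_logins_by_user(log_text):
    """Count failed-login events per user from syslog-style lines."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def clipping_level(counts, threshold):
    """Clipping level (non-statistical sampling): record only subjects
    whose failure count exceeds the threshold. Everything below it is
    treated as ordinary user error and is not reported."""
    return {user: n for user, n in counts.items() if n > threshold}


def build_baseline(history):
    """Behavior-based detection: summarise past daily failed-login totals
    as a baseline (mean, population std-dev). Must be rebuilt when the
    environment changes, or it goes stale."""
    return mean(history), pstdev(history)


def is_anomalous(value, baseline, k=2.0):
    """Flag a day whose total lies more than k std-devs above the mean."""
    mu, sigma = baseline
    return value > mu + k * sigma


if __name__ == "__main__":
    counts = failed_logins_by_user(SAMPLE_LOG)
    print("clipping level 3:", clipping_level(counts, 3))   # only bob
    print("clipping level 1:", clipping_level(counts, 1))   # alice too: false positive
    base = build_baseline([2, 3, 2, 3, 2])                  # constructed history
    print("today=8 anomalous:", is_anomalous(8, base))
```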
Describe threat feeds and threat hunting. Threat feeds provide organizations with a steady stream of raw data. By analyzing threat feeds, security administrators can understand the current threat landscape. They can then use this information to search the network for signs of these threats.
Understand the relationship between machine learning (ML) and artificial intelligence (AI). ML is a component of AI and refers to the learning ability of the system. AI is a broad topic that includes ML.
Learn about SOAR. SOAR technology can automatically respond to events. One of the main benefits of SOAR is that it reduces the workload of administrators. It also eliminates human error by making computer systems responsive.
Review questions
1. Which of the following options are valid incident management steps or phases listed in the CISSP objectives? (Select all that apply.) A. Prevention B. Detection C. Reporting D. Lessons learned E. Backup
2. You are troubleshooting a problem on a user's computer. You check the host-based intrusion detection system (HIDS) logs and confirm that this computer has been compromised by malware. Which of the following should you do next? A. Isolate the computer from the network B. Review the HIDS logs of nearby computers C. Perform an anti-virus scan D. Analyze the system to find out how it was infected
3. Among the incident management steps proposed by (ISC)2, which step should be performed first? A. Response B. Containment C. Remediation D. Detection
4. Which of the following options are basic security controls that can prevent many attacks? (Choose 3.) A. Keep systems and applications updated B. Implement security orchestration, automation, and response (SOAR) technologies C. Remove or disable unnecessary services or protocols D. Use the latest anti-spam software programs E. Use a WAF on the border
5. A security administrator is reviewing all the data collected in the event logs. Which of the following best represents this body of data? A. Identification B. Audit trail C. Authorization D. Confidentiality
6. A file server on your network recently crashed. Investigation revealed that the logs had grown so much that they filled the entire hard drive. You decide to enable rolling logging to prevent this from happening again. Which of the following is the first step you should take? A. Configure the log so that it automatically overwrites old entries B. Copy the existing logs to another drive C. Look for any signs of attack in the logs D. Delete the oldest log entries
7. You suspect an attacker has launched a fraggle attack on your system. You check the logs and filter your search using the protocol used by fraggle. Which protocol would you use in the filter? A. User Datagram Protocol (UDP) B. Transmission Control Protocol (TCP) C. Internet Control Message Protocol (ICMP) D. Security Orchestration, Automation and Response (SOAR)
8. You are revising the security administrator training manual to add content about zero-day exploits. Which of the following best describes a zero-day exploit? A. An attack that exploits a vulnerability that does not yet have a patch or fix B. A newly discovered vulnerability that does not yet have a patch or hotfix C. An attack on a system that has no available patch D. Malware that drops its payload after the user launches the application
9. Users in the organization complain that they are unable to access several normally accessible websites. Through troubleshooting you discover that an intrusion prevention system (IPS) is blocking the traffic, but the traffic is not malicious. What is this an example of? A. False negative B. Honeynet C. False positive D. Sandbox
10. You are installing a new intrusion detection system (IDS). The IDS requires you to create a series of baselines before it can fully operate. Which of the following best describes this IDS? A. Pattern-matching IDS B. Knowledge-based IDS C. Signature-based IDS D. Anomaly-based IDS
11. An administrator implements an intrusion detection system. Once installed, the system monitors all traffic and generates alerts if suspicious traffic is detected. Which of the following best describes this system? A. Host-based intrusion detection system (HIDS) B. Network-based intrusion detection system (NIDS) C. Honeynet D. Network firewall
12. You are installing a system that management hopes will reduce incidents on the network. The setup instructions require you to configure it inline on the path that carries traffic, so that all traffic must pass through it before reaching the internal network. Which of the following best describes this system? A. Network-based intrusion prevention system (NIPS) B. Network-based intrusion detection system (NIDS) C. Host-based intrusion prevention system (HIPS) D. Host-based intrusion detection system (HIDS)
13. After you install an application on a user's system, your supervisor tells you that you need to remove it because the application consumes most of the system's resources. Which of the following prevention systems are you most likely to have installed? A. Network-based intrusion detection system (NIDS) B. Web application firewall (WAF) C. Security information and event management (SIEM) system D. Host-based intrusion detection system (HIDS)
14. You are replacing a failed switch. The configuration file of the original switch indicates that a specific port needs to be configured as a mirror port. Which of the following network devices would connect to this port? A. Intrusion prevention system (IPS) B. Intrusion detection system (IDS) C. Honeypot D. Sandbox
15. A network device is equipped with a network-based intrusion detection system (NIDS). The security administrator later discovers that there was an attack on the network, but the NIDS did not send an alert. What is this an example of? A. False positive B. False negative C. Fraggle attack D. Smurf attack
16. Management requested the addition of an intrusion detection system (IDS) to detect new security threats. Which of the following is the best choice? A. Signature-based IDS B. Anomaly-based IDS C. Active IDS D. Web-based IDS
17. The organization you work for recently deployed a centralized application for monitoring. Which of the following best describes this? A. SOAR B. SIEM C. HIDS D. Threat feed
18. After a recent attack, management decided to implement an egress monitoring system to prevent data breaches. Which of the following is the best option? A. NIDS B. NIPS C. Firewall D. DLP system
19. Security administrators regularly review threat feeds and use this information to inspect systems within the network. Their goal is to discover any infection or attack that has not been detected by existing tools. Which of the following best describes this situation? A. Threat hunting B. Threat intelligence C. Executing the kill chain D. Using artificial intelligence
20. Administrators find themselves repeatedly performing the same steps to verify alerts from intrusion detection systems, and performing other repetitive steps to contain known attacks. Which of the following options automates these steps? A. SOAR B. SIEM C. NIDS D. DI