Which component of the NIST SP800-61 r2 incident handling strategy reviews data?

A. preparation
B. detection and analysis
C. containment, eradication, and recovery
D. post-incident analysis


12 thoughts on “Which component of the NIST SP800-61 r2 incident handling strategy reviews data?”

  1. Correct answer is D.
    Key word here is “reviews”

    3.4 Post-Incident Activity

    3.4.1 Lessons Learned

    “This meeting provides a chance to achieve closure with respect to an incident by
    reviewing what occurred, what was done to intervene, and how well intervention worked.”

    See attached website

  2. D is correct
    because the NIST 800-61 r2 document says the last step is post-incident analysis, which will be like reviewing the attacks and learning lessons from them. Pages 37-38

  3. Answer is definitely D.

    From NIST 800-61: “This meeting provides a chance to achieve closure with respect to an incident by reviewing what occurred, what was done to intervene, and how well intervention worked. The meeting should be held within several days of the end of the incident.”

  4. Both B & D review data; however, I would say that the majority of review is done during the detection and analysis (answer B) stage:
    – Profile Networks and Systems
    – Understand Normal Behaviors.
    – Create a Log Retention Policy
    – Perform Event Correlation
    – Maintain and Use a Knowledge Base of Information
    – Use Internet Search Engines for Research
    – Run Packet Sniffers to Collect Additional Data
    – Filter the Data

    These all require reviewing a large amount of raw data, whereas post-incident analysis is more around using that data to prevent future incidents, possibly to justify larger funding. The main reviewing is done during the detection and analysis stage and therefore the answer is B.

  5. Answer is D
    3.4.2 Using Collected Incident Data (which falls under post-incident analysis in the aforementioned document):
    Lessons learned activities should produce a set of objective and subjective data regarding each incident.
    Over time, the collected incident data should be useful in several capacities. The data, particularly the
    total hours of involvement and the cost, may be used to justify additional funding of the incident response
    team. A study of incident characteristics may indicate systemic security weaknesses and threats, as well
    as changes in incident trends. This data can be put back into the risk assessment process, ultimately
    leading to the selection and implementation of additional controls. Another good use of the data is
    measuring the success of the incident response team. If incident data is collected and stored properly, it
    should provide several measures of the success (or at least the activities) of the incident response team.
    Incident data can also be collected to determine if a change to incident response capabilities causes a
    corresponding change in the team’s performance (e.g., improvements in efficiency, reductions in costs).
    Furthermore, organizations that are required to report incident information will need to collect the

  6. Thanks for the comment SK. Reviewing the comments, the question and 800-61 r2 suggests that the correct answer is D: Post-Incident Analysis

  7. Correct answer: B
    There are 4 basic phases of the forensic process:
    Collection: The first phase in the process is to identify, label, record, and acquire data from the possible sources of relevant data, while following guidelines and procedures that preserve the integrity of the data. Collection is typically performed in a timely manner because of the likelihood of losing dynamic data such as current network connections, and losing data from battery-powered devices such as cell phones and PDAs. During collection, data that is related to a specific event is identified, labeled, recorded, and collected, and its integrity is preserved.

    Examination: Examinations involve forensically processing large amounts of collected data using a combination of automated and manual methods to assess and extract data of particular interest, while preserving the integrity of the data. Forensic tools and techniques appropriate to the types of data that were collected are executed to identify and extract the relevant information from the collected data while protecting its integrity. Examination may use a combination of automated tools and manual processes.

    Analysis: The next phase of the process is to analyze the results of the examination, using legally justifiable methods and techniques. Analysis can derive useful information that addresses the questions that were the impetus for performing the collection and examination.

    Reporting: The final phase is reporting the results of the analysis. The analysis report may describe the actions that are performed, explain how tools and procedures were selected, specify other actions that need to be performed (such as forensic examination of additional data sources, securing identified vulnerabilities, and improving existing security controls), and provide recommendations for improvement to policies, guidelines, procedures, tools, and other aspects of the forensic process. The formality of the reporting step varies greatly depending on the situation.
