Which two activities fall under scoping?

In the context of incident handling phases, which two activities fall under scoping? (Choose two.)
A. determining the number of attackers that are associated with a security incident
B. ascertaining the number and types of vulnerabilities on your network
C. identifying the extent that a security incident is impacting protected resources on the network
D. determining what and how much data may have been affected
E. identifying the attackers that are associated with a security incident


7 thoughts on “Which two activities fall under scoping?”

  1. I think it's C and E because:

    Not A, because we identify the attackers in E and are not really interested in how many there are.
    Not B, because it's not related to an actual attack; this should be investigated during hardening at least.
    Not D, because again that is a lessons-learned post-survey.

    According to what Robert said before, we are interested in knowing who the attacker is and what resources might be affected, so it's C and E.

  2. Let's not forget that this incident handling assumes that we have detected an incident. The process itself starts with Preparation, where we need to prepare how to respond to the incident. So if we take B we are now going back to SIEMs, where we correlate our data and logs to identify the vulnerabilities that exist in our firm. In this case we assume we already know our vulnerabilities and are working on them, but during that phase, while we are working on them, an attack may happen, and we then need to initiate the incident plan. Hence the answers that will break the ice are D and E.
    #my thoughts

  3. NIST 800-61 r2

    the team should rapidly perform an initial analysis to determine the incident’s scope, such as which networks, systems, or applications are affected; who or what originated the incident; and how the incident is occurring (e.g., what tools or attack methods are being used, what vulnerabilities are being exploited). The initial analysis should provide enough information for the team to prioritize subsequent activities, such as containment of the incident and deeper analysis of the effects of the incident.
    (1. network, system, or application; 2. who or what originated the incident)
    ANSWER = B, E

  4. C & D are sort of similar, but D only references data, while C references ‘protected resources’. For C, this could be the network, systems and applications which more closely matches the text of the Incident response analysis phase ‘Which networks, systems, or applications are affected?’
    I think E for sure is relevant (who or what originated the incident)
    So I go for C & E

    Anyone else got thoughts?

    1. The initial analysis may include:
      Which networks, systems, or applications are affected?
      Who or what originated the incident?
      Which tools or attack methods are being used?
      Which vulnerabilities are being exploited?

      I will agree with you on C & E, based on this:
      D only refers to data, but C includes the network.
      B I would choose if you added "exploited".

  5. The incident response team should work quickly to analyze and validate each incident, following a predefined process and documenting each step that is taken. When the team believes that an incident has occurred, the team should rapidly perform an initial analysis to determine the scope of the incident.

    The initial analysis may include:
    Which networks, systems, or applications are affected?
    Who or what originated the incident?
    Which tools or attack methods are being used?
    Which vulnerabilities are being exploited?

    The initial analysis should provide enough information for the team to prioritize subsequent activities, such as containment of the incident and deeper analysis of the effects of the incident. (If required, this deeper analysis may occur after the containment phase.)

    B & E
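The NIST SP 800-61 initial-analysis questions quoted in the comments above (which networks, systems or applications are affected; who or what originated the incident; which tools or techniques are in use; which vulnerabilities are being exploited), turned into a small scoping pass over alert records. This is an added example, not code from the original thread or from NIST: the alert field names, the network segment table and the sample alerts are all constructed for illustration.

```python
import ipaddress
import json

# Constructed segment table (assumption): names for the address ranges our
# hosts live in. A real team would pull this from its asset inventory.
NETWORK_SEGMENTS = {
    "dmz": ipaddress.ip_network("203.0.113.0/24"),
    "corp-servers": ipaddress.ip_network("10.10.0.0/16"),
    "corp-users": ipaddress.ip_network("10.20.0.0/16"),
}

# Constructed alert records in an assumed JSON-lines format. The field names
# are illustrative, not those of any particular SIEM. Technique IDs are
# MITRE ATT&CK IDs; the CVE is the Log4Shell identifier, used as sample data.
SAMPLE_ALERTS = """\
{"ts":"2024-05-01T09:12:03Z","src":"198.51.100.7","dst":"203.0.113.10","app":"web-portal","technique":"T1190","cve":"CVE-2021-44228"}
{"ts":"2024-05-01T09:14:41Z","src":"198.51.100.7","dst":"203.0.113.10","app":"web-portal","technique":"T1059.004"}
{"ts":"2024-05-01T09:20:15Z","src":"203.0.113.10","dst":"10.10.4.22","app":"ldap","technique":"T1021.002"}
{"ts":"2024-05-01T09:21:02Z","src":"203.0.113.10","dst":"10.10.4.23","app":"file-share","technique":"T1021.002"}
{"ts":"2024-05-01T09:30:00Z","src":"192.0.2.55","dst":"10.20.8.101","app":"vpn","technique":"T1110.003"}
"""


def segment_of(ip):
    """Name of the segment an address falls in, or 'unknown' when it lies
    outside every entry of NETWORK_SEGMENTS (i.e. it is not one of ours)."""
    addr = ipaddress.ip_address(ip)
    for name, net in NETWORK_SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def scope_incident(alert_lines):
    """Answer the four initial-analysis questions from a batch of alerts.

    Returns plain sets (plus a time window) so the result can be checked
    directly. Internal hosts that appear as a *source* are treated as
    compromised pivot hosts and counted as affected systems, not as the
    originator; only addresses outside our segments count as originators.
    """
    affected_networks, affected_systems, affected_apps = set(), set(), set()
    techniques, vulnerabilities = set(), set()
    originating_sources, pivot_hosts = set(), set()
    timestamps = []

    for line in alert_lines.splitlines():
        if not line.strip():
            continue
        a = json.loads(line)
        timestamps.append(a["ts"])

        # Question 1: which networks, systems, or applications are affected?
        affected_systems.add(a["dst"])
        affected_networks.add(segment_of(a["dst"]))
        affected_apps.add(a["app"])

        # Question 2: who or what originated the incident?
        src_segment = segment_of(a["src"])
        if src_segment == "unknown":
            originating_sources.add(a["src"])
        else:
            pivot_hosts.add(a["src"])
            affected_systems.add(a["src"])
            affected_networks.add(src_segment)

        # Questions 3 and 4: which tools/techniques and which vulnerabilities?
        techniques.add(a["technique"])
        if "cve" in a:
            vulnerabilities.add(a["cve"])

    return {
        "affected_networks": affected_networks,
        "affected_systems": affected_systems,
        "affected_applications": affected_apps,
        "originating_sources": originating_sources,
        "pivot_hosts": pivot_hosts,
        "techniques": techniques,
        "exploited_vulnerabilities": vulnerabilities,
        # ISO-8601 UTC strings sort lexicographically, so min/max is the window.
        "window": (min(timestamps), max(timestamps)) if timestamps else None,
    }


if __name__ == "__main__":
    for key, value in scope_incident(SAMPLE_ALERTS).items():
        print(f"{key:26s} {sorted(value) if isinstance(value, set) else value}")
```

Run on the sample data, the pass reports three affected segments and four affected hosts (answer C's "protected resources"), two external originating addresses (answer E), one internal pivot host, four techniques and one exploited CVE. Note that the vulnerability set only contains what the alerts say is being exploited, which is the distinction several commenters draw between answer B and the NIST wording.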
