Chapter 14: Monitoring and Incident Response

Key Phrase: "incident response cycle"

Explanation:
Correct Answer (D): Preparation is the first phase of the incident response cycle and involves setting up the proper tools, training the response team, and creating incident response plans.
Why others are wrong:
A: Planning is an element of preparation but not a distinct phase of the incident response cycle.
B: Reporting occurs during the response phase but is not a phase in itself.
C: Monitoring is important in incident detection but comes after preparation in the cycle.

Key Phrase: "analyzes network traffic, including packet content"

Explanation:
Correct Answer (C): Packet capture tools like Wireshark allow for the detailed inspection of network packets, including their content, which is what Michael needs to do.
Why others are wrong:
A: Syslog is used for log aggregation and does not capture packet content.
B: NetFlow provides traffic flow data, not detailed packet analysis.
D: SIEM aggregates logs and event data, but it doesn't capture raw packet content.

Key Phrase: "aggregated log events related to logins from different geographic regions"

Explanation:
Correct Answer (C): SIEM systems can aggregate and correlate logs from various sources, including login events and geographic data, to detect impossible travel patterns.
Why others are wrong:
A: IPS detects network threats but is not designed to analyze user login patterns.
B: OS logs can be helpful but would need to be aggregated manually.
D: Vulnerability scan data identifies system vulnerabilities, not login events.

Key Phrase: "only install applications that are evaluated and approved"

Explanation:
Correct Answer (C): An application allowlist only allows approved applications to run on systems, ensuring that users cannot install unapproved software.
Why others are wrong:
A: SIEM is used for log aggregation and event correlation, not application control.
B: An application denylist blocks known malicious apps but does not restrict users from installing other unapproved software.
D: sFlow is used for network monitoring, not application control.

Key Phrase: "primary concern with sFlow"

Explanation:
Correct Answer (D): sFlow is a sampling protocol, meaning it only captures a subset of network traffic, which can result in some data being missed in high-traffic environments.
Why others are wrong:
A: Buffer overflow attacks are not a typical concern with sFlow.
B: sFlow is designed for large networks and can handle complexity, though it sacrifices some data detail.
C: sFlow doesn't typically create significant load on the flow collector.

Key Phrase: "removes from network and prevents reconnection"

Explanation:
Correct Answer (B): Isolation involves removing a compromised system from the network to prevent it from spreading or communicating with other systems.
Why others are wrong:
A: Containment would involve restricting a system’s activity but not necessarily removing it from the network entirely.
C: Segmentation involves dividing a network into smaller segments, typically to improve security.
D: Zoning is a similar concept but typically refers to physical network or system zones rather than incident response actions.

Key Phrase: "walks through a scenario to validate processes"

Explanation:
Correct Answer (C): A tabletop exercise is a scenario-based discussion that helps teams review their response strategies in a simulated environment.
Why others are wrong:
A: A checklist exercise is more structured and focused on following a list of steps.
B: A simulation involves a more hands-on approach to re-create a real incident.
D: A fail-over exercise involves testing system redundancy, not incident response plans.

Key Phrase: "GPS coordinates in a PNG photo"

Explanation:
Correct Answer (C): Metadata in the PNG image, such as EXIF data, often contains GPS coordinates if the photo was taken with a GPS-enabled device.
Why others are wrong:
A: Location.txt is not a standard file associated with PNG images.
B: The original camera may have stored GPS data, but it's not part of the PNG file itself.
D: Steganographically embedded data is used for hiding information, not for storing standard GPS data.

Key Phrase: "removes from the network to prevent impact"

Explanation:
Correct Answer (A): Quarantine involves isolating the compromised system to prevent further damage or spread of malware while an investigation occurs.
Why others are wrong:
B: Segmentation refers to dividing networks into zones and doesn't necessarily involve removing a compromised system.
C: Converted it to agentless is not relevant to malware containment.
D: Denylisting involves blocking specific malicious applications but doesn't describe isolating a system.

Key Phrase: "missing logs during threat hunting"

Explanation:
Correct Answer (C): Wiping logs is a common tactic used by attackers to cover their tracks and avoid detection.
Why others are wrong:
A: Log rotation may cause logs to be archived or deleted but not usually wiped.
B: A newly deployed system would still have logs, though they might not be comprehensive.
D: Encrypting logs would not delete them but may prevent access.