sound the alarm detection and response coursera weekly challenge 3 answers

Test your knowledge: Incident detection and verification

1. Do detection tools have limitations in their detection capabilities?

  • Yes
  • No

2. Why do security analysts refine alert rules? Select two answers.

  • To increase alert volumes
  • To reduce false positive alerts
  • To create threat intelligence
  • To improve the accuracy of detection technologies

3. Fill in the blank: _____ involves the investigation and validation of alerts.

  • Honeypot
  • Detection
  • Analysis
  • Threat hunting

4. What are some causes of high alert volumes? Select two answers.

  • Refined detection rules
  • Broad detection rules
  • Misconfigured alert settings
  • Sophisticated evasion techniques

Test your knowledge: Response and recovery

5. A security analyst in a security operations center (SOC) receives an alert. The alert ticket describes the detection of the download of a possible malware file on an employee's computer. Which step of the triage process does this scenario describe?

  • Receive and assess
  • Add context
  • Collect and analyze
  • Assign priority

6. What is triage?

  • The prioritizing of incidents according to their level of importance or urgency
  • A document that outlines the procedures to sustain business operations during and after a significant disruption
  • The ability to prepare for, respond to, and recover from disruptions
  • The process of returning affected systems back to normal operations

7. Fill in the blank: _____ is the act of limiting and preventing additional damage caused by an incident.

  • Eradication
  • Resilience
  • Containment
  • Recovery

8. Which examples describe actions related to the eradication of an incident? Select two answers.

  • Apply a patch
  • Complete a vulnerability scan
  • Investigate logs to verify the incident

  • Develop a business continuity plan

Activity: Review a final report

9. What type of security incident was the organization affected by?

  • Ransomware
  • Data theft
  • Phishing
  • Malware

10. Which section of the report includes an explanation of the root cause of the incident?

  • Investigation
  • Recommendations
  • Timeline
  • Executive summary

11. What did the attacker use to exploit the e-commerce web application vulnerability?

  • Data breach
  • Web server logs
  • Forced browsing
  • User error

12. What recommendations did the organization implement to prevent future recurrences? Select two answers.

  • Implemented access control mechanisms
  • Paid the $50,000 payment request
  • Provided identity protection services to the affected customers
  • Implemented routine vulnerability scans

Weekly challenge 3

13. A security analyst is investigating an alert involving a possible network intrusion. Which of the following tasks is the security analyst likely to perform as part of the Detection and Analysis phase of the incident response lifecycle? Select two answers.

  • Identify the affected devices or systems.
  • Implement a patch to fix the vulnerability.
  • Collect and analyze the network logs to verify the alert.
  • Isolate the affected machine from the network.

14. What are the benefits of documentation during incident response? Select three answers.

  • Quality
  • Clarity
  • Standardization
  • Transparency

15. An organization is working on implementing a new security tool, and a security analyst has been tasked with developing workflow documentation that outlines the process for using the tool. Which documentation benefit does this scenario outline?

  • Transparency
  • Clarity
  • Quality
  • Standardization

16. Chain of custody documents establish proof of which of the following? Select two answers.

  • Integrity
  • Validation
  • Quality
  • Reliability

17. Which of the following does a semi-automated playbook use? Select two.

  • Threat intelligence
  • Crowdsourcing
  • Human intervention
  • Automation

18. What are the steps of the triage process in the correct order?

  • Receive and assess, assign priority, collect and analyze
  • Assign priority, receive and assess, collect and analyze
  • Collect and analyze, assign priority, receive and assess
  • Receive and assess, collect and analyze, assign priority

19. Fill in the blank: Containment is the act of limiting and _____ additional damage caused by an incident.

  • eradicating
  • removing
  • preventing
  • detecting

20. Fill in the blank: Eradication is the complete _____ of all the incident elements from affected systems.

  • removal
  • prevention
  • isolation
  • disconnection

21. Two weeks after an incident involving ransomware, the members of an organization want to review the incident in detail. Which of the following actions should be done during this review? Select all that apply.

  • Determine how to improve future response processes and procedures.
  • Determine the person to blame for the incident.
  • Create a final report.
  • Schedule a lessons learned meeting that includes all parties involved with the security incident.

22. During a lessons learned meeting following an incident, a meeting participant wants to identify actions that the organization can take to prevent similar incidents from occurring in the future. Which section of the final report should they refer to for this information?

  • Timeline
  • Executive summary
  • Detection
  • Recommendations

23. After a ransomware incident, an organization discovers their ransomware playbook needs improvements. A security analyst is tasked with changing the playbook documentation. Which documentation best practice does this scenario highlight?

  • Be accurate
  • Be concise
  • Know your audience
  • Update regularly

24. A member of the forensics department of an organization receives a computer that requires examination. On which part of the chain of custody form should they sign their name and write the date?

  • Description of the evidence
  • Custody log
  • Purpose of transfer
  • Evidence movement

25. A security analyst gets an alert involving a phishing attempt. Which step of the triage process does this scenario outline?

  • Add context
  • Receive and assess
  • Assign priority
  • Collect and analyze

26. After a security incident involving an exploited vulnerability due to outdated software, a security analyst applies patch updates. Which of the following steps does this task relate to?

  • Response
  • Reimaging
  • Prevention
  • Eradication

27. Which step of the NIST Incident Response Lifecycle involves returning affected systems back to normal operations?

  • Recovery
  • Containment
  • Response
  • Eradication

28. What questions can be asked during a lessons learned meeting? Select three answers.

  • What time did the incident happen?
  • Which employee is to blame?
  • What could have been done differently?
  • What were the actions taken for recovery?

29. In the NIST Incident Response Lifecycle, what is the term used to describe the prompt discovery of security events?

  • Preparation
  • Detection
  • Validation
  • Investigation

30. In incident response, documentation provides an established set of guidelines that members of an organization can follow to complete a task. What documentation benefit does this provide?

  • Reliability
  • Integrity
  • Standardization
  • Transparency

31. What are the steps of the third phase of the NIST Incident Response Lifecycle? Select three answers.

  • Eradication
  • Recovery
  • Containment
  • Response

32. An organization is completing its annual compliance audit. The people performing the audit have access to any relevant information, including records and documents. Which documentation benefit does this scenario outline?

  • Consistency
  • Organization
  • Transparency
  • Accuracy

33. An analyst is responding to a distributed denial of service attack (DDoS). They take several manual steps outlined in the organization’s DDoS playbook. Which type of playbook did they use to respond to the incident?

  • SOAR
  • Semi-automated
  • Non-automated
  • Automated

Leave a Reply