ANSWERS (VERIFIED ANSWERS) ALREADY GRADED A+
Six-Step Incident Response Process Ans✓✓✓
1. Preparation
2. Identification and Scoping
3. Containment/Intelligence Development
4. Eradication/Remediation
5. Recovery
6. Lessons Learned / Threat Intel Consumption
Preparation Ans✓✓✓Preparation ensures that the right people from the
right teams are involved, understand their roles, and know what to do
when an incident occurs.
Identification Ans✓✓✓An alert from a security appliance, an escalated
event, or something discovered during threat hunting.
Containment Ans✓✓✓Responder must identify initial vulnerability or
exploit, how the attackers are maintaining persistence and laterally
moving in the network, and how C2 is operating.
Eradication Ans✓✓✓Aims to remove the threat and restore business
operations to a normal state. A full scope of the intrusion must be
understood before this can take place.
Recovery Ans✓✓✓Recovery leads the enterprise back to day-to-day
business operations. Often divided into near, mid, and long term
changes. This should result in some recovery changes.
Follow-up / Lessons Learned Ans✓✓✓Used to verify the incident has
been mitigated and the adversary was removed. This combines
additional monitoring, network sweeps, looking for new breaches, and
auditing the network.
Eradication change examples Ans✓✓✓
- Block malicious IP addresses
- Blackhole malicious domains
- Rebuild compromised systems
- Coordinate with cloud and service providers
- Enterprise password changes
- Implement validation
Recovery change examples Ans✓✓✓
- Improve enterprise authentication model
- Enhanced network visibility
- Establish comprehensive patch management program
- Enforce change management program
- Centralized logging (SIEM)
- Enhance password portal
- Establish security awareness training program
- Network redesign
A remediation event should... Ans✓✓✓
1. deny access to the
environment
2. eliminate the ability for the adversary to react to the remediation
3. remove the persistence of the adversary from the environment
4. degrade the ability for the adversary to return
Remediation consists of 3 steps Ans✓✓✓
1. posture for remediation
(scoping the entire issue)
2. execute remediation (execute and follow removal plan)
3. implement and apply additional security controls
Critical remediation controls Ans✓✓✓
1. disconnect from the internet
2. implement strict network segmentation (don't allow subnets to
communicate with each other)
3. block IP addresses and domains for C2
4. remove all infected systems
5. restrict access to compromised accounts
6. restrict access to compromised domain admin accounts
7. validate that all these steps are done properly