and CORRECT Answers
Incident Handling - CORRECT ANSWER - Action plan for dealing with misuse of computer systems and networks
Incident - CORRECT ANSWER - 1. Refers to an adverse event in an information system and/or network
2. or the threat of the occurrence of such an event
3. Focus is on detecting deviations from the normal state of the network and systems
Event - CORRECT ANSWER - 1. Is any observable occurrence in a system and/or network
Example: System Crash
Six Primary Phases of Incident Handling - CORRECT ANSWER - 1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned
Preparation Phase - Goal - CORRECT ANSWER - The goal of the preparation phase is to get the team ready to handle incidents
Preparation Phase Includes - CORRECT ANSWER - 1. People
2. Policy
3. Law enforcement
4. Peer Notification
5. Take notes - handwritten
6. Management support
7. Building a team
8. Communication check list
GRR Rapid Response - CORRECT ANSWER - 1. Tool maintained by Google
2. Has the ability to pull in-depth forensic artifacts from multiple systems
3. Good for large scale incident response and hunt teaming
Identification - Points to Keep in Mind - CORRECT ANSWER - 1. Be willing to alert early
2. Maintain situational awareness
3. Provide indication and warning
4. Provide current "intelligence" (up-to-date information) to the incident handler
5. Fuse or correlate information
Containment Goal - CORRECT ANSWER - 1. The goal of the containment phase is to stop the bleeding
2. Prevent the attacker from getting any deeper into the impacted systems or spreading to other systems
Containment - Sub-Phases - CORRECT ANSWER - 1. Short-Term Containment
2. System Back-Up
3. Long-Term Containment
Eradication - CORRECT ANSWER - 1. The goal of the eradication phase is to get rid of the attacker's artifacts on the machine
2. Determine cause and symptoms of the incident
3. Try to isolate the attack and determine how it was executed