SANS FOR508 Exam Questions and Answers 100% Pass

Pages
13
Grade
A+
Uploaded on
02-02-2025
Written in
2024/2025

Dwell Time - The time an attacker has remained undetected within a network. An important metric to track, as it directly correlates with the ability of an attacker to accomplish their objectives.

Breakout Time - The time it takes an intruder to begin moving laterally once they have an initial foothold in the network.

Main Threat Actors -
APT (Nation State Actors)
Organized Crime
Hacktivists

NIST - US National Institute for Standards and Technology

Six-Step Incident Response Process -
1: Preparation
2: Identification
3: Containment and Intelligence Development
4: Eradication and Remediation
5: Recovery
6: Follow-up

Six-Step - Preparation - Incident response methodologies emphasize preparation: not only establishing a response capability so the organization is ready to respond to incidents, but also preventing incidents by ensuring that systems, networks, and applications are sufficiently secure.

Six-Step - Identification - Identification is triggered by a suspicious event. This could be from a security appliance, a call to the help desk, or the result of something discovered via threat hunting. Event validation should occur and a decision made as to the severity of the finding (not all valid events lead to a full incident response). Once an incident response has begun, this phase is used to better understand the findings and begin scoping the network for additional compromise.

Six-Step - Containment and Intelligence Development - In this phase, the goal is to rapidly understand the adversary and begin crafting a containment strategy. Responders must identify the initial vulnerability or exploit, how the attackers are maintaining persistence and moving laterally in the network, and how command and control is being accomplished. In conjunction with the previous scoping phase, responders will work to have a complete picture of the attack and often implement changes to the environment to increase host and network visibility. Threat intelligence is one of the key products of the IR team during this phase.

Six-Step - Eradication and Remediation - Arguably the most important phase of the process, eradication aims to remove the threat and restore business operations to a normal state. However, successful eradication cannot occur until the full scope of the intrusion is understood. A rush to this phase usually results in failure. Remediation plans are developed, and recommendations are implemented in a planned and controlled manner. Examples include:
- Block malicious IP addresses
- Blackhole malicious domain names
- Rebuild compromised systems
- Coordinate with cloud and service providers
- Enterprise-wide password changes
- Implementation validation

Six-Step - Recovery - Recovery leads the enterprise back to day-to-day business. The organization will have learned a lot during the incident

Brittie Donald, All Rights Reserved © 2025

Institution
SANS 508
Course
SANS 508
