CSOC Threat Detection and Incident Response

Question 1

What are the typical phases of a cybersecurity incident response lifecycle?

Accepted Answer

Preparation, Detection and Analysis, Containment, Eradication, Recovery, and Post-Incident Review

Answer

The standard incident response lifecycle includes six phases: Preparation (planning and tools), Detection and Analysis (identifying the incident), Containment (limiting spread), Eradication (removing the threat), Recovery (restoring systems), and Post-Incident Review (lessons learned).

Question 2

What is a Security Information and Event Management (SIEM) system used for in a CSOC?

Accepted Answer

Aggregating and correlating security event logs from multiple sources to detect threats and support incident response

Answer

A SIEM collects, aggregates, and correlates log data and security events from across an organisation's IT infrastructure, providing security analysts with a unified view to detect anomalies, identify threats, and investigate incidents.

Question 3

What is an Indicator of Compromise (IoC) in threat detection?

Accepted Answer

Evidence found in a network or system that suggests a security breach or malicious activity may have occurred

Answer

IoCs are artifacts or pieces of evidence, such as unusual network traffic, specific file hashes, IP addresses, or registry changes, that indicate a system may have been compromised. They are used to detect and investigate potential security incidents.

Question 4

What is the difference between a security event and a security incident?

Accepted Answer

A security event is any observable occurrence; a security incident is an event that adversely affects security or violates a security policy

Answer

A security event is any observable occurrence in a system or network that may or may not be malicious. A security incident is a confirmed event that has actually violated security policies, caused harm, or required a formal response.

Question 5

What is 'containment' in the context of cybersecurity incident response?

Accepted Answer

Actions taken to limit the spread and impact of an active security incident while preserving evidence for investigation

Answer

Containment stops the incident from spreading further while preserving evidence for forensic analysis. It may involve isolating affected systems from the network, blocking malicious traffic, or disabling compromised accounts.

CSOC Practice Test

CSOC Practice Test

CSOC Threat Detection and Incident Response