Security Operations, Monitoring, and Incident Response (CCST) Flashcards
Cisco CCST Cybersecurity 100-160 Flashcards

| Front | Back |
|---|---|
| Best practice for forensic imaging | Create a bit-for-bit copy using write blockers and verify checksums |
| Chain of custody importance | Ensures evidence integrity, admissibility, and traceability during investigations |
| Short-term containment strategies | Isolate the host, block network access, and disable accounts |
| Data privacy considerations during IR | Minimize access to personal data and follow retention and disclosure laws |
| Define escalation matrix | Predefined contacts and thresholds for escalating incidents to higher-tier teams |
| Define evidence preservation order | Collect the most volatile data first, then less volatile items later |
| Define false negative | Malicious activity that goes undetected by security controls |
| Define false positive | An alert that incorrectly signals malicious activity when none exists |
| Define nonvolatile evidence | Persistent data on disk, removable media, or logs that is retained after a reboot |
| Define RPO | Recovery point objective: the acceptable amount of data loss, measured in time |
| Define RTO | Recovery time objective: the target time to restore a function after a disruption |
| Define SIEM | Centralized collection, normalization, correlation, and analysis of security events |
| Define threat hunting | Proactive search for hidden threats using hypothesis-driven investigation |
| Define volatile evidence | Data in memory or running system state that is lost on power off |
| Describe a correlation rule | Logic that links multiple events across sources to detect complex incidents |
| Difference between intel feed types | Strategic, tactical, and operational feeds vary by level of detail and timeliness |
| Evidence handling best practice | Document, collect, preserve, and transfer evidence using chain of custody |
| First phase of incident response | Preparation: activities including policies, training, and tooling setup |
| HIDS vs. NIDS | Host-based IDS monitors individual systems; NIDS monitors network traffic |
| Importance of regular backup testing | Backups must be frequent, tested, and protected to enable reliable recovery |
| Key metrics for SOC performance | MTTA, MTTR, number of incidents, and false positive rate |
| Log retention considerations | Compliance, storage cost, privacy, and forensic needs determine retention periods |
| Malware sandboxing purpose | Execute suspicious files in an isolated environment to observe behavior safely |
| Name common log sources | Endpoints, firewalls, IDS, proxies, and servers |
| Network segmentation benefit | Limits lateral movement, reduces blast radius, and simplifies containment |
| Next phase after detection | Containment: actions to limit scope and prevent further damage |
| Purpose of a post-incident review | Identify lessons learned, improve controls, and update response plans |
| Purpose of MITRE ATT&CK mapping | Standardize adversary behaviors for detection and analysis |
| Purpose of NTP and time sync | Ensure consistent timestamps across systems for accurate correlation and forensics |
| Role of IDS | Detect suspicious network or host activity and alert analysts |
| Signature detection vs. anomaly detection | Signature detection matches known patterns; anomaly detection flags deviations from normal behavior |
| What are TTPs | Tactics, Techniques, and Procedures used by adversaries to achieve objectives |
| What belongs in an incident report | Summary, timeline, impact, root cause, remediation, and recommended actions |
| What is a hypothesis in threat hunting | A testable assumption about possible malicious activity to investigate |
| What is a playbook | Predefined sequence of response steps for a specific incident type |
| What is a runbook | Operational checklist for executing technical procedures during response |
| What is a security baseline | A documented expected configuration used to detect deviations and drift |
| What is a SOC playbook | Operational guidance for SOC analysts on detection, triage, and response workflows |
| What is alert triage | Process of validating, classifying, prioritizing, and assigning alerts for investigation |
| What is enrichment in a SIEM | Augmenting raw events with context such as user, asset, or threat intelligence |
| What is an IOA | Indicator of attack: behavioral evidence showing attacker techniques and intent |
| What is an IOC | Indicator of compromise: an observable artifact such as an IP address, file hash, or domain |
| What is IOC enrichment | Adding context such as geolocation, WHOIS, or reputation to observed indicators |
| What is containment | Short-term actions to limit impact and isolate affected assets |
| What is eradication | Removing malware artifacts, closing vulnerabilities, and restoring integrity |
| What is legal hold | Order to preserve potential evidence and prevent its destruction during investigations |
| What is log normalization | Converting diverse log formats into a common structured schema |
| What is recovery | Restoring systems to production and validating normal operation |
| What is threat intelligence | Information about threat actors, indicators, and malicious infrastructure |
| Why is time synchronization important | Accurate timestamps enable reliable event correlation and timeline reconstruction |
| Why tune SIEM rules | Reduce false positives, improve performance, and focus analyst time on real threats |
About the Flashcards
Flashcards for the Cisco CCST Cybersecurity exam help students master core terminology and operational practices for security monitoring and incident response. The deck reviews SIEM fundamentals such as log collection, normalization, enrichment, correlation rules, time synchronization, and rule tuning, alongside common log sources and SOC performance metrics analysts use to evaluate detection effectiveness.
Also covered are detection concepts like IOC and IOA, signature versus anomaly detection, alert triage, threat hunting and MITRE ATT&CK mapping, and practical response procedures from preparation through containment, eradication, and recovery. Forensics and evidence handling topics include volatile versus nonvolatile data, chain of custody, forensic imaging best practices, legal hold, and data privacy considerations.
Topics covered in this flashcard deck:
- SIEM operations and tuning
- Log collection and normalization
- IOC and IOA detection
- Incident response phases
- Digital forensics and evidence
- Threat hunting and MITRE ATT&CK