Incident Response, Monitoring, and Forensics (CCNACBR) Flashcards
Cisco CCNA Cybersecurity 200-201 CCNACBR Flashcards

| Front | Back |
|---|---|
| Benefit of playbooks | Speed, consistency, and improved decision making |
| Best practice for communicating incidents to stakeholders | Be timely and factual, and avoid speculation |
| Best practice for timestamps | Use NTP and UTC across the infrastructure |
| Common memory analysis tool | Volatility |
| Common severity levels | Low, Medium, High, Critical |
| Common syslog transport protocols | UDP, TCP, and TLS |
| Containment example | Isolate the network segment, disable compromised accounts, block malicious IPs |
| Definition of alert triage | Process of validating, prioritizing, and assigning alerts |
| EDR common capabilities | Process monitoring, file activity, memory scanning, isolation |
| Eradication tasks | Remove malware, patch vulnerabilities, change credentials, rebuild systems |
| Example correlation rule | Multiple failed logins followed by a successful login from the same IP |
| Examples of IOCs | Malicious IPs, domains, hashes, or suspicious registry keys |
| Examples of volatile data | RAM, open network connections, running processes, and logged-in users |
| First step in alert triage | Verify that the alert is not a false positive |
| First step in evidence preservation | Isolate affected systems to prevent further contamination |
| How does threat intelligence help? | Provides reputation and context to prioritize response |
| How to combat alert fatigue | Prioritize, tune, and automate low-value alerts |
| How to detect lateral movement | Monitor for unusual authentication, logons, and remote execution |
| How to reduce false positives | Refine rules, tune thresholds, add context and suppression |
| Key chain of custody elements (Who, What, When, Why, and How) | Record who collected, handled, and accessed evidence, with timestamps and reasons |
| Key triage question: Is this active or historical? | Determine whether the attack is ongoing or has already occurred |
| Order of volatile data collection | Collect RAM, then network, then disk, then system logs |
| Post-incident tasks | Root cause analysis, lessons learned, update playbooks |
| Primary purpose of a SIEM | Collect, correlate, and alert on log data |
| Recovery steps | Validate systems, monitor for recurrence, restore services from clean backups |
| Risk of live forensics | Altering system state while collecting data |
| What does SIEM stand for? | Security Information and Event Management |
| What hashing is used for evidence integrity? | Cryptographic hashes such as SHA-256 |
| What is baselining in monitoring? | Establishing normal behavior to detect anomalies |
| What is a containment validation test? | Attempting controlled access to ensure the compromise is contained |
| What is a disk image? | Bit-for-bit copy of storage media for analysis |
| What is a learnings register? | Document of lessons, countermeasures, and action items from incidents |
| What is a playbook in incident response? | Predefined procedures to handle specific incident types |
| What is alert enrichment? | Adding context such as asset owner, geolocation, threat intelligence |
| What is alert fatigue? | Desensitization from too many alerts, leading to missed critical events |
| What is an alert severity rating? | Measure of the impact and urgency of an alert |
| What is an event vs an alert? | An event is raw logged activity; an alert is a SIEM-flagged item |
| What is an incident timeline? | Chronological record of events and actions during an incident |
| What is artifact preservation? | Saving files, logs, and config relevant to the investigation |
| What is business impact analysis in incidents? | Assessing effects on operations, revenue, and reputation |
| What is chain of custody? | Documented history of evidence handling |
| What is containment in incident response? | Actions to limit the scope and impact of an incident |
| What is containment strategy, short term vs long term? | Short term limits damage; long term removes persistent threats |
| What is a data exfiltration indicator? | Large transfers, unusual protocols, or unknown destinations |
| What is endpoint detection and response (EDR)? | Tooling for detecting, investigating, and responding on endpoints |
| What is eradication? | Removing the root cause and malicious artifacts |
| What is an escalation path? | Defined route for raising incidents to higher expertise or authority |
| What is an evidence admissibility consideration? | Ensure integrity, provenance, and authorized collection |
| What is evidence preservation? | Actions to protect data integrity for investigations |
| What is a false positive? | Alert that is benign or expected behavior |
| What is forensic image verification? | Compare the hash of the original and the image to confirm an exact copy |
| What is isolation vs quarantine? | Isolation removes the system from the network; quarantine limits harmful interactions while preserving data |
| What is the key objective of eradication verification? | Ensure no residual backdoors or artifacts remain |
| What is live forensics? | Collecting data from a running system |
| What is log correlation? | Linking related log entries across sources to reveal incidents |
| What is log normalization? | Converting diverse log formats into a consistent schema |
| What is a log retention policy? | Rules for how long different logs are stored |
| What is a malware persistence indicator? | Registry autorun, services, scheduled tasks, or startup entries |
| What is memory analysis used for? | Recovering malware and in-memory artifacts |
| What is post-incident activity? | Reviewing and improving after containment and recovery |
| What is recovery? | Restoring systems to normal operation securely |
| What is the goal of root cause analysis? | Identify the underlying cause to prevent recurrence |
| What is secure evidence storage? | Protecting evidence with access controls, encryption, and logging |
| What is the SIEM use case for compliance? | Centralized logging, retention, and access for audits |
| What is syslog? | Standard protocol for forwarding log messages |
| What does the abbreviation IOC stand for? | Indicator of Compromise |
| Why is time synchronization important? | Aligning timestamps across systems for accurate timelines |
| What is triage ticketing metadata? | Details like priority, owner, status, and notes for an alert |
| What is volatile data? | Information lost when a system is powered off |
| What to include in an incident report | Executive summary, timeline, impact, remediation, and recommendations |
| Where to collect logs centrally | SIEM or log aggregator |
| Why build a timeline? | Understand progression, identify gaps, and support reporting |
| Why create a disk image? | Preserve original evidence while enabling analysis on a copy |
| Why document all actions during an incident? | Provide accountability, enable reconstruction, and support legal defensibility |
| Why document escalation contacts? | Ensure timely access to decision makers and specialists |
| Why hash evidence? | To prove evidence has not been altered |
| Why index logs in a SIEM? | Enable fast search and correlation |
| Why retain logs for investigations? | Preserve evidence and establish timelines |
| Why use log parsing? | Extract fields to enable search, filtering, and correlation |
About the Flashcards
Flashcards for the Cisco CCNA Cybersecurity exam help students review core terminology, SIEM fundamentals, and practical incident response steps. The deck explains SIEM functions such as log collection, normalization, indexing, common transports (UDP/TCP/TLS), and log parsing that enable correlation, enrichment, and threat-intelligence-driven prioritization. It also covers alert concepts such as the distinction between events and alerts, severity levels, and strategies to reduce false positives.
It focuses on triage and forensic procedures: alert triage, IOC identification, the order of volatile data collection, disk imaging, hashing for integrity (SHA-256), chain of custody, and evidence preservation. Students will reinforce operational steps for containment, eradication, recovery, and validation tests, plus building incident timelines, running root cause analysis, and documenting lessons learned and reports for stakeholders.
Topics covered in this flashcard deck:
- SIEM and log management
- Alert triage and correlation
- Evidence preservation and hashing
- Memory and disk forensics
- Containment, eradication, recovery
- Playbooks and incident reporting