GCIH EXAM QUESTIONS AND 100% CORRECT
ANSWERS
What is the Six-Step Incident Response Process?
Preparation
Identification
Containment
Eradication
Recovery
Lessons Learned
What are some common issues with the PICREL approach to incident response?
Not scoping.
Failure to contain the incident.
Improper scoping.
Failure to identify and/or fix the root cause.
What is DAIR?
It is a Dynamic Approach to Incident Response.
What would occur during preparation in DAIR?
This would include things like: Know your Organization, Know your Corporate Policies,
Internal Network Visibility, Log Review, Recovery Procedures Development, IR Team
Preparation.
,Detection Phase of DAIR
Check to see if it is a false positive
After the incident has been verified to have occurred, triaging is a good idea
Scoping
That's how we identify where in an organization's network the threat actors are by
scanning our network.
What is Velociraptor?
This is a free and open-source software tool for assisting with scoping an incident,
performing large-scale incident response, and supporting threat hunting efforts.
What occurs during the Containment phase of DAIR?
During this phase, the goal is to deny the threat actor further operation inside a
compromised network. During this stage, it also means data acquisition.
What occurs during the Eradication phase of DAIR?
This involves undoing or taking away what a threat actor did.
What occurs during the Recovery phase of DAIR? What is usually the most cost-effective
way of doing this?
The idea here is to restore the business with minimum disruption of normal business
operations.
This often is the most cost-effective way to achieve this by rebuilding the system.
What takes place in the Remediation phase of DAIR?
Well, this all involves remedying the root cause of an incident. Of course, after that you
need to monitor the system closely to see if the threat actor remains.
,Which of the following is a protection against hijacking attacks?
LLMNR disabled
3 options
Which one of the following is one of the tools that threat actors commonly use to extract
the victim password from the memory dump files?
Mimikatz
3 options
Which one of the following is one of the attacker's desired outcomes regarding
persistence?
Maintain privileges
3 options
An attacker has successfully stolen an AWS instance. What is the attacker's command
in order to see which S3 buckets are available?
aws s3 ls
3 options
Which of the following PowerShell cmdlets can provide valuable information to identify
attacker WMI-based persistence?
Get-WMIObject
3 choices
Which of the following is endpoint detection and response tools most effective when
coupled with?
Rapid incident response
, 3 choices
As adversaries continue to use new C2 and exfil techniques, traditional IDS identifies
fewer and fewer threats. Which of the following techniques can be used to identify C2
that is typically missed using traditional IDS techniques?
Statistical anomaly analysis
3 Choices
As this is the output from RITA's analysis, which would you consider as the most
suspicious IP?
+---------------+-----------------+--------------------------+-------------+
| SOURCE IP | DESTINATION IP | DSTPORT:PROTOCOL:SERVICE | DURATION |
+---------------+-----------------+--------------------------+-------------+
| 10.55.100.100 | 65.52.108.225 | 443:tcp:- | 23h57m02s |
| 10.55.100.107 | 111.221.29.113 | 443:tcp:- | 23h57m00s |
| 10.55.100.109 | 65.52.108.218 | 443:tcp:- | 01h49m22s |
| 10.55.100.104 | 65.52.108.204 | 443:tcp:- | 01h28m45s |
| 10.55.182.100 | 104.244.43.112 | 443:tcp:ssl| 10m00s |
| 10.55.182.100 | 23.52.162.21 | 443:tcp:ssl| 09m50s |
| 10.55.182.100 | 198.8.70.210 | 443:tcp:ssl| 07m29s |
| 10.55.182.100 | 104.20.168.10 | 443:tcp:ssl | 07m25s |
| 10.55.182.100 | 104.16.162.13 | 443:tcp:ssl | 06m40s |
| 10.55.100.108 | 65.52.108.191 | 443:tcp:ssl | 06m00s |
65.52.108.225
3 choices
Which of the following utilities uses a "high-low" approach, whereby it breaks down a
given file into pieces in order to constantly re-scan it to come up with the smallest chunk
ANSWERS
What is the Six-Step Incident Response Process?
Preparation
Identification
Containment
Eradication
Recovery
Lessons Learned
What are some common issues with the PICREL approach to incident response?
Not scoping.
Failure to contain the incident.
Improper scoping.
Failure to identify and/or fix the root cause.
What is DAIR?
It is a Dynamic Approach to Incident Response.
What would occur during preparation in DAIR?
This would include things like: Know your Organization, Know your Corporate Policies,
Internal Network Visibility, Log Review, Recovery Procedures Development, IR Team
Preparation.
,Detection Phase of DAIR
Check to see if it is a false positive
After the incident has been verified to have occurred, triaging is a good idea
Scoping
That's how we identify where in an organization's network the threat actors are by
scanning our network.
What is Velociraptor?
This is a free and open-source software tool for assisting with scoping an incident,
performing large-scale incident response, and supporting threat hunting efforts.
What occurs during the Containment phase of DAIR?
During this phase, the goal is to deny the threat actor further operation inside a
compromised network. During this stage, it also means data acquisition.
What occurs during the Eradication phase of DAIR?
This involves undoing or taking away what a threat actor did.
What occurs during the Recovery phase of DAIR? What is usually the most cost-effective
way of doing this?
The idea here is to restore the business with minimum disruption of normal business
operations.
This often is the most cost-effective way to achieve this by rebuilding the system.
What takes place in the Remediation phase of DAIR?
Well, this all involves remedying the root cause of an incident. Of course, after that you
need to monitor the system closely to see if the threat actor remains.
,Which of the following is a protection against hijacking attacks?
LLMNR disabled
3 options
Which one of the following is one of the tools that threat actors commonly use to extract
the victim password from the memory dump files?
Mimikatz
3 options
Which one of the following is one of the attacker's desired outcomes regarding
persistence?
Maintain privileges
3 options
An attacker has successfully stolen an AWS instance. What is the attacker's command
in order to see which S3 buckets are available?
aws s3 ls
3 options
Which of the following PowerShell cmdlets can provide valuable information to identify
attacker WMI-based persistence?
Get-WMIObject
3 choices
Which of the following is endpoint detection and response tools most effective when
coupled with?
Rapid incident response
, 3 choices
As adversaries continue to use new C2 and exfil techniques, traditional IDS identifies
fewer and fewer threats. Which of the following techniques can be used to identify C2
that is typically missed using traditional IDS techniques?
Statistical anomaly analysis
3 Choices
As this is the output from RITA's analysis, which would you consider as the most
suspicious IP?
+---------------+-----------------+--------------------------+-------------+
| SOURCE IP | DESTINATION IP | DSTPORT:PROTOCOL:SERVICE | DURATION |
+---------------+-----------------+--------------------------+-------------+
| 10.55.100.100 | 65.52.108.225 | 443:tcp:- | 23h57m02s |
| 10.55.100.107 | 111.221.29.113 | 443:tcp:- | 23h57m00s |
| 10.55.100.109 | 65.52.108.218 | 443:tcp:- | 01h49m22s |
| 10.55.100.104 | 65.52.108.204 | 443:tcp:- | 01h28m45s |
| 10.55.182.100 | 104.244.43.112 | 443:tcp:ssl| 10m00s |
| 10.55.182.100 | 23.52.162.21 | 443:tcp:ssl| 09m50s |
| 10.55.182.100 | 198.8.70.210 | 443:tcp:ssl| 07m29s |
| 10.55.182.100 | 104.20.168.10 | 443:tcp:ssl | 07m25s |
| 10.55.182.100 | 104.16.162.13 | 443:tcp:ssl | 06m40s |
| 10.55.100.108 | 65.52.108.191 | 443:tcp:ssl | 06m00s |
65.52.108.225
3 choices
Which of the following utilities uses a "high-low" approach, whereby it breaks down a
given file into pieces in order to constantly re-scan it to come up with the smallest chunk
