Incident Response Question Bank

Take me through the possible phases of an attack (could be using something like the mitre attack framework).

Name/explain reconnaissance techniques.

Name/explain lateral movement techniques.

Name/explain persistence techniques.

Name/explain privilege escalation techniques.

Name/explain defence evasion techniques.

Name/explain some discovery techniques ( the adversary trying to figure out your environment).

Name/explain defence evasion techniques.

Name/explain c&c techniques.

What does ‘living off the land’ mean? Can you provide examples?

You have access to a live system. How would you determine if the system is infected? What about on a different OS?

Describe process injection?

Talk me through an incident that you responded to (initial situation/preparation, identification, containment, eradication, recovery, lessons learned).

What are your first five questions when doing an initial IR triage call with a client?

What are your top 3 log/data sources and why?

What are some ways malware can maintain persistence on a Windows host?

What are some ways malware can maintain persistence on a Linux host?

What are some ways malware can maintain persistence on MacOS?

What are some basic Windows/Linux commands or tools I can use to identify host operations (processes, connections, etc)?

What OSINT tools help you in aiding invalidating a malicious file?

What artefacts would you use to find evidence of execution?

What artefacts would you use to find evidence of persistence?

What artefacts would you use to find evidence of exfiltration?

What artefacts would you use to find evidence of file touch?

What artefacts would you use to find evidence of deletion?

What artefacts would you use to find evidence of lateral movement?

Talk me through the phases of the IR lifecycle. (Recommend NIST and SANS)

How would you perform remote triage?

How would you acquire memory?

How would you image a disk?

How would you analyse event logs?

How would you analyse memory?

How would you analyse malware?

How would you analyse a disk image?

How do you know when malware got onto a system?

What are the key components of an incident response report?

How do you manage stressful situations?

How would you react to a visibly stressed client, how would you help them?

What are the goals of incident response?

A client wants to rebuild their infrastructure without performing any forensic analysis. How would you approach this situation?

A client wants to restore their infrastructure from backups, without performing any forensic analysis. How would you approach this situation?

What experience do you have in ICS/OT incident response? How would you approach it ?