Which three types of information could be used during the incident response investigation phase? (Choose three.)
The incident response investigation phase is a critical step in identifying the root cause of a security incident and developing an appropriate response plan. The following are the three types of information that could be used during the incident response investigation phase:
A. NetFlow data: NetFlow is a network protocol that collects information about IP traffic flows. It can provide valuable information about network traffic patterns, such as source and destination IP addresses, the protocols used, the duration of the connection, and the amount of data transferred. NetFlow data can help investigators identify suspicious traffic patterns, identify the source of an attack, and determine the scope of the incident.
D. Syslog output: Syslog is a standard protocol used for forwarding log messages across a network. It provides a centralized location for collecting and analyzing log data from various sources, such as firewalls, routers, and servers. Syslog output can provide valuable information about network events, such as authentication failures, system errors, and configuration changes. This information can be used to identify the source of an attack, determine the extent of the damage, and develop a response plan.
B. SNMP alerts: Simple Network Management Protocol (SNMP) is a protocol used for managing and monitoring network devices, such as routers, switches, and servers. SNMP alerts can provide valuable information about network events, such as network downtime, device failures, and security breaches. This information can be used to identify the source of an attack, determine the extent of the damage, and develop a response plan.
C. Encryption policy: Encryption policies define how data is protected while it is stored or transmitted across a network. Encryption policies can help investigators determine if data was stolen during an incident and if it was protected by encryption. They can also be used to identify weaknesses in the encryption process and develop strategies to improve security.
E. IT compliance reports: Compliance reports provide information about whether an organization is complying with relevant regulations, such as HIPAA, PCI DSS, or GDPR. Compliance reports can be used to identify areas of weakness in an organization's security posture and develop strategies to improve compliance.
In summary, during the incident response investigation phase, netflow data, syslog output, and SNMP alerts are important sources of information to identify the source of the attack, determine the scope of the incident, and develop a response plan. Encryption policies and IT compliance reports are also valuable sources of information to improve the organization's security posture and compliance.