Preparation is the first room in the Incident Response learning path within the TryHackMe learning platform.
The learning path consists of the following rooms:
- Identification & Scoping
- Threat Intel & Containment
- Eradication & Remediation
- Lessons Learned
In this post I will walk through the Preparation room.
Task 1: Introduction
Question 1: No answer needed
Task 2: Incident Response Capability
Question 1: What is an observed occurrence within a system?
The answer is in the reading. Look at the first bullets in this task.
Question 2: What is described as a violation of security policies and practices?
This answer is also in the reading, in the same place as question 1.
Question 3: Under which incident response phase do organisations lay down their procedures?
This is answered in the reading under “The Incident Response Process”:
- Preparation: Ensures that the organisation can effectively react to a breach with laid down procedures.
Question 4: Under which phase will an organisation resume business operations fully and update its response capabilities?
The answer is in the reading, in the same section as the previous answer; keep rolling down the bullet list until you get to…
Answer: Recovery & Lessons Learned
Task 3: People and Documentation Preparation
Question 1: A group that handles events involving cyber security breaches, comprising individuals with different skills and expertise, is known as?
This answer is in the third paragraph of the reading.
Answer: cyber security incident response team
Question 2: Which documents would be used to accompany any evidence collected and keep track of who handles the investigation procedures?
This answer is in the reading in the “Communication Plan & Chain of Custody” section.
Answer: chain of custody documents
Task 4: Technology Preparation
Question 1: What would a kit containing the necessary incident-handling tools be called?
This answer is in the last paragraph of the reading, in the section titled “Investigation Capabilities”.
Answer: jump bag
Task 5: Visibility
Question 1: What is the Event ID for the File Created rule associated with the test?
After reading and completing the instructions for the task I used the Find feature to search for File Created. The Event ID associated was…
Question 2: Under the Software Restriction Policies, what is the default security level assigned to all policies?
For this we need to open Local Security Policy back up. In there you should see “Software Restriction Policies”, then “Security Levels”. There are three choices; I clicked on each to see which one was set as the default. See the screenshot above.
Question 3: Find the Audit Policy folder under Local Policies. What setting has been assigned to the policy Audit logon events?
Follow the navigation steps in the question to find that the policy is set to…
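The three Task 5 checks can also be read from PowerShell instead of clicking through Event Viewer and Local Security Policy. This is an added example, not part of the room or the original post; it assumes Sysmon is installed with its default log name and that the session is elevated.

```powershell
# Added example (not from the TryHackMe room): reads the three visibility
# settings Task 5 asks about. Assumes Sysmon's default log name and an
# elevated session (the Sysmon log and auditpol need admin rights).

# 1. Sysmon: list every event ID present in the log with the task name it
#    carries, so the ID of a given rule (e.g. "File Created") can be read
#    off the table rather than searched for in Event Viewer.
$sysmonLog = 'Microsoft-Windows-Sysmon/Operational'
Get-WinEvent -LogName $sysmonLog -MaxEvents 2000 -ErrorAction Stop |
    Group-Object -Property Id |
    ForEach-Object {
        [pscustomobject]@{
            EventId  = $_.Name
            Count    = $_.Count
            TaskName = $_.Group[0].TaskDisplayName
        }
    } | Sort-Object { [int]$_.EventId } | Format-Table -AutoSize

# 2. Software Restriction Policies: the default security level lives under
#    the Safer policy key. Documented values: 0x0 = Disallowed,
#    0x1000 = Basic User, 0x40000 = Unrestricted.
$saferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levels   = @{ 0 = 'Disallowed'; 4096 = 'Basic User'; 262144 = 'Unrestricted' }
$default  = (Get-ItemProperty -Path $saferKey -Name DefaultLevel `
                -ErrorAction SilentlyContinue).DefaultLevel
if ($null -eq $default) {
    'SRP DefaultLevel not set in the registry (no SRP policy defined yet)'
} else {
    'SRP default security level: {0} (0x{1:X})' -f $levels[[int]$default], $default
}

# 3. Audit policy: show the effective setting for logon events. auditpol
#    reports per subcategory (Logon, Logoff, ...) rather than the single
#    "Audit logon events" line shown by the legacy Local Security Policy GUI.
auditpol /get /category:"Logon/Logoff"
```

If the registry value in step 2 is absent, no SRP policy has been created yet; the GUI still shows a default level, but it is not written to the key until a policy is defined.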
Task 6: Conclusion
Question 1: No answer needed