Becoming A First Responder

TryHackMe | Answers For Becoming A First Responder

Hello folks,
In this write-up, we provide the answers for the Becoming a First Responder room, which is part of the Security Engineer learning path under the Managing Incidents section. The room is freely accessible to all TryHackMe users. By successfully completing these challenges you will gain access to tickets that can boost your chances of winning prizes.
You can access the room by clicking here.

Task 1- Introduction

This task will introduce the Prerequisites and Learning Objectives of this room.

I am ready to learn about becoming a first responder!
No answer required

Task 2- Preservation of Evidence

This task introduces the volatility of evidence, the order in which evidence should be preserved, and the chain of custody.

Q 2.1- What priority order for preservation (number only) is given for the Disk?
A 2.1- 4

Q 2.2- What priority order for preservation (number only) is given for Archival Media?
A 2.2- 7

Q 2.3- What priority order for preservation (number only) is given for the Register and Cache?
A 2.3- 1

Q 2.4- What is the term used to describe ensuring that evidence can be used in legal proceedings?
A 2.4- Chain of Custody

Task 3- Alerting the Relevant Stakeholders

This task introduces incident playbooks, call trees and the responsibilities of the first responder.

Q 3.1- What is the term that describes a defined process that the blue team follows during an incident?
A 3.1- Playbook

Q 3.2- What is the term that describes the structure used to inform all the relevant parties about the incident?
A 3.2- Call Tree

Task 4- Isolation of the Incident

This task introduces the importance of containment, the containment methods available, and the responsibilities of the first responder.

Q 4.1- What containment method can be performed remotely using the EDR?
A 4.1- Virtual Isolation

Q 4.2- What containment method requires the blue team to collect the infected host?
A 4.2- Physical Isolation

Q 4.3- What containment method aims to ensure that the infected host cannot communicate with other hosts?
A 4.3- Network Segmentation

Task 5- Business Continuity Plan

This task introduces the DRP (Disaster Recovery Plan), the BCP (Business Continuity Plan) and their metrics.

Q 5.1- What does BCP stand for?
A 5.1- Business Continuity Plan

Q 5.2- What does DRP stand for?
A 5.2- Disaster Recovery Plan

Q 5.3- What BCP metric is used to describe the amount of time required to recover the hardware of our system?
A 5.3- Recovery Time Objective

Q 5.4- What BCP metric is used to describe the average amount of time required to recover our system?
A 5.4- Mean Time to Repair

Task 6- Documentation of Actions

This task introduces the importance of documentation and the templates used for it.

Q 6.1- What time format should be used in our incident notes to ensure that all times match?
A 6.1- UTC

Task 7- Handing Over

This task helps you practise what you have learned so far. Launch the static site and test your understanding.

Q 7.1- What is the value of the flag you receive after responding to the incident?
A 7.1- THM{I.am.ready.to.become.a.first.responder}

We will be providing answers for the rest of the Security Engineer learning path. If you need an explanation for any of these answers, please comment below and we will provide one on request.
You can check out our other blogs here.

Happy Pentesting!!!
Team CyberiumX
