The information in the IDS logs provides a comprehensive view of the attack, including the type of attack, the time it occurred, the location of the attack, and other relevant details. This information helps the information security manager to:
Verify the attack and its impact: By reviewing the IDS logs, the security manager can determine the exact nature of the attack, the extent of the damage, and the systems or data that were impacted.
Determine the root cause of the attack: The logs can provide valuable insights into the methods and techniques used by the attacker, allowing the security manager to identify the weaknesses that were exploited and take steps to remediate them.
Evaluate the effectiveness of existing security measures: The information in the logs can help the security manager to determine the effectiveness of existing security controls, such as firewalls, intrusion detection systems, and access controls, in detecting and preventing the attack.
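As an added illustration of the point made above (this is not code from any comment or from the exam material), the following Python script parses Snort/Suricata "fast"-format alert lines and produces the kind of summary a post-incident review draws from IDS logs: the time window, the external sources, the internal hosts that were targeted, the alert classifications, and internal hosts that were first targeted and later generated outbound alerts. The alert lines, rule SIDs (local-rule range 1000000+), rule messages and the internal range 192.0.2.0/24 are all constructed assumptions for the example.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed sample alerts in Snort/Suricata "fast" alert format. The SIDs sit in
# the local-rule range and the messages are illustrative, not real rule names.
# The last line is deliberate noise to show that non-matching lines are skipped.
SAMPLE_FAST_LOG = """\
01/15-14:23:01.120000  [**] [1:1000001:1] LOCAL SCAN SYN scan sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:44321 -> 192.0.2.10:22
01/15-14:23:04.870000  [**] [1:1000001:1] LOCAL SCAN SYN scan sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:44322 -> 192.0.2.20:443
01/15-14:31:17.003000  [**] [1:1000002:1] LOCAL WEB SQL injection pattern in URI [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:51002 -> 192.0.2.20:443
01/15-14:52:40.550000  [**] [1:1000003:1] LOCAL POLICY outbound connection to uncommon port [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.20:49812 -> 203.0.113.5:4444
this line is not an alert and must be skipped
"""

# Assumed organisational address range (documentation prefix used as a stand-in).
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_fast_log(text):
    """Turn fast-format alert lines into sorted event dicts; lines no rule matched
    are skipped, which is exactly the blind spot of an IDS-only review."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "time": datetime.strptime(d["ts"], "%m/%d-%H:%M:%S.%f"),  # year defaults to 1900
            "sid": int(d["sid"]),
            "msg": d["msg"],
            "classification": d["cls"] or "unclassified",
            "priority": int(d["prio"]),
            "proto": d["proto"],
            "src": ipaddress.ip_address(d["src"]),
            "dst": ipaddress.ip_address(d["dst"]),
            "dport": int(d["dport"]),
        })
    events.sort(key=lambda e: e["time"])
    return events


def summarize(events, internal=INTERNAL_NET):
    """Scope of the attack as visible in the IDS: window, sources, targets, classes."""
    return {
        "alerts": len(events),
        "first": events[0]["time"] if events else None,
        "last": events[-1]["time"] if events else None,
        "highest_priority": min((e["priority"] for e in events), default=None),
        "external_sources": sorted({str(e["src"]) for e in events if e["src"] not in internal}),
        "targets": sorted({str(e["dst"]) for e in events if e["dst"] in internal}),
        "by_classification": Counter(e["classification"] for e in events),
    }


def likely_compromised(events, internal=INTERNAL_NET):
    """Internal hosts that were alerted on as a target and later appear as the
    source of an alert toward an external address. This is a lead for the
    responders to confirm on the host, not proof of compromise."""
    first_targeted = {}
    for e in events:
        if e["dst"] in internal and e["src"] not in internal:
            first_targeted.setdefault(e["dst"], e["time"])
    hits = []
    for e in events:
        if (e["src"] in first_targeted and e["dst"] not in internal
                and e["time"] > first_targeted[e["src"]]):
            hits.append((str(e["src"]), e["time"], e["msg"]))
    return hits


if __name__ == "__main__":
    evs = parse_fast_log(SAMPLE_FAST_LOG)
    s = summarize(evs)
    print(f"{s['alerts']} alerts between {s['first'].time()} and {s['last'].time()}")
    print("external sources:", s["external_sources"])
    print("internal targets:", s["targets"])
    print("classifications:", dict(s["by_classification"]))
    for host, when, msg in likely_compromised(evs):
        print(f"follow up on {host}: outbound alert at {when.time()} ({msg})")
```

Note what the summary cannot tell you: if the attacker used a technique no rule covers, or moved laterally over a segment the sensor does not see, those steps simply do not appear. That is why a review based on IDS alerts alone needs host and application evidence before the attacker's full method of operation can be established.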
Method of operation is the more comprehensive answer. Method of operation includes the procedures used by the adversaries, what vulnerabilities were exploited and what techniques the attacker used. It may also involve an assessment of the current controls to check for effectiveness.
Answer option C is not entirely wrong - but from IDS logs you only see a fraction of what the attacker did. It's a very limited view from a single datasource - hence answer D is right.
Guys, THINK LIKE A MANAGER!
Do you really think an infosec manager is gonna go through the logs, or is he gonna tell some analyst to go through them and then, based on that, tell the infosec manager what methods the attacker used?
I find that D or C could be correct. The IDS logs can encompass what methods or attacks were used by the attacker but an IDS isn't successful 100% of the time. Therefore, the method still needs to be identified making D the correct answer. This is a bad question in my opinion.
Understanding the method of operation (often referred to as the modus operandi or tactics, techniques, and procedures - TTPs) used by the attacker is crucial. It allows the organization to determine vulnerabilities that were exploited, review the effectiveness of current controls, and make necessary adjustments to prevent similar future attacks.
When conducting a post-incident review of an attack, the MOST useful information for an information security manager would be:
C. Details from intrusion detection system (IDS) logs.
In a post-incident review, analyzing the details from intrusion detection system (IDS) logs can provide valuable insights into the attack. IDS logs can contain information about the attack vector, the specific techniques used by the attacker, and the compromised systems or data. By reviewing IDS logs, the information security manager can gain a better understanding of the attack's scope, impact, and potential vulnerabilities exploited.
Details from intrusion detection system (IDS) logs are the most useful to an information security manager when conducting a post-incident review of an attack.