Certified Incident Handler (CIH) Practice Ecam

Disable ads (and more) with a membership for a one time $2.99 payment

Prepare for the Certified Incident Handler (CIH) Exam. Enhance your knowledge with interactive quizzes and detailed insights into cyber incident handling. Boost your exam readiness with our expert-designed questions!

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!

Practice this question and more.

Identify the Falco rule that helps an incident responder detect spawning of terminal shells in a cloud environment.

$ kubectl exec -it mysql-db-d5dc6b85d-77hrm -- bash -il
$ log monitor -- alert on shell spawn
$ detect.sh new-shell-instance
$ exec.spawn.monitor -- active

The correct answer is: $ kubectl exec -it mysql-db-d5dc6b85d-77hrm -- bash -il

The correct answer identifies a rule that is focused on monitoring and responding to terminal shell spawning activity in a cloud environment. In this context, the command "kubectl exec" is specifically used to execute a command within a Kubernetes pod, and when appended with flags like "-it" for an interactive terminal and "bash -il" for an interactive shell, it indicates the spawning of a terminal shell session. This is relevant for incident responders as it signals potential unauthorized or suspicious activity, such as an attacker using a terminal shell to interact with the cloud environment. The other options either represent hypothetical commands that do not match standard monitoring practices or lack the specificity necessary to detect shell spawning effectively. Understanding the functionality of "kubectl" in a Kubernetes environment is crucial for incident responders in order to recognize and investigate potential security incidents related to shell access. This practical application allows for timely detection and response to unusual activity that might indicate a security breach or misconfiguration in the cloud infrastructure.