Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


CS0-003 Incident Response and Management • Complete Question Bank

CS0-003 Incident Response and Management — All Questions With Answers

Complete CS0-003 Incident Response and Management question bank — all 0 questions with answers and detailed explanations.

101 questions · Free · No signup
Question 1 (hard, multi select)

A host is suspected of running fileless malware. Which artefacts should be collected quickly? (Choose two.)

Question 2 (medium, multi select)

A phishing incident led to credential theft. Which containment actions are appropriate? (Choose two.)

Question 3 (hard, multi select)

Which actions belong in eradication after a confirmed web-shell compromise? (Choose two.)

Question 4 (medium, multi select)

What should be included in incident scoping for ransomware? (Choose three.)

Question 5 (hard, multi select)

A legal hold is issued during an investigation. Which actions support it? (Choose two.)

Question 6 (medium, multi select)

A tabletop exercise reveals that no one knows who can approve public statements. What should be updated? (Choose two.)

Question 7 (hard, multi select)

A responder is acquiring evidence from a potentially compromised server. Which actions support forensic integrity? (Choose two.)

Question 8 (hard, multi select)

An attacker used a stolen cloud token. Which evidence helps determine blast radius? (Choose two.)

Question 9 (medium, multi select)

Which actions are appropriate before restoring systems after malware eradication? (Choose two.)

Question 10 (hard, multi select)

A root-cause analysis finds that an alert fired but was never triaged. Which corrective actions are useful? (Choose two.)

Question 11 (medium, multiple choice)

A user reports approving an unexpected OAuth consent prompt for an app named 'Invoice Reader'. The app now has mailbox read permissions. What should the incident responder do first? During detection and analysis, which decision is most defensible?

Question 12 (hard, multiple choice)

File shares show rapid encryption and ransom-note creation from one workstation. What is the best immediate containment action? During containment, which decision is most defensible?

Question 13 (easy, multiple choice)

A developer accidentally committed a cloud access key to a public repository. Logs show the key was used from an unfamiliar IP. What should be done first? During eradication, which decision is most defensible?

Question 14 (medium, multiple choice)

A web server contains a new file that executes commands through a query parameter. What evidence best confirms web-shell activity? During recovery, which decision is most defensible?

Question 15 (hard, multiple choice)

A laptop may contain evidence for a legal investigation. What should the responder document during acquisition? During post-incident improvement, which decision is most defensible?

Question 16 (easy, multiple choice)

A server suspected of running fileless malware is still powered on. Which evidence should be captured first if it is safe to do so? During detection and analysis, which decision is most defensible?

Question 17 (medium, multiple choice)

After containing a compromised host, analysis shows persistence through a scheduled task and a stolen service account. What is required before recovery? During containment, which decision is most defensible?

Question 18 (hard, multiple choice)

An incident was contained successfully, but delayed escalation allowed the attacker more dwell time. What should the post-incident review produce? During eradication, which decision is most defensible?

Question 19 (easy, multiple choice)

A malware alert affects a single kiosk with no sensitive access. A second alert shows the same malware on a domain admin workstation. What should drive severity? During recovery, which decision is most defensible?

Question 20 (medium, multiple choice)

A company wants to test whether legal, PR, IT, and executives understand their roles during a ransomware incident without touching production systems. What exercise is best? During post-incident improvement, which decision is most defensible?

Question 21 (hard, multiple choice)

In a regulated payment environment, a user reports approving an unexpected OAuth consent prompt for an app named 'Invoice Reader'. The app now has mailbox read permissions. What should the incident responder do first? During detection and analysis, which decision is most defensible? Which action best reduces risk without losing evidence?

Question 22 (medium, multi select)

During containment of a compromised cloud access key, which actions are appropriate? (Choose two.)

Question 23 (medium, multiple choice)

In a regulated payment environment, a developer accidentally committed a cloud access key to a public repository. Logs show the key was used from an unfamiliar IP. What should be done first? During eradication, which decision is most defensible? Which action best reduces risk without losing evidence?

Question 24 (hard, multiple choice)

In a regulated payment environment, a web server contains a new file that executes commands through a query parameter. What evidence best confirms web-shell activity? During recovery, which decision is most defensible? Which action best reduces risk without losing evidence?

Question 25 (easy, multiple choice)

In a regulated payment environment, a laptop may contain evidence for a legal investigation. What should the responder document during acquisition? During post-incident improvement, which decision is most defensible? Which action best reduces risk without losing evidence?

Question 26 (medium, multiple choice)

In a regulated payment environment, a server suspected of running fileless malware is still powered on. Which evidence should be captured first if it is safe to do so? During detection and analysis, which decision is most defensible? Which action best reduces risk without losing evidence?

Question 27 (hard, multiple choice)

In a regulated payment environment, after containing a compromised host, analysis shows persistence through a scheduled task and a stolen service account. What is required before recovery? During containment, which decision is most defensible? Which action best reduces risk without losing evidence?

Question 28 (easy, multiple choice)

In a regulated payment environment, an incident was contained successfully, but delayed escalation allowed the attacker more dwell time. What should the post-incident review produce? During eradication, which decision is most defensible? Which action best reduces risk without losing evidence?

Question 29 (medium, multiple choice)

In a regulated payment environment, a malware alert affects a single kiosk with no sensitive access. A second alert shows the same malware on a domain admin workstation. What should drive severity? During recovery, which decision is most defensible? Which action best reduces risk without losing evidence?

Question 30 (hard, multiple choice)

In a regulated payment environment, a company wants to test whether legal, PR, IT, and executives understand their roles during a ransomware incident without touching production systems. What exercise is best? During post-incident improvement, which decision is most defensible? Which action best reduces risk without losing evidence?

Question 31 (easy, multiple choice)

While supporting a hybrid workforce, a user reports approving an unexpected OAuth consent prompt for an app named 'Invoice Reader'. The app now has mailbox read permissions. What should the incident responder do first? During detection and analysis, which decision is most defensible? Which evidence should guide the decision?

Question 32 (medium, multiple choice)

In a regulated payment environment, file shares show rapid encryption and ransom-note creation from one workstation. What is the best immediate containment action? During containment, which decision is most defensible? Which action best reduces risk without losing evidence?

Question 33 (hard, multiple choice)

While supporting a hybrid workforce, a developer accidentally committed a cloud access key to a public repository. Logs show the key was used from an unfamiliar IP. What should be done first? During eradication, which decision is most defensible? Which evidence should guide the decision?

Question 34 (easy, multiple choice)

While supporting a hybrid workforce, a web server contains a new file that executes commands through a query parameter. What evidence best confirms web-shell activity? During recovery, which decision is most defensible? Which evidence should guide the decision?

Question 35 (medium, multiple choice)

While supporting a hybrid workforce, a laptop may contain evidence for a legal investigation. What should the responder document during acquisition? During post-incident improvement, which decision is most defensible? Which evidence should guide the decision?

Question 36 (hard, multiple choice)

While supporting a hybrid workforce, a server suspected of running fileless malware is still powered on. Which evidence should be captured first if it is safe to do so? During detection and analysis, which decision is most defensible? Which evidence should guide the decision?

Question 37 (easy, multiple choice)

While supporting a hybrid workforce, after containing a compromised host, analysis shows persistence through a scheduled task and a stolen service account. What is required before recovery? During containment, which decision is most defensible? Which evidence should guide the decision?

Question 38 (medium, multiple choice)

While supporting a hybrid workforce, an incident was contained successfully, but delayed escalation allowed the attacker more dwell time. What should the post-incident review produce? During eradication, which decision is most defensible? Which evidence should guide the decision?

Question 39 (hard, multiple choice)

While supporting a hybrid workforce, a malware alert affects a single kiosk with no sensitive access. A second alert shows the same malware on a domain admin workstation. What should drive severity? During recovery, which decision is most defensible? Which evidence should guide the decision?

Question 40 (easy, multiple choice)

While supporting a hybrid workforce, a company wants to test whether legal, PR, IT, and executives understand their roles during a ransomware incident without touching production systems. What exercise is best? During post-incident improvement, which decision is most defensible? Which evidence should guide the decision?

Question 41 (medium, multiple choice)

After a high-priority SOC escalation, a user reports approving an unexpected OAuth consent prompt for an app named 'Invoice Reader'. The app now has mailbox read permissions. What should the incident responder do first? During detection and analysis, which decision is most defensible? Which response best matches incident-response practice?

Question 42 (hard, multiple choice)

While supporting a hybrid workforce, file shares show rapid encryption and ransom-note creation from one workstation. What is the best immediate containment action? During containment, which decision is most defensible? Which evidence should guide the decision?

Question 43 (easy, multiple choice)

After a high-priority SOC escalation, a developer accidentally committed a cloud access key to a public repository. Logs show the key was used from an unfamiliar IP. What should be done first? During eradication, which decision is most defensible? Which response best matches incident-response practice?

Question 44 (medium, multiple choice)

After a high-priority SOC escalation, a web server contains a new file that executes commands through a query parameter. What evidence best confirms web-shell activity? During recovery, which decision is most defensible? Which response best matches incident-response practice?

Question 45 (hard, multiple choice)

After a high-priority SOC escalation, a laptop may contain evidence for a legal investigation. What should the responder document during acquisition? During post-incident improvement, which decision is most defensible? Which response best matches incident-response practice?

Question 46 (easy, multiple choice)

After a high-priority SOC escalation, a server suspected of running fileless malware is still powered on. Which evidence should be captured first if it is safe to do so? During detection and analysis, which decision is most defensible? Which response best matches incident-response practice?

Question 47 (medium, multiple choice)

After a high-priority SOC escalation, after containing a compromised host, analysis shows persistence through a scheduled task and a stolen service account. What is required before recovery? During containment, which decision is most defensible? Which response best matches incident-response practice?

Question 48 (hard, multiple choice)

After a high-priority SOC escalation, an incident was contained successfully, but delayed escalation allowed the attacker more dwell time. What should the post-incident review produce? During eradication, which decision is most defensible? Which response best matches incident-response practice?

Question 49 (easy, multiple choice)

After a high-priority SOC escalation, a malware alert affects a single kiosk with no sensitive access. A second alert shows the same malware on a domain admin workstation. What should drive severity? During recovery, which decision is most defensible? Which response best matches incident-response practice?

Question 50 (medium, multiple choice)

After a high-priority SOC escalation, a company wants to test whether legal, PR, IT, and executives understand their roles during a ransomware incident without touching production systems. What exercise is best? During post-incident improvement, which decision is most defensible? Which response best matches incident-response practice?

Question 51 (hard, multiple choice)

During a post-compromise review, a user reports approving an unexpected OAuth consent prompt for an app named 'Invoice Reader'. The app now has mailbox read permissions. What should the incident responder do first? During detection and analysis, which decision is most defensible? Which action should be prioritized before closure?

Question 52 (easy, multiple choice)

After a high-priority SOC escalation, file shares show rapid encryption and ransom-note creation from one workstation. What is the best immediate containment action? During containment, which decision is most defensible? Which response best matches incident-response practice?

Question 53 (medium, multiple choice)

During a post-compromise review, a developer accidentally committed a cloud access key to a public repository. Logs show the key was used from an unfamiliar IP. What should be done first? During eradication, which decision is most defensible? Which action should be prioritized before closure?

Question 54 (hard, multiple choice)

During a post-compromise review, a web server contains a new file that executes commands through a query parameter. What evidence best confirms web-shell activity? During recovery, which decision is most defensible? Which action should be prioritized before closure?

Question 55 (easy, multiple choice)

During a post-compromise review, a laptop may contain evidence for a legal investigation. What should the responder document during acquisition? During post-incident improvement, which decision is most defensible? Which action should be prioritized before closure?

Question 56 (medium, multiple choice)

During a post-compromise review, a server suspected of running fileless malware is still powered on. Which evidence should be captured first if it is safe to do so? During detection and analysis, which decision is most defensible? Which action should be prioritized before closure?

Question 57 (hard, multiple choice)

During a post-compromise review, after containing a compromised host, analysis shows persistence through a scheduled task and a stolen service account. What is required before recovery? During containment, which decision is most defensible? Which action should be prioritized before closure?

Question 58 (easy, multiple choice)

During a post-compromise review, an incident was contained successfully, but delayed escalation allowed the attacker more dwell time. What should the post-incident review produce? During eradication, which decision is most defensible? Which action should be prioritized before closure?

Question 59 (medium, multiple choice)

During a post-compromise review, a malware alert affects a single kiosk with no sensitive access. A second alert shows the same malware on a domain admin workstation. What should drive severity? During recovery, which decision is most defensible? Which action should be prioritized before closure?

Question 60 (hard, multiple choice)

During a post-compromise review, a company wants to test whether legal, PR, IT, and executives understand their roles during a ransomware incident without touching production systems. What exercise is best? During post-incident improvement, which decision is most defensible? Which action should be prioritized before closure?

Question 61 (medium, multi select)

An organization has detected a ransomware outbreak that has encrypted critical file servers. The incident response team has activated the plan. Which three of the following actions should be taken during the containment and eradication phases? (Choose three.)

Question 62 (medium, multi select)

During a security incident, a digital forensics investigator must preserve evidence according to best practices. Which three of the following actions align with proper forensic procedures? (Choose three.)

Question 63 (medium, multi select)

A security analyst is reviewing lessons learned after a data breach. Which three of the following are key objectives of a post-incident activity phase? (Choose three.)

Question 64 (medium, multi select)

An organization has just experienced a successful phishing attack that led to credential theft. The incident response team is performing analysis. Which three of the following indicators of compromise (IOCs) would be most relevant to investigate? (Choose three.)

Question 65 (medium, multi select)

During the post-incident analysis phase of an incident response process, which of the following activities are considered essential best practices? Choose all that apply. (There are four correct answers.)

Question 66 (medium, drag order)

Arrange the steps for a typical penetration testing engagement in the correct order.

[Drag-and-drop ordering: five steps to be placed in slots 1 to 5]

Question 67 (medium, drag order)

Arrange the steps for conducting a risk assessment in the correct order.

[Drag-and-drop ordering: five steps to be placed in slots 1 to 5]

Question 68 (medium, matching)

Match each network protocol to its well-known port number.

Port numbers to match: 22, 443, 53, 25, 3389

Question 69 (medium, matching)

Match each security control to its category.

Categories to match: Preventive, Detective, Recovery, Administrative, Technical

Question 70 (easy, multiple choice)

A security analyst notices a single external IP address attempting to log in to multiple user accounts on the company's VPN server over the past hour. All attempts have failed. What should the analyst do FIRST?

Question 71 (medium, multiple choice)

During a ransomware attack, several workstations have been encrypted. The incident response team has identified the ransomware variant and determined it does not have a known decryption tool. Which containment strategy is MOST appropriate?

Question 72 (hard, multiple choice)

An incident responder is collecting evidence from a compromised Linux server. The server is still running. Which order of collection adheres to the order of volatility?

Question 73 (easy, multiple choice)

A company has been notified by a partner that sensitive data from their shared database was leaked. The CSIRT has been activated. Who should be notified FIRST according to the incident response plan?

Question 74 (medium, multiple choice)

A SOC analyst receives a file from an unknown source via email. The analyst wants to analyze the file without executing it to determine its functionality. Which type of analysis should be performed?

Question 75 (hard, multiple choice)

After a data breach involving customer PII, the incident response team has contained the incident and eradicated the malware. What is the NEXT step in the remediation process?

Question 76 (easy, multiple choice)

Which technology is specifically designed to detect anomalous user behavior that may indicate a compromised account?

Question 77 (medium, multiple choice)

During forensic acquisition, which of the following types of data is considered the MOST volatile?

Question 78 (hard, multiple choice)

A large e-commerce site is under a DDoS attack targeting its web servers. The incident response team is activated. Which goal should receive the HIGHEST priority during the response?

Question 79 (medium, multiple choice)

Refer to the exhibit. An analyst reviews the output from a netstat command on a server. Which connection is MOST likely indicative of command and control (C2) activity?

Exhibit

The following output is from a compromised server:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:3389           192.168.1.10:54321     TIME_WAIT
tcp        0      0 10.0.0.5:54321          198.51.100.20:4444     ESTABLISHED
tcp        0      0 10.0.0.5:22             10.0.0.1:50001        ESTABLISHED

Question 80 (hard, multiple choice)

Refer to the exhibit. A security analyst is reviewing an S3 bucket policy in AWS. What is the primary security misconfiguration?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::company-data/*"
    }
  ]
}

Question 81 (easy, multiple choice)

Refer to the exhibit. An analyst reviews file access logs and notices the entries above. Which is the MOST likely conclusion?

Exhibit

Log entries:
2025-03-01 14:23:05, user jsmith, action: file_read, file: /shared/HR/payroll.xlsx, source_ip: 192.168.2.100, device: laptop-44, location: office
2025-03-01 03:15:42, user jsmith, action: file_read, file: /shared/HR/payroll.xlsx, source_ip: 10.0.0.55, device: remote-desktop, location: remote

Question 82mediummulti select
Read the full NAT/PAT explanation →

A security analyst suspects an insider threat based on unusual data access patterns by an employee. According to best practices, which TWO actions should the analyst take FIRST?

Question 83hardmulti select
Read the full Incident Response and Management explanation →

Which THREE activities are typically performed during the post-incident activity phase of the incident response lifecycle?

Question 84easymulti select
Read the full Incident Response and Management explanation →

An end-user reports receiving an email with an unexpected attachment and urgent language requesting to click a link. Which TWO indicators confirm this is likely a phishing email?

Question 85easymultiple choice
Read the full Incident Response and Management explanation →

A security analyst detects unusual outbound traffic from a workstation. Which immediate action should the analyst take?

Question 86mediummultiple choice
Read the full Incident Response and Management explanation →

During incident response, the team identifies that an attacker used a compromised third-party vendor account to access the network. Which of the following should the team do first?

Question 87hardmultiple choice
Read the full Incident Response and Management explanation →

After containing a ransomware outbreak, the incident response team needs to restore encrypted files. They have verified clean backups from two weeks ago, but some critical files were modified on the day of the attack. What is the best approach?

Question 88easymultiple choice
Read the full Incident Response and Management explanation →

During a phishing investigation, an employee reports clicking a link and entering credentials. Which of the following should be the first step?

Question 89mediummultiple choice
Read the full Incident Response and Management explanation →

The SOC receives an alert from a network sensor showing an internal host communicating with a known malicious IP over HTTPS. The analyst cannot find any process making outbound connections on the host. What should the analyst do next?

Question 90hardmultiple choice
Read the full Incident Response and Management explanation →

During a post-incident review, the team finds that the detection was delayed by 4 hours because the SIEM rule had a low priority and was not monitored after hours. Which improvement is most effective?

Question 91easymultiple choice
Read the full Incident Response and Management explanation →

A company's IDS generated an alert for a SQL injection attempt against a web server. The web application firewall (WAF) is already in place. What is the best action?

Question 92mediummultiple choice
Read the full DNS explanation →

A security analyst notices that a system is sending a large amount of data to an external IP address via DNS tunneling. Which containment technique is most appropriate?

Question 93hardmultiple choice

During forensic analysis of a compromised server, the analyst finds that the attacker deleted the system logs. Which data source is most likely to still contain relevant evidence?

Question 94 (medium, multi select)

Which TWO of the following are key phases of the incident response process as defined by NIST?

Question 95 (hard, multi select)

Which TWO of the following are indicators of potential data exfiltration via DNS?

Question 96 (easy, multi select)

Which THREE of the following are common containment techniques used during incident response?

Question 97 (medium, multiple choice)

Refer to the exhibit. An analyst sees this output from a workstation. Which of the following is the most likely explanation?

Exhibit

C:\> netstat -an
Active Connections
  Proto  Local Address          Foreign Address         State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.168.1.100:49152    10.0.0.50:443          ESTABLISHED
  TCP    192.168.1.100:49153    203.0.113.5:4444       ESTABLISHED
  TCP    192.168.1.100:49154    203.0.113.5:4444       ESTABLISHED
  TCP    192.168.1.100:49155    203.0.113.5:4444       ESTABLISHED
  UDP    0.0.0.0:123            *:*

Question 98 (hard, multiple choice)

Refer to the exhibit. A security auditor finds this IAM policy attached to a user account. Which of the following describes the primary security concern?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}

Question 99 (hard, multiple choice)

A company's incident response team is handling a ransomware incident that has encrypted all files on the file server and spread to several workstations. The team has isolated the affected systems and obtained memory dumps and disk images. The CEO demands immediate restoration of operations and suggests paying the ransom to decrypt files quickly. The company has recent backups but they are stored on a network share that was also encrypted. The CISO wants to ensure that the root cause is identified before restoration. As the lead incident responder, which of the following actions should you take NEXT?

Question 100 (medium, multiple choice)

You are a security analyst for a mid-sized financial services company. At 2:30 PM, the endpoint detection and response (EDR) console alerts on three workstations in the accounting department, indicating that files are being encrypted with a '.encrypt' extension and a ransom note named 'READ_ME_NOW.html' has been dropped. The workstations are connected to a file server that hosts shared financial records and a domain controller that handles authentication. The file server and domain controller have not shown signs of compromise yet. Your incident response plan states that containment must begin within 15 minutes of detection. Based on your analysis of the EDR telemetry, the encryption process appears to be spreading via SMB connections from the first infected workstation. Which of the following is the BEST immediate containment action to prevent further spread while preserving evidence?

Question 101 (hard, multiple choice)

You are a senior incident responder for a large technology company. During a routine threat hunting exercise, you detect unusual network traffic from a Linux web server to an external IP address that is known to be associated with an advanced persistent threat (APT) group. The web server runs a custom PHP application and is not in the DMZ; instead, it is on the internal network serving a management dashboard. You have captured a memory dump of the web server and analyzed it with Volatility. The output shows a suspicious process running with the name 'apache2' but with an invalid parent process (PID 1 is 'apache2' itself). Additionally, you find a loaded kernel module called 'hideproc.ko' that is not part of the standard kernel. The network connections show a reverse shell to the external IP. You need to determine the most effective containment and eradication strategy that minimizes data loss and maintains business continuity while preserving evidence for law enforcement involvement.
