CCNA Cbrops Policies Procedures Questions

74 questions · Cbrops Policies Procedures topic · All types, answers revealed

1
MCQ · hard

A SOC Tier 2 analyst is investigating an alert that was escalated by Tier 1. The analyst needs to perform deeper correlation and malware analysis. Which of the following actions is most appropriate for Tier 2?

A. Analyze the malware sample in a sandbox and correlate with other indicators.
B. Conduct threat hunting to proactively search for threats.
C. Develop new detection rules for the SIEM.
D. Perform initial triage and basic investigation.
Answer: A

Tier 2 handles deeper analysis and correlation.

Why this answer

Tier 2 analysts perform deeper investigation, correlation, and malware analysis.

2
MCQ · medium

During an incident, a SOC Tier 1 analyst identifies a series of failed login attempts from an internal IP address. The analyst escalates the alert. What is the primary role of a Tier 2 analyst in this scenario?

A. Monitor alerts and perform initial triage
B. Make decisions on business impact and notification
C. Conduct threat hunting and advanced forensics
D. Perform deeper investigation and correlate events
Answer: D

Tier 2 analysts investigate escalated alerts and correlate data.

Why this answer

Tier 2 analysts perform deeper investigation, correlation, and analysis beyond initial triage.

3
MCQ · easy

Which SOC tier is responsible for threat hunting and advanced forensic analysis?

A. Tier 1
B. Tier 3
C. All tiers equally
D. Tier 2
Answer: B

Tier 3 involves threat hunting, advanced forensics, and tool development.

Why this answer

Tier 3 analysts perform proactive threat hunting and complex forensics.

4
MCQ · easy

Which organization facilitates threat intelligence sharing among members in a specific sector, such as finance or healthcare?

A. MISP
B. ISAC
C. STIX
D. TAXII
Answer: B

ISACs are sector-based sharing organizations.

Why this answer

ISACs (Information Sharing and Analysis Centers) are sector-specific threat intelligence sharing groups.

5
Multi-Select · medium

During the Containment, Eradication, and Recovery phase, which TWO actions are typically performed? (Select two.)

Select 2 answers
A. Lessons learned analysis
B. Evidence collection
C. Initial triage
D. Identifying the incident
E. Short-term containment
Answers: B, E

Forensic evidence is collected before eradication.

Why this answer

Short-term containment (e.g., isolating systems) and evidence collection are key activities in this phase.

6
MCQ · hard

During a risk assessment, a company identifies that the annualized loss expectancy (ALE) for a specific threat is $50,000. The cost to implement a mitigation control is $30,000 with an annual maintenance cost of $5,000. According to risk management principles, what is the most appropriate risk treatment option?

A. Accept the risk because the mitigation cost is higher than the ALE
B. Avoid the risk by discontinuing the activity
C. Transfer the risk by purchasing cyber insurance
D. Mitigate the risk by implementing the control
Answer: D

Since the mitigation cost is less than the ALE, it is cost-effective to mitigate.

Why this answer

If the cost of mitigation ($30,000 + $5,000 = $35,000) is less than the ALE ($50,000), it is cost-effective to mitigate the risk.

7
MCQ · hard

An organization is implementing an AUP that prohibits personal use of corporate resources. However, an employee uses a company laptop to access personal email, which leads to a malware infection. Which policy violation is most directly implicated?

A. Remote access policy
B. Information security policy
C. Password policy
D. Acceptable Use Policy (AUP)
Answer: D

The AUP prohibits personal use of corporate resources.

Why this answer

The Acceptable Use Policy (AUP) defines acceptable behavior regarding the use of company resources. Personal use that violates the AUP is a direct policy breach.

8
MCQ · hard

A SOC Tier 3 analyst is performing threat hunting. Which activity best describes the primary focus of a Tier 3 analyst?

A. Monitoring incoming alerts for potential incidents
B. Correlating alerts from multiple sources
C. Proactively searching for advanced threats
D. Creating user accounts and permissions
Answer: C

Threat hunting is a Tier 3 function.

Why this answer

Tier 3 focuses on proactive threat hunting and advanced analysis.

9
Multi-Select · hard

Which TWO standards/protocols are directly associated with threat intelligence sharing as defined by the CyberOps Associate curriculum?

Select 2 answers
A. ISO 27001
B. TAXII
C. OpenIOC
D. STIX
E. MISP
Answers: B, D

TAXII (Trusted Automated eXchange of Indicator Information) is the transport protocol for sharing STIX content.

Why this answer

STIX and TAXII are the primary standards for threat intelligence sharing. OpenIOC and MISP are related but not the core standards defined.

10
Multi-Select · hard

An organization is implementing a threat intelligence sharing program. Which THREE elements are commonly used standards or platforms for sharing threat intelligence?

Select 3 answers
A. MISP
B. ISAC
C. TAXII
D. STIX
E. OpenIOC
Answers: A, C, D

MISP (Malware Information Sharing Platform) is a platform for sharing threat intelligence.

Why this answer

STIX, TAXII, and MISP are widely used for threat intelligence sharing. ISAC is an organization, not a standard/platform. OpenIOC is a format but less common now.

11
Multi-Select · medium

During a security incident involving an insider threat, which TWO roles are most likely to be directly involved in the response?

Select 2 answers
A. Legal counsel
B. HR
C. SOC Tier 1 analyst
D. PR
E. External auditor
Answers: A, B

Legal counsel advises on legal implications and procedures.

Why this answer

HR handles personnel issues, and legal counsel handles legal aspects like termination and potential charges.

12
MCQ · medium

An organization is reviewing its risk management process and identifies a risk with a high probability and high impact. Management decides to stop the activity causing the risk. Which risk treatment option is being applied?

A. Risk mitigation
B. Risk acceptance
C. Risk avoidance
D. Risk transfer
Answer: C

Stopping the activity avoids the risk entirely.

Why this answer

Avoidance means eliminating the risk by discontinuing the activity.

13
MCQ · easy

Which risk treatment option involves implementing security controls to reduce the likelihood or impact of a risk?

A. Avoid
B. Mitigate
C. Transfer
D. Accept
Answer: B

Mitigate reduces risk through controls.

Why this answer

Mitigate means applying controls to reduce risk.

14
MCQ · medium

A company's legal counsel is involved in an incident response due to a data breach. What is the primary role of legal counsel during the incident?

A. Make decisions about business impact
B. Communicate with the public
C. Conduct forensic analysis of affected systems
D. Advise on data breach notification requirements
Answer: D

Legal counsel ensures compliance with notification laws.

Why this answer

Legal counsel ensures compliance with data breach notification laws.

15
MCQ · easy

Which risk treatment option involves taking actions to reduce the likelihood or impact of a risk?

A. Mitigate
B. Accept
C. Transfer
D. Avoid
Answer: A

Mitigation reduces risk through controls.

Why this answer

Mitigate means implementing controls to reduce risk.

16
MCQ · hard

An organization's incident response team has identified a malware infection on a critical server. They need to collect evidence for potential legal action. Which of the following is the most important step to ensure the admissibility of the evidence?

A. Contacting legal counsel before proceeding
B. Documenting the chain of custody for all evidence
C. Creating a forensic image of the affected hard drive
D. Isolating the server from the network
Answer: B

Chain of custody documentation is essential for legal proceedings to prove evidence integrity.

Why this answer

Maintaining a proper chain of custody documents who handled the evidence and ensures it has not been tampered with, which is critical for legal admissibility.

17
Multi-Select · easy

Which TWO roles are typically responsible for making decisions regarding business impact and external communication during an incident? (Select two.)

Select 2 answers
A. PR
B. Legal counsel
C. CISO
D. Incident handler
E. HR
Answers: A, C

PR manages external communication.

Why this answer

CISO decides on business impact; PR handles external communication.

18
MCQ · hard

An organization is required to preserve data that may be relevant to a lawsuit. Which legal process is invoked to prevent destruction of this data?

A. E-discovery
B. Legal hold
C. Chain of custody
D. Data retention policy
Answer: B

Legal hold ensures data is preserved for litigation.

Why this answer

A legal hold is issued to preserve data relevant to litigation.

19
MCQ · hard

During a security incident, the CISO decides to contain a compromised server by isolating it from the network. Which role is primarily responsible for making this containment decision based on business impact?

A. CISO
B. Incident handler
C. Legal counsel
D. PR representative
Answer: A

The CISO evaluates business impact and authorizes containment.

Why this answer

The CISO is the decision-maker for business impact and authorizes containment actions.

20
Multi-Select · medium

In the context of risk management, which THREE are valid risk treatment options?

Select 3 answers
A. Monitor
B. Ignore
C. Mitigate
D. Transfer
E. Accept
Answers: C, D, E

Mitigation reduces risk through controls.

Why this answer

The four risk treatment options are accept, avoid, transfer, and mitigate. Monitor is not a treatment option; it is part of ongoing management.

21
MCQ · medium

After resolving a security incident, the IR team conducts a lessons learned meeting. Which of the following are typical outputs of this post-incident activity? (Choose three.)

A. Recommendations for policy or procedure changes
B. Creation of new detection signatures for future incidents
C. Immediate containment of the incident
D. Development of metrics to measure response effectiveness
E. Updated incident response plan based on findings
Answer: A, D, E

Lessons learned often result in policy or procedure improvements.

Why this answer

Lessons learned leads to updating the IR plan, identifying metrics to measure performance, and recommending changes to policies.

22
MCQ · medium

An organization has implemented a new password policy requiring 12-character passwords with complexity. Which risk treatment option is this an example of?

A. Risk mitigation
B. Risk transfer
C. Risk acceptance
D. Risk avoidance
Answer: A

Implementing password policy reduces the likelihood of unauthorized access.

Why this answer

Implementing controls to reduce risk is mitigation.

23
Multi-Select · hard

A SOC Tier 1 analyst is processing alerts. Which THREE tasks are typical for a Tier 1 analyst? (Select three.)

Select 3 answers
A. Conduct deep malware analysis
B. Develop new detection signatures
C. Execute basic investigation using standard tools
D. Monitor alerts and events
E. Perform initial triage and categorization
Answers: C, D, E

Tier 1 uses predefined playbooks.

Why this answer

Tier 1 tasks include alert monitoring, initial triage, and basic investigation.

24
Multi-Select · medium

A SOC analyst is investigating a potential malware outbreak. Which THREE actions should the analyst take to preserve evidence? (Select three.)

Select 3 answers
A. Calculate a hash of the original drive before imaging
B. Reboot the system to clear memory
C. Document the chain of custody
D. Use a write blocker to create a forensic image
E. Run a full antivirus scan to remove malware
Answers: A, C, D

Hashing verifies integrity after imaging.

Why this answer

Hashing before imaging, using write blockers, and maintaining chain of custody are key evidence preservation steps.

25
Multi-Select · easy

A security analyst is establishing a data classification policy. Which TWO categories are commonly included in a data classification policy?

Select 2 answers
A. Archived
B. Encrypted
C. Backup
D. Confidential
E. Public
Answers: D, E

Confidential data requires strict access controls.

Why this answer

Common categories include public, internal, confidential, and restricted.

26
MCQ · medium

An organization is implementing a new remote access policy. Which of the following is a key component that should be included in this policy?

A. Prohibition of personal device usage for any work
B. Mandatory use of social media for communication
C. Requirements for multi-factor authentication
D. Daily password changes for remote users
Answer: C

MFA is a common security control for remote access.

Why this answer

Remote access policies typically specify allowed methods (e.g., VPN), authentication requirements, and security controls.

27
MCQ · medium

Which role in the incident response process is primarily responsible for determining the business impact of an incident and making strategic decisions?

A. HR
B. Legal counsel
C. Incident handler
D. CISO
Answer: D

The CISO is accountable for security strategy and decisions affecting business impact.

Why this answer

The CISO is the decision-maker who evaluates business impact and approves major actions.

28
MCQ · medium

An incident handler needs to preserve a hard drive from a compromised system. Which two actions are essential to maintain the integrity of the evidence?

A. Store the original drive in a Faraday bag
B. Copy files directly to an external drive using the operating system
C. Use a write blocker when creating the forensic image
D. Compute a cryptographic hash of the original drive before imaging
E. Boot the system from the hard drive to collect volatile data
Answer: C, D

Write blocker ensures no data is written to the source drive.

Why this answer

Option C is correct because a write blocker is a hardware or software tool that intercepts and blocks any write commands to the original drive, ensuring that no data is altered during the forensic imaging process. This is essential to maintain the integrity of the evidence, as any modification could render the data inadmissible in legal proceedings. Without a write blocker, even a simple read operation from the operating system could trigger unintended writes (e.g., metadata updates, file system journaling).

Exam trap

Cisco often tests the misconception that a Faraday bag preserves data integrity, when in fact it only prevents remote communication; the trap is confusing physical isolation (Faraday bag) with write protection (write blocker).

How to eliminate wrong answers

Option A is wrong because a Faraday bag is designed to block electromagnetic signals (e.g., RF, Wi-Fi, cellular) to prevent remote wiping or communication with the device, but it does not prevent physical write operations to the hard drive or preserve data integrity during imaging. Option B is wrong because copying files directly using the operating system modifies file metadata (e.g., access timestamps) and does not capture deleted files, slack space, or unallocated clusters; this violates forensic best practices for bit-for-bit imaging. Option E is wrong because booting from the compromised hard drive would alter the system state (e.g., writing to the page file, updating logs, modifying registry hives), destroying volatile data and potentially overwriting evidence; volatile data collection should be performed before powering off the system, not by booting from the drive.

29
MCQ · easy

In the NIST SP 800-61 Rev 2 incident response process, which phase involves activities such as performing lessons learned and updating the incident response plan?

A. Preparation
B. Containment, Eradication, and Recovery
C. Detection and Analysis
D. Post-Incident Activity
Answer: D

Post-Incident Activity includes lessons learned and plan updates.

Why this answer

Post-Incident Activity includes lessons learned, updating plans, and metrics.

30
MCQ · easy

Which security policy defines acceptable use of an organization's IT resources, including internet browsing and email?

A. Password Policy
B. Information Security Policy
C. Remote Access Policy
D. Acceptable Use Policy (AUP)
Answer: D

The AUP sets rules for using IT resources.

Why this answer

AUP specifies what is acceptable and unacceptable use of IT resources.

31
MCQ · medium

During the Detection and Analysis phase of incident response, a SOC Tier 1 analyst identifies a potential malware infection on a critical server. What is the FIRST action the analyst should take according to NIST SP 800-61 Rev 2?

A. Disconnect the server from the network immediately to contain the threat.
B. Escalate the incident to Tier 3 for advanced malware analysis.
C. Perform initial triage and prioritize the incident based on severity and impact.
D. Notify legal counsel and PR to prepare for potential data breach.
Answer: C

Triage is the first step to assess the incident's scope and urgency.

Why this answer

According to NIST SP 800-61 Rev 2, the first step in the Detection and Analysis phase is to perform initial triage and prioritize the incident based on severity and impact. This ensures that resources are allocated appropriately before any containment or escalation actions are taken. Option C is correct because triage is the foundational action that determines the urgency and scope of the response.

Exam trap

Cisco often tests the misconception that immediate containment (disconnecting the network) is the first action, but NIST explicitly prioritizes triage and prioritization to avoid destroying evidence or overreacting.

How to eliminate wrong answers

Option A is wrong because disconnecting the server immediately may destroy volatile evidence (e.g., running processes, network connections) and could be premature without first assessing the incident's severity and impact. Option B is wrong because escalation to Tier 3 should occur only after initial triage confirms the need for advanced analysis; skipping triage risks misallocating expert resources. Option D is wrong because notifying legal and PR is a post-escalation step that occurs after the incident is confirmed and prioritized, not during initial detection.

32
MCQ · hard

A security analyst needs to share threat intelligence with other organizations in a standardized, machine-readable format. Which combination of standards should the analyst use?

A. TAXII and MISP
B. STIX and TAXII
C. ISAC and STIX
D. OpenIOC and MISP
Answer: B

STIX provides the data format; TAXII provides the transport mechanism.

Why this answer

STIX is a language for threat intelligence, and TAXII is a protocol for sharing it. They are commonly used together.

33
MCQ · hard

During an incident, a forensic analyst needs to preserve evidence from a compromised hard drive. Which of the following steps is essential to maintain the chain of custody?

A. Deleting unnecessary files to reduce data volume
B. Storing the hard drive in a standard office drawer
C. Documenting the date, time, and person handling the evidence
D. Creating a bit-for-bit copy without write-blocking
Answer: C

Recording who handled the evidence, and when, is essential for chain of custody.

Why this answer

Chain of custody requires documenting each transfer of the evidence, including who handled it and when. Write-blocking prevents alteration and hashing verifies integrity, but it is the documentation of transfers that establishes custody.

34
MCQ · easy

During an incident investigation, a forensic analyst needs to preserve the integrity of a hard drive. Which two actions should the analyst take before imaging the drive?

A. Connect the drive directly to the forensic workstation
B. Generate a hash of the drive using SHA-256
C. Use a write blocker
D. Install antivirus software on the drive
Answer: B, C

Hashing before imaging provides a baseline for integrity verification.

Why this answer

Write-blocking prevents modification, and hashing ensures integrity verification before and after imaging.

35
Multi-Select · hard

A security team is implementing a remote access policy. Which TWO controls should be included to ensure secure remote access?

Select 2 answers
A. Multifactor authentication (MFA)
B. Single sign-on (SSO)
C. Password expiration every 90 days
D. Virtual private network (VPN)
E. Guest network access
Answers: A, D

MFA adds an extra layer of security beyond passwords.

Why this answer

MFA and VPN are standard controls for secure remote access.

36
MCQ · easy

An employee is suspected of using company resources to access inappropriate websites. Which security policy most directly addresses this behavior?

A. Acceptable Use Policy (AUP)
B. Remote access policy
C. Information security policy
D. Password policy
Answer: A

AUP defines what constitutes acceptable use of company assets, including internet browsing.

Why this answer

The Acceptable Use Policy defines acceptable use of company resources, including internet usage.

37
MCQ · medium

Which of the following are responsibilities of the legal counsel role during incident response? (Choose two.)

A. Determining data breach notification requirements
B. Communicating with the media
C. Conducting technical analysis of malware
D. Approving financial expenditures for containment
E. Issuing a legal hold to preserve relevant data
Answer: A, E

Legal counsel advises on legal obligations to notify affected parties.

Why this answer

Legal counsel advises on breach notification requirements and can place legal holds to preserve evidence for litigation.

38
MCQ · medium

A SOC analyst at Tier 1 receives an alert for a known malware signature. After initial investigation, the analyst finds that the alert is a false positive caused by an outdated signature. What should the analyst do next?

A. Escalate the alert to Tier 2 for further analysis
B. Update the signature database on the security tools
C. Initiate the containment process
D. Close the alert and document the finding
Answer: D

Tier 1 can close false positive alerts after confirmation and documentation.

Why this answer

Tier 1 analysts handle basic investigation and can close false positives. Updating signatures is outside their scope.

39
Multi-Select · medium

A security analyst is collecting evidence from a compromised system for legal proceedings. Which TWO actions are critical to preserve the integrity of the evidence?

Select 2 answers
A. Store the evidence in a public folder for easy access
B. Compute a cryptographic hash of the original drive before imaging
C. Delete any sensitive files to protect privacy
D. Run the system normally to capture volatile data
E. Use a write-blocker when creating a forensic image
Answers: B, E

Hash verifies integrity of the original.

Why this answer

Write-blocking prevents modification during acquisition, and hashing verifies integrity before and after imaging.

40
MCQ · medium

Which threat intelligence sharing standard defines a language and format for representing structured threat information, such as indicators and campaigns?

A. STIX
B. MISP
C. TAXII
D. OpenIOC
Answer: A

STIX defines a structured format for threat information.

Why this answer

STIX is a standardized language for describing threat intelligence, while TAXII is the protocol to share it.

41
MCQ · hard

A financial institution is evaluating risk treatment options for a newly identified vulnerability in its online banking platform. The vulnerability has a high likelihood of exploitation but low business impact. Which risk treatment option is most appropriate?

A. Transfer
B. Mitigate
C. Accept
D. Avoid
Answer: B

Mitigation through controls reduces the risk to an acceptable level.

Why this answer

Mitigate is appropriate when risk is high likelihood but low impact; controls can reduce likelihood further.

42
Multi-Select · easy

Which TWO are examples of risk treatment options? (Select two.)

Select 2 answers
A. Neglect
B. Mitigate
C. Ignore
D. Accept
E. Amplify
Answers: B, D

Mitigation means implementing controls to reduce risk.

Why this answer

Mitigate and accept are two of the four standard risk treatment options; the other two, avoid and transfer, do not appear among the choices, so the correct selections are mitigate and accept.

43
MCQ · medium

A security analyst at a SOC Tier 1 receives an alert about a potential malware infection on a user's workstation. What is the primary responsibility of the Tier 1 analyst in this scenario?

A. Coordinate with legal counsel for data breach notification
B. Conduct initial triage and basic investigation
C. Develop new detection signatures
D. Perform deep forensic analysis of the malware
Answer: B

Tier 1 handles initial triage and basic investigation.

Why this answer

Tier 1 analysts monitor alerts, perform initial triage, and escalate if needed. They conduct basic investigation.

44
MCQ · hard

During the containment phase of an incident, the IR team decides to power off a compromised server to prevent further damage. However, they later realize that this action may have destroyed volatile evidence. According to best practices, what should the team have done instead?

A. Disconnect the server from the network but leave it running
B. Perform a live forensic image of the server's memory before powering off
C. Immediately power off the server without any imaging
D. Skip evidence collection and focus solely on containment
Answer: B

Live imaging captures volatile data such as memory and running processes.

Why this answer

Short-term containment should preserve evidence; live imaging captures volatile data before power-off.

45
MCQ · medium

An organization uses STIX and TAXII to share threat intelligence with an ISAC. What is the purpose of TAXII in this scenario?

A. It stores threat intelligence locally
B. It is a platform for malware analysis
C. It provides a method to transport threat intelligence
D. It defines the format for threat indicators
Answer: C

TAXII is the transport mechanism.

Why this answer

TAXII is a protocol for exchanging STIX data.

46
MCQ · medium

A security analyst is investigating a potential data breach. They need to preserve evidence for legal proceedings. Which action should the analyst take to ensure the integrity of the data?

A. Run antivirus scans on the affected system
B. Use a write blocker when creating a forensic image
C. Delete suspicious files to contain the threat
D. Copy files to a network share without write protection
Answer: B

Write blockers prevent any writes to the source drive.

Why this answer

Write-blocking ensures original data is not altered during forensic acquisition.

47
MCQ · easy

During which phase of the NIST SP 800-61 Rev 2 incident response process should an organization develop and exercise the incident response plan?

A. Preparation
B. Post-Incident Activity
C. Detection and Analysis
D. Containment, Eradication, and Recovery
Answer: A

Preparation is the first phase where the IR plan, team, and tools are established and exercised.

Why this answer

Preparation includes creating the IR plan, team, tools, and conducting exercises. The other phases occur after an incident is detected.

48
Multi-Select · medium

Which TWO are components of the NIST SP 800-61 Rev 2 Preparation phase? (Select two.)

Select 2 answers
A. Conducting lessons learned
B. Developing an incident response plan
C. Containing the incident
D. Creating an incident response team
E. Identifying indicators of compromise
Answers: B, D

The IR plan is a key output of Preparation.

Why this answer

Preparation includes developing the IR plan and creating the IR team.

49
MCQ · medium

A company's security policy requires that all data classified as 'Confidential' must be encrypted at rest and in transit. This requirement is part of which policy?

A. Remote Access Policy
B. Password Policy
C. Data Classification Policy
D. Acceptable Use Policy
Answer: C

This policy defines classification levels and associated controls like encryption.

Why this answer

The requirement to encrypt 'Confidential' data is a direct outcome of a data classification policy, which defines categories (e.g., Public, Internal, Confidential, Restricted) and mandates specific security controls for each category. Encryption at rest and in transit is a typical control for the 'Confidential' tier, ensuring data is protected using mechanisms like AES-256 for storage and TLS 1.2+ for transmission.

Exam trap

Cisco often tests the distinction between a policy that defines data sensitivity levels (data classification) and a policy that implements access controls (remote access), leading candidates to confuse the encryption requirement with the method of access.

How to eliminate wrong answers

Option A is wrong because a remote access policy governs how users connect from external networks (e.g., VPN protocols, multi-factor authentication), not the classification-based encryption requirements for data. Option B is wrong because a password policy defines rules for password creation, complexity, and expiration (e.g., minimum length, special characters), not encryption of data based on sensitivity. Option D is wrong because an acceptable use policy outlines permitted and prohibited behaviors for company resources (e.g., browsing restrictions, software installation), not data encryption mandates tied to classification labels.

50
MCQ · medium

A SOC analyst is investigating a suspected data exfiltration. The analyst needs to preserve evidence from a compromised workstation. Which of the following is the CORRECT procedure to ensure evidence integrity?

A. Use a write-blocker, compute hash of original disk, create image, compute hash of image, and compare hashes.
B. Create a forensic image without write-blocking, then hash the image.
C. Copy all files to an external drive without hashing.
D. Disconnect the hard drive and boot from a live CD to collect data.
Answer: A

Matching hashes confirm that the image is an exact copy of the original disk.

Why this answer

Proper evidence preservation requires hashing the original disk before imaging and then hashing the image to verify integrity.

51
MCQ · medium

An incident handler collects a hard drive from a compromised server. To maintain chain of custody, which information must be documented?

A. The date, time, and signature of each person who handled the evidence
B. The IP address of the server
C. The name of the antivirus software installed
D. The operating system version
Answer: A

Documenting each handler ensures evidence integrity and admissibility.

Why this answer

Chain of custody requires detailed documentation of who handled evidence and when.

52
MCQ · medium

An organization is conducting a risk assessment and assigns a monetary value to potential losses. Which risk assessment method is being used?

A. Risk treatment
B. Qualitative risk assessment
C. Risk identification
D. Quantitative risk assessment
Answer: D

Quantitative uses numerical monetary values.

Why this answer

Assigning a monetary value to potential losses is a hallmark of quantitative risk assessment. This method uses numerical data (e.g., dollar amounts, percentages) to calculate metrics such as Single Loss Expectancy (SLE) and Annualized Loss Expectancy (ALE), enabling objective comparison of risks. In contrast, qualitative methods rely on subjective ratings like high/medium/low.

Exam trap

Cisco often tests the distinction between quantitative and qualitative risk assessment by describing a scenario with monetary values (quantitative) versus subjective ratings (qualitative), leading candidates to confuse risk treatment or identification with the assessment method itself.

How to eliminate wrong answers

Option A is wrong because risk treatment is the process of selecting and implementing controls to mitigate risk, not a method for assigning monetary values to losses. Option B is wrong because qualitative risk assessment uses descriptive scales (e.g., high, medium, low) rather than monetary values to evaluate risk. Option C is wrong because risk identification is the step of recognizing potential threats and vulnerabilities, not the phase where monetary values are assigned.

53
MCQ · medium

A security analyst receives an alert from the SIEM indicating a large number of failed login attempts from an external IP address targeting a user account. According to the incident response process, what should be the analyst's first action?

A. Initiate the legal hold process to preserve evidence
B. Contain the threat by blocking the IP address on the firewall
C. Escalate the alert to Tier 2 for deeper investigation
D. Perform initial triage to determine the severity and validity
Answer: D

Initial triage is the first step in Detection and Analysis to verify the alert and prioritize.

Why this answer

Initial triage is part of Detection and Analysis to determine if the alert is a true positive and assess its priority.

54
MCQeasy

In the NIST SP 800-61 Rev 2 incident response process, which phase involves documenting lessons learned and updating the incident response plan?

A.Containment, Eradication, and Recovery
B.Detection and Analysis
C.Post-Incident Activity
D.Preparation
AnswerC

Lessons learned and plan updates occur in this phase.

Why this answer

Option C is correct because the Post-Incident Activity phase of NIST SP 800-61 Rev 2 is specifically designed for conducting a lessons learned meeting, documenting findings, and updating the incident response plan based on those insights. This phase ensures continuous improvement of the incident response process by capturing what worked, what didn't, and what changes are needed for future incidents.

Exam trap

Cisco often tests the misconception that lessons learned and plan updates occur during the Detection and Analysis phase, because candidates confuse the analysis of the incident itself with the analysis of the incident response process performance.

How to eliminate wrong answers

Option A is wrong because Containment, Eradication, and Recovery focuses on stopping the incident, removing the threat, and restoring normal operations, not on documenting lessons learned or updating the plan. Option B is wrong because Detection and Analysis involves identifying and verifying an incident and assessing its impact, not post-incident review or plan updates. Option D is wrong because Preparation involves establishing and training the incident response team and acquiring tools before an incident occurs, not documenting lessons learned after an incident.

55
MCQhard

A SOC Tier 2 analyst receives an escalated alert about a potential command-and-control (C2) communication. The analyst needs to correlate network logs with threat intelligence. Which data format and transport protocol pair is specifically designed for standardized threat intelligence sharing?

A.OpenIOC and MISP
B.STIX and TAXII
C.MISP and STIX
D.TAXII and OpenIOC
AnswerB

STIX provides standardized threat intel formatting, and TAXII enables sharing.

Why this answer

STIX is the format, TAXII is the transport protocol for sharing threat intelligence.

56
Multi-Selecthard

A company is implementing threat intelligence sharing. Which THREE standards or platforms are used for this purpose? (Select three.)

Select 3 answers
A.SIEM
B.STIX
C.MISP
D.OpenIOC
E.TAXII
AnswersB, C, E

STIX (Structured Threat Information Expression) is the sharing standard; TAXII transports it and MISP is a sharing platform.

Why this answer

STIX, TAXII, and MISP are common threat intelligence sharing standards/platforms.

57
MCQhard

An organization uses a qualitative risk assessment to evaluate a new vendor. Which characteristic is typical of qualitative risk assessments?

A.Calculates annual loss expectancy (ALE)
B.Assigns numeric probabilities and impact
C.Uses monetary values to estimate loss
D.Ranks risks using scales such as high, medium, low
AnswerD

Qualitative assessments use descriptive scales.

Why this answer

Qualitative assessments use subjective ratings like high, medium, low.

58
MCQeasy

During which phase of the NIST SP 800-61 Rev 2 incident response process does an organization develop an incident response plan and assemble a team?

A.Containment, Eradication, and Recovery
B.Detection and Analysis
C.Preparation
D.Post-Incident Activity
AnswerC

Preparation includes planning, team formation, and tool setup.

Why this answer

The Preparation phase includes developing the IR plan, team, tools, and conducting exercises.

59
MCQmedium

During the Containment, Eradication, and Recovery phase, the incident response team collects evidence from a compromised system. Which document is used to record the chain of custody?

A.Data classification policy
B.Acceptable Use Policy
C.Incident response plan
D.Chain of custody form
AnswerD

This form records evidence handling details.

Why this answer

Chain of custody documentation tracks who handled evidence from collection to court presentation.

60
MCQeasy

A SOC Tier 1 analyst receives an alert for a potential malware infection. What is the primary responsibility of the Tier 1 analyst?

A.Communicate with the media
B.Develop detection signatures
C.Conduct advanced malware analysis
D.Perform initial triage and basic investigation
AnswerD

Tier 1 handles initial alert triage and basic investigation.

Why this answer

Tier 1 analysts monitor alerts and perform initial triage to determine if further investigation is needed.

61
Multi-Selectmedium

A SOC Tier 3 analyst is performing advanced threat analysis. Which TWO activities are typical for this tier?

Select 2 answers
A.Forensic analysis of compromised systems
B.Correlating multiple alerts
C.Monitoring SIEM dashboards
D.Initial triage of alerts
E.Threat hunting
AnswersA, E

Advanced forensics is a Tier 3 function.

Why this answer

Tier 3 involves threat hunting and advanced forensics, while Tier 1 handles triage and Tier 2 handles correlation.

62
MCQhard

An organization is conducting a risk assessment and wants to assign numerical values to the likelihood and impact of risks. Which type of risk assessment is being performed?

A.Quantitative risk assessment
B.Operational risk assessment
C.Qualitative risk assessment
D.Hybrid risk assessment
AnswerA

Quantitative assessment uses numerical values.

Why this answer

Quantitative risk assessment uses numerical values (e.g., monetary, percentages) to calculate risk.

63
MCQmedium

After containing a security incident, the incident response team eradicates the malware and restores systems from clean backups. Which phase of the NIST SP 800-61 Rev 2 process does this represent?

A.Preparation
B.Containment, Eradication, and Recovery
C.Post-Incident Activity
D.Detection and Analysis
AnswerB

Eradication and recovery are part of this phase.

Why this answer

Eradication removes the threat, and recovery restores normal operations.

64
MCQeasy

In the context of risk management, which term describes the risk that remains after implementing security controls?

A.Acceptable risk
B.Inherent risk
C.Transfer risk
D.Residual risk
AnswerD

Residual risk remains after controls.

Why this answer

Residual risk is the risk left after controls are applied. It must be accepted or further treated.

65
MCQeasy

A security analyst is triaging an alert about a user downloading a suspicious file. According to the NIST SP 800-61 Rev 2 incident response process, in which phase does initial triage occur?

A.Containment, Eradication, and Recovery
B.Post-Incident Activity
C.Preparation
D.Detection and Analysis
AnswerD

Triage is performed during Detection and Analysis to prioritize incidents.

Why this answer

Initial triage is part of the Detection and Analysis phase, where alerts are evaluated to determine if they are actual incidents.

66
MCQhard

During an incident investigation, the IR team collects evidence from a compromised server. The evidence must be admissible in court. Which documentation is essential to maintain the chain of custody?

A.A log of who accessed the evidence and when
B.The CVSS score of the vulnerability
C.A copy of the incident response plan
D.The organization's acceptable use policy
AnswerA

This maintains the chain of custody.

Why this answer

Chain of custody documentation includes detailed logs of evidence handling, including who collected it and when.

67
MCQmedium

An organization is developing an Acceptable Use Policy (AUP). Which of the following topics is typically covered in an AUP?

A.Password complexity requirements
B.Incident reporting procedures
C.Data classification levels
D.Prohibition of using company resources for illegal activities
AnswerD

AUPs commonly prohibit illegal activities.

Why this answer

An AUP defines acceptable use of IT resources, including prohibiting unauthorized access, personal use guidelines, and security responsibilities.

68
MCQmedium

During a security incident, the incident handler identifies that the breach involves personally identifiable information (PII) of customers. Which role is primarily responsible for determining if legal notification requirements apply?

A.Legal counsel
B.Incident handler
C.HR
D.CISO
AnswerA

Legal counsel interprets laws and notification obligations.

Why this answer

Legal counsel advises on data breach notification laws and regulatory requirements.

69
MCQmedium

A SOC analyst is investigating a possible insider threat. Which team member should be consulted due to the nature of the incident?

A.Public Relations
B.CISO
C.Legal counsel
D.Human Resources
AnswerD

HR is consulted for insider threats involving employees.

Why this answer

HR is involved in insider threat cases due to employee relations.

70
MCQmedium

A SOC Tier 2 analyst is investigating an alert that was escalated from Tier 1. The analyst suspects the malware is using a new variant of ransomware. What is the most appropriate next step for the Tier 2 analyst?

A.Notify legal counsel immediately
B.Escalate directly to Tier 3 for advanced analysis
C.Perform malware analysis and correlate with other alerts
D.Delete the affected files to contain the spread
AnswerC

This is a typical Tier 2 responsibility.

Why this answer

Tier 2 conducts deeper investigation, including malware analysis and correlation with other data.

71
Multi-Selectmedium

After a security incident, the IR team holds a lessons learned meeting. Which THREE activities are part of the Post-Incident Activity phase?

Select 3 answers
A.Developing metrics to measure IR effectiveness
B.Identifying improvements to the IR process
C.Updating the incident response plan
D.Conducting initial triage of new alerts
E.Restoring systems from backup
AnswersA, B, C

Metrics help track performance over time.

Why this answer

Post-incident activities include identifying improvements, updating the IR plan, and creating metrics.

72
MCQeasy

Which of the following is the CORRECT order of the NIST SP 800-61 Rev 2 incident response lifecycle phases?

A.Containment, Eradication, and Recovery, Detection and Analysis, Preparation, Post-Incident Activity
B.Post-Incident Activity, Preparation, Detection and Analysis, Containment, Eradication, and Recovery
C.Preparation, Detection and Analysis, Containment, Eradication, and Recovery, Post-Incident Activity
D.Detection and Analysis, Preparation, Containment, Eradication, and Recovery, Post-Incident Activity
AnswerC

This is the correct sequence.

Why this answer

The correct order is Preparation, Detection and Analysis, Containment, Eradication, and Recovery, and Post-Incident Activity.

73
MCQeasy

During which phase of the NIST SP 800-61 Rev 2 incident response process would the incident response team conduct initial triage and determine whether an event qualifies as an incident?

A.Detection and Analysis
B.Preparation
C.Containment, Eradication, and Recovery
D.Post-Incident Activity
AnswerA

This phase includes identifying incidents and performing initial triage.

Why this answer

Initial triage and identification of incidents occur in the Detection and Analysis phase.

74
MCQhard

An organization is implementing a threat intelligence sharing program. They want to exchange both structured indicators and full reports with other members of their ISAC. Which combination of standards/protocols should they choose? (Choose two.)

A.Snort rules
B.TAXII
C.OpenIOC
D.STIX
E.MISP
AnswersB, D

TAXII is the protocol for exchanging STIX content.

Why this answer

STIX (Structured Threat Information Expression) is the standard for representing structured threat indicators and full reports, while TAXII (Trusted Automated Exchange of Indicator Information) is the protocol for exchanging that STIX content over HTTPS. Together, they enable ISAC members to share both machine-readable indicators and human-readable reports in a standardized, automated manner.

Exam trap

Cisco often tests the distinction between a data model (STIX) and a transport protocol (TAXII), and candidates mistakenly choose MISP as a standard instead of recognizing it as a platform that implements these standards.

How to eliminate wrong answers

Option A is wrong because Snort rules are a signature format for intrusion detection systems, not a standard for exchanging threat intelligence between organizations. Option C is wrong because OpenIOC is a format for representing indicators of compromise, but it does not include a transport protocol for sharing full reports or support the structured report exchange required by an ISAC. Option E is wrong because MISP is a platform for threat intelligence sharing, not a standard or protocol; it can use STIX and TAXII for exchange, but MISP itself is not a standard/protocol combination.
