CCNA Security Operations Questions

65 questions · Security Operations · All types, answers revealed

1
MCQ · hard

During a ransomware incident, the organization discovers that all production backups have been encrypted by the attacker. What is the most effective recovery approach?

A. Restore from offline immutable backups
B. Restore from system restore points
C. Use a decryption tool from security vendors
D. Pay the ransom to obtain the decryption key
Answer: A

Immutable backups cannot be modified by ransomware and are reliable recovery sources.

Why this answer

Option A is correct because offline immutable backups are not accessible to the ransomware and provide a clean restore point. Option D is wrong because paying the ransom does not guarantee decryption. Option B is wrong because system restore points may also be encrypted. Option C is wrong because decryption tools often fail against modern ransomware.

2
MCQ · medium

A threat hunter wants to identify potential lateral movement within the network. Which data source is LEAST useful for this purpose?

A. Windows Event ID 4624 (Logon) from domain controllers
B. Windows Event ID 4648 (Logon with explicit credentials)
C. Windows Event ID 5140 (File share accessed)
D. DNS query logs
Answer: D

DNS logs show name resolution but not lateral movement itself.

Why this answer

Option D is correct because DNS logs primarily show domain resolution requests, which may not directly indicate lateral movement. Option A (Event ID 4624) shows logon events, including remote logons. Option B (Event ID 4648) shows logons made with explicit credentials, and Option C (Event ID 5140) shows file share access; all three are direct evidence of one host authenticating to or reaching into another.

3
MCQ · medium

During a routine vulnerability scan, a security engineer discovers that a critical web application is running an outdated version of a third-party library with a known remote code execution (RCE) vulnerability. The application is in production and cannot be taken offline immediately. Which of the following is the BEST immediate action to reduce risk?

A. Patch the library directly in the production environment.
B. Implement a virtual patch using a web application firewall (WAF) to block exploitation patterns.
C. Schedule a maintenance window for the next weekend to apply the vendor's patch.
D. Disable the web application until a patch is available.
Answer: B

A virtual patch provides temporary protection without affecting application availability.

Why this answer

Option B is correct because a WAF rule can block exploitation attempts while a permanent fix is developed. Option A might break functionality. Option C is too slow for immediate risk reduction.

Option D might not address the vulnerability entry point.

4
MCQ · hard

A large enterprise has deployed a security information and event management (SIEM) system that ingests logs from all critical servers, network devices, and endpoints. The SIEM is configured to correlate events and generate alerts for suspicious activities. Recently, the SOC team has been overwhelmed by a high volume of false positive alerts, particularly from the web server farm. The false positives are mainly triggered by legitimate web crawling and scanning activities from partners and internal tools. The SOC manager wants to reduce false positives without missing real threats. As the security architect, you are asked to recommend a solution. Which of the following is the BEST course of action?

A. Increase the event threshold for web server alerts to reduce sensitivity.
B. Disable logging of successful requests on the web servers to reduce log volume.
C. Tune the SIEM to use more aggressive deduplication and aggregation globally.
D. Create allowlists for known legitimate sources (e.g., partner IP ranges, internal scanners) in the SIEM correlation rules.
Answer: D

Directly reduces false positives while maintaining detection for unknown sources.

Why this answer

Option D is correct because creating allowlists for known legitimate sources (e.g., partner IP ranges, internal scanners) in the SIEM correlation rules directly addresses the root cause: false positives from trusted entities. This approach preserves detection sensitivity for unknown or malicious sources while suppressing alerts from pre-vetted IPs, reducing alert fatigue without compromising security coverage.

Exam trap

The trap here is that candidates confuse reducing log volume (Option B) with reducing false positives, or assume that global tuning (Options A and C) is safer than targeted allowlisting, when in fact allowlisting preserves detection fidelity for unknown threats.

How to eliminate wrong answers

Option A is wrong because increasing the event threshold globally would desensitize the SIEM to all web server alerts, potentially missing low-and-slow attacks or novel threats that fall below the new threshold. Option B is wrong because disabling logging of successful requests eliminates valuable forensic data needed for incident investigation and compliance, and does not reduce false positives from scanning activities that may generate 404s or other non-success codes. Option C is wrong because aggressive deduplication and aggregation globally could merge distinct malicious events into a single alert, obscuring attack patterns and causing loss of contextual detail across all log sources, not just web servers.

5
MCQ · hard

A SOC team uses a SOAR platform to automate incident response. They want to ensure that playbooks run with minimal human intervention but still require approval for actions that could cause service disruption. Which approach should be used?

A. Require analyst sign-off for every playbook action.
B. Use network isolation as a safety net for any action.
C. Implement conditional manual approval for destructive actions.
D. Configure the SOAR to automatically execute all playbook steps.
Answer: C

Conditional approval balances automation and safety.

Why this answer

Option C is correct because conditional manual approval allows automation for low-risk actions and human approval for high-risk ones. Option D (fully automated) is risky. Option A (fully manual) reduces efficiency. Option B is a technical control but does not address approval.

6
MCQ · medium

Given the exhibit, what is the effect of this S3 bucket policy on an object stored in 'bucket-name'?

A. Requests from outside 10.0.0.0/8 are allowed to read objects.
B. All requests from IPs in 10.0.0.0/8 are allowed to read objects.
C. Only anonymous requests are denied.
D. All requests to the bucket are denied regardless of source IP.
Answer: D

The Deny statement applies to all actions and all principals, so it denies everything.

Why this answer

Option D is correct. The Deny statement overrides the Allow because an explicit Deny takes precedence. The Allow only permits GetObject from 10.0.0.0/8, but the Deny of all actions for all principals blocks all access, including GetObject from the allowed IP range.

Option A is wrong because the effect is to deny all requests, not just those from outside 10.0.0.0/8. Option B is wrong because the Deny overrides the Allow. Option C is wrong because the explicit Deny covers all principals, not just anonymous requests.
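The precedence rule this question turns on (explicit Deny beats any Allow; no matching Allow is an implicit deny) can be checked with a small evaluator. The following is an added example, not part of the original question bank; the policy JSON is constructed to match the exhibit's description (the `Sid` values and the object key are assumptions), and the evaluator handles only the `Action`, `Resource` and `aws:SourceIp` matching needed here.

```python
import ipaddress
import json

# Constructed bucket policy matching the exhibit described in Question 6 (the
# exhibit itself is not on the page): an Allow for GetObject limited to
# 10.0.0.0/8 plus a Deny of every action for every principal. Both statements
# use Principal "*", so principal matching is omitted from the evaluator.
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowInternalRead",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucket-name/*",
      "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/8"}}
    },
    {
      "Sid": "DenyEverything",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::bucket-name/*"
    }
  ]
}
""")

OBJECT_ARN = "arn:aws:s3:::bucket-name/report.csv"   # assumed object key


def _glob_match(pattern, value):
    """IAM-style matching for Action and Resource: exact, or a trailing '*'."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def _condition_match(condition, source_ip):
    """Evaluate the IpAddress / NotIpAddress operators on aws:SourceIp."""
    if not condition:
        return True
    addr = ipaddress.ip_address(source_ip)
    for operator, keys in condition.items():
        cidrs = keys.get("aws:SourceIp", [])
        cidrs = [cidrs] if isinstance(cidrs, str) else cidrs
        in_range = any(addr in ipaddress.ip_network(c) for c in cidrs)
        if operator == "IpAddress" and not in_range:
            return False
        if operator == "NotIpAddress" and in_range:
            return False
    return True


def evaluate(policy, action, resource, source_ip):
    """Simplified resource-policy decision: a matching explicit Deny wins over
    any Allow; with no matching Allow the request is implicitly denied."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(_glob_match(a, action) for a in actions):
            continue
        if not _glob_match(stmt["Resource"], resource):
            continue
        if not _condition_match(stmt.get("Condition"), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "DENY (explicit)"
        allowed = True          # keep going: a later Deny can still override
    return "ALLOW" if allowed else "DENY (implicit)"


def without_statement(policy, sid):
    """Copy of the policy with one statement removed, to compare effects."""
    return {"Statement": [s for s in policy["Statement"] if s.get("Sid") != sid]}


if __name__ == "__main__":
    allow_only = without_statement(BUCKET_POLICY, "DenyEverything")
    for ip in ("10.1.2.3", "203.0.113.7"):
        print(ip,
              "| full policy:", evaluate(BUCKET_POLICY, "s3:GetObject", OBJECT_ARN, ip),
              "| Allow only:", evaluate(allow_only, "s3:GetObject", OBJECT_ARN, ip))
```

Removing the Deny statement shows what the Allow alone would do: internal reads succeed and everything else falls to the implicit deny.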

7
MCQ · medium

A security analyst notices repeated failed login attempts from a single IP address across multiple user accounts. Which of the following is the BEST immediate action to mitigate this attack?

A. Disable the affected user accounts until the source IP is blocked.
B. Reset the passwords for all affected accounts.
C. Enable multi-factor authentication for all accounts.
D. Implement a rate-limiting rule on the network firewall for the source IP.
Answer: D

Rate-limiting blocks excessive traffic from the source IP, directly halting the brute-force attempt.

Why this answer

Option D is correct because rate-limiting the source IP at the network firewall immediately throttles the number of authentication attempts from that address, mitigating the brute-force attack without disrupting legitimate user access. This is the best immediate action as it directly blocks the attack vector at the network layer, preventing further failed logins while preserving user productivity.

Exam trap

The trap here is that candidates often confuse a long-term security control (like MFA or password resets) with an immediate mitigation technique, failing to recognize that rate-limiting the source IP is the fastest way to stop the ongoing brute-force attack at the network perimeter.

How to eliminate wrong answers

Option A is wrong because disabling affected user accounts would deny service to legitimate users and does not address the root cause—the attacking IP can still target other accounts. Option B is wrong because resetting passwords for all affected accounts is a reactive, time-consuming measure that does not stop the ongoing attack from the same IP; the attacker can simply continue with new attempts. Option C is wrong because enabling multi-factor authentication (MFA) is a strong security improvement but is not an immediate action—it requires user enrollment and configuration, and it does not stop the current burst of failed login attempts from the single IP.

8
MCQ · medium

Based on the iptables exhibit, a security analyst has received an alert that an external IP (203.0.113.5) is attempting to connect to TCP port 3389 on the server. Which of the following best describes the current rule set's treatment of this traffic?

A. The connection will be allowed through because there is no explicit DROP rule
B. The connection will be logged and then dropped by the default policy
C. The connection will be accepted because there is a LOG rule
D. The connection will be logged and then dropped by the LOG rule
Answer: B

LOG rule logs, then default policy (DROP) drops the packet.

Why this answer

The correct answer is B. The rule set has a LOG rule for tcp dpt:3389 from any source, which will log the packet but not explicitly accept or drop it; since the policy in the INPUT chain is DROP, the packet will be dropped after being logged. Option A is incorrect because the LOG rule does not drop, only logs.

Option C is incorrect because there is no ACCEPT rule for 3389. Option D is incorrect because the default policy is DROP.
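The point of the question is that LOG is a non-terminating target: the packet is recorded and evaluation continues, so the chain policy decides. Below is an added example (not from the page) that walks a packet through an INPUT chain; the `iptables -S INPUT` listing is constructed to match the exhibit's description, and the parser covers only the options used in that listing.

```python
import ipaddress
import shlex

# Constructed rule listing in `iptables -S INPUT` form, modelled on the exhibit
# described in Question 8 (the exhibit itself is not on the page): the INPUT
# policy is DROP, there is a LOG rule for tcp dpt:3389 from any source, and no
# ACCEPT rule for 3389.
IPTABLES_S_INPUT = """\
-P INPUT DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 3389 -j LOG --log-prefix "RDP-ATTEMPT: "
"""

TERMINATING_TARGETS = {"ACCEPT", "DROP", "REJECT"}


def parse_input_chain(listing):
    """Parse the chain policy and the subset of rule options used above."""
    policy, rules = "ACCEPT", []
    for line in listing.strip().splitlines():
        tok = shlex.split(line)
        if tok[0] == "-P":
            policy = tok[2]
            continue
        rule = {"src": None, "proto": None, "dport": None, "states": None,
                "target": None, "log_prefix": ""}
        i = 2                                   # skip "-A INPUT"
        while i < len(tok):
            flag = tok[i]
            arg = tok[i + 1] if i + 1 < len(tok) else None
            if flag == "-s":
                rule["src"] = ipaddress.ip_network(arg)
            elif flag == "-p":
                rule["proto"] = arg
            elif flag == "--dport":
                rule["dport"] = int(arg)
            elif flag == "--ctstate":
                rule["states"] = set(arg.split(","))
            elif flag == "-j":
                rule["target"] = arg
            elif flag == "--log-prefix":
                rule["log_prefix"] = arg
            elif flag != "-m":                  # "-m conntrack" only names the match module
                raise ValueError(f"unsupported option {flag}")
            i += 2
        rules.append(rule)
    return policy, rules


def _matches(rule, pkt):
    if rule["src"] is not None and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["proto"] is not None and rule["proto"] != pkt["proto"]:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt["dport"]:
        return False
    if rule["states"] is not None and pkt["state"] not in rule["states"]:
        return False
    return True


def walk_input_chain(listing, pkt):
    """Return (verdict, log_lines) for one packet. LOG is non-terminating: it
    records the packet and evaluation continues with the next rule; if no
    terminating rule matches, the chain policy decides."""
    policy, rules = parse_input_chain(listing)
    logs = []
    for rule in rules:
        if not _matches(rule, pkt):
            continue
        if rule["target"] == "LOG":
            logs.append(f"{rule['log_prefix']}SRC={pkt['src']} "
                        f"PROTO={pkt['proto'].upper()} DPT={pkt['dport']}")
            continue
        if rule["target"] in TERMINATING_TARGETS:
            return rule["target"], logs
    return policy, logs


if __name__ == "__main__":
    rdp = {"src": "203.0.113.5", "proto": "tcp", "dport": 3389, "state": "NEW"}
    print(walk_input_chain(IPTABLES_S_INPUT, rdp))
```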

9
MCQ · easy

A security analyst observes anomalous outbound network traffic from a server that normally only performs internal functions. According to the incident response plan, what should the analyst do first?

A. Follow the incident response plan
B. Contain the server by disconnecting it from the network
C. Immediately shut down the server
D. Ignore the traffic as it might be a false positive
Answer: A

The incident response plan provides procedures for initial actions, including identification and reporting.

Why this answer

Option A is correct because the first step in incident response is to follow the established plan to ensure proper handling and minimize damage. Option B is wrong because containment should follow identification and reporting. Option C is wrong because shutting down may destroy evidence.

Option D is wrong because ignoring is risky.

10
MCQ · hard

An organization deploys a new web application that stores sensitive data in a backend database. During a penetration test, the tester discovers that the application is vulnerable to SQL injection via a search field. Which of the following design changes would best mitigate this vulnerability without significantly impacting functionality?

A. Deploy a web application firewall (WAF) to filter malicious payloads.
B. Rewrite the database query to use parameterized prepared statements.
C. Move all database queries to stored procedures.
D. Implement client-side input validation to block special characters.
Answer: B

Parameterized queries ensure user input is treated as data, not executable code, preventing SQL injection.

Why this answer

Option B is correct because parameterized prepared statements separate SQL logic from user input, ensuring that any input supplied via the search field is treated strictly as data, not executable code. This directly prevents SQL injection by eliminating the possibility of an attacker altering the query structure, regardless of the input content.

Exam trap

CompTIA often tests the misconception that stored procedures are inherently safe against SQL injection, but the trap is that they only prevent injection if they use parameterized queries internally—otherwise, they are just as vulnerable as inline SQL.

How to eliminate wrong answers

Option A is wrong because a WAF is a reactive, signature-based or heuristic filter that can be bypassed with carefully crafted payloads (e.g., encoding, obfuscation) and does not address the root cause of the vulnerability. Option C is wrong because stored procedures alone do not prevent SQL injection if they still concatenate user input into dynamic SQL strings; the protection comes from using parameterized queries within the stored procedure, not from the stored procedure itself. Option D is wrong because client-side validation can be easily bypassed by disabling JavaScript or using tools like cURL or Burp Suite to send raw HTTP requests, and it provides no server-side defense against injection.
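To make the difference between Options A/D and Option B concrete, here is an added example (not from the page) that runs the same search term through a concatenated query and through a parameterized one against a constructed SQLite table; the table, column names and search terms are assumptions.

```python
import sqlite3

# Constructed in-memory table standing in for the backend database behind the
# search field in Question 10; internal_only marks rows that a public search
# must never return.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, internal_only INTEGER)")
    conn.executemany(
        "INSERT INTO products (name, internal_only) VALUES (?, ?)",
        [("laptop", 0), ("monitor", 0), ("unreleased prototype", 1)],
    )
    return conn


def search_vulnerable(conn, term):
    """The 'before' pattern: the user's input is concatenated into the SQL
    text, so quote characters and operators inside it change the query's
    structure (the internal_only filter can be switched off)."""
    sql = ("SELECT name FROM products WHERE internal_only = 0 "
           "AND name LIKE '%" + term + "%'")
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term):
    """The fix from Option B: a prepared statement with a bound parameter. The
    input reaches the engine as a value, never as SQL, so the WHERE clause
    keeps its structure whatever the input contains."""
    sql = "SELECT name FROM products WHERE internal_only = 0 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def compare(term):
    """Run one search term through both implementations and return both results."""
    conn = make_db()
    try:
        return search_vulnerable(conn, term), search_parameterized(conn, term)
    finally:
        conn.close()


if __name__ == "__main__":
    print("benign term:", compare("lap"))
    # A quote plus a comment marker is the textbook way the WHERE clause gets
    # rewritten; the parameterized version simply finds no such product name.
    print("tautology  :", compare("x' OR 1=1 --"))
```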

11
MCQ · easy

Based on the exhibit, which vulnerability is being exploited?

A. Cross-site request forgery (CSRF)
B. SQL injection
C. Directory traversal
D. Cross-site scripting (XSS)
Answer: C

The path contains ../ to escape web root and read system files.

Why this answer

Option C is correct because the GET request uses ../ to traverse directories and access /etc/passwd, which is typical of a directory traversal attack. Option B is wrong because SQL injection would show SQL syntax. Option D is wrong because XSS would contain scripts. Option A is wrong because CSRF requires cross-site requests.

12
MCQ · easy

A security analyst receives an alert indicating an internal host is sending outbound traffic on TCP port 25 to multiple external IP addresses. Which action should the analyst take first to investigate potential data exfiltration?

A. Submit a change request to implement an email content filter.
B. Check if the host is configured as a mail server in the organization's asset database.
C. Block the outbound traffic on the firewall to prevent potential data exfiltration.
D. Run a full antivirus scan on the host to detect any malware.
Answer: B

This step quickly confirms if the traffic is expected, avoiding unnecessary escalation.

Why this answer

Option B is correct because the first step in investigating potential data exfiltration over TCP port 25 (SMTP) is to verify whether the host is authorized to send email. If the host is a legitimate mail server, the traffic may be normal; if not, it could indicate malware or a misconfigured application exfiltrating data via SMTP. This aligns with the CAS-004 objective of validating asset roles before escalating to containment.

Exam trap

The trap here is that candidates often jump to containment (blocking traffic) or remediation (antivirus scan) without first verifying the host's authorized role, which Cisco tests to ensure you follow a structured incident response process (identify before contain).

How to eliminate wrong answers

Option A is wrong because submitting a change request to implement an email content filter is a reactive, long-term control that does not address the immediate need to determine if the traffic is malicious; it also assumes the traffic is unauthorized without investigation. Option C is wrong because blocking outbound traffic on the firewall without first confirming the host's role could disrupt legitimate business operations (e.g., if the host is a mail server) and violates the principle of least disruption during incident response. Option D is wrong because running a full antivirus scan is a secondary step that may detect malware but does not confirm whether the host is authorized to send SMTP traffic; it also delays the critical triage step of asset verification.

13
MCQ · medium

A healthcare organization has suffered a ransomware attack. The ransomware encrypted all files on file servers and workstations, and a ransom note demands payment in cryptocurrency. The backup systems were also encrypted because the backup service account had write access to the backup repository. The organization's cybersecurity team has activated the incident response plan. Which of the following is the BEST course of action?

A. Restore data from the encrypted backups using a third-party decryption tool.
B. Isolate all affected systems from the network immediately to prevent further encryption.
C. Begin restoring systems from any clean backups located on removable media.
D. Pay the ransom to obtain the decryption key and restore operations quickly.
Answer: B

Containment stops the spread and limits damage.

Why this answer

Option B is correct because containment (isolating infected systems) is the priority to prevent spread to the remaining systems. Option D is dangerous because paying the ransom encourages further attacks and provides no guarantee of recovery. Option A is futile if the backups are compromised. Option C focuses on restoration without containment, risking re-encryption.

14
MCQ · medium

A security engineer is configuring a SIEM and wants to reduce false positives while ensuring that real attacks are detected. Which of the following approaches would best achieve this balance?

A. Aggregate all logs from all sources and create a single correlation rule for each attack type.
B. Use the default correlation rules provided by the SIEM vendor without modification.
C. Block all traffic from external IP addresses that are not on the organization's whitelist.
D. Tune correlation rules based on the organization's asset inventory, network architecture, and threat intelligence.
Answer: D

Custom tuning ensures rules are relevant and accurate, reducing false positives while detecting true threats.

Why this answer

Option D is correct because tuning correlation rules to the organization's specific asset inventory, network architecture, and threat intelligence directly reduces false positives by filtering out irrelevant events while ensuring that real attacks against known assets are detected. This approach leverages contextual knowledge to adjust thresholds, exclude noise, and prioritize alerts that match the actual attack surface, achieving the desired balance between sensitivity and specificity.

Exam trap

The trap here is that candidates often confuse network security controls (like blocking IPs) with SIEM tuning techniques, or assume that default rules or aggregation alone can achieve optimal detection without contextual customization.

How to eliminate wrong answers

Option A is wrong because aggregating all logs from all sources into a single correlation rule for each attack type ignores the need for context-specific tuning, leading to excessive noise and false positives from irrelevant or duplicate events. Option B is wrong because using default correlation rules without modification fails to account for the organization's unique environment, resulting in either missed attacks (if rules are too narrow) or overwhelming false positives (if rules are too broad). Option C is wrong because blocking all traffic from external IPs not on a whitelist is a network access control measure, not a SIEM tuning technique, and it would disrupt legitimate business traffic while not addressing false positives in detection logic.

15
MCQ · hard

A security analyst reviews the above Windows security events from a domain controller. What is the most likely conclusion about the activity?

A. The jsmith account is performing routine administrative tasks with standard user privileges.
B. An attacker has compromised the jsmith account and used it to perform lateral movement and access sensitive data.
C. The Administrator account is locked out due to repeated failed logon attempts.
D. A user named jsmith is attempting to reset the Administrator password via network logon.
Answer: B

The sequence matches typical PtH: failed logon as admin, then successful interactive logon with high privileges, then accessing admin share.

Why this answer

Event ID 4624 with Logon Type 3 (network logon) from jsmith to the domain controller, followed by Event ID 4670 (permissions on an object changed) on a sensitive file share, indicates lateral movement and privilege escalation. The combination of network authentication and subsequent access to sensitive data is a classic indicator of an attacker using compromised credentials to move laterally within the network.

Exam trap

Cisco often tests the distinction between logon types (e.g., Type 2 for interactive, Type 3 for network) and the specific event IDs associated with account management versus object access, leading candidates to confuse a network logon with a password reset or lockout event.

How to eliminate wrong answers

Option A is wrong because Event ID 4624 with Logon Type 3 indicates a network logon, not a local interactive session, and standard user privileges would not generate Event ID 4670 for permission changes on sensitive objects. Option C is wrong because account lockout would generate Event ID 4740, not the 4624 and 4670 events shown; the Administrator account is not referenced in the provided events. Option D is wrong because a password reset attempt would generate Event ID 4724 (password reset attempt), not a network logon (4624) followed by permission changes (4670); the events show successful authentication and subsequent object access, not a reset attempt.
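The sequence this question describes (a 4624 network logon followed by object access under the same account and source) is exactly what a lateral-movement correlation rule looks for, and it also illustrates why Question 2 treats the logon and share-access event IDs as the useful sources. The following is an added example, not from the page: the event excerpt is constructed to match the exhibit's description (accounts, times and addresses are assumptions) and the detection logic is the author's own, not any vendor's rule.

```python
from datetime import datetime, timedelta

# Constructed security-log excerpt (the exhibit referred to in Question 15 is
# not on the page): a network logon by jsmith to the DC followed by a share
# access and a permission change, plus two benign sequences for contrast.
EVENTS = [
    {"time": "2024-03-01T02:14:05", "id": 4624, "account": "jsmith",     "logon_type": 3,    "src_ip": "10.0.5.23", "object": None},
    {"time": "2024-03-01T02:14:40", "id": 5140, "account": "jsmith",     "logon_type": None, "src_ip": "10.0.5.23", "object": r"\\DC01\Finance$"},
    {"time": "2024-03-01T02:15:02", "id": 4670, "account": "jsmith",     "logon_type": None, "src_ip": "10.0.5.23", "object": r"\\DC01\Finance$\payroll.xlsx"},
    {"time": "2024-03-01T08:30:00", "id": 4624, "account": "asmith",     "logon_type": 2,    "src_ip": "-",         "object": None},
    {"time": "2024-03-01T08:31:10", "id": 4670, "account": "asmith",     "logon_type": None, "src_ip": "-",         "object": r"C:\Users\asmith\notes.txt"},
    {"time": "2024-03-01T09:00:00", "id": 4624, "account": "svc-backup", "logon_type": 3,    "src_ip": "10.0.1.9",  "object": None},
]

# Follow-on events that, after a network logon, indicate the account is being
# used to reach into or change things on the target.
FOLLOW_ON_IDS = {
    4648: "logon with explicit credentials",
    5140: "file share accessed",
    4670: "object permissions changed",
}


def find_lateral_movement(events, window_minutes=10):
    """Flag a network logon (4624, Logon Type 3) that is followed, within the
    window and from the same account and source address, by explicit-credential
    use, share access or permission changes. Only authentication and object
    access events are consulted; DNS data (Question 2) plays no part here."""
    findings = []
    ordered = sorted(events, key=lambda e: e["time"])
    for i, ev in enumerate(ordered):
        if ev["id"] != 4624 or ev["logon_type"] != 3:
            continue                       # interactive logons (Type 2) are not the trigger
        start = datetime.fromisoformat(ev["time"])
        deadline = start + timedelta(minutes=window_minutes)
        follow = [
            e for e in ordered[i + 1:]
            if e["id"] in FOLLOW_ON_IDS
            and e["account"] == ev["account"]
            and e["src_ip"] == ev["src_ip"]
            and datetime.fromisoformat(e["time"]) <= deadline
        ]
        if follow:
            findings.append({
                "account": ev["account"],
                "src_ip": ev["src_ip"],
                "logon_at": ev["time"],
                "sequence": [4624] + [e["id"] for e in follow],
                "objects": [e["object"] for e in follow],
            })
    return findings


if __name__ == "__main__":
    for f in find_lateral_movement(EVENTS):
        print(f["account"], "from", f["src_ip"], "->", f["sequence"], f["objects"])
```

A network logon with nothing after it (svc-backup above) is not flagged on its own; the rule fires on the sequence, which is what distinguishes this pattern from ordinary service authentication.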

16
MCQ · hard

Based on the exhibit, what type of attack is most likely occurring?

A. Man-in-the-middle (MITM) attack
B. Phishing attack
C. Distributed denial-of-service (DDoS) attack
D. Brute-force attack
Answer: D

The log shows repeated failed authentication attempts, typical of brute force.

Why this answer

Option D is correct because multiple failed SSH login attempts from various IPs with different usernames indicate a brute-force attack. Option C is wrong because DDoS would flood traffic, not authentication attempts. Option A is wrong because MITM would involve interception. Option B is wrong because phishing is social engineering.

17
MCQ · medium

A cloud security team uses AWS and has configured a virtual private cloud (VPC) with a public subnet for a web application. The web servers in the public subnet have security groups that allow inbound HTTP/HTTPS from 0.0.0.0/0. The security team receives an alert that an EC2 instance in the public subnet is making outbound connections to an IP address that is listed on a threat intelligence feed as a known mining pool. The instance's security group allows all outbound traffic. The team suspects the instance is compromised and running cryptocurrency mining malware. Which of the following should be the FIRST action to take?

A. Isolate the instance by revoking its security group egress rules temporarily to prevent further communication.
B. Start a full antivirus scan on the instance and monitor the network logs.
C. Take a forensic snapshot of the instance and then terminate it.
D. Modify the security group inbound rules to block traffic from the miner IP only.
Answer: A

Immediate containment by blocking outbound traffic stops the malware from phoning home.

Why this answer

Option A is correct because isolating the instance by revoking its security group egress immediately cuts off the communication to the mining pool, containing the threat. Option C (snapshot and terminate) loses evidence. Option B (scanning and monitoring) allows the attack to continue. Option D (blocking only the miner IP) may not block future connections.

18
Drag & Drop · medium

Drag and drop the steps to set up a SIEM alert for a failed login threshold into the correct order.


Why this order

SIEM rule creation: identify log source, create rule, set threshold, configure response, then enable and test.
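The rule this item has you build (pick the log source, count failures, set a threshold, fire a response) is shown end to end in the added example below, which is not from the page; it also applies the allowlisting from Question 4 so that a known internal scanner does not trip the threshold, and the sshd log lines, addresses and thresholds are constructed. The same rule is what would surface the single-source brute force of Question 7 and the SSH pattern of Question 16.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log excerpt (not from the page): one external source making
# six failures in a minute, an internal scanner doing the same, and a user who
# mistypes twice before logging in.
SAMPLE_LOG = """\
Mar  1 02:10:01 web01 sshd[1201]: Failed password for root from 198.51.100.23 port 41022 ssh2
Mar  1 02:10:03 web01 sshd[1202]: Failed password for invalid user admin from 198.51.100.23 port 41023 ssh2
Mar  1 02:10:05 web01 sshd[1203]: Failed password for invalid user test from 198.51.100.23 port 41024 ssh2
Mar  1 02:10:07 web01 sshd[1204]: Failed password for root from 198.51.100.23 port 41025 ssh2
Mar  1 02:10:09 web01 sshd[1205]: Failed password for invalid user oracle from 198.51.100.23 port 41026 ssh2
Mar  1 02:10:11 web01 sshd[1206]: Failed password for root from 198.51.100.23 port 41027 ssh2
Mar  1 02:12:00 web01 sshd[1210]: Failed password for deploy from 10.0.9.4 port 51000 ssh2
Mar  1 02:12:01 web01 sshd[1211]: Failed password for deploy from 10.0.9.4 port 51001 ssh2
Mar  1 02:12:02 web01 sshd[1212]: Failed password for deploy from 10.0.9.4 port 51002 ssh2
Mar  1 02:12:03 web01 sshd[1213]: Failed password for deploy from 10.0.9.4 port 51003 ssh2
Mar  1 02:12:04 web01 sshd[1214]: Failed password for deploy from 10.0.9.4 port 51004 ssh2
Mar  1 02:12:05 web01 sshd[1215]: Failed password for deploy from 10.0.9.4 port 51005 ssh2
Mar  1 02:20:00 web01 sshd[1300]: Failed password for alice from 203.0.113.8 port 50222 ssh2
Mar  1 02:20:15 web01 sshd[1301]: Failed password for alice from 203.0.113.8 port 50223 ssh2
Mar  1 02:20:30 web01 sshd[1302]: Accepted password for alice from 203.0.113.8 port 50224 ssh2
"""

# Step 1, log source: sshd authentication failures in syslog format.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Known legitimate sources (the Question 4 approach): suppress these instead
# of raising the threshold for everyone. Assumed internal scanner range.
ALLOWLIST = [ipaddress.ip_network("10.0.9.0/24")]


def _parse_ts(text):
    # Syslog timestamps carry no year; relative ordering is all the rule needs.
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S")


def _allowlisted(ip):
    return any(ipaddress.ip_address(ip) in net for net in ALLOWLIST)


def failed_login_alerts(log_text, threshold=5, window_seconds=120):
    """Steps 2-4: sliding-window count of failed logins per source IP. Fires
    one alert when `threshold` failures fall within `window_seconds`, then
    resets that source so a sustained attack re-alerts only after another
    full burst rather than on every subsequent line."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)          # ip -> (timestamp, user) of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                     # successful logins and other lines are ignored
        ip, ts = m["ip"], _parse_ts(m["ts"])
        if _allowlisted(ip):
            continue
        q = recent[ip]
        q.append((ts, m["user"]))
        while q and ts - q[0][0] > window:
            q.popleft()                  # drop failures older than the window
        if len(q) >= threshold:
            alerts.append({
                "src_ip": ip,
                "failures": len(q),
                "users": sorted({u for _, u in q}),
                "first": q[0][0].strftime("%H:%M:%S"),
                "last": ts.strftime("%H:%M:%S"),
            })
            q.clear()
    return alerts


if __name__ == "__main__":
    # Step 5, test the rule against the sample before enabling it.
    for alert in failed_login_alerts(SAMPLE_LOG):
        print(alert)
```

Against the sample only 198.51.100.23 alerts: the scanner is allowlisted and alice's two mistakes stay under the threshold.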

19
MCQ · easy

An organization wants to implement a solution that automatically detects and blocks malicious traffic based on known signatures and behavioral anomalies. Which of the following should be deployed?

A. Next-generation firewall with application control
B. Web application firewall (WAF)
C. Security information and event management (SIEM) system
D. Network-based IDS/IPS
Answer: D

IDS/IPS combined provides detection and prevention for known signatures and anomalies.

Why this answer

A network-based IDS/IPS (Intrusion Detection/Prevention System) is designed to inspect network traffic in real time, using a combination of signature-based detection (matching known attack patterns) and behavioral/anomaly-based detection (identifying deviations from normal traffic baselines). This dual approach allows it to both detect and automatically block malicious traffic, fulfilling the organization's requirement directly.

Exam trap

The trap here is that candidates often confuse a next-generation firewall's application control with the deep packet inspection and behavioral analysis capabilities of a dedicated IDS/IPS, overlooking that NGFWs typically lack comprehensive signature-based threat detection for non-application-layer attacks.

How to eliminate wrong answers

Option A is wrong because a next-generation firewall with application control primarily focuses on application-layer filtering and policy enforcement, not on deep packet inspection for known attack signatures or behavioral anomaly detection. Option B is wrong because a web application firewall (WAF) is specialized to protect web applications from HTTP/S-specific attacks (e.g., SQL injection, XSS) and does not provide general network-level signature or anomaly detection for all traffic types. Option C is wrong because a security information and event management (SIEM) system aggregates and correlates logs from multiple sources for analysis and alerting, but it does not perform inline traffic inspection or automatic blocking of malicious packets.

20
Multi-Select · hard

A security operations team wants to improve their threat intelligence program. Which THREE of the following are most important for ensuring that threat intelligence is actionable and effectively integrated into security operations?

Select 3 answers
A. Ensure threat intelligence feeds provide timely indicators of compromise (IOCs) that are less than 24 hours old.
B. Require that all threat intelligence sources are completely anonymous to ensure unbiased reporting.
C. Integrate threat intelligence feeds directly into SIEM and SOAR platforms for automated correlation and response.
D. Subscribe to as many threat intelligence feeds as possible to maximize coverage.
E. Prioritize intelligence that includes context such as targeted sectors, attacker motivations, and TTPs.
Answers: A, C, E

Stale IOCs are useless; timeliness is critical for blocking active campaigns.

Why this answer

Option A (timeliness) ensures relevance; Option E (context) allows prioritization; Option C (integration with detection tools) automates response. Option D (volume) can lead to noise. Option B (anonymity) is not a key quality for intelligence.

21
MCQ · hard

A security engineer needs to design a solution to detect and respond to insider threats involving unauthorized data exfiltration via USB devices. Which of the following is the MOST effective approach?

A. Conduct regular security awareness training on data handling policies.
B. Deploy endpoint detection and response (EDR) agents on all workstations.
C. Disable all USB ports via group policy.
D. Implement a data loss prevention (DLP) solution with device control and content inspection.
Answer: D

DLP can block, log, and alert on unauthorized USB transfers.

Why this answer

Option D is the most effective because a DLP solution with device control and content inspection can monitor, block, or alert on unauthorized data transfers to USB devices by inspecting the content being written (e.g., file types, keywords, patterns) and enforcing policies at the endpoint or network level. This directly addresses the specific threat of data exfiltration via USB, unlike other options that either lack detection or are too restrictive.

Exam trap

The trap here is that candidates often choose EDR (Option B) because they associate it with endpoint security, but EDR is designed for threat detection (e.g., malware, lateral movement), not for granular data exfiltration control via USB, which requires DLP's content-aware inspection and device control capabilities.

How to eliminate wrong answers

Option A is wrong because security awareness training is a preventive control that relies on user compliance and does not provide real-time detection or automated response to unauthorized USB data transfers. Option B is wrong because EDR agents focus on detecting and responding to malware and suspicious process behavior, not on monitoring or blocking file copy operations to removable media. Option C is wrong because disabling all USB ports via group policy is a brute-force approach that prevents legitimate use (e.g., keyboards, mice) and does not allow for granular control or detection of authorized vs. unauthorized data transfers.

22
MCQ · medium

Based on the exhibit, what is the primary purpose of the condition in this IAM policy?

A. Enable encryption in transit for the S3 bucket
B. Allow all incoming traffic to the S3 bucket
C. Deny access from the specified IP ranges
D. Restrict access to requests originating from the specified IP ranges
Answer: D

The condition allows only requests from those IPs.

Why this answer

Option D is correct because the condition uses aws:SourceIp to restrict access to specific IP ranges. Option B is wrong because the policy does not allow all traffic. Option C is wrong because it is an Allow policy with a condition, not a Deny. Option A is wrong because encryption is not addressed.

23
MCQ · medium

A small business runs its critical line-of-business application on a single Windows server located in a local data center. The server is accessed by employees remotely via RDP over a VPN. Recently, the server has been experiencing slow performance, and the administrator notices high CPU usage from a process named 'svchost.exe'. The administrator suspects malware but is not sure. The business has no security tools beyond Windows Defender. Management wants to minimize downtime and ensure the server is back to full operation as soon as possible. Which of the following is the BEST course of action for the administrator to take first?

A. Run a full offline scan using Microsoft Defender (Windows Defender Offline) from a bootable media.
B. Restore the server from the most recent backup taken before the performance issues started.
C. Install a third-party antivirus solution and perform a full system scan.
D. Disconnect the server from the network immediately to contain any potential threat.
Answer: A

Can detect and remove malware without affecting the running system, minimizing downtime.

Why this answer

A full offline scan using Microsoft Defender Offline boots the server from a clean environment, bypassing the running operating system where malware can hide or resist detection. This approach directly addresses the suspected malware without relying on the compromised OS, minimizes downtime by avoiding unnecessary restoration or network changes, and uses the only security tool available (Windows Defender) effectively.

Exam trap

CompTIA often tests the principle of 'least disruption first' combined with 'clean environment scanning,' where candidates mistakenly choose immediate network isolation (Option D) or backup restoration (Option B) without first using a low-impact diagnostic tool like an offline scan.

How to eliminate wrong answers

Option B is wrong because restoring from a backup taken before the performance issues started assumes the backup is clean and that the issue is definitively malware, but it could be a non-malware cause (e.g., a corrupted update or misconfiguration) and restoration incurs significant downtime and potential data loss. Option C is wrong because installing a third-party antivirus on a potentially compromised system can itself trigger conflicts, increase downtime, and the scan runs within the same vulnerable OS environment where malware may evade detection. Option D is wrong because immediately disconnecting the server from the network is premature without confirming a threat exists, and it causes unnecessary downtime for a business that relies on remote access via VPN; containment should follow confirmation of an active threat.

24
MCQhard

During a forensic investigation, an analyst finds that a compromised system's memory dump shows signs of a kernel-mode rootkit. Which technique is MOST effective to detect the rootkit without relying on the compromised OS?

A.Run antivirus scans on the disk image.
B.Compare registry snapshots before and after infection.
C.Analyze network packet captures for C2 traffic.
D.Perform memory analysis using volatility on an isolated forensic workstation.
AnswerD

Memory analysis from a dump allows detection of kernel-mode artifacts without trusting the compromised OS.

Why this answer

Option D is correct because memory forensics on a separate, isolated workstation allows analysis of the dump without trusting the compromised OS. Option A relies on the disk image and antivirus signatures, which a kernel-mode rootkit can evade. Option C is for network traffic, not kernel rootkits.

Option B may not detect rootkits if they hide their registry artifacts.

25
MCQmedium

A security analyst at a financial institution is investigating a potential data exfiltration incident. The organization uses a zero-trust network architecture with micro-segmentation. The analyst notices that a database server with sensitive customer financial data has been communicating with an external IP address (198.51.100.45) over port 443 during non-business hours. The database server is not supposed to initiate outbound connections; all outbound traffic is logged and blocked by default except for specific allowlisted IPs and ports. The analyst reviews the firewall logs and finds that the outbound connection to 198.51.100.45 was allowed because the source port was 443, which is an allowed port for inbound HTTPS traffic. The database server is not a web server and does not run any HTTPS services. Which of the following is the best course of action for the analyst to take first?

A.Immediately block the external IP address at the perimeter firewall
B.Disable the database server's network interface
C.Review the database server's recent application logs for any anomalies
D.Check the endpoint detection and response (EDR) logs on the database server for signs of malware or unauthorized processes
AnswerD

Checking EDR logs can quickly indicate whether the server is compromised, guiding further actions.

Why this answer

Option D is correct because the database server is not supposed to initiate outbound connections, yet a connection to an external IP over port 443 was allowed due to source port 443 matching an inbound allow rule. This strongly suggests the server may be compromised, with malware or an unauthorized process using source port 443 to bypass firewall restrictions. Checking EDR logs is the best first step to identify malicious processes or indicators of compromise without prematurely destroying evidence.

Exam trap

The trap here is that candidates assume the firewall allowed the connection because port 443 is legitimate for HTTPS, but the key insight is that the source port (not destination port) was used to bypass egress rules, requiring endpoint-level investigation rather than network-level blocking or application log review.

How to eliminate wrong answers

Option A is wrong because immediately blocking the external IP at the perimeter firewall could alert an attacker and destroy forensic evidence before the scope of the incident is understood. Option B is wrong because disabling the database server's network interface is a drastic, disruptive action that should only be taken after confirming compromise and preserving evidence; it may also cause unnecessary downtime for legitimate services. Option C is wrong because while reviewing application logs may be useful later, the database server is not a web server and does not run HTTPS services, so application logs are unlikely to reveal the root cause of the outbound connection; the anomaly is at the network and process level, best captured by EDR.

26
Multi-Selecteasy

A security analyst is reviewing web server logs and notices repeated requests to URLs containing sequences like '/../../../etc/shadow' and '/../../../etc/passwd'. Which TWO actions should the analyst take as part of the immediate incident response process?

Select 2 answers
A.Check for successful exploitation by reviewing file access logs
B.Block the source IP address at the firewall
C.Run a full antivirus scan on the web server
D.Rebuild the web server from a known good backup
E.Disable the web server until a patch is applied
AnswersA, B

Determines if sensitive files were actually accessed.

Why this answer

The correct actions are A and B. Checking for successful exploitation (A) is critical to determine whether any files were actually accessed or exfiltrated. Blocking the source IP at the firewall (B) helps prevent further exploitation attempts.

Running antivirus (C) is not directly relevant to a directory traversal attack. Rebuilding the server from a known good backup (D) is premature without investigation. Disabling the web server (E) is too disruptive and unnecessary if the threat is contained.

27
Multi-Selectmedium

A security analyst is analyzing a network capture and sees repeated TCP SYN packets to a host but no SYN-ACK responses. Which TWO conclusions are MOST likely? (Choose two.)

Select 2 answers
A.The host is out of TCP receive window space.
B.The network has a loop causing packet duplication.
C.The host has accepted the connections.
D.A firewall is dropping the SYN packets before they reach the host.
E.An attacker is performing a SYN flood DDoS attack.
AnswersD, E

Firewalls can block incoming SYN packets, resulting in no response.

Why this answer

Options D and E are correct. Repeated SYNs with no response suggest a stateful firewall dropping the packets (D) or a SYN flood DDoS attack (E). Option C is incorrect because no SYN-ACK means no connection was established.

Option B is unrelated. Option A is possible but less likely than the top two.

28
Multi-Selectmedium

A security analyst is investigating a potential data breach. The logs show that an attacker used a compromised service account to access sensitive files on a file server. Which TWO actions should the analyst take FIRST to contain the incident? (Choose TWO.)

Select 2 answers
A.Check the workstation logs for signs of malware.
B.Notify law enforcement and the organization's legal department.
C.Reset the service account password and revoke any active tokens.
D.Review and modify permissions on the file server to limit the account's access.
E.Restore the affected files from a known good backup.
AnswersC, D

Immediately stops the attacker's access.

Why this answer

Resetting the service account password and revoking active tokens (C) immediately invalidates the attacker's current authentication credentials, preventing further unauthorized access via that compromised account. This is a critical containment step because service accounts often have persistent access and may use long-lived tokens or cached credentials that remain valid until explicitly revoked.

Exam trap

Cisco often tests the distinction between containment, eradication, and recovery phases; the trap here is that candidates may confuse a recovery action (restoring backups) or a notification step (calling law enforcement) with the immediate containment priority of cutting off the attacker's access.

29
MCQmedium

A company wants to reduce the mean time to detect (MTTD) for security incidents. Which technology is most effective for this purpose?

A.Security information and event management (SIEM) with behavior analytics
B.Full disk encryption software
C.Data loss prevention (DLP) system
D.Network-based intrusion detection system (NIDS)
AnswerA

SIEM with UEBA provides real-time correlation and anomaly detection, reducing MTTD.

Why this answer

Option A is correct because SIEM with User and Entity Behavior Analytics (UEBA) baselines normal behavior and detects anomalies quickly. Option D is wrong because a NIDS only matches signatures. Option C is wrong because DLP focuses on data loss.

Option B is wrong because encryption is for data protection, not detection.

30
MCQeasy

Based on the auth.log exhibit, what is the MOST appropriate immediate action to mitigate this attack?

A.Disable root login and remove the admin account.
B.Block the entire 192.168.1.0/24 subnet at the firewall.
C.Configure fail2ban to block the IP address after a threshold of failed attempts.
D.Change the SSH port to a non-standard port.
AnswerC

fail2ban automatically blocks the attacking IP, stopping the attack.

Why this answer

Option C is correct. The log shows a brute-force attack against SSH. Configuring fail2ban will dynamically block the IP after multiple failures.

Option B is too broad and may block legitimate users from that subnet. Option A doesn't address the immediate attack. Option D is good practice but does not stop the ongoing attack immediately.

31
MCQmedium

A security analyst is reviewing alerts from a SIEM and notices multiple failed login attempts from a single IP address to different user accounts over a 5-minute window. What should the analyst do FIRST?

A.Block the IP address at the firewall.
B.Isolate all endpoints that received the login attempts.
C.Check the source IP and correlate with other logs to confirm suspicious activity.
D.Reset all user accounts that were targeted.
AnswerC

Verification is the first step before taking action.

Why this answer

Option C is correct because the first step in incident response is to verify the alert and determine whether it is a false positive. Option A is premature without verification. Option B is reactive and may not address the immediate threat.

Option D is excessive and may disrupt operations.

32
Multi-Selectmedium

A SOC wants to improve detection of advanced persistent threats (APTs) that evade traditional signature-based tools. Which TWO approaches are most effective? (Select exactly 2.)

Select 2 answers
A.Reduce the false positive rate of the SIEM
B.Increase log retention period to 12 months
C.Hire additional security analysts
D.Deploy honeypots and deception technology
E.Integrate external threat intelligence feeds into the SIEM
AnswersD, E

Honeypots lure attackers and reveal their presence.

Why this answer

Options D and E are correct because deception technology (honeypots) and threat intelligence feeds help detect unknown threats. Option B increases log storage but not detection capability. Option A reduces noise but not detection of APTs.

Option C adds analysts but is not a technology approach.

33
MCQmedium

A cloud security engineer reviews the above S3 bucket policy. Which of the following is the most significant security concern?

A.The bucket policy grants unnecessary permissions for s3:GetObject.
B.The IP address restriction uses an incorrect format for the condition key.
C.The bucket policy allows public read access to all objects.
D.The bucket policy allows any user to upload objects to the bucket.
AnswerD

The second statement grants s3:PutObject to Principal "*", meaning anyone can write to the bucket.

Why this answer

Option D is correct because the bucket policy statement includes a Principal of '*' and an Action of 's3:PutObject' without any condition restricting who can upload, meaning any unauthenticated user on the internet can write objects to the bucket. This creates a severe data integrity and malware-upload risk, as attackers can place arbitrary content into the bucket, potentially leading to data corruption, storage cost abuse, or serving malicious files.

Exam trap

CompTIA often tests the distinction between read and write permissions in S3 policies, and the trap here is that candidates focus on the IP restriction or the read permission being 'public' while overlooking that the write action (s3:PutObject) has no such restriction, making it the more dangerous vulnerability.

How to eliminate wrong answers

Option A is wrong because s3:GetObject is explicitly allowed only to the specific AWS account root user (AWS:SourceOwner condition) and only from the allowed VPC endpoint, so it is not 'unnecessary'—it is the intended read permission for that trusted principal. Option B is wrong because the IP address restriction uses the 'aws:SourceIp' condition key with a valid CIDR notation (10.0.0.0/16), which is the correct format for IP-based conditions in S3 bucket policies. Option C is wrong because the bucket policy does not allow public read access; the s3:GetObject action is restricted by both the SourceOwner condition and the VpcSourceIp condition, so anonymous users cannot read objects.

34
MCQeasy

A SOC analyst is investigating a potential lateral movement within the network. Which log source is most critical for detecting lateral movement using pass-the-hash or pass-the-ticket attacks?

A.Authentication logs (e.g., Windows Event ID 4624)
B.Antivirus logs
C.DNS logs
D.Firewall logs
AnswerA

Authentication logs track logon events and can reveal anomalous access patterns.

Why this answer

Option A is correct because authentication logs, especially from domain controllers, record logon events that indicate lateral movement. Option D is wrong because firewall logs show network flows but not authentication. Option B is wrong because antivirus logs show malware detections, not lateral movement directly.

Option C is wrong because DNS logs only show name resolution.

35
MCQeasy

You are a SOC analyst at a mid-sized company. The SIEM alerts on anomalous outbound traffic from a finance workstation to an external IP address never seen before. The workstation belongs to an employee in the accounts payable department. The alert shows that 500 MB of data was transferred via SMB over the internet, which is unusual because internal file shares are normally used. The employee is currently logged in and is in a meeting across the building. The initial triage confirms the workstation is not domain-joined and has been bypassing corporate firewall rules using a personal VPN. Which of the following actions should you take FIRST?

A.Isolate the workstation by disabling the network port or using endpoint security tools to block connectivity.
B.Escalate the incident to the incident response team lead.
C.Contact the employee's manager to discuss the situation.
D.Interview the employee about the suspicious activity.
AnswerA

Immediate containment stops the exfiltration and limits risk.

Why this answer

Option A is correct because you must contain the exfiltration by disconnecting the workstation from the network. This stops the data transfer and prevents further damage. Option C is premature without containment.

Option B may be necessary but not first. Option D could alert the potential insider.

36
Matchingmedium

Match each security tier or model to its description.


Concepts
Matches

Highest privilege assets like domain controllers

Server and application administration

User workstations and devices

Separates admin accounts by sensitivity

Never trust, always verify

Why these pairings

Tier models and Zero Trust are key concepts in identity and access management.

37
MCQeasy

A company is implementing a SIEM solution and needs to ensure that logs from network devices, servers, and endpoints are collected in a consistent format. Which protocol should be used to transport logs securely?

A.Syslog over UDP
B.Syslog over TLS
C.SFTP
D.SNMP traps
AnswerB

Syslog over TLS ensures encrypted and authenticated log transport.

Why this answer

Option B is correct because Syslog over TLS provides encryption and reliable delivery. Option A is unencrypted. Option D is not a standard log transport protocol.

Option C is for file transfer, not real-time log streaming.

38
MCQhard

A SOC analyst is reviewing an alert about a suspicious process execution on a critical server. The alert shows that cmd.exe spawned from Microsoft Word. Which of the following is the BEST next step for the analyst?

A.Collect a memory dump from the host without any immediate action.
B.Reimage the server to ensure it is clean.
C.Isolate the host from the network and collect a memory dump.
D.Terminate the cmd.exe process immediately.
AnswerC

Isolation prevents lateral movement; memory dump preserves evidence.

Why this answer

Option C is correct because the alert indicates a classic living-off-the-land (LotL) attack where Microsoft Word (likely via a malicious macro) spawns cmd.exe, suggesting code execution. Isolating the host prevents lateral movement and data exfiltration, while collecting a memory dump preserves volatile evidence (e.g., process memory, network connections, injected code) for forensic analysis. Immediate termination (Option D) or reimaging (Option B) would destroy critical evidence, and doing nothing (Option A) risks further compromise.

Exam trap

The trap here is that candidates may choose Option D (terminate the process) thinking it stops the attack, but fail to recognize that isolation and evidence preservation are higher priorities in incident response, as termination destroys volatile data and may not prevent reinfection.

How to eliminate wrong answers

Option A is wrong because taking no immediate action allows the potentially compromised host to continue communicating with an attacker, risking lateral movement or data exfiltration; a memory dump alone without isolation does not contain the threat. Option B is wrong because reimaging the server destroys all volatile evidence (e.g., running processes, network connections, in-memory malware) needed to determine the root cause and scope of the compromise, and it may be premature without confirming persistence. Option D is wrong because terminating cmd.exe alone does not address the underlying malicious macro or payload in Word, and the attacker may have already established persistence or exfiltrated data; it also destroys the process memory that could contain critical forensic artifacts.

39
MCQmedium

A SOC manager is considering implementing a SOAR platform. Which is the primary benefit of SOAR in day-to-day operations?

A.Automated playbook execution and orchestration of response actions
B.Centralized storage of all security logs
C.Elimination of the need for human analysts
D.Reduction in false positive alerts from the SIEM
AnswerA

SOAR automates incident response playbooks, reducing manual effort and response time.

Why this answer

Option A is correct because SOAR automates repetitive tasks and orchestrates workflows, enabling faster and more consistent incident response. Option D is wrong because SOAR does not directly reduce false positives; that's SIEM tuning. Option C is wrong because SOAR does not replace people.

Option B is wrong because SOAR is not primarily for log storage.

40
MCQhard

A security architect is designing a deception-based detection system for a high-security environment. The goal is to detect lateral movement by attackers who have already breached the perimeter. Which of the following deception techniques would be most effective at identifying an attacker without alerting them to the deception?

A.Configure a network share with honey files and monitor for file access.
B.Create a honeypot web server with known vulnerabilities and monitor for interactions.
C.Deploy fake database tables containing plausible but fictitious data.
D.Plant honey credentials (username/password) for non-existent Active Directory accounts in a common password manager.
AnswerD

Honey credentials are low interaction and high value; usage indicates compromise without tipping off attackers.

Why this answer

Option D is correct because honey tokens that appear as real credentials will be used only by attackers, and if used, they provide high-confidence detection. Option B will alert attackers. Option C is easily detectable by experienced attackers.

Option A may be ignored if attackers don't use network shares.

41
Multi-Selectmedium

A security administrator is evaluating ways to improve endpoint detection and response (EDR) capabilities. Which TWO of the following approaches would most effectively enhance the detection of fileless malware attacks?

Select 2 answers
A.Monitor PowerShell script block logging and execution events.
B.Install a network intrusion detection system (NIDS) to inspect traffic.
C.Monitor process creation chain events to detect anomalous parent-child relationships.
D.Enable file integrity monitoring (FIM) on critical system files.
E.Deploy advanced antivirus with machine learning signatures.
AnswersA, C

PowerShell is commonly abused for fileless execution.

Why this answer

Fileless malware often exploits memory and legitimate tools. Option C (monitoring process creation chains) detects abnormal parent-child relationships (e.g., wmic spawning cmd). Option A (monitoring PowerShell script block logging) catches malicious scripts.

Option D focuses on files, which may miss fileless attacks. Option E is less effective for memory-resident malware. Option B is for network-based detection.

42
MCQhard

A technology company suspects an insider threat is exfiltrating intellectual property. The security team has deployed user and entity behavior analytics (UEBA) and set up data loss prevention (DLP) rules. A UEBA alert flags a senior developer who is accessing the source code repository at 2 AM from a VPN connection that routes through a foreign country. The developer also recently downloaded a large quantity of source code—more than 10 times the normal volume. DLP policies are configured to block emails with attachments over 10 MB. Which of the following should the incident response team do FIRST?

A.Implement stricter DLP policies to block large downloads from the repository.
B.Conduct an informal interview with the developer to ask about the unusual activity.
C.Isolate the developer's workstation and revoke access to the source code repository immediately.
D.Review DLP logs to confirm that no emails containing source code were sent.
AnswerC

Containment is critical given the high risk of active exfiltration.

Why this answer

Option C is correct because the UEBA alert combined with anomalous behavior strongly suggests malicious activity. Immediate isolation prevents exfiltration and preserves evidence. Option B interviews the user, which could alert them and lead to data destruction.

Option D focuses only on DLP email logs, but the exfiltration may not be via email. Option A is a long-term preventive measure, not an immediate response.

43
Multi-Selecteasy

Which TWO of the following are key components of a successful incident response plan according to NIST SP 800-61?

Select 2 answers
A.Vulnerability scanning
B.Preparation
C.Patch management
D.User training
E.Detection and Analysis
AnswersB, E

Preparation is a foundational phase of the incident response lifecycle.

Why this answer

NIST SP 800-61 defines the incident response lifecycle as having four phases: Preparation, Detection and Analysis, Containment/Eradication/Recovery, and Post-Incident Activity. Preparation (Option B) is the foundational phase that ensures the organization has the tools, policies, and trained personnel ready before an incident occurs. Detection and Analysis (Option E) is the second phase, focusing on identifying and validating security incidents through monitoring, alerting, and forensic analysis.

Exam trap

Cisco often tests the distinction between activities that are part of the incident response lifecycle phases versus supporting security processes, leading candidates to mistakenly select vulnerability scanning or patch management as core components when they are actually separate operational tasks.

44
MCQeasy

During a security incident, a forensic investigator needs to capture the contents of volatile memory on a compromised server. Which of the following tools should the investigator use?

A.dd
B.Wireshark
C.FTK Imager (with memory capture)
D.Nmap
AnswerC

FTK Imager can capture an image of physical memory (RAM) for analysis.

Why this answer

FTK Imager with memory capture is the correct tool because it is specifically designed to acquire a bit-for-bit copy of volatile memory (RAM) from a live system while preserving forensic integrity. Unlike disk imaging tools, FTK Imager can capture the contents of physical memory, including running processes, network connections, and encryption keys, which are critical for incident response. This tool also generates a hash of the captured memory to ensure data integrity during analysis.

Exam trap

CompTIA often tests the misconception that dd can be used for memory capture because it is a common Linux imaging tool, but dd is designed for block-level disk copying and cannot reliably access volatile memory without specialized drivers or kernel patches.

How to eliminate wrong answers

Option A is wrong because dd is a disk imaging tool that copies block devices (e.g., hard drives) and cannot directly capture volatile memory; it lacks the ability to access the /dev/mem or /dev/kmem interfaces on modern systems without additional kernel modules, and it does not handle memory-specific structures like page tables. Option B is wrong because Wireshark is a network packet analyzer used for capturing and inspecting network traffic, not for acquiring volatile memory; it operates at Layer 2-7 of the OSI model and cannot access system RAM. Option D is wrong because Nmap is a network scanning tool used for port discovery and service enumeration; it has no capability to interact with system memory or perform forensic acquisition.

45
MCQeasy

A forensic analyst needs to collect volatile data from a live Windows system. In which order should the analyst collect the following data? (Order of volatility)

A.Disk image, memory dump, network connections, running processes
B.Memory dump, network connections, running processes, disk image
C.Network connections, running processes, memory dump, disk image
D.Running processes, memory dump, network connections, disk image
AnswerB

This follows the order of volatility from most to least volatile.

Why this answer

Option B is correct because memory is the most volatile and should be collected first, followed by network connections, then processes, and finally disk data. Option A is wrong because disk is less volatile. Option C is wrong because processes should be after memory.

Option D is wrong because network state is more volatile than disk.

46
MCQhard

During a forensic investigation, the examiner discovers that the chain of custody documentation was not properly maintained for a critical hard drive. What is the most likely consequence?

A.The evidence may be ruled inadmissible in legal proceedings
B.The investigation can continue without any impact
C.The data on the drive is automatically deleted
D.The drive must be returned to the owner immediately
AnswerA

Chain of custody ensures evidence integrity; lack of it can lead to exclusion.

Why this answer

Option A is correct because without chain of custody, the evidence could have been tampered with, making it inadmissible in court. Option B is wrong because the investigation is affected: the technical analysis may still be valid, but its findings can be legally challenged. Option C is wrong because a chain-of-custody gap does not delete data; it undermines the provenance of the evidence.

Option D is wrong because returning the drive to its owner is not the primary concern.

47
MCQmedium

A financial organization's SOC analysts have observed repeated failed authentication attempts from a single external IP address against multiple user accounts, followed by a successful authentication from the same IP using one of those accounts. Which type of security monitoring rule would be most effective at detecting this attack pattern in real time?

A.Alert when multiple failed logins from a single source IP are followed by a successful login from that IP within 10 minutes.
B.Alert when a user account has three failed logins within 5 minutes followed by a successful login.
C.Alert when a successful authentication occurs immediately after a password reset.
D.Alert on any single failed login attempt from an external IP.
AnswerA

This correlation rule accurately detects the credential stuffing pattern across different accounts from one IP.

Why this answer

The attack pattern involves brute-force attempts followed by a success, which is a classic credential stuffing attack. Option A is a correlation rule that combines multiple failed logins with a subsequent success for the same source IP, which directly captures this behavior. Option D only detects a single failed login, not the pattern.

Option B detects a success after failures but for a single target user, not the source IP pattern. Option C detects a login after a password reset, which is unrelated.

48
MCQmedium

A SOC analyst is reviewing a large volume of failed login attempts across multiple user accounts from a single external IP address. The attempts use common usernames and passwords over SSH (port 22). Which security control would be most effective at preventing this type of attack?

A.Enforce a minimum password complexity policy for all users.
B.Require multi-factor authentication for all SSH logins.
C.Implement rate limiting on SSH connections per source IP.
D.Add the external IP address to the firewall deny list and implement an IP allowlist for SSH access.
AnswerD

This immediately blocks the attack and prevents any further attempts from that IP.

Why this answer

Option D is correct because the attack is a brute-force or password-spraying attempt from a single external IP. Adding that IP to a firewall deny list immediately blocks all traffic from that source, while implementing an IP allowlist for SSH access ensures only trusted IPs can reach the service. This directly prevents the attack at the network layer, regardless of password strength or authentication method.

Exam trap

The trap here is that candidates often choose rate limiting (Option C) because it seems like a direct mitigation, but they fail to realize that rate limiting only slows the attack, whereas blocking the IP and using an allowlist stops it entirely.

How to eliminate wrong answers

Option A is wrong because enforcing minimum password complexity does not prevent brute-force or password-spraying attacks; it only makes passwords harder to guess, but the attacker can still attempt many combinations. Option B is wrong because requiring multi-factor authentication (MFA) for SSH logins would stop successful authentication even if credentials are guessed, but it does not prevent the attack itself—the attacker can still flood the system with login attempts, consuming resources and generating logs. Option C is wrong because rate limiting on SSH connections per source IP reduces the speed of the attack but does not stop it entirely; the attacker can still attempt logins at a slower rate or rotate through multiple source IPs.

49
MCQhard

A large enterprise is implementing a SOAR platform to automate incident response. The security team wants to create a playbook for handling phishing emails reported by users. The playbook should: 1) validate the reported email by checking headers and attachments, 2) automatically block the sender's domain at the email gateway if malicious, 3) create a ticket, and 4) send an automated response to the user. Which of the following describes the best approach to design this playbook?

A.Create a ticket and route it to a junior analyst for manual investigation, then close after user acknowledgement.
B.Immediately sandbox the attachment and block the sender's domain if the sandbox reports malicious behavior.
C.Use an automated triage step that extracts indicators, then present the verdict to an analyst in a manual approval step before executing blocks.
D.Automatically delete the email from all users' inboxes and send a warning to the organization.
AnswerC

This balances automation with human oversight, reducing false positives.

Why this answer

Option C is correct because a tiered approach with human approval before blocking prevents false positives and aligns with typical SOAR best practices. Option B is too risky without analyst validation. Option D bypasses automated analysis and takes destructive action without a verdict.

Option A delays response and increases workload.

50
MCQhard

A mid-sized e-commerce company has recently experienced a data breach where customer payment card information was exfiltrated. The security team has identified that the breach originated from a compromised web server that was part of a PCI DSS compliant environment. The server was running outdated software and had several known vulnerabilities. Post-incident analysis reveals that the attacker exploited a SQL injection vulnerability in the order-tracking feature. The incident response team followed NIST SP 800-61 guidelines: they contained the threat, eradicated the malicious code, and restored the server from a known clean backup. However, two weeks after the restoration, the same server is again showing signs of similar malicious activity. The server is still in production and handling credit card transactions. Which of the following is the MOST effective course of action to prevent this recurring compromise?

A.Conduct a thorough code review of the order-tracking feature, implement parameterized queries, and then redeploy the application after passing a static code analysis scan.
B.Replace the web server with a new server running the latest OS and web server version, then redeploy the same web application code.
C.Implement network segmentation to isolate the web server and restrict outbound traffic to only essential services.
D.Increase logging and deploy a WAF in front of the server with rules to block common SQLi patterns.
AnswerA

Directly addresses the SQLi vulnerability at the code level.

Why this answer

The correct answer is A. The root cause is a code-level vulnerability (SQLi) that was not fixed. Patching the OS or rebuilding the server with the same application code will not remove the vulnerability.

The application code must be reviewed and the SQLi flaw remediated. Option B (replacing the server) does not fix the underlying code. Option C (network segmentation) only contains the problem but does not fix the application vulnerability.

Option D (increased logging and a WAF) is reactive and does not prevent exploitation.

51
MCQmedium

After a security incident, the IR team identifies that the attacker used a spear-phishing email with an attached malicious macro. Which log source would be MOST crucial to determine the scope of the compromise?

A.Endpoint detection and response (EDR) telemetry
B.Windows Event Logs (Event ID 4688)
C.Proxy server logs
D.Email server logs
AnswerC

Proxy logs reveal connections to C2 servers and data exfiltration attempts.

Why this answer

Option C is correct because proxy logs show outbound HTTP/HTTPS connections, which malware often uses for C2 and data exfiltration. Option D shows email senders and recipients but not system activity. Option B shows local process execution but may not show network connections.

Option A shows endpoint network connections but may not capture all outbound traffic if it is not forwarded.

52
Multi-Selecthard

A CSIRT is developing a threat hunting hypothesis based on the MITRE ATT&CK framework. Which THREE of the following are techniques that threat hunters would commonly investigate for initial access? (Choose three.)

Select 3 answers
A.Exploit public-facing application
B.Spear-phishing attachment
C.Valid accounts
D.Remote services
E.Boot or logon autostart execution
AnswersA, B, C

Exploiting vulnerabilities in internet-facing applications is another common technique.

Why this answer

Options A, B, and C are correct. Spear-phishing, exploitation of public-facing applications, and valid accounts are common initial access techniques. Option D (remote services) is for lateral movement, and Option E is for persistence.

53
MCQmedium

A threat hunter hypothesizes that a sophisticated attacker is using DNS tunneling for command and control. Which data source would most likely confirm this activity?

A.Network flow data (NetFlow)
B.DNS query logs from authoritative/internal DNS servers
C.Endpoint antivirus alerts
D.Web proxy logs
AnswerB

DNS logs contain query names and types; tunneling leaves unusual patterns.

Why this answer

Option B is correct because DNS logs contain queries and responses; anomalous patterns like large TXT records or high query frequency indicate tunneling. Option A is wrong because NetFlow records show traffic flows but not DNS content. Option C is wrong because antivirus may not detect tunneling.

Option D is wrong because web proxy logs show HTTP traffic, not DNS queries.

54
MCQeasy

An organization wants to reduce the attack surface of its web servers by ensuring only necessary modules are enabled. Which practice directly supports this goal?

A.Patch management
B.Application whitelisting and module disablement
C.Regular backups
D.Multi-factor authentication
AnswerB

Whitelisting and disabling unnecessary modules reduce attack surface.

Why this answer

Option B is correct because hardening includes disabling unnecessary services and modules. Option A is about patching, which does not directly reduce the attack surface. Option C is a backup strategy.

Option D is about authentication, not module reduction.

55
MCQhard

After containing a confirmed security incident, the incident response team must plan for eradication. What must be done before eradication begins?

A.Conduct a full forensic analysis of all systems
B.Determine the root cause of the incident
C.Begin eradication immediately to minimize dwell time
D.Notify law enforcement agencies
AnswerB

Root cause analysis ensures eradication addresses the entry point and method.

Why this answer

Option B is correct because understanding the root cause ensures complete removal of the threat and prevents re-infection. Option C is wrong because eradication should not simply follow containment immediately; root cause analysis is critical first. Option A is wrong because full forensic analysis can be done during or after eradication.

Option D is wrong because notifying law enforcement is optional and not a prerequisite.

56
MCQhard

A security engineer needs to deploy a host-based intrusion detection system (HIDS) on a critical Linux server without impacting performance. Which configuration is MOST appropriate?

A.Install OSSEC agent with file integrity monitoring and log analysis only.
B.Install Snort in inline mode on the server.
C.Enable Windows Defender on the Linux server.
D.Deploy ClamAV with real-time scanning and OSSEC.
AnswerA

OSSEC is a well-known HIDS that can be configured minimally for performance.

Why this answer

Option A is correct because OSSEC with file integrity monitoring and log analysis is lightweight and suitable for critical servers. Option B uses a network-based tool, not a host-based one. Option C names a Windows product that does not apply to a Linux server.

Option D adds real-time antivirus scanning, which is resource-intensive.

57
MCQhard

Based on the exhibit, which type of attack is most likely occurring?

A.Pass-the-hash attack
B.Account lockout attack
C.Replay attack
D.Brute force password guessing
AnswerD

The rapid succession of authentication failures for the root user indicates an attempt to guess the password.

Why this answer

The exhibit shows a high number of failed authentication attempts (e.g., Event ID 4625) from a single source IP against multiple user accounts over a short period. This pattern is characteristic of a brute force password guessing attack, where an attacker systematically tries common passwords against many accounts to gain unauthorized access. The absence of successful logins or account lockouts further supports this conclusion.

Exam trap

Cisco often tests the distinction between a brute force attack (many passwords, one account) and a password spraying attack (one password, many accounts), and the trap here is confusing the high volume of failed logins with a replay or pass-the-hash attack, which would show successful authentication or token reuse instead of repeated failures.

How to eliminate wrong answers

Option A is wrong because a pass-the-hash attack uses captured NTLM or Kerberos hashes to authenticate without knowing the plaintext password, and the exhibit shows failed logins with incorrect passwords, not hash reuse. Option B is wrong because an account lockout attack would trigger Event ID 4740 (account locked out) after exceeding the lockout threshold, but the exhibit shows only failed logins without lockout events. Option C is wrong because a replay attack involves capturing and retransmitting valid authentication tokens (e.g., Kerberos TGT or NTLM challenge-response), not repeated failed password attempts.

58
Multi-Selecteasy

Which TWO of the following are primary goals of security operations monitoring? (Choose two.)

Select 2 answers
A.Automate patch deployment
B.Maintain situational awareness of the security posture
C.Conduct vulnerability scans
D.Ensure compliance with regulatory standards
E.Detect security incidents in near real-time
AnswersB, E

Situational awareness is a key outcome of monitoring.

Why this answer

Options B and E are correct. Detection of security incidents and maintaining situational awareness are core monitoring goals. Compliance (D) is a secondary benefit, and vulnerability scanning (C) is a separate process.

59
MCQeasy

A SOC analyst receives an alert indicating that a workstation has been making outbound connections to a known command-and-control (C2) IP address. The analyst initiates the incident response process. Which of the following should be the FIRST action taken?

A.Run a full antivirus scan on the affected workstation.
B.Notify the organization's management and legal team.
C.Delete the suspicious files identified by the antivirus.
D.Isolate the workstation from the network.
AnswerD

Isolation stops the immediate threat and prevents spread.

Why this answer

The first priority in incident response is to contain the threat to prevent further damage. Option D, isolating the workstation, stops the C2 communication and limits lateral movement. Option B (notifying management) is important but not first.

Option C (deleting files) is premature without analysis. Option A (running AV) is reactive and may alert the attacker.

60
Multi-Selecteasy

Which THREE components are essential for a fully functional Security Operations Center (SOC)? (Select exactly 3.)

Select 3 answers
A.Incident response team
B.VPN concentrator
C.Security Information and Event Management (SIEM) system
D.Firewall
E.Standard operating procedures and playbooks
AnswersA, C, E

People are essential for investigation and response.

Why this answer

Options A, C, and E are correct because SIEM for correlation, incident response team, and playbooks are core. Option B is a security control but not a SOC component. Option D is network infrastructure.

61
MCQeasy

During a tabletop exercise, the CSIRT discovers that the organization lacks a clear chain of command for decision-making during incidents. Which document should be updated to address this gap?

A.Incident response plan
B.Business continuity plan
C.Security awareness training material
D.Network topology diagram
AnswerA

The IR plan outlines the chain of command and communication structure.

Why this answer

Option A is correct because the incident response plan should define roles, responsibilities, and escalation paths. Option B is for continuing business operations, not incident decision-making. Option D is for network architecture.

Option C is for user training.

62
Multi-Selecthard

During an incident response, the team must perform containment actions. Which TWO actions are considered proper containment? (Select exactly 2.)

Select 2 answers
A.Isolate affected systems from the network
B.Notify law enforcement
C.Disable compromised user accounts
D.Back up the affected systems
E.Patch all vulnerabilities on affected systems
AnswersA, C

Isolation stops lateral movement.

Why this answer

Options A and C are correct because isolating affected systems and disabling compromised accounts prevent further spread. Option D is recovery preparation, not containment. Option B is notification, which follows containment.

Option E is eradication.

63
Multi-Selectmedium

Which TWO of the following are best practices for securing a cloud-based identity and access management (IAM) system? (Select exactly 2.)

Select 2 answers
A.Require users to change passwords every 30 days.
B.Use single sign-on (SSO) for all applications.
C.Implement the principle of least privilege for all user roles.
D.Enable multi-factor authentication (MFA) for all administrative accounts.
E.Create default admin accounts for each department.
AnswersC, D

Limiting privileges reduces the attack surface and potential damage.

Why this answer

The principle of least privilege (C) ensures that users and roles are granted only the permissions necessary to perform their job functions, reducing the attack surface and limiting potential damage from compromised accounts. Enabling multi-factor authentication (D) for administrative accounts adds a critical layer of security beyond passwords, mitigating risks from credential theft or brute-force attacks. Both are foundational controls in cloud IAM frameworks like AWS IAM, Azure AD, or GCP IAM.

Exam trap

CompTIA often tests the misconception that frequent password changes (A) are a security best practice, when in fact modern standards advise against them, and that SSO (B) alone is a security control, whereas it is primarily a convenience feature that requires additional safeguards like MFA.

64
MCQhard

Given the exhibit, what is the MOST likely scenario?

A.A misconfigured application is sending malformed data to a server.
B.An external attacker is scanning the internal network.
C.An internal host is compromised and attacking an external web server.
D.A web vulnerability scanner is performing authorized tests.
AnswerC

The host adapts to the firewall rules and launches a SQL injection attack.

Why this answer

Option C is correct. The internal host 10.0.1.100 initially tried to connect to port 80 (HTTP) but was denied, then used port 443 (HTTPS) which was allowed, and then performed SQL injection on the web server. This suggests the host is compromised and attempting to attack an external server via HTTPS to bypass firewall rules.

Option B is wrong because the traffic is outbound, not inbound. Option A is wrong because SQL injection is detected and the pattern is deliberate, not accidental. Option D is wrong because an authorized scanner would not need to work around the firewall's port rules.

65
Multi-Selecthard

Which THREE of the following are effective techniques for detecting advanced persistent threats (APTs) within a network? (Select exactly 3.)

Select 3 answers
A.Using signature-based intrusion detection systems (IDS) to match known attack patterns.
B.Conducting behavioral analysis of endpoint and network activity to detect unusual patterns.
C.Integrating threat intelligence feeds to correlate indicators of compromise (IOCs) with internal logs.
D.Implementing anomaly-based network traffic analysis to identify deviations from baseline behavior.
E.Deploying honeypots to attract and analyze attacker behavior.
AnswersB, C, D

Behavioral analysis can uncover APT activities such as lateral movement and data exfiltration.

Why this answer

Behavioral analysis (option B) is effective against APTs because it establishes a baseline of normal activity and flags deviations, such as unusual lateral movement or data exfiltration patterns, which APTs often exhibit. Unlike signature-based methods, behavioral analysis can detect novel or zero-day attack techniques that do not match known signatures, making it a critical component of an advanced threat detection strategy.

Exam trap

Cisco often tests the distinction between detection techniques that rely on known indicators (signature-based) versus those that detect unknown threats (behavioral/anomaly-based), and candidates may mistakenly think signature-based IDS is sufficient for APTs because they focus on the 'advanced' aspect rather than the 'persistent' and 'unknown' nature of the threat.
