CCNA Incident Response and Management Questions

26 of 101 questions · Page 2/2 · Incident Response and Management · Answers revealed

Question 76 · MCQ · hard

While supporting a hybrid workforce, a developer accidentally committed a cloud access key to a public repository. Logs show the key was used from an unfamiliar IP. What should be done first? During eradication, which decision is most defensible? Which evidence should guide the decision?

A. Wait to see whether charges increase
B. Disable or rotate the key and review actions performed with it
C. Block the developer's laptop from Wi-Fi
D. Ask the developer to delete the commit only
Answer: B

The exposed credential must be invalidated and its use scoped through audit logs. In eradication, responders need action that reduces risk while preserving the investigation record.

Why this answer

The correct first step is to disable or rotate the compromised cloud access key and review actions performed with it. This immediately revokes the attacker's access, preventing further unauthorized use, while the review of logs and API calls determines the scope of the breach. Waiting or blocking the developer's laptop does not address the exposed credential or the active threat from the unfamiliar IP.

Exam trap

Cisco often tests the principle of immediate containment over investigation or blame; the trap here is choosing a delay tactic (Option A) or a non-technical, irrelevant action (Option C) instead of the direct, credential-focused containment step.

How to eliminate wrong answers

Option A is wrong because waiting to see whether charges increase is a passive, reactive approach that allows the attacker continued access, potentially leading to data exfiltration, resource abuse, and escalating costs. Option C is wrong because blocking the developer's laptop from Wi-Fi does not revoke the compromised cloud access key; the key can still be used from any other device or IP, and this action does not address the root cause or the ongoing threat.
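The "review actions performed with it" half of the answer is where responders usually lose time, so here is an added example (not from the original question bank) of scoping a leaked key from audit-log records. It also serves question 99, which repeats this scenario. The record shape loosely follows CloudTrail fields (eventTime, eventName, sourceIPAddress, errorCode, userIdentity.accessKeyId), but the key ID, the IP addresses and every event are constructed, and the "known egress IPs" set is an assumption about what the organisation recognises.

```python
"""Scope what an exposed cloud access key was used for, from audit-log records.

Added example, not from the original page. Record shape loosely follows
CloudTrail; key ID, IPs and events are constructed.
"""
from collections import Counter

# Placeholder key ID, not a real one.
LEAKED_KEY = "AKIA_PLACEHOLDER_LEAKED"

# Constructed sample records. 203.0.113.10 is the organisation's own egress;
# 198.51.100.77 is the unfamiliar source the alert was about.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T08:00:00Z", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"accessKeyId": LEAKED_KEY}},
    {"eventTime": "2024-05-01T09:15:00Z", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "198.51.100.77", "userIdentity": {"accessKeyId": LEAKED_KEY}},
    {"eventTime": "2024-05-01T09:16:30Z", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.77", "userIdentity": {"accessKeyId": LEAKED_KEY}},
    {"eventTime": "2024-05-01T09:20:00Z", "eventName": "RunInstances",
     "sourceIPAddress": "198.51.100.77", "userIdentity": {"accessKeyId": LEAKED_KEY}},
    {"eventTime": "2024-05-01T09:21:00Z", "eventName": "CreateUser",
     "sourceIPAddress": "198.51.100.77", "errorCode": "AccessDenied",
     "userIdentity": {"accessKeyId": LEAKED_KEY}},
    # A different key from the known egress: must not be attributed to the leak.
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIA_PLACEHOLDER_OTHER"}},
]

# Assumption: egress addresses the organisation recognises (office NAT, CI runner).
KNOWN_IPS = {"203.0.113.10"}

# Heuristic: API names with these prefixes are read-only; anything else may
# have changed state and must be reviewed (and possibly undone) in eradication.
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Head")


def is_mutating(event_name):
    return not event_name.startswith(READ_ONLY_PREFIXES)


def scope_key_usage(events, key_id, known_ips):
    """Summarise every call made with key_id, separating unfamiliar source IPs.

    The 'mutating_succeeded' list is the minimum set of changes eradication
    has to review; 'mutating_attempted' shows what the actor tried to do.
    """
    hits = sorted(
        (e for e in events if e.get("userIdentity", {}).get("accessKeyId") == key_id),
        key=lambda e: e["eventTime"],
    )
    unfamiliar = [e for e in hits if e["sourceIPAddress"] not in known_ips]
    attempted = {e["eventName"] for e in unfamiliar if is_mutating(e["eventName"])}
    succeeded = {e["eventName"] for e in unfamiliar
                 if is_mutating(e["eventName"]) and "errorCode" not in e}
    return {
        "key_id": key_id,
        "total_events": len(hits),
        "unfamiliar_ip_events": len(unfamiliar),
        "unfamiliar_ips": sorted({e["sourceIPAddress"] for e in unfamiliar}),
        "first_unfamiliar": unfamiliar[0]["eventTime"] if unfamiliar else None,
        "last_unfamiliar": unfamiliar[-1]["eventTime"] if unfamiliar else None,
        "actions_from_unfamiliar": dict(Counter(e["eventName"] for e in unfamiliar)),
        "mutating_attempted": sorted(attempted),
        "mutating_succeeded": sorted(succeeded),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(scope_key_usage(SAMPLE_EVENTS, LEAKED_KEY, KNOWN_IPS), indent=2))
```

The summary is what goes into the incident record before the key is touched; disabling the key itself is a control-plane action (for AWS, `aws iam update-access-key --access-key-id <id> --status Inactive`, then issue a replacement), and it should happen in the same breath as this review, not after it. Note the failed `CreateUser` call: a denied privilege-escalation attempt still tells you what the actor wanted, which is why attempted and succeeded actions are reported separately.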

Question 77 · Matching · medium

Match each security control to its category.

Concepts

Preventive

Detective

Recovery

Administrative

Technical

Why these pairings

Controls are categorized by their function and nature.

Question 78 · MCQ · easy

During a post-compromise review, a laptop may contain evidence for a legal investigation. What should the responder document during acquisition? During post-incident improvement, which decision is most defensible? Which action should be prioritized before closure?

A. Only the laptop colour
B. Only the ticket priority
C. Only the user's job title
D. Who collected it, when, where, hash values, transfer details, and storage location
Answer: D

Chain of custody records evidence handling and integrity from collection onward. In post-incident improvement, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because forensic acquisition requires a complete chain of custody to ensure evidence integrity and admissibility in legal proceedings. Documenting who collected the evidence, when and where it was collected, cryptographic hash values (e.g., SHA-256) to verify data integrity, transfer details (e.g., write-blocker used, network path), and storage location provides a defensible record that meets legal and organizational standards.

Exam trap

CompTIA often tests the misconception that minimal documentation (like color or job title) is sufficient, when in fact comprehensive chain-of-custody details are required for legal defensibility.

How to eliminate wrong answers

Option A is wrong because documenting only the laptop color provides no forensic value and fails to establish chain of custody or evidence integrity. Option B is wrong because documenting only the ticket priority is irrelevant to forensic acquisition and does not capture any evidence-handling details. Option C is wrong because documenting only the user's job title ignores critical acquisition metadata such as collector identity, timestamps, hash values, and storage location, making the evidence indefensible in court.
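Because the chain-of-custody items in option D are abstract on an exam, here is an added example (not from the original question bank, and serving question 96 as well, which repeats the scenario) of a record that captures exactly those fields and re-checks the SHA-256 hash at every hand-off. The evidence IDs, names, locations and the evidence bytes are all constructed; a real acquisition would hash the image produced by the imaging tool.

```python
"""Chain-of-custody record with hash verification at every hand-off.

Added example, not from the original page. Evidence IDs, names, locations
and evidence bytes are constructed.
"""
import hashlib
import json
import tempfile
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from pathlib import Path


class IntegrityError(Exception):
    """Raised when evidence no longer matches the hash recorded at acquisition."""


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so multi-gigabyte images never need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


@dataclass
class CustodyRecord:
    evidence_id: str
    description: str
    collected_by: str        # who
    collected_at: str        # when
    collected_where: str     # where
    sha256: str              # hash value fixed at acquisition
    storage_location: str    # current storage
    transfers: list = field(default_factory=list)  # transfer details


def acquire(path, evidence_id, description, collector, where, storage):
    """Create the record at collection time; the hash is computed once, here."""
    return CustodyRecord(evidence_id, description, collector, _now(), where,
                         sha256_file(path), storage)


def verify(record, path):
    """True if the evidence still hashes to the value recorded at acquisition."""
    return sha256_file(path) == record.sha256


def transfer(record, path, from_person, to_person, method, new_storage):
    """Log a hand-off, refusing to continue if the evidence has changed."""
    current = sha256_file(path)
    if current != record.sha256:
        raise IntegrityError(f"{record.evidence_id}: {current} != recorded {record.sha256}")
    record.transfers.append({"at": _now(), "from": from_person, "to": to_person,
                             "method": method, "hash_verified": current,
                             "new_storage": new_storage})
    record.storage_location = new_storage
    return record


def to_json(record):
    return json.dumps(asdict(record), indent=2)


def run_demo():
    """Acquire, transfer, then alter a constructed image; returns the outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "laptop-EV-0001.dd"
        image.write_bytes(b"constructed disk image bytes")  # stands in for a real image
        rec = acquire(image, "EV-0001", "Laptop disk image", "A. Responder",
                      "Room 4B, HQ", "IR evidence safe, shelf 2")
        transfer(rec, image, "A. Responder", "B. Examiner",
                 "hand carry, sealed bag #17", "Forensics lab locker 3")
        clean_ok = verify(rec, image)
        image.write_bytes(b"constructed disk image bytes, altered")  # simulated tampering
        tampered_ok = verify(rec, image)
        try:
            transfer(rec, image, "B. Examiner", "C. Counsel", "courier", "Legal hold vault")
            transfer_blocked = False
        except IntegrityError:
            transfer_blocked = True
    return {"record": rec, "clean_ok": clean_ok, "tampered_ok": tampered_ok,
            "transfer_blocked": transfer_blocked}


if __name__ == "__main__":
    print(to_json(run_demo()["record"]))
```

The design choice worth noting is that the hash is fixed once at acquisition and every later step only verifies against it: a transfer that does not re-verify is a gap in the chain, and a transfer that verifies against a freshly computed hash proves nothing.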

Question 79 · Multi-Select · medium

Which TWO of the following are key phases of the incident response process as defined by NIST?

Select 2 answers
A. Recovery
B. Containment
C. Preparation
D. Eradication
E. Post-Incident Activity
Answers: C, E

Preparation and Post-Incident Activity are two of the four main NIST phases.

Why this answer

The NIST SP 800-61 Rev. 2 incident response lifecycle consists of four key phases: Preparation, Detection & Analysis, Containment/Eradication/Recovery, and Post-Incident Activity. Option C (Preparation) is correct because it is the foundational phase where policies, tools (e.g., SIEM, EDR), and communication plans are established before any incident occurs. Option E (Post-Incident Activity) is correct because it includes lessons learned, evidence retention, and report generation to improve future response efforts.

Exam trap

Cisco often tests the distinction between the four key NIST phases and the sub-steps within the third phase, causing candidates to mistakenly select Containment, Eradication, or Recovery as separate key phases instead of recognizing they are combined.

Question 80 · MCQ · easy

While supporting a hybrid workforce, a company wants to test whether legal, PR, IT, and executives understand their roles during a ransomware incident without touching production systems. What exercise is best? During post-incident improvement, which decision is most defensible? Which evidence should guide the decision?

A. Tabletop exercise using a realistic ransomware scenario
B. Purchasing a new SIEM without testing procedures
C. Annual password reset only
D. Full destructive malware detonation in production
Answer: A

Tabletops validate decision paths and communication without operational disruption. In post-incident improvement, responders need action that reduces risk while preserving the investigation record.

Why this answer

A tabletop exercise (option A) is the correct choice because it simulates a realistic ransomware scenario in a discussion-based format, allowing legal, PR, IT, and executives to validate their roles and decision-making processes without impacting production systems. This aligns with NIST SP 800-61r2 guidelines for testing incident response plans through low-impact, discussion-driven exercises, ensuring cross-functional coordination without risking data integrity or availability.

Exam trap

Cisco often tests the distinction between 'testing the plan' (tabletop) and 'testing the technology' (SIEM purchase or password reset), where candidates mistakenly choose a technical solution like a new SIEM because they focus on detection tools rather than validating human roles and decision-making processes.

How to eliminate wrong answers

Option B is wrong because purchasing a new SIEM without testing procedures introduces untested technology into the environment, which can create false positives/negatives and operational gaps, and does not validate human roles during an incident. Option C is wrong because an annual password reset only addresses a single authentication control and does not test the multi-team response, communication, or decision-making required during a ransomware incident, leaving critical gaps in legal, PR, and executive coordination.

Question 81 · Drag & Drop · medium

Arrange the steps for a typical penetration testing engagement in the correct order.

Why this order

Penetration testing follows a structured methodology: recon, scanning, exploitation, post-exploitation, and reporting.

Question 82 · MCQ · hard

File shares show rapid encryption and ransom-note creation from one workstation. What is the best immediate containment action? During containment, which decision is most defensible?

A. Run vulnerability scans on every subnet first
B. Restore backups before isolating the host
C. Email all users the ransom note
D. Isolate the workstation and disable its active sessions to file servers
Answer: D

Containment should stop encryption spread while preserving evidence for analysis. In containment, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because the immediate priority is to stop the ransomware from encrypting more data and spreading laterally. Isolating the workstation (e.g., disabling its network interface or disconnecting the cable) and terminating its active SMB sessions to file servers cuts off the encryption process at the source, preventing further damage while preserving forensic evidence.

Exam trap

Cisco often tests the principle that containment must be immediate and technical (e.g., isolating the host) rather than investigative (scanning) or restorative (backups), and the trap here is that candidates may think scanning or restoring is a valid first step, when in fact it wastes critical time during active encryption.

How to eliminate wrong answers

Option A is wrong because running vulnerability scans is a time-consuming, passive step that does nothing to halt active encryption or lateral movement; containment must come first. Option B is wrong because restoring backups before isolating the host risks re-infection if the ransomware is still active on the network, and it violates the containment-first principle of incident response. Option C is wrong because emailing the ransom note to all users is not a containment action; it may cause panic, spread misinformation, and does not stop the encryption or disable the attacker's access.
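Option D presupposes that the SOC can name the workstation and the shares it is hitting quickly, so here is an added example (not from the original question bank; it also covers the repeated scenario in questions 89 and 95, and the "shares touched" scoping item in question 88) of detection logic over file-server audit events that flags an encryption burst and produces the containment targets. The hostnames, users, share paths and timestamps are constructed, the event shape is a generic file-audit record rather than any vendor's format, and the 50-operations-per-minute threshold and ransom-note filename pattern are heuristics to tune per environment.

```python
"""Flag a ransomware encryption burst in file-server audit events and name
the host, user and shares to contain.

Added example, not from the original page. Hosts, users, paths and
timestamps are constructed; thresholds are heuristics.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Filenames ransom notes commonly use; a heuristic, not a signature.
RANSOM_NOTE = re.compile(r"(decrypt|recover|restore|readme).*\.(txt|html?)$", re.I)


def share_root(path):
    r"""'\\FS01\finance\q1\x.xlsx' -> '\\FS01\finance'."""
    return "\\".join(path.split("\\")[:4])


def build_sample_events():
    """Constructed audit trail: quiet activity from WS-007, then a burst from WS-042."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    events = []
    for i in range(5):  # normal editing, one write every 10 s
        events.append({"ts": base + timedelta(seconds=10 * i), "host": "WS-007",
                       "user": "asmith", "action": "write",
                       "path": f"\\\\FS01\\hr\\report{i}.docx"})
    for i in range(80):  # 80 renames to .locked in 40 s, across two shares
        share = "\\\\FS01\\finance" if i % 2 == 0 else "\\\\FS02\\projects"
        events.append({"ts": base + timedelta(seconds=120 + i * 0.5), "host": "WS-042",
                       "user": "jdoe", "action": "rename",
                       "path": f"{share}\\doc{i}.xlsx",
                       "new_path": f"{share}\\doc{i}.xlsx.locked"})
    events.append({"ts": base + timedelta(seconds=161), "host": "WS-042", "user": "jdoe",
                   "action": "create",
                   "path": "\\\\FS01\\finance\\HOW_TO_DECRYPT_FILES.txt"})
    return events


def detect_encryption_burst(events, window=timedelta(seconds=60), threshold=50):
    """Return one containment recommendation per host that looks like it is encrypting.

    A host is flagged when it performs at least `threshold` write/rename
    operations inside any sliding `window`, or creates a ransom-note-like
    file. The recommendation lists every share the host touched so its
    sessions to those servers can be terminated along with the isolation.
    """
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)

    findings = []
    for host, evs in by_host.items():
        reasons, peak, recent = [], 0, deque()
        for e in evs:
            if e["action"] in ("write", "rename"):
                recent.append(e["ts"])
                while e["ts"] - recent[0] > window:   # drop events outside the window
                    recent.popleft()
                peak = max(peak, len(recent))
            if e["action"] == "create" and RANSOM_NOTE.search(e["path"].rsplit("\\", 1)[-1]):
                reasons.append(f"ransom note created: {e['path']}")
        if peak >= threshold:
            reasons.insert(0, f"{peak} modifications within {int(window.total_seconds())}s")
        if reasons:
            findings.append({
                "host": host,
                "users": sorted({e["user"] for e in evs}),
                "shares": sorted({share_root(e["path"]) for e in evs}),
                "reasons": reasons,
                "action": ("isolate host from network; terminate its sessions to the "
                           "listed shares; keep the host powered on for memory capture"),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_encryption_burst(build_sample_events()):
        print(finding)
```

The output names the host to isolate and the specific shares whose sessions to cut, which is the whole of option D, and the recommendation deliberately says to keep the host powered on rather than shut it down, so that the memory evidence the later questions on volatility depend on is not lost during containment.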

Question 83 · Multi-Select · medium

During the post-incident analysis phase of an incident response process, which of the following activities are considered essential best practices? Choose all that apply. (There are four correct answers.)

Select 4 answers
- Creating a detailed timeline of the incident from detection to containment and recovery.
- Identifying gaps in existing security controls that allowed the incident to occur.
- Updating playbooks and incident response plans based on lessons learned.
- Performing a root cause analysis to determine the underlying cause of the incident.
- Immediately deleting all logs related to the incident to free up storage space.
- Notifying law enforcement and regulatory bodies before conducting any internal investigation.

Why this answer

A detailed timeline is essential for reconstructing the sequence of events, identifying the initial compromise vector, and measuring response effectiveness. It provides a factual basis for all subsequent analysis and reporting, ensuring that the incident response team can accurately assess the scope and impact of the incident.

Exam trap

CompTIA often tests the distinction between 'immediate containment actions' and 'post-incident analysis best practices,' where candidates mistakenly select actions that are appropriate during the containment phase (like preserving evidence) but not during the analysis phase, or they confuse notification requirements with internal investigation priorities.

Question 84 · MCQ · medium

During forensic acquisition, which of the following types of data is considered the MOST volatile?

A. Network connections.
B. Disk.
C. Page file.
D. RAM.
Answer: D

RAM is volatile and changes constantly; it is the most volatile.

Why this answer

RAM (Random Access Memory) is the most volatile data because it loses its contents immediately when power is removed. In forensic acquisition, the order of volatility dictates that RAM must be captured first, as it contains running processes, open network connections, and decrypted data that cannot be recovered from disk. Network connections, while volatile, are a subset of the data stored in RAM and are less critical to capture first.

Exam trap

CompTIA often tests the order of volatility by making candidates confuse 'network connections' as the most volatile because they change rapidly, but the key is that network connection data is stored in RAM, making RAM itself the most volatile component that must be acquired first.

How to eliminate wrong answers

Option A is wrong because network connections are a type of data that resides in RAM and are therefore less volatile than RAM itself; they are captured as part of the RAM dump. Option B is wrong because disk data is non-volatile and persists after power loss, making it the least volatile among the options. Option C is wrong because the page file (swap file) is stored on disk and is non-volatile; it is a secondary storage mechanism, not primary memory.

Question 85 · Matching · medium

Match each network protocol to its well-known port number.

Concepts

22

443

53

25

3389

Why these pairings

These are standard well-known port assignments.

Question 86 · Multi-Select · medium

An organization has just experienced a successful phishing attack that led to credential theft. The incident response team is performing analysis. Which three of the following indicators of compromise (IOCs) would be most relevant to investigate? (Choose three.)

Select 3 answers
- Unusual outbound network connections from user workstations.
- A spike in failed login attempts from a single IP address.
- New scheduled tasks created on endpoints without user knowledge.
- Emails with similar subject lines being sent from internal accounts.
- A sudden increase in available disk space on file servers.
- The antivirus definition file being updated automatically.

Why this answer

Unusual outbound network connections from user workstations are a key IOC because after credential theft, attackers often use stolen credentials to establish remote access or exfiltrate data, generating connections to command-and-control (C2) servers or unexpected external IPs. New scheduled tasks created on endpoints without user knowledge indicate persistence mechanisms, as attackers commonly use schtasks.exe or at.exe to maintain access and execute malicious code at regular intervals. Emails with similar subject lines being sent from internal accounts suggest lateral phishing or spam campaigns using compromised accounts to spread malware or harvest additional credentials, a classic post-exploitation behavior.

Exam trap

CompTIA often tests the distinction between indicators of a successful attack (post-compromise IOCs like lateral movement and persistence) versus indicators of an attempted attack (like brute-force failures), so candidates mistakenly choose failed login attempts instead of recognizing that credential theft leads to successful logins and internal propagation.

Question 87 · Drag & Drop · medium

Arrange the steps for conducting a risk assessment in the correct order.

Why this order

Risk assessment involves asset identification, threat/vulnerability identification, likelihood/impact analysis, risk calculation, and prioritization.

Question 88 · Multi-Select · medium

What should be included in incident scoping for ransomware? (Choose three.)

Select 3 answers
A. Initial infected host and user context
B. The brand of office chairs near the server room
C. Backup integrity and last known clean restore point
D. Shares or systems touched by the compromised account
Answers: A, C, D

The starting point helps identify root cause.

Why this answer

Option A is correct because identifying the initial infected host and user context is critical for understanding the attack vector, containing the threat, and preventing further spread. In ransomware incidents, the first compromised system often reveals the entry point (e.g., phishing email, RDP brute force) and the user account used, which helps scope the blast radius and prioritize remediation.

Exam trap

Cisco often tests the ability to filter out irrelevant physical or administrative details (like office chairs) that distract from the core technical scoping steps required in incident response.

Question 89 · MCQ · easy

After a high-priority SOC escalation, file shares show rapid encryption and ransom-note creation from one workstation. What is the best immediate containment action? During containment, which decision is most defensible? Which response best matches incident-response practice?

A. Run vulnerability scans on every subnet first
B. Restore backups before isolating the host
C. Email all users the ransom note
D. Isolate the workstation and disable its active sessions to file servers
Answer: D

Containment should stop encryption spread while preserving evidence for analysis. In containment, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because the immediate priority in a ransomware incident is to contain the threat by isolating the infected workstation from the network to prevent further encryption of file shares. Disabling active sessions to file servers (e.g., using SMB session termination or firewall rules) stops the lateral movement and encryption of shared data. This aligns with the NIST SP 800-61 containment strategy, which prioritizes stopping the spread before any other action.

Exam trap

Cisco often tests the misconception that you should run scans or restore backups first, but the trap here is that immediate containment (isolation) is always the priority to stop the spread, not investigation or recovery.

How to eliminate wrong answers

Option A is wrong because running vulnerability scans on every subnet first wastes critical time during an active ransomware outbreak; scanning does not stop ongoing encryption and is a post-containment step. Option B is wrong because restoring backups before isolating the host would allow the ransomware to continue encrypting newly restored files, and backups should only be used after containment to ensure a clean restore point. Option C is wrong because emailing all users the ransom note is not a containment action; it may cause panic, spread misinformation, and does not stop the encryption process.

Question 90 · MCQ · hard

A company's incident response team is handling a ransomware incident that has encrypted all files on the file server and spread to several workstations. The team has isolated the affected systems and obtained memory dumps and disk images. The CEO demands immediate restoration of operations and suggests paying the ransom to decrypt files quickly. The company has recent backups but they are stored on a network share that was also encrypted. The CISO wants to ensure that the root cause is identified before restoration. As the lead incident responder, which of the following actions should you take NEXT?

A. Pay the ransom and then restore from the decrypted files
B. Restore the backups to a clean environment and then reimage the affected systems
C. Immediately reimage all affected systems and restore from the most recent clean backups
D. Analyze the memory dumps to identify the infection vector and check for persistence mechanisms
Answer: D

Root cause analysis ensures that the vulnerability is fixed before restoration.

Why this answer

Option D is correct because analyzing the memory dumps will help identify the initial infection vector (e.g., phishing email, exploited vulnerability) and any persistence mechanisms. This information is critical to prevent reinfection after restoration. Options A and C skip root cause analysis, risking reinfection.

Option B is ill-advised and may not work.

Question 91 · MCQ · hard

An incident was contained successfully, but delayed escalation allowed the attacker more dwell time. What should the post-incident review produce? During eradication, which decision is most defensible?

A. A generic statement that security is important
B. Deletion of all incident tickets
C. A blame list of individual analysts
D. Specific playbook updates, escalation triggers, owners, and due dates
Answer: D

Lessons learned should translate findings into trackable process improvements. In eradication, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because a post-incident review must produce actionable improvements to prevent recurrence. Delayed escalation indicates a failure in detection or notification procedures; therefore, specific playbook updates, escalation triggers, owners, and due dates directly address the root cause by refining incident response workflows and ensuring timely escalation in future incidents.

Exam trap

CompTIA often tests the misconception that post-incident reviews are about assigning blame or cleaning up records, when the correct focus is on process improvement through specific, measurable updates to the incident response plan.

How to eliminate wrong answers

Option A is wrong because a generic statement that security is important provides no concrete, measurable changes to processes or procedures, failing to correct the specific escalation delay. Option B is wrong because deletion of all incident tickets destroys forensic evidence and audit trails required for compliance, legal proceedings, and future analysis under frameworks like NIST SP 800-61. Option C is wrong because a blame list of individual analysts fosters a punitive culture, discourages reporting, and ignores systemic process failures that allowed the escalation delay, contrary to the post-incident review's goal of continuous improvement.

Question 92 · MCQ · medium

While supporting a hybrid workforce, an incident was contained successfully, but delayed escalation allowed the attacker more dwell time. What should the post-incident review produce? During eradication, which decision is most defensible? Which evidence should guide the decision?

A. A generic statement that security is important
B. Deletion of all incident tickets
C. A blame list of individual analysts
D. Specific playbook updates, escalation triggers, owners, and due dates
Answer: D

Lessons learned should translate findings into trackable process improvements. In eradication, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because the post-incident review should produce actionable improvements to the incident response process. Specific playbook updates, escalation triggers, owners, and due dates directly address the delayed escalation and excessive dwell time by formalizing when and how to escalate, ensuring accountability and timely response in future incidents.

Exam trap

CompTIA often tests the distinction between punitive actions (blame) and process improvements (playbook updates); the trap here is that candidates may confuse accountability with blame, choosing a 'blame list' (Option C) instead of recognizing that systemic fixes are the defensible outcome.

How to eliminate wrong answers

Option A is wrong because a generic statement that security is important provides no measurable, actionable steps to fix the process failure; it lacks specificity and does not prevent recurrence. Option B is wrong because deletion of all incident tickets destroys forensic evidence, audit trails, and lessons-learned data, violating standard retention policies and potentially compliance requirements. Option C is wrong because a blame list of individual analysts fosters a punitive culture, discourages reporting, and ignores systemic process flaws; the focus should be on process improvement, not individual fault.

Question 93 · Multi-Select · medium

A security analyst suspects an insider threat based on unusual data access patterns by an employee. According to best practices, which TWO actions should the analyst take FIRST?

Select 2 answers
A. Restrict the employee's access to sensitive data.
B. Suspend the employee's accounts outright.
C. Immediately notify law enforcement.
D. Collect additional evidence without alerting the employee.
E. Confront the employee about the behavior.
Answers: A, D

Limiting access reduces risk while investigation continues.

Why this answer

Restricting the employee's access to sensitive data (A) is a correct first action because it immediately reduces the risk of further data exfiltration or damage while preserving the ability to investigate. Collecting additional evidence without alerting the employee (D) is also correct because it allows the analyst to build a forensic case covertly, preventing the insider from destroying evidence or altering behavior. Both actions align with the incident response principle of containment before eradication and the need to avoid tipping off a potential adversary.

Exam trap

CompTIA often tests the distinction between 'immediate containment' and 'overreaction' — the trap here is that candidates confuse 'suspending accounts' (a disruptive, all-or-nothing action) with 'restricting access' (a precise, reversible control), leading them to choose B instead of A.

Question 94 · MCQ · easy

While supporting a hybrid workforce, a web server contains a new file that executes commands through a query parameter. What evidence best confirms web-shell activity? During recovery, which decision is most defensible? Which evidence should guide the decision?

A. Only printer logs
B. Only the CEO's mailbox audit events
C. Web access logs, file timestamps, process execution, and outbound connections from the web service account
D. Only SSL certificate metadata
Answer: C

A web shell leaves evidence across file, web, process, and network telemetry. In recovery, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option C is correct because web-shell activity on a web server is best confirmed by correlating web access logs showing unusual query parameters with file timestamps indicating the creation of a new executable file, process execution logs revealing the web service account spawning a shell (e.g., cmd.exe or /bin/sh), and outbound connections from that account to an external IP—this multi-source evidence chain directly matches the behavior of a web shell executing commands via HTTP GET/POST parameters. During recovery, the most defensible decision is to isolate the server and preserve these logs as forensic artifacts, guided by the evidence of unauthorized command execution and outbound C2 traffic.

Exam trap

The trap here is that candidates often focus on a single log source (e.g., only web access logs) and ignore the need for corroborating evidence from process execution and network connections, which Cisco tests to ensure you understand that web-shell confirmation requires correlating multiple indicators across different log types.

How to eliminate wrong answers

Option A is wrong because printer logs only record print jobs and device status, which have no relevance to web-server command execution or web-shell activity—they lack HTTP request details, process execution data, or network connections. Option B is wrong because the CEO's mailbox audit events track email access and sending, not web-server file changes, process spawns, or outbound connections from the web service account—they are entirely unrelated to detecting or confirming a web shell.
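The four telemetry sources in option C only confirm a web shell when they line up in time and on the same service account, so here is an added example (not from the original question bank) of that correlation run over constructed log data. The combined-style access log lines, the file-creation, process and connection events, the web root `/var/www/html`, the service account `www-data` and all IPs are constructed assumptions; the 5-second and 60-second windows are tunable heuristics.

```python
"""Correlate web, file, process and network telemetry to confirm web-shell activity.

Added example, not from the original page. All log lines, events, paths,
account names and IPs are constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed combined-style access log: one ordinary request, then two hits
# on a freshly created PHP file, the first carrying a query parameter.
ACCESS_LOG = """\
203.0.113.5 - - [01/May/2024:10:15:02 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.23 - - [01/May/2024:10:16:40 +0000] "GET /uploads/cache.php?c=id HTTP/1.1" 200 87
198.51.100.23 - - [01/May/2024:10:16:55 +0000] "POST /uploads/cache.php HTTP/1.1" 200 212
"""
# Constructed file-integrity, process and connection events (UTC, ISO 8601).
FILE_EVENTS = [
    {"ts": "2024-05-01T10:14:30", "path": "/var/www/html/uploads/cache.php",
     "owner": "www-data", "event": "created"},
]
PROCESS_EVENTS = [
    {"ts": "2024-05-01T10:10:00", "user": "root", "parent": "cron", "image": "/usr/sbin/logrotate"},
    {"ts": "2024-05-01T10:16:41", "user": "www-data", "parent": "apache2", "image": "/bin/sh"},
    {"ts": "2024-05-01T10:16:56", "user": "www-data", "parent": "apache2", "image": "/bin/sh"},
]
NET_EVENTS = [
    {"ts": "2024-05-01T10:17:05", "user": "www-data", "dst": "198.51.100.200:443"},
    {"ts": "2024-05-01T10:30:00", "user": "root", "dst": "203.0.113.50:25"},
]

WEB_ROOT = "/var/www/html"          # assumption
SERVICE_ACCOUNT = "www-data"        # assumption: the account the web server runs as
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "cmd.exe", "powershell.exe"}
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$')


def parse_access_log(text):
    """Parse combined-style lines into dicts; malformed lines are skipped."""
    reqs = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        path, _, query = m["target"].partition("?")
        reqs.append({"ts": ts, "ip": m["ip"], "method": m["method"],
                     "path": path, "query": query, "status": int(m["status"])})
    return reqs


def _within(later, earlier, window):
    delta = (datetime.fromisoformat(later) - earlier).total_seconds()
    return 0 <= delta <= window.total_seconds()


def correlate(access_log, file_events, process_events, net_events,
              proc_window=timedelta(seconds=5), net_window=timedelta(seconds=60)):
    """Build one evidence chain per request to a newly created file under the web root.

    A chain is 'confirmed' only when the request, a shell spawned by the
    service account within proc_window, and an outbound connection from that
    account within net_window all line up; any one source alone is not enough.
    """
    created = {f["path"][len(WEB_ROOT):]: datetime.fromisoformat(f["ts"])
               for f in file_events if f["event"] == "created"}
    chains = []
    for req in parse_access_log(access_log):
        if req["path"] not in created:
            continue
        shells = [p for p in process_events if p["user"] == SERVICE_ACCOUNT
                  and p["image"] in SHELLS and _within(p["ts"], req["ts"], proc_window)]
        outbound = [n for n in net_events if n["user"] == SERVICE_ACCOUNT
                    and _within(n["ts"], req["ts"], net_window)]
        chains.append({
            "request": f'{req["method"]} {req["path"]}' + (f'?{req["query"]}' if req["query"] else ""),
            "client_ip": req["ip"],
            "file_created_at": created[req["path"]].isoformat(),
            "shell_spawns": [p["ts"] for p in shells],
            "outbound": [n["dst"] for n in outbound],
            "confirmed": bool(shells) and bool(outbound),
        })
    return chains


if __name__ == "__main__":
    for chain in correlate(ACCESS_LOG, FILE_EVENTS, PROCESS_EVENTS, NET_EVENTS):
        print(chain)
```

Each returned chain is the artefact the answer describes: the request, the file's creation time, the shell the service account spawned seconds later, and the outbound connection that followed. Removing any one source (run `correlate` with an empty `NET_EVENTS`, for example) leaves the chain unconfirmed, which is the point the exam trap below makes about single-source evidence.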

Question 95 · MCQ · medium

In a regulated payment environment, file shares show rapid encryption and ransom-note creation from one workstation. What is the best immediate containment action? During containment, which decision is most defensible? Which action best reduces risk without losing evidence?

A. Run vulnerability scans on every subnet first
B. Restore backups before isolating the host
C. Email all users the ransom note
D. Isolate the workstation and disable its active sessions to file servers
Answer: D

Containment should stop encryption spread while preserving evidence for analysis. In containment, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because isolating the workstation immediately stops the ransomware from encrypting additional file shares and prevents lateral movement. Disabling active sessions to file servers cuts off the encryption process at the network level, preserving the forensic evidence on the host and shares. This aligns with the NIST SP 800-61 containment strategy of 'stop the bleeding' before any other action.

Exam trap

Cisco often tests the misconception that recovery (backups) or broad scanning should come before containment, but the immediate priority is always to stop the attack from spreading, even if it means delaying evidence collection or recovery.

How to eliminate wrong answers

Option A is wrong because running vulnerability scans on every subnet first wastes critical time during an active ransomware outbreak; scanning does not stop encryption and may alert the attacker. Option B is wrong because restoring backups before isolating the host risks re-encrypting the restored data if the ransomware is still active on the network; containment must precede recovery. Option C is wrong because emailing all users the ransom note spreads panic, may trigger further malicious actions, and does nothing to halt the encryption or preserve evidence.

Question 96 · MCQ · medium

While supporting a hybrid workforce, a laptop may contain evidence for a legal investigation. What should the responder document during acquisition? During post-incident improvement, which decision is most defensible? Which evidence should guide the decision?

A. Only the laptop colour
B. Only the ticket priority
C. Only the user's job title
D. Who collected it, when, where, hash values, transfer details, and storage location
Answer: D

Chain of custody records evidence handling and integrity from collection onward. In post-incident improvement, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because forensic acquisition requires a complete chain of custody to ensure evidence admissibility in legal proceedings. Documenting who collected the evidence, when and where it was collected, hash values (e.g., SHA-256) for integrity verification, transfer details (e.g., using a write-blocker and forensic imaging tool like FTK Imager), and the storage location (e.g., secure evidence locker or encrypted NAS) satisfies legal and organizational standards such as NIST SP 800-86.

Exam trap

Cisco often tests the distinction between operational data (e.g., ticket priority, job title) and legally required forensic documentation (chain of custody, hash values, transfer details) to trap candidates who confuse incident response triage with evidence acquisition.

How to eliminate wrong answers

Option A is wrong because documenting only the laptop color provides no forensic value and fails to establish chain of custody or evidence integrity. Option B is wrong because the ticket priority is an operational metric unrelated to forensic evidence handling and does not meet legal admissibility requirements. Option C is wrong because the user's job title is irrelevant to the forensic acquisition process and does not help verify that the evidence was collected, transferred, and stored without tampering.

Question 97 · MCQ · medium

During a post-compromise review, a malware alert affects a single kiosk with no sensitive access. A second alert shows the same malware on a domain admin workstation. What should drive severity? During recovery, which decision is most defensible? Which action should be prioritized before closure?

A. Whether the alert arrived first
B. Business impact, privilege level, asset criticality, and spread potential
C. Alphabetical order of hostnames
D. The analyst's preferred dashboard theme
Answer: B

Severity should reflect impact and risk, not only malware family name. In recovery, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option B is correct because severity in incident response is determined by business impact, privilege level, asset criticality, and spread potential — not by the order of detection. The domain admin workstation has elevated privileges and access to critical systems, making the second alert far more severe even if it arrived later. This aligns with NIST SP 800-61 and common IR frameworks that prioritize containment based on risk to the enterprise.

Exam trap

Cisco often tests the misconception that the first alert or the most recent alert determines severity, when in fact privilege level and asset criticality (especially domain admin vs. kiosk) are the decisive factors.

How to eliminate wrong answers

Option A is wrong because the order of alert arrival has no bearing on severity; a later alert on a higher-privilege asset is more critical. Option C is wrong because hostname alphabetical order is irrelevant to risk assessment and would ignore privilege and asset value. Option D is wrong because an analyst's dashboard theme is a UI preference and has no impact on incident severity or recovery decisions.

98
MCQ · medium

The SOC receives an alert from a network sensor showing an internal host communicating with a known malicious IP over HTTPS. The analyst cannot find any process making outbound connections on the host. What should the analyst do next?

A. Capture a memory dump of the host
B. Block the IP at the firewall
C. Check for hidden processes or rootkits using specialized tools
D. Reimage the host immediately
Answer: C

Hidden processes can be detected by tools like rootkit revealers, addressing the anomaly.

Why this answer

Option C is correct because a sensor-confirmed connection with no visible owning process suggests a rootkit or hidden process that requires deep analysis with specialized tools. The other options may be premature or incomplete.

99
MCQ · easy

A developer accidentally committed a cloud access key to a public repository. Logs show the key was used from an unfamiliar IP. What should be done first? During eradication, which decision is most defensible?

A. Wait to see whether charges increase
B. Disable or rotate the key and review actions performed with it
C. Block the developer's laptop from Wi-Fi
D. Ask the developer to delete the commit only
Answer: B

The exposed credential must be invalidated and its use scoped through audit logs. In eradication, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option B is correct because the immediate priority is to revoke the compromised credential to prevent further unauthorized access. Disabling or rotating the cloud access key stops any ongoing malicious activity, and reviewing the actions performed with it allows the incident response team to assess the scope of the breach, identify affected resources, and determine if any data was exfiltrated or modified. This aligns with the containment and eradication phases of incident response.

Exam trap

Cisco often tests the misconception that physical or network-level controls (like blocking a laptop) are sufficient for cloud credential exposure, when the real threat is the attacker using the key remotely, not the developer's device.

How to eliminate wrong answers

Option A is wrong because waiting to see whether charges increase is a passive, reactive approach that allows the attacker continued access, potentially leading to greater data loss, resource abuse, and financial damage; it violates the principle of immediate containment. Option C is wrong because blocking the developer's laptop from Wi-Fi does not address the root cause, the compromised cloud access key; the attacker is using the key from an unfamiliar IP, not from the developer's device, so this action does nothing to stop the unauthorized cloud access.

100
MCQ · hard

While supporting a hybrid workforce, a malware alert affects a single kiosk with no sensitive access. A second alert shows the same malware on a domain admin workstation. What should drive severity? During recovery, which decision is most defensible? Which evidence should guide the decision?

A. Whether the alert arrived first
B. Business impact, privilege level, asset criticality, and spread potential
C. Alphabetical order of hostnames
D. The analyst's preferred dashboard theme
Answer: B

Severity should reflect impact and risk, not only malware family name. In recovery, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option B is correct because severity in incident response is determined by business impact, privilege level, asset criticality, and spread potential. The domain admin workstation has elevated privileges and access to critical systems, making the same malware far more dangerous than on a kiosk. This aligns with NIST SP 800-61 and common IR frameworks that prioritize containment based on risk, not chronology or naming.

Exam trap

Cisco often tests the misconception that the first alert or a simple naming convention should drive severity, when in fact the correct approach is to evaluate the contextual risk factors like privilege and asset criticality.

How to eliminate wrong answers

Option A is wrong because the order of alert arrival does not reflect actual risk; a later alert on a domain admin workstation is far more severe than an earlier one on a kiosk. Option C is wrong because alphabetical order of hostnames has no bearing on security risk or recovery priority; it is a meaningless sorting method that ignores privilege levels and asset criticality.

101
Multi-Select · hard

Which actions belong in eradication after a confirmed web-shell compromise? (Choose two.)

Select 2 answers
A. Remove the web shell and close the exploited vulnerability
B. Reconnect the server before checking persistence
C. Rotate credentials exposed to the compromised web server
D. Only block the analyst's IP address
Answers: A, C

Both the malicious artefact and the entry path must be addressed.

Why this answer

Option A is correct because removing the web shell eliminates the attacker's foothold, and closing the exploited vulnerability (e.g., patching the application, disabling vulnerable functions like `eval()` or `system()`, or updating a CMS plugin) prevents re-exploitation. This aligns with the eradication phase of incident response, which aims to remove all artifacts of the compromise and harden the system against the same attack vector.

Exam trap

Cisco often tests the distinction between containment (e.g., isolating the server) and eradication (e.g., removing the threat and fixing the root cause), so candidates may mistakenly choose actions that only contain the incident rather than fully eliminate the attacker's access.
