CCNA Cysa Incident Response Questions

Questions 76–109 of 109 · Page 2 of 2 · Cysa Incident Response topic

76
MCQ · medium

An organization is experiencing a DDoS attack targeting its web servers. Which of the following is the BEST short-term containment strategy?

A. Rebuild the web servers from backups.
B. Implement rate limiting on the firewall.
C. Reroute traffic through a DDoS mitigation service.
D. Disable the web server accounts.
Answer: C

Diverting traffic to a scrubbing service is the standard short-term containment for a DDoS attack.

Why this answer

Short-term containment for DDoS means getting the malicious traffic filtered before it reaches the origin, which a scrubbing center or cloud-based DDoS mitigation service does at a scale the organization's own perimeter cannot. Rate limiting on the firewall (B) only acts on traffic that has already crossed the upstream link, so it does nothing for a volumetric attack that saturates that link. Rebuilding servers (A) is recovery, not containment, and disabling accounts (D) has no effect on an attack that never authenticates.

77
MCQ · medium

A security team is responding to a phishing incident that led to credential compromise. Which of the following is the BEST short-term containment action to prevent further damage?

A. Disable the compromised user account.
B. Rebuild the user's workstation.
C. Block the phishing email's source IP at the firewall.
D. Rotate all domain admin passwords.
Answer: A

Disabling the account immediately stops further use of the stolen credentials.

Why this answer

Short-term containment aims to stop the attacker quickly with the least disruption. Disabling the compromised account removes the attacker's access path; in practice, also terminate the user's existing sessions and revoke issued tokens, since disabling an account does not end sessions that are already open. Rebuilding the workstation (B) is eradication and recovery. Blocking the sender's IP (C) does nothing about credentials the attacker already holds. Rotating every domain admin password (D) is disproportionate unless there is evidence the attacker escalated to those accounts.

78
MCQ · easy

Which of the following is the MOST volatile data according to the order of volatility?

A. Disk storage
B. Swap space
C. RAM
D. CPU registers and cache
Answer: D

CPU registers and cache sit at the top of the order of volatility.

Why this answer

CPU registers and cache are the most volatile because they hold data only while the system is powered on and actively executing instructions. Unlike RAM, which retains data for a short time after power loss, registers and cache lose their contents almost instantly when the CPU halts, making them the highest priority in the order of volatility (OOV) for forensic acquisition.

Exam trap

The exam often tests the misconception that RAM is the most volatile data source; the correct answer is CPU registers and cache because they are cleared the instant the CPU halts or loses power. In practice no standard tool captures them separately, so a live memory dump is the first acquisition step an analyst can actually perform.

How to eliminate wrong answers

Option A is wrong because disk storage (HDD/SSD) is non-volatile and retains data after power loss, making it the least volatile of the four. Option B is wrong because swap space is a region on disk used as virtual memory; it may hold pages from terminated processes, but it persists on disk and is less volatile than RAM or CPU registers. Option C is wrong because RAM, although volatile, is less so than CPU registers and cache; RAM contents decay over seconds to minutes after power loss (the basis of cold-boot attacks), whereas registers and cache are cleared immediately when the CPU stops executing.

79
Multi-select · medium

An incident responder is performing containment of a ransomware incident that has encrypted files on several file servers. Which THREE actions are appropriate for long-term containment and recovery? (Select THREE)

A. Blocking the ransomware's command-and-control IP at the firewall
B. Patching the vulnerability exploited by the ransomware
C. Rebuilding affected servers from known-good backups
D. Rotating all service account credentials
E. Isolating the affected network segment
Answers: B, C, D

Patching, rebuilding and credential rotation address the root cause and prevent re-entry; the other two options are short-term containment.

Why this answer

Long-term containment aims to prevent recurrence and restore normal operations. Patching the exploited vulnerability (B) closes the initial attack vector. Rebuilding systems from clean, verified backups (C) ensures the malware is gone; check that the backups predate the intrusion and were not themselves encrypted. Rotating credentials (D) denies the attacker re-entry with anything harvested during the intrusion. Blocking the C2 address (A) and isolating the segment (E) are the immediate, short-term containment steps taken first, not long-term measures.

80
MCQ · medium

An analyst is investigating a suspected data breach. The analyst needs to identify which files were exfiltrated and preserve evidence. According to the order of volatility, which of the following should the analyst capture FIRST?

A. Contents of the hard drive
B. Network connections and listening ports
C. CPU registers and cache
D. System logs
Answer: C

Registers and cache are the most volatile and therefore come first in the order.

Why this answer

The order of volatility prioritizes capturing the data that will disappear soonest: CPU registers and cache first, then RAM and network state, then swap, disk, and finally logs and archival media. Network connections (B) are the second most volatile item offered here and the one an analyst would practically collect first, since registers cannot be dumped separately; the hard drive (A) and system logs (D) persist and are imaged later.

81
MCQ · medium

During the detection and analysis phase of incident response, a security analyst identifies suspicious outbound traffic from a workstation to an external IP address known for command and control (C2) activity. Which classification should the analyst assign to this incident?

A. Insider threat
B. Data breach
C. Phishing
D. Malware
Answer: D

C2 communication is a classic indicator of a malware infection, such as a bot or trojan.

Why this answer

Outbound communication with a known C2 server indicates that something on the workstation is being remotely controlled, which is characteristic of a malware infection (a bot, RAT or trojan). Phishing (C) may have been the delivery method, and a data breach (B) may follow, but the observed evidence supports a malware classification; nothing observed points to an insider (A).

82
Multi-select · medium

A company has experienced a ransomware attack that encrypted critical servers. The incident response team is in the containment, eradication, and recovery phase. Which THREE actions are part of long-term containment? (Choose three.)

A. Apply security patches to vulnerable systems
B. Rotate all privileged account credentials
C. Isolate the infected systems from the network
D. Block the ransomware's C2 domain at the firewall
E. Rebuild affected servers from clean backups
Answers: A, B, E

Patching addresses the root cause; rebuilding and credential rotation remove the attacker's foothold.

Why this answer

Long-term containment covers the actions that prevent recurrence while the environment is returned to production: patching the exploited weakness, rebuilding compromised systems from clean media, and rotating credentials the attacker may have captured. Isolating systems (C) and blocking the C2 domain (D) are short-term containment steps that stop the immediate damage.

83
MCQ · easy

An incident responder is classifying an incident. The incident involves ransomware encrypting files on multiple workstations, causing significant business disruption. Which severity level should be assigned to this incident?

A. Medium
B. High
C. Informational
D. Low
Answer: B

Ransomware spreading across multiple systems with significant business disruption is a high-severity incident.

Why this answer

Severity is driven by impact and scope. Ransomware that has already encrypted files on multiple workstations and disrupted business operations has high impact and broad scope, so it ranks at the top of the scale offered here. Many organizations define a Critical level above High (for example, when production servers or safety systems are affected); it is not an option in this question, so High is the correct choice. Medium, Low and Informational (A, C, D) all understate an active, spreading, business-disrupting infection.

84
Multi-select · hard

A security analyst is investigating a potential insider threat where a user is suspected of exfiltrating sensitive data via USB drives. The analyst needs to gather evidence while preserving the chain of custody. Which THREE actions should the analyst perform? (Choose THREE.)

A. Creating a forensic image of the USB drive using a write blocker
B. Disabling the user's network account immediately
C. Interviewing the user about their activities
D. Documenting the chain of custody for the USB drive
E. Computing a hash of the original USB drive and the forensic image
Answers: A, D, E

Imaging through a write blocker captures the drive's contents without altering them.

Why this answer

Forensically sound collection means imaging the drive through a write blocker (A), hashing both the original and the image so the copy can be proven identical (E), and recording every hand-off of the drive in the chain-of-custody log (D). Disabling the account (B) is a containment step, not evidence collection, and interviewing the suspect (C) is an HR and legal matter that can tip them off before the evidence is secured.

85
MCQ · medium

An analyst is reviewing a suspicious executable using static analysis. Which of the following would provide information about the functions the executable imports from system libraries?

A. Import table analysis
B. PE header analysis
C. String extraction
D. YARA rule creation
Answer: A

The import table is the structure that lists imported functions.

Why this answer

The import table (the import directory referenced from the PE optional header's data directories) lists the DLLs and the functions within them that the executable calls, which reveals its potential capabilities. PE header analysis (B) is the broader activity within which the import table is found; string extraction (C) may show DLL and API names as text but without the structure; a YARA rule (D) detects patterns rather than enumerating imports.

86
MCQ · hard

During a post-incident review, the team identifies that detection was delayed because alerts from multiple sources were not correlated. Which improvement would BEST address this issue?

A. Disable non-critical alerts
B. Implement a SIEM solution
C. Increase the number of security staff
D. Increase logging verbosity
Answer: B

A SIEM correlates logs and alerts from many sources so that related events surface as one incident.

Why this answer

A SIEM (Security Information and Event Management) platform collects events from multiple sources, normalizes them, and applies correlation rules that link related events (for example an IDS alert, a proxy log and an EDR alert for the same host within a short window) into a single incident, which directly addresses the delay described. Disabling alerts (A) hides signals, more staff (C) does not solve the correlation problem, and more verbose logging (D) adds volume without linking events.
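The correlation rule described above, as an added example rather than code from this page or from any SIEM product: it groups constructed log lines from three hypothetical sources (ids, proxy, edr) by host, slides a 10-minute window, and raises one incident when two or more distinct sources fire on the same host. The window, the source names and the `sig` field are assumptions of this example.

```python
"""Cross-source alert correlation of the kind a SIEM rule performs.

Added example for this page; the log lines are constructed, not real telemetry,
and the source names (ids, proxy, edr), fields and window are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: "<ISO timestamp> <source> host=<name> key=value ..."
SAMPLE_LOGS = """\
2024-05-01T09:00:12Z ids host=ws-0421 sig=ET_MALWARE_known_C2_beacon dst=203.0.113.7
2024-05-01T09:03:40Z proxy host=ws-0421 action=allow dst=203.0.113.7 bytes_out=48211
2024-05-01T09:04:05Z edr host=ws-0421 event=new_process image=C:\\Users\\Public\\svchost.exe
2024-05-01T09:05:00Z proxy host=ws-0999 action=allow dst=198.51.100.20 bytes_out=1203
2024-05-01T11:30:00Z ids host=ws-0999 sig=ET_SCAN_nmap dst=10.0.0.5
"""

WINDOW = timedelta(minutes=10)  # correlation window (assumption for the example)
MIN_SOURCES = 2                 # distinct sources required before an incident is raised


def parse_event(line):
    """Split one constructed line into timestamp, source, host and remaining key=value fields."""
    ts, source, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "source": source, "host": fields.pop("host"), "fields": fields}


def correlate(log_text, window=WINDOW, min_sources=MIN_SOURCES):
    """Group events per host and return one incident per host whose events from
    at least `min_sources` distinct sources fall inside a single window.

    Each event here is low-confidence on its own (an allowed proxy request,
    a new process); it is the combination on one host that matters."""
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_event(line)
            by_host[ev["host"]].append(ev)

    incidents = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):
            cluster = [e for e in events[i:] if e["ts"] - first["ts"] <= window]
            sources = {e["source"] for e in cluster}
            if len(sources) >= min_sources:
                incidents.append({"host": host, "start": first["ts"],
                                  "sources": sorted(sources), "events": cluster})
                break  # first qualifying window is enough; later ones are the same incident
    return incidents


def classify(incident):
    """Coarse category for triage: a C2 signature on the host means malware (see Q81)."""
    for e in incident["events"]:
        if "c2" in e["fields"].get("sig", "").lower():
            return "malware"
    return "suspicious-activity"


def run():
    """Correlate the sample logs and return (host, sources, category) per incident."""
    return [(inc["host"], inc["sources"], classify(inc)) for inc in correlate(SAMPLE_LOGS)]
```

Only ws-0421 produces an incident: its IDS, proxy and EDR events fall within four minutes of each other. ws-0999 has two alerts from two sources but more than two hours apart, which is exactly the case an uncorrelated alert queue and a naive "same host" rule would both get wrong.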

87
MCQ · hard

An analyst is performing static analysis on a suspicious executable. The analyst discovers that the PE file has a suspicious section name and a high entropy value. Which tool or technique would be MOST useful for further analyzing the packed nature of the file?

A. Extracting strings from the binary
B. Using a YARA rule to detect the packer
C. Using PEiD or similar packer identifier
D. Running the file in a sandbox
Answer: C

PEiD and similar tools identify common packers, cryptors and compilers from signatures.

Why this answer

High entropy and non-standard section names (for example UPX0/UPX1) are indicators of packing. A packer identifier such as PEiD, or a maintained equivalent like Detect It Easy, matches the file against known packer signatures and tells the analyst which unpacker to use. Strings (A) and imports on a packed file are mostly meaningless until it is unpacked; a YARA rule (B) could detect a packer, but only one the analyst has already written a rule for; a sandbox (D) is dynamic analysis and leaves the static question of what packed the file unanswered. A custom packer will not match any signature, in which case the entropy measurement itself remains the evidence of packing.

88
MCQ · hard

A security analyst is investigating a suspected insider threat incident. The analyst needs to preserve evidence before containment. Which of the following actions should the analyst prioritize to maintain the integrity of digital evidence?

A. Imaging the suspect's hard drive using dd without a write blocker
B. Rebooting the suspect's computer to ensure no hidden processes are running
C. Using a write blocker to create a forensic image of the hard drive
D. Deleting suspicious files to prevent further damage
Answer: C

A write blocker prevents any write to the source drive, preserving evidence integrity.

Why this answer

Using a write blocker when imaging the drive guarantees that the original is never modified, which is what makes the image defensible as evidence. Imaging with dd but no write blocker (A) risks the operating system mounting and writing to the drive (journal replays, access-time updates). Rebooting (B) destroys volatile evidence and triggers writes to disk. Deleting files (D) destroys evidence outright.

89
MCQ · hard

A SOC analyst receives an alert from a threat intelligence platform (TIP) about a new phishing campaign. The indicator is a URL. Which enrichment source is BEST for determining the URL's current hosting infrastructure?

A. VirusTotal
B. WHOIS
C. Shodan
D. Passive DNS
Answer: D

Passive DNS shows the IP addresses the domain has resolved to over time, including now.

Why this answer

Passive DNS records historical and current resolutions for the domain in the URL, which reveals the hosting IP addresses and any changes as the attacker moves infrastructure. WHOIS (B) gives registration details, not hosting. Shodan (C) describes services on an IP once you already know it. VirusTotal (A) aggregates many sources, including some passive DNS data, but is a reputation service rather than the primary infrastructure source.

90
Multi-select · easy

An incident response team is conducting post-incident activities after containing a malware outbreak. Which TWO activities should be included in the lessons learned phase? (Choose TWO.)

A. Deleting all logs from the incident.
B. Conducting a root cause analysis.
C. Rewriting the organization's security policy from scratch.
D. Updating detection rules based on IOCs.
E. Patching all systems immediately.
Answers: B, D

Root cause analysis explains why the incident happened; updated detections make sure it is caught next time.

Why this answer

Lessons learned analyzes the incident to improve future prevention and response. Root cause analysis (B) identifies the weakness that allowed the outbreak, and feeding the incident's IOCs into detection rules (D) shortens the time to detection if it recurs. Deleting logs (A) destroys evidence, rewriting the entire policy (C) is disproportionate, and emergency patching (E) belongs to eradication, not the review.

91
Multi-select · easy

An incident response team is analyzing indicators of compromise (IOCs) from a phishing campaign. Which THREE of the following are commonly used IOC types? (Select THREE.)

A. CPU registers
B. IP addresses
C. Domain names
D. Software version numbers
E. File hashes
Answers: B, C, E

IP addresses, domain names and file hashes are the atomic IOCs shared in nearly every threat feed.

Why this answer

Common IOC types include IP addresses, domain names, URLs, file hashes, and email indicators such as sender addresses and subject lines. CPU register contents (A) are volatile forensic data, not an indicator, and a software version number (D) describes exposure to a vulnerability rather than evidence of compromise.

92
MCQ · easy

A security analyst is analyzing a suspicious file using static analysis. The analyst wants to identify imported functions to determine the file's capabilities. Which tool or technique is BEST suited for this task?

A. Extracting strings from the file
B. Submitting the file to VirusTotal
C. Running the file in a sandbox like Cuckoo
D. Analyzing the PE header's import table
Answer: D

The import table lists the DLLs and functions the file uses, which maps directly to its capabilities.

Why this answer

PE analysis includes walking the import table to see which Windows API functions the executable calls, such as process-injection or networking APIs, which reveals its potential behavior without running it. Strings (A) are unstructured, VirusTotal (B) gives reputation, and a sandbox (C) is dynamic analysis.

93
MCQ · medium

During a forensic analysis, an analyst needs to collect data in order of volatility. Which of the following represents the correct order from most volatile to least volatile?

A. Disk, swap, RAM, CPU registers, logs
B. CPU registers, RAM, swap, disk, logs
C. RAM, CPU registers, swap, disk, logs
D. Logs, disk, swap, RAM, CPU registers
Answer: B

Most volatile first: CPU registers, then RAM, swap, disk, and finally logs.

Why this answer

The order of volatility collects data in memory (CPU registers and cache, then RAM) first, followed by less volatile data: swap, then disk, then logs held on remote systems or archival media. Option C swaps the first two, and A and D run in the wrong direction.

94
Multi-select · medium

A security analyst is performing forensic analysis of a compromised system. The analyst needs to acquire disk evidence in a forensically sound manner. Which TWO actions should the analyst take to ensure the integrity of the evidence? (Choose TWO.)

A. Calculate a hash of the original drive before imaging
B. Disable the write blocker to speed up the imaging process
C. Use a write blocker when connecting the source drive
D. Power on the system and run a full antivirus scan before imaging
E. Reboot the system to clear any temporary files
Answers: A, C

Hashing the original drive gives a reference value against which the image can be verified.

Why this answer

Using a write blocker prevents any alteration of the original disk, and computing a hash of the original before imaging, then of the image (and again of the original afterwards), verifies that the acquired copy is exact and that the source was untouched. Disabling the write blocker (B), booting the system (D) or rebooting it (E) all write to the evidence drive.
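The two controls in this answer carried through as an added example (not the quiz author's code): a Python equivalent of imaging with dd that hashes the original, copies it, hashes the copy and re-hashes the original, then appends a chain-of-custody record. The evidence here is a constructed file standing in for a write-blocked drive; the examiner and case identifiers are hypothetical. Software cannot replace a hardware write blocker, so the chmod below is only a reminder of where that control sits.

```python
"""Forensically sound disk acquisition: hash, image, hash again, log the custody record.

Added example for this page, not the quiz author's code. The 'drive' is a constructed
file; in real use the source is a device node behind a hardware write blocker."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads, like dd bs=1M


def sha256_file(path):
    """Stream the file through SHA-256 so multi-TB evidence never has to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image_path, custody_log, examiner, case_id):
    """Hash the original, copy it block by block, hash the copy and the original again.

    The post-hash of the original proves the source was not altered during imaging;
    the image hash proves the copy is exact. All three go into the custody record."""
    pre_hash = sha256_file(source)
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    image_hash = sha256_file(image_path)
    post_hash = sha256_file(source)
    entry = {
        "case_id": case_id,
        "item": os.path.basename(source),
        "action": "acquired",
        "examiner": examiner,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "image_path": image_path,
        "sha256_original_before": pre_hash,
        "sha256_image": image_hash,
        "sha256_original_after": post_hash,
        "verified": pre_hash == image_hash == post_hash,
    }
    with open(custody_log, "a") as log:  # append-only: every hand-off adds a line, none are edited
        log.write(json.dumps(entry) + "\n")
    return entry


def demo():
    """Constructed evidence: 3 MiB plus one sector of random data standing in for a drive."""
    workdir = tempfile.mkdtemp()
    evidence = os.path.join(workdir, "sdb.evidence")
    with open(evidence, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 512))
    os.chmod(evidence, 0o444)  # reminder only; the real control is the hardware write blocker
    return acquire_image(evidence, os.path.join(workdir, "sdb.dd"),
                         os.path.join(workdir, "custody.jsonl"),
                         examiner="analyst-1 (hypothetical)", case_id="IR-0001 (hypothetical)")
```

The custody log is written as one JSON line per event so later hand-offs (transfer to storage, check-out for analysis, return) append further lines without touching earlier ones; any later doubt about the image is settled by re-running `sha256_file` on it and comparing with the recorded value.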

95
MCQ · easy

An organization wants to automate the sharing of threat intelligence with other trusted entities using a standardized protocol. Which protocol is specifically designed for this purpose?

A. STIX
B. TAXII
D. MISP
Answer: B

TAXII is the transport protocol for exchanging threat intelligence.

Why this answer

TAXII (Trusted Automated eXchange of Indicator Information) defines how cyber threat intelligence is exchanged between parties, typically carrying content written in STIX. STIX (A) is the language for describing the intelligence, not the transport, and MISP (D) is a sharing platform rather than a protocol.

96
MCQ · hard

A security analyst is performing memory acquisition on a compromised Linux server using LiME. The analyst needs to capture the memory image with minimal impact on the system. Which of the following parameters should the analyst use to ensure the output is forensically sound?

A. Use the digest parameter to calculate a SHA-256 hash during acquisition
B. Specify a format that compresses the output to reduce size
C. Ensure the output path is on a write-blocked device
D. Use a reload parameter to reload the original kernel module after acquisition
Answer: A

Hashing the image as it is written gives an integrity reference that can be verified before analysis.

Why this answer

LiME is loaded with insmod and takes key=value module parameters: path, format, and optionally digest. Passing digest=sha256 makes LiME hash the captured memory as it is written and record the digest alongside the dump, so the image can be verified later against the value taken at acquisition time. Option C is a contradiction: a write blocker prevents writes, so the dump could not be written to such a device at all; the dump should instead go to external media or across the network (LiME accepts a tcp:<port> path), never onto the evidence host's own disk, which would overwrite unallocated space. Compressing the output (B) saves space but does nothing for integrity, and LiME has no reload parameter (D).

97
Multi-select · medium

An organization is experiencing a distributed denial-of-service (DDoS) attack targeting its web servers. The incident response team is implementing containment strategies. Which TWO actions are appropriate for short-term containment of a DDoS attack? (Choose TWO.)

A. Rerouting traffic through a DDoS mitigation service or scrubbing center
B. Disabling the accounts of the attackers
C. Applying a security patch to the web server software
D. Rebuilding the web servers from clean images
E. Blocking the attacking IP addresses at the firewall
Answers: A, E

Scrubbing centers filter malicious traffic before it reaches the origin; perimeter blocks handle attack sources you can enumerate.

Why this answer

Short-term containment for DDoS means dropping attack traffic as far upstream as possible: diverting it through a scrubbing center and blocking identified source addresses at the perimeter. Blocking at the firewall works only while the set of sources is small and the upstream link is not saturated; a large botnet or spoofed flood needs the scrubbing service. Patching (C) does not stop a flood, rebuilding (D) is recovery, and the attackers have no accounts to disable (B).

98
MCQ · medium

An organization uses MISP (Malware Information Sharing Platform) to share threat intelligence with trusted partners. Which of the following standards is commonly used by MISP to structure and exchange threat intelligence data?

A. NetFlow
C. STIX/TAXII
Answer: C

STIX and TAXII are the open standards for threat intelligence sharing, and MISP can import and export both.

Why this answer

STIX (Structured Threat Information Expression) describes threat intelligence and TAXII (Trusted Automated eXchange of Indicator Information) transports it; MISP supports STIX import and export and TAXII feeds alongside its own JSON event format. NetFlow (A) is a network traffic metadata format unrelated to intelligence sharing.

99
MCQ · easy

A security analyst needs to share threat intelligence with other organizations in a standardized format. Which of the following standards should the analyst use?

B. STIX/TAXII
C. SOAP
Answer: B

STIX/TAXII are the standard pairing for threat intelligence sharing.

Why this answer

STIX (Structured Threat Information Expression) is a standardized language for describing threat intelligence, and TAXII (Trusted Automated eXchange of Indicator Information) is the transport for exchanging it. Together they enable automated sharing. SOAP (C) is a generic web-service messaging protocol with no threat-intelligence semantics.

100
MCQ · hard

During a forensic investigation, an analyst needs to acquire memory from a Linux server. Which tool is specifically designed for this purpose?

A. dd
B. LiME
C. FTK Imager
D. WinPmem
Answer: B

LiME is the Linux memory acquisition tool.

Why this answer

LiME (Linux Memory Extractor) is a loadable kernel module that acquires volatile memory from a running Linux system, writing to a file or over TCP. FTK Imager (C) and WinPmem (D) are Windows tools. dd (A) is a general copying utility; reading /dev/mem with it is blocked on modern kernels built with strict device memory protection, so it is not a reliable acquisition method. The LiME module must be built for the exact running kernel, so prepare it in advance for the kernels in your estate.

101
MCQ · hard

During a post-incident activity, the CSIRT performs a root cause analysis for a data breach. They discover that the breach originated from a misconfigured S3 bucket that allowed public read access. Which of the following actions should be included in the lessons learned to prevent recurrence?

A. Rotate all access keys for the affected account
B. Disable public access to all S3 buckets permanently
C. Conduct a penetration test on the cloud environment
D. Implement automated compliance checks for cloud storage configurations
Answer: D

Automated checks catch the next misconfiguration instead of relying on someone noticing it.

Why this answer

The root cause is a configuration error that went undetected, so the preventive control is continuous, automated evaluation of storage configuration (for example AWS Config rules, or account-level S3 Block Public Access combined with alerts on any bucket policy or ACL that grants access to everyone). Rotating keys (A) responds to credential exposure, which is not the cause here. A blanket, permanent ban on public buckets (B) breaks legitimate public content and is a policy rather than a detection. A penetration test (C) is a point-in-time check and would not catch a bucket exposed the week after.
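The automated check in this answer as an added example, not AWS's or the page's code: it evaluates constructed bucket descriptions (policy, ACL and Public Access Block settings, in the shapes the S3 API returns) offline and reports the breach scenario as non-compliant. Bucket names, the account ID and the role are hypothetical; a production version would fetch these documents with the S3 API or run as a custom AWS Config rule.

```python
"""Compliance check for publicly readable S3 buckets, evaluated offline.

Added example for this page, not AWS or quiz-author code. The bucket documents are
constructed in the shapes returned by get-bucket-policy, get-bucket-acl and
get-public-access-block; names and identifiers are hypothetical."""
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:Get*", "s3:*", "*"}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """Policy fields may be a string or a list; normalize to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def principal_is_public(principal):
    """Principal forms that mean 'anyone': "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def policy_public_read(policy):
    """True if an unconditional Allow statement grants a read action to everyone."""
    for stmt in policy.get("Statement", []):
        if (stmt.get("Effect") == "Allow"
                and principal_is_public(stmt.get("Principal"))
                and not stmt.get("Condition")          # conditioned grants need manual review
                and READ_ACTIONS & set(_as_list(stmt.get("Action")))):
            return True
    return False


def acl_public_read(acl):
    """True if a legacy ACL grants READ or FULL_CONTROL to AllUsers/AuthenticatedUsers."""
    return any(g.get("Grantee", {}).get("Type") == "Group"
               and g["Grantee"].get("URI") in PUBLIC_ACL_GROUPS
               and g.get("Permission") in {"READ", "FULL_CONTROL"}
               for g in acl.get("Grants", []))


def evaluate(bucket):
    """Return a finding for one bucket. A fully enabled Public Access Block neutralizes a
    public policy or ACL, so such a bucket is compliant but its latent grant is still listed."""
    findings = []
    if policy_public_read(bucket.get("Policy", {})):
        findings.append("bucket policy grants public read")
    if acl_public_read(bucket.get("Acl", {})):
        findings.append("ACL grants public read")
    pab = bucket.get("PublicAccessBlock", {})
    blocked = all(pab.get(flag) is True for flag in PAB_FLAGS)
    status = "NON_COMPLIANT" if findings and not blocked else "COMPLIANT"
    if findings and not blocked:
        findings.append("Public Access Block not fully enabled")
    return {"bucket": bucket["Name"], "status": status, "findings": findings}


def public_read_policy(bucket_name):
    """A bucket policy granting everyone s3:GetObject, the exact mistake behind the breach."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket_name}/*"}]}


# Constructed bucket descriptions (hypothetical names; 123456789012 is the AWS docs account ID)
SAMPLE_BUCKETS = [
    {"Name": "corp-customer-exports", "Policy": public_read_policy("corp-customer-exports"),
     "Acl": {"Grants": []}, "PublicAccessBlock": {}},                 # the breach scenario
    {"Name": "corp-marketing-site", "Policy": public_read_policy("corp-marketing-site"),
     "Acl": {"Grants": []}, "PublicAccessBlock": dict.fromkeys(PAB_FLAGS, True)},  # PAB on
    {"Name": "corp-backups", "Policy": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-writer"},
        "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::corp-backups/*"}]},
     "Acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                         "Permission": "FULL_CONTROL"}]},
     "PublicAccessBlock": {}},
]


def run_checks(buckets=SAMPLE_BUCKETS):
    """Evaluate every bucket; in production this list comes from list-buckets."""
    return [evaluate(b) for b in buckets]
```

A statement with a Condition is deliberately not treated as public here because conditions such as aws:SourceIp or aws:PrincipalOrgID restrict the grant; the check reports only what it is sure of and leaves conditioned grants for review rather than guessing.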

102
MCQ · medium

An analyst is performing static analysis on a suspicious executable file. Which of the following would be MOST useful to identify potential malicious behavior without executing the file?

A. Running the file in a sandbox.
B. Monitoring network connections during execution.
C. Analyzing the import table.
D. Checking the file's digital signature.
Answer: C

The import table reveals API calls that point at specific behaviors.

Why this answer

Static analysis examines the file without executing it. The import table shows which Windows API functions the executable uses, which indicates capabilities such as network communication, process injection, file operations or registry modification. Sandboxing (A) and network monitoring (B) are dynamic analysis. A digital signature (D) says who signed the file, not what it does, and signed malware exists. Be aware that a packed sample typically imports little beyond LoadLibrary and GetProcAddress, so an almost empty import table is itself a finding and the analysis must be repeated after unpacking.
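The import-table walk and the entropy measurement from questions 85, 87, 92 and 102, carried through as one added example (not code from this page or from any tool it names): a minimal PE32 parser that reports each section's Shannon entropy, walks the import directory down to DLL and function names, and maps API combinations to capabilities. The PE it analyzes is constructed in the code, so the example runs offline but the file would not load as a real program; the capability mapping and the packer section-name list are this example's own heuristics. PE32+ (64-bit) files use 8-byte thunks and are not handled.

```python
"""Static PE triage: per-section entropy (packing) and import-table capabilities.

Added example for this page, not the quiz author's code. The PE is constructed in
code so the example runs offline; it parses correctly but is not loadable. PE32 only."""
import math
import random
import struct
from collections import Counter


def build_sample_pe():
    """Constructed PE32: random-filled 'UPX0' section plus an '.idata' import directory."""
    idata_rva, align = 0x2000, 0x200
    imports = {"KERNEL32.dll": ["VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"],
               "WS2_32.dll": ["connect", "send"]}
    desc = bytearray(20 * (len(imports) + 1))     # IMAGE_IMPORT_DESCRIPTOR array + null entry
    thunks, names = bytearray(), bytearray()
    thunk_base = idata_rva + len(desc)
    name_base = thunk_base + sum(4 * (len(f) + 1) for f in imports.values())
    for i, (dll, funcs) in enumerate(imports.items()):
        int_rva = thunk_base + len(thunks)
        for func in funcs:                          # one 32-bit thunk per hint/name entry
            thunks += struct.pack("<I", name_base + len(names))
            names += b"\0\0" + func.encode() + b"\0"   # 2-byte hint, NUL-terminated name
        thunks += b"\0\0\0\0"                       # null thunk ends this DLL's list
        dll_rva = name_base + len(names)
        names += dll.encode() + b"\0"
        struct.pack_into("<IIIII", desc, 20 * i, int_rva, 0, 0, dll_rva, int_rva)
    idata = bytes(desc + thunks + names).ljust(align, b"\0")
    rng = random.Random(7)
    packed = bytes(rng.getrandbits(8) for _ in range(0x1000))   # stands in for packed code
    dirs = [(0, 0)] * 16
    dirs[1] = (idata_rva, len(desc))                 # data directory entry 1 = import table
    opt = struct.pack("<H", 0x10B).ljust(96, b"\0") + b"".join(struct.pack("<II", *d) for d in dirs)
    nt = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102) + opt
    secs = [(b"UPX0", 0x1000, packed, align), (b".idata", idata_rva, idata, align + len(packed))]
    nt += b"".join(struct.pack("<8sIIII", n, len(body), va, len(body), raw) + b"\0" * 16
                   for n, va, body, raw in secs)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    return (dos + nt).ljust(align, b"\0") + packed + idata


def parse_pe(data):
    """Return (sections, imports) for a PE32 file by walking its import directory."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0" or struct.unpack_from("<H", data, pe + 24)[0] != 0x10B:
        raise ValueError("not a PE32 file")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    import_rva = struct.unpack_from("<I", data, pe + 24 + 96 + 8)[0]   # data directory entry 1
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, raw = struct.unpack_from("<8sIIII", data, pe + 24 + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "size": max(vsize, rsize), "raw": raw, "rsize": rsize})
    def rva_to_off(rva):                            # RVA -> file offset via the section table
        for s in sections:
            if s["va"] <= rva < s["va"] + s["size"]:
                return rva - s["va"] + s["raw"]
        raise ValueError(f"RVA {rva:#x} outside all sections")
    def cstr(off):
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")
    imports, d = {}, (rva_to_off(import_rva) if import_rva else 0)
    while import_rva:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, d)
        if name_rva == 0:
            break                                   # all-zero descriptor ends the table
        funcs, t = [], rva_to_off(oft or ft)        # prefer the INT, fall back to the IAT
        while (entry := struct.unpack_from("<I", data, t)[0]):
            funcs.append(f"ordinal#{entry & 0xFFFF}" if entry & 0x80000000
                         else cstr(rva_to_off(entry) + 2))       # +2 skips the hint word
            t += 4
        imports[cstr(rva_to_off(name_rva))] = funcs
        d += 20
    return sections, imports


def shannon_entropy(buf):
    """Bits per byte: uniformly random data approaches 8.0, ordinary code sits around 5-6.5."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0


PACKER_SECTIONS = {"UPX0", "UPX1", ".aspack", ".vmp0", ".themida"}   # example list, not exhaustive
CAPABILITIES = {   # example heuristic: (APIs, how many must be present)
    "process injection": ({"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}, all),
    "network": ({"connect", "send", "recv", "InternetOpenUrlA", "WinHttpOpenRequest"}, any),
}


def triage(data):
    """Sections with entropy, packing verdict, imports, and capabilities inferred from them."""
    sections, imports = parse_pe(data)
    present = {f for funcs in imports.values() for f in funcs}
    report = {"imports": imports, "sections": {}, "capabilities": [], "packed": False}
    for s in sections:
        ent = shannon_entropy(data[s["raw"]:s["raw"] + s["rsize"]])
        report["sections"][s["name"]] = round(ent, 2)
        if ent > 7.0 or s["name"] in PACKER_SECTIONS:
            report["packed"] = True             # confirm the packer with PEiD/DIE, then unpack
    for cap, (apis, mode) in CAPABILITIES.items():
        if mode(api in present for api in apis):
            report["capabilities"].append(cap)
    return report
```

On a real sample the two findings usually appear together in the opposite form: a packed file shows the high-entropy section but almost no imports, and the capability list only fills in after unpacking. The walk also handles ordinal imports (high bit set in the thunk), which malware uses to keep function names out of the import table.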

103
MCQ · hard

A forensic analyst is investigating a suspected data breach involving a compromised workstation. The analyst wants to collect volatile data in accordance with the order of volatility. Which sequence of data collection is correct?

A. Disk → RAM → Swap → CPU registers → Network connections → Archived media
B. RAM → CPU registers → Swap → Network connections → Disk → Archived media
C. Network connections → CPU registers → RAM → Swap → Disk → Archived media
D. CPU registers → RAM → Swap → Disk → Network connections → Archived media
Answer: D

Option D is the only sequence that begins with CPU registers and ends with archived media.

Why this answer

The order of volatility starts with the most volatile data (CPU registers and cache) and proceeds to the least volatile (archival media). Options A, B and C each put something less volatile ahead of the registers. Note that RFC 3227 places network state (routing table, ARP cache, process table, active connections) with memory, ahead of swap and disk; option D lists network connections late, so it is the best of the offered sequences rather than a model one. When collecting for real, capture network connections before imaging the disk.

104
MCQ · hard

During forensic analysis of a compromised server, an analyst needs to preserve evidence in order of volatility. Which of the following actions should the analyst perform FIRST?

A. Collect log files from the system
B. Create a forensic image of the hard drive
C. Run antivirus scan
D. Acquire a memory dump using WinPmem
Answer: D

Memory is highly volatile and should be captured first, before anything else is done to the running system.

Why this answer

According to the order of volatility, CPU registers and cache are the most volatile, but no acquisition tool captures them separately; a memory dump of the running system (here with WinPmem, so the server is assumed to be Windows) is the first feasible step. Log collection (A) and disk imaging (B) come later because those sources persist. Running an antivirus scan (C) alters the system state, writes to disk, and can delete the very artifacts under investigation.

105
MCQ · medium

An organization has experienced a data breach involving personally identifiable information (PII). The incident response team has contained the breach and eradicated the threat. During the post-incident activity phase, which activity is MOST critical to prevent future similar incidents?

A. Resetting all user passwords
B. Updating the firewall rules to block the attacker's IP
C. Conducting a root cause analysis
D. Restoring data from backups
Answer: C

Root cause analysis identifies why the breach occurred, which is what long-term improvements must be built on.

Why this answer

Conducting a root cause analysis identifies the underlying vulnerability or process failure that allowed the breach, so the organization can implement corrective measures that prevent recurrence. Password resets (A) and IP blocks (B) are containment actions that address only this attacker, and restoring data (D) is recovery.

106
MCQ · easy

An analyst receives a threat intelligence feed containing IOCs in STIX format. Which of the following BEST describes the purpose of STIX?

A. A protocol for real-time log collection
B. A framework for automating incident response
C. A standardized language for threat intelligence
D. A tool for malware analysis
Answer: C

STIX defines a common language for describing threats.

Why this answer

STIX (Structured Threat Information Expression) is a standardized, machine-readable language (JSON in STIX 2.x) for representing and sharing threat intelligence objects such as indicators, malware, threat actors, and the relationships between them.

107
MCQ · medium

After a DDoS attack, the CSIRT wants to share IOCs with other organizations. Which protocol is specifically designed for automated, real-time threat intelligence sharing?

C. TAXII
D. FTP
Answer: C

TAXII enables automated sharing of threat indicators between organizations.

Why this answer

TAXII (Trusted Automated eXchange of Indicator Information) is the protocol for exchanging threat intelligence; TAXII 2.x is a RESTful API over HTTPS with collections that clients poll or subscribe to. FTP (D) moves files but has no notion of intelligence content, collections or trust groups.
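What a STIX 2.1 payload for the indicators in questions 91, 95, 98, 99, 106 and 107 looks like, as an added example (not the quiz author's code and not the official stix2 library): standard-library Python that converts a list of IOCs into Indicator objects inside a Bundle, the document a TAXII 2.1 server hands out from a collection. The IOC values are constructed from documentation ranges and a reserved example domain; the campaign name is hypothetical and the hash is the SHA-256 of an empty file, used only as a placeholder.

```python
"""Build a STIX 2.1 bundle of Indicator objects from a list of IOCs.

Added example for this page using only the standard library, not the quiz author's
code nor the stix2 library. IOC values are constructed placeholders."""
import json
import re
import uuid
from datetime import datetime, timezone

# STIX pattern per IOC type (keys are this example's names; the observable types are STIX's)
PATTERNS = {
    "ipv4": "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "url": "[url:value = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
}
# Shape checks so a malformed feed entry cannot turn into a pattern that matches nothing
VALIDATORS = {
    "ipv4": re.compile(r"^(\d{1,3}\.){3}\d{1,3}$"),
    "domain": re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I),
    "url": re.compile(r"^https?://[^\s']+$"),
    "sha256": re.compile(r"^[0-9a-f]{64}$", re.I),
}
FIXED_NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)  # deterministic timestamps


def stix_timestamp(dt):
    """STIX timestamps are RFC 3339 UTC with millisecond precision and a trailing Z."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def make_indicator(ioc_type, value, name, now):
    """One STIX 2.1 Indicator with every required property (type, spec_version, id,
    created, modified, pattern, pattern_type, valid_from)."""
    if ioc_type not in PATTERNS:
        raise ValueError(f"unsupported IOC type {ioc_type!r}")
    if "'" in value or not VALIDATORS[ioc_type].match(value):
        raise ValueError(f"malformed {ioc_type}: {value!r}")
    ts = stix_timestamp(now)
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": PATTERNS[ioc_type].format(v=value),
        "pattern_type": "stix",
        "valid_from": ts,
    }


def make_bundle(iocs, campaign, now=None):
    """iocs: iterable of (type, value) pairs. Returns the Bundle as a plain dict."""
    now = now or datetime.now(timezone.utc)
    objects = [make_indicator(t, v, f"{campaign}: {t} {v}", now) for t, v in iocs]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def to_json(bundle):
    """Serialize for a TAXII POST to a collection's objects endpoint."""
    return json.dumps(bundle, indent=2)


# Constructed IOCs (RFC 5737 address, reserved .example domain, SHA-256 of an empty file)
SAMPLE_IOCS = [
    ("ipv4", "203.0.113.7"),
    ("domain", "login-portal.example"),
    ("url", "http://login-portal.example/verify"),
    ("sha256", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
]


def demo():
    """Bundle the sample IOCs with a fixed timestamp so the output is reproducible."""
    return make_bundle(SAMPLE_IOCS, "Campaign X (hypothetical)", now=FIXED_NOW)
```

The validators matter more than they look: a feed entry with a stray quote or a non-hex hash would otherwise be serialized into a syntactically valid STIX pattern that silently never matches, and the consumer on the other end of TAXII would have no way to tell.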

108
MCQ · hard

During a forensic investigation of a compromised Linux server, the analyst needs to acquire memory for analysis. The system is running and the analyst cannot power it off. Which tool is MOST appropriate for acquiring memory in this scenario?

A. LiME
B. FTK Imager
C. WinPmem
D. dd
Answer: A

LiME captures RAM from a live Linux system.

Why this answer

LiME (Linux Memory Extractor) is a loadable kernel module that acquires memory from a running Linux system without shutting it down; it is inserted with insmod and told where to write (a path on external media, or a TCP port for collection over the network) and in which format. FTK Imager (B) and WinPmem (C) are Windows tools, and dd (D) cannot read physical memory on modern kernels. Loading a module does alter the live system slightly, which is why the acquisition, the module's hash and the output digest are all recorded in the analyst's notes.
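Verifying what LiME produced, as an added example (not LiME's code and not from this page): a parser for LiME's `lime` output format that walks the per-range headers, checks they are well-formed and in order, and compares the file's SHA-256 with the digest sidecar. The dump is constructed in code. Assumptions: the 32-byte header layout (magic, version, start, end, reserved) follows LiME's `lime_mem_range_header`; the sidecar is assumed to be named `<path>.sha256` and to contain the hex digest of the dump file as written, which is what `sha256sum` on the file also computes.

```python
"""Validate a LiME 'lime'-format memory dump and its digest sidecar, offline.

Added example for this page, not LiME's own code. The dump is constructed here;
the 32-byte range header (magic, version, start, end, reserved) follows LiME's
lime_mem_range_header. Assumption: the sidecar <path>.sha256 holds the hex digest
of the dump file exactly as written (the same value `sha256sum dump.lime` gives)."""
import hashlib
import os
import struct
import tempfile

LIME_MAGIC = 0x4C694D45               # reads as "EMiL" in a hex dump (little-endian)
HEADER = struct.Struct("<IIQQ8s")     # magic, version, s_addr, e_addr, reserved


def build_sample_dump(ranges):
    """Constructed dump from (start, end, payload) triples; end is inclusive, as in LiME."""
    out = bytearray()
    for start, end, payload in ranges:
        if len(payload) != end - start + 1:
            raise ValueError("payload must cover the address range exactly")
        out += HEADER.pack(LIME_MAGIC, 1, start, end, b"\0" * 8) + payload
    return bytes(out)


def walk_ranges(data):
    """Yield (start, end, payload_offset) per range, rejecting malformed or truncated dumps."""
    off, prev_end = 0, -1
    while off < len(data):
        if off + HEADER.size > len(data):
            raise ValueError(f"truncated header at offset {off:#x}")
        magic, version, s_addr, e_addr, _ = HEADER.unpack_from(data, off)
        if magic != LIME_MAGIC or version != 1:
            raise ValueError(f"bad range header at offset {off:#x}")
        if s_addr > e_addr or s_addr <= prev_end:
            raise ValueError(f"range {s_addr:#x}-{e_addr:#x} overlaps or is out of order")
        length = e_addr - s_addr + 1
        if off + HEADER.size + length > len(data):
            raise ValueError(f"range {s_addr:#x} runs past end of file: truncated dump")
        yield s_addr, e_addr, off + HEADER.size
        prev_end, off = e_addr, off + HEADER.size + length


def sha256_file(path, chunk=1 << 20):
    """Stream the dump through SHA-256; real dumps are RAM-sized, so never read them whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_dump(dump_path, digest_path):
    """Report the ranges, bytes captured, and whether the sidecar digest matches.
    A mismatch means the image was altered after acquisition and is not trustworthy."""
    with open(dump_path, "rb") as f:
        data = f.read()                  # acceptable for the sample; mmap a real dump
    ranges = [(s, e) for s, e, _ in walk_ranges(data)]
    with open(digest_path) as f:
        expected = f.read().split()[0].lower()
    actual = sha256_file(dump_path)
    return {"ranges": ranges,
            "captured_bytes": sum(e - s + 1 for s, e in ranges),
            "digest_ok": actual == expected,
            "sha256": actual}


def demo(tamper=False):
    """Write a constructed dump plus sidecar, optionally flip one byte, then verify."""
    ranges = [(0x1000, 0x1FFF, bytes(range(256)) * 16),     # 4 KiB "low memory"
              (0x100000, 0x101FFF, b"\x90" * 0x2000)]        # 8 KiB after a hole (MMIO gap)
    dump = build_sample_dump(ranges)
    workdir = tempfile.mkdtemp()
    dump_path = os.path.join(workdir, "ram.lime")
    with open(dump_path, "wb") as f:
        f.write(dump)
    with open(dump_path + ".sha256", "w") as f:              # stands in for LiME's digest output
        f.write(hashlib.sha256(dump).hexdigest() + "\n")
    if tamper:
        with open(dump_path, "r+b") as f:
            f.seek(HEADER.size + 5)                           # a payload byte of the first range
            f.write(b"\xff")
    return verify_dump(dump_path, dump_path + ".sha256")
```

The range walk is what distinguishes a complete dump from one that was cut short by a full disk or a dropped TCP connection: a truncated file still hashes consistently with whatever sidecar was written afterwards, but its last range header promises more bytes than the file holds, and the parser reports that rather than the analyst discovering it when Volatility fails hours later.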

109
MCQ · easy

Which of the following is the correct order of volatility for digital evidence?

A. Swap, RAM, CPU registers, disk, logs
B. Disk, RAM, swap, CPU registers, logs
C. RAM, CPU registers, swap, disk, logs
D. CPU registers, RAM, swap, disk, logs
Answer: D

Option D lists the sources in descending order of volatility.

Why this answer

The order of volatility runs: CPU registers and cache (most volatile), then RAM, then swap or page file, then disk, then logs held on remote systems, then archival media (least volatile).
