CCNA Incident Response And Management Questions

75 of 101 questions · Page 1/2 · Incident Response And Management topic · Answers revealed

1
Multi-Select · medium

A security analyst is reviewing lessons learned after a data breach. Which three of the following are key objectives of a post-incident activity phase? (Choose three.)

Select 3 answers
A.Conduct a root cause analysis to identify the underlying vulnerabilities.
B.Update incident response playbooks based on findings.
C.Discipline the employees responsible for the breach.
D.Provide recommendations for security control improvements.
E.Delete all logs to prevent future misuse of data.
F.Restore affected systems to their pre-incident state immediately.
Answers A, B, D

Why this answer

Conducting a root cause analysis is a key objective of the post-incident activity phase because it identifies the underlying vulnerabilities and weaknesses that allowed the breach to occur. Updating playbooks and recommending control improvements are how those findings become corrective action, which is the core goal of lessons learned; without them the organization cannot harden its defenses against similar attacks. Disciplining staff is an HR matter rather than an incident response objective, deleting logs destroys the evidence the review depends on, and immediate restoration belongs to the recovery phase.

Exam trap

CompTIA often tests the distinction between the recovery phase (restoring systems) and the post-incident phase (analysis and improvement), leading candidates to mistakenly select 'Restore affected systems' as a post-incident objective.

2
Multi-Select · medium

Which actions are appropriate before restoring systems after malware eradication? (Choose two.)

Select 2 answers
A.Disable all monitoring during restoration
B.Reuse known-compromised credentials
C.Validate backups are clean and restorable
D.Verify persistence mechanisms are removed
Answers C, D

Recovery depends on trustworthy backups.

Why this answer

Option C is correct because restoring from backups that are themselves infected or corrupted would reintroduce the malware or cause system instability. Before restoration, backups must be validated as clean (e.g., scanned with updated antivirus or checked against known file hashes) and restorable (e.g., tested via a restore dry-run or checksum verification). Option D is equally required because restoring a system while a scheduled task, service, run key, rogue account, or implant survives hands the attacker a fresh foothold the moment it comes back online; eradication has to be verified before recovery begins. Together these ensure the recovery process does not perpetuate the incident.

Exam trap

Cisco often tests the misconception that restoring from backups is a straightforward 'plug-and-play' step, but the trap here is that candidates forget to validate backup integrity and to eliminate persistence mechanisms, leading to re-infection or incomplete recovery.

3
Multi-Select · easy

Which THREE of the following are common containment techniques used during incident response?

Select 3 answers
A.Disconnect the network cable
B.Shut down the system
C.Reimage the system
D.Block IP addresses at the firewall
E.Change passwords for compromised accounts
Answers A, D, E

Immediate isolation of a host.

Why this answer

Disconnecting the network cable is a common containment technique because it immediately isolates the affected system from the network, preventing the spread of malware or unauthorized access. This physical disconnection ensures that no further network-based communication can occur, which is critical for containing incidents like ransomware or data exfiltration. It is a rapid, low-level action that does not rely on software or OS controls, making it effective even if the system is compromised.

Exam trap

CompTIA often tests the distinction between containment, eradication, and recovery phases, so the trap here is treating shutting down (which loses volatile evidence such as running processes and memory contents) or reimaging (which is eradication and recovery, not containment) as containment techniques; true containment isolates the threat without destroying evidence.

4
MCQ · medium

During incident response, the team identifies that an attacker used a compromised third-party vendor account to access the network. Which of the following should the team do first?

A.Change all system passwords
B.Revoke the vendor's access
C.Conduct forensic analysis on the vendor's account
D.Notify law enforcement
Answer B

Stops the attacker from using the compromised account.

Why this answer

The immediate priority is to contain the breach by revoking the compromised third-party vendor's access. This stops the attacker from using the valid session or credentials to move laterally or exfiltrate data. Changing all system passwords (A) is too broad and time-consuming, while forensic analysis (C) and law enforcement notification (D) are secondary steps that occur after containment.

Exam trap

CompTIA often tests the 'containment before eradication' principle, and the trap here is that candidates choose forensic analysis (C) first, mistakenly thinking evidence preservation is more urgent than stopping the active attack.

How to eliminate wrong answers

Option A is wrong because changing all system passwords is a broad, time-consuming action that does not immediately stop the attacker's active session; the attacker may still have tokens or session cookies that bypass password changes. Option C is wrong because conducting forensic analysis on the vendor's account before revoking access allows the attacker to continue their malicious activities, violating the containment-first principle of incident response. Option D is wrong because notifying law enforcement is a post-containment step; the team must first stop the active threat before involving external parties.

5
Multi-Select · medium

An organization has detected a ransomware outbreak that has encrypted critical file servers. The incident response team has activated the plan. Which three of the following actions should be taken during the containment and eradication phases? (Choose three.)

Select 3 answers
A.Isolate affected systems from the network immediately.
B.Power down all systems to prevent further encryption.
C.Identify the initial infection vector through log analysis.
D.Restore encrypted data from verified, offline backups.
E.Notify law enforcement before any containment actions.
F.Disable the antivirus software to reduce system load.
Answers A, C, D

Why this answer

Isolating affected systems from the network immediately is correct because it stops the ransomware from spreading laterally to other hosts via SMB, RDP, or other network protocols. This containment step is critical to limit the scope of the outbreak and protect unencrypted assets. Identifying the initial infection vector through log analysis is the eradication work that closes the door the attacker came through; without it the same entry point remains open after restoration. Restoring from verified, offline backups is the route back to service, since backups that stayed online and writable during the outbreak may themselves have been encrypted or deleted.

Exam trap

CompTIA often tests the distinction between containment (immediate isolation) and eradication (removal of the malware and its entry point), and the trap here is that candidates treat 'powering down' as a valid containment step; it destroys volatile evidence such as in-memory encryption keys and active connections, whereas network isolation halts the spread while keeping the host available for analysis.

6
Multi-Select · medium

During a security incident, a digital forensics investigator must preserve evidence according to best practices. Which three of the following actions align with proper forensic procedures? (Choose three.)

Select 3 answers
A.Calculate and document cryptographic hashes of acquired images.
B.Boot the suspect system to check for running processes.
C.Maintain a documented chain of custody for all evidence.
D.Use a write blocker when creating disk images.
E.Store original evidence on the same network as the investigation.
F.Reinstall the operating system before imaging to ensure stability.
Answers A, C, D

Why this answer

Calculating and documenting cryptographic hashes (e.g., SHA-256) of acquired images ensures data integrity by providing a verifiable fingerprint that can prove the image has not been altered since acquisition. Maintaining a documented chain of custody tracks every person who handled the evidence, preserving its admissibility in legal proceedings. Using a write blocker when creating disk images prevents any accidental writes to the original media, which is critical to avoid altering the evidence.

Exam trap

CompTIA often tests the misconception that booting the suspect system to check processes is acceptable. Booting a seized disk from its own operating system alters timestamps, logs, and other artifacts on the original media; if live data such as running processes is needed, it is acquired from the still-running system before it is powered down, and disk imaging is done through a write blocker, never by booting the evidence.
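The three correct actions above (hash the image, keep a chain of custody, never write to the original) can be exercised in a few lines. The script below is an added example, not part of the original question set or of any forensic tool; it builds a constructed stand-in for a disk image in a temporary file, records the acquisition hash and each hand-off in a custody log, and re-hashes the image on demand so that a single altered byte is reported. The item identifier, person names, and note text are placeholders.

```python
"""Evidence image hashing plus an append-only chain-of-custody log (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so a large image never has to fit in RAM


def sha256_file(path):
    """Return the hex SHA-256 of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


class CustodyLog:
    """Append-only custody record for one evidence item (placeholder identifiers)."""

    def __init__(self, item_id, image_path, acquired_by):
        self.entries = []
        self.item_id = item_id
        self.image_path = image_path
        self.acquisition_hash = sha256_file(image_path)  # the reference fingerprint
        self._add("acquired", acquired_by, note="imaged through write blocker")

    def _add(self, action, person, note=""):
        self.entries.append({
            "item": self.item_id,
            "action": action,
            "by": person,
            "at": datetime.now(timezone.utc).isoformat(),
            "sha256": self.acquisition_hash,
            "note": note,
        })

    def transfer(self, from_person, to_person):
        """Record a hand-off; both parties are named so the chain has no gaps."""
        self._add("transfer", to_person, note=f"from {from_person}")

    def verify(self, person):
        """Re-hash the image and record whether it still matches the acquisition hash."""
        ok = sha256_file(self.image_path) == self.acquisition_hash
        self._add("verified" if ok else "INTEGRITY FAILURE", person)
        return ok

    def to_json(self):
        return json.dumps(self.entries, indent=2)


def demo(tamper=False):
    """Build a constructed 'image', log custody, optionally alter one byte, then verify."""
    fd, path = tempfile.mkstemp(suffix=".dd")
    with os.fdopen(fd, "wb") as f:  # constructed content, not a real disk image
        f.write(b"\x00" * 4096 + b"CONSTRUCTED-EVIDENCE-IMAGE" + b"\xff" * 4096)
    try:
        log = CustodyLog("EV-0001", path, acquired_by="analyst.a")
        log.transfer("analyst.a", "evidence.custodian")
        if tamper:
            with open(path, "r+b") as f:
                f.seek(4096)
                f.write(b"X")  # a single changed byte must break verification
        return log.verify("evidence.custodian"), log.entries
    finally:
        os.unlink(path)


if __name__ == "__main__":
    ok, entries = demo()
    print("clean image verifies:", ok)
    print(json.dumps(entries, indent=2))
    print("tampered image verifies:", demo(tamper=True)[0])
```

Every entry carries the acquisition hash, so anyone reading the log later can re-run sha256_file against the image and check it against the value recorded at acquisition rather than trusting the last person's word.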

7
MCQ · medium

A SOC analyst receives a file from an unknown source via email. The analyst wants to analyze the file without executing it to determine its functionality. Which type of analysis should be performed?

A.Behavioral analysis.
B.Memory analysis.
C.Dynamic analysis.
D.Static analysis.
Answer D

Static analysis reviews code, headers, and strings without execution.

Why this answer

Static analysis involves examining a file's code, structure, and metadata without executing it, making it the correct choice for determining functionality while avoiding execution risks. Techniques include inspecting strings, headers, and disassembled code to identify malicious indicators like embedded URLs or API calls.

Exam trap

CompTIA often tests the distinction between static and dynamic analysis by emphasizing the 'without executing' condition, leading candidates to confuse behavioral or dynamic analysis as valid options despite the explicit constraint.

How to eliminate wrong answers

Option A is wrong because behavioral analysis requires executing the file in a controlled environment to observe its actions, which contradicts the requirement to analyze without execution. Option B is wrong because memory analysis examines volatile memory (RAM) from a running system, not a file in isolation, and typically requires execution to capture artifacts. Option C is wrong because dynamic analysis involves running the file in a sandbox or debugger to observe runtime behavior, which directly violates the 'without executing it' constraint.

8
MCQ · easy

Refer to the exhibit. An analyst reviews file access logs and notices the entries above. Which is the MOST likely conclusion?

A.The file server is misconfigured.
B.It is a false positive due to time zone differences.
C.The user jsmith is performing authorized research.
D.The user jsmith's credentials may have been compromised.
Answer D

Repeated failures followed by a success from an unusual source indicate possible credential misuse.

Why this answer

The exhibit shows file access logs with multiple failed attempts followed by a successful access from an unusual IP address (10.10.10.10) for user jsmith, which is outside the normal corporate subnet. This pattern of brute-force or password-spraying attempts culminating in a successful login from an anomalous location strongly indicates credential compromise, not authorized activity.

Exam trap

CompTIA often tests the distinction between a simple misconfiguration (which would show consistent failures or permission errors) and a security incident (which shows a pattern of failed attempts followed by success from an anomalous source).

How to eliminate wrong answers

Option A is wrong because a misconfigured file server would typically show consistent access failures or permission errors across multiple users, not a pattern of failed logins followed by a single successful login from an unusual IP. Option B is wrong because time zone differences would cause timestamps to appear shifted but would not explain the sequence of multiple failed attempts from a different IP range, nor the successful access from 10.10.10.10. Option C is wrong because authorized research would not involve repeated failed login attempts; legitimate users would either have proper access or request it, not brute-force their way in.
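The pattern the explanation describes (a burst of failures followed by a success from a source the user has never logged in from, at an odd hour) is straightforward to express as a detection. The following is an added example rather than the exhibit's own data or any product's rule: the log lines are constructed, the username jsmith and the address 10.10.10.10 are borrowed from the question, the failure threshold, the time window and the business-hours range are assumptions, and timestamps are treated as UTC.

```python
"""Failed-then-success login detection over constructed log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, user, source IP, result. Not from any real system.
SAMPLE_LOG = """\
2024-03-04T09:02:11Z jsmith 10.1.20.15 SUCCESS
2024-03-04T14:30:45Z jsmith 10.1.20.15 SUCCESS
2024-03-05T02:13:07Z jsmith 10.10.10.10 FAILURE
2024-03-05T02:13:09Z jsmith 10.10.10.10 FAILURE
2024-03-05T02:13:12Z jsmith 10.10.10.10 FAILURE
2024-03-05T02:13:15Z jsmith 10.10.10.10 FAILURE
2024-03-05T02:13:21Z jsmith 10.10.10.10 SUCCESS
2024-03-05T08:55:00Z mjones 10.1.20.33 FAILURE
2024-03-05T08:55:20Z mjones 10.1.20.33 SUCCESS
"""

FAIL_THRESHOLD = 3             # assumed: failures needed before a success is suspicious
WINDOW = timedelta(minutes=10)  # assumed: failures older than this are forgotten
BUSINESS_HOURS = range(7, 20)   # assumed: local time equals UTC for the constructed data


def parse(line):
    ts, user, ip, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result


def detect(log_text):
    """Return one finding per success that was preceded by a burst of failures."""
    known_ips = defaultdict(set)       # IPs seen in earlier successful logins per user
    recent_failures = defaultdict(list)
    findings = []
    for line in log_text.strip().splitlines():
        ts, user, ip, result = parse(line)
        if result == "FAILURE":
            # keep only failures still inside the window, then record this one
            recent_failures[user] = [t for t in recent_failures[user] if ts - t <= WINDOW]
            recent_failures[user].append(ts)
            continue
        burst = [t for t in recent_failures[user] if ts - t <= WINDOW]
        if len(burst) >= FAIL_THRESHOLD:
            findings.append({
                "user": user,
                "src_ip": ip,
                "failures_before_success": len(burst),
                "new_ip": ip not in known_ips[user],     # never succeeded from here before
                "off_hours": ts.hour not in BUSINESS_HOURS,
                "at": ts.isoformat(),
            })
        known_ips[user].add(ip)
        recent_failures[user].clear()
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The single mjones failure never reaches the threshold, so only the jsmith sequence is reported, and the finding carries the two context flags (new source, off hours) that separate a compromised credential from a user who mistyped a password.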

9
MCQ · easy

A company has been notified by a partner that sensitive data from their shared database was leaked. The CSIRT has been activated. Who should be notified FIRST according to the incident response plan?

A.The legal department.
B.The incident response team.
C.The affected partner.
D.The CEO.
Answer B

The IR team is the first point of contact to begin the response process.

Why this answer

According to standard incident response frameworks (NIST SP 800-61, SANS PICERL), the incident response team (CSIRT) must be notified first because they are the trained responders who will contain, analyze, and coordinate the response. In this scenario, the CSIRT has already been activated, but the question asks who should be notified first per the plan—the IR team is the initial point of contact to ensure proper triage and evidence preservation before any external communication occurs.

Exam trap

CompTIA often tests the misconception that external stakeholders (partners, legal, or executives) should be notified immediately, when in fact the IR team must be the first notified to maintain chain of custody and prevent evidence spoliation.

How to eliminate wrong answers

Option A is wrong because the legal department is notified after the IR team has confirmed the incident and gathered initial evidence, not first—premature legal involvement can disrupt technical containment. Option C is wrong because notifying the affected partner first violates confidentiality and could compromise forensic analysis; the IR team must first validate the scope and impact. Option D is wrong because the CEO is a strategic stakeholder notified after technical assessment and legal counsel, not first—operational details must be established before executive escalation.

10
MCQ · medium

A web server contains a new file that executes commands through a query parameter. What evidence best confirms web-shell activity?

A.Only printer logs
B.Only the CEO's mailbox audit events
C.Web access logs, file timestamps, process execution, and outbound connections from the web service account
D.Only SSL certificate metadata
Answer C

A web shell leaves evidence across file, web, process, and network telemetry; a recovery decision is defensible only when those sources agree.

Why this answer

Option C is correct because web-shell activity is confirmed by correlating multiple evidence sources: web access logs show the initial exploit request with a query parameter (e.g., ?cmd=whoami), file timestamps reveal the creation of the malicious file, process execution logs (e.g., Sysmon Event ID 1) show cmd.exe or PowerShell spawned by the web service account, and outbound connections from that account indicate command-and-control (C2) traffic. This multi-source correlation is essential to distinguish a web shell from legitimate administrative activity.

Exam trap

Cisco often tests the misconception that a single log source (like web access logs alone) is sufficient to confirm web-shell activity, but the trap here is that only correlating multiple evidence types (web logs, file timestamps, process execution, and outbound connections) provides defensible proof for recovery decisions.

How to eliminate wrong answers

Option A is wrong because printer logs are irrelevant to web-shell activity; they record print jobs and device status, not HTTP requests, file creation, or process execution. Option B is wrong because the CEO's mailbox audit events only track email access or sending, which does not capture web server query parameters, file timestamps, or process execution; a web shell operates on the server, not via email. Option D is wrong because SSL certificate metadata (issuer, subject, validity period) describes the server's TLS identity, not the requests it received, the files written to its document root, or the processes its service account spawned.
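The correlation in option C is easier to see as code. The script below is an added example, not from the page or from any SIEM: all four telemetry sources are constructed inline (an Apache-style access log, file-creation events, Sysmon-like process events, and an outbound-connection record), the web service account www-data, the paths and the IP addresses are placeholders, and the list of command-style parameter names and the five-minute correlation window are assumptions. It flags requests carrying a command parameter and attaches the file, process and network evidence that corroborates each one.

```python
"""Correlating web-shell evidence across four telemetry sources (added example)."""
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Everything below is constructed for the example; names, paths and IPs are placeholders.
WEB_SERVICE_ACCOUNT = "www-data"
ACCESS_LOG = [  # (timestamp, client_ip, method, request_target, status)
    ("2024-05-01T10:01:02", "203.0.113.7", "GET", "/uploads/img.php?cmd=whoami", 200),
    ("2024-05-01T10:01:20", "203.0.113.7", "GET", "/uploads/img.php?cmd=id", 200),
    ("2024-05-01T10:02:00", "198.51.100.4", "GET", "/index.php?page=about", 200),
]
FILE_EVENTS = [  # (timestamp, path, owner): file-creation telemetry
    ("2024-05-01T09:59:40", "/var/www/html/uploads/img.php", "www-data"),
    ("2024-04-02T08:00:00", "/var/www/html/index.php", "root"),
]
PROCESS_EVENTS = [  # (timestamp, parent_image, image, command_line, user): Sysmon-style
    ("2024-05-01T10:01:02", "/usr/sbin/apache2", "/bin/sh", "sh -c whoami", "www-data"),
    ("2024-05-01T10:01:20", "/usr/sbin/apache2", "/bin/sh", "sh -c id", "www-data"),
    ("2024-05-01T10:30:00", "/usr/bin/cron", "/usr/bin/logrotate", "logrotate /etc/logrotate.conf", "root"),
]
NETWORK_EVENTS = [  # (timestamp, user, dest_ip, dest_port): outbound connections
    ("2024-05-01T10:01:25", "www-data", "203.0.113.7", 4444),
]

SHELL_PARAMS = {"cmd", "exec", "command", "c"}   # assumed parameter names to hunt for
SHELL_IMAGES = ("sh", "bash", "cmd.exe", "powershell.exe")
CORRELATION_WINDOW = timedelta(minutes=5)        # assumed


def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def suspicious_requests():
    """Successful requests whose query string carries a command-style parameter."""
    hits = []
    for when, ip, _method, target, status in ACCESS_LOG:
        parts = urlsplit(target)
        params = parse_qs(parts.query)
        if status == 200 and SHELL_PARAMS & set(params):
            hits.append({"at": ts(when), "ip": ip, "path": parts.path, "params": params})
    return hits


def correlate():
    """Tie each suspicious request to file, process and network evidence near it in time."""
    findings = []
    for req in suspicious_requests():
        basename = req["path"].rsplit("/", 1)[-1]
        file_hits = [f for f in FILE_EVENTS
                     if f[1].endswith("/" + basename) and ts(f[0]) <= req["at"]]
        proc_hits = [p for p in PROCESS_EVENTS
                     if p[4] == WEB_SERVICE_ACCOUNT and p[2].endswith(SHELL_IMAGES)
                     and abs(ts(p[0]) - req["at"]) <= CORRELATION_WINDOW]
        net_hits = [n for n in NETWORK_EVENTS
                    if n[1] == WEB_SERVICE_ACCOUNT
                    and abs(ts(n[0]) - req["at"]) <= CORRELATION_WINDOW]
        findings.append({
            "request": req["path"],
            "params": sorted(req["params"]),
            "client_ip": req["ip"],
            "file_created": [f[1] for f in file_hits],
            "processes": [p[3] for p in proc_hits],
            "outbound": [f"{n[2]}:{n[3]}" for n in net_hits],
            # 4 = web log + file + process + network all agree
            "corroborating_sources": 1 + sum(bool(x) for x in (file_hits, proc_hits, net_hits)),
        })
    return findings


if __name__ == "__main__":
    for finding in correlate():
        print(finding)
```

A request with cmd= in it is only a lead; the score of 4 is what makes the call defensible, because the file appeared shortly before the first request, a shell was spawned under the web service account at the same second, and that account then opened a connection back to the requesting host.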

11
MCQ · hard

After a high-priority SOC escalation, an incident was contained successfully, but delayed escalation allowed the attacker more dwell time. What should the post-incident review produce?

A.A generic statement that security is important
B.Deletion of all incident tickets
C.A blame list of individual analysts
D.Specific playbook updates, escalation triggers, owners, and due dates
Answer D

Lessons learned should translate findings into trackable process improvements.

Why this answer

Option D is correct because a post-incident review (PIR) should produce actionable improvements, not generic statements or blame. Specific playbook updates, escalation triggers, owners, and due dates directly address the delayed escalation by refining incident response procedures, ensuring future incidents are escalated faster and with clear accountability. This aligns with NIST SP 800-61 Rev. 2 guidance on lessons learned and process improvement.

Exam trap

CompTIA often tests the concept that post-incident reviews must produce concrete, process-improvement artifacts (like updated playbooks) rather than punitive or vague outputs, and candidates mistakenly choose blame or deletion due to a misunderstanding of incident response maturity.

How to eliminate wrong answers

Option A is wrong because a generic statement that security is important provides no measurable, actionable steps to fix the escalation delay or improve the incident response process. Option B is wrong because deletion of all incident tickets destroys forensic evidence, audit trails, and compliance records required for post-incident analysis and potential legal proceedings. Option C is wrong because a blame list of individual analysts fosters a toxic culture, discourages reporting, and violates the principle of a blameless post-mortem focused on process flaws, not individual errors.

12
MCQ · medium

After a high-priority SOC escalation, a company wants to test whether legal, PR, IT, and executives understand their roles during a ransomware incident without touching production systems. What exercise is best?

A.Tabletop exercise using a realistic ransomware scenario
B.Purchasing a new SIEM without testing procedures
C.Annual password reset only
D.Full destructive malware detonation in production
Answer A

Tabletops validate decision paths and communication without operational disruption.

Why this answer

A tabletop exercise is the correct choice because it allows the company to validate the incident response plan, communication workflows, and role-specific responsibilities for legal, PR, IT, and executives during a ransomware scenario without any risk to production systems. This aligns with NIST SP 800-61r2 guidance on using discussion-based exercises to test decision-making and coordination under a simulated crisis, avoiding the operational impact of live malware or system changes.

Exam trap

CompTIA often tests the distinction between 'testing understanding' (tabletop) and 'testing technical controls' (simulation or live fire), so the trap here is that candidates may choose a technical solution like a SIEM purchase or password reset, thinking it improves security posture, when the question explicitly asks about testing role understanding without production impact.

How to eliminate wrong answers

Option B is wrong because purchasing a new SIEM without testing procedures does not test role understanding or incident response processes; it introduces a new tool without validating workflows, which can lead to misconfigured alerts and missed detections. Option C is wrong because an annual password reset only addresses credential hygiene and does not test the multi-team coordination, legal obligations, or PR communication required during a ransomware incident. Option D is wrong because full destructive malware detonation in production would cause actual data loss, system downtime, and potential regulatory violations, directly contradicting the requirement to avoid touching production systems.

13
Multi-Select · hard

An attacker used a stolen cloud token. Which evidence helps determine blast radius? (Choose two.)

Select 2 answers
A.The user's monitor brightness
B.Permissions assigned to the principal during the compromise window
C.Audit events performed by the token or principal
D.The logo on the cloud provider website
Answers B, C

Permissions bound the maximum possible access.

Why this answer

Option B is correct because the permissions assigned to the principal (e.g., an IAM role or user) during the compromise window directly define what actions the attacker could perform with the stolen token. Cloud providers like AWS evaluate permissions at the time of the API call, so the blast radius is limited to the resources and actions allowed by the policies attached at that moment. Option C is correct because the audit trail (CloudTrail in AWS, for example) records what the token actually did: which API calls were made, against which resources, from which source addresses, and which were denied. Permissions give the upper bound of what was possible, the audit events show what was exercised, and the gap between them is what lets the team say with confidence that nothing else happened.

Exam trap

Cisco often tests the misconception that physical or environmental factors (like monitor brightness) are relevant to cloud security incidents, leading candidates to select irrelevant options when they should focus on authorization and logging mechanisms.
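The two correct answers combine naturally: the policy bounds what the stolen token could have done and the audit log shows what it did. The script below is an added example, not from the page or from any cloud provider's tooling; the CloudTrail-style records are constructed and trimmed to the fields used here (a simplified principal field stands in for userIdentity), the permission summary for the principal ci-deploy is an assumption, and the compromise window is supplied by the caller.

```python
"""Blast-radius triage for a stolen cloud token: policy bound versus observed use (added example)."""
from datetime import datetime
from pprint import pprint

# Constructed CloudTrail-style records, trimmed to the fields used here. Not real telemetry.
AUDIT_EVENTS = [
    {"eventTime": "2024-06-10T11:58:00Z", "principal": "ci-deploy", "eventName": "ListBuckets",
     "sourceIPAddress": "10.0.3.14", "resource": "*", "errorCode": None},
    {"eventTime": "2024-06-10T12:05:10Z", "principal": "ci-deploy", "eventName": "GetObject",
     "sourceIPAddress": "198.51.100.23", "resource": "arn:aws:s3:::payroll-exports/2024-q2.csv",
     "errorCode": None},
    {"eventTime": "2024-06-10T12:06:40Z", "principal": "ci-deploy", "eventName": "PutUserPolicy",
     "sourceIPAddress": "198.51.100.23", "resource": "arn:aws:iam::123456789012:user/ci-deploy",
     "errorCode": "AccessDenied"},
    {"eventTime": "2024-06-10T12:07:05Z", "principal": "ci-deploy", "eventName": "GetObject",
     "sourceIPAddress": "198.51.100.23", "resource": "arn:aws:s3:::payroll-exports/2024-q1.csv",
     "errorCode": None},
    {"eventTime": "2024-06-10T12:09:00Z", "principal": "web-app", "eventName": "GetObject",
     "sourceIPAddress": "10.0.5.9", "resource": "arn:aws:s3:::static-assets/logo.png",
     "errorCode": None},
]

# Assumed effective permissions of the principal during the window (action -> resource patterns).
PERMISSIONS = {
    "ci-deploy": {
        "s3:GetObject": ["arn:aws:s3:::payroll-exports/*", "arn:aws:s3:::build-artifacts/*"],
        "s3:ListBuckets": ["*"],
        "s3:PutObject": ["arn:aws:s3:::build-artifacts/*"],
    },
}
SERVICE_OF = {"GetObject": "s3", "PutObject": "s3", "ListBuckets": "s3", "PutUserPolicy": "iam"}


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def blast_radius(principal, start, end):
    """What the token could do (policy) versus what it was seen doing (audit events)."""
    start_dt, end_dt = parse_time(start), parse_time(end)
    events = [e for e in AUDIT_EVENTS
              if e["principal"] == principal and start_dt <= parse_time(e["eventTime"]) <= end_dt]
    observed = {}
    for e in events:
        action = f'{SERVICE_OF[e["eventName"]]}:{e["eventName"]}'
        rec = observed.setdefault(action, {"succeeded": [], "denied": [], "source_ips": set()})
        rec["denied" if e["errorCode"] else "succeeded"].append(e["resource"])
        rec["source_ips"].add(e["sourceIPAddress"])
    allowed = PERMISSIONS.get(principal, {})
    return {
        "principal": principal,
        "max_possible": allowed,                      # upper bound set by policy at call time
        "observed": observed,                         # what the audit trail actually shows
        "unused_but_exposed": sorted(set(allowed) - set(observed)),
        "attempted_beyond_policy": sorted(a for a in observed if a not in allowed),
        "source_ips": sorted({ip for v in observed.values() for ip in v["source_ips"]}),
    }


if __name__ == "__main__":
    pprint(blast_radius("ci-deploy", "2024-06-10T12:00:00Z", "2024-06-10T12:10:00Z"))
```

The denied PutUserPolicy call is the most telling line in the output: it shows the attacker probing for privilege escalation that the policy did not permit, while the two payroll reads are the confirmed data exposure that has to be reported.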

14
Multi-Select · medium

A phishing incident led to credential theft. Which containment actions are appropriate? (Choose two.)

Select 2 answers
A.Reset affected credentials and revoke active sessions
B.Delete all user mailboxes
C.Disable DNS for the entire company indefinitely
D.Search for mailbox rules or OAuth grants created after compromise
Answers A, D

This cuts off stolen-session and password access.

Why this answer

Option A is correct because immediately resetting compromised credentials and revoking active sessions invalidates the attacker's access tokens and session cookies, preventing further lateral movement or data exfiltration. A password reset alone is not enough: refresh tokens and sessions issued before the reset can stay valid until they expire, so revocation is a separate step (for example, Set-ADAccountPassword for on-premises Active Directory, and Revoke-MgUserSignInSession from the Microsoft Graph PowerShell module, or the older Revoke-AzureADUserAllRefreshToken, for Entra ID). Option D is correct because attackers routinely add inbox forwarding or deletion rules and consent to OAuth applications so that mailbox access survives the password change; anything created after the compromise time must be found and removed. Both actions align with the NIST SP 800-61 containment phase, which prioritizes cutting off attacker access while preserving forensic evidence.

Exam trap

Cisco often tests the distinction between 'containment' (stopping the attack) and 'eradication' (removing the root cause), and the trap here is that candidates may choose overly aggressive actions like deleting mailboxes or disabling DNS, mistaking brute-force disruption for precise containment.

15
MCQ · hard

After containing a ransomware outbreak, the incident response team needs to restore encrypted files. They have verified clean backups from two weeks ago, but some critical files were modified on the day of the attack. What is the best approach?

A.Restore from backups and then apply all available updates
B.Restore critical files from backup and manually update them using change logs
C.Attempt to decrypt files using the ransom key
D.Restore all files from backups
Answer B

Preserves recent changes while using clean backups for the majority of files.

Why this answer

Option B is correct because restoring critical files from backup and manually updating them using change logs preserves the modifications made on the day of the attack, which are not present in the two-week-old backups. This approach ensures data integrity by combining the clean baseline from backups with the legitimate changes recorded in change logs, avoiding data loss while maintaining security.

Exam trap

CompTIA often tests the misconception that restoring from the most recent clean backup is always sufficient, ignoring the need to preserve post-backup legitimate changes, which leads candidates to choose Option D.

How to eliminate wrong answers

Option A is wrong because applying all available updates after restoration does not recover the modifications made on the day of the attack; updates address vulnerabilities, not data changes. Option C is wrong because attempting to decrypt files using the ransom key is unreliable, as the attacker may not provide the key, the key may be invalid, or decryption could further corrupt files; it also violates the principle of not negotiating with attackers. Option D is wrong because restoring all files from backups would overwrite the critical files modified on the day of the attack, resulting in permanent data loss of those legitimate changes.

16
MCQ · medium

A security analyst notices that a system is sending a large amount of data to an external IP address via DNS tunneling. Which containment technique is most appropriate?

A.Change the DNS server settings
B.Disconnect the system from the network
C.Block the external IP at the firewall
D.Disable the DNS service on the system
Answer B

Immediate isolation prevents any further data exfiltration.

Why this answer

Disconnecting the system from the network (Option B) is the most appropriate containment technique because it immediately stops all data exfiltration, including DNS tunneling traffic, without relying on any other network component. DNS tunneling works by encoding data within DNS queries and responses, so simply changing DNS server settings or blocking the external IP may not stop the attack if the malware uses fallback resolvers or rotates IPs. Disconnecting the system ensures the threat is isolated at the host level, preventing further data loss while preserving forensic evidence.

Exam trap

CompTIA often tests the principle that containment must be immediate and host-level for active data exfiltration, and the trap here is that candidates choose firewall-based blocking (Option C) thinking it stops the traffic, but fail to realize the attacker can easily change IPs or use multiple resolvers, making host isolation the only sure containment.

How to eliminate wrong answers

Option A is wrong because changing the DNS server settings does not stop the tunneling if the malware already has a hardcoded external resolver or uses direct IP connections to the command-and-control server; it also may disrupt legitimate DNS resolution for other systems. Option C is wrong because blocking the external IP at the firewall is a reactive measure that can be bypassed by the attacker using multiple IP addresses, domain generation algorithms (DGAs), or rotating resolvers; it also does not stop data already in transit. Option D is wrong because disabling the DNS service on the system would break all legitimate DNS resolution for that host, potentially alerting the user or causing system instability, and the malware could still tunnel data over other protocols or use raw sockets.
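The explanation notes that tunneling encodes data inside DNS names, and those names look different from ordinary lookups in measurable ways: long, high-entropy labels, nearly every query unique, and record types such as TXT that carry large answers. The script below, an added example and not part of the page or of any resolver product, profiles a constructed query log per registered domain and flags the domains that match; the placeholder domain tunnel.example.org, the deterministic SHA-256-derived labels standing in for encoded chunks, the thresholds, and the simplification that the last two labels form the registered domain are all assumptions.

```python
"""DNS-tunneling indicators over constructed resolver query logs (added example)."""
import base64
import hashlib
import math
from collections import defaultdict


def _constructed_tunnel_qname(i):
    """Deterministic high-entropy label standing in for an encoded data chunk (constructed)."""
    digest = hashlib.sha256(b"chunk-%d" % i).digest()
    return base64.b32encode(digest).decode().lower().rstrip("=") + ".tunnel.example.org"


# Constructed query log: (timestamp, client, qname, qtype). Domains are documentation placeholders.
QUERY_LOG = [
    ("2024-07-01T13:00:01", "10.1.20.15", "www.example.com", "A"),
    ("2024-07-01T13:00:02", "10.1.20.15", "mail.example.com", "A"),
    ("2024-07-01T13:00:03", "10.1.20.15", "cdn.example.net", "A"),
] + [
    ("2024-07-01T13:00:%02d" % (10 + i), "10.1.20.15", _constructed_tunnel_qname(i), "TXT")
    for i in range(40)
]


def shannon_entropy(s):
    """Bits of entropy per character; base32 data approaches 5, English words sit near 3."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    # Assumption: the last two labels are the registered domain (no public-suffix list here).
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def profile(log):
    """Per-domain features that separate tunnel traffic from ordinary resolution."""
    per = defaultdict(lambda: {"queries": 0, "subdomains": set(), "len_sum": 0,
                               "ent_sum": 0.0, "bulky": 0, "clients": set()})
    for _ts, client, qname, qtype in log:
        dom = registered_domain(qname)
        sub = qname[:-len(dom) - 1] if len(qname) > len(dom) else ""
        p = per[dom]
        p["queries"] += 1
        p["subdomains"].add(sub)
        p["len_sum"] += len(qname)
        p["ent_sum"] += shannon_entropy(sub.replace(".", ""))
        p["bulky"] += qtype in ("TXT", "NULL")   # record types that carry large payloads
        p["clients"].add(client)
    return {
        dom: {
            "queries": p["queries"],
            "unique_ratio": len(p["subdomains"]) / p["queries"],
            "avg_qname_len": p["len_sum"] / p["queries"],
            "avg_subdomain_entropy": p["ent_sum"] / p["queries"],
            "bulky_ratio": p["bulky"] / p["queries"],
            "clients": sorted(p["clients"]),
        }
        for dom, p in per.items()
    }


def suspects(log, min_queries=20, min_unique=0.9, min_len=50, min_entropy=3.5):
    """Domains whose query profile matches tunneling (thresholds are assumptions)."""
    flagged = []
    for dom, f in profile(log).items():
        if (f["queries"] >= min_queries and f["unique_ratio"] >= min_unique
                and (f["avg_qname_len"] >= min_len or f["avg_subdomain_entropy"] >= min_entropy)):
            flagged.append(dom)
    return sorted(flagged)


if __name__ == "__main__":
    for dom, f in profile(QUERY_LOG).items():
        print(dom, f)
    print("suspects:", suspects(QUERY_LOG))
```

The output names the domain, not the IP, which is the point the explanation makes about option C: blocking 203.0.113.x addresses does nothing when the data rides through whatever resolver the host can reach, whereas the domain profile identifies the channel itself and the clients column tells you which host to isolate.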

17
MCQ · easy

A malware alert affects a single kiosk with no sensitive access. A second alert shows the same malware on a domain admin workstation. What should drive severity?

A.Whether the alert arrived first
B.Business impact, privilege level, asset criticality, and spread potential
C.Alphabetical order of hostnames
D.The analyst's preferred dashboard theme
Answer B

Severity should reflect impact and risk, not only the malware family name.

Why this answer

Option B is correct because severity in incident response is determined by business impact, privilege level, asset criticality, and spread potential, not by timing or trivial factors. A domain admin workstation has elevated privileges and access to sensitive systems, making the same malware far more dangerous than on an isolated kiosk. During recovery, prioritizing based on these factors ensures defensible decisions align with risk management frameworks like NIST SP 800-61.

Exam trap

CompTIA often tests the misconception that alert timing or hostname order determines severity, but the trap here is confusing operational convenience (e.g., first-come-first-serve) with risk-based prioritization required by incident response best practices.

How to eliminate wrong answers

Option A is wrong because the order of alert arrival is irrelevant to severity; incident response prioritizes risk, not chronology. Option C is wrong because alphabetical order of hostnames has no bearing on security impact or recovery priority. Option D is wrong because an analyst's dashboard theme is a UI preference, not a technical factor for severity assessment or defensible recovery decisions.

18
Multi-Select · easy

An end-user reports receiving an email with an unexpected attachment and urgent language requesting to click a link. Which TWO indicators confirm this is likely a phishing email?

Select 2 answers
A.Personalized greeting using the recipient's name.
B.Unexpected attachment.
C.Internal sender address.
D.Corporate logo in the email.
E.Urgent language.
Answers B, E

Unexpected attachments are a common phishing tactic.

Why this answer

Option B is correct because unexpected attachments are a classic indicator of phishing, as attackers often use them to deliver malware or initiate social engineering attacks. The email's urgent language (Option E) is also correct, as it pressures the recipient to bypass normal security checks and click a malicious link or open the attachment without verifying the sender.

Exam trap

CompTIA often tests the misconception that personalized greetings or corporate logos are reliable indicators of legitimacy, when in fact these can be easily fabricated by attackers using open-source intelligence (OSINT) or simple HTML/CSS replication.

19
MCQ · easy

After a high-priority SOC escalation, a server suspected of running fileless malware is still powered on. Which evidence should be captured first if it is safe to do so?

A.Volatile memory and active network/process state
B.Marketing screenshots
C.Archived monthly reports
D.The office seating plan
Answer A

Fileless malware may reside in memory; volatile evidence disappears when the system is powered off.

Why this answer

Volatile memory (RAM) and active network/process state must be captured first because fileless malware runs from memory and may leave little or nothing on disk (where it persists at all, it is often through the registry or WMI rather than a file). If the system is powered off, the memory-resident code, its decrypted payload, and its live connections are lost. Capturing memory with tools like FTK Imager (Windows) or LiME (Linux) and recording network connections (netstat -ano) and running processes (tasklist /v) preserves the malware's execution context for analysis.

Exam trap

Cisco often tests the principle of 'order of volatility' (RFC 3227) by presenting plausible but non-volatile options (like logs or disk images) to distract from the correct answer, which is always the most ephemeral data first.

How to eliminate wrong answers

Option B is wrong because marketing screenshots are irrelevant to forensic evidence collection and provide no technical data for malware analysis. Option C is wrong because archived monthly reports are historical business documents, not real-time system state, and cannot capture volatile evidence like memory-resident malware. Option D is wrong because the office seating plan has no bearing on digital forensic evidence collection and is unrelated to incident response procedures.

20
MCQ · hard

During a post-compromise review, a company wants to test whether legal, PR, IT, and executives understand their roles during a ransomware incident without touching production systems. What exercise is best?

A.Tabletop exercise using a realistic ransomware scenario
B.Purchasing a new SIEM without testing procedures
C.Annual password reset only
D.Full destructive malware detonation in production
Answer A

Tabletops validate decision paths and communication without operational disruption.

Why this answer

A tabletop exercise is the correct choice because it simulates a realistic ransomware scenario in a discussion-based format, allowing legal, PR, IT, and executives to validate their incident response roles and decision-making processes without impacting production systems. This aligns with NIST SP 800-61 Rev. 2 guidance on testing communication and coordination during incident response, ensuring stakeholders understand their responsibilities before a real event.

Exam trap

Cisco often tests the distinction between testing the plan (tabletop) versus testing the technology (simulation or live-fire), and the trap here is assuming that any security improvement (like a new SIEM) inherently validates stakeholder roles, when in fact it only addresses detection capability without testing human decision-making.

How to eliminate wrong answers

Option B is wrong because purchasing a new SIEM without testing procedures does not test stakeholder roles or understanding; it introduces a new tool without validation of detection rules, log sources, or integration, which could lead to false positives or missed alerts during an incident. Option C is wrong because an annual password reset only addresses credential hygiene and does not evaluate the cross-functional coordination, legal obligations, or PR communication required during a ransomware incident, nor does it test the incident response plan.

21
MCQ · hard

In a regulated payment environment, after containing a compromised host, analysis shows persistence through a scheduled task and a stolen service account. What is required before recovery? During containment, which decision is most defensible? Which action best reduces risk without losing evidence?

A. Reconnect the host because users need it
B. Disable logging to improve performance
C. Close the incident after isolation
D. Remove persistence, rotate affected credentials, and verify no related hosts remain compromised
Answer: D

Recovery should follow eradication of persistence and credential exposure. In containment, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because after containing a compromised host, the recovery phase requires removing the persistence mechanism (the scheduled task), rotating the stolen service account credentials to prevent re-authentication, and verifying that no other hosts are compromised via lateral movement. This ensures the threat is fully eradicated before returning the host to production, which is critical in a regulated payment environment where PCI DSS or similar standards mandate thorough remediation.

Exam trap

CompTIA often tests the misconception that containment (isolation) alone is sufficient for recovery, but the exam emphasizes that eradication (removing persistence and rotating credentials) and validation (checking other hosts) are mandatory steps before declaring recovery complete.

How to eliminate wrong answers

Option A is wrong because reconnecting the host without completing eradication and verification reintroduces the compromised system to the network, risking data exfiltration or further lateral movement. Option B is wrong because disabling logging destroys forensic evidence needed for post-incident analysis and compliance reporting, violating regulatory requirements like PCI DSS 10.2. Option C is wrong because closing the incident after isolation without removing persistence and rotating credentials leaves the backdoor active, allowing the attacker to regain access via the scheduled task or stolen account.

22
Multi-Select · medium

A tabletop exercise reveals that no one knows who can approve public statements. What should be updated? (Choose two.)

Select 2 answers
A. The office seating plan only
B. Contact list and escalation matrix
C. The malware signature database only
D. Incident communication plan with named approval roles
Answers: B, D

Responders need current contacts and escalation paths.

Why this answer

The tabletop exercise revealed a gap in the incident response process: no one knows who can approve public statements. This is a procedural and communication failure, not a technical one. Updating the incident communication plan with named approval roles (Option D) directly addresses this by defining the specific person or role authorized to speak publicly.

The contact list and escalation matrix (Option B) must also be updated to ensure the correct approver can be reached quickly, as it provides the hierarchical path and contact details needed to execute the plan.

Exam trap

Cisco often tests the distinction between technical controls (like signature databases) and procedural/communication controls (like approval roles and contact lists), trapping candidates who confuse operational security tools with incident management processes.

23
MCQ · medium

In a regulated payment environment, a server suspected of running fileless malware is still powered on. Which evidence should be captured first if it is safe to do so? During detection and analysis, which decision is most defensible? Which action best reduces risk without losing evidence?

A. Volatile memory and active network/process state
B. Marketing screenshots
C. Archived monthly reports
D. The office seating plan
Answer: A

Fileless malware may reside in memory; volatile evidence disappears when the system is powered off. In detection and analysis, responders need action that reduces risk while preserving the investigation record.

Why this answer

In a fileless malware incident, the malware resides in volatile memory (RAM) and active system processes, leaving no persistent artifacts on disk. Capturing volatile memory (e.g., via `memdump` or `LiME`) and active network/process state (e.g., `netstat`, `ps`, `lsof`) preserves the most ephemeral evidence before it is lost upon shutdown or power loss. This aligns with the NIST SP 800-86 forensic order of volatility, which mandates collecting volatile data first.

Exam trap

Cisco often tests the order of volatility (OOV) principle, and the trap here is that candidates may mistakenly prioritize disk-based evidence (e.g., logs or reports) over volatile memory, not realizing that fileless malware leaves no disk footprint and that powering off the server would destroy the primary evidence source.

How to eliminate wrong answers

Option B is wrong because marketing screenshots are irrelevant to forensic evidence of fileless malware and do not capture volatile runtime data. Option C is wrong because archived monthly reports are static, non-volatile records that do not contain real-time process or memory state, and they can be collected later without risk of data loss. Option D is wrong because the office seating plan has no bearing on digital forensic evidence and would not aid in detecting or analyzing fileless malware.

24
MCQ · hard

After a data breach involving customer PII, the incident response team has contained the incident and eradicated the malware. What is the NEXT step in the remediation process?

A. Close the vulnerability that was exploited.
B. Restore systems from clean backups.
C. Conduct a root cause analysis.
D. Notify all affected customers.
Answer: A

Closing the vulnerability is a key remediation step to prevent reinfection.

Why this answer

Option A is correct because closing the exploited vulnerability prevents recurrence and reinfection. Root cause analysis belongs to the post-incident activity phase, customer notification is a legal/compliance obligation, and system restoration is part of recovery.

25
MCQ · hard

During a post-compromise review, a web server contains a new file that executes commands through a query parameter. What evidence best confirms web-shell activity? During recovery, which decision is most defensible? Which action should be prioritized before closure?

A. Only printer logs
B. Only the CEO's mailbox audit events
C. Web access logs, file timestamps, process execution, and outbound connections from the web service account
D. Only SSL certificate metadata
Answer: C

A web shell leaves evidence across file, web, process, and network telemetry. In recovery, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option C is correct because web-shell activity is best confirmed by correlating web access logs (showing the suspicious file being accessed with a query parameter), file timestamps (indicating when the file was created or modified), process execution logs (showing commands spawned by the web service account), and outbound connections (indicating data exfiltration or command-and-control traffic). This multi-source evidence provides a complete chain of compromise, unlike a single log source.

Exam trap

The trap here is that candidates may think a single log source (like web access logs alone) is sufficient, but Cisco tests the need for multi-source correlation to confirm web-shell activity, as a single log can be misleading or incomplete.

How to eliminate wrong answers

Option A is wrong because printer logs are unrelated to web-server command execution and would not capture web-shell activity, which involves HTTP requests, file creation, and process execution. Option B is wrong because the CEO's mailbox audit events pertain to email activity, not web-server file manipulation or command execution via query parameters. Option D is wrong because SSL certificate metadata only records certificate issuance and validity, not the runtime behavior of a web shell executing commands.

26
MCQ · hard

In a regulated payment environment, a web server contains a new file that executes commands through a query parameter. What evidence best confirms web-shell activity? During recovery, which decision is most defensible? Which action best reduces risk without losing evidence?

A. Only printer logs
B. Only the CEO's mailbox audit events
C. Web access logs, file timestamps, process execution, and outbound connections from the web service account
D. Only SSL certificate metadata
Answer: C

A web shell leaves evidence across file, web, process, and network telemetry. In recovery, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option C is correct because web-shell activity requires evidence of both the initial compromise (web access logs showing the malicious file request, file timestamps indicating creation/modification) and the subsequent command execution (process execution logs from the web service account, outbound connections from that account). This combination confirms the attacker used the query parameter to execute commands and exfiltrate data, which is the core indicator of a web shell in a regulated payment environment.

Exam trap

Cisco often tests the concept that web-shell detection requires correlating multiple log sources (web, file, process, network) rather than relying on a single log type, and the trap here is assuming that any single log (like printer logs or mailbox audits) could provide sufficient evidence of command execution.

How to eliminate wrong answers

Option A is wrong because printer logs are unrelated to web-server command execution; they record print jobs, not HTTP requests, process execution, or network connections, so they cannot confirm web-shell activity. Option B is wrong because the CEO's mailbox audit events only track email access and actions, not web server file creation, query parameter manipulation, or command execution; they are irrelevant to detecting a web shell on a web server.
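Questions 25 and 26 both say that a web shell is confirmed by correlating four telemetry sources rather than trusting one log. The added example below (not part of the question bank) does that correlation over constructed telemetry: an access log, a file-listing of modification times, EDR-style process events and outbound-connection events. The web service account name (`www-data`), the last-deploy date and the 30-second correlation window are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumptions about the host (not given on the page): the web service runs as
# www-data, and 1 March 2024 was the last legitimate deployment, so any web file
# modified after that date is unexpected. 30 s links a request to host telemetry.
WEB_ACCOUNT = "www-data"
LAST_DEPLOY = datetime(2024, 3, 1, tzinfo=timezone.utc)
WINDOW = timedelta(seconds=30)

# --- Constructed telemetry for the four sources the answer names ---------------
ACCESS_LOG = """\
203.0.113.7 - - [10/Mar/2024:02:14:05 +0000] "GET /uploads/report.php?cmd=id HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2024:02:14:21 +0000] "GET /uploads/report.php?cmd=uname HTTP/1.1" 200 640
198.51.100.4 - - [10/Mar/2024:02:15:00 +0000] "GET /index.html HTTP/1.1" 200 3021
"""
FILE_MTIMES = {  # web path -> last modification time, from a file listing
    "/uploads/report.php": datetime(2024, 3, 10, 2, 10, tzinfo=timezone.utc),
    "/index.html": datetime(2024, 2, 20, 9, 0, tzinfo=timezone.utc),
}
PROCESS_EVENTS = [  # (time, user, parent process, command line), EDR style
    (datetime(2024, 3, 10, 2, 14, 5, tzinfo=timezone.utc), "www-data", "apache2", "sh -c id"),
    (datetime(2024, 3, 10, 2, 14, 21, tzinfo=timezone.utc), "www-data", "apache2", "sh -c uname"),
    (datetime(2024, 3, 10, 2, 0, 0, tzinfo=timezone.utc), "root", "cron", "/usr/sbin/logrotate"),
]
NET_EVENTS = [  # (time, user, destination) for new outbound connections
    (datetime(2024, 3, 10, 2, 14, 30, tzinfo=timezone.utc), "www-data", "203.0.113.7:8443"),
]

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) ([^?\s]+)(?:\?(\S*))? \S+" (\d{3})')


def parse_access_log(text):
    """Parse combined-format access log lines into dicts; unparseable lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        src, ts, method, path, query, status = m.groups()
        hits.append({"src": src, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
                     "method": method, "path": path, "query": query or "", "status": int(status)})
    return hits


def correlate(access_log, mtimes, procs, nets):
    """Return {web path: evidence} for files that behave like a web shell: the file
    is newer than the last deploy, it is requested with a query string, and around
    those requests the web service account spawns processes and/or connects out.
    'sources' counts how many of the four telemetry types corroborate (2..4)."""
    findings = {}
    for hit in parse_access_log(access_log):
        mtime = mtimes.get(hit["path"])
        if not hit["query"] or mtime is None or mtime <= LAST_DEPLOY:
            continue
        ev = findings.setdefault(hit["path"], {"file_mtime": mtime, "requests": [], "procs": [], "nets": []})
        ev["requests"].append((hit["time"], hit["src"], hit["query"]))
        lo, hi = hit["time"] - WINDOW, hit["time"] + WINDOW
        for p in procs:
            if p[1] == WEB_ACCOUNT and lo <= p[0] <= hi and p not in ev["procs"]:
                ev["procs"].append(p)
        for n in nets:
            if n[1] == WEB_ACCOUNT and lo <= n[0] <= hi and n not in ev["nets"]:
                ev["nets"].append(n)
    for ev in findings.values():
        ev["sources"] = 2 + bool(ev["procs"]) + bool(ev["nets"])
        ev["confidence"] = {4: "confirmed", 3: "probable", 2: "weak"}[ev["sources"]]
    return findings


if __name__ == "__main__":
    for path, ev in correlate(ACCESS_LOG, FILE_MTIMES, PROCESS_EVENTS, NET_EVENTS).items():
        print(path, ev["confidence"], f"requests={len(ev['requests'])}",
              f"procs={len(ev['procs'])}", f"nets={len(ev['nets'])}")
```

Only `/uploads/report.php` is reported, because `/index.html` predates the last deploy and carries no query string; the finding reaches "confirmed" only because all four sources line up.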

27
MCQ · easy

After a high-priority SOC escalation, a malware alert affects a single kiosk with no sensitive access. A second alert shows the same malware on a domain admin workstation. What should drive severity? During recovery, which decision is most defensible? Which response best matches incident-response practice?

A. Whether the alert arrived first
B. Business impact, privilege level, asset criticality, and spread potential
C. Alphabetical order of hostnames
D. The analyst's preferred dashboard theme
Answer: B

Severity should reflect impact and risk, not only malware family name. In recovery, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option B is correct because severity in incident response is determined by business impact, privilege level, asset criticality, and spread potential, not by timing or naming. The domain admin workstation has high privilege and criticality, and the same malware on a kiosk suggests lateral movement potential, making it a higher priority regardless of alert order.

Exam trap

Cisco often tests the misconception that alert timing or hostname order determines priority, when in reality severity must be driven by risk-based factors like business impact and privilege level.

How to eliminate wrong answers

Option A is wrong because the order in which alerts arrive has no bearing on severity; incident response prioritizes based on risk, not chronology. Option C is wrong because alphabetical order of hostnames is irrelevant to security impact and would ignore the critical difference between a kiosk and a domain admin workstation.

28
MCQ · hard

Refer to the exhibit. A security auditor finds this IAM policy attached to a user account. Which of the following describes the primary security concern?

A. The policy is missing a NotAction element
B. The policy allows read-only access
C. The policy uses a wildcard resource
D. The policy allows all S3 actions, which can lead to data exposure
Answer: D

s3:* includes destructive actions like DeleteBucket and PutObject.

Why this answer

Option D is correct because the policy allows all S3 actions on all resources (s3:* on Resource "*"), which means the user can read, write, delete, and modify any S3 bucket. This extreme level of access can lead to data exposure or deletion. The wildcard resource (C) is part of the problem, but the combination of all actions with all resources is the core issue.
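The exhibit itself is not reproduced on the page, so the added example below (not part of the question bank) works on a constructed policy with the same shape, `s3:*` on `Resource "*"`, and places a least-privilege rewrite beside it. The checker flags Allow statements whose action is a service-wide or global wildcard and/or whose resource is `*`; the bucket name `example-reports` is made up.

```python
import json

# Constructed sample modelled on the exhibit the question describes (all S3 actions
# on all resources); the real exhibit is not reproduced on the page.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
})

# Least-privilege rewrite: named actions on one named bucket (name is constructed).
LEAST_PRIVILEGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"],
        },
    ],
})


def _as_list(value):
    """IAM accepts a string, a list, or (for Statement) a single object; normalise to a list."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def find_overbroad_statements(policy_json):
    """Flag Allow statements whose Action is a service-wide or global wildcard
    ('s3:*', '*') and/or whose Resource is '*'. Both together is the case the
    question describes and is reported as high severity; one alone is medium."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        wildcard_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        wildcard_resource = "*" in resources
        if not wildcard_actions and not wildcard_resource:
            continue
        findings.append({
            "statement": idx,
            "severity": "high" if (wildcard_actions and wildcard_resource) else "medium",
            "wildcard_actions": wildcard_actions,
            "wildcard_resource": wildcard_resource,
        })
    return findings


if __name__ == "__main__":
    for name, doc in (("overbroad", OVERBROAD_POLICY), ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(name, find_overbroad_statements(doc))
```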

29
MCQ · hard

While supporting a hybrid workforce, file shares show rapid encryption and ransom-note creation from one workstation. What is the best immediate containment action? During containment, which decision is most defensible? Which evidence should guide the decision?

A. Run vulnerability scans on every subnet first
B. Restore backups before isolating the host
C. Email all users the ransom note
D. Isolate the workstation and disable its active sessions to file servers
Answer: D

Containment should stop encryption spread while preserving evidence for analysis. In containment, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because the immediate priority in a ransomware incident is to stop the spread of encryption. Isolating the workstation (e.g., disabling its network interface or physically unplugging it) and terminating its active SMB sessions to file servers prevents the ransomware from encrypting additional shares. This containment step preserves evidence and limits damage without relying on potentially compromised backups or alerting the attacker.

Exam trap

Cisco often tests the principle that containment (stopping the spread) must precede eradication or recovery, tempting candidates to choose a proactive but premature action like scanning or restoring backups.

How to eliminate wrong answers

Option A is wrong because running vulnerability scans during an active ransomware outbreak wastes critical time and does not stop ongoing encryption; scanning should occur after containment. Option B is wrong because restoring backups before isolating the host risks re-encrypting the restored data if the ransomware is still active on the network; isolation must come first. Option C is wrong because emailing the ransom note to all users is not a containment action and may cause panic, spread misinformation, or inadvertently alert the attacker; it also does not stop the encryption process.

30
MCQ · easy

After a high-priority SOC escalation, a developer accidentally committed a cloud access key to a public repository. Logs show the key was used from an unfamiliar IP. What should be done first? During eradication, which decision is most defensible? Which response best matches incident-response practice?

A. Wait to see whether charges increase
B. Disable or rotate the key and review actions performed with it
C. Block the developer's laptop from Wi-Fi
D. Ask the developer to delete the commit only
Answer: B

The exposed credential must be invalidated and its use scoped through audit logs. In eradication, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option B is correct because the immediate priority in incident response is to contain the breach by disabling or rotating the compromised cloud access key, which prevents further unauthorized use. Reviewing actions performed with the key is essential to assess the scope of the incident, such as data exfiltration or resource manipulation, aligning with the NIST SP 800-61 containment, eradication, and recovery phases. This approach follows the SANS PICERL model, where containment (disabling the key) precedes eradication and recovery.

Exam trap

Cisco often tests the misconception that physical or network-level controls (like blocking Wi-Fi) are sufficient for cloud credential exposure, when in fact the correct first step is to invalidate the credential itself through rotation or disabling.

How to eliminate wrong answers

Option A is wrong because waiting to see whether charges increase violates the fundamental incident response principle of immediate containment; it allows the attacker continued access, potentially leading to greater data loss or resource abuse, and delays critical forensic analysis. Option C is wrong because blocking the developer's laptop from Wi-Fi does not address the root cause—the compromised cloud access key—and may hinder legitimate incident response activities; the key remains active and usable from any IP, including the attacker's, making this action ineffective for containment.

31
MCQ · hard

While supporting a hybrid workforce, a server suspected of running fileless malware is still powered on. Which evidence should be captured first if it is safe to do so? During detection and analysis, which decision is most defensible? Which evidence should guide the decision?

A. Volatile memory and active network/process state
B. Marketing screenshots
C. Archived monthly reports
D. The office seating plan
Answer: A

Fileless malware may reside in memory; volatile evidence disappears when the system is powered off. In detection and analysis, responders need action that reduces risk while preserving the investigation record.

Why this answer

Volatile memory (RAM) and active network/process state must be captured first because fileless malware resides only in memory and leaves no persistent artifacts on disk. If the system is powered off, all evidence of the malware's execution (e.g., injected code, network connections, running processes) is lost forever. This follows the order of volatility (RFC 3227), which prioritizes capturing the most ephemeral data before any other forensic step.

Exam trap

Cisco often tests the order of volatility (RFC 3227) by presenting plausible but non-volatile evidence options (like disk images or logs) to trick candidates into ignoring the critical need to capture RAM first when dealing with memory-resident threats.

How to eliminate wrong answers

Option B is wrong because marketing screenshots are irrelevant to forensic analysis and provide no technical evidence of fileless malware activity. Option C is wrong because archived monthly reports are historical, non-volatile data that do not capture the current in-memory state of the system; they cannot reveal active processes, network connections, or injected code that define fileless malware.

32
MCQ · hard

During a post-incident review, the team finds that the detection was delayed by 4 hours because the SIEM rule had a low priority and was not monitored after hours. Which improvement is most effective?

A. Increase the priority of the rule
B. Add automated response actions to the rule
C. Include the rule in a watchlist
D. Implement 24/7 SOC operations
Answer: D

Ensures that alerts are monitored around the clock.

Why this answer

Option D is correct because implementing 24/7 SOC coverage directly addresses the lack of after-hours monitoring. The other options do not resolve the root cause of the off-hours detection gap.

33
MCQ · easy

A security analyst detects unusual outbound traffic from a workstation. Which immediate action should the analyst take?

A. Run a full antivirus scan
B. Create a memory dump
C. Disconnect the network cable
D. Reimage the system
Answer: C

Immediate containment prevents further data loss.

Why this answer

Option C is correct because disconnecting the network cable immediately isolates the workstation from the network, containing potential data exfiltration or lateral movement. This is the first step in incident response containment, as it stops the suspicious outbound traffic without destroying volatile evidence like running processes or network connections.

Exam trap

CompTIA often tests the distinction between containment, eradication, and recovery phases; the trap here is that candidates confuse immediate containment (disconnect) with forensic collection (memory dump) or remediation (reimage), leading them to choose a later-phase action instead of the first response step.

How to eliminate wrong answers

Option A is wrong because running a full antivirus scan takes time and may alert the attacker or trigger destructive actions before containment; it also does not stop ongoing outbound traffic. Option B is wrong because creating a memory dump is a forensic step that should occur after containment, not as an immediate action, and it does not halt the suspicious traffic. Option D is wrong because reimaging the system destroys all evidence and prevents forensic analysis of the incident; it is a recovery step, not an immediate containment action.

34
MCQ · medium

You are a security analyst for a mid-sized financial services company. At 2:30 PM, the endpoint detection and response (EDR) console alerts on three workstations in the accounting department, indicating that files are being encrypted with a '.encrypt' extension and a ransom note named 'READ_ME_NOW.html' has been dropped. The workstations are connected to a file server that hosts shared financial records and a domain controller that handles authentication. The file server and domain controller have not shown signs of compromise yet. Your incident response plan states that containment must begin within 15 minutes of detection. Based on your analysis of the EDR telemetry, the encryption process appears to be spreading via SMB connections from the first infected workstation. Which of the following is the BEST immediate containment action to prevent further spread while preserving evidence?

A. Immediately isolate the three workstations by disconnecting their network cables at the patch panel or disabling their switch ports.
B. Shut down the file server and domain controller to protect critical systems from potential encryption.
C. Power off the three infected workstations immediately to contain the encryption process.
D. Apply the latest SMB vulnerability patch to the file server and domain controller to block the propagation vector.
Answer: A

Isolating at the network level stops lateral movement and preserves the system state for evidence collection.

Why this answer

Option A is correct because immediately isolating the three infected workstations at the network level (disconnecting cables or disabling switch ports) stops the SMB-based encryption propagation without destroying volatile forensic data. This containment action preserves the running processes, memory, and disk state for later analysis, which would be lost if the systems were powered off. The 15-minute containment window makes network isolation the fastest and most effective method to halt lateral movement while maintaining evidence integrity.

Exam trap

CompTIA often tests the distinction between containment (stopping the spread) and eradication (removing the threat), and the trap here is that candidates confuse immediate containment with remediation actions like patching or shutting down systems, which either take too long or destroy evidence.

How to eliminate wrong answers

Option B is wrong because shutting down the file server and domain controller would disrupt business operations for all users, not just the infected workstations, and would not stop the encryption already running on the three workstations; it also destroys volatile evidence on those critical servers. Option C is wrong because powering off the infected workstations destroys volatile evidence (memory, active network connections, running processes) that is crucial for forensic analysis and attribution, and it does not prevent the encryption process from having already spread via SMB if other systems are already compromised. Option D is wrong because applying a patch is a remediation step, not an immediate containment action; it takes time to download and install, and it does not stop the active encryption and propagation that is already occurring over SMB connections from the infected workstations.

35
MCQ · medium

After containing a compromised host, analysis shows persistence through a scheduled task and a stolen service account. What is required before recovery? During containment, which decision is most defensible?

A. Reconnect the host because users need it
B. Disable logging to improve performance
C. Close the incident after isolation
D. Remove persistence, rotate affected credentials, and verify no related hosts remain compromised
Answer: D

Recovery should follow eradication of persistence and credential exposure. In containment, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because before recovery, you must remove the persistence mechanism (the scheduled task), rotate the stolen service account credentials to prevent re-entry, and verify that no other hosts are compromised using the same foothold. This ensures the attacker cannot regain access after the host is restored to production, which is a fundamental step in the eradication phase of incident response.

Exam trap

CompTIA often tests the misconception that isolation alone is sufficient to close an incident, but the trap here is that persistence and credential theft require active eradication and credential rotation before recovery can be considered safe.

How to eliminate wrong answers

Option A is wrong because reconnecting a compromised host without completing eradication and recovery steps risks re-infection and lateral movement, violating containment best practices. Option B is wrong because disabling logging during containment destroys forensic evidence and violates the principle of preserving data integrity for post-incident analysis. Option C is wrong because closing the incident after isolation without performing eradication and verification leaves persistence mechanisms and stolen credentials intact, allowing the attacker to regain access.

36
Multi-Select · hard

A responder is acquiring evidence from a potentially compromised server. Which actions support forensic integrity? (Choose two.)

Select 2 answers
A. Calculate and record hashes of acquired images
B. Disable all logging before acquisition
C. Maintain chain-of-custody documentation
D. Edit suspicious files to see whether malware reacts
Answers: A, C

Hashes support integrity verification.

Why this answer

Calculating and recording hashes (e.g., SHA-256) of acquired disk images ensures data integrity by providing a cryptographic fingerprint that can be used later to verify that the evidence has not been altered. This is a foundational step in forensic acquisition, as any modification to the image will produce a different hash, proving tampering or corruption.

Exam trap

Cisco often tests the misconception that disabling logging helps preserve the integrity of the acquisition process, when in fact it destroys potential evidence and violates forensic best practices.

37
MCQ · hard

After a high-priority SOC escalation, a laptop may contain evidence for a legal investigation. What should the responder document during acquisition? During post-incident improvement, which decision is most defensible? Which response best matches incident-response practice?

A. Only the laptop colour
B. Only the ticket priority
C. Only the user's job title
D. Who collected it, when, where, hash values, transfer details, and storage location
Answer: D

Chain of custody records evidence handling and integrity from collection onward. In post-incident improvement, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because forensic acquisition requires a complete chain of custody to ensure evidence admissibility in legal proceedings. The responder must document who collected the evidence, the exact date/time, the physical location, cryptographic hash values (e.g., SHA-256) to verify integrity, transfer details (e.g., write-blocker used, destination media), and the final storage location. This aligns with NIST SP 800-86 and ISO 27037 forensic best practices.

Exam trap

CompTIA often tests the misconception that only minimal metadata (like color or priority) is sufficient, when in fact the full chain-of-custody documentation (who, when, where, hashes, transfer, storage) is mandatory for legally defensible evidence.

How to eliminate wrong answers

Option A is wrong because documenting only the laptop color provides no forensic value and fails to establish chain of custody or evidence integrity. Option B is wrong because recording only the ticket priority ignores all critical forensic metadata required for legal admissibility. Option C is wrong because noting only the user's job title does not capture who handled the evidence, when, or how it was preserved, making the evidence indefensible in court.
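Questions 36 and 37 together describe the integrity side of acquisition: hash the image at collection time, record who/when/where/how, append every transfer, and re-hash later to prove nothing changed. The added example below (not part of the question bank) implements that record in Python; the evidence item name, people, locations and tool name are made up, and a small temporary file stands in for the acquired image.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream the image through SHA-256 so a multi-gigabyte image never has to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def acquisition_record(image_path, collector, location, storage_location, tool):
    """First chain-of-custody entry: who, when (UTC), where, hash, tooling, storage."""
    return {
        "item": os.path.basename(image_path),
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "collected_where": location,
        "acquisition_tool": tool,
        "sha256": sha256_file(image_path),
        "storage_location": storage_location,
        "transfers": [],
    }


def record_transfer(record, released_by, received_by, purpose, new_storage_location):
    """Every hand-off is appended, never overwritten, so the history stays complete."""
    record["transfers"].append({
        "at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "released_by": released_by,
        "received_by": received_by,
        "purpose": purpose,
        "storage_location": new_storage_location,
    })
    record["storage_location"] = new_storage_location


def verify_integrity(record, image_path):
    """Re-hash the image and compare with the hash recorded at acquisition."""
    return sha256_file(image_path) == record["sha256"]


def demo():
    """Constructed walk-through: a small file stands in for the acquired image.
    Returns (intact_before_tamper, intact_after_tamper)."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "laptop-0042.dd")  # hypothetical evidence item name
        with open(image, "wb") as fh:
            fh.write(b"constructed image bytes\n" * 4096)
        record = acquisition_record(
            image, collector="A. Responder", location="Desk 14, HQ floor 3",
            storage_location="Evidence safe B3",
            tool="hypothetical imager via hardware write-blocker")
        record_transfer(record, "A. Responder", "Forensics lab intake", "analysis", "Lab locker 7")
        intact = verify_integrity(record, image)
        with open(image, "ab") as fh:  # simulate a single appended byte after collection
            fh.write(b"\x00")
        still_intact = verify_integrity(record, image)
        print(json.dumps(record, indent=2))
        return intact, still_intact


if __name__ == "__main__":
    demo()
```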

38
MCQ · hard

In a regulated payment environment, a company wants to test whether legal, PR, IT, and executives understand their roles during a ransomware incident without touching production systems. What exercise is best? During post-incident improvement, which decision is most defensible? Which action best reduces risk without losing evidence?

A. Tabletop exercise using a realistic ransomware scenario
B. Purchasing a new SIEM without testing procedures
C. Annual password reset only
D. Full destructive malware detonation in production
Answer: A

Tabletops validate decision paths and communication without operational disruption. In post-incident improvement, responders need action that reduces risk while preserving the investigation record.

Why this answer

A tabletop exercise (A) is the correct choice because it allows the company to validate roles, communication paths, and decision-making processes for a ransomware incident without any risk to production systems. This aligns with the need to test understanding across legal, PR, IT, and executives in a regulated environment where touching live systems is prohibited. Full destructive detonation (D) would violate regulatory compliance and cause data loss, while purchasing a new SIEM (B) or an annual password reset (C) does not test incident response roles at all.

Exam trap

The trap here is that candidates may confuse a 'test' with a technical simulation or live-fire exercise, overlooking that a tabletop exercise is the only safe and compliant method to validate human roles and decision-making in a regulated environment without impacting production systems or evidence integrity.

How to eliminate wrong answers

Option B is wrong because purchasing a new SIEM without testing procedures does not validate any incident response roles or processes; it is a procurement action that introduces new technology without addressing the specific need to test stakeholder understanding during a ransomware incident. Option C is wrong because an annual password reset is a routine security hygiene task that does not simulate a ransomware scenario or test the coordination of legal, PR, IT, and executive teams; it has no bearing on incident response role validation. Option D is wrong because full destructive malware detonation in production would cause actual data encryption, system downtime, and potential regulatory violations, directly contradicting the requirement to avoid touching production systems and risking evidence loss.

39
MCQ · medium

Refer to the exhibit. An analyst reviews the output from a netstat command on a server. Which connection is MOST likely indicative of command and control (C2) activity?

A.10.0.0.5:22 to 10.0.0.1:50001
B.10.0.0.5:54321 to 198.51.100.20:4444
C.All connections are normal.
D.10.0.0.5:3389 to 192.168.1.10:54321
AnswerB

External IP on port 4444 from an ephemeral port is suspicious and common for C2.

Why this answer

Option B is correct because the connection from a high ephemeral port (54321) on the server to an external IP (198.51.100.20) on port 4444 is a classic indicator of C2 activity. Port 4444 is commonly associated with Metasploit's default reverse shell listener and other malware frameworks, while the use of a non-standard high source port and an external destination suggests outbound beaconing or command reception.

Exam trap

CompTIA often tests the candidate's ability to recognize that not all high-port connections are malicious; the trap here is that options A and D use high ephemeral ports but are normal internal administrative traffic, leading candidates to incorrectly flag them as suspicious instead of focusing on the external destination and the specific C2-associated port 4444.

How to eliminate wrong answers

Option A is wrong because SSH (port 22) from the server to an internal IP on a high ephemeral port is a normal administrative connection within the local network, not indicative of C2. Option C is wrong because not all connections are normal; option B clearly shows suspicious characteristics. Option D is wrong because RDP (port 3389) from the server to an internal IP on a high ephemeral port is a standard remote desktop session within the local subnet, not C2 traffic.
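The reasoning in this question can be turned into a repeatable triage check. The following Python is an added example, not code from the page: it parses constructed `netstat -tn` output that reproduces the three connections in the question plus one ordinary HTTPS egress, ignores sockets where the server is the listening side (low local port), and flags outbound connections from an ephemeral port to an external address, escalating when the remote port is on a watchlist. The internal address ranges, the watchlist (only port 4444, the port the question names) and the 32768 ephemeral boundary are assumptions that an analyst would replace with their own environment's values.

```python
import ipaddress
import re

# Constructed sample of `netstat -tn` output on the server 10.0.0.5; it is not
# the page's exhibit, but reproduces the three connections from the question
# plus one ordinary HTTPS egress for contrast.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:22             10.0.0.1:50001          ESTABLISHED
tcp        0      0 10.0.0.5:54321          198.51.100.20:4444      ESTABLISHED
tcp        0      0 10.0.0.5:3389           192.168.1.10:54321      ESTABLISHED
tcp        0      0 10.0.0.5:41002          198.51.100.77:443       ESTABLISHED
"""

# Assumption: the organisation's internal space is RFC 1918 plus loopback and
# link-local. 198.51.100.0/24 is a documentation range, so the stdlib's
# is_global() would call it non-global; an explicit internal list avoids that.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Hypothetical watchlist: 4444 is the port the question calls out; a real team
# would load this from its own threat intelligence.
WATCHED_REMOTE_PORTS = {4444}
EPHEMERAL_MIN = 32768  # lower bound of Linux's default ip_local_port_range

LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+"
    r"(?P<lip>\S+):(?P<lport>\d+)\s+(?P<rip>\S+):(?P<rport>\d+)\s*(?P<state>\S*)")


def parse_netstat(text):
    """Turn netstat -tn lines into dicts; the header and unparsable lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["lport"] = int(d["lport"])
        d["rport"] = int(d["rport"])
        conns.append(d)
    return conns


def is_external(ip):
    """True when the address is outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def assess(conn):
    """Return (severity, reasons). Sockets where the server is the service side
    (local port below the ephemeral range) are left alone; outbound from an
    ephemeral port to an external host is noted, and escalated when the remote
    port is on the watchlist."""
    reasons = []
    if conn["lport"] < EPHEMERAL_MIN or not is_external(conn["rip"]):
        return "none", reasons
    reasons.append("outbound from ephemeral port to external host")
    if conn["rport"] in WATCHED_REMOTE_PORTS:
        reasons.append(f"remote port {conn['rport']} is on the C2 watchlist")
        return "high", reasons
    return "low", reasons


def triage(text):
    """Map 'lip:lport->rip:rport' to (severity, reasons) for every flagged socket."""
    out = {}
    for c in parse_netstat(text):
        sev, why = assess(c)
        if sev != "none":
            out[f"{c['lip']}:{c['lport']}->{c['rip']}:{c['rport']}"] = (sev, why)
    return out


if __name__ == "__main__":
    for key, (sev, why) in triage(SAMPLE_NETSTAT).items():
        print(f"{sev:4} {key}: {'; '.join(why)}")
```

Run against the sample, only the two outbound sockets are reported: the 4444 connection as high and the HTTPS egress as low, while the SSH and RDP sessions (options A and D) are not flagged because the server is the listening side. Any low-severity external egress still deserves a look during an investigation; the severity only orders the queue.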

40
MCQ · hard

An incident responder is collecting evidence from a compromised Linux server. The server is still running. Which order of collection adheres to the order of volatility?

A. Memory → network connections → disk → swap space.
B. Disk → memory → network connections → swap space.
C. Memory → network connections → swap space → disk.
D. Network connections → memory → disk → swap space.
Answer: C

This order follows the standard order of volatility: memory, network connections, swap, disk.

Why this answer

Option C is correct because the order of volatility (OOV) dictates that the most volatile data (memory/registers) must be collected first, followed by network connections, then swap space, and finally disk. Memory contains running processes and encryption keys that vanish on power loss; network connections change rapidly; swap space persists longer but is still more volatile than disk. This sequence ensures maximum preservation of ephemeral evidence before it is lost.

Exam trap

Cisco often tests the misconception that swap space is less volatile than disk because it is on disk, but swap is actually more volatile due to frequent overwriting by the kernel's paging mechanism.

How to eliminate wrong answers

Option A is wrong because it places disk before swap space, but swap space is more volatile than disk (swap is a temporary extension of RAM and may contain residual data that is overwritten quickly). Option B is wrong because it starts with disk, which is the least volatile, violating the OOV principle that the most volatile (memory) must be collected first. Option D is wrong because it collects network connections before memory, but memory (RAM) is more volatile than network connection state (which can be re-queried) and must be captured first to avoid losing critical in-memory artifacts.

41
MCQ · medium

After a high-priority SOC escalation, a web server contains a new file that executes commands through a query parameter. What evidence best confirms web-shell activity? During recovery, which decision is most defensible? Which response best matches incident-response practice?

A. Only printer logs
B. Only the CEO's mailbox audit events
C. Web access logs, file timestamps, process execution, and outbound connections from the web service account
D. Only SSL certificate metadata
Answer: C

A web shell leaves evidence across file, web, process, and network telemetry. In recovery, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option C is correct because web-shell activity requires correlating multiple evidence sources: web access logs show the initial malicious request (e.g., a POST to a PHP file with a query parameter like `?cmd=whoami`), file timestamps confirm when the shell was created, process execution logs (e.g., Sysmon Event ID 1) reveal the spawned child processes (e.g., cmd.exe, powershell.exe), and outbound connections from the web service account (e.g., netstat or firewall logs) indicate command-and-control (C2) or data exfiltration. This multi-source correlation aligns with the NIST SP 800-61 incident-response methodology for validating a compromise.

Exam trap

Cisco often tests the misconception that a single log source (like web access logs alone) is sufficient to confirm a web shell, when in fact incident-response best practice requires correlating multiple evidence types (file, process, network) to rule out false positives and establish a complete attack chain.

How to eliminate wrong answers

Option A is wrong because printer logs (e.g., SNMP or print job records) are unrelated to web-server command execution and provide no evidence of web-shell activity. Option B is wrong because the CEO's mailbox audit events (e.g., Exchange or Outlook logs) only track email access or modifications, not server-side command execution or file creation. Option D is wrong because SSL certificate metadata (e.g., issuer, subject, validity period) only confirms encryption configuration, not whether a web shell was uploaded or executed.
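The four evidence sources named in option C are most useful when correlated in time around the suspicious request. The Python below is an added example written for this page, not code from the question's author: it takes constructed samples of each source (an access log in combined format, file creation times, process starts and outbound connections), finds requests whose query string carries a command-style parameter, and for each one collects the shell file created shortly before the request, processes started by the web service account shortly after it, and that account's outbound connections. The document root, the `www-data` service account, the parameter watchlist and the 60-second window are assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Assumptions about the environment (not stated on the page).
WEB_ROOT = "/var/www/html"       # document root the access-log path maps onto
WEB_USER = "www-data"            # account the web service runs as
SUSPECT_PARAMS = {"cmd", "exec", "command"}  # hypothetical parameter watchlist

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample telemetry: one web-shell request, one benign request,
# the shell file's creation time, two process starts and one egress event.
ACCESS_LOG = [
    '10.0.0.9 - - [12/Mar/2024:10:15:02 +0000] "GET /uploads/img.php?cmd=whoami HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Mar/2024:10:15:30 +0000] "GET /index.php?page=home HTTP/1.1" 200 4096',
]
FILE_EVENTS = [
    {"path": "/var/www/html/uploads/img.php", "ctime": "2024-03-12T10:14:40+00:00"},
]
PROC_EVENTS = [
    {"ts": "2024-03-12T10:15:02+00:00", "user": "www-data", "parent": "apache2",
     "cmd": "/bin/sh -c whoami"},
    {"ts": "2024-03-12T09:00:00+00:00", "user": "root", "parent": "cron",
     "cmd": "/usr/sbin/logrotate /etc/logrotate.conf"},
]
NET_EVENTS = [
    {"ts": "2024-03-12T10:15:05+00:00", "user": "www-data", "dst": "198.51.100.20:4444"},
]

iso = datetime.fromisoformat


def parse_access(line):
    """Parse one combined-format access-log line; return None if it does not match."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    src, ts, method, target, status = m.groups()
    url = urlsplit(target)
    return {"src": src, "ts": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "path": url.path,
            "params": parse_qs(url.query), "status": int(status)}


def suspicious_requests(lines):
    """Requests whose query string carries a command-style parameter."""
    out = []
    for line in lines:
        req = parse_access(line)
        if req and SUSPECT_PARAMS & set(req["params"]):
            out.append(req)
    return out


def correlate(access, files, procs, nets, window=timedelta(seconds=60)):
    """For each suspicious request, gather the other three evidence types within
    the window: the target file created shortly before, processes started by the
    web account shortly after, and outbound connections by that account."""
    findings = []
    for req in suspicious_requests(access):
        t = req["ts"]
        ev = {"request": f"{req['method']} {req['path']} from {req['src']}"}
        for f in files:
            if f["path"] == WEB_ROOT + req["path"] and t - window <= iso(f["ctime"]) <= t:
                ev["file"] = f["path"]
        for p in procs:
            if p["user"] == WEB_USER and t <= iso(p["ts"]) <= t + window:
                ev["process"] = p["cmd"]
        for n in nets:
            if n["user"] == WEB_USER and t <= iso(n["ts"]) <= t + window:
                ev["network"] = n["dst"]
        findings.append({"when": t.isoformat(), "evidence": ev,
                         "confirmed": {"file", "process", "network"}.issubset(ev)})
    return findings


if __name__ == "__main__":
    for f in correlate(ACCESS_LOG, FILE_EVENTS, PROC_EVENTS, NET_EVENTS):
        print(f["when"], "confirmed" if f["confirmed"] else "unconfirmed", f["evidence"])
```

A finding is marked confirmed only when all four sources line up; a request with a command-style parameter but no matching process start or egress is reported as unconfirmed and stays a lead rather than a conclusion, which is the point the "Exam trap" paragraph makes about single-source evidence.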

42
MCQ · easy

While supporting a hybrid workforce, after containing a compromised host, analysis shows persistence through a scheduled task and a stolen service account. What is required before recovery? During containment, which decision is most defensible? Which evidence should guide the decision?

A. Reconnect the host because users need it
B. Disable logging to improve performance
C. Close the incident after isolation
D. Remove persistence, rotate affected credentials, and verify no related hosts remain compromised
Answer: D

Recovery should follow eradication of persistence and credential exposure. In containment, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because before recovery, you must remove the persistence mechanism (the scheduled task) to prevent re-infection, rotate the stolen service account credentials to close the attacker's access, and verify no other hosts are compromised via the same account. This aligns with the NIST SP 800-61 recovery phase, which requires eliminating all footholds and validating the scope of compromise before returning the host to production.

Exam trap

Cisco often tests the misconception that isolation alone is sufficient for recovery, but the trap here is that persistence and credential theft require active removal and verification before the host can be safely reintegrated.

How to eliminate wrong answers

Option A is wrong because reconnecting a host that still has active persistence (scheduled task) and compromised credentials would immediately re-expose the network to the attacker. Option B is wrong because disabling logging during containment destroys forensic evidence and violates the principle of preserving data integrity for post-incident analysis. Option C is wrong because closing the incident after isolation without removing persistence and rotating credentials leaves the attacker with a persistent backdoor and valid credentials, ensuring a repeat compromise.

43
MCQ · hard

During a post-compromise review, after containing a compromised host, analysis shows persistence through a scheduled task and a stolen service account. What is required before recovery? During containment, which decision is most defensible? Which action should be prioritized before closure?

A. Reconnect the host because users need it
B. Disable logging to improve performance
C. Close the incident after isolation
D. Remove persistence, rotate affected credentials, and verify no related hosts remain compromised
Answer: D

Recovery should follow eradication of persistence and credential exposure. In containment, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because after containing a compromised host, the recovery phase requires removing the persistence mechanism (the scheduled task), rotating the stolen service account credentials to prevent re-authentication, and verifying that no other hosts are compromised via the same lateral movement path. This ensures the attacker cannot regain access and that the incident is fully remediated before closure.

Exam trap

Cisco often tests the misconception that isolation alone is sufficient for closure, but the trap here is that recovery requires active remediation steps (removing persistence and rotating credentials) before the incident can be formally closed.

How to eliminate wrong answers

Option A is wrong because reconnecting the host without removing persistence and rotating credentials would allow the attacker to regain access immediately, violating containment and recovery best practices. Option B is wrong because disabling logging would destroy forensic evidence and blind the security team to ongoing malicious activity, which is never acceptable during incident response. Option C is wrong because closing the incident after isolation without removing persistence and rotating credentials leaves the backdoor active, meaning the attacker can still use the scheduled task and stolen account to re-enter the environment.

44
MCQ · easy

A server suspected of running fileless malware is still powered on. Which evidence should be captured first if it is safe to do so? During detection and analysis, which decision is most defensible?

A. Volatile memory and active network/process state
B. Marketing screenshots
C. Archived monthly reports
D. The office seating plan
Answer: A

Fileless malware may reside in memory; volatile evidence disappears when the system is powered off. In detection and analysis, responders need action that reduces risk while preserving the investigation record.

Why this answer

Volatile memory (RAM) and active network/process state must be captured first because fileless malware resides only in memory and leaves no persistent artifacts on disk. Any shutdown or reboot would destroy this evidence, making it impossible to analyze the malware's behavior, network connections, or injected processes. This follows the forensic order of volatility (RFC 3227), which mandates capturing the most volatile data first.

Exam trap

Cisco often tests the order of volatility (RFC 3227) by presenting plausible but non-volatile evidence options, tricking candidates into thinking disk-based artifacts are acceptable when memory must be captured first.

How to eliminate wrong answers

Option B is wrong because marketing screenshots are irrelevant to forensic evidence collection and contain no technical data about malware execution. Option C is wrong because archived monthly reports are static, non-volatile data stored on disk, which would not contain the runtime state of fileless malware that exists only in memory. Option D is wrong because the office seating plan has no bearing on digital forensic evidence collection or malware analysis.

45
MCQ · medium

A company wants to test whether legal, PR, IT, and executives understand their roles during a ransomware incident without touching production systems. What exercise is best? During post-incident improvement, which decision is most defensible?

A. Tabletop exercise using a realistic ransomware scenario
B. Purchasing a new SIEM without testing procedures
C. Annual password reset only
D. Full destructive malware detonation in production
Answer: A

Tabletops validate decision paths and communication without operational disruption. In post-incident improvement, responders need action that reduces risk while preserving the investigation record.

Why this answer

A tabletop exercise is the correct choice because it allows stakeholders (legal, PR, IT, executives) to validate their roles and decision-making processes during a ransomware incident without impacting production systems. This aligns with the NIST SP 800-61 incident response testing framework, which emphasizes discussion-based exercises for validating procedures and communication flows. Unlike destructive tests, a tabletop exercise uses a realistic scenario to simulate the incident lifecycle, ensuring role clarity and procedural readiness.

Exam trap

Cisco often tests the distinction between validation exercises (tabletop) and operational changes (SIEM purchase) or security controls (password reset), trapping candidates who confuse testing a process with implementing a tool or policy.

How to eliminate wrong answers

Option B is wrong because purchasing a new SIEM without testing procedures does not validate role understanding or incident response processes; it introduces a tool without verifying operational readiness or integration with existing workflows. Option C is wrong because an annual password reset only addresses a single authentication control and does not test the multi-faceted coordination required during a ransomware incident, such as legal notifications or PR communication. Option D is wrong because full destructive malware detonation in production would disrupt live systems, violate the requirement to avoid touching production, and could cause data loss or service downtime, making it inappropriate for a non-destructive role-validation exercise.

46
MCQ · easy

During a post-compromise review, an incident was contained successfully, but delayed escalation allowed the attacker more dwell time. What should the post-incident review produce? During eradication, which decision is most defensible? Which action should be prioritized before closure?

A. A generic statement that security is important
B. Deletion of all incident tickets
C. A blame list of individual analysts
D. Specific playbook updates, escalation triggers, owners, and due dates
Answer: D

Lessons learned should translate findings into trackable process improvements. In eradication, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because a post-incident review must produce actionable improvements to prevent recurrence. Specific playbook updates, escalation triggers, owners, and due dates directly address the delayed escalation and excessive dwell time by clarifying when and how to escalate, who is responsible, and by when changes must be implemented. This aligns with the NIST SP 800-61 incident response lifecycle, which emphasizes lessons learned leading to process refinement.

Exam trap

Cisco often tests the distinction between punitive actions (blame) and constructive process improvements (playbook updates), expecting candidates to recognize that the goal of a post-incident review is to fix the process, not assign fault.

How to eliminate wrong answers

Option A is wrong because a generic statement that security is important provides no measurable or actionable change to the incident response process, failing to correct the specific escalation failure. Option B is wrong because deletion of all incident tickets destroys forensic evidence and audit trails required for legal proceedings, regulatory compliance, and future analysis; incident tickets must be preserved per retention policies. Option C is wrong because a blame list of individual analysts violates the 'blameless postmortem' principle and discourages reporting of security incidents, undermining the entire incident response program.

47
MCQ · hard

You are a senior incident responder for a large technology company. During a routine threat hunting exercise, you detect unusual network traffic from a Linux web server to an external IP address that is known to be associated with an advanced persistent threat (APT) group. The web server runs a custom PHP application and is not in the DMZ; instead, it's on the internal network serving a management dashboard. You have captured a memory dump of the web server and analyzed it with Volatility. The output shows a suspicious process running with the name 'apache2' but with an invalid parent process (PID 1 is 'apache2' itself). Additionally, you find a kernel module loaded called 'hideproc.ko' that is not part of the standard kernel. The network connections show a reverse shell to the external IP. You need to determine the most effective containment and eradication strategy that minimizes data loss and maintains business continuity while preserving evidence for law enforcement involvement.

A. Revert the web server to a previous snapshot from before the suspected compromise date, then run a full antivirus scan on the restored system.
B. Perform a live forensic analysis of the PHP application logs and database to identify the specific vulnerability used, then apply a hotfix to the application code.
C. Isolate the web server from the network immediately, capture a full disk and memory image, then reimage the server from a trusted backup or OS image, and restore application data from a known clean backup.
D. Block the external IP address at the firewall and block all outbound traffic from the web server except to specific internal IPs, then continue monitoring for other compromised hosts.
Answer: C

Isolation stops the active reverse shell and lateral movement. Imaging preserves evidence of the rootkit and attacker activities. Reimaging ensures the kernel module and any other persistence are removed.

Why this answer

Option C is correct because the presence of a kernel rootkit ('hideproc.ko') and a reverse shell indicates deep, persistent compromise that cannot be cleaned by patching or scanning. Isolating the server preserves volatile evidence (memory, disk) for law enforcement, while reimaging from a trusted backup ensures complete removal of the attacker's foothold, minimizing data loss and restoring business continuity.

Exam trap

The trap here is that candidates may choose a containment-only option (D) or a patch-only option (B) because they underestimate the persistence of kernel-level rootkits, failing to recognize that eradication requires complete reimaging from a trusted source.

How to eliminate wrong answers

Option A is wrong because reverting to a snapshot does not guarantee the snapshot itself is clean (the APT may have persisted before the snapshot date), and a full antivirus scan cannot detect or remove a kernel-mode rootkit like 'hideproc.ko'. Option B is wrong because live forensic analysis of logs and applying a hotfix addresses the vulnerability but does not remove the already-loaded kernel rootkit or the active reverse shell, leaving the attacker with persistent access. Option D is wrong because blocking the external IP and restricting outbound traffic only contains the immediate C2 channel; the kernel rootkit and backdoor remain on the server, allowing the attacker to pivot or establish alternative egress paths.

48
Multi-Select · hard

A root-cause analysis finds that an alert fired but was never triaged. Which corrective actions are useful? (Choose two.)

Select 2 answers
A. Blame an individual without process review
B. Delete the alert rule because it was inconvenient
C. Define queue ownership and escalation thresholds
D. Add monitoring for stale or unassigned alerts
Answers: C, D

Ownership prevents alerts from being orphaned.

Why this answer

Option C is correct because defining queue ownership and escalation thresholds ensures that alerts are assigned to a specific team or individual and have a clear path for escalation if not acknowledged within a defined time. This directly addresses the root cause of the alert never being triaged by enforcing accountability and automated follow-up, which is a standard incident response practice per NIST SP 800-61.

Exam trap

Cisco often tests the misconception that punitive measures (blaming individuals) or removing inconvenient alerts are valid corrective actions, when the correct approach is always to improve process and automation to prevent recurrence.
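Options C and D work together: ownership says who an orphaned alert goes to, and monitoring says when. The Python below is an added example for this page, not code from the question's author, showing one way to implement both over a constructed snapshot of an alert queue. The queue-to-owner table, the per-severity acknowledgement and staleness thresholds, the fallback owner for unowned queues, and the fixed evaluation time are all assumptions chosen so the result is reproducible.

```python
from datetime import datetime

# Hypothetical queue ownership table and per-severity thresholds (minutes).
QUEUE_OWNERS = {"soc-tier1": "tier1-lead", "soc-tier2": "tier2-lead"}
ACK_MINUTES = {"critical": 15, "high": 60, "medium": 240, "low": 1440}
STALE_MINUTES = {"critical": 30, "high": 120, "medium": 480, "low": 2880}
FALLBACK_OWNER = "soc-manager"   # receives escalations for queues nobody owns

# Constructed alert queue snapshot, evaluated at a fixed "now" so results are stable.
NOW = datetime.fromisoformat("2024-03-12T12:00:00+00:00")
ALERTS = [
    {"id": "A-1", "queue": "soc-tier1", "severity": "critical", "status": "open",
     "assignee": None, "created": "2024-03-12T11:30:00+00:00",
     "last_update": "2024-03-12T11:30:00+00:00"},
    {"id": "A-2", "queue": "soc-tier2", "severity": "high", "status": "open",
     "assignee": "ana", "created": "2024-03-12T09:40:00+00:00",
     "last_update": "2024-03-12T09:50:00+00:00"},
    {"id": "A-3", "queue": "soc-tier1", "severity": "medium", "status": "open",
     "assignee": None, "created": "2024-03-12T11:50:00+00:00",
     "last_update": "2024-03-12T11:50:00+00:00"},
    {"id": "A-4", "queue": "legacy-ids", "severity": "low", "status": "open",
     "assignee": None, "created": "2024-03-10T08:00:00+00:00",
     "last_update": "2024-03-10T08:00:00+00:00"},
    {"id": "A-5", "queue": "soc-tier1", "severity": "critical", "status": "closed",
     "assignee": "bo", "created": "2024-03-12T08:00:00+00:00",
     "last_update": "2024-03-12T08:20:00+00:00"},
]


def minutes_since(ts, now):
    """Whole minutes between an ISO-8601 timestamp and now."""
    return int((now - datetime.fromisoformat(ts)).total_seconds() // 60)


def check_queue(alerts, now):
    """Return one escalation per open alert that nobody is actively working:
    unowned queue, unassigned past the acknowledgement limit, or assigned
    but untouched past the staleness limit."""
    escalations = []
    for a in alerts:
        if a["status"] != "open":
            continue
        owner = QUEUE_OWNERS.get(a["queue"])
        if owner is None:
            escalations.append({"id": a["id"],
                                "reason": f"queue {a['queue']} has no owner",
                                "escalate_to": FALLBACK_OWNER})
            continue
        sev = a["severity"]
        if a["assignee"] is None:
            age = minutes_since(a["created"], now)
            if age > ACK_MINUTES[sev]:
                escalations.append({"id": a["id"],
                                    "reason": f"unassigned for {age} min (limit {ACK_MINUTES[sev]})",
                                    "escalate_to": owner})
        else:
            idle = minutes_since(a["last_update"], now)
            if idle > STALE_MINUTES[sev]:
                escalations.append({"id": a["id"],
                                    "reason": f"no update for {idle} min (limit {STALE_MINUTES[sev]})",
                                    "escalate_to": owner})
    return escalations


if __name__ == "__main__":
    for e in check_queue(ALERTS, NOW):
        print(f"{e['id']}: {e['reason']} -> {e['escalate_to']}")
```

On the sample, A-1 (critical, unassigned for 30 minutes) and A-2 (assigned but idle for 130 minutes) are escalated to their queue leads, A-4 is escalated to the fallback owner because its queue has no owner at all, A-3 is still within its window, and the closed A-5 is ignored. The unowned-queue case is the one the root-cause analysis in the question describes: an alert can fire into a queue that exists but that nobody is accountable for.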

49
MCQ · medium

In a regulated payment environment, a developer accidentally committed a cloud access key to a public repository. Logs show the key was used from an unfamiliar IP. What should be done first? During eradication, which decision is most defensible? Which action best reduces risk without losing evidence?

A. Wait to see whether charges increase
B. Disable or rotate the key and review actions performed with it
C. Block the developer's laptop from Wi-Fi
D. Ask the developer to delete the commit only
Answer: B

The exposed credential must be invalidated and its use scoped through audit logs. In eradication, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option B is correct because the immediate priority is to revoke the compromised cloud access key to prevent further unauthorized use, while simultaneously reviewing logs to understand the scope of the attacker's actions. In a regulated payment environment (e.g., PCI DSS), failing to disable the key promptly could lead to a data breach and non-compliance penalties. Reviewing actions with the key is essential for incident response and forensic evidence collection.

Exam trap

Cisco often tests the misconception that containment means physically isolating the user (e.g., blocking Wi-Fi) rather than logically revoking the compromised credential, leading candidates to pick Option C over the correct technical containment action.

How to eliminate wrong answers

Option A is wrong because waiting to see whether charges increase is a passive, reactive approach that allows the attacker continued access, potentially exfiltrating sensitive payment data or escalating privileges — this violates the 'containment' phase of incident response. Option C is wrong because blocking the developer's laptop from Wi-Fi does not revoke the cloud access key; the key remains valid and can still be used from the unfamiliar IP, and it may hinder legitimate incident response activities by isolating the developer without addressing the root cause.
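The second half of option B, reviewing the actions performed with the key, is the part that scopes the incident. The Python below is an added example, not code from the page or from any cloud provider: it walks constructed CloudTrail-style records (field names follow CloudTrail's `eventTime`, `eventName`, `eventSource`, `sourceIPAddress`, `userIdentity.accessKeyId` and `errorCode`), keeps only the leaked key's events, separates calls from unfamiliar addresses, and lists the state-changing calls that succeeded so they can be reversed during eradication. The key ID, the addresses, the "known egress IP" set and the prefix heuristic for mutating API names are placeholders and assumptions.

```python
from collections import Counter

# Constructed CloudTrail-style records for a leaked key. The key ID and IPs are
# placeholders; field names follow CloudTrail's.
LEAKED_KEY = "AKIAEXAMPLELEAKEDKEY"          # placeholder, not a real key ID
KNOWN_IPS = {"198.51.100.10"}                 # assumption: the company's egress address
EVENTS = [
    {"eventTime": "2024-03-12T07:55:00Z", "eventName": "GetCallerIdentity",
     "eventSource": "sts.amazonaws.com", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"accessKeyId": LEAKED_KEY}},
    {"eventTime": "2024-03-12T08:10:12Z", "eventName": "GetCallerIdentity",
     "eventSource": "sts.amazonaws.com", "sourceIPAddress": "203.0.113.45",
     "userIdentity": {"accessKeyId": LEAKED_KEY}},
    {"eventTime": "2024-03-12T08:10:40Z", "eventName": "ListBuckets",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "203.0.113.45",
     "userIdentity": {"accessKeyId": LEAKED_KEY}},
    {"eventTime": "2024-03-12T08:11:05Z", "eventName": "CreateUser",
     "eventSource": "iam.amazonaws.com", "sourceIPAddress": "203.0.113.45",
     "userIdentity": {"accessKeyId": LEAKED_KEY}, "errorCode": "AccessDenied"},
    {"eventTime": "2024-03-12T08:12:30Z", "eventName": "RunInstances",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "203.0.113.45",
     "userIdentity": {"accessKeyId": LEAKED_KEY}},
    {"eventTime": "2024-03-12T08:13:00Z", "eventName": "ListBuckets",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEOTHERKEY0"}},
]

# Heuristic (assumption): API names with these prefixes change state and need
# follow-up cleanup; read-only calls still matter for disclosure scoping.
MUTATING_PREFIXES = ("Create", "Put", "Delete", "Update", "Attach", "Run", "Modify", "Start")


def scope_key_usage(events, key_id, known_ips):
    """Summarise everything a single access key did, split by whether the
    source address was already known to the organisation."""
    used = [e for e in events if e.get("userIdentity", {}).get("accessKeyId") == key_id]
    used.sort(key=lambda e: e["eventTime"])   # ISO-8601 UTC strings sort chronologically
    unfamiliar = [e for e in used if e["sourceIPAddress"] not in known_ips]
    succeeded = [e for e in unfamiliar if not e.get("errorCode")]
    return {
        "events": len(used),
        "first_unfamiliar": unfamiliar[0]["eventTime"] if unfamiliar else None,
        "unfamiliar_ips": sorted({e["sourceIPAddress"] for e in unfamiliar}),
        "calls_from_unfamiliar": Counter(e["eventName"] for e in unfamiliar),
        "denied": sum(1 for e in unfamiliar if e.get("errorCode")),
        # successful state changes from unfamiliar addresses: the eradication to-do list
        "mutating_success": [(e["eventTime"], e["eventName"]) for e in succeeded
                             if e["eventName"].startswith(MUTATING_PREFIXES)],
    }


if __name__ == "__main__":
    summary = scope_key_usage(EVENTS, LEAKED_KEY, KNOWN_IPS)
    for k, v in summary.items():
        print(f"{k}: {v}")
```

On the sample the report shows five uses of the key, the first unfamiliar use at 08:10:12 from 203.0.113.45, one denied privilege-escalation attempt and one successful `RunInstances` that eradication must undo. Denied calls are kept in the count on purpose: they show intent and belong in the incident record even though they changed nothing.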

50
MCQ · easy

During a phishing investigation, an employee reports clicking a link and entering credentials. Which of the following should be the first step?

A. Conduct user awareness training
B. Block the phishing domain
C. Analyze the email headers
D. Reset the employee's password
Answer: D

Immediate password reset mitigates account compromise.

Why this answer

The immediate priority after credential compromise is to secure the account and prevent unauthorized access. Resetting the employee's password (Option D) invalidates the stolen credentials, stopping the attacker from using them to log in. This aligns with the NIST Incident Response Framework's containment phase, which must occur before any remediation or analysis steps.

Exam trap

Cisco often tests the distinction between containment and remediation; the trap here is that candidates choose 'Analyze the email headers' (Option C) because they confuse forensic analysis with the first step of incident response, but the priority must always be to stop active harm before investigating.

How to eliminate wrong answers

Option A is wrong because user awareness training is a long-term preventive measure, not an immediate containment step; conducting it first would leave the compromised account vulnerable. Option B is wrong because blocking the phishing domain, while useful, does not address the immediate risk of the attacker using the stolen credentials to access the account. Option C is wrong because analyzing email headers is part of the forensic investigation phase, which should follow containment to avoid delaying critical account protection.

51
MCQ · easy

Which technology is specifically designed to detect anomalous user behavior that may indicate a compromised account?

A. IDS.
B. UEBA.
C. SIEM.
D. Antivirus.
Answer: B

UEBA uses machine learning to detect anomalous user and entity behavior.

Why this answer

User and Entity Behavior Analytics (UEBA) is specifically designed to establish baselines of normal user behavior and detect anomalous activities—such as unusual login times, impossible travel, or abnormal data access patterns—that may indicate a compromised account. Unlike signature-based tools, UEBA leverages machine learning and statistical modeling to identify deviations from established norms, making it the correct choice for detecting account compromise.

Exam trap

CompTIA often tests the distinction between correlation-based tools (SIEM) and behavior-based tools (UEBA), and the trap here is that candidates confuse SIEM's log aggregation and rule-based alerting with UEBA's machine learning-driven anomaly detection for user behavior.

How to eliminate wrong answers

Option A is wrong because an Intrusion Detection System (IDS) primarily monitors network traffic for known attack signatures or protocol anomalies, not user behavior patterns. Option C is wrong because a Security Information and Event Management (SIEM) system aggregates and correlates logs from multiple sources but relies on predefined rules and signatures rather than behavioral baselining to detect anomalies. Option D is wrong because Antivirus software detects and blocks known malware based on signatures and heuristics, not user behavior or account compromise indicators.

52
MCQ · medium

A user reports approving an unexpected OAuth consent prompt for an app named 'Invoice Reader'. The app now has mailbox read permissions. What should the incident responder do first? During detection and analysis, which decision is most defensible?

A. Ignore it if MFA is enabled
B. Delete all emails from the mailbox
C. Only reset the user's Windows password
D. Revoke the app grant, review mailbox access, and identify other users who consented
Answer: D

OAuth consent abuse can persist without password access; revoking grants and scoping exposure contains the incident. In detection and analysis, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because the incident responder must first revoke the malicious OAuth app grant to immediately stop the attacker's access via the delegated mailbox permissions. Following revocation, reviewing mailbox access logs (e.g., Mailbox Audit Log, EWS/Graph API calls) is essential to assess the scope of compromise, and identifying other users who consented to the same app is critical to contain lateral movement. This aligns with the NIST SP 800-61 incident response lifecycle's containment and eradication phase.

Exam trap

CompTIA often tests the misconception that password resets or MFA can mitigate OAuth consent attacks, when in reality the OAuth grant is independent of the user's authentication credentials and must be explicitly revoked.

How to eliminate wrong answers

Option A is wrong because MFA does not protect against OAuth consent phishing; once the user grants permissions, the app can access the mailbox without any further authentication, bypassing MFA entirely. Option B is wrong because deleting all emails destroys forensic evidence and does not remove the attacker's persistent access via the OAuth grant, which must be revoked first. Option C is wrong because resetting the Windows password does not invalidate the OAuth refresh token or the delegated permissions; the app retains mailbox access until the grant is explicitly revoked.

53
MCQ · medium

After a high-priority SOC escalation, a user reports approving an unexpected OAuth consent prompt for an app named 'Invoice Reader'. The app now has mailbox read permissions. What should the incident responder do first? During detection and analysis, which decision is most defensible? Which response best matches incident-response practice?

A. Ignore it if MFA is enabled
B. Delete all emails from the mailbox
C. Only reset the user's Windows password
D. Revoke the app grant, review mailbox access, and identify other users who consented
Answer: D

OAuth consent abuse can persist without password access; revoking grants and scoping exposure contains the incident. In detection and analysis, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because the immediate priority is to revoke the malicious OAuth consent grant, which removes the app's access to the mailbox via the Microsoft Graph API. Reviewing mailbox access (e.g., via Exchange Online audit logs) is necessary to assess data exfiltration, and identifying other users who consented helps contain a potential phishing campaign targeting the same app. This follows the NIST SP 800-61 incident response process for containment, eradication, and recovery.

Exam trap

CompTIA often tests the misconception that resetting a password or enabling MFA is sufficient to revoke OAuth app access, when in fact OAuth tokens are independent of user credentials and require explicit grant revocation.

How to eliminate wrong answers

Option A is wrong because MFA does not protect against OAuth consent phishing; once the user grants delegated permissions, the app can access the mailbox using its own tokens without requiring MFA. Option B is wrong because deleting all emails destroys forensic evidence and does not remove the app's persistent access; the OAuth grant must be revoked first. Option C is wrong because resetting the Windows password does not invalidate the OAuth refresh token or the app's granted permissions; the app can continue to access the mailbox via the Microsoft identity platform.

54
Multi-Select · hard

A host is suspected of running fileless malware. Which artefacts should be collected quickly? (Choose two.)

Select 2 answers
A. Memory image or live response data
B. Active network connections and running processes
C. A list of cafeteria purchases
D. A printed office map
Answers: A, B

Fileless activity may exist mainly in memory.

Why this answer

Fileless malware operates in memory without writing to disk, so capturing a memory image or live response data preserves the malicious code, injected DLLs, and process hollowing artifacts that would vanish on reboot. Active network connections and running processes reveal the malware's C2 communications and its in-memory execution context, which are critical for identifying the infection vector and scope.

Exam trap

Cisco often tests the misconception that fileless malware leaves no artifacts at all, leading candidates to overlook memory and live response data, or to choose irrelevant options like cafeteria purchases that seem like a distractor but have no forensic value.

55
MCQ · easy

While supporting a hybrid workforce, a user reports approving an unexpected OAuth consent prompt for an app named 'Invoice Reader'. The app now has mailbox read permissions. What should the incident responder do first? During detection and analysis, which decision is most defensible? Which evidence should guide the decision?

A. Ignore it if MFA is enabled
B. Delete all emails from the mailbox
C. Only reset the user's Windows password
D. Revoke the app grant, review mailbox access, and identify other users who consented
Answer: D

OAuth consent abuse can persist without password access; revoking grants and scoping exposure contains the incident. In detection and analysis, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because the immediate priority is to revoke the malicious OAuth grant to stop the attacker's access, then review the mailbox for any data exfiltration or abuse, and finally identify other users who may have consented to the same app to contain the incident. This follows the NIST SP 800-61 incident response process for detection and analysis, where the most defensible decision is to remove the attacker's foothold and assess the scope of compromise. Ignoring the issue or taking non-targeted actions like password resets or email deletion fails to address the root cause—the OAuth consent grant—which persists independently of user credentials.

Exam trap

CompTIA often tests the misconception that resetting a user's password or enforcing MFA is sufficient to revoke OAuth tokens, when in reality the refresh token persists independently and must be explicitly revoked via the identity provider's admin interface.

How to eliminate wrong answers

Option A is wrong because MFA does not protect against OAuth consent phishing; the attacker obtains a refresh token via the consent grant, which bypasses MFA entirely. Option B is wrong because deleting all emails destroys forensic evidence and does not revoke the attacker's persistent access via the OAuth token. Option C is wrong because resetting the Windows password does not invalidate the OAuth refresh token stored in Azure AD/Entra ID; the app retains mailbox access until the grant is explicitly revoked.

56
MCQeasy

A company's IDS generated an alert for a SQL injection attempt against a web server. The web application firewall (WAF) is already in place. What is the best action?

A.Update the WAF rules
B.Block the source IP at the firewall
C.Shut down the web server
D.Verify if the attack succeeded by checking server logs
AnswerD

Determines if the WAF blocked the injection or if further action is needed.

Why this answer

Option D is correct because the first step is to verify whether the attack succeeded by checking the server logs. Premature blocking or shutdown may be unnecessary.

57
Multi-Selecthard

Which TWO of the following are indicators of potential data exfiltration via DNS?

Select 2 answers
A.Unusual TLS handshake patterns
B.Traffic to known malicious IPs over HTTP
C.Large number of NXDOMAIN responses
D.High volume of TXT record queries
E.Frequent queries to long subdomains
AnswersD, E

TXT records are commonly used to encode exfiltrated data.

Why this answer

Option D is correct because TXT records are commonly used in DNS tunneling to encode exfiltrated data. Attackers embed data in TXT record queries or responses, and a high volume of such queries is a strong indicator of data exfiltration via DNS.

Exam trap

CompTIA often tests the distinction between DNS tunneling indicators (TXT record volume and long subdomains) and other DNS anomalies like NXDOMAIN responses, which are more associated with DGA or reconnaissance rather than exfiltration.
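As an added illustration of the two indicators in this question (not part of the original question set), the following script scores each client in a constructed DNS query log on its share of TXT queries and its count of queries carrying unusually long labels; the log lines, thresholds and client addresses are all constructed assumptions. NXDOMAIN-style lookups are deliberately not scored, matching the distinction the exam trap draws.

```python
"""Heuristic DNS-exfiltration triage over constructed query-log lines.

Added example, not from the original page. Each client is scored on the two
indicators the question highlights: a high volume of TXT queries and frequent
queries to unusually long subdomains. Thresholds are assumptions.
"""
from collections import defaultdict

# Constructed sample lines: "<client> <qtype> <qname>" (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 AAAA mail.example.com
10.0.0.5 A cdn.example.net
10.0.0.9 TXT aGVsbG8gdGhpcyBpcyBleGZpbHRyYXRlZCBkYXRh.x1.tun.example.org
10.0.0.9 TXT Y2FyZGhvbGRlciBkYXRhIGNodW5rIG51bWJlciAy.x2.tun.example.org
10.0.0.9 TXT bW9yZSBjb25zdHJ1Y3RlZCBzYW1wbGUgcGF5bG9h.x3.tun.example.org
10.0.0.9 A www.example.com
10.0.0.7 A nonexistent-host-1.example.com
10.0.0.7 A nonexistent-host-2.example.com
"""

TXT_RATIO_THRESHOLD = 0.5   # assumption: more than half TXT queries is abnormal for one client
LONG_LABEL_LEN = 30         # assumption: any single label over 30 characters is suspicious
LONG_QUERY_THRESHOLD = 3    # assumption: three or more long-label queries triggers the flag


def parse_log(text):
    """Yield (client, qtype, qname) tuples from the whitespace-separated log."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1].upper(), parts[2].rstrip(".").lower()


def longest_label(qname):
    """Length of the longest dot-separated label; tunnels pack data into labels."""
    return max(len(label) for label in qname.split("."))


def score_clients(text):
    """Return {client: {"txt_ratio": float, "long_queries": int, "suspicious": bool}}."""
    stats = defaultdict(lambda: {"total": 0, "txt": 0, "long": 0})
    for client, qtype, qname in parse_log(text):
        s = stats[client]
        s["total"] += 1
        if qtype == "TXT":
            s["txt"] += 1
        if longest_label(qname) > LONG_LABEL_LEN:
            s["long"] += 1
    result = {}
    for client, s in stats.items():
        ratio = s["txt"] / s["total"]
        result[client] = {
            "txt_ratio": ratio,
            "long_queries": s["long"],
            "suspicious": ratio > TXT_RATIO_THRESHOLD or s["long"] >= LONG_QUERY_THRESHOLD,
        }
    return result


if __name__ == "__main__":
    # 10.0.0.9 is flagged on both indicators; 10.0.0.7 only generates
    # NXDOMAIN-style lookups, which this heuristic does not treat as exfiltration.
    for client, r in sorted(score_clients(SAMPLE_LOG).items()):
        print(client, r)
```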

58
MCQeasy

In a regulated payment environment, an incident was contained successfully, but delayed escalation allowed the attacker more dwell time. What should the post-incident review produce? During eradication, which decision is most defensible? Which action best reduces risk without losing evidence?

A.A generic statement that security is important
B.Deletion of all incident tickets
C.A blame list of individual analysts
D.Specific playbook updates, escalation triggers, owners, and due dates
AnswerD

Lessons learned should translate findings into trackable process improvements. In eradication, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because a post-incident review in a regulated payment environment must produce actionable improvements to prevent recurrence. Delayed escalation indicates a failure in detection or notification procedures, so the review should yield specific playbook updates, escalation triggers, assigned owners, and due dates to ensure timely response in future incidents. This aligns with NIST SP 800-61r2 and PCI DSS requirements for continuous improvement of incident response processes.

Exam trap

Cisco often tests the misconception that post-incident reviews are about assigning blame or deleting evidence, rather than focusing on process improvement and evidence preservation.

How to eliminate wrong answers

Option A is wrong because a generic statement that security is important provides no measurable, actionable steps to fix the identified procedural gap, and would fail audit scrutiny in a regulated environment. Option B is wrong because deletion of all incident tickets violates evidence preservation requirements under regulations like PCI DSS and GDPR, and destroys the forensic trail needed for root cause analysis and legal proceedings. Option C is wrong because a blame list of individual analysts creates a punitive culture that discourages reporting and collaboration, and does not address the systemic process failure that allowed delayed escalation.

59
Multi-Selectmedium

During containment of a compromised cloud access key, which actions are appropriate? (Choose two.)

Select 2 answers
A.Review audit logs for actions performed with the key
B.Only delete the public repository commit
C.Grant the key administrator privileges for investigation
D.Disable or rotate the exposed key
AnswersA, D

Audit review establishes scope and impact.

Why this answer

Reviewing audit logs for actions performed with the compromised key is appropriate during containment because it allows the incident response team to determine the scope of unauthorized access, identify affected resources, and understand the attacker's actions. This step is critical for informed decision-making before revoking or rotating the key, ensuring that legitimate operations are not disrupted and that forensic evidence is preserved.

Exam trap

Cisco often tests the misconception that immediate revocation or deletion of the key is the only containment step, but the correct approach requires first auditing the key's usage to understand the full impact before taking irreversible actions.

60
MCQhard

A laptop may contain evidence for a legal investigation. What should the responder document during acquisition? During post-incident improvement, which decision is most defensible?

A.Only the laptop colour
B.Only the ticket priority
C.Only the user's job title
D.Who collected it, when, where, hash values, transfer details, and storage location
AnswerD

Chain of custody records evidence handling and integrity from collection onward. In post-incident improvement, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because proper chain of custody documentation is critical for evidence admissibility in legal proceedings. The responder must record who collected the evidence, the exact date and time, the physical location, cryptographic hash values (e.g., SHA-256) to verify integrity, transfer details (e.g., chain-of-custody forms), and the secure storage location. This ensures the evidence is not tampered with and can be defended in court.

Exam trap

Cisco often tests the misconception that only superficial details (like colour or job title) are sufficient for documentation, when in fact the full chain of custody—including collector identity, timestamps, hashes, and storage—is mandatory for evidence admissibility.

How to eliminate wrong answers

Option A is wrong because documenting only the laptop colour provides no forensic value—it does not establish chain of custody, integrity, or provenance of the evidence. Option B is wrong because the ticket priority is an administrative metric unrelated to forensic acquisition; it does not help prove the evidence was handled properly or securely. Option C is wrong because the user's job title is irrelevant to the technical acquisition process; it does not record who collected the evidence, when, or how it was preserved.

61
MCQhard

A large e-commerce site is under a DDoS attack targeting its web servers. The incident response team is activated. Which goal should receive the HIGHEST priority during the response?

A.Maintain availability of the service.
B.Implement attribution.
C.Identify the attacker's identity.
D.Quantify the financial loss.
AnswerA

Preserving service availability is the primary goal in a DDoS scenario.

Why this answer

During a DDoS attack targeting web servers, the highest priority is maintaining availability of the service because the primary goal of incident response in this scenario is to preserve business continuity and minimize disruption to legitimate users. The incident response team must first focus on mitigating the attack (e.g., rate-limiting, blackholing traffic, or scaling resources) before any forensic or attribution steps, as service downtime directly impacts revenue and customer trust.

Exam trap

Cisco often tests the principle that during an active incident, the priority is containment and recovery (availability) over forensic activities like attribution or identification, which are handled in later phases of the incident response lifecycle.

How to eliminate wrong answers

Option B is wrong because attribution (identifying the source of the attack) is a secondary goal that typically occurs after the immediate threat is contained; focusing on attribution during the active attack can delay mitigation and prolong downtime. Option C is wrong because identifying the attacker's identity is a forensic objective that is rarely achievable in real-time during a DDoS attack (attackers often use spoofed IPs, botnets, or reflection techniques), and it does not help restore service availability. Option D is wrong because quantifying financial loss is a post-incident activity that should be performed after the attack is mitigated; prioritizing it during the response would divert resources from stopping the attack and restoring service.

62
MCQeasy

In a regulated payment environment, a laptop may contain evidence for a legal investigation. What should the responder document during acquisition? During post-incident improvement, which decision is most defensible? Which action best reduces risk without losing evidence?

A.Only the laptop colour
B.Only the ticket priority
C.Only the user's job title
D.Who collected it, when, where, hash values, transfer details, and storage location
AnswerD

Chain of custody records evidence handling and integrity from collection onward. In post-incident improvement, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because legal and regulatory requirements demand a complete chain of custody for digital evidence. Documenting who collected the laptop, when, where, hash values (e.g., SHA-256), transfer details, and storage location ensures the evidence is admissible and tamper-proof. This aligns with NIST SP 800-86 and ISO 27037 forensic best practices.

Exam trap

The trap here is that candidates may think minimal documentation (like colour or job title) is sufficient, but Cisco tests that only a complete chain-of-custody record satisfies legal admissibility and regulatory compliance.

How to eliminate wrong answers

Option A is wrong because documenting only the laptop colour provides no forensic value and fails to establish chain of custody or evidence integrity. Option B is wrong because recording only the ticket priority is irrelevant to evidence handling and does not capture any forensic metadata. Option C is wrong because noting only the user's job title omits critical details like collection time, location, and hash verification, making the evidence legally indefensible.

63
MCQmedium

During a post-compromise review, a developer accidentally committed a cloud access key to a public repository. Logs show the key was used from an unfamiliar IP. What should be done first? During eradication, which decision is most defensible? Which action should be prioritized before closure?

A.Wait to see whether charges increase
B.Disable or rotate the key and review actions performed with it
C.Block the developer's laptop from Wi-Fi
D.Ask the developer to delete the commit only
AnswerB

The exposed credential must be invalidated and its use scoped through audit logs. In eradication, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option B is correct because the immediate priority is to invalidate the compromised credential (rotate or disable the key) to prevent further unauthorized access, and then review the actions performed with it to assess the scope of the breach. This aligns with the NIST SP 800-61 incident response lifecycle, specifically the containment phase, where stopping the attacker's access is paramount before eradication or closure.

Exam trap

Cisco often tests the distinction between containment and eradication, where candidates mistakenly choose an eradication step (like blocking a laptop) before completing the critical containment action of revoking the compromised credential.

How to eliminate wrong answers

Option A is wrong because waiting to see whether charges increase is a passive, reactive approach that allows the attacker continued access, potentially leading to more damage and higher costs; it violates the principle of immediate containment. Option C is wrong because blocking the developer's laptop from Wi-Fi addresses a non-issue (the developer's local network access) and does nothing to revoke the cloud access key that is already exposed and being used from an unfamiliar IP; it confuses endpoint security with credential compromise.

64
Multi-Selecthard

Which THREE activities are typically performed during the post-incident activity phase of the incident response lifecycle?

Select 3 answers
A.System restoration from backups.
B.Root cause analysis.
C.Implementation of new security awareness training.
D.Evidence retention for potential legal action.
E.Lessons learned meeting.
AnswersB, D, E

Identifying the root cause is a key post-incident activity.

Why this answer

Root cause analysis (B) is performed during the post-incident activity phase to identify the underlying vulnerability or misconfiguration that allowed the incident to occur. This analysis informs remediation steps and helps prevent recurrence, making it a core activity of this phase.

Exam trap

CompTIA often tests the distinction between recovery-phase actions (e.g., system restoration) and post-incident analysis activities, leading candidates to mistakenly include restoration as a post-incident task.

65
MCQmedium

During a post-compromise review, a server suspected of running fileless malware is still powered on. Which evidence should be captured first if it is safe to do so? During detection and analysis, which decision is most defensible? Which action should be prioritized before closure?

A.Volatile memory and active network/process state
B.Marketing screenshots
C.Archived monthly reports
D.The office seating plan
AnswerA

Fileless malware may reside in memory; volatile evidence disappears when the system is powered off. In detection and analysis, responders need action that reduces risk while preserving the investigation record.

Why this answer

In a post-compromise review of a server suspected of running fileless malware, volatile memory (RAM) and active network/process state must be captured first because fileless malware resides only in memory and leaves no persistent artifacts on disk. Capturing this evidence preserves the malware's code, running processes, network connections, and other transient data that would be lost on reboot or shutdown, enabling forensic analysis of the attack.

Exam trap

Cisco often tests the principle of order of volatility (OOV), where candidates mistakenly prioritize disk-based evidence over volatile memory, forgetting that fileless malware exists only in RAM and is destroyed on power loss.

How to eliminate wrong answers

Option B is wrong because marketing screenshots are irrelevant to forensic evidence collection and provide no technical data about fileless malware or system compromise. Option C is wrong because archived monthly reports are historical and non-volatile, containing no real-time process, memory, or network state needed to detect and analyze fileless malware that exists only in memory.

66
MCQhard

In a regulated payment environment, a user reports approving an unexpected OAuth consent prompt for an app named 'Invoice Reader'. The app now has mailbox read permissions. What should the incident responder do first? During detection and analysis, which decision is most defensible? Which action best reduces risk without losing evidence?

A.Ignore it if MFA is enabled
B.Delete all emails from the mailbox
C.Only reset the user's Windows password
D.Revoke the app grant, review mailbox access, and identify other users who consented
AnswerD

OAuth consent abuse can persist without password access; revoking grants and scoping exposure contains the incident. In detection and analysis, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because the immediate priority is to revoke the malicious OAuth app grant to stop ongoing unauthorized access, then review the mailbox for any data exfiltration or tampering, and finally identify other users who may have consented to the same app to contain a broader compromise. This aligns with the NIST SP 800-61 incident response process for detection and analysis, where the most defensible decision is to remove the attacker's foothold while preserving evidence for forensic analysis. Revoking the grant directly addresses the OAuth consent attack vector, which bypasses traditional password-based controls and MFA.

Exam trap

Cisco often tests the misconception that MFA or password resets are sufficient to stop OAuth-based attacks, when in reality OAuth grants operate outside the authentication boundary and require explicit revocation of the app's permissions.

How to eliminate wrong answers

Option A is wrong because ignoring the incident despite MFA being enabled is a critical mistake — OAuth consent grants allow the app to access the mailbox without requiring the user's password or MFA, so MFA provides no protection against this type of attack. Option B is wrong because deleting all emails from the mailbox destroys potential evidence of data exfiltration, mailbox rules created by the attacker, or other indicators of compromise, violating the principle of preserving evidence during incident response. Option C is wrong because resetting the user's Windows password does not invalidate the OAuth access token or refresh token already issued to the malicious app; the app retains mailbox access via its own credentials, making the password reset ineffective.

67
MCQhard

During forensic analysis of a compromised server, the analyst finds that the attacker deleted the system logs. Which data source is most likely to still contain relevant evidence?

A.Memory dump from before the attack
B.Endpoint detection and response (EDR) telemetry
C.Network flow logs
D.Backup tapes
AnswerB

EDR typically records process creations and network connections off-host.

Why this answer

EDR telemetry is the most reliable source because it captures process creation, network connections, file modifications, and registry changes in real-time, storing them off-host. Even if an attacker deletes local system logs, the EDR agent's telemetry stream remains intact on the central management server, providing a forensic timeline of the attacker's actions.

Exam trap

CompTIA often tests the misconception that backup tapes are the ultimate forensic source, but the trap here is that attackers often delete logs during the incident, and only real-time, off-host telemetry (like EDR) preserves the sequence of events that occurred on the compromised host.

How to eliminate wrong answers

Option A is wrong because a memory dump from before the attack would not contain evidence of the attack itself; it captures a snapshot of the system state at that earlier time, not the attacker's activities. Option C is wrong because network flow logs (e.g., NetFlow, IPFIX) only record metadata like source/destination IPs, ports, and byte counts, not the actual system-level events (e.g., log deletion, process execution) that occurred on the compromised server. Option D is wrong because backup tapes contain point-in-time copies of files and system state, but they are typically taken on a schedule (e.g., nightly) and may not include the logs that were deleted during the attack window; moreover, restoring from backup is time-consuming and may overwrite current evidence.

68
MCQeasy

A security analyst notices a single external IP address attempting to log in to multiple user accounts on the company's VPN server over the past hour. All attempts have failed. What should the analyst do FIRST?

A.Block the IP address at the firewall.
B.Notify law enforcement.
C.Verify the logs and escalate to the incident response team.
D.Disable the VPN server.
AnswerC

Verifying logs confirms the incident, and escalation ensures proper handling.

Why this answer

Option C is correct because the first step in incident response is to verify the logs to confirm the activity is not a false positive (e.g., a misconfigured client or legitimate brute-force testing) and then escalate to the incident response team for coordinated action. This aligns with the NIST SP 800-61 incident response lifecycle, where identification and validation precede containment. Blocking or disabling without verification could disrupt legitimate access or destroy forensic evidence.

Exam trap

CompTIA often tests the candidate's ability to resist the urge to immediately contain or notify external parties; the trap here is choosing a reactive containment step (blocking or disabling) before performing the critical validation and escalation step required by the incident response framework.

How to eliminate wrong answers

Option A is wrong because blocking the IP at the firewall without first verifying the logs may be premature; the IP could be a shared NAT address or a false positive, and blocking it could prevent further analysis or alert the attacker. Option B is wrong because law enforcement is typically notified only after the incident is confirmed, scoped, and deemed criminal in nature; notifying them as a first step wastes resources and may violate chain-of-custody procedures. Option D is wrong because disabling the entire VPN server is an extreme containment measure that would deny service to all legitimate users and should only be considered after verification and as part of a coordinated incident response plan.

69
MCQhard

During a post-compromise review, a user reports approving an unexpected OAuth consent prompt for an app named 'Invoice Reader'. The app now has mailbox read permissions. What should the incident responder do first? During detection and analysis, which decision is most defensible? Which action should be prioritized before closure?

A.Ignore it if MFA is enabled
B.Delete all emails from the mailbox
C.Only reset the user's Windows password
D.Revoke the app grant, review mailbox access, and identify other users who consented
AnswerD

OAuth consent abuse can persist without password access; revoking grants and scoping exposure contains the incident. In detection and analysis, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because the immediate priority is to revoke the malicious OAuth consent grant to stop the attacker's access, then review the mailbox for any data exfiltration or rules created, and finally identify other users who may have consented to the same app to contain the incident. This follows the NIST SP 800-61 incident response process for detection and analysis, ensuring the threat is neutralized and scope is understood before moving to eradication and recovery.

Exam trap

CompTIA often tests the misconception that MFA or password resets are sufficient to revoke OAuth app access, but the trap is that OAuth tokens are independent of the user's authentication factor and require explicit grant revocation.

How to eliminate wrong answers

Option A is wrong because MFA does not protect against OAuth consent phishing; once the user grants permissions, the app has a token that bypasses MFA entirely. Option B is wrong because deleting all emails destroys forensic evidence and does not address the root cause—the attacker still retains access via the OAuth grant. Option C is wrong because resetting the Windows password does not invalidate the OAuth refresh token; the app can continue to access the mailbox using its own stored tokens.

70
MCQhard

Refer to the exhibit. A security analyst is reviewing an S3 bucket policy in AWS. What is the primary security misconfiguration?

A.The bucket policy grants anonymous read access to all objects.
B.The bucket policy allows all actions.
C.The bucket policy does not require encryption.
D.The bucket policy uses an outdated version.
AnswerA

Principal: '*' means anyone, including anonymous users, can read objects.

Why this answer

The bucket policy includes a principal of '*' without any condition restricting access to authenticated users, which grants anonymous (unauthenticated) read access to all objects in the S3 bucket. This violates the principle of least privilege and exposes data to anyone on the internet, making it the primary security misconfiguration.

Exam trap

CompTIA often tests the distinction between a policy that allows 'all actions' versus one that allows 'read access' but with a public principal, tricking candidates into focusing on the action scope rather than the identity granting anonymous access.

How to eliminate wrong answers

Option B is wrong because while the policy allows 's3:GetObject' (not all actions), the core issue is the anonymous principal, not the action scope. Option C is wrong because the policy does not explicitly require encryption, but that is a secondary concern; the primary misconfiguration is the public access grant. Option D is wrong because the policy version (2012-10-17) is current and not outdated; the version field is a syntax requirement, not a security control.
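The exhibit itself is not reproduced on this page, so the following added example (not from the original question set) uses two constructed bucket policies to show the check the explanation describes: a statement whose Principal is "*" with no Condition is the anonymous grant, while a named principal is not. The bucket name, account id and role name are placeholders.

```python
"""Flag S3 bucket-policy statements that grant access to an anonymous principal.

Added example, not from the original page. Both policies are constructed
samples; the bucket name, account id and role name are placeholders.
"""
import json

# Constructed: the misconfiguration from the question, a public read grant.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-reports-bucket/*",
    }],
})

# Constructed: the same read grant limited to one named role (placeholder ARN).
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReportReaderOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/ReportReader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-reports-bucket/*",
    }],
})


def as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return [value] if isinstance(value, (str, dict)) else list(value)


def is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"}, the forms that mean 'anyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in as_list(principal.get("AWS", []))
    return False


def find_anonymous_grants(policy_json):
    """Return one finding per Allow statement whose principal is a wildcard.

    A statement that also carries a Condition block is reported as 'review'
    rather than 'public': a condition can narrow a wildcard principal, so a
    human must check whether it actually does.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_wildcard_principal(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", ""),
            "actions": as_list(stmt.get("Action", [])),
            "severity": "review" if stmt.get("Condition") else "public",
        })
    return findings


if __name__ == "__main__":
    print("public policy :", find_anonymous_grants(PUBLIC_READ_POLICY))
    print("restricted    :", find_anonymous_grants(RESTRICTED_POLICY))
```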

71
Multi-Selecthard

A legal hold is issued during an investigation. Which actions support it? (Choose two.)

Select 2 answers
A.Preserve relevant logs, mailboxes, images, and tickets
B.Let each team decide informally what to delete
C.Purge audit logs to save storage
D.Suspend routine deletion for in-scope evidence
AnswersA, D

Potential evidence must be retained.

Why this answer

A legal hold (litigation hold) requires preservation of all potentially relevant electronically stored information (ESI). Preserving logs, mailboxes, images, and tickets ensures that data is not altered or deleted, maintaining its integrity for forensic analysis and legal proceedings. This action directly supports the hold by preventing spoliation and ensuring compliance with discovery obligations.

Exam trap

Cisco often tests the misconception that cost-saving measures (like purging logs) are acceptable during a legal hold, when in fact any deletion—even for legitimate storage management—violates the preservation requirement and can be considered spoliation.

72
MCQmedium

Refer to the exhibit. An analyst sees this output from a workstation. Which of the following is the most likely explanation?

A.The workstation is receiving NTP time synchronization
B.The workstation is performing a port scan
C.The workstation is a web server
D.The workstation is infected with malware connecting to a C2 server
AnswerD

Multiple connections to the same IP on port 4444 are suspicious.

Why this answer

The output shows repeated outbound TCP connections to a single external IP address on port 443 (HTTPS) with varying source ports, which is characteristic of beaconing behavior. Malware often establishes periodic connections to a command-and-control (C2) server to receive instructions or exfiltrate data, and the pattern of multiple connections from different ephemeral ports to the same destination is a common indicator of such activity.

Exam trap

The trap here is that candidates see HTTPS (port 443) and assume legitimate web server or normal browsing, missing the key indicator of repeated outbound connections to a single external IP, which is a hallmark of C2 beaconing rather than typical client-server communication.

How to eliminate wrong answers

Option A is wrong because NTP time synchronization uses UDP port 123, not TCP port 443, and the output shows TCP connections, not NTP packets. Option B is wrong because a port scan typically involves connections to multiple destination ports on a target, not repeated connections to a single destination port from varying source ports. Option C is wrong because a web server listens on TCP port 80 or 443 for inbound connections, whereas this output shows outbound connections from the workstation to an external IP, indicating client-side behavior.
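Since the exhibit is not reproduced on this page, the following added example (not from the original question set) applies the explanation's reasoning to a constructed netstat-style connection table: it groups outbound TCP sessions by remote peer and flags a peer reached from many distinct ephemeral source ports, while ignoring listening sockets, which would indicate server behaviour. The addresses are documentation ranges and the threshold is an assumption.

```python
"""Triage of netstat-style output for repeated outbound connections to one peer.

Added example, not from the original page. The connection table is a
constructed sample using documentation addresses; the threshold is an assumption.
"""
from collections import defaultdict

SAMPLE_NETSTAT = """\
Proto  Local Address          Foreign Address        State
TCP    192.168.1.20:49812     203.0.113.7:443        ESTABLISHED
TCP    192.168.1.20:49815     203.0.113.7:443        TIME_WAIT
TCP    192.168.1.20:49821     203.0.113.7:443        ESTABLISHED
TCP    192.168.1.20:49833     203.0.113.7:443        TIME_WAIT
TCP    192.168.1.20:49840     203.0.113.7:443        ESTABLISHED
TCP    192.168.1.20:50102     198.51.100.30:443      ESTABLISHED
TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
UDP    192.168.1.20:123       *:*
"""

MIN_DISTINCT_SOURCE_PORTS = 4  # assumption: 4+ ephemeral ports to one peer in a single snapshot


def parse_netstat(text):
    """Yield (proto, local_ip, local_port, remote_ip, remote_port, state) tuples."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # skips the header line and anything unexpected
        proto, local, remote = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) > 3 else ""
        lip, lport = local.rsplit(":", 1)
        rip, rport = remote.rsplit(":", 1)
        yield proto, lip, lport, rip, rport, state


def outbound_peers(text):
    """Map (remote_ip, remote_port) -> set of local source ports for outbound TCP sessions."""
    peers = defaultdict(set)
    for proto, lip, lport, rip, rport, state in parse_netstat(text):
        if proto != "TCP" or state == "LISTENING" or rip in ("0.0.0.0", "*"):
            continue  # listeners are inbound server behaviour, not client beaconing
        peers[(rip, rport)].add(lport)
    return peers


def beacon_candidates(text, min_ports=MIN_DISTINCT_SOURCE_PORTS):
    """Return [(remote_ip, remote_port, distinct_source_ports)] for peers over the threshold."""
    return sorted(
        (rip, rport, len(ports))
        for (rip, rport), ports in outbound_peers(text).items()
        if len(ports) >= min_ports
    )


if __name__ == "__main__":
    # One snapshot cannot show periodicity; repeating it over time would.
    for rip, rport, n in beacon_candidates(SAMPLE_NETSTAT):
        print(f"{rip}:{rport} reached from {n} distinct source ports")
```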

73
MCQmedium

During a ransomware attack, several workstations have been encrypted. The incident response team has identified the ransomware variant and determined it does not have a known decryption tool. Which containment strategy is MOST appropriate?

A.Disconnect the affected workstations from the network, but leave them powered on.
B.Power off all affected workstations immediately.
C.Run a full antivirus scan on the affected workstations.
D.Restore all affected workstations from backups immediately.
AnswerA

Disconnecting from network stops lateral movement while preserving evidence.

Why this answer

Disconnecting the affected workstations from the network (but leaving them powered on) preserves volatile evidence in memory (e.g., encryption keys, process artifacts) and prevents the ransomware from spreading to other hosts via SMB, RDP, or other lateral movement protocols. Powering off would destroy this critical forensic data, while leaving them connected risks further encryption of network shares.

Exam trap

CompTIA often tests the misconception that immediate power-off is best for safety, but the trap here is that preserving volatile memory for forensic analysis is prioritized over a simple shutdown, especially when no decryption tool exists and evidence may lead to key recovery.

How to eliminate wrong answers

Option B is wrong because immediately powering off workstations destroys volatile memory (RAM) that may contain the ransomware's encryption keys, process handles, or network connections, hindering forensic analysis and potential decryption. Option C is wrong because running a full antivirus scan on already-encrypted files is ineffective—the ransomware binary may be removed, but encrypted files remain unrecoverable without a decryption tool, and scanning consumes time that could allow further spread. Option D is wrong because restoring from backups before containing the threat risks re-infection if the ransomware is still active on the network or if backups are also encrypted; containment must precede recovery.

74
MCQmedium

After a high-priority SOC escalation and containment of a compromised host, analysis shows persistence through a scheduled task and a stolen service account. What is required before recovery? During containment, which decision is most defensible? Which response best matches incident-response practice?

A.Reconnect the host because users need it
B.Disable logging to improve performance
C.Close the incident after isolation
D.Remove persistence, rotate affected credentials, and verify no related hosts remain compromised
AnswerD

Recovery should follow eradication of persistence and credential exposure. In containment, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because after containment, the incident response process requires removing the persistence mechanism (the scheduled task), rotating the stolen service account credentials to prevent re-authentication, and verifying that no other hosts are compromised (lateral movement check). This aligns with the NIST SP 800-61 recovery phase, which mandates eradication before recovery to ensure the threat is fully removed.

Exam trap

CompTIA often tests the misconception that isolation alone is sufficient to close an incident, but the trap here is that persistence and credential theft require active eradication and verification steps before recovery can begin.

How to eliminate wrong answers

Option A is wrong because reconnecting a compromised host without eradication risks re-infection or lateral movement, violating containment principles. Option B is wrong because disabling logging during an incident destroys forensic evidence and leaves a gap in the investigation record; logging is critical for tracking attacker activity and for post-incident analysis. Option C is wrong because closing the incident after isolation without eradication and verification leaves persistence mechanisms and stolen credentials active, allowing the attacker to regain access.

75
MCQmedium

In a regulated payment environment, a malware alert affects a single kiosk with no sensitive access. A second alert shows the same malware on a domain admin workstation. What should drive the severity assigned to each alert?

A.Whether the alert arrived first
B.Business impact, privilege level, asset criticality, and spread potential
C.Alphabetical order of hostnames
D.The analyst's preferred dashboard theme
AnswerB

Severity should reflect impact and risk, not only the malware family name or the order in which the alerts arrived.

Why this answer

Option B is correct because severity in incident response must be driven by business impact, privilege level, asset criticality, and spread potential. The domain admin workstation has elevated privileges and access to sensitive systems, and any credential stolen from it can reach every domain-joined host, so it is a higher priority than a non-sensitive kiosk regardless of alert order. This aligns with NIST SP 800-61 and common IR frameworks that prioritize containment based on risk, not chronology.
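
A risk-based severity ranking of the two alerts, as an added example that is not part of the original page: the weights, the 1-to-4 scales, the label thresholds and the alert details are assumptions chosen for illustration, not values from any framework.

```python
"""Risk-based alert severity: rank by impact, privilege, criticality and spread.

Added example, not code from the page. Weights, scales, thresholds and the
two alerts are constructed for illustration.
"""
from dataclasses import dataclass

# Assumed weights: impact and privilege count most in this illustrative model.
WEIGHTS = {"business_impact": 3, "privilege": 3, "criticality": 2, "spread_potential": 2}
DOMAIN_ADMIN = 4  # top of the assumed 1-4 privilege scale


@dataclass(frozen=True)
class Alert:
    alert_id: str
    arrived: str          # ISO timestamp; recorded but deliberately not used for ranking
    host: str
    malware: str
    business_impact: int  # 1 (none) .. 4 (payment processing or regulated data)
    privilege: int        # 1 (standard user) .. 4 (domain admin)
    criticality: int      # 1 (disposable) .. 4 (tier-0 asset)
    spread_potential: int # 1 (isolated) .. 4 (can reach the whole domain)


def effective_spread(alert: Alert) -> int:
    """Credentials on a domain admin host can reach every domain-joined
    machine, so spread potential is floored at the maximum for that case."""
    if alert.privilege >= DOMAIN_ADMIN:
        return 4
    return alert.spread_potential


def severity_score(alert: Alert) -> int:
    """Weighted sum over the four risk factors (range 10..40 on these scales)."""
    return (WEIGHTS["business_impact"] * alert.business_impact
            + WEIGHTS["privilege"] * alert.privilege
            + WEIGHTS["criticality"] * alert.criticality
            + WEIGHTS["spread_potential"] * effective_spread(alert))


def severity_label(score: int) -> str:
    """Assumed thresholds mapping the score onto the usual four-level scale."""
    if score >= 30:
        return "critical"
    if score >= 20:
        return "high"
    if score >= 12:
        return "medium"
    return "low"


def rank_alerts(alerts):
    """Alert IDs ordered by descending score; arrival order only breaks ties."""
    ordered = sorted(alerts, key=lambda a: (-severity_score(a), a.arrived))
    return [a.alert_id for a in ordered]


# Constructed alerts matching the question: same malware family, different risk.
KIOSK = Alert("A-1", "2024-05-01T09:00:00Z", "KIOSK-07", "GenericLoader",
              business_impact=1, privilege=1, criticality=2, spread_potential=1)
DA_WORKSTATION = Alert("A-2", "2024-05-01T09:05:00Z", "ADM-WS-03", "GenericLoader",
                       business_impact=4, privilege=4, criticality=4, spread_potential=2)


if __name__ == "__main__":
    for a in (KIOSK, DA_WORKSTATION):
        s = severity_score(a)
        print(a.alert_id, a.host, s, severity_label(s))
    print(rank_alerts([KIOSK, DA_WORKSTATION]))
```

The kiosk alert arrived first and carries the same malware name, yet ranks second: the domain admin workstation scores at the top of the scale, and its low nominal spread value is overridden because stolen domain admin credentials make the whole domain reachable.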

Exam trap

Cisco often tests the misconception that alert chronology or simple asset labels determine severity, when in fact the correct approach is a risk-based assessment incorporating business impact, privilege, criticality, and spread potential.

How to eliminate wrong answers

Option A is wrong because alert arrival time is irrelevant to severity; a later alert on a critical asset should supersede an earlier alert on a low-value asset. Option C is wrong because alphabetical order of hostnames has no bearing on risk or incident response priority. Option D is wrong because an analyst's preferred dashboard theme is a cosmetic preference and does not influence severity decisions.
