CCNA Incident Management Questions

75 of 176 questions · Page 1/3 · Incident Management

1 · MCQ · easy

During an incident, the incident response team is communicating with affected stakeholders. According to best practices, which of the following should be communicated FIRST?

A. A summary of actions taken so far
B. Detailed technical analysis
C. A timeline of all events
D. The root cause of the incident

Answer: A

A high-level summary keeps stakeholders informed while the team works on deeper analysis.

Why this answer

Initial communication should provide a high-level summary of the situation and the immediate actions taken, informing stakeholders without overwhelming them with technical details. Option A is correct.

2 · MCQ · hard

An organization is under a DDoS attack that is saturating their internet link. The incident response team needs to mitigate the attack. Which action should be taken first?

A. Activate cloud-based DDoS mitigation services.
B. Shut down all public-facing services.
C. Implement rate limiting on the perimeter firewall.
D. Contact the ISP to null-route the attack IPs.

Answer: A

Correct: Scalable and effective.

Why this answer

Option A is correct because cloud-based DDoS mitigation services are designed to absorb large-scale attacks. Rate limiting may be insufficient; null-routing can block legitimate traffic; shutting down services is a last resort.

3 · MCQ · easy

Refer to the exhibit. The exhibit shows network traffic from a server to a database. What does this pattern MOST likely indicate?

A. Query optimization issue
B. SQL injection attempt
C. Normal application load
D. Database server crash

Answer: B

SQL injection tools often create many connections to execute queries, matching the pattern.

Why this answer

A rapid increase in connections to a database in a short time is typical of an automated SQL injection tool testing and exploiting vulnerabilities. Normal application load would be steadier, and a crash would show no connections. Option B is correct.

4 · Multi-Select · medium

Which TWO of the following are key indicators of a potential insider threat incident? (Select exactly 2)

A. Multiple failed login attempts from an external IP address
B. An increase in network traffic to a known malicious domain
C. A user accessing large volumes of data not related to their job function
D. An employee logging in during non-business hours and downloading files
E. A user updating their password as required by policy

Answers: C, D

This suggests data theft or espionage.

Why this answer

Option C is correct because a user accessing large volumes of data unrelated to their job function is a classic behavioral anomaly indicating potential data exfiltration. This pattern often precedes an insider threat incident, as the user may be collecting sensitive information for unauthorized purposes, such as selling it or using it for personal gain. Security information and event management (SIEM) systems typically flag such access based on deviations from baseline user behavior, triggering further investigation.

Exam trap

The trap here is that candidates often confuse external attack indicators (like failed logins or malicious domain traffic) with insider threat indicators, failing to recognize that insider threats are characterized by anomalous internal behavior, not external network events.

5 · MCQ · hard

You are the incident response manager for a financial services company. The company has a hybrid infrastructure with on-premises servers and cloud services. At 2:00 AM, the SIEM generates a critical alert: a database server in the DMZ is communicating with a known malicious IP address on port 443. The server contains customer PII. The on-call security analyst reports that the server is running and the connection is active. The incident response plan states that any confirmed compromise of PII must be reported to the regulator within 72 hours. You have the following options: A) Immediately isolate the server by disconnecting it from the network, then begin forensic analysis. B) Leave the server connected to gather more intelligence about the attacker's actions, but block only the malicious IP at the firewall. C) Shut down the server to preserve evidence and prevent data exfiltration. D) Copy the server's disk over the network for forensic analysis before taking any action. Which option is the BEST course of action?

A. Isolate the server immediately
B. Shut down the server
C. Copy the disk over the network
D. Block the malicious IP and monitor the server

Answer: D

This stops the exfiltration while allowing observation of other activities.

Why this answer

Option D is the best course of action because it balances the need to stop the immediate data exfiltration threat with the preservation of forensic evidence and the regulatory requirement to report a PII breach within 72 hours. By blocking only the malicious IP at the firewall, you sever the active command-and-control (C2) channel on port 443 while keeping the server running, which allows you to collect volatile data (e.g., memory, active processes, network connections) and perform live forensics without destroying evidence. This approach also avoids the risk of losing critical evidence that would occur with a hard shutdown or isolation, and it provides time to confirm the scope of the compromise before the 72-hour clock starts for regulatory reporting.

Exam trap

ISACA often tests the misconception that shutting down or isolating a server immediately is always the safest action, but in reality, this destroys volatile evidence and can violate forensic chain-of-custody requirements, making Option D the correct balance between containment and evidence preservation.

How to eliminate wrong answers

Option A is wrong because immediately isolating the server by disconnecting it from the network will sever the active C2 channel but also destroy volatile evidence (e.g., memory contents, active network connections) and may trigger anti-forensic mechanisms in the malware, such as self-deletion or encryption of logs. Option B is wrong because shutting down the server (power-off) will cause loss of volatile memory (RAM), which often contains encryption keys, active malware processes, and network session data critical for understanding the attacker's actions; it also risks damaging the integrity of the disk if the malware has write-caching or pending writes. Option C is wrong because copying the disk over the network while the server is actively compromised could alert the attacker to your actions, may fail if the malware interferes with network file transfers, and does not address the immediate data exfiltration risk—the malicious IP is still active and the connection is ongoing.

6 · MCQ · easy

A small marketing firm with 50 employees experiences a ransomware attack. The IT administrator quickly isolates the infected workstations by disconnecting them from the network. The company has a backup strategy that performs nightly backups to an on-premises NAS device. The administrator restores the affected systems from the most recent backup, but some files remain encrypted. The users report that the backups from the last two days show corruption as well. The firm does not have a formal incident response plan. The owner is anxious to get back to work and asks the administrator what to do next. What should the administrator do?

A. Restore from an older backup taken before the infection
B. Contact law enforcement immediately
C. Pay the ransom to get the decryption key
D. Run a full antivirus scan on the restored systems

Answer: A

Older backups are likely unencrypted and can be restored after verifying integrity.

Why this answer

Restoring from an older backup (before the ransomware infection occurred) is the most likely way to get clean data. Paying the ransom is not recommended as it encourages attackers and there is no guarantee. Contacting law enforcement is a good step but not the immediate technical solution.

Running an antivirus scan is insufficient for decryption.

7 · MCQ · medium

During an incident investigation, the forensic analyst discovers that a malware sample communicates with an external IP address. The organization's incident response plan requires a decision on whether to block the IP at the firewall. What should the incident response team do FIRST?

A. Monitor the connection further without taking action.
B. Block the IP address immediately to prevent data exfiltration.
C. Notify law enforcement about the IP address.
D. Check threat intelligence feeds to confirm maliciousness.

Answer: D

Verification through threat intelligence ensures the action is justified.

Why this answer

Option D is correct because the incident response team must first validate the maliciousness of the IP address using threat intelligence feeds before taking any irreversible action. Blocking an IP without confirmation could disrupt legitimate business operations or tip off an attacker, and the CISM framework emphasizes evidence-based decision-making during incident response.

Exam trap

The trap here is that candidates often choose 'Block the IP immediately' (Option B) because they equate speed with effective containment, but CISM stresses that containment actions must be risk-informed and validated to avoid collateral damage and legal liability.

How to eliminate wrong answers

Option A is wrong because passively monitoring a confirmed malware communication without action risks ongoing data exfiltration and violates the principle of timely containment. Option B is wrong because immediately blocking the IP without verification could cause a denial of service to legitimate services hosted on that IP (e.g., a shared CDN or cloud provider) and may destroy forensic evidence of the C2 channel. Option C is wrong because notifying law enforcement is premature before internal validation and containment; law enforcement notification typically occurs after the organization has confirmed maliciousness and secured its own evidence chain.

8 · MCQ · easy

During an incident, the CIRT leader decides to contain a compromised server by disconnecting it from the network. However, this action may result in loss of volatile forensics data. What should the CIRT leader do?

A. Proceed with disconnection immediately to prevent further damage
B. Keep the server connected but block all inbound/outbound traffic
C. Perform a full disk imaging before disconnection
D. Collect volatile data (memory, processes) before disconnecting

Answer: D

This preserves forensic evidence while allowing containment.

Why this answer

Option D is correct because volatile data (e.g., memory contents, running processes, network connections) is lost when power is removed or the network interface is disabled. The CIRT leader must follow the order of volatility (RFC 3227) and capture this data first to preserve forensic evidence before containment actions that alter the system state.

Exam trap

The trap here is that candidates may prioritize containment speed (Option A) over forensic preservation, forgetting that volatile data is irrecoverable once the system is powered off or disconnected.

How to eliminate wrong answers

Option A is wrong because immediate disconnection destroys volatile evidence (e.g., memory, active network sessions) that may be critical for attribution and root cause analysis. Option B is wrong because blocking all traffic does not prevent the server from being remotely wiped or overwritten by an attacker, and it still risks loss of volatile data if the system crashes or is shut down. Option C is wrong because full disk imaging captures only non-volatile data; volatile data (e.g., RAM, process list) must be collected separately before any power-off or disconnection.

9 · MCQ · hard

Refer to the exhibit. Based on the exhibit, what is the security implication of this S3 bucket policy?

A. Denies all access except from 10.0.0.0/8
B. Allows only users from 10.0.0.0/8 to read and write
C. Allows any authenticated user to read and write objects
D. Allows any user from internal network to read objects, but any user can write objects from anywhere

Answer: D

The first statement restricts reads to the internal IP range, but the second statement has no IP restriction, allowing writes globally.

Why this answer

The policy allows GetObject only from the internal IP range (10.0.0.0/8), but PutObject is allowed from any IP without restriction. This means anyone on the internet can write objects to the bucket. Option D is correct.

10 · Multi-Select · hard

An organization suspects a data breach. Which two actions should the incident response team take before notifying affected customers? (Choose two.)

A. Determine the root cause of the breach.
B. Confirm that the breach actually occurred.
C. Implement full remediation.
D. Consult with legal counsel regarding notification obligations.
E. Assess the impact on affected individuals.

Answers: B, E

Correct: Essential before any notification.

Why this answer

Options B and E are correct because confirming the breach occurred and assessing the impact on affected individuals are prerequisites for notification. Root cause and remediation can follow, and legal consultation is important but often done in parallel.

11 · MCQ · medium

During a ransomware incident, the incident response team identifies that the encryption process is still ongoing. The CISO decides to isolate affected systems to prevent further spread. Which of the following is the MOST appropriate next step?

A. Disconnect all network cables to stop the encryption.
B. Contact law enforcement before any internal actions.
C. Restore systems from the most recent backup immediately.
D. Preserve forensic evidence before taking any recovery actions.

Answer: D

Preserving evidence ensures that the incident can be investigated properly.

Why this answer

Option D is correct because preserving forensic evidence is critical before any recovery actions, especially during an ongoing ransomware incident. The encryption process may still be active, and taking immediate recovery steps (like disconnecting cables or restoring backups) could destroy volatile data (e.g., encryption keys in memory, process artifacts, network connections) that are essential for understanding the attack vector, identifying the ransomware variant, and supporting legal or law enforcement actions. The CISO's decision to isolate systems helps contain the spread, but the next priority must be evidence preservation to ensure a thorough investigation and potential prosecution.

Exam trap

The trap here is that candidates often confuse immediate containment (disconnecting cables) with the forensic imperative to preserve volatile evidence, leading them to choose Option A, but CISM emphasizes that evidence preservation takes precedence over hasty recovery actions during an active incident.

How to eliminate wrong answers

Option A is wrong because disconnecting all network cables (a hard power-off or network isolation) can destroy volatile forensic evidence in memory (e.g., encryption keys, running processes, network connections) and may leave systems in an inconsistent state, potentially complicating decryption or recovery. Option B is wrong because contacting law enforcement before any internal actions is not the most appropriate immediate step; while law enforcement should be notified eventually, the priority during an active incident is to contain and preserve evidence, not to delay internal response for external notification. Option C is wrong because restoring systems from the most recent backup immediately, while the encryption is still ongoing, could reintroduce the ransomware if the backup is compromised or if the encryption process is not fully halted, and it also risks overwriting valuable forensic data that could identify the attack's origin.

12 · MCQ · medium

A large e-commerce company detects a sophisticated attack that has compromised a web application server. The server contains customer payment card information. The incident response team is activated. During triage, the team discovers that the attacker has gained administrative access and installed a backdoor. The company's public relations department wants to issue a press release as soon as possible to maintain customer trust. Legal counsel advises that the breach must be reported to regulators within 72 hours. The technical team is working on containment. What is the MOST important priority for the incident manager at this point?

A. Conduct a thorough forensic investigation to determine the full extent of the breach before taking action.
B. Immediately report the breach to regulators to comply with the 72-hour requirement.
C. Focus on containing the breach and eradicating the threat before any disclosure.
D. Authorize the press release to manage public perception.

Answer: C

Containment stops further damage; communication follows.

Why this answer

Option C is correct because containment and eradication take precedence over communication and reporting. Premature disclosure (D) could cause panic and legal issues. Reporting (B) can be done after containment.

Full investigation (A) can delay containment.

13 · MCQ · medium

After containing an incident, the incident response team is ready to proceed. According to NIST SP 800-61, what is the next phase?

A. Communication
B. Recovery
C. Eradication
D. Lessons Learned

Answer: C

Correct: Eradication removes the threat from the environment.

Why this answer

Option C is correct because NIST's incident response lifecycle includes Eradication after Containment. Recovery and Lessons Learned come later, and Communication occurs throughout.

14 · MCQ · hard

An incident has been declared involving a ransomware attack that encrypted critical servers. The organization has backups, but the backups were also encrypted. Which of the following is the BEST course of action?

A. Analyze the ransomware to find a decryptor
B. Rebuild the servers from clean images
C. Restore from offline backups
D. Pay the ransom to obtain decryption key

Answer: B

Rebuilding from clean system images ensures a secure, malware-free environment; data may need to be restored from alternate sources.

Why this answer

Since the backups are compromised, rebuilding the servers from clean images ensures a known good state. Paying the ransom is not recommended, and analyzing the ransomware may not yield a timely decryptor. Option B is correct.

15 · Multi-Select · hard

Which TWO criteria should an organization use to prioritize incidents during triage?

A. Number of users affected
B. Time of detection
C. Potential business impact
D. Skill level of the responding analyst
E. Sensitivity of the data involved

Answers: C, E

Business impact directly influences priority.

Why this answer

Options C and E are correct: business impact and data sensitivity are key factors. Option B is wrong because the time of detection does not inherently define priority. Option D is wrong because the skill of the analyst is not a triage criterion.

Option A is wrong because the number of affected users is a proxy, but business impact is more holistic.

16 · MCQ · easy

A user reports that their computer is behaving oddly, and an IT technician finds a suspicious file in the startup folder. The technician is not sure if this is an incident. What should the technician do FIRST?

A. Document the findings and continue monitoring
B. Escalate to the security team
C. Run an antivirus scan
D. Delete the suspicious file

Answer: B

Escalating ensures proper handling and investigation by security professionals.

Why this answer

When unsure, the best practice is to escalate to the security team to investigate further. Deleting the file could destroy evidence, and scanning may not be sufficient. Option B is correct.

17 · MCQ · hard

Based on the exhibit, what is the MOST likely issue?

A. A system is infected with malware that is beaconing to a command and control server.
B. A user is streaming video from a legitimate site.
C. A software update is being downloaded from an external site.
D. A network scan is being performed from the internal IP.

Answer: A

The combination of IDS alert and periodic connections is indicative of C2 activity.

Why this answer

The IDS alert indicates a malware beacon, and the firewall log shows periodic outbound connections to an external IP, which is typical of command and control traffic.

18 · MCQ · hard

An organization's security team detects an unusual spike in outbound traffic from a database server to an external IP address during a routine security scan. The database server contains sensitive customer data. Which of the following is the MOST appropriate initial response?

A. Notify the data protection officer and legal team.
B. Review firewall logs to confirm data exfiltration.
C. Run a full antivirus scan on the database server.
D. Isolate the database server from the network to stop the traffic.

Answer: D

Containment is a top priority to limit impact.

Why this answer

Isolating the database server is the most appropriate initial response because it immediately halts the suspected data exfiltration, containing the incident and preventing further loss of sensitive customer data. In incident management, the priority is to stop the active threat before performing any investigative or notification steps, as per the NIST SP 800-61 incident response lifecycle (Preparation, Detection & Analysis, Containment, Eradication & Recovery). Delaying containment to review logs or run scans allows the exfiltration to continue, increasing the potential damage.

Exam trap

The trap here is that candidates often confuse 'investigation' with 'response' and choose to review logs first (Option B), failing to recognize that in an active incident, containment must precede any forensic analysis to prevent further damage.

How to eliminate wrong answers

Option A is wrong because notifying the data protection officer and legal team is a post-containment step; performing notification before containment wastes critical time and does not stop the ongoing data loss. Option B is wrong because reviewing firewall logs to confirm data exfiltration is a forensic step that should occur after containment; waiting to confirm the exfiltration allows the malicious traffic to continue, potentially exfiltrating more data. Option C is wrong because running a full antivirus scan on the database server is a reactive, slow process that does not address the immediate network-level threat; the spike in outbound traffic indicates an active data transfer, not necessarily a virus, and scanning does not stop the traffic.

19 · MCQ · easy

An incident response plan (IRP) is being tested. Which metric is MOST indicative of the team's effectiveness during an exercise?

A. Total cost of the exercise
B. Number of tools used
C. Mean time to detect (MTTD)
D. Volume of logs generated

Answer: C

MTTD measures how quickly incidents are identified.

Why this answer

Option C is correct because time to detect is a key performance indicator. Option B is wrong because the number of tools used does not indicate effectiveness. Option A is wrong because the cost of the exercise is not a performance metric.

Option D is wrong because volume of logs is not directly tied to response quality.

20 · Multi-Select · hard

Which THREE are key components of an effective post-incident review?

A. Document lessons learned
B. Increase security budget
C. Assign blame
D. Update incident response plan
E. Determine root cause

Answers: A, D, E

Correct: Capturing what worked and what didn't drives future improvements.

Why this answer

Determining root cause, documenting lessons learned, and updating the incident response plan are essential.

21 · MCQ · hard

Given the exhibit output from a web server, which connection is MOST suspicious and likely indicates a command-and-control (C2) channel?

A. Connection to 10.0.0.1:54321
B. The listening socket on port 443
C. Connection to 203.0.113.5:44333
D. Connection to 10.0.0.2:54322

Answer: C

External IP with non-standard high port, common for C2.

Why this answer

Connection to 203.0.113.5:44333 is the most suspicious because it uses a non-standard high port (44333) to an external IP address, which is a common technique for C2 traffic to evade detection by blending with HTTPS-like traffic. Legitimate web servers typically connect to well-known ports (e.g., 80, 443) or internal services, not arbitrary external high ports. The exhibit likely shows a netstat output where this outbound connection to an external IP on an unusual port stands out as anomalous.

Exam trap

The trap here is that candidates may focus on the high port numbers (54321, 54322) as suspicious, but the key differentiator is the external IP address versus internal RFC 1918 addresses, which is a classic C2 indicator.

How to eliminate wrong answers

Option A is wrong because 10.0.0.1:54321 is a private IP address (RFC 1918) and port 54321 is often used for legitimate internal services like backup or monitoring, making it less suspicious for C2. Option B is wrong because a listening socket on port 443 is standard for HTTPS web servers and is expected behavior, not indicative of a C2 channel. Option D is wrong because 10.0.0.2:54322 is also a private IP address on a high port, which could be a legitimate internal service or database connection, and lacks the external threat profile of a C2 channel.

22 · Multi-Select · easy

Which THREE of the following are key phases of the incident management lifecycle according to NIST or ISO? (Choose three.)

A. Detection & Analysis
B. Encryption
C. Board reporting
D. Containment, Eradication & Recovery
E. Preparation

Answers: A, D, E

Options A, D and E are correct because each is a key phase.

Why this answer

Options A, D and E are correct as they are standard phases. Option B is not a phase; Option C is not a formal phase.

23 · MCQ · hard

During a data breach investigation, the team discovers that an attacker exfiltrated data via encrypted HTTPS to a server abroad. Which forensic step is most critical?

A. Capture memory from the endpoint to find encryption keys
B. Analyze firewall logs for the connection
C. Decrypt the traffic using the server's private key
D. Trace the IP address to identify the attacker

Answer: A

Correct: Memory may contain the symmetric keys used for the HTTPS session.

Why this answer

Capturing memory from the endpoint may reveal encryption keys used for the HTTPS session, allowing decryption.

24 · MCQ · medium

An organization has multiple security tools that generate alerts. The incident response team is overwhelmed by the volume of alerts. Which of the following is the BEST approach to manage this issue?

A. Increase the number of incident response staff.
B. Implement a security information and event management (SIEM) system.
C. Disable all low-priority alerts.
D. Implement alert triage and prioritization processes.

Answer: D

Option D is correct because implementing triage and prioritization reduces alert fatigue by focusing on critical alerts.

Why this answer

Option D is correct because implementing triage and prioritization reduces alert fatigue by focusing on critical alerts. Option A is wrong because it does not address the root cause. Option C is wrong because disabling alerts may hide real threats.

Option B is wrong because a SIEM is a tool that may still generate many alerts without a process.

25 · MCQ · easy

An incident response team discovers that an employee's workstation is infected with malware. The workstation contains sensitive customer data. Which of the following is the MOST appropriate containment strategy?

A. Shut down the workstation immediately.
B. Perform a full system wipe and reinstall the OS.
C. Disconnect the workstation from the network.
D. Copy all files to a secure server and then disconnect.

Answer: C

Network isolation is a quick and effective containment measure.

Why this answer

Disconnecting the workstation from the network (Option C) is the most appropriate containment strategy because it immediately stops the malware from communicating with command-and-control servers, prevents lateral movement to other systems, and preserves the volatile evidence (e.g., running processes, memory contents) needed for forensic analysis. This aligns with the NIST SP 800-61 incident response containment phase, which prioritizes isolation over destruction or data exfiltration risk.

Exam trap

The trap here is that candidates often confuse 'containment' with 'eradication' and choose a destructive option like shutdown or wipe, failing to recognize that containment must preserve evidence and prevent spread without destroying forensic artifacts.

How to eliminate wrong answers

Option A is wrong because shutting down the workstation immediately destroys volatile evidence (e.g., active network connections, memory-resident malware, encryption keys) and may trigger anti-forensic mechanisms in the malware. Option B is wrong because performing a full system wipe and OS reinstall destroys all evidence before forensic analysis can determine the root cause, scope of compromise, and whether sensitive customer data was exfiltrated. Option D is wrong because copying all files to a secure server before disconnecting risks spreading the malware to the server and may alter file timestamps or trigger malware behavior during the copy process, violating forensic integrity.

26 · MCQ · medium

Based on the SIEM alert exhibit, which immediate action should the incident responder take?

A. Block the source IP 10.0.0.55 at the firewall
B. Lock the user account 'jsmith'
C. Increase logging level for the destination server
D. Contact the user 'jsmith' to verify activity

Answer: B

Locking the account prevents further brute-force.

Why this answer

The SIEM alert indicates a successful brute-force login from source IP 10.0.0.55 to the destination server using the account 'jsmith'. Locking the user account immediately stops the attacker from further exploiting the compromised credentials, which is the most direct containment action. Blocking the IP alone would not prevent re-authentication if the attacker switches IPs, and contacting the user wastes critical time during an active incident.

Exam trap

The trap here is that candidates often choose to block the source IP, thinking it stops the attack, but fail to realize the attacker already has valid credentials and can pivot from any IP, making account lockout the only effective containment step.

How to eliminate wrong answers

Option A is wrong because blocking the source IP at the firewall does not address the fact that the attacker already has valid credentials for 'jsmith' and could simply use a different IP to continue the attack. Option C is wrong because increasing logging level is a forensic step that does not contain the active threat; it only gathers more data after the fact. Option D is wrong because contacting the user 'jsmith' to verify activity introduces unnecessary delay and assumes the user is not the attacker, whereas the SIEM alert shows a successful brute-force, indicating the account is already compromised and must be locked immediately.

27 · Matching · medium

Match each data classification level to its handling requirement.


No restrictions; can be freely distributed

Access limited to employees; no external sharing

Access on need-to-know basis; encryption required

Highly sensitive; strict access control and logging

Subject to legal/compliance requirements (e.g., PII)

Why these pairings

Typical data classification categories.

28 · Multi-Select · medium

Which TWO actions are key components of the 'Containment' phase in incident response?

A. Restoring systems from backups
B. Implementing temporary workarounds to stop damage
C. Eradicating malware from infected systems
D. Writing a final incident report
E. Deploying patches or configuration changes to secure systems

Answers: B, E

Short-term containment prevents further harm.

Why this answer

Options B and E are correct: short-term containment (temporary workarounds such as blocking a connection or disabling an account) stops the damage, and long-term containment (patches or configuration changes that let systems keep operating safely while the investigation continues) hardens them against the same vector. Option A is wrong because restoring from backups is recovery. Option C is wrong because removing malware is eradication, which follows containment. Option D is wrong because the final report belongs to the post-incident phase; documentation continues throughout, but it is not a containment action.

29
MCQhard

A security operations center receives an alert from an IDS indicating possible command and control traffic. The analyst is unsure if it's a true positive. Which combination of actions should be taken first?

A.Disable the IDS signature to prevent further alerts.
B.Immediately block the source IP and escalate to the incident response team.
C.Conduct a full forensic analysis of the affected host.
D.Correlate the alert with firewall and proxy logs and review threat intelligence.
AnswerD

Correct: Validation before action.

Why this answer

Option D is correct because correlating the alert with firewall and proxy logs and threat intelligence validates it before any potentially disruptive action is taken: the firewall shows whether the host really connected to the suspect address and how regularly, the proxy shows what it requested, and intelligence shows whether the destination is known bad. Blocking prematurely (Option B) may act on a false positive; disabling signatures (Option A) blinds the sensor; full forensics (Option C) is premature before the alert is confirmed.
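The validation step described above, as an added example that is not part of the original page: an IDS alert is scored against four independent signals (a threat-intelligence match, corroborating firewall flows, the regularity of those flows, and a direct-to-IP proxy request) and the score is mapped to an action. The alert, the log formats, the addresses and the intelligence entry are all constructed for illustration and assume nothing about any real product.

```python
"""Validate an IDS 'possible C2' alert by correlating it with firewall and
proxy logs and a threat-intelligence list before acting.
Added example; log formats, addresses and the feed entry are constructed."""
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed IDS alert (hypothetical hosts in documentation address ranges).
IDS_ALERT = {"time": "2024-03-01T14:02:10", "src": "10.20.30.40",
             "dst": "203.0.113.77", "sig": "Possible C2 beacon"}

# Constructed threat-intelligence entry keyed by destination IP.
THREAT_INTEL = {"203.0.113.77": "constructed feed entry: known C2"}

# Constructed firewall log: time action src dst dport
FIREWALL_LOG = """\
2024-03-01T13:32:05 ALLOW 10.20.30.40 203.0.113.77 443
2024-03-01T13:47:06 ALLOW 10.20.30.40 203.0.113.77 443
2024-03-01T14:02:07 ALLOW 10.20.30.40 203.0.113.77 443
2024-03-01T14:03:55 ALLOW 10.20.30.41 198.51.100.5 443
"""

# Constructed proxy log: time src method target user status path
PROXY_LOG = """\
2024-03-01T14:02:08 10.20.30.40 CONNECT 203.0.113.77:443 - 200 /
2024-03-01T14:02:30 10.20.30.41 GET www.example.com:443 - 200 /news
"""

FW_FIELDS = ("time", "action", "src", "dst", "dport")
PROXY_FIELDS = ("time", "src", "method", "target", "user", "status", "path")

def parse_lines(text, fields):
    """Split whitespace-delimited log lines into dicts keyed by `fields`."""
    return [dict(zip(fields, line.split()))
            for line in text.splitlines() if line.strip()]

def ts(value):
    return datetime.fromisoformat(value)

def firewall_hits(alert, fw_rows, lookback=timedelta(hours=1)):
    """Allowed flows from the alerting host to the suspect IP in the lookback window."""
    t0 = ts(alert["time"])
    return [r for r in fw_rows
            if r["src"] == alert["src"] and r["dst"] == alert["dst"]
            and r["action"] == "ALLOW" and t0 - lookback <= ts(r["time"]) <= t0]

def beacon_intervals(rows):
    """Seconds between consecutive flows; a C2 beacon tends to be regular."""
    times = sorted(ts(r["time"]) for r in rows)
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]

def looks_periodic(intervals, tolerance=0.1):
    """True when every interval is within `tolerance` of the mean (needs >= 2)."""
    if len(intervals) < 2:
        return False
    mean = sum(intervals) / len(intervals)
    return all(abs(i - mean) <= tolerance * mean for i in intervals)

def host_of(target):
    return target.rsplit(":", 1)[0]

def proxy_hits(alert, proxy_rows, window=timedelta(minutes=5)):
    """Proxy requests from the alerting host to the suspect IP near alert time."""
    t0 = ts(alert["time"])
    return [r for r in proxy_rows
            if r["src"] == alert["src"] and host_of(r["target"]) == alert["dst"]
            and abs(ts(r["time"]) - t0) <= window]

def is_raw_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def triage(alert, fw_rows, proxy_rows, intel):
    """Score independent corroborating signals and map the score to an action."""
    fw = firewall_hits(alert, fw_rows)
    px = proxy_hits(alert, proxy_rows)
    intervals = beacon_intervals(fw)
    evidence = {
        "intel_match": alert["dst"] in intel,
        "firewall_corroborated": bool(fw),
        "periodic_beacon": looks_periodic(intervals),
        # CONNECTs straight to an IP with no hostname are common for C2, rare for users.
        "proxy_direct_to_ip": any(is_raw_ip(host_of(r["target"])) for r in px),
    }
    score = sum(evidence.values())
    if score >= 3:
        decision = "escalate_and_contain"
    elif score >= 1:
        decision = "investigate_further"
    else:
        decision = "likely_false_positive"
    return {"decision": decision, "score": score,
            "evidence": evidence, "beacon_intervals_s": intervals}

def run_example():
    fw_rows = parse_lines(FIREWALL_LOG, FW_FIELDS)
    proxy_rows = parse_lines(PROXY_LOG, PROXY_FIELDS)
    suspicious = triage(IDS_ALERT, fw_rows, proxy_rows, THREAT_INTEL)
    # Same signature, but against a destination nothing else corroborates.
    benign = triage({**IDS_ALERT, "dst": "198.51.100.5"}, fw_rows, proxy_rows, THREAT_INTEL)
    return suspicious, benign

if __name__ == "__main__":
    for result in run_example():
        print(result["decision"], result["score"], result["evidence"])
```

The suspicious alert scores on all four signals (three allowed flows 901 seconds apart, a direct CONNECT to the IP, and an intelligence match) and is escalated; the same signature against an uncorroborated destination scores zero and is treated as a probable false positive. The weights and thresholds are deliberately simple; the point is that each signal comes from a different data source, so one noisy sensor cannot drive the decision on its own.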

30
MCQhard

A large enterprise experiences a data breach involving personal identifiable information (PII) of customers. The incident response team has contained the breach and is now in the eradication phase. The CISO wants to ensure that the same vulnerability cannot be exploited again. Which action is MOST critical?

A.Change all passwords of affected accounts.
B.Notify affected customers about the breach.
C.Deploy additional endpoint protection software.
D.Patch the specific vulnerability identified.
AnswerD

Patching the vulnerability directly prevents re-exploitation.

Why this answer

Patching the specific vulnerability is the most critical action during the eradication phase because it permanently removes the root cause of the breach. Without this step, the same attack vector (e.g., an unpatched SQL injection flaw or a known CVE in a web server) remains exploitable, rendering containment efforts temporary. The CISO's goal to prevent recurrence directly requires eliminating the technical weakness, not just mitigating its symptoms.

Exam trap

ISACA often tests the distinction between containment actions (like password resets) and eradication actions (like patching), tricking candidates into choosing a visible, immediate step over the root-cause fix.

How to eliminate wrong answers

Option A is wrong because changing passwords of affected accounts is a containment and recovery action that addresses credential compromise, not the underlying vulnerability (e.g., a code injection flaw) that allowed the breach. Option B is wrong because notifying customers is a legal and public relations obligation that occurs after eradication, but it does not fix the technical root cause. Option C is wrong because deploying additional endpoint protection software is a preventive control that may detect future attacks but does not remove the existing vulnerability; the attacker could still exploit the same unpatched flaw.

31
Matchingmedium

Match each incident management phase to its activity.


Develop incident response plan and train team

Identify and validate security incidents

Isolate threat, remove malware, restore operations

Conduct lessons learned and update procedures

Notify stakeholders and regulatory bodies

Why these pairings

Incident response phases per CISM.

32
MCQeasy

During incident investigation, which evidence preservation method is most important?

A.Take screenshots of the attack
B.Interview witnesses immediately
C.Create a forensic image of affected drives
D.Reboot the system to capture memory
AnswerC

Correct: Forensic imaging preserves the exact state for analysis.

Why this answer

Creating a forensic image preserves a bit-by-bit copy of the drive for analysis without altering the evidence. The image's cryptographic hash (for example SHA-256) is recorded at acquisition and re-checked before analysis so the copy can be shown to be unaltered, and analysis is performed on a working copy, never on the original.

33
MCQmedium

According to the exhibit, which role is responsible for conducting forensic analysis?

A.Incident Manager
B.Technical Lead
C.Legal Counsel
D.Communication Lead
AnswerB

The Technical Lead owns the hands-on investigation, including forensic analysis.

Why this answer

Option B is correct because the Technical Lead directs the technical investigation, including forensic analysis. Option A is wrong because the Incident Manager coordinates the overall response rather than performing analysis. Option C is wrong because Legal Counsel provides legal guidance. Option D is wrong because the Communication Lead handles stakeholder and external communications.

34
MCQhard

You are the information security manager for a financial services company that processes credit card transactions. The company uses a mix of on-premises servers and cloud services. During a routine vulnerability scan, you discover that one of the web servers has been compromised with a web shell that allows remote command execution. The server is part of a cluster that handles customer-facing web traffic. The incident response team is activated. The team's immediate actions include isolating the server from the network and taking a forensic image. However, the server is critical for business operations, and management is pressuring you to restore service quickly. The server's logs show that the web shell was uploaded three days ago, and during that time, the server processed approximately 10,000 transactions. The team has not yet fully analyzed the forensic image. You need to decide on the next steps. What should you do FIRST?

A.Wait for the next scheduled patch cycle to apply updates and then restore the server.
B.Restore the server from the most recent clean backup and bring it back online immediately to minimize revenue loss.
C.Notify the payment card industry (PCI) compliance auditor and request guidance on next steps.
D.Conduct a thorough analysis of the forensic image to determine the extent of data access and exfiltration.
AnswerD

Understanding the breach scope is critical for response and notification.

Why this answer

Option D is correct because before restoring service it is essential to establish the scope of the breach: whether cardholder data from the roughly 10,000 transactions processed since the web shell was uploaded was accessed or exfiltrated, and whether the attacker reached other members of the cluster. This determines the legal, PCI DSS and customer notification obligations, and it tells you whether the "clean" backup actually predates the compromise. Option B is premature: restoring without knowing how the shell got there and what was taken risks reintroducing the same weakness and reconnecting a server the attacker may still control. Option A is too passive; waiting for a scheduled patch cycle leaves a confirmed compromise unaddressed. Option C may be needed later, but the auditor cannot give useful guidance until the scope is known.

35
MCQeasy

A security analyst receives an alert from the SIEM indicating a high number of failed login attempts from a single external IP address targeting a public-facing web server. The analyst checks the logs and sees that the attempts are using common usernames. What is the MOST appropriate immediate response?

A.Block the IP address at the firewall.
B.Ignore the alert as it is likely a false positive.
C.Disable the web server.
D.Notify law enforcement.
AnswerA

Immediate containment stops ongoing attacks.

Why this answer

Option A is correct because blocking the IP at the firewall is a quick containment measure that stops the attempts while the analyst checks whether any of them succeeded. Option B is wrong because many failures against common usernames is the classic brute-force pattern, not noise, and ignoring it invites an eventual success. Option C is too drastic; taking the web server offline disrupts business over an attack that has not succeeded. Option D is premature; law enforcement is not needed at this stage. Note the difference from a brute force that has already succeeded: then the account must be locked as well, because a new source IP gets the attacker straight back in.

36
MCQmedium

During an incident, the incident response team discovers that the attacker used stolen credentials to access the network. What should the team do during the eradication phase?

A.Conduct a security awareness training.
B.Block the attacker's IP addresses.
C.Install additional antivirus software.
D.Reset all user passwords.
AnswerD

Correct: Directly removes attacker's access.

Why this answer

Option D is correct because resetting the compromised passwords removes the attacker's access; in practice the reset should be paired with invalidating existing sessions and tokens, since a password change alone does not end a session that is already open. Blocking IPs is containment; installing AV and training are good but not immediate eradication.

37
MCQmedium

During an incident, the team identifies that a contractor's credentials were used to access sensitive data. Which of the following should be the IMMEDIATE action?

A.Notify the client whose data was accessed.
B.Revoke the contractor's access and terminate the contract.
C.Contact the contractor to ask about the activity.
D.Disable the compromised credentials and initiate forensic investigation.
AnswerD

Option D is correct because disabling the credentials stops further misuse, and the forensic investigation determines scope.

Why this answer

Option D is correct because disabling the credentials stops further misuse while the forensic investigation determines scope. Option B is wrong because terminating the contract is premature before the investigation shows whether the contractor or someone who stole the credentials was responsible. Option C is wrong because contacting the contractor could tip off the person behind the activity and compromise the investigation. Option A is wrong because client notification should follow a confirmed breach with a known scope, not precede the investigation.

38
MCQhard

You are the incident response manager for a mid-sized e-commerce company. At 2:00 PM, the security operations center receives an alert from the intrusion detection system indicating a potential SQL injection attack against the customer database server. The server hosts a critical database containing customer PII and payment card data. The alert shows multiple suspicious queries from an internal IP address 192.168.10.50, which belongs to the development team's jump box. The development team uses this jump box to access production servers for maintenance. The jump box is managed by the IT operations team. The CEO is currently in a meeting with investors and cannot be disturbed. The CISO is on leave. The company has a written incident response plan that designates the IT director as the incident response coordinator in the absence of the CISO. The IT director has limited security knowledge. The database administrator (DBA) reports that the database is experiencing high CPU usage and that some customer records appear to have been modified. You need to take immediate action. What should you do FIRST?

A.Shut down the database server to prevent further data loss
B.Contact the development team lead to ask about the activity
C.Isolate the jump box from the network immediately
D.Escalate the incident to the IT director and request guidance
AnswerC

Stops the attack and preserves evidence.

Why this answer

Isolating the jump box (192.168.10.50) is the correct first action because it immediately stops the active SQL injection attack at its source, preventing further data exfiltration or modification. The suspicious queries originate from this internal IP, and containment is the priority in incident response to halt the threat before investigation or recovery. This aligns with NIST SP 800-61, which places containment before eradication and recovery and notes that the containment choice should also preserve evidence; isolating the jump box does both, because the host stays powered on for forensic collection while its access to production is cut.

Exam trap

The trap here is that candidates confuse 'escalation' with 'first action'—they think notifying the IT director is required per the plan, but CISM emphasizes that incident response managers must take immediate containment steps before escalation when an active attack is confirmed.

How to eliminate wrong answers

Option A is wrong because shutting down the database server destroys volatile evidence (e.g., active connections, memory-resident queries) and causes unnecessary business disruption; containment should isolate the attacker, not the asset. Option B is wrong because contacting the development team lead wastes critical time and may tip off a potential insider threat or compromised account; the jump box could be under attacker control, and human verification is unreliable during an active breach. Option D is wrong because escalating to the IT director, who has limited security knowledge, delays decisive containment action; the incident response plan designates the IT director as coordinator, but you, as the incident response manager, have the authority to execute immediate containment steps per your role.

39
MCQmedium

Given the exhibit, what is the most likely classification of this incident?

A.Malware infection
B.Denial of service
C.Brute-force attack
D.Insider threat
AnswerC

Correct: Typical pattern of brute-force password guessing.

Why this answer

Option C is correct because multiple failed logins from the same IP against many accounts in a short period is the signature of brute-force password guessing. DoS would target availability; malware and insider threats show different indicators, such as process or file changes and misuse of legitimate access respectively.
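The pattern described in this question, and the containment reasoning from the successful brute force against 'jsmith' earlier on the page, as an added example that is not part of the original page: a detector that reads sshd-style authentication lines, counts failures per source inside a sliding window, lists the accounts targeted, and treats a success that follows a burst of failures as an account compromise whose first containment step is locking the account rather than blocking the address. The log lines, hosts, users and addresses are constructed.

```python
"""Classify authentication log lines as brute force and flag accounts that
were broken into (a success from a source that had just failed many times).
Added example; log lines are constructed in sshd syslog format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth log: a password-guessing run from 10.0.0.55 that ends in a
# successful login as jsmith, plus one user (alice) who mistyped once.
AUTH_LOG = """\
Mar  1 09:00:01 web01 sshd[1201]: Failed password for invalid user admin from 10.0.0.55 port 51000 ssh2
Mar  1 09:00:03 web01 sshd[1202]: Failed password for invalid user root from 10.0.0.55 port 51001 ssh2
Mar  1 09:00:05 web01 sshd[1203]: Failed password for invalid user test from 10.0.0.55 port 51002 ssh2
Mar  1 09:00:07 web01 sshd[1204]: Failed password for invalid user oracle from 10.0.0.55 port 51003 ssh2
Mar  1 09:00:09 web01 sshd[1205]: Failed password for invalid user postgres from 10.0.0.55 port 51004 ssh2
Mar  1 09:00:11 web01 sshd[1206]: Failed password for jsmith from 10.0.0.55 port 51005 ssh2
Mar  1 09:00:13 web01 sshd[1207]: Failed password for jsmith from 10.0.0.55 port 51006 ssh2
Mar  1 09:00:15 web01 sshd[1208]: Failed password for jsmith from 10.0.0.55 port 51007 ssh2
Mar  1 09:00:20 web01 sshd[1209]: Accepted password for jsmith from 10.0.0.55 port 51008 ssh2
Mar  1 09:05:00 web01 sshd[1300]: Failed password for alice from 192.168.1.20 port 40000 ssh2
Mar  1 09:05:30 web01 sshd[1301]: Accepted password for alice from 192.168.1.20 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def parse_auth_log(text):
    """Return one event dict per recognised line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog carries no year; strptime defaults to 1900, which is fine for ordering
        when = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S")
        events.append({"time": when, "result": m["result"], "user": m["user"], "src": m["src"]})
    return events

def detect_brute_force(events, window=timedelta(seconds=60), threshold=5):
    """Per source IP: peak failures inside `window`, accounts targeted, and any
    success that followed >= threshold failures (treated as a compromise)."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        failures = [e for e in evs if e["result"] == "Failed"]
        peak = 0
        for i, first in enumerate(failures):
            j = i
            while j < len(failures) and failures[j]["time"] - first["time"] <= window:
                j += 1
            peak = max(peak, j - i)
        compromised = []
        for e in evs:
            if e["result"] != "Accepted":
                continue
            recent = [f for f in failures if e["time"] - window <= f["time"] <= e["time"]]
            if len(recent) >= threshold and e["user"] not in compromised:
                compromised.append(e["user"])
        if peak < threshold:
            continue  # a few typos from one address are not an incident
        # Lock the account first: the attacker now holds a valid password and can
        # return from any address; blocking the source is the secondary step.
        containment = [f"lock_account:{u}" for u in compromised]
        containment.append(f"block_ip:{src}")
        findings[src] = {
            "classification": "brute_force",
            "peak_failures_in_window": peak,
            "targeted_accounts": sorted({f["user"] for f in failures}),
            "compromised_accounts": compromised,
            "containment": containment,
        }
    return findings

def run_example():
    return detect_brute_force(parse_auth_log(AUTH_LOG))

if __name__ == "__main__":
    for src, finding in run_example().items():
        print(src, finding)
```

Only 10.0.0.55 is reported: eight failures against six accounts in fifteen seconds, then a success as jsmith, so the finding lists jsmith as compromised and puts the account lock ahead of the IP block. The single failure from 192.168.1.20 followed by a success stays below the threshold and produces no finding.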

40
MCQhard

During a forensic investigation, an incident responder needs to collect memory from a compromised server. What is the BEST method to preserve evidence integrity?

A.Remotely acquire memory using a network connection.
B.Use a live forensic toolkit to capture memory to a network share.
C.Reboot the system into safe mode and then capture memory.
D.Perform a hardware memory acquisition using a write-blocker.
AnswerD

Ensures data integrity and volatile data preservation.

Why this answer

Option D is correct because a hardware acquisition path that cannot write to the evidence is the least likely to alter it. Options A and B both push the capture across the network, which adds a chance of corruption or interception, and a network share is itself writable from the compromised host. Option C is wrong because rebooting discards the running processes, network connections and keys held in RAM, which is the very evidence being sought. Note that write-blockers are a storage-media control; for RAM the equivalent goals are an acquisition tool that changes the running system as little as possible, capture to dedicated evidence media rather than a share on the compromised network, and a hash of the image taken immediately.

41
MCQmedium

Refer to the exhibit. During a ransomware incident, the response team discovers that the backup server is also encrypted. Which phase of the playbook is MOST impacted?

A.Phase 5: Post-Incident
B.Phase 3: Eradication
C.Phase 2: Containment
D.Phase 4: Recovery
AnswerD

Recovery relies on clean backups; encrypted backups hinder restoration.

Why this answer

Option D is correct because the Recovery phase (Phase 4) is most impacted when the backup server is encrypted during a ransomware incident. Without clean, unencrypted backups, the organization cannot restore systems and data to a known good state, which is the primary goal of the Recovery phase. The encryption of backups directly undermines the ability to recover, forcing the team to consider alternative recovery methods such as decryption keys, offline backups, or system rebuilds.

Exam trap

The trap here is that candidates often confuse the Recovery phase with the Eradication phase, thinking that removing the ransomware will automatically restore access to backups, but in reality, encrypted backups require separate decryption or restoration processes that are part of Recovery, not Eradication.

How to eliminate wrong answers

Option A is wrong because the Post-Incident phase (Phase 5) focuses on lessons learned, reporting, and process improvement, not on the immediate technical recovery from encrypted backups. Option B is wrong because the Eradication phase (Phase 3) involves removing malware and closing attack vectors, but the encrypted backups are a recovery obstacle, not an eradication task. Option C is wrong because the Containment phase (Phase 2) aims to isolate the incident to prevent further spread, but the backup server being already encrypted means containment does not address the loss of recovery data.

42
MCQhard

During a cyber incident, the organization's legal counsel advises that certain information about the breach should not be shared with external partners due to ongoing law enforcement investigation. The incident response team must balance transparency with confidentiality. Which of the following is the BEST approach?

A.Seek partner input on what to share
B.Share all information with partners under NDA
C.Provide only non-sensitive overview to partners
D.Withhold all information until investigation ends
AnswerC

A non-sensitive overview maintains transparency while protecting investigative integrity.

Why this answer

Providing a non-sensitive overview keeps partners informed without compromising the investigation. Option C is correct. Option B would put investigative detail in partners' hands regardless of the NDA, Option D damages trust and leaves partners unable to protect themselves, and Option A lets partners rather than legal counsel decide what is shareable.

43
MCQmedium

You are the information security manager for a mid-sized e-commerce company. The company operates a web application that handles credit card transactions and stores customer data in a backend database. The incident response team has just been alerted to a potential data breach: an intrusion detection system (IDS) flagged a SQL injection attack pattern on the web application's login page. The attack originated from an external IP address (5.5.5.5) and appears to have been successful, as the IDS also detected a large outbound data transfer from the database server to another external IP (6.6.6.6) shortly after. The database server is not segmented from the web server. The company has a legal obligation to report breaches involving cardholder data within 72 hours. The incident response plan is being activated. The team includes a forensic analyst, a network engineer, and a legal advisor. The web application is currently running and serving customers. The CEO wants to minimize business disruption. Which of the following actions should the incident response team take FIRST?

A.Shut down the web application and database server immediately to stop the breach.
B.Isolate the database server from the network and block outbound traffic to the external IP.
C.Patch the SQL injection vulnerability in the web application and continue monitoring.
D.Take a full forensic image of all servers before taking any containment actions.
AnswerB

This stops data exfiltration while preserving the web application's availability.

Why this answer

Option B is correct because the immediate priority is to contain the breach by isolating the compromised database server and blocking outbound traffic to the attacker's IP (6.6.6.6). This stops the exfiltration of cardholder data, preserves evidence on the isolated server, and minimizes business disruption by keeping the web application running. Shutting down servers (Option A) would cause unacceptable downtime, while patching (Option C) or imaging (Option D) without containment would allow continued data loss.

Exam trap

The trap here is that candidates confuse 'stopping the breach' with 'shutting everything down' (Option A), failing to recognize that containment actions like network isolation can halt data loss while preserving business continuity and evidence integrity.

How to eliminate wrong answers

Option A is wrong because shutting down both servers halts business operations, violating the CEO's directive to minimize disruption, and destroys volatile evidence (e.g., network connections, memory) that the forensic analyst needs. Option C is wrong because patching the SQL injection vulnerability does not stop the ongoing exfiltration to 6.6.6.6; the attacker may still have a backdoor or active connection, and data loss continues. Option D is wrong because taking forensic images before containment lets the attacker keep exfiltrating while the images are taken; the 72-hour reporting clock is already running, and every additional record lost expands what must be reported.

44
MCQeasy

An organization has just experienced a ransomware attack that encrypted files on several file servers. The incident response team has contained the incident. What is the next critical step?

A.Pay the ransom to recover data.
B.Wipe the affected servers and reimage them.
C.Notify law enforcement.
D.Restore files from clean backups.
AnswerD

Correct: Efficient recovery without paying ransom.

Why this answer

Option D is correct because restoring from clean backups is the most reliable recovery method. Paying the ransom (Option A) is discouraged: it funds the attacker and does not guarantee a working decryptor. Notifying law enforcement (Option C) should happen, but it is not the step that restores service. Wiping and reimaging (Option B) may still be required on the affected servers before data is restored, but as a blanket step it is too drastic when clean backups exist. Before restoring, verify that the backups predate the intrusion and are free of the ransomware.

45
MCQmedium

During a simulated phishing exercise, several employees clicked a link and entered their credentials on a fake login page. The security team needs to determine the impact. Which of the following should be the NEXT step?

A.Reset the affected employees' passwords and enable multi-factor authentication
B.Implement a security awareness training program
C.Conduct a forensic analysis of the employees' workstations
D.Block the phishing domain at the web proxy
AnswerA

This mitigates the credential compromise.

Why this answer

When credentials are compromised in a phishing attack, the immediate priority is to contain the breach by invalidating the exposed credentials. Resetting the affected employees' passwords and enabling multi-factor authentication (MFA) prevents attackers from using the harvested credentials for unauthorized access, especially if the credentials are reused across other systems. This aligns with the Incident Response phase of containment before moving to eradication or recovery.

Exam trap

The trap here is that candidates may confuse the containment phase with the eradication phase, choosing to block the phishing domain (Option D) instead of immediately neutralizing the compromised credentials, which is the more urgent action to prevent further unauthorized access.

How to eliminate wrong answers

Option B is wrong because implementing a security awareness training program is a long-term preventive measure, not an immediate containment step during active incident response. Option C is wrong because conducting a forensic analysis of the employees' workstations is premature; the phishing link was a server-side credential harvester, not a client-side malware infection, so workstation forensics would not directly address the credential compromise. Option D is wrong because blocking the phishing domain at the web proxy is a reactive defense but does not remediate the already-compromised credentials; the attacker may still use the stolen passwords before the domain is blocked.

46
Multi-Selectmedium

Which TWO actions are appropriate during the containment phase of an incident involving a malware outbreak on multiple workstations?

Select 2 answers
A.Contact all users to warn them about the malware
B.Reimage all affected workstations immediately
C.Isolate infected workstations from the network
D.Notify customers about potential data breach
E.Block known malicious domains and IPs at the firewall
AnswersC, E

Isolation stops lateral movement.

Why this answer

Option C is correct because isolating infected workstations from the network is a primary containment action that prevents the malware from spreading laterally to other systems, limiting the scope of the incident. This is typically achieved by disconnecting network cables, disabling switch ports, or using network access control (NAC) to quarantine the affected hosts, which stops further propagation without destroying forensic evidence. Option E is correct because blocking the known malicious domains and IPs at the firewall cuts the malware's command-and-control and download channels for every host, including infected ones not yet identified, while the workstations are triaged.

Exam trap

The trap here is that candidates often confuse containment with eradication or communication, mistakenly selecting 'reimage all affected workstations immediately' as a containment step, when in fact reimaging is an eradication action that should occur after containment and evidence collection.

47
MCQeasy

An organization's incident response plan has not been updated in two years. Which of the following is the MOST likely consequence?

A.The plan will comply with new regulations automatically.
B.The plan will be more effective due to maturity.
C.The plan will be followed exactly as written.
D.The plan may not address current threats and technologies.
AnswerD

Threats, systems and staff change; a two-year-old plan may reference retired systems, missing roles or attack types it never anticipated.

Why this answer

Option D is correct because outdated plans may not cover recent attack vectors or system changes. Option A is wrong because regulations change and a plan does not update itself. Option B is wrong because an untested, unmaintained plan decays rather than matures. Option C is wrong because responders routinely deviate from a plan that no longer matches the environment.

48
MCQhard

An organization has implemented a host-based intrusion prevention system (HIPS) on all endpoints. An internal audit reveals that many incidents go undetected because users often disable HIPS when it interferes with applications. Which of the following is the MOST effective control to address this issue?

A.Disable HIPS and rely solely on network-based intrusion detection.
B.Increase the sensitivity of HIPS signatures to detect more threats.
C.Remove the ability for users to disable HIPS.
D.Implement application whitelisting to allow approved applications while HIPS monitors.
AnswerD

Application whitelisting stops unapproved software from running, which removes most of the application conflicts that drive users to disable HIPS, while HIPS keeps monitoring the approved set.

Why this answer

Option D is correct because application whitelisting reduces the need to disable HIPS: it prevents unapproved applications from running, which reduces the conflicts, while HIPS continues to monitor the approved applications. Option A is wrong because removing HIPS eliminates endpoint protection, and network-based detection cannot see host-level activity or encrypted traffic. Option B is wrong because more sensitive signatures raise false positives and application interference, giving users more reason to disable it. Option C is wrong because locking HIPS on without fixing the conflicts breaks the applications users need; it belongs alongside whitelisting and an exception process rather than on its own.

49
MCQeasy

A security analyst detects an unusual spike in outbound traffic from a database server. Which of the following is the FIRST step in the incident response process?

A.Confirm the incident as a true positive
B.Isolate the server from the network
C.Identify the root cause of the traffic spike
D.Notify senior management
AnswerA

Confirming the alert as a true incident is the initial step to ensure that response efforts are justified.

Why this answer

The first step is to confirm the incident as a true positive before taking further actions like isolation, analysis, or notification. Option A is correct because validating the alert prevents unnecessary escalation and ensures resources are focused on genuine incidents.

50
MCQeasy

Which of the following is the PRIMARY purpose of an incident response plan?

A.To assign blame for security failures
B.To prevent all security incidents from occurring
C.To provide a systematic method for responding to incidents
D.To meet regulatory compliance requirements
AnswerC

The plan ensures consistent and effective response.

Why this answer

The primary purpose of an incident response plan is to establish a structured, systematic methodology for detecting, containing, eradicating, and recovering from security incidents. This ensures that the organization can minimize damage, reduce recovery time and costs, and preserve evidence for forensic analysis. Without a predefined plan, responses become ad hoc, increasing the likelihood of errors and extended downtime.

Exam trap

ISACA often tests the distinction between primary purpose and secondary benefits; candidates mistakenly choose regulatory compliance (Option D) because they confuse a common driver for implementing a plan with its fundamental operational objective.

How to eliminate wrong answers

Option A is wrong because assigning blame is counterproductive and not a goal of incident response; the focus is on learning and improving processes, not on fault-finding. Option B is wrong because incident response plans are designed to manage incidents that occur, not to prevent them; prevention is the domain of risk management and security controls. Option D is wrong because while regulatory compliance may be a benefit, it is not the primary purpose; the core objective is to effectively manage incidents to protect the organization's assets and operations.

51
MCQmedium

A large enterprise with a centralized Security Information and Event Management (SIEM) system is experiencing a high volume of false positive alerts. The security team is overwhelmed and has started to ignore many alerts. During a recent incident, a critical alert indicating lateral movement by an attacker was missed because it was buried among hundreds of false positives. The incident escalated significantly before it was discovered. The CISO has asked the incident response manager to recommend improvements to prevent this from happening again. What should the manager recommend as the primary action?

A.Increase all alert thresholds to reduce volume
B.Tune SIEM rules to eliminate known false positives
C.Hire additional security analysts to handle the load
D.Disable all non-critical alert categories
AnswerB

Fine-tuning rules reduces noise while maintaining detection of true positives.

Why this answer

Tuning the SIEM rules to reduce false positives is the most direct way to improve alert quality without losing coverage. Increasing thresholds may cause missed real alerts. Hiring more staff is a longer-term solution.

Disabling non-critical alerts could remove important detection capabilities.
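The trade-off this question turns on, as an added example that is not part of the original page: a small labelled alert sample is filtered three ways (narrow, documented rule exceptions; every threshold raised, as in Option A; non-critical categories disabled, as in Option D) and each result is measured by the false positives left and the true positives lost. The alerts, rules, thresholds, exception list and analyst labels are constructed for illustration.

```python
"""Compare three ways of cutting SIEM alert volume on a labelled alert sample.
Added example; alerts, rules, thresholds and analyst labels are constructed."""

# Hypothetical baseline firing thresholds for the rules in the sample.
THRESHOLDS = {"port_scan": 100, "failed_logins": 5,
              "lateral_movement": 1, "dns_txt_query": 3}

# Constructed alert sample; `label` is the analyst's verdict after review.
ALERTS = [
    {"id": 1, "rule": "port_scan", "src": "10.1.1.5", "count": 400, "severity": "high", "label": "fp"},
    {"id": 2, "rule": "port_scan", "src": "10.1.1.5", "count": 380, "severity": "high", "label": "fp"},
    {"id": 3, "rule": "port_scan", "src": "10.1.1.5", "count": 410, "severity": "high", "label": "fp"},
    {"id": 4, "rule": "port_scan", "src": "10.9.9.9", "count": 120, "severity": "high", "label": "tp"},
    {"id": 5, "rule": "failed_logins", "src": "10.2.2.2", "user": "svc_backup", "count": 6, "severity": "medium", "label": "fp"},
    {"id": 6, "rule": "failed_logins", "src": "10.3.3.3", "user": "jdoe", "count": 45, "severity": "medium", "label": "tp"},
    {"id": 7, "rule": "lateral_movement", "src": "10.3.3.3", "dst": "10.4.4.4", "count": 1, "severity": "medium", "label": "tp"},
    {"id": 8, "rule": "dns_txt_query", "src": "10.5.5.5", "count": 3, "severity": "low", "label": "fp"},
]

# Narrow, documented exceptions produced by reviewing the false positives: the
# authorised vulnerability scanner, and one service account whose retry storm
# from its own host is a known application bug. Each is scoped to one rule.
TUNING_EXCEPTIONS = [
    {"rule": "port_scan", "match": {"src": "10.1.1.5"}, "reason": "authorised scanner"},
    {"rule": "failed_logins", "match": {"src": "10.2.2.2", "user": "svc_backup"}, "reason": "known retry bug"},
]

def keep_baseline(alert):
    return True

def keep_tuned(alert, exceptions=TUNING_EXCEPTIONS):
    """Drop an alert only if every field of a same-rule exception matches it."""
    for exc in exceptions:
        if exc["rule"] == alert["rule"] and all(alert.get(k) == v for k, v in exc["match"].items()):
            return False
    return True

def keep_raised_thresholds(alert, factor=10):
    """Option A on the page: every rule's threshold multiplied by `factor`."""
    return alert["count"] >= THRESHOLDS[alert["rule"]] * factor

def keep_critical_only(alert):
    """Option D on the page: non-critical categories disabled outright."""
    return alert["severity"] == "high"

def evaluate(keep, alerts=ALERTS):
    """Alerts left for analysts, false positives among them, true positives lost."""
    kept = [a for a in alerts if keep(a)]
    return {
        "remaining": len(kept),
        "false_positives_remaining": sum(a["label"] == "fp" for a in kept),
        "true_positives_missed": [a["id"] for a in alerts if a["label"] == "tp" and a not in kept],
    }

def compare():
    strategies = [("baseline", keep_baseline), ("tune_rules", keep_tuned),
                  ("raise_all_thresholds", keep_raised_thresholds),
                  ("disable_non_critical", keep_critical_only)]
    return {name: evaluate(fn) for name, fn in strategies}

if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:22} {result}")
```

On this sample the tuned rules remove four of the five false positives and lose no true positive; the remaining false positive (the DNS TXT alert) is the next candidate for review. Raising every threshold tenfold silences the queue entirely, including the lateral-movement alert with a count of one, and disabling non-critical categories drops the same lateral-movement alert plus the real credential-guessing alert, which is exactly the failure the scenario describes.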

52
MCQhard

An organization is compromised by an APT that has established multiple backdoors across the network. What is the most effective eradication strategy?

A.Monitor network traffic for anomalies.
B.Remove each backdoor individually using forensics.
C.Rebuild all affected systems from trusted backups after ensuring the attack vector is closed.
D.Isolate compromised segments from the rest of the network.
AnswerC

Correct: Ensures complete removal of persistence.

Why this answer

Option C is correct because rebuilding all affected systems from trusted images or backups, after the initial access vector has been closed, removes every backdoor, including the persistence mechanisms the forensic work did not find. Individual removal (Option B) is likely to miss some. Monitoring (Option A) and isolation (Option D) are detection and containment, not eradication. The rebuild must come from media or backups known to predate the intrusion; restoring a backdoored backup reinstalls the APT.

53
MCQeasy

An organization experiences a DDoS attack that overwhelms their internet connection. Which containment strategy would be MOST effective?

A.Shut down all external connectivity.
B.Change firewall rules to block all traffic.
C.Add more bandwidth to absorb the attack.
D.Contact the ISP for traffic scrubbing or blackhole routing.
AnswerD

Effective mitigation at network level.

Why this answer

Option D is correct because ISP-level scrubbing or blackhole routing drops the attack traffic upstream, before it reaches the saturated link; scrubbing leaves most legitimate traffic intact, while blackholing sacrifices reachability of the targeted address to protect the rest of the link. Option A takes the organization offline entirely, which is the attacker's goal. Option B has the same effect from the firewall, which in any case sits behind the saturated link and cannot relieve it. Option C rarely works against a volumetric attack, which can scale beyond any bandwidth the organization can buy.

54
MCQhard

A financial institution has a mature incident response program. During a security incident, the incident response team identifies that a business-critical application is affected. The team must decide whether to continue containing the incident or allow limited operations to continue. Which factor should be given the HIGHEST priority?

A.Maintaining customer trust.
B.Minimizing downtime of the application.
C.Regulatory compliance and data protection.
D.Preserving evidence for potential litigation.
AnswerC

Compliance and data protection are critical and must be prioritized.

Why this answer

In a mature incident response program, regulatory compliance and data protection take precedence because financial institutions are subject to strict data privacy laws (e.g., GDPR, PCI DSS, SOX) that mandate safeguarding sensitive data during an incident. Allowing limited operations could lead to unauthorized data exposure or breach of legal obligations, resulting in severe penalties and reputational damage that outweigh the benefits of continued uptime.

Exam trap

The trap here is that candidates often prioritize minimizing downtime (Option B) or preserving customer trust (Option A) because they focus on business continuity, but CISM emphasizes that regulatory compliance and data protection are non-negotiable and must override operational concerns during a security incident.

How to eliminate wrong answers

Option A is wrong because maintaining customer trust, while important, is a secondary outcome of proper incident handling and not the highest priority when regulatory mandates require immediate containment to prevent data loss. Option B is wrong because minimizing downtime of the application is a business continuity concern, but in a security incident, allowing operations to continue risks further compromise and data exfiltration, which can cause far greater long-term damage. Option D is wrong because preserving evidence for potential litigation is a consideration but should not override the immediate need to comply with data protection laws and stop ongoing unauthorized access or data leakage.

55
Drag & Dropmedium

Order the steps for establishing a security incident response team (IRT).


Why this order

Building an IRT starts with defining roles, then recruiting, developing procedures, acquiring tools, and testing.

56
MCQhard

After a ransomware attack, the incident response team successfully restores systems from backups. However, the ransomware encrypts files that were modified after the last backup was taken. Which of the following is the BEST way to minimize future data loss?

A.Train users to save files to network drives.
B.Perform full backups daily instead of weekly.
C.Implement a data loss prevention (DLP) system.
D.Use continuous data protection (CDP) with frequent snapshots.
AnswerD

Option D is correct because CDP provides near-real-time backup, minimizing data loss between backups.

Why this answer

Option D is correct because CDP provides near-real-time backup, minimizing data loss between backups. Option B is wrong because daily backups still leave a window of up to 24 hours. Option C is wrong because DLP prevents exfiltration, not data loss.

Option A is wrong because network drives also need backup.

57
MCQhard

A bank detects unusual activity on a server containing sensitive financial data. The activity appears to be from a compromised vendor account that has legitimate remote access to the server for maintenance. The incident manager must decide on containment while maintaining business operations. The vendor account has elevated privileges and is used for routine updates. Disabling the account would delay critical maintenance. What is the BEST course of action?

A.Contact the vendor to ask about the unusual activity.
B.Isolate the affected server from the network while allowing necessary access through a jump box.
C.Disable the vendor's account immediately.
D.Block all remote access from external IPs.
AnswerB

Contains the threat while maintaining essential vendor access securely.

Why this answer

Option B is correct because isolating the server and using a jump box allows controlled access while preventing further compromise. Option C is too disruptive. Option D may block legitimate vendors.

Option A does not address the immediate threat.

58
MCQmedium

A financial institution is designing an incident response plan. They want to ensure that during a ransomware incident, critical transaction systems can be restored within 4 hours. Which metric should be used to measure this requirement?

A.Mean Time to Repair (MTTR)
B.Recovery Time Objective (RTO)
C.Mean Time Between Failures (MTBF)
D.Recovery Point Objective (RPO)
AnswerB

RTO defines the maximum acceptable downtime.

Why this answer

The Recovery Time Objective (RTO) defines the maximum acceptable downtime after a disaster or incident, which directly aligns with the requirement to restore critical transaction systems within 4 hours. In incident management, RTO is the metric used to set the target for system recovery, ensuring business continuity. For ransomware incidents, RTO drives the restoration strategy and resource allocation to meet the 4-hour window.

Exam trap

The trap here is confusing RTO (time to restore) with RPO (data loss tolerance), as both are recovery metrics but address different dimensions—candidates often pick RPO when the question mentions 'restore' without carefully noting the time constraint for restoration versus data age.

How to eliminate wrong answers

Option A (Mean Time to Repair, MTTR) is wrong because MTTR measures the average time taken to repair a failed component after it has failed, not the maximum allowable downtime for a system; it is a reliability metric, not a recovery target. Option C (Mean Time Between Failures, MTBF) is wrong because MTBF measures the average time between inherent failures of a system, indicating reliability, not the recovery time requirement after an incident. Option D (Recovery Point Objective, RPO) is wrong because RPO defines the maximum acceptable data loss measured in time (e.g., how old the restored data can be), not the time to restore operations; it answers 'how much data can we lose?' not 'how fast must we recover?'.

59
MCQhard

After a security incident, the incident response team identifies that the root cause was a phishing email that bypassed the email filter. The email contained a malicious macro that executed PowerShell commands. Which control would be MOST effective in preventing similar incidents in the future?

A.Implement network segmentation for sensitive systems
B.Disable macros in documents originating from external sources
C.Deploy additional antivirus software on endpoints
D.Conduct security awareness training for all employees
AnswerB

This directly prevents the attack vector used in the incident.

Why this answer

Disabling macros in documents from external sources directly addresses the attack vector: the malicious macro that executed PowerShell commands. This control prevents the macro from running, regardless of the email filter's failure, by blocking the execution environment at the endpoint level. It is a preventive technical control that stops the attack before it can proceed.

Exam trap

The trap here is that candidates often choose security awareness training (D) because it seems like a broad solution, but the question asks for the 'most effective' control against a specific technical attack vector, and disabling macros is a direct technical prevention that does not rely on human behavior.

How to eliminate wrong answers

Option A is wrong because network segmentation limits lateral movement after a compromise but does not prevent the initial phishing email or macro execution. Option C is wrong because additional antivirus software relies on signature or heuristic detection, which can be bypassed by obfuscated or zero-day macros; it is a detective/reactive control, not a preventive one. Option D is wrong because security awareness training reduces human error but does not prevent the macro from executing if a user still opens the document; it is an administrative control, not a technical control that blocks the attack vector directly.

60
MCQmedium

An organization's incident response team is notified of a potential denial-of-service (DoS) attack targeting their web application. The team suspects a distributed denial-of-service (DDoS) attack. What is the FIRST step the team should take?

A.Contact the ISP to block the attacking IPs.
B.Shut down the web application to protect resources.
C.Implement rate limiting on the web server.
D.Analyze network traffic to confirm the attack.
AnswerD

Traffic analysis confirms the attack and provides details for response.

Why this answer

Before taking any action, the incident response team must first confirm that a DDoS attack is actually occurring. Analyzing network traffic (e.g., using NetFlow, sFlow, or packet capture) allows the team to distinguish a genuine DDoS from a flash crowd, a misconfiguration, or a legitimate spike in traffic. This step ensures that subsequent mitigation efforts are based on accurate evidence, preventing unnecessary disruption to services.

Exam trap

The trap here is that candidates often jump to immediate mitigation (blocking IPs or shutting down) without first verifying the incident, but the CISM framework emphasizes that the first step in incident response is always to confirm and characterize the event before taking action.

How to eliminate wrong answers

Option A is wrong because contacting the ISP to block attacking IPs is premature without first confirming the attack; moreover, in a DDoS, source IPs are often spoofed, making IP-based blocking ineffective and potentially blocking legitimate users. Option B is wrong because shutting down the web application is a drastic, last-resort action that should only be taken after confirming the attack and exhausting other mitigation options; it unnecessarily denies service to legitimate users. Option C is wrong because implementing rate limiting on the web server is a reactive mitigation step that should be applied only after the attack is confirmed and its characteristics (e.g., traffic patterns, protocols) are understood; premature rate limiting can inadvertently throttle legitimate traffic.

61
MCQeasy

During an incident, the incident response team needs to preserve evidence for legal proceedings. Which of the following is the MOST important action to take?

A.Create a forensic image of affected systems using write-blockers.
B.Document the incident in a free-form text.
C.Take screenshots of system logs.
D.Notify law enforcement immediately.
AnswerA

Option A is correct because creating a forensic image with write-blockers ensures evidence integrity.

Why this answer

Option A is correct because creating a forensic image with write-blockers ensures evidence integrity. Option C is wrong because screenshots can be altered. Option B is wrong because structured documentation is needed.

Option D is wrong because law enforcement is notified after evidence preservation.

62
MCQmedium

A company's incident response team uses a SIEM to detect security events. Which SIEM capability is MOST critical for early detection of a potential incident?

A.Correlation rules
B.Real-time alerting
C.User and entity behavior analytics (UEBA)
D.Long-term log retention
AnswerA

Correlation rules link related events across sources to detect attacks early.

Why this answer

Correlation rules analyze multiple log sources to identify patterns indicating an attack, enabling early detection. Real-time alerting (B) is important but relies on correlation. Log retention (D) aids investigation.

User and entity behavior analytics (C) is advanced but not the most critical for early detection.

63
Multi-Selecteasy

Which THREE steps are essential in the post-incident review process?

Select 3 answers
A.Identify lessons learned and process improvements
B.Update the incident response plan
C.Assign blame for the incident
D.Conduct a root cause analysis
E.Renew vendor contracts
AnswersA, B, D

Continuous improvement is a primary goal.

Why this answer

Options A, B, and D are correct: identifying improvements, updating the IRP, and root cause analysis are key. Option C is wrong because assigning blame is counterproductive. Option E is wrong because vendor contracts are not necessarily reviewed unless relevant.

64
MCQeasy

After a security incident, the incident response team prepares a report detailing the root cause, impact, and lessons learned. Who is the PRIMARY audience for this report?

A.The affected users
B.Senior management and the board of directors
C.The IT support team
D.External auditors
AnswerB

They need to make strategic decisions based on the incident.

Why this answer

The primary audience for a post-incident report detailing root cause, impact, and lessons learned is senior management and the board of directors. They require this information to make strategic decisions about risk acceptance, resource allocation for remediation, and to fulfill fiduciary duties regarding cybersecurity governance. The report provides the business context and financial impact necessary for executive-level oversight, not the technical details needed by operational teams.

Exam trap

The trap here is that candidates confuse the audience for the detailed technical incident report (which goes to IT and the incident response team) with the audience for the lessons-learned executive summary, which is specifically designed for senior management and the board.

How to eliminate wrong answers

Option A is wrong because affected users need only immediate guidance on how to resume normal operations and any required password resets, not a detailed root cause analysis or lessons learned. Option C is wrong because the IT support team requires operational runbooks and specific technical indicators (e.g., IOCs, log snippets, patch versions) to implement fixes, not a high-level executive summary. Option D is wrong because external auditors typically request evidence of incident response process compliance (e.g., chain of custody, timestamps, policy adherence) rather than the strategic lessons-learned report intended for internal governance.

65
Multi-Selectmedium

Which THREE of the following are common challenges in incident response? (Select exactly 3)

Select 3 answers
A.Over-reliance on cloud services
B.Poor coordination between teams
C.Insufficient staffing and expertise
D.Difficulty in identifying the root cause
E.Lack of proper tools and technology
AnswersB, C, E

Silos hinder effective response.

Why this answer

Poor coordination between teams (Option B) is a common challenge in incident response because security incidents often require collaboration across IT, legal, PR, and management. Without clear communication channels and predefined roles, response efforts become fragmented, leading to delays in containment and recovery. This is a well-documented issue in frameworks like NIST SP 800-61, which emphasizes the need for a coordinated incident response plan.

Exam trap

ISACA often tests the distinction between operational challenges during active response (coordination, staffing, tools) versus strategic or post-incident issues (cloud dependency, root cause analysis) to see if candidates confuse the incident response lifecycle phases.

66
MCQhard

An organization's incident response team uses a SIEM system to correlate logs. A malicious insider is able to cover their tracks by deleting logs from the SIEM. Which of the following is the BEST preventive control?

A.Alert when logs are deleted from SIEM.
B.Restrict SIEM access to authorized personnel only.
C.Require multifactor authentication for SIEM access.
D.Implement a separate, write-once log storage that is inaccessible to the SIEM.
AnswerD

Option D is correct because immutable log storage prevents tampering even if the SIEM is compromised.

Why this answer

Option D is correct because immutable log storage prevents tampering even if the SIEM is compromised. Option C is wrong because authentication does not prevent deletions by authorized users. Option A is wrong because alerting does not prevent deletion.

Option B is wrong because insiders may have authorized access.

67
MCQmedium

During a phishing campaign, several employees clicked a malicious link that downloaded a remote access trojan (RAT). The incident response team has isolated the infected endpoints and is analyzing network traffic. They suspect that data may have been exfiltrated but are unsure. The team needs to determine the extent of data exfiltration as quickly as possible. What action should the team take FIRST?

A.Review DNS logs for outbound connections to unknown destinations
B.Block the malicious domain at the firewall
C.Reset all employees' passwords
D.Run a full network scan for open ports
AnswerA

DNS logs can show queries to command-and-control or exfiltration domains, providing evidence.

Why this answer

Reviewing DNS logs can reveal connections to known malicious domains or unusual patterns, helping identify data exfiltration. Blocking the domain is a containment step but doesn't aid analysis. Running a network scan may be too broad.

Resetting passwords is important but not for detecting exfiltration.

68
MCQhard

You are the incident response manager for a multinational corporation that processes sensitive financial data. The company has a mature security operations center (SOC) that monitors network traffic, endpoints, and cloud services. At 2:00 AM local time, the SOC alerts you to a critical incident: an internal server (IP 10.10.10.50) is communicating with an external IP address (198.51.100.23) known to be associated with a ransomware group. The server hosts a financial database that is replicated to a secondary site every 6 hours. The last successful replication was at 1:00 AM. The SOC has already isolated the server from the network by blocking its outbound traffic at the firewall. However, the server is still running. The initial investigation suggests that the communication started 30 minutes ago. The database contains customer PII and transactional data. Your incident response plan includes steps for containment, eradication, recovery, and post-incident review. The CEO is being notified and expects a recommendation on the best course of action. The company has a cyber insurance policy that requires timely notification and preservation of evidence. The legal department advises that any action that could destroy evidence must be carefully considered. Which of the following is the BEST course of action?

A.Take a forensic image of the server's memory and disk for analysis, then rebuild the server from a known good backup.
B.Reconnect the server to the network and attempt to negotiate with the attacker if ransomware is detected.
C.Immediately wipe the server and restore from the 1:00 AM backup to minimize downtime.
D.Leave the server isolated but running to monitor the attacker's actions and gather intelligence.
AnswerA

Forensic imaging preserves evidence, and rebuilding ensures a clean system.

Why this answer

Option A is correct because it balances forensic preservation (memory and disk imaging) with recovery from a known good backup, ensuring evidence is intact for legal and insurance requirements while restoring operations. The server is isolated, so imaging can be done safely without risk of further compromise, and the 1:00 AM backup (just one hour before the 2:00 AM communication started) is likely clean, minimizing data loss.

Exam trap

ISACA often tests the misconception that immediate eradication (wiping) is faster and safer, but the trap here is that destroying evidence before forensic imaging violates legal and insurance requirements, and the isolated server can be safely imaged without risk of spread.

How to eliminate wrong answers

Option B is wrong because reconnecting the server to the network to negotiate with attackers would expose the environment to active ransomware deployment, violating containment principles and potentially destroying evidence. Option C is wrong because immediately wiping the server destroys volatile memory evidence (e.g., running processes, network connections) and disk artifacts needed for forensic analysis, which could violate cyber insurance policy requirements for evidence preservation. Option D is wrong because leaving the server isolated but running to monitor attackers risks the ransomware encrypting data in memory or triggering a delayed payload, and the SOC has already blocked outbound traffic, so no actionable intelligence can be gathered from a severed connection.

69
Multi-Selecthard

A security analyst reviews the following alert from the SIEM: 'Multiple failed login attempts from IP 10.0.0.5 to the domain controller within 5 minutes.' Which TWO actions should the analyst take as part of initial incident response?

Select 2 answers
A.Block the IP address in the firewall immediately.
B.Review authentication logs from other servers for similar patterns.
C.Escalate the alert to the incident response team.
D.Reset the password of the targeted account.
E.Check if the source IP belongs to an internal asset.
AnswersB, E

Correlation helps identify a broader attack.

Why this answer

Option B is correct because reviewing authentication logs from other servers for similar patterns helps determine if the failed login attempts are part of a broader brute-force or password-spraying attack targeting multiple systems, not just the domain controller. This lateral analysis is a key initial step in incident response to assess the scope and identify compromised accounts or additional indicators of compromise (IoCs). Option E is correct because verifying whether the source IP belongs to an internal asset is critical to distinguish between an external attacker and a misconfigured internal service or user, which directly impacts the response strategy (e.g., internal remediation vs. external threat containment).

Exam trap

The trap here is that candidates often confuse immediate containment (blocking the IP) with proper triage, failing to recognize that validating the source IP's ownership and correlating logs across systems are essential first steps before any irreversible action is taken.

70
MCQmedium

An incident response team discovers that an attacker used stolen credentials to access a database. Which step is MOST critical during the eradication phase?

A.Reset all passwords and revoke certificates.
B.Implement multi-factor authentication.
C.Patch the database server.
D.Restore the database from backup.
AnswerA

Eliminates attacker's access using stolen credentials.

Why this answer

Option A is correct because resetting passwords and revoking certificates removes the attacker's access. Options B, C, and D are either not eradication steps or less critical.

71
MCQmedium

You are a security analyst for a mid-sized e-commerce company. The company uses a cloud-based email service. Several employees report receiving phishing emails that appear to come from the CEO, asking them to purchase gift cards. The emails have a spoofed sender address but pass SPF and DKIM checks because the attacker compromised a legitimate email account. The CEO's account has been locked, but the attacker may have set up forwarding rules. You need to ensure the attacker cannot use the account further. Which option is the BEST course of action?

A.Block the CEO's email address at the gateway
B.Delete the account and create a new one
C.Restore from backup
D.Change password, enable MFA, and remove forwarding rules
AnswerD

This secures the account and cleans up attacker's persistence.

Why this answer

Option D is the best course of action because the attacker has already compromised the CEO's legitimate account, bypassing SPF and DKIM. Changing the password immediately revokes the attacker's session tokens and access, enabling MFA adds an additional authentication factor to prevent re-entry, and removing any forwarding rules stops the attacker from exfiltrating emails or continuing the phishing campaign through auto-forwarding. This directly addresses the root cause—the compromised account—without disrupting business continuity.

Exam trap

The trap here is that candidates may choose to block the email address at the gateway (Option A) thinking it stops the phishing, but they fail to realize the attacker still has full control of the account and can continue malicious activity without sending emails through the gateway.

How to eliminate wrong answers

Option A is wrong because blocking the CEO's email address at the gateway is a reactive measure that does not remove the attacker's access to the account; the attacker could still use the account to send emails internally or via other channels, and it would also block legitimate CEO emails. Option B is wrong because deleting the account and creating a new one is overly disruptive, causes loss of historical emails and continuity, and does not guarantee the attacker hasn't already set up forwarding rules or exfiltrated data; it also fails to address the need to secure the compromised account first. Option C is wrong because restoring from a backup taken before the compromise would revert the mailbox to a previous state but would not remove the attacker's current access (e.g., session tokens, forwarding rules set after the backup), and the attacker could still regain access if the password and MFA are not updated.

72
MCQhard

A financial institution has an incident involving a suspected data breach of customer PII. The incident response team contains the breach. What should be the NEXT priority according to legal and regulatory requirements?

A.Assess the extent of the breach.
B.Engage a public relations firm.
C.Notify affected customers.
D.Perform a root cause analysis.
AnswerA

Needed to determine legal notification requirements.

Why this answer

Option A is correct because assessing the extent of the breach determines the notification scope. Option B can wait. Option C follows after assessment.

Option D is secondary.

73
MCQmedium

During an incident investigation, the team discovers that a compromised account was used to exfiltrate data. Which of the following should the team do NEXT?

A.Determine the scope of the breach by analyzing accessed resources.
B.Reset the password and re-enable the account immediately.
C.Notify the affected users and customers.
D.Delete the compromised account from the system.
AnswerA

Option A is correct because understanding the scope is critical to effective containment and notification.

Why this answer

Option A is correct because understanding the scope is critical to effective containment and notification. Option B is wrong because re-enabling the account without analysis could allow continued access. Option C is wrong because notification should be based on confirmed impact.

Option D is wrong because deletion may destroy evidence.

74
MCQmedium

After containing a security incident, the team conducts a root cause analysis. They find the breach originated from a compromised third-party vendor account. What is the most effective long-term mitigation?

A.Increase logging on vendor accounts
B.Change all passwords manually
C.Implement vendor access reviews and enforce MFA
D.Terminate the vendor relationship
AnswerC

Correct: Reduces risk of future compromises from vendor accounts.

Why this answer

Implementing vendor access reviews and enforcing MFA addresses the root cause of unauthorized access.

75
MCQmedium

During the eradication phase of an incident response, which action is MOST critical to ensure the threat is fully removed?

A.Delete the malware files from the system.
B.Reset passwords for all user accounts.
C.Update antivirus signatures.
D.Reimage all affected systems from known-good backups.
AnswerD

Only way to guarantee removal of persistent threats.

Why this answer

Option D is correct because reimaging from known-good backups ensures no remnants of malware remain. Option C is not eradication but prevention. Option A may miss hidden malware.

Option B is a post-eradication step.
