CCNA Incident Management Questions

75 of 176 questions · Page 2/3 · Incident Management · Answers revealed

76
Multi-Select · easy

Which TWO of the following are PRIMARY goals of incident management according to industry best practices?

Select 2 answers
A. Restore normal operations as quickly as possible
B. Minimize business disruption
C. Document all steps for compliance
D. Assign blame to the responsible party
E. Increase the security budget
Answers: A, B

Timely restoration is a primary objective.

Why this answer

The primary goals are to minimize business disruption and to restore normal operations as quickly as possible. Assigning blame (D) is not a goal and discourages honest reporting; documenting steps (C) is important but supports the goals rather than being one; increasing the security budget (E) may be an outcome of a post-incident review, not an objective of managing the incident itself.

77
Multi-Select · easy

During the detection and analysis phase of incident response, which two activities are essential? (Choose two.)

Select 2 answers
A. Identifying indicators of compromise.
B. Restoring systems from backup.
C. Notifying regulatory bodies.
D. Applying security patches.
E. Determining the scope of the incident.
Answers: A, E

Correct: Critical for detection.

Why this answer

Options A and E are correct because identifying indicators of compromise and determining the scope of the incident are what turn an alert into an understood incident. Restoring from backup (B) is recovery, applying patches (D) is eradication, and notifying regulators (C) follows once the facts are established.

78
MCQ · medium

Based on the exhibit, which of the following is the MOST likely attack vector?

A. SQL injection attack
B. Privilege escalation via a compromised account
C. Phishing email with malicious attachment
D. Denial of service attack
Answer: B

The logs show signs of root-level access.

Why this answer

The exhibit shows a user account with administrative privileges being used from an unusual geographic location at an anomalous time, followed by lateral movement to a domain controller. This pattern indicates that the initial access was gained through a compromised account, which was then leveraged for privilege escalation to move laterally and access sensitive systems. The attack vector is the misuse of valid credentials, not an injection or social engineering attack.

Exam trap

ISACA often tests the distinction between the initial infection vector (e.g., phishing) and the attack vector used for lateral movement (e.g., compromised credentials), leading candidates to confuse the method of initial access with the method of privilege escalation.

How to eliminate wrong answers

Option A is wrong because SQL injection attacks target web application databases by inserting malicious SQL queries, and the exhibit shows no web application logs or database error messages; instead, it shows authentication events and lateral movement. Option C is wrong because a phishing email with a malicious attachment would typically result in malware execution or credential harvesting, but the exhibit shows direct use of a legitimate account without any indication of a phishing campaign or attachment download. Option D is wrong because a denial of service attack aims to overwhelm resources and disrupt availability, whereas the exhibit shows successful authentication and lateral movement, indicating an active compromise rather than a service disruption.

79
Multi-Select · medium

Which THREE of the following are considered key components of an incident response plan?

Select 3 answers
A. Post-incident review process
B. Communication escalation matrix
C. Roles and responsibilities
D. Network diagrams
E. Disaster recovery procedures
Answers: A, B, C

Lessons learned process is integral to improving incident management.

Why this answer

Key components include a communication escalation matrix, defined roles and responsibilities, and a post-incident review process. Disaster recovery procedures (E) belong to a separate plan that the incident response plan invokes, and network diagrams (D) are supporting reference material rather than a core component.

80
MCQ · hard

After a phishing attack, an organization's incident response team identifies that the attacker gained access to an email account and sent internal spear-phishing emails. What is the BEST immediate containment action?

A. Disable the compromised account
B. Reset all user passwords
C. Block the attacker's IP address at the firewall
D. Increase email filtering rules
Answer: A

Immediately disabling the account stops further abuse.

Why this answer

Option A is correct because disabling the compromised account stops the attacker from sending more internal spear-phishing from it. Option C is wrong because blocking the attacker's IP is ineffective when the abuse comes from an internal account that can be reached from any address. Option B is wrong because resetting every password in the domain is disruptive and does not isolate the immediate threat. Option D is wrong because email filtering may not block internal-to-internal mail.

Practitioner caveat: disabling the account blocks new sign-ins but does not end sessions the attacker already holds, so pair it with revoking the account's active sessions and tokens, resetting its credentials, and removing any forwarding or inbox rules the attacker added.

81
MCQ · hard

During a security incident, the incident response team discovers that an attacker used a previously unknown vulnerability (zero-day) in a widely used software. Which action should the team take to address this vulnerability in the short term?

A. Implement a virtual patch through an intrusion prevention system (IPS)
B. Recompile the software with additional security controls
C. Immediately disable the software across the organization
D. Deploy a vendor patch as soon as it becomes available
Answer: A

Virtual patching blocks exploit attempts while waiting for a permanent fix.

Why this answer

A vendor patch (D) does not yet exist for a zero-day, so it cannot be the short-term action, although it becomes the permanent fix once released. A virtual patch through an IPS (A) blocks the observed exploit traffic immediately and buys time until then. Recompiling the software (B) is not feasible for most organizations and does not reliably remove a flaw whose root cause is unknown. Disabling the software across the organization (C) may be too disruptive for widely used software, though it remains an option for the highest-risk systems.

Caveat: a virtual patch is a compensating control matched to the exploit traffic seen so far. Variants of the exploit, or traffic the IPS cannot inspect, can bypass it, so track it as a temporary measure and replace it with the vendor fix.

82
MCQ · medium

An organization's incident response plan includes a call tree. During an incident, the primary contact is unreachable. What should happen?

A. Escalate to senior management
B. Use a different communication method like email
C. Wait for the primary to become available
D. Move to the next person in the call tree
Answer: D

Correct: The call tree is designed with alternates.

Why this answer

The call tree should have alternates; proceeding to the next person ensures continuity.

83
MCQ · easy

A healthcare organization suffers a ransomware attack that encrypts critical patient data. The incident response team activates the incident response plan. The backup administrator reports that the most recent backups are from three days ago and are stored on a disconnected tape drive. However, the organization's legal counsel advises that according to regulatory requirements, patient data must be recoverable within 24 hours. The CEO is considering paying the ransom to avoid extended downtime and regulatory penalties. As the incident manager, what should you recommend?

A. Pay the ransom to ensure quick recovery and avoid regulatory penalties.
B. Report the incident to law enforcement and wait for a decryption key.
C. Restore from the tape backups and accept the three-day data loss.
D. Attempt to negotiate with the attackers for a lower ransom while simultaneously working on backup restoration.
Answer: C

Reliable backup restoration eliminates the need to pay and complies with data recovery, albeit with some loss.

Why this answer

Option C is correct because restoring from known-good offline backups is the established practice even at the cost of three days of data; the tape was disconnected, so it is the one copy the attacker could not reach. Paying the ransom (A) is discouraged, funds the attacker, and does not guarantee a working decryptor. Negotiating (D) is risky and time-consuming. Waiting for law enforcement to supply a decryption key (B) delays recovery, and a key may never come; law enforcement should still be notified, but not relied on for recovery. The 24-hour recovery requirement is a compliance exposure to document and report, not a reason to pay.

84
Multi-Select · hard

Which THREE of the following are best practices for handling evidence during an incident investigation?

Select 3 answers
A. Document all actions taken during evidence collection.
B. Maintain a chain of custody log.
C. Analyze evidence directly on live systems to avoid delays.
D. Create a forensic image of the affected systems.
E. Store evidence in its original location to avoid disturbance.
Answers: A, B, D

Documentation ensures reproducibility and legal admissibility.

Why this answer

Option A is correct because documenting all actions taken during evidence collection ensures the integrity and admissibility of evidence in legal proceedings. This documentation, often referred to as a 'paper trail' or 'audit log,' must include timestamps, personnel involved, tools used, and any deviations from standard procedures. Without it, the chain of custody is weakened, and the evidence may be challenged as unreliable or tampered with. Option B is correct because a chain of custody log records every hand-off of the evidence (who, when, why, and the hash of the item), which is what lets a court trust that the item examined is the item collected. Option D is correct because a forensic image, with its hash verified against the original, lets analysts work on a copy while the original stays untouched.

Exam trap

The trap here is that candidates may see 'analyze evidence directly on live systems' (Option C) as acceptable for speed, but CISM emphasizes preservation of evidence integrity over expedience, and 'store evidence in its original location' (Option E) may seem logical but violates the principle of securing evidence in a controlled chain of custody.

85
MCQ · medium

During incident response, a forensic investigator needs to collect evidence from a compromised server. Which action BEST preserves evidence integrity?

A. Perform a graceful shutdown
B. Create a network-based image
C. Pull the power cord
D. Copy files to an external drive
Answer: C

Hard power loss stops every process without giving the operating system or the attacker a chance to alter the disk.

Why this answer

Option C is the intended answer: pulling the plug preserves the disk exactly as it was at that instant, with no shutdown scripts, log rotation, temp-file cleanup, or attacker-planted shutdown hooks running. It does not preserve volatile memory: RAM contents are lost when power is cut, so if running processes, network connections, or encryption keys are needed they must be captured first with a memory acquisition tool (see question 105) and only then is the cord pulled. Option A is wrong because a graceful shutdown executes processes that can overwrite or destroy evidence. Option D is wrong because copying files through the live operating system changes access timestamps and captures only what the compromised OS chooses to show. Option B is wrong because a network-based image is taken while the system is still running and changing, and it depends on the possibly compromised OS to supply the data.
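The two questions above come down to one discipline: hash the evidence when it is acquired, record every hand-off, and re-verify before analysis. The script below is an added example written for this page, not code from the original quiz. It writes a constructed stand-in for a disk image, hashes it in a streaming fashion, keeps a chain-of-custody log in which each entry carries the SHA-256 of the previous entry, and shows that both a changed image and an edited log entry are detected. The image bytes, handler and tool names are constructed, and the JSON log layout is one assumed way to implement a custody record, not a standard format.

```python
"""Hash a forensic image and keep a tamper-evident chain-of-custody log
(questions 84 and 85).

Added example for this page, not code from the original quiz. The image bytes,
handler and tool names are constructed, and the log layout (JSON entries, each
carrying the SHA-256 of the previous entry) is an assumed implementation.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed stand-in for a disk image acquired with dd or FTK Imager.
CONSTRUCTED_IMAGE = b"NTFS    " + bytes(range(256)) * 64


def sha256_file(path, chunk=1 << 20):
    """Stream the file; real images are far larger than memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def entry_digest(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


def append_entry(log, **fields):
    """Who, when, what, which tool, which hash, plus a link to the previous entry."""
    entry = {"ts": datetime.now(timezone.utc).isoformat(),
             "prev": entry_digest(log[-1]) if log else None, **fields}
    log.append(entry)
    return entry


def acquire(log, image_path, handler, tool):
    return append_entry(log, action="acquired", evidence=os.path.basename(image_path),
                        handler=handler, tool=tool, sha256=sha256_file(image_path))


def verify(log, image_path, handler):
    """Re-hash the image and record the outcome, match or not."""
    name = os.path.basename(image_path)
    expected = next(e["sha256"] for e in log
                    if e["action"] == "acquired" and e["evidence"] == name)
    actual = sha256_file(image_path)
    append_entry(log, action="verified", evidence=name, handler=handler,
                 sha256=actual, match=(actual == expected))
    return actual == expected


def log_is_intact(log):
    """Recompute every prev link; an edited or removed entry breaks the chain."""
    return all(log[i]["prev"] == entry_digest(log[i - 1]) for i in range(1, len(log)))


def run_demo():
    """Acquire, verify, alter one byte of the image, verify again, then edit the log."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "srv01.dd")
        with open(image, "wb") as fh:
            fh.write(CONSTRUCTED_IMAGE)
        log = []
        acquire(log, image, handler="a.analyst", tool="dd (constructed run)")
        ok_before = verify(log, image, handler="b.examiner")
        with open(image, "r+b") as fh:       # one byte changed: the hash no longer matches
            fh.seek(100)
            fh.write(b"\x00")
        ok_after = verify(log, image, handler="b.examiner")
        intact = log_is_intact(log)
        log[0]["handler"] = "someone.else"   # rewriting history breaks the next prev link
        intact_after_edit = log_is_intact(log)
        return {"entries": len(log), "ok_before": ok_before, "ok_after": ok_after,
                "intact": intact, "intact_after_edit": intact_after_edit}


if __name__ == "__main__":
    print(run_demo())
```

The verification entries are appended whether or not the hash matches; a failed check is itself evidence that must be recorded, not silently dropped.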

86
MCQ · easy

Refer to the exhibit. The security analyst observes these alerts. What is the MOST likely sequence of events?

A. Insider threat: jsmith intentionally exfiltrated data
B. Attacker compromised jsmith's credentials, established C2, and exfiltrated data
C. Network scan from 10.0.0.45 triggered false positives
D. Malware downloaded on jsmith's workstation and exfiltrated data
Answer: B

Pattern matches credential compromise, C2, and exfiltration.

Why this answer

The correct sequence is that an attacker compromised jsmith's credentials, established command-and-control (C2) communication, and then exfiltrated data. The alerts show a brute-force or credential-stuffing attempt from the IP the exhibit labels as external (10.0.0.45) against jsmith's account, followed by an outbound C2 beacon (e.g., DNS or HTTP) from jsmith's workstation, and finally a large data transfer to an external destination. This matches the typical kill chain: initial access via compromised credentials, persistence via C2, and data exfiltration as the final objective. One practitioner note: 10.0.0.45 is RFC 1918 private address space, so on a real network it would be an internal host, most likely an already-compromised pivot, rather than an internet source; the chain and the answer are unchanged, but the scope of the incident would be wider.

Exam trap

ISACA often tests the distinction between a network scan and a targeted credential attack; the trap here is that candidates see the same source IP (10.0.0.45) and assume it is a scan, but the specific sequence of authentication failures followed by C2 and exfiltration indicates a successful compromise, not a reconnaissance scan.

How to eliminate wrong answers

Option A is wrong because the alerts show the authentication attempts originating from 10.0.0.45 rather than from jsmith's own workstation; an insider threat would show internal anomalies such as abnormal access times or data transfers to internal shares, not a credential attack followed by external C2 beacons. Option C is wrong because a network scan from 10.0.0.45 would generate many connection attempts to various ports and hosts, not a targeted credential attack against a single user followed by C2 traffic and data exfiltration; the sequence of authentication failures, beaconing, and data transfer indicates a targeted compromise, not a scan. Option D is wrong because malware downloaded on jsmith's workstation would typically show a file download event (e.g., an HTTP GET to a malicious URL) before C2 activity, but the first alert is the authentication failures, so credential compromise preceded any malware delivery.
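The reasoning above is a correlation rule: ordered stages for one user inside a time window, versus a fan-out of targets with no follow-on. The script below is an added example written for this page, not code from the original quiz. It walks constructed SIEM alerts for a user and reports how far down the chain (failed logons, success, C2 beacon, large transfer) they got, and separately tests whether a source address behaves like a scanner. The alert records, host names, addresses, field names and thresholds are all assumptions.

```python
"""Correlate SIEM alerts into a credential-compromise chain (question 86).

Added example for this page, not code from the original quiz. The alerts,
host names, addresses and field names (ts, kind, src, dst, port, user, bytes)
are constructed sample data over an assumed SIEM schema.
"""
from datetime import datetime, timedelta

# Constructed alert stream: three failed logons, a success, a beacon, a large transfer.
SAMPLE_ALERTS = [
    {"ts": "2024-03-01T02:10:05", "kind": "auth_failure", "src": "10.0.0.45", "dst": "dc01", "port": 445, "user": "jsmith"},
    {"ts": "2024-03-01T02:10:07", "kind": "auth_failure", "src": "10.0.0.45", "dst": "dc01", "port": 445, "user": "jsmith"},
    {"ts": "2024-03-01T02:10:09", "kind": "auth_failure", "src": "10.0.0.45", "dst": "dc01", "port": 445, "user": "jsmith"},
    {"ts": "2024-03-01T02:10:12", "kind": "auth_success", "src": "10.0.0.45", "dst": "dc01", "port": 445, "user": "jsmith"},
    {"ts": "2024-03-01T02:14:30", "kind": "c2_beacon", "src": "ws-jsmith", "dst": "203.0.113.7", "port": 443, "user": "jsmith"},
    {"ts": "2024-03-01T02:41:00", "kind": "large_transfer", "src": "ws-jsmith", "dst": "203.0.113.7", "port": 443, "user": "jsmith", "bytes": 2_400_000_000},
]

# Constructed scan: one source touching many host/port pairs, nothing afterwards.
SCAN_ALERTS = [
    {"ts": f"2024-03-01T03:00:{i:02d}", "kind": "connection_attempt", "src": "10.0.0.45",
     "dst": f"10.0.1.{i}", "port": p, "user": None}
    for i, p in enumerate([22, 80, 135, 445, 3389, 8080])
]

CHAIN = ["auth_success", "c2_beacon", "large_transfer"]


def parse_ts(value):
    return datetime.fromisoformat(value)


def classify_user_activity(alerts, user, window=timedelta(hours=2), min_failures=3):
    """Walk the user's alerts in time order and report how far down the chain they got."""
    events = sorted((a for a in alerts if a.get("user") == user), key=lambda a: parse_ts(a["ts"]))
    failures = [a for a in events if a["kind"] == "auth_failure"]
    if len(failures) < min_failures:
        return "no_credential_attack"
    start = parse_ts(failures[0]["ts"])
    deadline = start + window
    cursor = start
    reached = []
    for stage in CHAIN:
        # Each stage must occur after the previous one and inside the window.
        hit = next((a for a in events
                    if a["kind"] == stage and cursor <= parse_ts(a["ts"]) <= deadline), None)
        if hit is None:
            break
        reached.append(stage)
        cursor = parse_ts(hit["ts"])
    if reached == CHAIN:
        return "credential_compromise_chain"
    if reached:
        return "partial_chain:" + ",".join(reached)
    return "failed_credential_attack"


def looks_like_scan(alerts, src, min_targets=5):
    """A scan fans out to many host/port pairs and has no C2 or transfer follow-on."""
    from_src = [a for a in alerts if a["src"] == src]
    targets = {(a["dst"], a["port"]) for a in from_src}
    users_touched = {a.get("user") for a in from_src} - {None}
    follow_on = any(a["kind"] in ("c2_beacon", "large_transfer") and a.get("user") in users_touched
                    for a in alerts)
    return len(targets) >= min_targets and not follow_on


if __name__ == "__main__":
    print(classify_user_activity(SAMPLE_ALERTS, "jsmith"), looks_like_scan(SAMPLE_ALERTS, "10.0.0.45"))
    print(classify_user_activity(SCAN_ALERTS, "jsmith"), looks_like_scan(SCAN_ALERTS, "10.0.0.45"))
```

The partial-chain result is the useful one in practice: a run of failures followed by a success with no beacon yet is the moment to act on the account before the later stages appear.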

87
Drag & Drop · medium

Order the steps for a risk assessment process according to ISACA's risk management framework.


Why this order

Risk assessment starts with identification, then analysis, evaluation, treatment, and continuous monitoring.

88
MCQ · hard

During a security incident, the incident response team discovers that an attacker has exfiltrated data via an encrypted tunnel over HTTPS. Which log source is MOST likely to provide evidence of the exfiltration?

A. Web server access logs
B. Firewall logs
C. Intrusion detection system (IDS) logs
D. Proxy logs
Answer: D

Proxy logs can show all HTTPS traffic, including destinations and data sizes.

Why this answer

Option D is correct because proxy logs capture outgoing HTTPS connections, including the destination host and the byte counts in each direction, even when the payload itself is encrypted. Option A is wrong because web server logs record inbound requests to the organization's own servers, not outbound connections. Option B is wrong because firewall logs typically show only addresses, ports and counters, not the destination hostname or the request that carried the data. Option C is wrong because an IDS usually cannot inspect encrypted traffic and so will not have the content-based evidence.

Caveat: the proxy only sees what is routed through it. Exfiltration from a host that bypasses the proxy, or over a protocol the proxy does not handle, leaves firewall or NetFlow records as the fallback source.
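What the answer above relies on is that a TLS tunnel still leaves a destination, a time and a byte count in the proxy log. The script below is an added example written for this page, not code from the original quiz, and it also covers the encrypted-outbound-traffic scenario of question 99. It parses constructed proxy log lines, sums client-to-server bytes per client and destination, and flags volumes above a threshold to destinations that are not on an allowlist, noting when the destination is a bare IP address. The log lines use an assumed schema (ts, client, method, host:port, status, bytes from client, bytes to client) and the allowlist and threshold are assumptions; real proxies differ, and in Squid's default native format the size field is the reply size, so an exfiltration query needs a logformat that includes %>st, the bytes received from the client.

```python
"""Find exfiltration candidates in proxy logs (questions 88 and 99).

Added example for this page, not code from the original quiz. The log lines
are constructed and follow an assumed schema:
    ts client method host:port status bytes_from_client bytes_to_client
"""
from collections import defaultdict
from ipaddress import ip_address

PROXY_LOG = """\
2024-03-01T02:40:02 10.20.5.12 CONNECT db-backups.corp.example:443 200 18432 4096
2024-03-01T02:41:10 10.20.5.12 CONNECT 203.0.113.7:443 200 1258291200 65536
2024-03-01T02:55:47 10.20.5.12 CONNECT 203.0.113.7:443 200 1140850688 65536
2024-03-01T03:02:11 10.20.7.30 CONNECT www.microsoft.com:443 200 2048 1048576
2024-03-01T03:05:00 10.20.7.30 GET news.example.org:80 200 512 20480
"""

# Destinations the organization expects bulk uploads to (assumed allowlist).
ALLOWED_DESTINATIONS = {"db-backups.corp.example", "www.microsoft.com"}


def parse_proxy_log(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, target, status, out_bytes, in_bytes = line.split()
        host, _, port = target.rpartition(":")
        rows.append({"ts": ts, "client": client, "method": method, "host": host,
                     "port": int(port), "status": int(status),
                     "bytes_out": int(out_bytes), "bytes_in": int(in_bytes)})
    return rows


def is_raw_ip(host):
    """A bare IP destination skips DNS and is a common exfiltration tell."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def exfil_candidates(rows, allowed=ALLOWED_DESTINATIONS, threshold=500 * 1024 * 1024):
    """Sum client->server bytes per (client, host) and report pairs above the
    threshold that are not allowlisted. TLS hides the payload, but each CONNECT
    record still exposes destination, time and volume, which is all this needs."""
    totals = defaultdict(int)
    for r in rows:
        if r["host"] in allowed:
            continue
        totals[(r["client"], r["host"])] += r["bytes_out"]
    return {pair: {"bytes_out": total, "raw_ip_destination": is_raw_ip(pair[1])}
            for pair, total in totals.items() if total >= threshold}


if __name__ == "__main__":
    for (client, host), info in exfil_candidates(parse_proxy_log(PROXY_LOG)).items():
        print(f"{client} -> {host}: {info['bytes_out']} bytes out, raw IP: {info['raw_ip_destination']}")
```

The upload direction is the one that matters: the same host downloading a gigabyte from a CDN is unremarkable, which is why the check sums bytes_out rather than total volume.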

89
MCQ · medium

During an incident investigation, the response team discovers that the attacker exploited a known vulnerability for which a patch was available but not applied. What should be the team's primary focus during the recovery phase?

A. Applying the missing patch and ensuring all systems are updated.
B. Disciplining the employee responsible for patch management.
C. Conducting a lessons-learned meeting.
D. Reporting the incident to law enforcement.
Answer: A

Correct: Direct remediation of the vulnerability.

Why this answer

Option A is correct because applying the missing patch removes the vulnerability that was exploited and prevents recurrence when systems return to service. Disciplining the employee (B) and reporting to law enforcement (D) are secondary; a lessons-learned meeting (C) belongs to the post-incident phase, where the patch-management gap itself should be examined.

90
Multi-Select · hard

An incident response team is analyzing a phishing email that successfully compromised a user's credentials. Which TWO indicators of compromise (IOCs) should the team prioritize collecting? (Choose two.)

Select 2 answers
A. The user's browser history.
B. The IP address of the sending server.
C. The malicious URL or attachment hash.
D. The user's personal phone number.
E. The company's public website.
Answers: B, C

Option B is correct because the sending IP is a key IOC for attribution.

Why this answer

Options B and C are correct because the sending server's IP and the malicious URL or attachment hash are indicators the team can block at the mail gateway, proxy and endpoint, search for across other mailboxes, and share for attribution. Option A (browser history) may help reconstruct what the user clicked but is local evidence, not an indicator to distribute. Option D is irrelevant. Option E is the organization's own asset, not an indicator.

91
MCQ · medium

After an incident is contained and eradicated, the incident response team conducts a post-incident review. Which of the following is the PRIMARY objective of this review?

A. Update security policies
B. Determine the financial impact
C. Assign blame to the responsible parties
D. Identify process improvements
Answer: D

The review aims to find lessons learned and improve incident response processes.

Why this answer

Option D is correct: the main goal of a post-incident review is to identify process improvements so the next incident is prevented or handled better. Updating policies (A) and quantifying financial impact (B) may come out of the review, and assigning blame (C) is not an objective.

92
MCQ · medium

A multinational corporation has just detected a ransomware attack that encrypted critical files on a file server. The incident response team has been activated. Which of the following should be the FIRST action taken by the team?

A. Restore encrypted files from backup
B. Reboot the file server to clear the encryption
C. Isolate the affected systems from the network
D. Notify law enforcement
Answer: C

Isolation stops the ransomware from spreading and limits damage.

Why this answer

The first priority in ransomware incident response is containment to prevent the encryption from spreading to other systems. Isolating the affected file server from the network (e.g., disabling the network interface or disconnecting the cable) stops the ransomware from communicating with its command-and-control server and encrypting additional shares. This aligns with the NIST SP 800-61 containment strategy and ensures that the incident response team can safely preserve forensic evidence before any remediation.

Exam trap

The trap here is that candidates often choose 'Restore from backup' first because it seems like a direct fix, but CISM emphasizes containment before eradication or recovery to limit damage and preserve forensic integrity.

How to eliminate wrong answers

Option A is wrong because restoring from backup before containment risks re-encrypting the restored files if the ransomware is still active on the network, and it may overwrite forensic evidence. Option B is wrong because rebooting the file server does not clear encryption: ransomware encrypts files at rest with strong cryptography (typically a per-file symmetric key wrapped with the attacker's public key), and a reboot simply restarts the OS without reversing it; it may also trigger a persistence mechanism that resumes encrypting on startup. Option D is wrong because notifying law enforcement is a secondary step that should occur after containment and evidence preservation, and premature notification can delay critical containment actions.

93
Multi-Select · medium

Which TWO of the following are key components of an effective incident response plan?

Select 2 answers
A. A clear chain of command and escalation procedures.
B. Automatic detection and response tools.
C. Predefined response scripts for every possible incident.
D. A communication plan for internal and external stakeholders.
Answers: A, D

This ensures decision-making authority is defined.

Why this answer

A clear chain of command and escalation procedures ensure that during an incident, decision-making authority and notification paths are predefined, reducing confusion and enabling rapid, coordinated response. This aligns with NIST SP 800-61 incident response guidelines, which emphasize the need for defined roles and communication hierarchies to avoid delays or missteps in critical situations. A communication plan for internal and external stakeholders (D) defines who is told what, when, and by whom.

Exam trap

ISACA often tests the distinction between the plan's structural components (like chain of command and communication plans) and operational tools or overly rigid scripts, tempting candidates to select automatic tools or exhaustive scripts as key components when they are not foundational to the plan's design.

94
Multi-Select · hard

Which TWO of the following are appropriate actions to take during the detection phase of incident management?

Select 2 answers
A. Activate the incident response team
B. Collect and analyze logs
C. Rebuild systems from backups
D. Conduct root cause analysis
E. Preserve evidence
Answers: A, B

Once an incident is suspected, the team should be mobilized.

Why this answer

During detection, the organization activates the incident response team and collects and analyzes logs to confirm that an incident is occurring. Root cause analysis (D) comes later, evidence preservation (E) is emphasized once an incident is confirmed and containment begins, and rebuilding systems (C) is recovery.

95
MCQ · hard

A security operations center (SOC) analyst receives an alert from the SIEM indicating a potential command and control (C2) communication. The alert is based on a signature that matches known C2 traffic. What is the MOST appropriate next step?

A. Block the destination IP address at the firewall
B. Escalate the alert to the incident response team immediately
C. Verify the alert by correlating with other log sources
D. Perform a full antivirus scan on all endpoints
Answer: C

Correlation with other logs confirms whether it is a true positive.

Why this answer

Verifying the alert against other log sources (e.g., firewall, DNS, proxy) reduces false positives before escalating. Escalating immediately (B) may waste incident response resources on a signature misfire. Blocking the destination IP (A) could be premature if the destination is legitimate, and blocking alone does nothing about the host if it is compromised. A full antivirus scan on all endpoints (D) is a reactive, not an investigative, step.
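The verification step in this question, and the same step in question 106, is concrete enough to show as code. The script below is an added example written for this page, not code from the original quiz. Given a constructed SIEM signature alert, it checks the DNS log for the name the host resolved to the alerted destination, checks the firewall log for connections that were actually allowed, measures how evenly spaced those connections are (a fixed-interval pattern is the beaconing tell), and returns a verdict with the evidence behind it. The alert, the DNS and firewall lines, the addresses, the CDN allowlist and the regularity threshold are all assumptions.

```python
"""Verify a C2 signature alert against DNS and firewall logs (questions 95 and 106).

Added example for this page, not code from the original quiz. The alert, the
log lines, the addresses and the CDN allowlist are constructed, and the log
schemas (space-separated fields, shown above each sample) are assumptions.
"""
import statistics
from datetime import datetime

# Constructed SIEM alert: signature match for known C2 traffic.
C2_ALERT = {"host": "10.20.5.12", "dst": "203.0.113.7", "dport": 443,
            "signature": "constructed C2 beacon signature"}

# ts client rtype name answer
DNS_LOG = """\
2024-03-01T01:59:58 10.20.5.12 A updates.telemetry-sync.example 203.0.113.7
2024-03-01T01:59:59 10.20.7.30 A cdn.example-static.net 198.51.100.20
"""

# ts src dst dport action
FW_LOG = """\
2024-03-01T02:00:00 10.20.5.12 203.0.113.7 443 ALLOW
2024-03-01T02:05:01 10.20.5.12 203.0.113.7 443 ALLOW
2024-03-01T02:10:00 10.20.5.12 203.0.113.7 443 ALLOW
2024-03-01T02:14:59 10.20.5.12 203.0.113.7 443 ALLOW
2024-03-01T02:20:02 10.20.5.12 203.0.113.7 443 ALLOW
2024-03-01T02:00:00 10.20.7.30 198.51.100.20 443 ALLOW
2024-03-01T02:00:03 10.20.7.30 198.51.100.20 443 ALLOW
2024-03-01T02:07:41 10.20.7.30 198.51.100.20 443 ALLOW
2024-03-01T02:33:10 10.20.7.30 198.51.100.20 443 ALLOW
"""

KNOWN_CDN_DOMAINS = {"cdn.example-static.net"}   # assumed allowlist


def resolved_names(dns_text, client, ip):
    """Domains this client resolved to the alerted destination."""
    names = set()
    for line in dns_text.splitlines():
        if not line.strip():
            continue
        _, src, _, name, answer = line.split()
        if src == client and answer == ip:
            names.add(name)
    return names


def allowed_connections(fw_text, client, ip, port):
    """Timestamps of connections the firewall actually let through."""
    times = []
    for line in fw_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, action = line.split()
        if src == client and dst == ip and int(dport) == port and action == "ALLOW":
            times.append(datetime.fromisoformat(ts))
    return sorted(times)


def beacon_regularity(times):
    """Coefficient of variation of the gaps between connections; near 0 means a fixed-interval beacon."""
    if len(times) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return statistics.pstdev(gaps) / statistics.mean(gaps)


def verify_c2_alert(alert, dns_text=DNS_LOG, fw_text=FW_LOG,
                    cdn_allowlist=KNOWN_CDN_DOMAINS, max_cv=0.1):
    """Decide whether the signature alert is worth escalating, and say why."""
    names = resolved_names(dns_text, alert["host"], alert["dst"])
    conns = allowed_connections(fw_text, alert["host"], alert["dst"], alert["dport"])
    cv = beacon_regularity(conns)
    evidence = {"resolved_names": sorted(names), "allowed_connections": len(conns),
                "gap_cv": None if cv is None else round(cv, 4)}
    if not conns:
        return "false_positive_likely", evidence   # signature fired but nothing got through
    if names & cdn_allowlist:
        return "benign_likely", evidence           # destination belongs to an allowlisted CDN
    if cv is not None and cv <= max_cv:
        return "true_positive_likely", evidence    # repeated, evenly spaced, allowed connections
    return "needs_analyst", evidence


if __name__ == "__main__":
    print(verify_c2_alert(C2_ALERT))
```

The verdict is returned together with the evidence so that the escalation (question 95, option B) or the containment (question 101) that follows is based on facts the next responder can re-check, not on the analyst's summary alone.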

96
MCQ · easy

A company's IDS alerts on a potential breach. The incident response team is called. What should they do immediately?

A. Verify the alert and assess scope
B. Disconnect all network cables
C. Notify law enforcement
D. Reimage affected systems
Answer: A

Correct: Verification confirms the alert and assessment determines the extent.

Why this answer

The first step is to verify the alert and assess the scope, to determine whether it is a true positive and to understand the impact before taking disruptive action.

97
Multi-Select · easy

Which TWO of the following are indicators of a potential security incident?

Select 2 answers
A. Low disk space on a file server.
B. Multiple unexpected system reboots.
C. A new version of a critical software released.
D. A successful login by an authorized user.
E. Unusual outbound network traffic from a server.
Answers: B, E

May indicate malware or unauthorized activity.

Why this answer

Multiple unexpected system reboots (B) are a strong indicator of a potential security incident because they may result from malware, kernel-level exploits, or denial-of-service attacks that crash the operating system. Unusual outbound network traffic from a server (E) often indicates data exfiltration, command-and-control (C2) communication, or a compromised service sending sensitive data to an external host. Both behaviors deviate from baseline operations and warrant immediate investigation under the Incident Management domain.

Exam trap

ISACA often tests the distinction between operational issues (like low disk space) and true security incident indicators, trapping candidates who confuse performance alerts with signs of compromise.

98
MCQ · easy

An organization's security monitoring system detects multiple failed login attempts from an internal IP address to a critical database server. The attempts are occurring every few seconds. What is the FIRST step the incident response team should take?

A. Block the IP address at the firewall immediately.
B. Disable the database server to prevent data breach.
C. Verify whether the activity is legitimate.
D. Reset the password of the database service account.
Answer: C

Verification prevents unnecessary actions and confirms the incident.

Why this answer

The first step is to verify whether the activity is legitimate or malicious (a misconfigured service account retrying with a stale password produces exactly this pattern) to avoid acting on a false positive and to understand the context.

99
MCQ · medium

A security analyst detects unusual outbound network traffic from a database server to an unknown IP address. The traffic uses encrypted connections on port 443. Which type of attack is MOST likely occurring?

A. Data exfiltration
B. SQL injection
C. Ransomware
D. Denial of service
Answer: A

Encrypted outbound traffic to an unknown IP is a classic sign of data exfiltration.

Why this answer

Encrypted outbound traffic on port 443 (HTTPS) from a database server to an unknown IP is a classic indicator of data exfiltration. Attackers use encrypted channels because the payload cannot be inspected by DLP or IDS/IPS unless TLS interception is deployed; even then, the destination, timing and volume remain visible, and a database server initiating large outbound transfers to an unknown address is anomalous on those grounds alone. The database server is a high-value target for sensitive data, making this the most likely attack scenario.

Exam trap

The trap here is that candidates may confuse the encrypted traffic on port 443 with legitimate database replication or backup traffic, but the unknown destination IP and the unusual outbound pattern from a database server are key red flags for exfiltration, not a normal administrative function.

How to eliminate wrong answers

Option B is wrong because SQL injection is an initial access or data manipulation technique that typically generates database query errors or unexpected SQL traffic, not encrypted outbound connections to unknown IPs. Option C is wrong because ransomware usually involves file encryption and ransom notes, often using known C2 servers or SMB/HTTP for propagation, not stealthy encrypted outbound data streams from a database server. Option D is wrong because a denial of service attack aims to overwhelm resources with high-volume traffic, not stealthy encrypted connections on a single port to an unknown IP.

100
Multi-Select · hard

A security team detects lateral movement within the network using PowerShell scripts. Which TWO actions are MOST effective to contain the threat?

Select 2 answers
A. Conduct memory forensics on affected endpoints.
B. Implement network segmentation to isolate affected VLANs.
C. Disable PowerShell remoting on all systems.
D. Apply the latest security patches to all systems.
E. Isolate the affected systems immediately.
Answers: C, E

Prevents further use of PowerShell for lateral movement.

Why this answer

Options C and E are correct because isolating the affected systems immediately stops the lateral spread, and disabling PowerShell remoting removes the channel being used to move. Option A (memory forensics) is investigation, not containment. Option B (segmenting VLANs) is a containment measure, but it is a slower and broader change than isolating the hosts already known to be affected. Option D (patching) is eradication or hardening, not containment.

Caveat: disabling PowerShell remoting everywhere also breaks legitimate WinRM-based administration, so in practice teams scope the change to the affected systems and pair it with resetting the credentials the attacker used, since those credentials work over any remaining remote-management channel.

101
MCQ · hard

The SIEM alerts on this traffic. What should the incident analyst do FIRST?

A. Isolate the host for investigation.
B. Accept the traffic as normal.
C. Block the IP at the firewall.
D. Check if the destination is a legitimate CDN.
Answer: A

Threat intelligence points to C2, so isolating the host is the first containment step.

Why this answer

Option A is correct because the threat intelligence suggests C2, so isolating the host prevents further data loss or lateral movement while the investigation proceeds. Option C (blocking the IP at the firewall) is a reasonable follow-up but does nothing about the implant on the host, which can fail over to another C2 address. Option D (checking whether the destination is a legitimate CDN) is worth doing, but not before containment when the intelligence already points to C2. Option B is incorrect.

102
MCQ · medium

Refer to the exhibit. Given the exhibit, which type of incident is MOST likely occurring?

A. Phishing campaign
B. Ransomware attack
C. Insider threat
D. DDoS attack
Answer: C

The user's behavior, accessing and exfiltrating sensitive data, is characteristic of an insider threat.

Why this answer

Option C is correct. The exhibit shows a user logging in from an unusual location, attempting unauthorized access, and then exfiltrating sensitive data. This pattern is indicative of an insider threat, as it involves a legitimate user performing malicious actions. A phishing campaign (A), ransomware (B), and DDoS (D) would each show different artifacts: inbound lures, mass file encryption, or availability loss.

103
MCQ · easy

Based on the exhibit, which role is responsible for notifying affected users about the phishing attack?

A. Technical Lead
B. Legal Counsel
C. Incident Response Manager
D. Communications Lead
Answer: D

The communications lead handles internal and external communications.

Why this answer

The Communications Lead is responsible for notifying affected users about the phishing attack because this role manages external and internal communications, including user notifications, during an incident. In the exhibit, the Communications Lead is explicitly assigned the task of 'Notify affected users' under the communication plan, ensuring timely and accurate messaging to reduce further risk.

Exam trap

ISACA often tests the misconception that the Incident Response Manager handles all communications, but the trap here is that the IR Manager delegates user notification to the Communications Lead to maintain separation of duties and focus on technical containment.

How to eliminate wrong answers

Option A is wrong because the Technical Lead focuses on technical remediation (e.g., isolating systems, analyzing logs) and does not handle user notifications, which is a communications function. Option B is wrong because Legal Counsel advises on regulatory compliance and liability but does not directly notify users; their role is to review messaging for legal risk, not to execute the notification. Option C is wrong because the Incident Response Manager coordinates the overall response and decision-making but delegates user notification to the Communications Lead to avoid bottlenecks and ensure specialized handling.

104
MCQ · easy

An organization has an incident response plan that designates a primary and alternate incident response team. During a simulated ransomware attack, the primary team is unavailable. What should the alternate team do FIRST?

A. Contact the primary team members for instructions.
B. Declare a disaster and escalate to senior management.
C. Execute the incident response plan as documented.
D. Assess the situation and then activate the plan.
Answer: D

Assessment first ensures an appropriate response based on current conditions.

Why this answer

Option D is correct because the alternate team must first assess the situation to understand the scope, impact, and validity of the ransomware attack before activating the plan. This aligns with the NIST SP 800-61 incident response lifecycle, where detection and analysis precede containment, eradication, and recovery. Jumping directly to execution without assessment could lead to inappropriate response actions, such as isolating systems that are not affected or failing to preserve critical forensic evidence.

Exam trap

The trap here is that candidates often confuse 'activating the plan' with 'executing the plan immediately,' but CISM emphasizes that assessment is a mandatory first step before any plan activation to ensure the response is appropriate for the specific incident.

How to eliminate wrong answers

Option A is wrong because the primary team is unavailable by design in this scenario, and contacting them for instructions would cause unnecessary delay and defeat the purpose of having an alternate team. Option B is wrong because declaring a disaster and escalating to senior management is premature; the incident must first be assessed to determine whether it meets the disaster declaration criteria, which typically involve significant business impact or data loss. Option C is wrong because executing the incident response plan as documented without first assessing the situation ignores the need to tailor the response to the specific ransomware variant, affected systems, and current network state, which could lead to ineffective or harmful actions.

105
MCQ · hard

An organization's incident response policy requires preserving evidence in its original state. During a live incident on a critical server, the incident response team needs to capture volatile data, such as running processes and network connections, which would be lost if the system were shut down. The team has a forensic workstation with various tools. What tool should the team use to capture the volatile data before taking the system offline?

A. WinHex
B. dd command
C. FTK Imager
D. Memory dump tool (e.g., winpmem)
Answer: D

Memory dump tools are designed to capture volatile data from RAM.

Why this answer

Volatile data in memory is best captured with a dedicated memory acquisition tool such as winpmem. FTK Imager and WinHex are primarily disk imaging and hex editing tools. The dd command images block devices; on modern Linux, direct access to physical memory through /dev/mem is restricted, so memory acquisition there also needs a dedicated tool (a kernel-module acquirer such as LiME) rather than dd.

Order matters: acquire memory first, record the hash of the dump, and only then take the system offline (compare question 85).

106
MCQ · medium

A security operations center analyst receives an alert from the SIEM indicating a possible data exfiltration. The analyst is unsure if it is a true positive. What is the MOST appropriate action?

A. Review additional logs to confirm
B. Escalate to the incident response manager
C. Immediately block the source IP
D. Quarantine the affected system
Answer: A

Reviewing additional logs provides context and helps confirm whether the alert represents a true incident.

Why this answer

Option A is correct: before escalating (B) or taking containment actions (C, D), the analyst should gather additional evidence, such as proxy byte counts, DNS resolutions and firewall records for the destination, to confirm the alert.

107
Multi-Select · medium

Which TWO actions are essential during the detection and analysis phase of incident response?

Select 2 answers
A. Notify law enforcement
B. Disconnect affected systems
C. Determine the scope of the incident
D. Rebuild systems
E. Identify indicators of compromise (IOCs)
Answers: C, E

Correct: Scope assessment is essential to understand impact.

Why this answer

Identifying indicators of compromise and determining the scope are the critical activities of detection and analysis; disconnecting systems (B) is containment, rebuilding (D) is recovery, and notifying law enforcement (A) follows once the incident is understood.

108
MCQ · medium

A company's incident response team is handling a confirmed ransomware infection that has encrypted files on several servers. The IT director requests that the team immediately restore data from backups to minimize downtime. However, the team suspects that the backup repository may also be compromised because the attacker had administrative credentials. What is the BEST course of action?

A. Proceed with restoration from the most recent backup to restore operations quickly.
B. Rebuild the servers from scratch and restore from an offline backup taken before the compromise.
C. First, clean the backup repository and verify integrity before restoring to prevent re-infection.
D. Engage law enforcement before any restoration activities.
Answer: B

This ensures no malware is reintroduced and the backup is trusted.

Why this answer

Option B is correct because restoring from a known clean offline backup (taken before the compromise) ensures the malware is not reintroduced. Option A risks re-infection. Option C cleans the backup repository but may still restore compromised data.

Option D delays recovery unnecessarily.

109
MCQ · easy

After a security incident, which step should be taken first?

A. Recovery
B. Lessons learned
C. Containment
D. Eradication
Answer: C

Correct: Immediate containment stops the incident from spreading.

Why this answer

Containment is the first priority to prevent further damage. Eradication, recovery, and lessons learned come later.

110
MCQ · easy

Based on the incident response policy exhibit, which phase should include notifying external stakeholders such as law enforcement?

A. Recovery
B. Post-Incident
C. Detection
D. Containment
Answer: B

Post-incident includes reporting and lessons learned, which may involve external notifications.

Why this answer

B is correct because the post-incident phase is the appropriate time to notify external stakeholders such as law enforcement, as it occurs after containment and eradication are complete. During this phase, the incident is fully documented, evidence is preserved, and legal obligations (e.g., breach notification laws like GDPR Article 33 or HIPAA Breach Notification Rule) are fulfilled. Notifying law enforcement earlier could compromise forensic integrity or operational continuity, so it is deliberately deferred to the post-incident stage.

Exam trap

ISACA often tests the misconception that law enforcement must be notified immediately upon detection, but the correct timing is after containment and eradication to avoid compromising evidence and operational response.

How to eliminate wrong answers

Option A is wrong because the recovery phase focuses on restoring systems to normal operations, not on external notifications; law enforcement involvement would disrupt recovery efforts. Option C is wrong because the detection phase is about identifying potential incidents via alerts (e.g., from SIEM or IDS), not about stakeholder communication; premature notification could lead to false alarms. Option D is wrong because the containment phase aims to isolate the incident to prevent further damage (e.g., via network segmentation or host isolation), and involving law enforcement at this stage could interfere with rapid containment actions.

111
MCQ · easy

During an incident investigation, the incident response team needs to collect volatile data from a compromised server. Which of the following data should be collected FIRST?

A. Contents of system memory (RAM)
B. Network connection logs from the firewall
C. Contents of the hard drive
D. Event logs from the system
Answer: A

Memory is the most volatile and should be captured first.

Why this answer

Volatile data, such as the contents of system memory (RAM), is lost when the system is powered off. Collecting RAM first preserves evidence of running processes, network connections, and encryption keys that would otherwise be destroyed. This follows the order of volatility (RFC 3227), which mandates capturing the most volatile data first.

Exam trap

The trap here is that candidates often prioritize persistent data like hard drive contents or logs, mistakenly thinking they are more important, but the order of volatility dictates that transient data in RAM must be captured first to avoid permanent loss.

How to eliminate wrong answers

Option B is wrong because network connection logs from the firewall are non-volatile and stored on a separate device, so they can be collected later without risk of loss. Option C is wrong because the contents of the hard drive are non-volatile and can be imaged after the system is powered down, but collecting it first would risk overwriting volatile data in RAM. Option D is wrong because event logs from the system are stored on the hard drive and are non-volatile; they can be collected after volatile data has been captured.

112
MCQ · hard

An incident response team is dealing with a persistent threat that uses fileless malware. Which containment strategy is most effective?

A. Isolate affected endpoints from the network while preserving memory
B. Disable user accounts
C. Block known malicious IPs
D. Reimage all endpoints
Answer: A

Correct: Contains the threat and preserves forensic data.

Why this answer

Isolating affected endpoints preserves volatile memory evidence needed to analyze fileless malware.

113
Multi-Select · easy

Which TWO of the following are primary goals of the containment phase in incident response? (Select TWO)

Select 2 answers
A. Restore normal business operations
B. Eradicate the root cause of the incident
C. Preserve evidence for legal proceedings
D. Prevent the incident from spreading to other systems
E. Limit the scope and impact of the incident
Answers: D, E

Containment includes isolating affected systems to prevent spread.

Why this answer

Correct: Limiting the scope and impact (E) and preventing spread to other systems (D) are containment goals. Eradication (B) is a separate phase. Preserving evidence (C) is important but not primary in containment, and restoring operations (A) is recovery.

114
MCQ · easy

Based on the exhibit, what is the PRIMARY risk of the automated response policy as configured?

A. Blocking the IP may be ineffective against dynamic IPs
B. The SOC manager may not receive notifications in time
C. Automatic approval may cause unnecessary disruption on false positives
D. The trigger severity is too low
Answer: C

Without manual validation, false positives can lead to business impact.

Why this answer

Option C is correct because auto-approve means the actions execute without human review, which could block legitimate traffic or isolate critical systems on a false positive. Option B is wrong because notifying the SOC manager is a good practice. Option A is wrong because blocking an IP is a common action.

Option D is wrong because the trigger level is appropriate for high-severity alerts.

115
MCQ · medium

During the identification phase of incident response, which of the following is the MOST reliable indicator of a security incident?

A. A network administrator notices unusual traffic patterns.
B. An employee reports slow computer performance.
C. A vendor sends a vulnerability disclosure.
D. Antivirus software detects a known malware signature.
Answer: D

Direct evidence of malware infection.

Why this answer

Option D is correct because antivirus detection of a known malware signature is a definitive indicator. Options A and B are ambiguous. Option C is a potential threat but not an incident.

116
MCQ · medium

A company's incident response team is conducting a tabletop exercise. They are discussing the steps after containment to prevent recurrence. The facilitator asks: 'What is the MOST important next step after containing an incident?' The team considers several options.

A. Identify the root cause of the incident
B. Update the incident response plan with lessons learned
C. Forensically image all affected systems
D. Notify law enforcement about the incident
Answer: A

Root cause analysis is essential to prevent recurrence by addressing the underlying vulnerability or process gap.

Why this answer

Option A is correct because after containment, identifying the root cause is crucial to implement corrective actions and prevent recurrence. Option C (forensic imaging) is typically done during containment to preserve evidence. Option D (notify law enforcement) may be required but is not the immediate next step for prevention.

Option B (update the incident response plan) is part of post-incident review, not immediate.

117
Multi-Select · hard

Which THREE are valid sources for threat intelligence that can be used during incident response? (Choose three.)

Select 3 answers
A. Social media posts from employees
B. Industry information sharing groups
C. Vendor vulnerability databases
D. Open-source intelligence (OSINT)
E. Internal network traffic logs
Answers: B, C, D

Information sharing groups (e.g., ISACs) provide curated threat intelligence from peer organizations.

Why this answer

OSINT, industry information sharing groups, and vendor vulnerability databases are established threat intelligence sources. Social media posts from employees are unreliable, and internal network traffic logs are operational data, not threat intelligence.

118
MCQ · hard

An organization has just recovered from a ransomware attack and restored systems from backups. Before returning to normal operations, what is the MOST important step?

A. Update the incident response plan.
B. Test the restored systems to ensure functionality and security.
C. Notify stakeholders.
D. Conduct a root cause analysis.
Answer: B

Critical to confirm no residual malware or misconfiguration.

Why this answer

Option B is correct because testing restored systems ensures functionality and no residual threats. Options A, C, and D are steps that follow after validation.

119
Multi-Select · hard

Which THREE of the following are essential components of an incident response plan? (Select exactly 3)

Select 3 answers
A. A list of all software licenses in the organization
B. Annual budget for security tools
C. Communication plan for internal and external stakeholders
D. Roles and responsibilities of the incident response team
E. Step-by-step procedures for handling different types of incidents
Answers: C, D, E

Communication is critical during incidents.

Why this answer

A communication plan is essential because it defines how the incident response team will coordinate internally and notify external stakeholders such as regulators, law enforcement, customers, and the media. Without a predefined communication plan, critical updates may be delayed or mishandled, leading to regulatory penalties or reputational damage. This aligns with NIST SP 800-61 and CISM best practices for incident management.

Exam trap

ISACA often tests the distinction between operational incident response components (roles, procedures, communication) and supporting organizational artifacts (licenses, budgets) that are not part of the actual response plan.

120
MCQ · medium

During incident response, a team discovers that a phishing email successfully compromised a user's credentials. Which containment strategy would BEST limit further damage?

A. Disable the user account
B. Restore the user's system from a backup
C. Block the sender's IP address at the firewall
D. Change all user passwords
Answer: A

Disabling the account effectively blocks the attacker's current access and prevents further actions using that identity.

Why this answer

Disabling the user account immediately stops any ongoing misuse of the compromised credentials, preventing the attacker from accessing additional resources. Option A is correct.

121
MCQ · easy

A security analyst detects unusual outbound traffic from a critical server to an unknown external IP address during business hours. Which step should be taken FIRST in the incident response process?

A. Notify law enforcement about the potential breach
B. Isolate the server from the network immediately
C. Contact the server owner to verify the traffic
D. Report the incident to senior management
Answer: C

Verifying with the server owner confirms whether the traffic is authorized, a crucial first step.

Why this answer

The first step is to verify whether the traffic is legitimate or malicious. Contacting the server owner helps determine if the traffic is authorized, preventing unnecessary escalation. Immediate containment (B) is premature without verification.

Reporting to management (D) or law enforcement (A) occurs after confirmation.

122
Multi-Select · easy

Which THREE of the following are key components of an incident response plan?

Select 3 answers
A. List of external contacts (law enforcement, legal, etc.).
B. Annual budget for cybersecurity tools.
C. Communication templates for internal and external stakeholders.
D. Detailed step-by-step procedures for each incident type.
E. Identification of incident response team members and roles.
Answers: A, C, E

Needed for escalation and notification.

Why this answer

Options A, C, and E are correct because the plan should include team members, external contacts, and communication templates. Detailed procedures are in playbooks, not the plan itself. Budget is separate.

123
MCQ · medium

Your organization is a multinational corporation with a hybrid cloud infrastructure, including on-premises data centers and AWS, Azure, and GCP environments. You have a distributed incident response team and a central SIEM that aggregates logs from all sources. You are the incident manager on duty when an alert fires indicating that a high-privilege user account (a domain admin) has been observed logging in from an IP address in a country where the company has no operations, at 3:00 AM local time. Subsequent investigation reveals that the same account also has a successful logon from the corporate headquarters at the same time, which is geographically impossible. The SIEM shows a single event for the suspicious logon, and no other indicators of compromise are present. The account has not been used for months. What is the BEST course of action?

A. Restore the domain controller from a recent backup to ensure any malware is removed.
B. Immediately disable the account and reset the password, then begin a forensic investigation to determine the scope of compromise.
C. Contact the employee who owns the account to ask if they recently traveled or used a VPN.
D. Ignore the alert as it is likely a false positive due to SIEM misconfiguration or time zone discrepancy.
Answer: B

Disabling and resetting the account stops any ongoing malicious activity, and investigation can then proceed safely.

Why this answer

Option B is correct because immediate containment (disable account, reset password) is critical to prevent further unauthorized access, followed by forensic investigation. Option D is risky as it may delay action. Option C could alert a potential attacker.

Option A is premature and not targeted.

124
MCQ · medium

Based on the exhibit, what is the MOST likely scenario?

A. A user is performing a scheduled task that requires authentication.
B. A user forgot their password and successfully logged in after retrying.
C. An attacker brute-forced the password and then used the credentials to access a file server.
D. A system administrator is testing password policies.
Answer: C

The sequence indicates successful guess followed by lateral movement.

Why this answer

The exhibit shows multiple failed authentication attempts (Event ID 4625) from a single user account within a short time window, followed by a successful logon (Event ID 4624) and then an access event to a file share (Event ID 5140). This pattern of rapid, repeated failures culminating in a single success is characteristic of a brute-force attack, where the attacker guesses the password and then uses the compromised credentials to access a file server.

Exam trap

The trap here is that candidates may misinterpret the failed logons as a user simply forgetting their password (Option B), but the rapid, repeated failures followed by a successful logon and file access clearly indicate a brute-force attack rather than a benign password mistake.

How to eliminate wrong answers

Option A is wrong because scheduled tasks typically use service accounts or stored credentials and do not generate a burst of failed logon events; they would show a single successful logon without preceding failures. Option B is wrong because a user who forgot their password would not generate dozens of failed attempts in rapid succession; they would typically use a password reset workflow or have a few retries, not a sustained brute-force pattern. Option D is wrong because a system administrator testing password policies would likely use a dedicated test account or controlled conditions, not a real user account, and would not follow the failed logons with a file server access event.
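The pattern this question describes (a burst of 4625 failures, a 4624 success, then a 5140 share access for the same account) is exactly what a SIEM correlation rule looks for. The Python below is an added example, not part of the original question bank: it parses a constructed one-line-per-event rendering of those Security log events (the format, account names, addresses and share path are all invented for the sample; the event IDs are the standard Windows ones named in the question) and reports each account whose successful logon was preceded by a failure burst, escalating the severity when share access follows.

```python
"""Detect the brute-force-then-lateral-movement chain described in the
explanation: a burst of failed logons (Event ID 4625) for one account, a
successful logon (4624) shortly after, then a network share access (5140).

Added example, not part of the original question bank. The one-line event
format and the sample events are constructed for illustration; the event IDs
themselves are the standard Windows Security log IDs named in the question."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

FAILED_LOGON, SUCCESS_LOGON, SHARE_ACCESS = "4625", "4624", "5140"
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def build_sample_events() -> str:
    """Constructed sample: '<timestamp> <event_id> <account> <source_ip> [<object>]'."""
    base = datetime(2024, 1, 15, 3, 12, 0)
    lines = [f"{(base + timedelta(seconds=i)).strftime(TS_FORMAT)} 4625 jsmith 10.0.0.77"
             for i in range(12)]  # 12 failures in 12 seconds
    lines.append(f"{(base + timedelta(seconds=14)).strftime(TS_FORMAT)} 4624 jsmith 10.0.0.77")
    lines.append(f"{(base + timedelta(seconds=40)).strftime(TS_FORMAT)} 5140 jsmith 10.0.0.77 \\\\FS01\\Finance")
    # Benign control: two typos, then a successful logon, no burst and no share access.
    lines += ["2024-01-15T08:00:00Z 4625 mlee 10.0.0.12",
              "2024-01-15T08:00:30Z 4625 mlee 10.0.0.12",
              "2024-01-15T08:01:10Z 4624 mlee 10.0.0.12"]
    return "\n".join(lines)


def parse_events(text: str) -> List[Dict]:
    """Parse the constructed format into dicts, sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split(None, 4)  # timestamp, event_id, account, source, optional object
        if len(parts) < 4:
            continue
        events.append({
            "ts": datetime.strptime(parts[0], TS_FORMAT),
            "event_id": parts[1],
            "account": parts[2],
            "source": parts[3],
            "object": parts[4] if len(parts) > 4 else None,
        })
    return sorted(events, key=lambda e: e["ts"])


def find_brute_force_chains(events: List[Dict], min_failures: int = 10,
                            failure_window_s: int = 60, share_window_s: int = 300) -> List[Dict]:
    """For every successful logon, count preceding failures for the same
    account/source within failure_window_s; if the burst is large enough, look
    for share access by that account/source within share_window_s afterwards."""
    by_key: Dict[Tuple[str, str], List[Dict]] = defaultdict(list)
    for e in events:
        by_key[(e["account"], e["source"])].append(e)

    findings = []
    for (account, source), evs in by_key.items():
        for i, e in enumerate(evs):
            if e["event_id"] != SUCCESS_LOGON:
                continue
            window_start = e["ts"] - timedelta(seconds=failure_window_s)
            failures = [f for f in evs[:i]
                        if f["event_id"] == FAILED_LOGON and f["ts"] >= window_start]
            if len(failures) < min_failures:
                continue
            deadline = e["ts"] + timedelta(seconds=share_window_s)
            shares = [s["object"] for s in evs[i + 1:]
                      if s["event_id"] == SHARE_ACCESS and s["ts"] <= deadline]
            findings.append({
                "account": account,
                "source": source,
                "failed_attempts": len(failures),
                "success_at": e["ts"].strftime(TS_FORMAT),
                "shares_accessed": shares,
                # Share access right after a guessed password is the lateral-movement stage.
                "severity": "high" if shares else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in find_brute_force_chains(parse_events(build_sample_events())):
        print(finding)
```

The thresholds (10 failures in 60 seconds, share access within 5 minutes) are illustrative; the benign control account with two mistyped passwords is deliberately not flagged, which is the distinction the question's Option B relies on.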

125
MCQ · medium

During an incident, the response team collects volatile data from a compromised server. Which of the following should be collected FIRST to minimize loss of evidence?

A. Contents of RAM
B. Contents of hard drive
C. Event logs
D. Network configuration
Answer: A

RAM is volatile and will be lost if the system is powered off.

Why this answer

Volatile data, such as the contents of RAM, is lost when a system is powered off. The first priority during incident response is to capture this data because it contains running processes, network connections, encryption keys, and malware that exist only in memory. Collecting RAM first ensures that this critical evidence is preserved before any other actions that might alter the system state.

Exam trap

The trap here is that candidates often confuse the order of volatility (OOV) principle, mistakenly prioritizing non-volatile data like event logs or disk contents because they seem more stable, but the exam tests the understanding that volatile data must be captured first to prevent its permanent loss.

How to eliminate wrong answers

Option B is wrong because the contents of the hard drive are non-volatile and persist after power loss; collecting it first would risk overwriting or losing volatile data in RAM during the acquisition process. Option C is wrong because event logs are stored on the hard drive and are non-volatile; they can be collected later without risk of immediate loss, and accessing them first could alter system state. Option D is wrong because network configuration is also non-volatile and stored in the registry or configuration files on disk; it does not require immediate capture and can be gathered after volatile data is secured.

126
MCQ · hard

An organization is developing an incident response plan. The CISO wants to ensure that the plan aligns with industry best practices. Which framework should the CISO use as a primary reference?

A. ISO 31000
B. NIST Cybersecurity Framework
C. ITIL
D. NIST SP 800-61
Answer: D

NIST SP 800-61 is the standard for computer security incident handling.

Why this answer

NIST SP 800-61 (Computer Security Incident Handling Guide) is the definitive U.S. government standard for incident response processes, covering preparation, detection, containment, eradication, and recovery. It provides detailed, step-by-step guidance for building an incident response plan, making it the primary reference for aligning with industry best practices.

Exam trap

The trap here is that candidates confuse the NIST Cybersecurity Framework (a broad risk management tool) with NIST SP 800-61 (the specific incident response standard), or they mistakenly think ITIL's 'incident management' covers security incidents when it is designed for IT service disruptions, not security breaches.

How to eliminate wrong answers

Option A is wrong because ISO 31000 is a risk management framework, not an incident response framework; it focuses on risk identification, assessment, and treatment, not on the operational steps of handling incidents. Option B is wrong because the NIST Cybersecurity Framework (CSF) is a high-level risk-based framework for improving cybersecurity posture, not a detailed incident response procedure; it references NIST SP 800-61 for incident response specifics. Option C is wrong because ITIL (Information Technology Infrastructure Library) is a service management framework focused on IT service delivery and support (e.g., incident management as a service desk process), not on security incident response or forensic handling.

127
MCQ · medium

During an incident, the incident response team determines that a compromised account was used to exfiltrate data. The account has been disabled. What is the NEXT best action to prevent similar incidents?

A. Notify potentially affected customers
B. Perform a root cause analysis
C. Reset passwords for all user accounts
D. Review authentication logs for other anomalies
Answer: B

Root cause analysis identifies the weakness to prevent recurrence.

Why this answer

Conducting a root cause analysis identifies how the account was compromised (e.g., phishing, weak password), allowing implementation of preventive measures like multifactor authentication. Resetting all passwords (C) is reactive. Notifying affected customers (A) is a legal step after investigation.

Reviewing logs (D) is part of analysis but not the next best preventive action.

128
MCQ · hard

A multinational corporation experiences a security breach involving customer PII. The incident response team needs to determine notification requirements. Which factor is MOST important in deciding which regulatory bodies to inform?

A. Location of the affected individuals
B. Location of the attacker
C. Location of the company's CIO
D. Location of the data custodian
Answer: A

Breach notification laws are based on the data subjects' residence.

Why this answer

Option A is correct because notification requirements depend on the jurisdiction of the affected individuals. Option D is wrong because the data custodian's location is not always relevant. Option C is wrong because the CIO's location is irrelevant.

Option B is wrong because the attacker's location does not determine notification obligations.

129
MCQ · easy

An analyst receives an alert indicating a potential data exfiltration. The alert shows a host IP address 10.10.50.200 sending large amounts of data to an external IP address 203.0.113.5 over port 443. What should the analyst do FIRST?

A. Block the external IP address immediately
B. Escalate to the incident response team
C. Verify the alert by checking logs and network traffic
D. Isolate the host from the network
Answer: C

Verification ensures the incident is real before further action.

Why this answer

Option C is correct because the first step in incident response is to validate the alert. The analyst must verify that the traffic is indeed anomalous and not legitimate (e.g., a large backup or software update) by examining logs and packet captures. Premature action without verification could disrupt business operations or destroy forensic evidence.

Exam trap

The trap here is that candidates often jump to containment (isolate or block) without first verifying the alert, confusing the urgency of a potential exfiltration with the disciplined step of validation required by the NIST SP 800-61 incident response lifecycle.

How to eliminate wrong answers

Option A is wrong because blocking the external IP immediately could be an overreaction if the traffic is legitimate (e.g., a cloud backup service), and it may destroy evidence or alert the attacker. Option B is wrong because escalation to the incident response team should occur only after the analyst has verified the alert and gathered initial evidence; premature escalation wastes resources. Option D is wrong because isolating the host without verification could disrupt critical services if the traffic is benign, and it may also tip off an insider threat or destroy volatile data.

130
MCQ · hard

Based on the configuration snippet, what is the expected behavior when an incident is triggered?

A. Standard playbook executed, notification sent, auto containment applied.
B. The incident is logged but no action is taken.
C. Priority override applied, but no notification sent.
D. Auto containment applied without executing any playbook.
Answer: A

Correct: All fields are set accordingly.

Why this answer

Option A is correct because the configuration indicates the standard playbook will be executed, the incident response team will be notified, and containment actions will be automatically applied. Priority override is false, so no override occurs.

131
MCQ · hard

Based on the exhibit, what is the MOST likely attack vector that led to the compromise?

A. Exploitation of the nf_conntrack table full condition
B. Credential-based attack using a compromised SSH key from the brute force attempt
C. Vulnerability in the SSH password authentication
D. Successful brute force attack from 10.0.0.50
Answer: B

The failed attempts from 10.0.0.50 likely scanned for weak credentials; the successful login from a different IP used a key, suggesting a stolen key.

Why this answer

Option B is correct because the brute force attempt from 10.0.0.50 failed, but then a successful SSH login from 10.0.0.51 occurred, indicating credential reuse or a key stolen from the brute force target. Option D is wrong because the brute force itself failed. Option A is wrong because the conntrack error is a symptom of the attack, not the vector.

Option C is wrong because the admin account used public key authentication, not a password vulnerability.

132
Multi-Select · medium

An incident response plan should include which three key components to ensure effective response? (Choose three.)

Select 3 answers
A. Communication procedures for internal and external stakeholders.
B. Roles and responsibilities of the response team.
C. Detailed step-by-step technical instructions for all possible incidents.
D. A list of pre-approved vendors for forensic services.
E. A method for preserving and handling evidence.
Answers: A, B, E

Correct: Ensures timely information flow.

Why this answer

Options A, B, and E are correct because roles and responsibilities, communication procedures, and evidence handling are fundamental. Detailed technical instructions for every possible incident are impractical, and pre-approved vendors are helpful but not core.

133
MCQ · hard

Based on the log entries, what is the most likely scenario?

A. A brute-force attack against the root account
B. A remote code execution attempt
C. A legitimate user repeatedly mistyping their password
D. A misconfiguration causing duplicate log entries
Answer: A

Multiple failed attempts in quick succession for the same account and IP is classic brute-force behavior.

Why this answer

The rapid succession of failed SSH login attempts for the root account from the same IP indicates a brute-force attack. Option B is not supported by the logs. Option C is unlikely due to the speed of the attempts.

Option D is less likely than an active attack.

134
Multi-Select · easy

Which TWO are key indicators of a data breach? (Choose two.)

Select 2 answers
A. System performance degradation
B. Unusual outbound network traffic
C. Increased spam emails to the organization
D. Unauthorized access to sensitive data
E. Multiple failed login attempts from a single user
Answers: B, D

Unusual outbound traffic, especially to unknown IPs, is a common sign of data exfiltration.

Why this answer

Unusual outbound traffic and unauthorized access to sensitive data are classic indicators of a data breach. Multiple failed logins may indicate brute force, spam relates to phishing, and performance degradation is too vague.

135
MCQ · medium

An organization has a mature incident management process. After a major incident, they conduct a post-incident review. Which activity is MOST important during this review?

A. Identify individuals responsible for the incident
B. Update security tools to block similar attacks
C. Determine root causes and document lessons learned
D. Calculate the total cost of the incident
Answer: C

Root cause analysis and lessons learned drive process improvements.

Why this answer

Option C is correct because identifying root causes and improvements prevents recurrence. Option A (assigning blame) is counterproductive. Option B (updating tools) is part of improvement but not the most important.

Option D (metrics) supports analysis but is not the primary goal.

136
MCQ · medium

After a ransomware attack, a company discovers that backups are also encrypted. The incident response team has isolated the affected systems. What should be the next step?

A. Attempt restoration from encrypted backups.
B. Pay the ransom to obtain decryption keys.
C. Isolate additional systems and notify law enforcement.
D. Reimage all systems from known clean media.
Answer: C

Containment and involving authorities are best practices.

Why this answer

Option C is correct because the priority is to contain the incident and then involve law enforcement to investigate, while preserving evidence. Option B is wrong because paying the ransom is not recommended and may not guarantee recovery. Option A is wrong because encrypted backups cannot be restored.

Option D is wrong because reimaging destroys forensic evidence.

137
MCQ · easy

An organization's incident response plan (IRP) is being updated. Which stakeholder should be included in the IRP development to ensure legal and regulatory requirements are met?

A. Legal counsel
B. External auditors
C. Chief Information Security Officer (CISO)
D. IT manager
Answer: A

Legal counsel ensures compliance with laws and regulations.

Why this answer

Legal counsel ensures the plan complies with relevant laws and regulations, such as breach notification requirements. The CISO (C) oversees security but may not have legal expertise. The IT manager (D) focuses on technical aspects.

External auditors (B) are not typically involved in plan development.

138
MCQ · easy

An organization's incident response plan includes a step to 'contain the incident.' Which of the following actions is an example of containment?

A. Disconnecting an infected workstation from the network
B. Restoring data from backup
C. Analyzing log files to determine the attack vector
D. Removing malware from the system
Answer: A

This prevents further propagation of malware.

Why this answer

Disconnecting an infected workstation from the network is a classic containment action because it immediately isolates the compromised system, preventing the spread of malware or unauthorized lateral movement to other hosts. Containment focuses on limiting the scope and impact of an incident, not on remediation or investigation. This step aligns with the NIST SP 800-61 incident response lifecycle, where containment is performed before eradication and recovery.

Exam trap

ISACA often tests the distinction between containment, eradication, and recovery, and the trap here is that candidates mistake 'removing malware' (eradication) or 'restoring from backup' (recovery) for containment, because they focus on fixing the problem rather than stopping its spread first.

How to eliminate wrong answers

Option B is wrong because restoring data from backup is a recovery action, not containment; it occurs after the threat is contained and eradicated, aiming to return systems to normal operation. Option C is wrong because analyzing log files to determine the attack vector is part of identification and analysis, not containment; it helps understand the incident but does not stop its spread. Option D is wrong because removing malware from the system is an eradication action, which follows containment; containment must first isolate the threat to prevent further damage before cleanup begins.

139
MCQ · easy

Based on the exhibit, what is the first action the incident response team should take?

A. Confirm the IDS alert is not a false positive.
B. Review the web server logs on 192.168.1.10 for evidence of exploitation.
C. Block the source IP 10.5.5.5 on the firewall.
D. Disable the firewall rule 'Allow-Internal-Web'.
Answer: B

Correct: Directly check if the XSS succeeded.

Why this answer

Option B is correct because the first step is to investigate the target web server logs to determine if the XSS attempt was successful. Blocking the source IP or disabling the rule may be premature if the attack was not effective, and confirming a false positive is less direct than reviewing logs.

140
MCQ · hard

An organization's IR plan is tested annually. After a test, many gaps are identified. What is the best next step?

A. Update the IR plan based on lessons learned and schedule a follow-up test
B. Train all employees on the plan
C. Wait for the next scheduled test in one year
D. Purchase additional security tools
Answer: A

Correct: Continuous improvement reduces gaps.

Why this answer

Updating the plan based on lessons learned and scheduling a follow-up test improves preparedness.

141
MCQhard

During an incident investigation, the security team discovers that an attacker exfiltrated sensitive customer data via encrypted DNS tunneling over a period of three months. The data loss was only noticed after a routine audit. Which of the following weaknesses MOST likely allowed the attacker to remain undetected for so long?

A.Inadequate monitoring of DNS traffic for anomalies
B.Weak password policies
C.Unpatched web server software
D.Lack of data-at-rest encryption
AnswerA

Without monitoring DNS traffic for tunneling, exfiltration can go unnoticed for long periods.

Why this answer

The correct answer is A because DNS tunneling exfiltrates data by encoding it within DNS queries and responses, which are often allowed through firewalls without deep inspection. The attacker remained undetected for three months because the security team lacked monitoring of DNS traffic for anomalies, such as unusual query volumes, non-standard record types (e.g., TXT records), or domains with high entropy. Without DNS-specific anomaly detection or a security information and event management (SIEM) system correlating DNS logs, the exfiltration blended into normal traffic.

Exam trap

The trap here is that candidates may focus on the initial breach vector (e.g., unpatched software or weak passwords) rather than the detection failure that allowed the exfiltration to persist undetected for months, which is the core of the question.

How to eliminate wrong answers

Option B is wrong because weak password policies would not directly enable undetected data exfiltration over three months; they might allow initial access but do not explain the persistence of DNS tunneling. Option C is wrong because unpatched web server software could be an initial vector, but the question focuses on the weakness that allowed the attacker to remain undetected for so long, not the entry point. Option D is wrong because lack of data-at-rest encryption does not affect detection of outbound data exfiltration via DNS tunneling; it concerns data confidentiality if storage is compromised, not network monitoring.
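The detection gap described above can be closed with fairly simple DNS log analytics. The following is an added example (not part of the question bank) that runs the three heuristics named in the explanation, per-client query volume to a zone, the share of TXT queries, and the entropy of the leftmost label, over a constructed sample log. The client addresses, zone names and thresholds are assumptions chosen for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log, one line per query: "<client> <qtype> <qname>".
# These records are made up for the example; they are not data from the page.
HEX = "0123456789abcdef"
_LEGIT = [
    "10.0.0.21 A www.example.com",
    "10.0.0.21 A cdn.example.com",
    "10.0.0.21 AAAA mail.example.com",
    "10.0.0.21 MX example.com",
]
# A tunnelling client: many TXT queries whose leftmost label is a random-looking
# 32-character hex string (each hex digit appears exactly twice, so entropy is 4.0 bits).
_TUNNEL = [
    f"10.0.0.37 TXT {HEX[i:] + HEX[:i]}{HEX}.data.tunnel-example.net"
    for i in range(12)
]
SAMPLE_LOG = _LEGIT + _TUNNEL


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; 0.0 for empty or single-symbol strings."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_line(line: str):
    """Split one log line into (client, qtype, qname), normalising case and trailing dot."""
    client, qtype, qname = line.split()
    return client, qtype.upper(), qname.rstrip(".").lower()


def base_zone(qname: str) -> str:
    """Crude registrable-domain guess: the last two labels (good enough for the example)."""
    parts = qname.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else qname


def analyze(lines, max_queries=10, txt_ratio=0.5, entropy_threshold=3.0, min_label_len=12):
    """Return {(client, zone): [reasons]} for every client/zone pair that trips a heuristic.

    Thresholds are assumptions for the example; a real deployment would baseline them
    against the organisation's own traffic.
    """
    stats = defaultdict(lambda: {"total": 0, "txt": 0, "entropies": []})
    for line in lines:
        client, qtype, qname = parse_line(line)
        s = stats[(client, base_zone(qname))]
        s["total"] += 1
        if qtype == "TXT":
            s["txt"] += 1
        leftmost = qname.split(".")[0]
        # Only long labels are scored: short words like "www" are never high-entropy.
        if len(leftmost) >= min_label_len:
            s["entropies"].append(shannon_entropy(leftmost))

    findings = {}
    for key, s in stats.items():
        reasons = []
        if s["total"] > max_queries:
            reasons.append("high query volume")
        if s["txt"] / s["total"] > txt_ratio:
            reasons.append("TXT-heavy")
        if s["entropies"] and sum(s["entropies"]) / len(s["entropies"]) > entropy_threshold:
            reasons.append("high-entropy labels")
        if reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for (client, zone), reasons in analyze(SAMPLE_LOG).items():
        print(f"{client} -> {zone}: {', '.join(reasons)}")
```

Feeding real resolver logs into `analyze` (or the equivalent SIEM rule) is the kind of DNS-specific monitoring the explanation says was missing; each flagged client/zone pair is a lead for the analysis phase, not a verdict on its own.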

142
MCQmedium

After a ransomware incident, the incident response team contains the spread and begins eradication. The team discovers that the ransomware encrypted files on a file server and also deleted shadow copies. Which of the following should the team do NEXT to support recovery?

A.Restore the encrypted files from the most recent backup.
B.Create a forensic image of the file server and affected endpoints.
C.Attempt to decrypt the files using available decryption tools.
D.Notify law enforcement immediately.
AnswerB

Preserving evidence is essential before any recovery actions.

Why this answer

After containment and eradication, the priority is to preserve evidence for root cause analysis and potential legal action. Creating a forensic image of the file server and affected endpoints captures the ransomware artifacts, encryption keys, and system state before any recovery actions that could overwrite critical data. This aligns with the CISM incident management phase of 'lessons learned' and ensures the team can determine the attack vector and prevent recurrence.

Exam trap

The trap here is that candidates assume recovery (restoring backups) is the immediate next step, but CISM emphasizes that evidence preservation must precede any recovery action to support forensic analysis and legal proceedings.

How to eliminate wrong answers

Option A is wrong because restoring from backup before forensic imaging risks destroying volatile evidence (e.g., ransomware binaries, registry keys, or network logs) that is essential for identifying the initial compromise vector. Option C is wrong because attempting decryption without first preserving evidence may alter the system state, and decryption tools are rarely available for modern ransomware; even if successful, the team loses forensic data. Option D is wrong because law enforcement notification is not an immediate technical step for recovery; it should occur after evidence preservation and as part of the incident communication plan, not before forensic imaging.

143
MCQeasy

After successfully containing an incident, the incident response team discovers that the attacker exploited a previously unknown vulnerability in a web application. The vulnerability is not yet patched by the vendor. The organization's management is concerned about the risk of another attack using the same vulnerability. What should the team recommend as the immediate action to reduce this risk?

A.Implement a workaround to mitigate the vulnerability
B.Disable the web application until a patch is available
C.Report the vulnerability to the software vendor
D.Develop an in-house patch for the vulnerability
AnswerA

Workarounds can reduce risk quickly without waiting for a patch.

Why this answer

Implementing a workaround (such as a web application firewall rule or a configuration change) reduces the immediate risk while waiting for a vendor patch. Developing a patch in-house is not advisable because of the complexity and risk involved. Reporting to the vendor is important but does not provide immediate protection. Disabling the service may be too disruptive.

144
MCQeasy

An organization's intrusion detection system alerts on a potential C2 communication from an internal host. Which phase of the incident response lifecycle should be initiated first?

A.Post-Incident Activity
B.Preparation
C.Containment, Eradication, and Recovery
D.Detection and Analysis
AnswerD

Alert triggers the detection phase.

Why this answer

Option D is correct because detection and analysis is the first phase after preparation; an IDS alert is what starts it. Option B is wrong because preparation takes place before any incident occurs. Option C is wrong because containment, eradication, and recovery follow analysis. Option A is wrong because post-incident activity comes last, after recovery.

145
MCQmedium

Based on the exhibit, an incident involves unauthorized access to a file server containing corporate training videos. No sensitive data is stored there. Which priority should the incident be assigned?

A.Critical
B.Medium
C.High
D.Low
AnswerD

Low-value data, easily restored.

Why this answer

Option D is correct because the training videos are low-value data with no sensitive information and are easily restored. Option A is wrong because there are no sensitive data or regulatory implications. Option B is wrong because no sensitive business data is involved. Option C is wrong because no operational data is affected.

146
Multi-Selecteasy

Which TWO of the following are best practices for preserving digital evidence during an incident? (Select exactly 2)

Select 2 answers
A.Create a forensic image of the hard drive using a write blocker
B.Document the chain of custody
C.Interview witnesses before collecting data
D.Run antivirus scans on the affected system
E.Reboot the system to clear memory
AnswersA, B

Write blocker prevents alteration of original data.

Why this answer

Creating a forensic image with a write blocker (Option A) is a best practice because it captures an exact bit-for-bit copy of the storage media without altering the original data. The write blocker intercepts write commands at the hardware or software level, ensuring the integrity of the evidence. This preserves the original state for later analysis and admissibility in legal proceedings.

Exam trap

The trap here is that candidates often confuse 'preserving evidence' with 'immediate remediation'—choosing actions like rebooting or scanning that seem helpful but actually destroy volatile data or alter the evidence, while the exam emphasizes forensic soundness and legal admissibility over speed.
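To make the forensic-soundness point concrete, here is an added example (not from the question bank) that models the two correct answers in code: a read-only device wrapper standing in for the write blocker, a sector-by-sector acquisition that hashes as it copies, verification that image and source still match, and a chain-of-custody log keyed to the hash. The evidence bytes, handler names and sector size are constructed for the example.

```python
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for a seized drive: a byte string instead of a real block device.
EVIDENCE_DRIVE = bytes(range(256)) * 16  # 4096 bytes of sample data (8 sectors of 512)


class WriteBlockedDevice:
    """Software analogue of a hardware write blocker: reads pass, every write is refused."""

    def __init__(self, raw: bytes, sector_size: int = 512):
        self._raw = raw
        self.sector_size = sector_size

    @property
    def sectors(self) -> int:
        return (len(self._raw) + self.sector_size - 1) // self.sector_size

    def read_sector(self, n: int) -> bytes:
        start = n * self.sector_size
        return self._raw[start:start + self.sector_size]

    def write_sector(self, n: int, data: bytes) -> None:
        raise PermissionError("write blocker engaged: device is read-only")


def hash_device(device: WriteBlockedDevice) -> str:
    """SHA-256 of the source media, read through the blocker (used to re-verify later)."""
    h = hashlib.sha256()
    for i in range(device.sectors):
        h.update(device.read_sector(i))
    return h.hexdigest()


def acquire_image(device: WriteBlockedDevice):
    """Bit-for-bit copy, hashed on the way (what dd plus sha256sum do on real media).

    Returns (image_bytes, acquisition_hash).
    """
    h = hashlib.sha256()
    chunks = []
    for i in range(device.sectors):
        sector = device.read_sector(i)
        h.update(sector)
        chunks.append(sector)
    return b"".join(chunks), h.hexdigest()


def verify_image(device: WriteBlockedDevice, image: bytes, acquisition_hash: str) -> bool:
    """Image and original must both still hash to the value recorded at acquisition."""
    return (hashlib.sha256(image).hexdigest() == acquisition_hash
            and hash_device(device) == acquisition_hash)


def custody_entry(log: list, handler: str, action: str, sha256: str) -> list:
    """Append one chain-of-custody record: who, what, when, and the hash they attest to."""
    log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "handler": handler,
        "action": action,
        "sha256": sha256,
    })
    return log


def acquire_with_custody(device: WriteBlockedDevice, handler: str):
    """Run the acquisition and start the custody log in one step; returns (image, hash, log)."""
    image, digest = acquire_image(device)
    log = custody_entry([], handler, "forensic image acquired via write blocker", digest)
    return image, digest, log


if __name__ == "__main__":
    dev = WriteBlockedDevice(EVIDENCE_DRIVE)
    image, digest, log = acquire_with_custody(dev, "analyst-1")  # handler name is constructed
    print("acquisition hash:", digest)
    print("image verifies:", verify_image(dev, image, digest))
    try:
        dev.write_sector(0, b"\x00" * 512)
    except PermissionError as exc:
        print("blocked:", exc)
```

Any later handler re-runs `verify_image` before working on the copy and adds a `custody_entry`; a hash mismatch at that point means the evidence was altered somewhere between two log entries, which is exactly the gap the chain of custody is meant to expose.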

147
MCQeasy

Based on the exhibit, what is the MOST significant gap in incident management?

A.Inconsistent incident classification.
B.Slow response times.
C.High number of incidents.
D.Lack of documentation.
AnswerD

Option D is correct because 45 incidents (37.5%) have no documentation, indicating a process gap.

Why this answer

Option D is correct because 45 incidents (37.5%) have no documentation, indicating a process gap. Option A is not necessarily a gap; Option B is relatively low; Option C cannot be determined from the exhibit.

148
MCQeasy

A security analyst detects a potential data exfiltration from a critical server. According to incident response best practices, what is the first action the analyst should take?

A.Disconnect the server from the network immediately.
B.Notify the incident response manager.
C.Review firewall logs to confirm the exfiltration.
D.Take a forensic image of the server.
AnswerA

Correct: Stops exfiltration and prevents further damage.

Why this answer

Option A is correct because immediate containment is the priority to stop further data loss. Other actions are important but should follow containment.

149
MCQeasy

A security analyst receives an alert indicating a potential data exfiltration from a server. Which of the following should be the FIRST step in the incident response process?

A.Perform a forensic analysis.
B.Escalate to senior management.
C.Isolate the server from the network.
D.Verify the alert to confirm it is not a false positive.
AnswerD

Option D is correct because the first step in incident response is to verify the alert, avoiding an unnecessary response to a false positive.

Why this answer

Option D is correct because the first step in incident response is to verify the alert, avoiding an unnecessary response to a false positive. Option C is wrong because isolation may be premature without verification. Option B is wrong because escalation should occur after confirmation. Option A is wrong because forensic analysis is done after containment.

150
MCQhard

Refer to the exhibit. An organization uses these firewall rules. After a breach, the IR team finds that the attacker gained access via SSH from an external IP. Which rule is most likely misconfigured?

A.MySQL should be blocked entirely
B.RDP should not be allowed
C.HTTPS should be inspected
D.SSH is allowed from any source instead of only internal
AnswerD

Correct: SSH should be restricted to specific trusted IPs.

Why this answer

The SSH rule allows access from any source, which is a security risk. It should be restricted to internal IPs.
