CCNA Incident Management Questions

26 of 176 questions · Page 3/3 · Incident Management

151
MCQ · hard

Refer to the exhibit. What is most suspicious about this event?

A.The user jdoe is not an administrator
B.Event ID 4688 is unusual
C.The process ID is too low
D.The process name svchost.exe running from Temp folder
Answer: D

Correct: svchost.exe is a Windows system process and should not run from Temp.

Why this answer

svchost.exe is the Windows service host and is expected to run from C:\Windows\System32 (or C:\Windows\SysWOW64 for the 32-bit copy on 64-bit hosts). A copy launched from a Temp folder is a classic masquerading indicator: malware borrows the name of a trusted binary so it blends into process listings. The other options are not suspicious on their own: a non-administrator user (A) is normal, Event ID 4688 (B) is the routine process-creation event, and a low process ID (C) means nothing by itself.
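A detection rule for this pattern, written as an added example (not code from the page or any vendor product): it walks Windows 4688 process-creation records, takes the image name from NewProcessName, and flags any core OS binary whose directory is not one it is expected to load from. The expected-directory table and the event records are constructed for the example.

```python
"""Flag Windows 4688 (process creation) events where a core OS binary name is
launched from a directory it never legitimately runs from.
Added example; the allowlist and the event records are constructed."""
import ntpath

# Core Windows binaries and the directories they are expected to load from
# (lower-cased, no trailing backslash). Illustrative assumption, not exhaustive.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

# Constructed sample of events as a SIEM might hand them to a rule.
EVENTS = [
    {"EventID": 4688, "SubjectUserName": "jdoe", "NewProcessId": "0x1a4",
     "NewProcessName": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 4688, "SubjectUserName": "jdoe", "NewProcessId": "0x2f8c",
     "NewProcessName": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe"},
    {"EventID": 4688, "SubjectUserName": "SYSTEM", "NewProcessId": "0x7d0",
     "NewProcessName": r"C:\Windows\SysWOW64\svchost.exe"},
    {"EventID": 4688, "SubjectUserName": "jdoe", "NewProcessId": "0x3e8",
     "NewProcessName": r"C:\Windows\Temp\lsass.exe"},
    {"EventID": 4624, "SubjectUserName": "jdoe"},  # a logon, not a process creation: ignored
]


def masquerading_processes(events):
    """Return (user, pid, path, reason) for each 4688 whose image name matches a
    protected binary but whose directory is outside the expected set."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue
        path = ev.get("NewProcessName", "")
        # ntpath handles Windows separators regardless of the analysis host OS.
        directory, image = ntpath.split(path)
        image = image.lower()
        directory = directory.lower().rstrip("\\")
        expected = EXPECTED_DIRS.get(image)
        if expected is None or directory in expected:
            continue
        findings.append((ev.get("SubjectUserName"), ev.get("NewProcessId"), path,
                         f"{image} outside expected directories {sorted(expected)}"))
    return findings


if __name__ == "__main__":
    for finding in masquerading_processes(EVENTS):
        print(finding)
```

Path is a cheap first filter; a stronger version also checks the image's Authenticode signature or hash, since an attacker who can write to System32 can plant a renamed binary in the expected directory.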

152
MCQ · easy

During a post-incident review, the incident response team identifies that the root cause of a data breach was a misconfigured firewall rule that allowed unrestricted inbound access from the internet. Which corrective action BEST addresses this issue?

A.Increase the frequency of penetration tests
B.Conduct a one-time review of all firewall rules
C.Restore the firewall configuration from the last known good backup
D.Implement a change management process for firewall modifications
Answer: D

Change management ensures all rule changes are authorized and reviewed, reducing risk.

Why this answer

Implementing a change management process (D) ensures that firewall rule changes are reviewed and approved before they take effect, preventing misconfigurations from reaching production. A one-time review (B) is temporary and does not stop the next bad change. Penetration testing (A) finds exposures after the fact but does not fix the process that created them.

Restoring from backup (C) only returns to an earlier configuration and does not address why the rule was misconfigured in the first place.

153
Multi-Select · medium

An incident responder is handling a phishing attack that resulted in credential theft. Which TWO actions should be taken FIRST in the containment phase?

Select 2 answers
A.Disable the user's account temporarily.
B.Notify all users about the phishing campaign.
C.Conduct a forensic analysis of the user's machine.
D.Block the phishing URL at the proxy.
E.Reset the compromised user's password.
Answers: A, E

Stops further use of the stolen credentials.

Why this answer

Options A and E are correct because disabling the account and resetting the password immediately cut off the attacker's use of the stolen credentials; reset the password before re-enabling the account, and revoke active sessions and tokens where the identity platform supports it, since a password change alone does not end an existing session. Option D (blocking the phishing URL at the proxy) is a valid containment step, but it only prevents further victims and does nothing about credentials already stolen. Option C is forensic analysis, which belongs to investigation, not containment.

Option B is communication, which follows initial containment.

154
MCQ · hard

After a major security incident, the incident response team completes the containment, eradication, and recovery phases. The CISO is now planning the post-incident activities. Which activity is MOST critical to ensure that lessons learned are effectively incorporated?

A.Publishing a public disclosure of the incident.
B.Terminating the incident response team's engagement.
C.Restoring all systems to full production status.
D.Conducting a post-incident review and updating policies.
Answer: D

This ensures that the organization learns from the incident and improves future response.

Why this answer

Conducting a post-incident review and updating policies is the most critical post-incident activity because it ensures that the root cause, response gaps, and process deficiencies are formally documented and translated into actionable improvements. This directly supports the continuous improvement cycle required by NIST SP 800-61 and ISO 27035, preventing recurrence of similar incidents.

Exam trap

ISACA often tests the distinction between operational recovery tasks (restoring systems) and strategic improvement tasks (post-incident review), leading candidates to mistakenly prioritize immediate restoration over the learning process that prevents future incidents.

How to eliminate wrong answers

Option A is wrong because public disclosure is a legal or regulatory obligation (e.g., GDPR breach notification) that does not inherently incorporate lessons learned into internal security controls. Option B is wrong because terminating the incident response team's engagement prematurely closes the feedback loop, preventing the capture of process improvements and forensic findings. Option C is wrong because restoring systems to full production status is an operational recovery step, not a learning activity; it does not address why the incident occurred or how to prevent it.

155
MCQ · hard

An organization uses a SIEM to correlate security events. The SIEM generates an alert for a possible brute-force attack against an admin account. The incident response team reviews the alert and finds that the account is a service account with a known password. What should the team do NEXT?

A.Notify the service owner
B.Disable the service account
C.Investigate the source IP addresses
D.Change the password for the service account
Answer: D

Changing the password invalidates the attacker's attempts.

Why this answer

The correct next step is to change the password for the service account because the alert indicates a possible brute-force attack, and a known password represents a compromised credential. Even if the account is a service account, the password must be rotated to prevent unauthorized access. This aligns with the incident response principle of containing the threat by invalidating the compromised authentication factor.

Exam trap

The trap here is that candidates confuse a service account with a user account and choose to investigate the source IP addresses first, forgetting that containment (password change) must precede investigation when a known credential is involved.

How to eliminate wrong answers

Option A is wrong because notifying the service owner is a communication step that should occur after the immediate threat is contained, not as the next action. Option B is wrong because disabling the service account would disrupt dependent services and applications, potentially causing a larger operational impact than the brute-force attempt itself. Option C is wrong because while investigating source IP addresses is a valid forensic step, it does not address the immediate risk of a known password being used in an ongoing attack; containment takes priority over investigation.

156
Multi-Select · easy

Which TWO of the following are key performance indicators (KPIs) commonly used to measure the effectiveness of incident management processes?

Select 2 answers
A.Percentage of incidents resolved within SLA
B.Mean Time to Detect (MTTD)
C.Mean Time to Respond (MTTR)
D.Total cost of incidents
E.Number of incidents per month
Answers: B, C

MTTD measures how quickly an incident is detected, a key indicator of detection capability.

Why this answer

Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) are standard KPIs for incident management effectiveness. The other options are either volume metrics or not specific to incident management.

157
Multi-Select · hard

Which TWO of the following are recommended practices when conducting a post-incident review? (Select TWO)

Select 2 answers
A.Document lessons learned and improvement actions
B.Update the incident response plan immediately
C.Assign blame to responsible individuals
D.Identify the root cause of the incident
E.Reimage all affected systems
Answers: A, D

Lessons learned improve future response.

Why this answer

Identifying the root cause (D) and documenting lessons learned and improvement actions (A) are the core outputs of a post-incident review. Assigning blame (C) is discouraged because it discourages candid reporting of what went wrong. Updating the IRP (B) is a result that follows the review, not part of the review itself.

Reimaging systems (E) is recovery, not review.

158
MCQ · easy

A security analyst notices unusual outbound traffic from a server that is not scheduled for any data transfers. Which step should the analyst take FIRST?

A.Block the IP addresses in the outbound traffic
B.Immediately isolate the server from the network
C.Document the observation and escalate to the incident response team
D.Ignore as it may be a false positive
Answer: C

Proper escalation ensures formal handling.

Why this answer

Option C is correct because documenting the observation and escalating to the incident response team is the proper first step under incident response procedures; the observation becomes a tracked event with a timeline rather than an ad hoc action by one analyst. Option B is wrong because isolating the server before any analysis may disrupt services, and that decision belongs to the incident response team. Option D is wrong because ignoring unexplained outbound traffic is dangerous.

Option A is wrong because blocking the destination addresses before understanding the traffic may hide the issue and tip off the attacker.

159
Multi-Select · hard

Which THREE elements should be included in an incident response plan to ensure effective communication during a security incident?

Select 3 answers
A.Escalation procedures for notifying management and legal
B.Communication protocols and channels for internal coordination
C.List of affected systems and data
D.Public relations strategy for external communication
E.Defined roles and responsibilities for the incident response team
Answers: A, B, E

Escalation ensures timely involvement of decision-makers.

Why this answer

Option A is correct because escalation procedures define the specific thresholds and contact paths for notifying management and legal teams when an incident exceeds predefined severity levels. This ensures that decision-makers are informed promptly to authorize critical actions like legal holds or regulatory notifications, preventing delays that could worsen the incident's impact. Option B is correct because agreed channels, including an out-of-band channel for use when email or chat may itself be compromised, keep responders coordinated. Option E is correct because defined roles establish who makes each decision and who speaks for the team. Option C is operational data gathered during an incident, not a plan element, and Option D is normally a separate document that the plan references.

Exam trap

The trap here is that candidates confuse operational data (like affected systems) with communication plan elements, or they mistakenly think a full public relations strategy must be embedded in the IR plan rather than referenced as a separate document.

160
Multi-Select · medium

Which THREE are essential steps in incident containment? (Choose three.)

Select 3 answers
A.Root cause analysis
B.Notify external regulators
C.Disable compromised accounts
D.Isolate affected systems
E.Preserve forensic evidence
Answers: C, D, E

Disabling accounts stops attacker access through valid credentials.

Why this answer

Isolating affected systems, disabling compromised accounts, and preserving forensic evidence are critical containment steps. Root cause analysis is part of investigation, and notifying regulators is a post-containment step.

161
MCQ · easy

A small business without a dedicated incident response team experiences a suspected breach. Who should be primarily responsible for leading the incident response efforts?

A.The CEO of the company.
B.The IT administrator who discovered the breach.
C.The external cybersecurity consultant on retainer.
D.The legal counsel.
Answer: C

Correct: Brings specialized skills and experience.

Why this answer

Option C is correct because an external cybersecurity consultant on retainer brings the incident handling expertise the business lacks in-house. The IT administrator (B) may lack IR training, the CEO (A) is management and should make business decisions rather than run the response, and legal counsel (D) provides advice, not leadership.

162
Multi-Select · medium

Which THREE of the following are key components of an incident response plan? (Select THREE)

Select 3 answers
A.List of all employees' contact information
B.Annual budget for incident response tools
C.Communication and escalation matrix
D.Incident response procedures
E.Roles and responsibilities of team members
Answers: C, D, E

Clear communication paths are critical during an incident.

Why this answer

Correct: Incident response procedures (D), a communication and escalation matrix (C), and roles and responsibilities (E) are essential components. A budget (B) is not typically part of the plan itself. A list of all employees' contact information (A) is too detailed and not a core component; the plan needs contacts for the response team and key stakeholders, not the whole company.

163
MCQ · easy

A manufacturing company has an incident response plan that includes a communication plan. However, during a recent ransomware incident, the team realized that the external legal counsel was not listed in the plan. The incident requires consultation with legal due to potential regulatory implications. The incident response manager needs to address this gap quickly. What should the manager do?

A.Notify legal counsel after the incident is resolved
B.Use only internal legal department instead of external counsel
C.Ignore legal counsel involvement for this incident
D.Add the legal counsel to the incident response plan immediately
Answer: D

Updating the plan to include all necessary stakeholders is essential for effective communication.

Why this answer

The manager should add external legal counsel to the communication plan immediately so they can be engaged in this incident and are listed for future ones. Ignoring them (C) or delaying notification until after the incident (A) could worsen regulatory consequences. Relying only on the internal legal department (B) may not be sufficient when the matter needs outside counsel's regulatory or litigation expertise.

164
MCQ · medium

After detecting a ransomware infection on a file server, the incident response team performs containment and eradication. Which step should be prioritized during the recovery phase to minimize business impact?

A.Contact the attackers to negotiate a decryption key
B.Reimage all servers in the same network segment
C.Identify and patch the vulnerability used for entry
D.Restore data from verified clean backups
Answer: D

Restoring from backups is the primary recovery method.

Why this answer

Restoring data from verified clean backups (D) is the most direct way to recover operations without paying a ransom. Identifying and patching the entry vulnerability (C) is part of eradication, not recovery, and should already be done before restored systems are reconnected. Negotiating with attackers (A) is discouraged.

Reimaging all servers in the segment (B) may be excessive and cause more downtime than the incident itself.

165
MCQ · hard

An organization's IDS logs show multiple outbound connections to an external IP address from a server that normally communicates only internally. The logs indicate the process is running under the SYSTEM account. Which of the following BEST describes the likely root cause?

A.A backdoor installed via a previous compromise
B.A misconfigured application
C.An authorized administrative activity
D.A privilege escalation exploit
Answer: A

Outbound connections from the SYSTEM account are a classic indicator of a backdoor or remote access Trojan (RAT) placed after an initial compromise.

Why this answer

Option A is correct. Persistent outbound connections from a SYSTEM-level process on a server that normally communicates only internally suggest a backdoor installed during a prior compromise, giving the attacker remote command execution. A misconfigured application (B) or authorized administrative activity (C) could generate outbound traffic, but neither explains a new external destination from a server with no legitimate external peers. A privilege escalation exploit (D) describes how SYSTEM was obtained, not the persistent outbound channel the logs show.

166
MCQ · medium

An organization's incident response team has completed the initial response to a ransomware incident. During the post-incident review, they identify that the detection was delayed because security logs from different systems were not correlated. The team wants to improve detection capabilities. What should the team recommend as the primary improvement?

A.Hire additional security analysts to manually correlate logs
B.Increase the amount of logging on all systems
C.Implement a Security Information and Event Management (SIEM) system
D.Reduce log retention to lower storage costs
Answer: C

SIEM correlates logs from multiple sources to detect incidents in a timely manner.

Why this answer

Implementing a SIEM solution provides centralized log collection and correlation, enabling timely detection. Increasing logging without correlation still results in data silos. Hiring more analysts may help but does not address the root cause of poor correlation.

Reducing log retention would hinder forensic analysis.
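The correlation a SIEM performs, reduced to a single runnable rule, as an added example that is not from the page or any SIEM product: it serves both the brute-force alert in question 155 and the cross-source correlation in question 166. Events from two sources with different schemas (a domain controller's Security log and a VPN gateway's syslog) are normalised to one shape, failures per (source IP, account) are counted in a sliding window, and a success inside the same window upgrades the alert. The threshold, window, field names and records are constructed assumptions.

```python
"""Sliding-window brute-force detection over events normalised from two log
sources. Added example; records, field names and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # failures inside WINDOW that count as brute force (assumption)
WINDOW = timedelta(minutes=10)  # assumption


def ts(s):
    return datetime.fromisoformat(s)


# Constructed Windows Security log records (4625 = failed logon, 4624 = success).
DC_EVENTS = [
    {"ts": "2024-05-01T02:00:%02d" % (i * 7), "EventID": 4625,
     "IpAddress": "198.51.100.9", "TargetUserName": "svc_backup"}
    for i in range(6)
] + [
    {"ts": "2024-05-01T02:03:10", "EventID": 4624, "IpAddress": "198.51.100.9", "TargetUserName": "svc_backup"},
    {"ts": "2024-05-01T02:05:00", "EventID": 4625, "IpAddress": "10.0.0.7", "TargetUserName": "jdoe"},
]

# Constructed VPN gateway records with their own field names.
VPN_EVENTS = [
    {"time": "2024-05-01T02:01:%02d" % (i * 9), "result": "AUTH_FAIL", "peer": "203.0.113.5", "account": "admin"}
    for i in range(5)
] + [{"time": "2024-05-01T02:02:30", "result": "AUTH_OK", "peer": "203.0.113.5", "account": "admin"}]


def normalise(dc_events, vpn_events):
    """Map both sources onto (timestamp, src_ip, user, outcome), time-ordered,
    so one rule can reason across them instead of per source."""
    out = []
    for e in dc_events:
        out.append((ts(e["ts"]), e["IpAddress"], e["TargetUserName"],
                    "fail" if e["EventID"] == 4625 else "success"))
    for e in vpn_events:
        out.append((ts(e["time"]), e["peer"], e["account"],
                    "fail" if e["result"] == "AUTH_FAIL" else "success"))
    return sorted(out)


def brute_force_alerts(events):
    """One alert per (src_ip, user) reaching FAIL_THRESHOLD failures inside WINDOW.
    A success within WINDOW of the first counted failure is recorded on the alert,
    which is the case that should drive immediate credential rotation."""
    recent = defaultdict(list)   # (ip, user) -> failure timestamps still inside the window
    alerts = {}
    for when, ip, user, outcome in events:
        key = (ip, user)
        fails = [f for f in recent[key] if when - f <= WINDOW]   # drop expired failures
        if outcome == "fail":
            fails.append(when)
            if len(fails) >= FAIL_THRESHOLD:
                alert = alerts.setdefault(key, {"first_fail": fails[0], "success_after_failures": False})
                alert["failures"] = len(fails)
        elif key in alerts and when - alerts[key]["first_fail"] <= WINDOW:
            alerts[key]["success_after_failures"] = True
        recent[key] = fails
    return alerts


if __name__ == "__main__":
    for key, alert in brute_force_alerts(normalise(DC_EVENTS, VPN_EVENTS)).items():
        print(key, alert)
```

Neither source alone shows the VPN brute force and the domain brute force as one picture; with both normalised, the rule also catches "failures then success", which is what turns a noisy alert into the containment action (rotate the credential) that question 155 expects.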

167
Multi-Select · medium

An organization experiences a data breach involving personal information. Which TWO actions should be taken as part of incident response? (Choose two.)

Select 2 answers
A.Immediately issue a press release without consulting legal.
B.Notify the relevant data protection authority within the required timeframe.
C.Ignore the incident if no customers have complained.
D.Conduct a post-incident review to identify lessons learned.
E.Delete all system logs to prevent further exposure.
Answers: B, D

Option B is correct as it is required by regulations.

Why this answer

Options B and D are correct. Notifying the relevant data protection authority within the required timeframe (B) is a regulatory obligation (for example, 72 hours under GDPR Article 33); a post-incident review (D) is best practice. Option A is wrong because any press release must be coordinated with legal and the communications plan. Option C is wrong because the absence of complaints does not mean the breach is harmless. Option E is wrong because logs are needed for the investigation and must be preserved, not deleted.

168
MCQ · hard

During an incident investigation, the team discovers that an attacker used a valid user's credentials to access a sensitive database. The user's account had multi-factor authentication (MFA) enabled. How is this MOST likely possible?

A.MFA was not properly configured
B.The attacker guessed the MFA token
C.The user approved a fraudulent MFA prompt
D.The attacker used a man-in-the-middle attack
Answer: C

Attackers can bombard users with MFA requests until they approve one.

Why this answer

MFA fatigue (push bombing) attacks send repeated push notifications, usually after the password has already been phished or leaked, until the user approves one. Option C fits the scenario: MFA was enabled and working, yet the attacker got in with a valid credential. Option A is less likely because the question states MFA was enabled. Option B is wrong because a time-based or push code cannot realistically be guessed. Option D is a real attack class (adversary-in-the-middle phishing proxies relay the login and capture the session), but nothing in the scenario points to a proxied login, so it is not the most direct explanation.

169
MCQ · medium

A company experiences ransomware that encrypts critical servers. Backups are available but were taken 2 weeks ago. What is the best course?

A.Restore from backups immediately
B.Restore from backups after verifying no residual malware and performing security scans
C.Rebuild servers from scratch
D.Pay the ransom
Answer: B

Correct: Ensures a clean environment before restoration.

Why this answer

Restore from backups after verifying no residual malware and performing security scans to ensure clean restoration.

170
Multi-Select · medium

Which TWO are common challenges in incident management?

Select 2 answers
A.Inadequate communication between teams
B.Lack of executive support
C.Too many technical staff
D.Over-reliance on automation
E.Excessive documentation
Answers: A, B

Correct: Poor communication leads to delays and errors.

Why this answer

Lack of executive support and inadequate communication between teams are frequent obstacles.

171
MCQ · hard

An organization has a distributed incident response team across multiple time zones. During a critical incident, communication delays occur due to different work hours. Which strategy BEST improves coordination and response time?

A.Require all team members to work overlapping shifts
B.Implement a follow-the-sun incident response model
C.Designate a single incident commander for the entire response
D.Outsource incident response to a managed security service provider
Answer: B

Follow-the-sun ensures continuous coverage by handing off between regions.

Why this answer

Implementing a follow-the-sun model (B) ensures that a team is always on duty during its own business hours, with structured handoffs between regions, reducing delays. A single incident commander (C) creates a bottleneck across time zones. Overlapping shifts (A) help but are less comprehensive than follow-the-sun and wear out staff.

Outsourcing (D) may introduce new issues and does not fix coordination within the existing team.

172
MCQ · medium

Refer to the exhibit. An analyst sees this alert on the network. What is the most appropriate immediate action?

A.Ignore the alert as it is likely false positive
B.Investigate the source endpoint for compromise
C.Block the source IP 10.0.1.50
D.Block the destination IP 203.0.113.5
Answer: B

Correct: The internal system is likely compromised and needs examination.

Why this answer

The source IP is internal, so the analyst should investigate the internal system for compromise.
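The reasoning behind questions 165 and 172 (an internal host that normally talks only to internal peers is suddenly connecting out, and the process owner matters) as a baseline-and-deviation check. This is an added example, not code from the page: it builds a profile of which hosts never reached public address space during a baseline period, flags new external destinations from those hosts, and raises severity when the owning process runs as SYSTEM. The address ranges, host names and connection records are constructed assumptions.

```python
"""Baseline-and-deviation check for outbound connections from hosts that are
normally internal-only. Added example; all records are constructed."""
import ipaddress
from collections import defaultdict

# Address space treated as internal. An explicit list is used instead of
# ipaddress.is_private because Python also reports the documentation ranges used
# in this sample (such as 203.0.113.0/24) as non-global. Assumption for the example.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
SYSTEM_USERS = {"SYSTEM", "NT AUTHORITY\\SYSTEM", "LocalSystem"}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


# Constructed records: (host, dst_ip, dst_port, process, user)
BASELINE = [   # a "known good" period used to profile each host
    ("fs01", "10.0.2.15", 445, "System", "SYSTEM"),
    ("fs01", "10.0.2.20", 389, "lsass.exe", "SYSTEM"),
    ("fs01", "10.0.2.21", 88, "lsass.exe", "SYSTEM"),
    ("web01", "10.0.2.15", 445, "w3wp.exe", "IIS APPPOOL\\app"),
    ("web01", "198.51.100.40", 443, "w3wp.exe", "IIS APPPOOL\\app"),  # web01 legitimately calls an external API
]
CURRENT = [    # the period under investigation
    ("fs01", "10.0.2.15", 445, "System", "SYSTEM"),
    ("fs01", "203.0.113.5", 443, "update.exe", "SYSTEM"),   # new external peer, as SYSTEM
    ("fs01", "203.0.113.5", 443, "update.exe", "SYSTEM"),
    ("web01", "198.51.100.40", 443, "w3wp.exe", "IIS APPPOOL\\app"),
    ("web01", "203.0.113.77", 8080, "powershell.exe", "web01\\svc_web"),
    ("ws07", "203.0.113.9", 443, "chrome.exe", "corp\\jdoe"),  # no baseline for ws07: not assessed
]


def build_profile(records):
    """Hosts whose baseline traffic never left internal address space."""
    reached_external = defaultdict(bool)
    for host, dst, *_ in records:
        reached_external[host] |= not is_internal(dst)
    return {host for host, ext in reached_external.items() if not ext}


def external_from_internal_only(records, internal_only_hosts):
    """Findings for external destinations from profiled internal-only hosts,
    de-duplicated per (host, dst, process), SYSTEM-owned connections first."""
    findings = {}
    for host, dst, port, proc, user in records:
        if host not in internal_only_hosts or is_internal(dst):
            continue
        severity = "high" if user in SYSTEM_USERS else "medium"
        entry = findings.setdefault((host, dst, proc),
                                    {"port": port, "user": user, "severity": severity, "count": 0})
        entry["count"] += 1
    return sorted(findings.items(), key=lambda kv: (kv[1]["severity"] != "high", kv[0]))


if __name__ == "__main__":
    for key, detail in external_from_internal_only(CURRENT, build_profile(BASELINE)):
        print(key, detail)
```

Two limits are visible in the sample and are the caveats a practitioner would raise: ws07 has no baseline and is silently skipped, and web01's PowerShell connection is not flagged because the profile is per host rather than per (host, process). Profiling at process granularity catches the second case at the cost of more baseline churn.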

173
MCQ · hard

A multinational financial institution uses a third-party Managed Security Service Provider (MSSP) for 24/7 monitoring of its security infrastructure. During a targeted attack, the MSSP’s analysts detected anomalous activity on a critical server at 2:00 AM. However, due to the service level agreement (SLA) which allows up to 12 hours for notification of lower-priority incidents, the MSSP classified the incident as medium severity and did not notify the internal incident response team until 2:00 PM. By then, the attacker had exfiltrated sensitive customer data. The internal team is conducting a post-incident review. What is the PRIMARY issue that led to the delay?

A.The MSSP analysts lacked technical skills to recognize the incident's true severity
B.The incident severity was incorrectly classified as medium
C.The internal incident response team was not available until 2:00 PM
D.The SLA for notification of medium-severity incidents was too long
Answer: D

The SLA allowed a 12-hour delay which was exploited by the attacker.

Why this answer

The SLA had a notification window that was too long for this type of incident. The classification as medium severity might have been appropriate, but the SLA aggravated the delay. The team's availability and the MSSP's technical skills are secondary or not the root cause.

174
MCQ · medium

An organization's incident response team is conducting a lessons learned meeting after a major incident. Which outcome is MOST critical to document?

A.Root cause analysis
B.Detailed timeline of events
C.List of tools used
D.Total cost of the incident
Answer: A

Root cause identifies underlying issues to prevent recurrence.

Why this answer

Option A is correct because root cause analysis is what prevents recurrence. Option B is wrong because, although the timeline is useful and feeds the root cause analysis, the root cause itself is more critical. Option D is wrong because cost is not the primary learning objective.

Option C is wrong because a list of tools is less strategic.

175
MCQ · hard

A financial institution is hit by a Distributed Denial of Service (DDoS) attack that is overwhelming their internet-facing services. The incident response team activates the plan, but the attack continues to escalate. The CEO is under pressure and asks the incident response manager whether they should pay the ransom demand (the attackers also sent an extortion note demanding payment to stop the attack). The manager must advise the CEO on the best course of action.

A.Engage a DDoS scrubbing service to filter malicious traffic
B.Implement rate limiting on the firewall
C.Shut down all external-facing services
D.Pay the ransom to stop the attack immediately
Answer: A

Scrubbing services can absorb and filter attack traffic while allowing legitimate traffic.

Why this answer

Using a DDoS scrubbing service (cloud-based or on-premises) is the recommended technical defense: traffic is diverted through the scrubbing provider, attack traffic is dropped, and clean traffic is forwarded to the institution. Paying the ransom encourages future attacks and does not guarantee the attack will stop. Rate limiting may affect legitimate traffic.

Shutting down external access is too drastic and impacts business.

176
MCQ · easy

Which of the following is the PRIMARY goal of incident containment?

A.To gather evidence for prosecution.
B.To recover systems to normal operation.
C.To identify the root cause.
D.To prevent further damage and limit the scope of the incident.
Answer: D

Core objective of containment.

Why this answer

Option D is correct because containment aims to prevent further damage and limit the scope of the incident. Options A, B and C are goals of other phases: evidence gathering belongs to investigation, root cause identification to analysis and eradication, and restoring normal operation to recovery.
