Refer to the exhibit. What is most suspicious about this event?
Correct: svchost.exe is a Windows system process and should not run from Temp.
Why this answer
A genuine svchost.exe is loaded from %SystemRoot%\System32 (or SysWOW64 for 32-bit service hosts on 64-bit Windows), is started by services.exe and carries a -k <servicegroup> argument. A copy executing from a user-writable Temp directory is a masquerading indicator: malware borrows the well-known name so the process blends into a task list. When triaging, confirm the image path and the parent process rather than trusting the name alone.
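The rule above as a small detection check, added here as an example and not part of the original question set. It runs over constructed Sysmon-style process-creation records; the field names (image, parent_image, command_line), the trusted directories (assuming a default C:\Windows install root) and the sample events are all assumptions, not data from the exhibit.

```python
from pathlib import PureWindowsPath

# Where a genuine svchost.exe lives (assumes the default C:\Windows install root).
TRUSTED_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
)
EXPECTED_PARENT = "services.exe"   # the Service Control Manager starts every real svchost


def svchost_findings(event: dict) -> list:
    """Return the reasons a process-creation record looks like svchost masquerading.
    An empty list means this rule found nothing; non-svchost images are ignored.
    `event` uses assumed Sysmon-style keys: image, parent_image, command_line."""
    image = PureWindowsPath(event["image"])
    if image.name.lower() != "svchost.exe":
        return []
    reasons = []
    # PureWindowsPath compares case-insensitively, so Temp vs temp does not matter.
    if image.parent not in TRUSTED_DIRS:
        reasons.append("image outside System32/SysWOW64: %s" % image)
    parent = PureWindowsPath(event.get("parent_image", "")).name.lower()
    if parent != EXPECTED_PARENT:
        reasons.append("parent is %s, expected %s" % (parent or "unknown", EXPECTED_PARENT))
    # Real service hosts are always launched as 'svchost.exe -k <group> ...'.
    if " -k " not in event.get("command_line", ""):
        reasons.append("no -k <servicegroup> argument")
    return reasons


def triage(events) -> list:
    """Return (image, reasons) for every record that triggered the rule."""
    out = []
    for e in events:
        reasons = svchost_findings(e)
        if reasons:
            out.append((e["image"], reasons))
    return out


# Constructed sample records (hypothetical; not the exhibit from the question).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "command_line": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
     "parent_image": r"C:\Users\bob\Downloads\invoice.exe",
     "command_line": r"C:\Users\bob\AppData\Local\Temp\svchost.exe"},
    {"image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

The third sample shows why the path check alone is not enough: the binary is the real one in System32, but a parent of explorer.exe means something other than the Service Control Manager launched it, which is worth a look even though the path is clean.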
26 of 176 questions · Page 3/3 · Incident Management topic · Answers revealed
During a post-incident review, the incident response team identifies that the root cause of a data breach was a misconfigured firewall rule that allowed unrestricted inbound access from the internet. Which corrective action BEST addresses this issue?
Change management ensures all rule changes are authorized and reviewed, reducing risk.
Why this answer
Implementing a change management process ensures that firewall rule changes are reviewed and approved before deployment, which prevents this class of misconfiguration from recurring. A one-time review (B) catches today's error but not the next one. Penetration testing (C) identifies exposed rules but does not fix the process that created them. Restoring from backup (D) does not address the configuration issue.
An incident responder is handling a phishing attack that resulted in credential theft. Which TWO actions should be taken FIRST in the containment phase?
Stops further use of the stolen credentials.
Why this answer
Options A and E are correct because resetting the password and disabling the account immediately cut off attacker access. Option B is a good step but not first priority. Option C is forensic, not containment.
Option D is communication, which comes later.
After a major security incident, the incident response team completes the containment, eradication, and recovery phases. The CISO is now planning the post-incident activities. Which activity is MOST critical to ensure that lessons learned are effectively incorporated?
This ensures that the organization learns from the incident and improves future response.
Why this answer
Conducting a post-incident review and updating policies is the most critical post-incident activity because it ensures that the root cause, response gaps, and process deficiencies are formally documented and translated into actionable improvements. This directly supports the continuous improvement cycle required by NIST SP 800-61 and ISO/IEC 27035, preventing recurrence of similar incidents.
Exam trap
ISACA often tests the distinction between operational recovery tasks (restoring systems) and strategic improvement tasks (post-incident review), leading candidates to mistakenly prioritize immediate restoration over the learning process that prevents future incidents.
How to eliminate wrong answers
Option A is wrong because public disclosure is a legal or regulatory obligation (e.g., GDPR breach notification) that does not inherently incorporate lessons learned into internal security controls. Option B is wrong because terminating the incident response team's engagement prematurely closes the feedback loop, preventing the capture of process improvements and forensic findings. Option C is wrong because restoring systems to full production status is an operational recovery step, not a learning activity; it does not address why the incident occurred or how to prevent it.
An organization uses a SIEM to correlate security events. The SIEM generates an alert for a possible brute-force attack against an admin account. The incident response team reviews the alert and finds that the account is a service account with a known password. What should the team do NEXT?
Rotating the password invalidates any credential the attacker may already have obtained or guessed.
Why this answer
The correct next step is to rotate the service account's password: the alert indicates a brute-force attempt, and a password that is "known" (shared or documented) must be treated as compromised. Being a service account does not exempt it; it only changes how the rotation is done. In practice the change is scheduled with the owners of every service that uses the credential so the new secret is updated everywhere at once, and a shared, documented password should afterwards be replaced by a vaulted or managed service-account credential so that it is no longer "known". This aligns with the incident response principle of containing the threat by invalidating the compromised authentication factor.
Exam trap
The trap here is that candidates confuse a service account with a user account and choose to investigate the source IP addresses first, forgetting that containment (password change) must precede investigation when a known credential is involved.
How to eliminate wrong answers
Option A is wrong because notifying the service owner is a communication step that should occur after the immediate threat is contained, not as the next action. Option B is wrong because disabling the service account would disrupt dependent services and applications, potentially causing a larger operational impact than the brute-force attempt itself (a password change also touches those dependents, but the new secret can be rolled out in a coordinated way rather than by taking the account offline). Option C is wrong because while investigating source IP addresses is a valid forensic step, it does not address the immediate risk of a known password being used in an ongoing attack; containment takes priority over investigation.
Which TWO of the following are key performance indicators (KPIs) commonly used to measure the effectiveness of incident management processes?
MTTD measures how quickly an incident is detected, a key indicator of detection capability.
Why this answer
Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) are standard KPIs for incident management effectiveness. The other options are either volume metrics or not specific to incident management.
Which TWO of the following are recommended practices when conducting a post-incident review? (Select TWO)
Lessons learned improve future response.
Why this answer
Correct: Identifying root cause (B) and documenting lessons learned (C) are key. Assigning blame (A) is discouraged. Updating the IRP (D) is a result, but not the review itself.
Reimaging systems (E) is recovery, not review.
A security analyst notices unusual outbound traffic from a server that is not scheduled for any data transfers. Which step should the analyst take FIRST?
Proper escalation ensures formal handling.
Why this answer
Option B is correct because starting documentation and escalation is the proper first step per incident response procedures. Option A is wrong because isolating without analysis may disrupt services. Option C is wrong because ignoring is dangerous.
Option D is wrong because blocking without understanding may hide the issue.
Which THREE elements should be included in an incident response plan to ensure effective communication during a security incident?
Escalation ensures timely involvement of decision-makers.
Why this answer
Option A is correct because escalation procedures define the specific thresholds and contact paths for notifying management and legal teams when an incident exceeds predefined severity levels. This ensures that decision-makers are informed promptly to authorize critical actions like legal holds or regulatory notifications, preventing delays that could worsen the incident's impact.
Exam trap
The trap here is that candidates confuse operational data (like affected systems) with communication plan elements, or they mistakenly think a full public relations strategy must be embedded in the IR plan rather than referenced as a separate document.
Which THREE are essential steps in incident containment? (Choose three.)
Disabling accounts stops attacker access through valid credentials.
Why this answer
Isolating affected systems, disabling compromised accounts, and preserving forensic evidence are critical containment steps. Root cause analysis is part of investigation, and notifying regulators is a post-containment step.
A small business without a dedicated incident response team experiences a suspected breach. Who should be primarily responsible for leading the incident response efforts?
Correct: Brings specialized skills and experience.
Why this answer
Option B is correct because external cybersecurity consultants have the expertise needed. The IT administrator may lack training, the CEO is management, and legal counsel provides advice, not leadership.
Which THREE of the following are key components of an incident response plan? (Select THREE)
Clear communication paths are critical during an incident.
Why this answer
Correct: Response procedures (A), communication escalation (B), and roles and responsibilities (C) are essential. A budget (D) is not typically part of the plan itself. A list of all employees (E) is too detailed and not a core component.
A manufacturing company has an incident response plan that includes a communication plan. However, during a recent ransomware incident, the team realized that the external legal counsel was not listed in the plan. The incident requires consultation with legal due to potential regulatory implications. The incident response manager needs to address this gap quickly. What should the manager do?
Updating the plan to include all necessary stakeholders is essential for effective communication.
Why this answer
The manager should add legal counsel to the communication plan immediately to ensure they are included in future incidents. Ignoring them or delaying notification could worsen regulatory consequences. Using internal legal might not be sufficient for external counsel needs.
After detecting a ransomware infection on a file server, the incident response team performs containment and eradication. Which step should be prioritized during the recovery phase to minimize business impact?
Restoring from backups is the primary recovery method.
Why this answer
Restoring data from clean backups is the most direct way to recover operations without paying ransom. Identifying the vulnerability (B) is part of eradication, not recovery. Negotiating with attackers (A) is discouraged.
Reimaging all servers (D) may be excessive and cause more downtime.
An organization's IDS logs show multiple outbound connections to an external IP address from a server that normally communicates only internally. The logs indicate the process is running under the SYSTEM account. Which of the following BEST describes the likely root cause?
Repeated outbound connections to an external address, made in SYSTEM context from a server that normally communicates only internally, are a classic indicator of a backdoor or remote access Trojan (RAT) installed after an initial compromise.
Why this answer
Persistent outbound connections from the SYSTEM account on a host with no legitimate external traffic suggest a backdoor installed by a prior compromise that allows remote command execution; the SYSTEM context means the attacker has service-level, not merely user-level, control of the server. Before treating it as confirmed, check the process image and its parent and rule out a sanctioned destination such as an update or telemetry endpoint. Option C is correct.
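An added example (not part of the original question set, and not the IDS exhibit) of the baseline-violation logic behind this question and the later "internal source IP" alert: it takes constructed connection records, keeps only those from hosts that are supposed to stay internal, flags destinations outside an assumed RFC 1918 internal address space, and escalates when the connecting process runs as SYSTEM and repeats. The record layout, the internal ranges, the host baseline and the sample data are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed internal address space for the organisation (RFC 1918 ranges).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    """True when the address is outside every internal network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def egress_violations(records, internal_only_hosts):
    """Group outbound connections to external addresses from hosts that should
    never leave the internal network. Each record is a tuple
    (timestamp, src_ip, dst_ip, dst_port, process, user).
    Returns {(src, dst): finding} where finding holds the count, ports,
    processes and whether any connection ran in SYSTEM context."""
    hits = defaultdict(lambda: {"count": 0, "ports": set(), "procs": set(),
                                "system_context": False})
    for ts, src, dst, port, proc, user in records:
        if src not in internal_only_hosts or not is_external(dst):
            continue
        h = hits[(src, dst)]
        h["count"] += 1
        h["ports"].add(port)
        h["procs"].add(proc)
        # 'NT AUTHORITY\SYSTEM' means a service-level process, not a logged-on user.
        if user.upper().endswith("\\SYSTEM"):
            h["system_context"] = True
    return dict(hits)


def severity(finding: dict) -> str:
    """A service-context process that keeps reconnecting is beaconing behaviour."""
    if finding["system_context"] and finding["count"] > 1:
        return "high"
    return "medium"


# Constructed connection records (hypothetical; not from any real sensor).
SAMPLE = [
    ("2024-05-01T02:13:07Z", "10.20.5.14", "10.20.9.3",    445, "System",      "NT AUTHORITY\\SYSTEM"),
    ("2024-05-01T02:13:09Z", "10.20.5.14", "203.0.113.77", 443, "svchost.exe", "NT AUTHORITY\\SYSTEM"),
    ("2024-05-01T02:14:01Z", "10.20.5.14", "203.0.113.77", 443, "svchost.exe", "NT AUTHORITY\\SYSTEM"),
    ("2024-05-01T02:15:30Z", "10.20.7.22", "198.51.100.9", 443, "chrome.exe",  "CORP\\alice"),
]
# Assumed baseline: the file server at 10.20.5.14 only ever talks to internal hosts.
INTERNAL_ONLY_HOSTS = {"10.20.5.14"}

if __name__ == "__main__":
    for (src, dst), f in egress_violations(SAMPLE, INTERNAL_ONLY_HOSTS).items():
        print(severity(f), src, "->", dst, f["count"], "connections", sorted(f["procs"]))
```

The workstation's browser traffic is ignored because the workstation is not in the internal-only baseline; the rule is about hosts that have no business reaching the internet at all, which is what makes the file server's SYSTEM-context connections stand out.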
An organization's incident response team has completed the initial response to a ransomware incident. During the post-incident review, they identify that the detection was delayed because security logs from different systems were not correlated. The team wants to improve detection capabilities. What should the team recommend as the primary improvement?
SIEM correlates logs from multiple sources to detect incidents in a timely manner.
Why this answer
Implementing a SIEM solution provides centralized log collection and correlation, enabling timely detection. Increasing logging without correlation still results in data silos. Hiring more analysts may help but does not address the root cause of poor correlation.
Reducing log retention would hinder forensic analysis.
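An added example, not from the original page, of why correlation matters: a sliding-window count of failed logons per account and source IP, run over constructed events from two log sources (Windows failed-logon records and a VPN gateway). Viewed per source neither stream crosses the threshold; merged, the same events do. It also illustrates the kind of correlated brute-force alert in the earlier SIEM question. The event layout, window, threshold and sample data are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
THRESHOLD = 6   # failures per (account, source IP) inside the window


def _parse(ts: str) -> datetime:
    """ISO-8601 with a trailing Z, as exported by most log shippers."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def correlate_failed_logons(events, window=WINDOW, threshold=THRESHOLD, per_source=False):
    """Sliding-window count of failed logons per (account, src_ip).
    events: iterable of (source, iso_timestamp, account, src_ip).
    per_source=True keeps each log source in its own bucket (the uncorrelated,
    siloed view); per_source=False merges sources (the SIEM view).
    Returns {key: {"count", "sources", "first", "last"}} for every key that
    crossed the threshold, recorded at the first crossing only."""
    ordered = sorted(events, key=lambda e: e[1])
    buckets = defaultdict(deque)
    alerts = {}
    for source, ts, account, ip in ordered:
        t = _parse(ts)
        key = (account, ip, source) if per_source else (account, ip)
        q = buckets[key]
        q.append((t, source))
        while q and t - q[0][0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = {
                "count": len(q),
                "sources": sorted({s for _, s in q}),
                "first": q[0][0].isoformat(),
                "last": t.isoformat(),
            }
    return alerts


# Constructed events (hypothetical): four Windows failures and four VPN failures
# for the same service account from the same address, plus one benign failure.
SAMPLE_EVENTS = [
    ("winlog", "2024-05-01T03:00:02Z", "svc_backup", "192.0.2.10"),
    ("vpn",    "2024-05-01T03:00:05Z", "svc_backup", "192.0.2.10"),
    ("winlog", "2024-05-01T03:00:20Z", "svc_backup", "192.0.2.10"),
    ("vpn",    "2024-05-01T03:00:31Z", "svc_backup", "192.0.2.10"),
    ("winlog", "2024-05-01T03:00:47Z", "svc_backup", "192.0.2.10"),
    ("vpn",    "2024-05-01T03:01:03Z", "svc_backup", "192.0.2.10"),
    ("winlog", "2024-05-01T03:01:20Z", "svc_backup", "192.0.2.10"),
    ("vpn",    "2024-05-01T03:01:44Z", "svc_backup", "192.0.2.10"),
    ("winlog", "2024-05-01T03:02:10Z", "alice",      "10.20.7.22"),
]

if __name__ == "__main__":
    print("siloed :", correlate_failed_logons(SAMPLE_EVENTS, per_source=True))
    print("merged :", correlate_failed_logons(SAMPLE_EVENTS))
```

The merged view alerts on the sixth failure, about a minute into the attempt; the siloed view never alerts, because each source sees only four failures. That gap is the "delayed detection" the post-incident review identified, and it is closed by centralising the streams rather than by collecting more of them separately.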
An organization experiences a data breach involving personal information. Which TWO actions should be taken as part of incident response? (Choose two.)
Option B is correct as it is required by regulations.
Why this answer
Options B and D are correct. B is required by regulations; D is best practice. Option A is wrong; Option C is wrong because logs are needed for investigation; Option E is wrong because press release should be coordinated.
During an incident investigation, the team discovers that an attacker used a valid user's credentials to access a sensitive database. The user's account had multi-factor authentication (MFA) enabled. How is this MOST likely possible?
Attackers can bombard users with MFA requests until they approve one.
Why this answer
MFA fatigue attacks involve repeatedly sending push notifications until the user approves one. Option A is less likely; Option C would not bypass MFA; Option D is not direct.
A company experiences ransomware that encrypts critical servers. Backups are available but were taken 2 weeks ago. What is the best course?
Correct: Ensures a clean environment before restoration.
Why this answer
Restore from the backups after confirming they predate the infection and contain no residual malware, and scan the rebuilt systems before reconnecting them to the network. The two-week data gap is a recovery cost to be documented and worked through, not a reason to pay the ransom.
Which TWO are common challenges in incident management?
Correct: Poor communication leads to delays and errors.
Why this answer
Lack of executive support and inadequate communication between teams are frequent obstacles.
An organization has a distributed incident response team across multiple time zones. During a critical incident, communication delays occur due to different work hours. Which strategy BEST improves coordination and response time?
Follow-the-sun ensures continuous coverage by handing off between regions.
Why this answer
Implementing a follow-the-sun model ensures that a team is always available during business hours, reducing delays. A single point of contact (A) creates a bottleneck. Overlapping schedules (B) helps but not as comprehensive as follow-the-sun.
Outsourcing (D) may introduce new issues.
Refer to the exhibit. An analyst sees this alert on the network. What is the most appropriate immediate action?
Correct: The internal system is likely compromised and needs examination.
Why this answer
The source IP is internal, so the analyst should investigate the internal system for compromise.
A multinational financial institution uses a third-party Managed Security Service Provider (MSSP) for 24/7 monitoring of its security infrastructure. During a targeted attack, the MSSP’s analysts detected anomalous activity on a critical server at 2:00 AM. However, due to the service level agreement (SLA) which allows up to 12 hours for notification of lower-priority incidents, the MSSP classified the incident as medium severity and did not notify the internal incident response team until 2:00 PM. By then, the attacker had exfiltrated sensitive customer data. The internal team is conducting a post-incident review. What is the PRIMARY issue that led to the delay?
The SLA's 12-hour notification window for medium-severity incidents gave the attacker time to complete the exfiltration.
Why this answer
The SLA's notification window was far too long for activity on a critical server. The medium-severity classification may have been defensible under the MSSP's rules, but the SLA turned that classification into a 12-hour blind spot. The internal team's availability and the MSSP's technical skills are secondary and not the root cause.
An organization's incident response team is conducting a lessons learned meeting after a major incident. Which outcome is MOST critical to document?
Root cause identifies underlying issues to prevent recurrence.
Why this answer
Option B is correct because root cause analysis is what prevents recurrence. Option A is wrong: although the timeline is useful, the root cause is more critical. Option C is wrong because cost is not the primary learning objective. Option D is wrong because a list of tools used is less strategic.
A financial institution is hit by a Distributed Denial of Service (DDoS) attack that is overwhelming their internet-facing services. The incident response team activates the plan, but the attack continues to escalate. The CEO is under pressure and asks the incident response manager whether they should pay the ransom demand (the attackers also sent an extortion note demanding payment to stop the attack). The manager must advise the CEO on the best course of action.
Scrubbing services can absorb and filter attack traffic while allowing legitimate traffic.
Why this answer
Using DDoS scrubbing services (cloud-based or on-premise) is the recommended technical defense. Paying the ransom encourages future attacks and does not guarantee the attack will stop. Rate limiting may affect legitimate traffic.
Shutting down external access is too drastic and impacts business.
Which of the following is the PRIMARY goal of incident containment?
Core objective of containment.
Why this answer
Option C is correct because containment aims to prevent further damage and limit scope. Options A, B, D are goals of other phases.