- A. Contact law enforcement immediately.
  Why wrong: Law enforcement contact is not an immediate step in initial containment.
- B. Isolate the workstation from the network.
  Correct: Isolation contains the threat and prevents spread.
- C. Analyze the macro code in a sandbox.
  Why wrong: Analysis is important but not immediate; containment takes priority.
- D. Block the malicious domain at the email gateway.
  Correct: Blocking the domain prevents additional emails from reaching users.
- E. Delete the phishing email from all mailboxes.
  Why wrong: Deleting the email destroys evidence; preserve it.
Quick Answer
The answer is to block the malicious domain at the email gateway and isolate the workstation from the network. These two immediate containment actions for a phishing incident stop the attack at its source and cut off the compromised system from the attacker’s command-and-control server, preventing data exfiltration and lateral movement. Blocking the domain at the gateway prevents further malicious emails from reaching other users, while isolation aligns with the NIST SP 800-61 containment strategy of stopping the spread before deeper analysis. On the ISC2 Certified in Cybersecurity CC exam, this question tests your ability to prioritize containment over eradication or recovery—a common trap is choosing to delete the email or run antivirus first, which are later steps. Remember the memory tip: “Gateway and isolate—don’t hesitate.” This pairs the two immediate actions: stop the inbound threat at the gateway, then isolate the infected host to sever the attacker’s remote control.
ISC2 CC Security Operations Practice Question
This CC practice question tests your understanding of security operations. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A SOC analyst is investigating an incident where an employee's workstation was compromised via a phishing email. The analyst has captured the following indicators: the email originated from a known malicious domain, the attachment was a macro-enabled document, and the macro executed a PowerShell command that downloaded a payload from a remote server. Which TWO actions should the analyst take immediately as part of the incident response process? (Choose two.)
Clue words in this question
Noticing these words before you look at the options changes how you read each choice.
Clue: "immediately / without restart"
Why it matters: Time or reboot constraint — the correct answer must take effect right away without requiring a reboot or reload.
Why each option matters
Correct answer & explanation
Isolate the workstation from the network.
Option B is correct because isolating the workstation from the network is a critical containment step in incident response. It immediately stops the compromised system from communicating with the attacker's command-and-control server, preventing further data exfiltration or lateral movement. This aligns with the NIST SP 800-61 containment strategy, which prioritizes stopping the spread of an incident before deeper analysis.
Key principle: answer the scenario, not the keyword. Identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✗
Contact law enforcement immediately.
Why it's wrong here
Law enforcement contact is not an immediate step in initial containment.
- ✓
Isolate the workstation from the network.
Why this is correct
Isolation contains the threat and prevents spread.
Clue confirmation
The clue word "immediately / without restart" in the question points toward this answer.
Related concept
Read the scenario before looking for a memorised answer.
- ✗
Analyze the macro code in a sandbox.
Why it's wrong here
Analysis is important but not immediate; containment takes priority.
- ✓
Block the malicious domain at the email gateway.
Why this is correct
Blocking the domain prevents additional emails from reaching users.
Clue confirmation
The clue word "immediately / without restart" in the question points toward this answer.
Related concept
Read the scenario before looking for a memorised answer.
- ✗
Delete the phishing email from all mailboxes.
Why it's wrong here
Deleting the email destroys evidence; preserve it.
Common exam traps
Common exam trap: answer the scenario, not the keyword
ISC2 often tests the distinction between immediate containment actions (isolate, block at gateway) and later forensic or administrative steps (analyze macro, contact law enforcement, delete emails) to see if candidates understand the priority of stopping the threat first.
Detailed technical explanation
How to think about this question
In a phishing incident involving a macro-enabled document, the PowerShell command often uses techniques like Invoke-WebRequest or System.Net.WebClient to download a payload. Isolating the workstation (e.g., via network access control or disabling the NIC) cuts off the outbound TCP connection to the remote server, which is essential because the payload may be a dropper that establishes persistence or a backdoor. Blocking the malicious domain at the email gateway leverages DNS or SMTP filtering to prevent the same threat from reaching other users, which is a proactive containment measure at the perimeter.
Key Concepts to Remember
- Read the scenario before looking for a memorised answer.
- Find the constraint that changes the correct option.
- Eliminate answers that are true in general but not in this case.
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
An employee at a financial services firm receives an email that appears to come from the IT helpdesk, asking them to reset their password via a link. The link leads to a convincing fake portal that harvests credentials. Security teams use phishing simulations and security-awareness training to reduce this attack vector. Questions like this test whether you can identify social engineering techniques and appropriate controls.
FAQ
Questions learners often ask
What does this CC question test?
Security Operations — this question tests Security Operations. Read the scenario before looking for a memorised answer.
What is the correct answer to this question?
The correct answer is: Isolate the workstation from the network. — Option B is correct because isolating the workstation from the network is a critical containment step in incident response. It immediately stops the compromised system from communicating with the attacker's command-and-control server, preventing further data exfiltration or lateral movement. This aligns with the NIST SP 800-61 containment strategy, which prioritizes stopping the spread of an incident before deeper analysis.
What should I do if I get this CC question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
Are there clue words in this question I should notice?
Yes — watch for: "immediately / without restart". Time or reboot constraint — the correct answer must take effect right away without requiring a reboot or reload.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
Last reviewed: Jun 30, 2026