CCNA Incident Response and Recovery Questions

67 questions · Incident Response and Recovery · All types, answers revealed

Question 1 · MCQ · hard

During a forensic investigation, you find that the attacker used a legitimate Windows tool to exfiltrate data. Which tool is commonly abused for this purpose?

A. Telnet
B. Netcat
C. PowerShell
D. FTP
Answer: C

PowerShell is native to Windows and frequently used for file exfiltration due to its flexibility.

Why this answer

PowerShell is a legitimate Windows administrative tool that attackers commonly abuse for data exfiltration because it provides native access to network protocols (e.g., HTTP, HTTPS, FTP, SMB) and can download/upload files directly from the command line without additional binaries. Its deep integration with the Windows operating system allows scripts to run in memory, bypassing traditional file-based detection mechanisms, making it a favored tool for post-exploitation data theft.

Exam trap

The trap here is that candidates often associate Netcat (a classic hacking tool) with data exfiltration, but the question specifically requires a 'legitimate Windows tool,' and PowerShell is the correct answer because it is built-in and widely abused, whereas Netcat is not native to Windows.

How to eliminate wrong answers

Option A is wrong because Telnet is an unencrypted remote terminal protocol (RFC 854) that lacks native file transfer capabilities; while it can be used to send data manually, it is not commonly abused for automated or stealthy exfiltration due to its lack of encryption and limited scripting support. Option B is wrong because Netcat is a third-party network utility (not a legitimate Windows built-in tool) that can be used for data exfiltration, but the question specifies a 'legitimate Windows tool,' and Netcat is not included by default in Windows. Option D is wrong because FTP is a file transfer protocol that can be used for exfiltration, but the built-in Windows FTP client (ftp.exe) is deprecated and less commonly abused compared to PowerShell, which offers more flexibility and is present on all modern Windows systems.

Question 2 · Matching · medium

Match each incident response phase to its activity.

Descriptions

Train staff and establish policies
Identify potential incidents
Isolate affected systems
Restore normal operations

Why these pairings

These are key phases of the incident response process.

Question 3 · MCQ · easy

A user reports that their computer is displaying a fake antivirus warning that demands payment. This is an example of which type of attack?

A. Social engineering
B. Ransomware
C. Phishing
D. Scareware
Answer: D

Scareware presents fake security warnings to coerce payment.

Why this answer

Scareware is a type of malware that uses social engineering to trick users into believing their system is infected, then demands payment for a fake removal tool. The fake antivirus warning is a classic scareware tactic, as it creates urgency and fear to coerce payment, unlike ransomware which encrypts files and demands a ransom for decryption.

Exam trap

The trap here is that candidates confuse scareware with ransomware because both demand payment, but scareware does not encrypt files or lock the system—it only displays a fake warning, which is a key distinction tested on the SSCP exam.

How to eliminate wrong answers

Option A is wrong because social engineering is a broad manipulation technique that can be used in many attacks, but the specific attack described (fake antivirus demanding payment) is a form of scareware, not a standalone social engineering attack. Option B is wrong because ransomware typically encrypts files or locks the system and demands payment for decryption or access, whereas scareware only displays a fake warning without actually encrypting data. Option C is wrong because phishing is a social engineering attack that uses deceptive emails or websites to steal credentials or sensitive information, not to display fake antivirus warnings demanding payment.

Question 4 · Multi-Select · hard

Which THREE types of evidence are MOST important to collect from a compromised Linux server during forensic acquisition?

Select 3 answers
A. List of running processes
B. Full disk image
C. Network packet captures
D. Contents of RAM (memory dump)
E. System log files
Answers: A, D, E

Processes show malicious activity.

Why this answer

A is correct because capturing a list of running processes from a compromised Linux server preserves volatile evidence of active malicious processes, such as reverse shells or cryptominers, that would be lost on shutdown. This aligns with the order of volatility (RFC 3227), which prioritizes capturing volatile data like process lists before acquiring less volatile evidence like disk images.

Exam trap

The trap here is that candidates often prioritize a full disk image (Option B) as the most critical evidence, overlooking that volatile data (processes, memory, logs) must be collected first to preserve evidence that disappears on shutdown, as per the order of volatility.

Question 5 · MCQ · easy

A medium-sized company recently experienced a phishing attack where an employee downloaded a malicious attachment, leading to a data breach. The incident response team has identified the affected user and the malware. However, the team is unsure whether the attacker has established persistence. The security analyst must recommend the next step. The company has a standard incident response plan that includes detection, containment, eradication, recovery, and lessons learned. The malware sample has been isolated for analysis. The user's account has been disabled temporarily. The network team has quarantined the user's workstation. The analyst needs to ensure the attacker cannot regain access after the initial cleanup. What should the analyst recommend next?

A. Check system logs for unauthorized registry modifications, scheduled tasks, or startup entries.
B. Perform a full malware analysis of the file to understand its capabilities.
C. Notify affected customers immediately as required by data breach notification laws.
D. Reimage the user's workstation from a known good backup.
Answer: A

Correct: This directly checks for common persistence mechanisms used by attackers.

Why this answer

Option A is correct because the immediate priority after containment is to identify and remove any persistence mechanisms the attacker may have established. Checking system logs for unauthorized registry modifications (e.g., Run keys), scheduled tasks (e.g., schtasks), and startup entries (e.g., Startup folder or services) directly addresses the uncertainty about persistence. This step ensures the attacker cannot regain access after cleanup, aligning with the eradication phase of the incident response plan.

Exam trap

The trap here is that candidates may jump to reimaging (Option D) as a quick fix, but without first verifying and removing persistence, the attacker could have established footholds on other systems or in the backup itself, making reimaging ineffective.

How to eliminate wrong answers

Option B is wrong because performing a full malware analysis is a secondary step that can occur in parallel or after eradication; it does not directly address the immediate need to check for persistence mechanisms. Option C is wrong because notifying affected customers is part of the lessons learned or legal compliance phase, which occurs after containment, eradication, and recovery, not before ensuring the attacker cannot regain access. Option D is wrong because reimaging the workstation from a known good backup is a recovery step that assumes persistence has been checked and removed; if the backup itself is compromised or persistence exists elsewhere, reimaging alone may not prevent re-infection.

Question 6 · MCQ · easy

A company is developing an incident response plan. Which of the following stakeholders should be included in the initial planning phase?

A. External legal counsel
B. Internal audit
C. Only IT staff
D. Business unit leaders
Answer: D

They provide critical insight into business processes and priorities.

Why this answer

Business unit leaders (Option D) are essential in the initial planning phase because they define the critical assets, operational priorities, and recovery time objectives (RTOs) that shape the incident response strategy. Without their input, the plan may fail to align with business continuity requirements, leading to ineffective resource allocation during an actual incident.

Exam trap

The trap here is that candidates often assume incident response is purely a technical function, leading them to choose 'Only IT staff' (Option C), but the SSCP exam emphasizes that effective planning requires input from business stakeholders to ensure the plan supports organizational resilience, not just technical recovery.

How to eliminate wrong answers

Option A is wrong because external legal counsel is typically consulted during the later stages of plan development or during an actual incident to address regulatory compliance and liability, not during the initial planning phase where internal stakeholders define scope and priorities. Option B is wrong because internal audit provides oversight and compliance validation after the plan is drafted, not during initial planning; their role is to test controls, not to define incident response strategy. Option C is wrong because limiting planning to only IT staff ignores the cross-functional impact of incidents—business units, legal, HR, and PR must be involved to ensure the plan addresses communication, data classification, and operational continuity beyond technical remediation.

Question 7 · MCQ · easy

If the web server is compromised, which of the following is a likely immediate risk?

A. Direct compromise of the database server
B. Loss of web application data
C. Denial of service to the web server
D. Compromise of user credentials
Answer: A

The lack of internal firewall allows the attacker to pivot to the database.

Why this answer

When a web server is compromised, the immediate risk is direct compromise of the database server because the web server typically holds the database credentials (e.g., in a configuration file like wp-config.php or appsettings.json) and has a trusted network path to the database. An attacker can pivot from the web server to the database server using those credentials, often over port 3306 (MySQL) or 1433 (MSSQL), without needing to bypass additional authentication.

Exam trap

ISC2 often tests the concept that a compromised web server is a pivot point to the database, and the trap here is that candidates mistakenly think 'loss of web application data' or 'compromise of user credentials' is immediate, when in fact those require additional steps after the initial foothold.

How to eliminate wrong answers

Option B is wrong because loss of web application data is a consequence, not an immediate risk; the attacker must first access the database or file system to delete or corrupt data, which is a later step after compromise. Option C is wrong because denial of service to the web server is an attack vector, not a risk that follows from the web server already being compromised; once compromised, the attacker controls the server and can maintain availability for their own purposes. Option D is wrong because compromise of user credentials is a potential outcome, but it is not immediate; the attacker must first extract credentials from the web server's memory, logs, or database, which requires additional steps like dumping process memory or querying the database.

Question 8 · MCQ · medium

A security analyst detects unusual outbound traffic from a server that normally communicates only with internal systems. The firewall logs show connections to an external IP address on port 443/tcp. Which incident response step should the analyst perform FIRST?

A. Run a full antivirus scan on the server.
B. Isolate the server from the network.
C. Immediately shut down the server.
D. Disconnect the entire network segment.
Answer: B

Containment stops the threat from causing further damage.

Why this answer

The unusual outbound traffic to an external IP on port 443/tcp from a server that normally only communicates internally indicates a potential compromise, such as a command-and-control (C2) channel. The first priority in incident response is containment to prevent further data exfiltration or lateral movement, and isolating the server from the network achieves this without destroying volatile evidence. Shutting down the server or running an antivirus scan could destroy memory-resident malware or forensic artifacts, violating the order of volatility.

Exam trap

ISC2 often tests the misconception that immediate shutdown or antivirus scanning is the correct first step, but the trap here is that containment (isolation) must precede any destructive or investigative actions to preserve evidence and limit damage.

How to eliminate wrong answers

Option A is wrong because running a full antivirus scan on the server may alter volatile data (e.g., running processes, network connections) and could trigger the malware to wipe evidence or escalate its behavior, violating the principle of preserving forensic integrity. Option C is wrong because immediately shutting down the server destroys volatile evidence in memory (e.g., active C2 sessions, encryption keys) and may cause the malware to activate a kill switch, whereas isolation preserves the system state for analysis. Option D is wrong because disconnecting the entire network segment is overly disruptive and may impact critical business operations unnecessarily; the correct containment step is to isolate only the compromised server to minimize collateral damage.

Question 9 · Multi-Select · hard

During forensic analysis, which THREE pieces of evidence should be preserved in original form?

Select 3 answers
A. Network traffic capture
B. Screenshots of malware dialogs
C. System event logs exported to CSV
D. RAM dump
E. Hard drive image
Answers: A, D, E

PCAP files preserve network evidence.

Why this answer

Network traffic captures (e.g., PCAP files) are raw, bit-for-bit recordings of network packets. They preserve the original timing, headers, and payloads without any transformation, which is critical for accurate forensic reconstruction and chain of custody. Any conversion or export (like CSV) would strip metadata and alter the original evidence.

Exam trap

ISC2 often tests the distinction between original/volatile evidence and derivative/converted evidence, trapping candidates who think exported logs or screenshots are acceptable substitutes for the raw, unaltered source.

Question 10 · MCQ · easy

An organization experiences a ransomware attack that encrypts critical data. The incident response team isolates affected systems. What is the NEXT step?

A. Reimage systems
B. Notify law enforcement
C. Identify the root cause
D. Restore from backup
Answer: C

After containment, the team must analyze to determine the cause before proceeding to eradication.

Why this answer

After isolating affected systems to contain the ransomware, the next step is to identify the root cause (e.g., how the ransomware entered, which vulnerability was exploited, or which user account was compromised). This aligns with the NIST SP 800-61 incident response lifecycle, where identification and analysis precede eradication and recovery. Without determining the root cause, reimaging or restoring from backup risks reinfection or missing a persistent backdoor.

Exam trap

The trap here is that candidates often jump to 'Restore from backup' (Option D) as the immediate next step, but the SSCP exam emphasizes that containment and root cause analysis must precede recovery to prevent reinfection and ensure the backup is clean.

How to eliminate wrong answers

Option A is wrong because reimaging systems before identifying the root cause may destroy forensic evidence and fail to address the initial infection vector, potentially allowing the attack to recur. Option B is wrong because notifying law enforcement is a legal or compliance step that typically occurs after containment and root cause analysis, and it is not a technical incident response step. Option D is wrong because restoring from backup before understanding the root cause could restore encrypted or compromised data, and the backup itself might be infected or the same vulnerability could be exploited again.

Question 11 · MCQ · medium

An organization's incident response plan is tested annually. After a real incident, the team finds that the plan did not address cloud-based assets. What is the BEST action?

A. Migrate all cloud assets back on-premises
B. Retrain the IR team on cloud incident response
C. Create a separate cloud incident response plan
D. Update the incident response plan to include cloud scenarios
Answer: D

The plan must be revised based on lessons learned.

Why this answer

The plan should be updated to include cloud assets. Option D is correct. Option A only addresses the symptom; Option B may be unnecessary; Option C adds complexity.

Question 12 · MCQ · medium

A company uses a SIEM to detect anomalies. An alert indicates a user logged in from two geographically distant locations within 5 minutes. What is the most likely indication?

A. Insider threat
B. Time synchronization issue
C. Credential theft and reuse
D. Misconfigured VPN
Answer: C

This is a classic sign of stolen credentials being used by an attacker.

Why this answer

Option C is correct because such a scenario strongly suggests credential theft and reuse, where an attacker has obtained the user's credentials and is using them from a different location. Option A (insider threat) is less likely, as an insider would not typically need to hop between distant locations this rapidly. Option B (time synchronization issue) is possible but less common.

Option D (misconfigured VPN) would cause log inconsistencies but not typically this pattern.

Question 13 · Multi-Select · easy

Which TWO of the following are considered key components of a disaster recovery plan?

Select 2 answers
A. SLA (Service Level Agreement)
B. RPO (Recovery Point Objective)
C. RTO (Recovery Time Objective)
D. BCP (Business Continuity Plan)
E. MTBF (Mean Time Between Failures)
Answers: B, C

RPO defines the maximum acceptable data loss in terms of time.

Why this answer

RPO and RTO are fundamental metrics in a disaster recovery plan. RPO defines the maximum acceptable data loss measured in time, dictating the frequency of backups. RTO defines the maximum acceptable downtime after a disaster, setting the target for system restoration.

Both directly drive the technical design of replication, backup schedules, and failover procedures.

Exam trap

ISC2 often tests the distinction between DR plan components (RPO/RTO) and broader business continuity concepts (BCP) or contractual metrics (SLA), leading candidates to confuse SLA with RTO or think BCP is part of the DR plan itself.

Question 14 · MCQ · medium

Refer to the exhibit. The security analyst sees this event from a user workstation. What is the most likely conclusion?

A. Malware is spreading
B. A legitimate administrator added a user
C. A user is trying to escalate privileges
D. A failed login attempt
Answer: C

The net localgroup command is often used for privilege escalation.

Why this answer

The event shows a user account (likely a standard user) attempting to add itself to a privileged group such as the local Administrators group. This action requires administrative rights, and the attempt by a non-admin user to modify group membership is a classic privilege escalation technique. The security analyst should recognize this as an unauthorized attempt to gain higher access, not a normal administrative action.

Exam trap

ISC2 often tests the distinction between a legitimate administrative action and a privilege escalation attempt by hiding the user context — the trap here is assuming that any group addition is benign, when the key detail is that the action was performed from a non-privileged account.

How to eliminate wrong answers

Option A is wrong because the event describes a single user account modification, not the lateral movement or file propagation characteristic of malware spreading. Option B is wrong because a legitimate administrator would typically use a dedicated admin account or a tool like 'net localgroup Administrators /add' with proper elevation, not from a standard user workstation without evidence of administrative context. Option D is wrong because the event shows a successful addition of a user to a group, not a failed authentication attempt (which would generate Event ID 4625, not 4732 or similar group membership events).

Question 15 · MCQ · medium

A company detects ransomware on a file server. The ransomware is currently encrypting files. Which containment strategy should be implemented FIRST?

A. Run antivirus to remove the ransomware
B. Notify all users to change passwords
C. Disconnect the server from the network
D. Restore files from backup
Answer: C

Network isolation prevents lateral movement and further encryption.

Why this answer

Option C is correct because the immediate priority in ransomware containment is to isolate the compromised server from the network to prevent the encryption process from spreading to other systems. Disconnecting the network cable or disabling the network interface stops the ransomware from communicating with command-and-control servers and blocks lateral movement via SMB or other protocols. This containment step must occur before any remediation like antivirus scans or file restoration.

Exam trap

The trap here is that candidates often choose to run antivirus first, thinking removal stops the attack, but the SSCP exam emphasizes that containment (stopping the spread) must precede eradication (removing the malware).

How to eliminate wrong answers

Option A is wrong because running antivirus on an actively encrypting server may trigger the ransomware to accelerate encryption or delete files, and removal does not stop the ongoing encryption process. Option B is wrong because notifying users to change passwords is a post-containment or post-incident step; it does not halt the active encryption or network propagation of the ransomware. Option D is wrong because restoring files from backup should only be performed after the ransomware is fully contained and removed; attempting restoration while the ransomware is active will result in immediate re-encryption of restored files.

Question 16 · MCQ · easy

Refer to the exhibit. A network administrator implements this ACL on a border router. What is the effect?

A. SSH to 192.168.1.100 is permitted from any source
B. SSH is completely blocked
C. All traffic to 192.168.1.100 is permitted
D. Only SSH from external networks is blocked
Answer: A

The permit rule applies to any source destined to that host on port 22.

Why this answer

Option A is correct because the ACL explicitly permits TCP traffic sourced from any IP address destined to 192.168.1.100 on port 22, which is the default port for SSH. Since the ACL is applied inbound on the border router's external interface, it allows SSH connections from any external source to reach the internal host 192.168.1.100, while implicitly denying all other traffic.

Exam trap

ISC2 often tests the implicit deny all at the end of an ACL, leading candidates to mistakenly think that only explicitly denied traffic is blocked, when in fact all traffic not explicitly permitted is denied.

How to eliminate wrong answers

Option B is wrong because the ACL does not block SSH; it explicitly permits SSH to 192.168.1.100, so SSH is not completely blocked. Option C is wrong because the ACL only permits TCP port 22 (SSH) to 192.168.1.100; all other traffic to that IP is implicitly denied by the implicit deny all at the end of the ACL. Option D is wrong because the ACL permits SSH from any source, including external networks, so SSH from external networks is not blocked; it is allowed.

Question 17 · Multi-Select · medium

Which TWO actions are part of the containment phase of incident response?

Select 2 answers
A. Restoring from backups
B. Analyzing root cause
C. Applying temporary patches
D. Isolating affected systems
E. Preserving evidence
Answers: C, D

Temporary patches can contain the vulnerability while permanent fixes are developed.

Why this answer

During the containment phase of incident response, the immediate priority is to stop the incident from spreading or causing further damage. Applying temporary patches (C) can quickly close a vulnerability that is being exploited, while isolating affected systems (D) prevents lateral movement and further compromise. Both actions are short-term measures to contain the threat before eradication and recovery begin.

Exam trap

ISC2 often tests the distinction between containment actions (immediate stop-gap measures) and recovery or analysis actions, so candidates mistakenly select 'restoring from backups' or 'analyzing root cause' as containment steps.

Question 18 · MCQ · hard

An organization has suffered a sophisticated attack where the attacker compromised a domain controller and used it to move laterally to several file servers. The incident response team has isolated the domain controller and some file servers, but they suspect that the attacker may have created hidden accounts and modified permissions to maintain access. The team needs to ensure that the attacker's access is entirely removed before restoring operations. The organization has a large number of users and complex Active Directory structure. The incident response plan outlines containment, eradication, recovery, and post-incident analysis. The team has forensic imaging of the domain controller and file servers. What is the MOST comprehensive approach to eradicate the attacker's presence?

A. Reset all domain user passwords and force a password change at next logon.
B. Use a tool to scan for hidden accounts and reset permissions on all file servers.
C. Perform a forensic analysis of the domain controller to identify all backdoors, hidden accounts, and unauthorized permission changes.
D. Rebuild the domain controller from a known good backup and reset all service account passwords.
Answer: C

Correct: Forensic analysis provides a complete picture of the attacker's actions and allows targeted eradication.

Why this answer

Option C is correct because the most comprehensive approach to eradicate an attacker's presence after a domain controller compromise is to perform a forensic analysis of the domain controller. This analysis can identify all backdoors, hidden accounts (e.g., accounts with the 'ACCOUNTDISABLE' flag removed or created via 'net user' with hidden attributes), unauthorized permission changes (e.g., modified ACLs on AD objects), and other persistence mechanisms like scheduled tasks or service principal name (SPN) modifications. Without this deep analysis, the attacker's access may persist even after password resets or server rebuilds.

Exam trap

The trap here is that candidates often choose password resets or backup restoration as a quick fix, but fail to recognize that sophisticated attackers implant multiple persistence mechanisms (e.g., hidden accounts, modified ACLs, domain-level backdoors) that survive these actions without a comprehensive forensic analysis.

How to eliminate wrong answers

Option A is wrong because resetting all domain user passwords and forcing a password change at next logon does not remove hidden accounts, backdoors, or unauthorized permission changes; the attacker could still use hidden accounts or modified ACLs to regain access. Option B is wrong because scanning for hidden accounts and resetting permissions on file servers only addresses lateral movement targets, not the root compromise on the domain controller; the attacker could still leverage domain-level persistence (e.g., Golden Ticket, DCSync rights) to re-compromise the environment. Option D is wrong because rebuilding the domain controller from a known good backup may reintroduce the same vulnerabilities if the backup is from after the compromise, and resetting only service account passwords does not address hidden user accounts or modified permissions on the domain controller or file servers.

Question 19 · MCQ · hard

You are the incident response lead for a medium-sized financial services company. The company uses a hybrid infrastructure with on-premises servers (Active Directory, file shares, and a SQL database) and cloud services (Office 365, Azure VMs). At 2:00 PM on a Tuesday, the helpdesk receives multiple calls that users cannot access the file shares. Simultaneously, the SOC alerts on unusual outbound traffic from the domain controller (DC) to an external IP on port 443. The DC is also running a scheduled antivirus scan. The file server (FS) shows no signs of compromise but is responding slowly. The backup system reports that last night's backup of the DC failed due to a 'volume shadow copy error'. The backup of the FS succeeded. You need to take immediate action. What should you do FIRST?

A. Run a full malware scan on the domain controller.
B. Restore the file server from last night's backup.
C. Isolate the domain controller from the network.
D. Disable the domain controller's antivirus to improve performance.
Answer: C

Immediate containment stops the attack and preserves evidence.

Why this answer

The domain controller (DC) is showing signs of active compromise: unusual outbound traffic on port 443 (likely C2 communication) and a failed backup due to a volume shadow copy error (indicating attempted destruction of forensic evidence). Isolating the DC first stops the attacker's command-and-control channel and prevents lateral movement, which is the highest priority in incident response. Running a scan or restoring other systems before containment risks allowing the attacker to spread or destroy more data.

Exam trap

The trap here is that candidates see a failed backup and slow file server and jump to recovery actions (restore or scan), failing to recognize that the DC's outbound traffic and VSS error are the highest-priority indicators of an active breach requiring immediate containment.

How to eliminate wrong answers

Option A is wrong because running a full malware scan on a potentially compromised DC while it is still connected to the network could alert the attacker, trigger destructive actions, or allow the scan to be tampered with; containment must precede any scanning. Option B is wrong because restoring the file server from backup does not address the active threat on the DC, and the file server shows no signs of compromise—restoring it prematurely could reintroduce a vulnerability if the DC is later used to reinfect it. Option D is wrong because disabling the antivirus on the DC would remove a critical defense layer, potentially allowing the attacker to operate unimpeded; the antivirus scan is not the cause of the performance issue—the compromise is.

Question 20 · MCQ · medium

In a forensic investigation, a hash of a suspect file is computed. Which of the following is the primary purpose of hashing in this context?

A. To compress the file
B. To decrypt the file
C. To identify the file owner
D. To verify file integrity
Answer: D

Hashing creates a unique fingerprint to detect changes.

Why this answer

In forensic investigations, hashing (using algorithms like SHA-256 or MD5) produces a unique fixed-size digest of the file's contents. The primary purpose is to verify file integrity by comparing the hash before and after analysis, ensuring the evidence has not been altered. This provides a cryptographic chain of custody, as any change to the file results in a completely different hash value.

Exam trap

ISC2 often tests the misconception that hashing is used for encryption or compression, leading candidates to confuse its integrity-checking role with data transformation or security functions.

How to eliminate wrong answers

Option A is wrong because hashing is not a compression algorithm; compression (e.g., ZIP, gzip) reduces file size for storage or transmission, while hashing produces a fixed-length digest regardless of file size and does not reduce the original data. Option B is wrong because hashing is a one-way function that cannot decrypt data; decryption requires a reversible cipher and a key, whereas hashing is irreversible by design. Option C is wrong because hashing identifies the file's content integrity, not the owner; file ownership is determined by metadata (e.g., NTFS security identifiers or Unix UID/GID) or digital signatures, not by a hash of the file's data.

21
MCQeasy

A company's incident response plan includes a step to preserve evidence. Which action BEST ensures the integrity of forensic evidence?

A.Turn off the system immediately
B.Copy files to a network share
C.Run a checksum on the live system
D.Create a forensic image with write blocker and hash
AnswerD

Forensic imaging with hashing ensures original data is unchanged.

Why this answer

Option D is correct because creating a forensic image with a write blocker ensures that the original data is not altered during acquisition, and hashing (e.g., SHA-256) provides a cryptographic integrity check that can later verify the image is an exact bit-for-bit copy. This preserves the chain of custody and admissibility of evidence in legal proceedings.

Exam trap

The trap here is that candidates confuse 'preserving evidence' with 'preserving system availability' or 'quick data capture,' leading them to choose turning off the system or copying files, which actually destroy or alter forensic integrity.

How to eliminate wrong answers

Option A is wrong because turning off the system immediately can cause loss of volatile data (e.g., RAM contents, network connections) and may trigger anti-forensic mechanisms or corrupt the file system. Option B is wrong because copying files to a network share alters file metadata (e.g., timestamps, access times) and does not capture deleted or hidden data, nor does it provide a verifiable hash of the original media. Option C is wrong because running a checksum on the live system modifies the system state (e.g., reading files changes access times) and the hash is taken from a potentially altered source, so it cannot guarantee the integrity of the original evidence.

22
MCQmedium

A company uses AWS for critical workloads. An analyst notices unauthorized API calls from an IP address outside the company. The logs show that the attacker used stolen access keys belonging to an IAM user with administrative privileges. The incident response team must contain the breach as quickly as possible. The analyst has access to the AWS Management Console and can use the CLI. The team is following the incident response plan. Which action should be taken FIRST to prevent further unauthorized actions?

A.Create a new security group to block the attacker's source IP at the network level.
B.Disable the compromised access keys using the IAM dashboard or CLI.
C.Delete the compromised IAM user immediately.
D.Rotate all IAM user access keys across the entire AWS account.
AnswerB

Correct: This directly stops the attacker's ability to authenticate with those keys.

Why this answer

The immediate priority in an access key compromise is to invalidate the stolen credentials to stop the attacker from making further API calls. Disabling the compromised access keys via the IAM dashboard or CLI (using `aws iam update-access-key --status Inactive`) is the fastest containment action that directly revokes the attacker's authentication token without disrupting other legitimate users or services.

Exam trap

ISC2 often tests the principle of least disruption during containment — candidates may choose to delete the user or block the IP, but the correct first step is to disable the specific compromised credential to stop the attack without breaking other dependencies.

How to eliminate wrong answers

Option A is wrong because creating a security group to block the attacker's source IP at the network level does not prevent the attacker from using the stolen keys from a different IP address, and AWS API calls are not filtered by security groups (which apply only to VPC network traffic, not to the AWS API endpoint). Option C is wrong because deleting the compromised IAM user immediately could cause unintended disruption to any services or automation relying on that user, and it is a more destructive action than simply disabling the keys; the incident response plan typically recommends disabling keys first to preserve the user for forensic analysis. Option D is wrong because rotating all IAM user access keys across the entire account is an overly broad and time-consuming action that could break legitimate operations and is not the first step; the priority is to contain the specific compromised keys, not to rotate every key in the account.

23
MCQhard

Refer to the exhibit. An organization's incident response policy defines these actions. In what sequence should these phases be applied?

A.Isolate, reimage, restore from backup
B.Reimage, isolate, restore
C.Restore, isolate, reimage
D.Isolate, restore, reimage
AnswerA

Containment before eradication before recovery is standard process.

Why this answer

The correct sequence is Isolate, reimage, restore from backup because containment (isolation) must occur first to prevent the incident from spreading, followed by eradication (reimaging) to remove the threat, and finally recovery (restoring from backup) to return the system to a known good state. This aligns with the NIST SP 800-61 incident response lifecycle, where containment, eradication, and recovery are performed in that order.

Exam trap

The trap here is that candidates mistakenly think restoration can occur before eradication, but in practice, restoring from backup without reimaging leaves the system vulnerable if the backup itself is compromised or if the root cause (e.g., a persistent rootkit) remains in the system firmware or boot sector.

How to eliminate wrong answers

Option B is wrong because reimaging before isolation could allow the threat to spread to other systems during the reimage process, violating the containment principle. Option C is wrong because restoring from backup before isolating and reimaging would reintroduce the threat if the backup is compromised, and the system remains vulnerable. Option D is wrong because restoring from backup before reimaging fails to eradicate the root cause; the threat may persist in the restored data or system state.

24
MCQeasy

After an incident, what is the primary purpose of a lessons learned meeting?

A.Update security policies
B.Assign blame
C.Improve future response
D.Document findings for litigation
AnswerC

The main goal is to identify strengths and weaknesses to enhance the IR process.

Why this answer

The primary purpose of a lessons learned meeting after an incident is to identify what worked well and what did not during the response, enabling the team to refine procedures, update playbooks, and improve future incident response effectiveness. This aligns with the continuous improvement cycle in incident management, as outlined in NIST SP 800-61 and ISO 27035, where the focus is on process enhancement rather than punitive measures.

Exam trap

The trap here is that candidates confuse the primary purpose of a lessons learned meeting (process improvement) with secondary outcomes like policy updates or legal documentation, leading them to select A or D instead of C.

How to eliminate wrong answers

Option A is wrong because updating security policies is a possible outcome of a lessons learned meeting, but it is not the primary purpose; the meeting focuses on response process improvement, and policy changes are a secondary action that may follow. Option B is wrong because assigning blame is counterproductive and explicitly discouraged in incident response frameworks; the goal is to foster a blame-free culture to encourage honest reporting and learning. Option D is wrong because documenting findings for litigation is a separate legal activity that may occur after an incident, but it is not the core objective of a lessons learned meeting, which is centered on operational improvement.

25
MCQhard

A company's incident response plan includes a requirement to notify law enforcement within 24 hours of certain security incidents. Which regulation most likely mandates this requirement?

A.SOX
B.PCI DSS
C.GDPR
D.HIPAA
AnswerB

PCI DSS Section 12.10.2 requires notification to law enforcement within 24 hours of a suspected breach.

Why this answer

PCI DSS Requirement 12.10.1 mandates that the incident response plan includes specific procedures to notify law enforcement within 24 hours of detecting a breach involving cardholder data. This is because PCI DSS is a contractual security standard for entities that handle payment card information, and timely law enforcement notification is critical for forensic investigation and legal compliance in payment card fraud cases.

Exam trap

The trap here is that candidates confuse the 24-hour law enforcement notification requirement with GDPR's 72-hour breach notification to the supervisory authority, or assume HIPAA's 60-day rule applies to all healthcare data incidents, when PCI DSS is the only standard with a specific 24-hour law enforcement notification mandate for payment card breaches.

How to eliminate wrong answers

Option A is wrong because SOX (Sarbanes-Oxley Act) focuses on financial reporting accuracy and internal controls for publicly traded companies, not on specific incident notification timelines to law enforcement. Option C is wrong because GDPR requires notification to the supervisory authority within 72 hours of a personal data breach, but it does not mandate law enforcement notification within 24 hours. Option D is wrong because HIPAA requires notification to affected individuals and the Department of Health and Human Services within 60 days for breaches of protected health information, not law enforcement within 24 hours.

26
MCQmedium

A security analyst sees the event log exhibit. What does this indicate?

A.A local user typed wrong password at the console
B.A remote attacker attempted to log on as Administrator
C.An attacker used a nonexistent account
D.The Administrator account is locked out
AnswerB

Logon Type 3 and source IP indicate remote attempt.

Why this answer

The event log shows multiple failed logon attempts for the built-in Administrator account from a remote IP address (e.g., 10.0.0.5) using different passwords, which is a classic brute-force attack pattern. Event ID 4625 (Windows Security Log) with Logon Type 3 (Network logon) and a non-zero workstation name or source network address confirms the attempts originated remotely, not from the console. This indicates a remote attacker is systematically trying to guess the Administrator password.

Exam trap

The trap here is that candidates confuse Logon Type 3 (network) with interactive logon (Type 2) or assume any failed logon for Administrator means a local user, but the presence of a remote IP address and Logon Type 3 specifically indicates a remote brute-force attack.

How to eliminate wrong answers

Option A is wrong because a local user typing the wrong password at the console would generate Event ID 4625 with Logon Type 2 (Interactive) and a local source (e.g., console session), not a remote IP address. Option C is wrong because the event log shows the account name 'Administrator' which exists; a nonexistent account would generate Event ID 4625 with a different status code (e.g., 0xC0000064 for account name not found) and the account name would not match a built-in account. Option D is wrong because a locked-out Administrator account would generate Event ID 4740 (account locked out) or Event ID 4625 with status 0xC0000234 (account locked), not just multiple failed logon attempts with status 0xC000006D (bad password).

27
Multi-Selecteasy

Which TWO components are essential for an effective disaster recovery plan (DRP)?

Select 2 answers
A.Automated failover system
B.Recovery Point Objective (RPO)
C.Business Impact Analysis (BIA)
D.Redundant array of independent disks (RAID)
E.Recovery Time Objective (RTO)
AnswersB, E

RPO defines maximum acceptable data loss.

Why this answer

The Recovery Point Objective (RPO) defines the maximum acceptable data loss measured in time, which directly determines the required backup frequency and data replication strategy. Without an RPO, the DRP cannot specify how much data can be lost, making it impossible to design appropriate backup and recovery mechanisms. This metric is essential because it drives the technical implementation of data protection, such as snapshot intervals or synchronous replication.

Exam trap

ISC2 often tests the distinction between essential DRP components (RPO and RTO) and supporting technologies or prerequisites (BIA, failover systems, RAID), leading candidates to confuse inputs or tools with the plan's core metrics.

28
MCQhard

During an incident response, a forensic analyst captures a memory dump from a compromised server. Which of the following is the MOST important step to ensure the integrity of the evidence?

A.Create a cryptographic hash of the memory dump before analysis
B.Use a write blocker when capturing the memory dump
C.Store the memory dump on the same server for easy access
D.Run antivirus on the memory dump file
AnswerA

Hashing preserves integrity by allowing verification that the evidence has not been modified.

Why this answer

Option A is correct because creating a cryptographic hash immediately after capture provides a fingerprint to prove the evidence hasn't been altered. Option C is unsafe. Option D is unnecessary and could alter the dump. Option B is not applicable to memory captures.

29
MCQmedium

A security analyst detects unusual outbound traffic from a server to a known malicious IP. The server is running a critical business application. What should the analyst do FIRST?

A.Block all traffic from that server
B.Run antivirus on the server
C.Disconnect the server from the network
D.Alert the system administrator
AnswerC

Disconnecting provides quick containment to prevent further data exfiltration.

Why this answer

Option C is correct because immediate containment by disconnecting the server stops potential data exfiltration. Option A is too broad and may affect operations. Option B delays containment. Option D is not a containment action.

30
MCQhard

After a ransomware attack, the recovery team restored systems from backups. However, some files remain encrypted. What is the most probable cause?

A.Backups were also encrypted
B.The backup software was compromised
C.The ransomware had a delayed encryption mechanism
D.Restoration process skipped some file types
AnswerA

If the ransomware encrypted files on the backup repository before restoration, restored files would remain encrypted.

Why this answer

If backups were also encrypted, the recovery team would restore encrypted copies of the files, leaving them in an encrypted state after restoration. This occurs when the ransomware has sufficient privileges to encrypt the backup repository or when backups are stored on a mounted volume that the ransomware can access. The most probable cause is that the backup data itself was compromised, not that the restoration process failed.

Exam trap

ISC2 often tests the misconception that restoration process errors (like skipping file types) are the primary cause, when in reality the integrity of the backup source is the critical factor in ransomware recovery scenarios.

How to eliminate wrong answers

Option B is wrong because a compromised backup software would typically prevent restoration entirely or introduce new malware, not leave specific files encrypted after a successful restore. Option C is wrong because a delayed encryption mechanism would encrypt files after restoration, not leave them encrypted from the backup source. Option D is wrong because skipping file types during restoration would result in missing files, not files that are present but still encrypted.

31
MCQhard

What is the analyst's BEST next step?

A.Isolate the system
B.Block PowerShell execution
C.Decode the command to analyze
D.Run a full antivirus scan
AnswerC

Decoding allows the analyst to determine if the command is malicious.

Why this answer

Option C is correct because decoding the encoded PowerShell command will reveal the payload. Option A is premature without understanding the threat. Option D is less helpful. Option B may break legitimate functionality.

32
MCQeasy

Which backup strategy is MOST suitable for a server with an RTO of 4 hours and an RPO of 15 minutes?

A.Full backup daily, transaction log backup every 15 minutes
B.Full backup daily
C.Full backup monthly, incremental daily
D.Full backup weekly, differential daily
AnswerA

Transaction log backups every 15 minutes meet RPO; full daily allows recovery within RTO.

Why this answer

A full backup daily combined with transaction log backups every 15 minutes meets the RPO of 15 minutes by allowing point-in-time recovery to within that window, and the full backup ensures the RTO of 4 hours is achievable because restoring the full backup plus the transaction logs is a well-understood process that can complete within the time limit. Transaction log backups capture every committed change, enabling granular recovery without requiring a full backup more frequently.

Exam trap

ISC2 often tests the distinction between RPO and RTO by making candidates think that more frequent full backups are needed for a low RPO, when in fact transaction log or differential backups can achieve the same with less overhead, and the trap here is assuming that incremental or differential backups alone can meet a 15-minute RPO without log backups.

How to eliminate wrong answers

Option B is wrong because a daily full backup alone cannot achieve an RPO of 15 minutes; any data loss would be up to 24 hours. Option C is wrong because monthly full backups with incremental daily backups would require restoring the full backup plus all incrementals, which is slow and cannot guarantee an RTO of 4 hours, and the RPO would be up to 24 hours (not 15 minutes). Option D is wrong because a weekly full backup with differential daily backups still results in an RPO of up to 24 hours (since differentials do not provide point-in-time recovery within 15 minutes), and restoring a full backup plus a differential can be time-consuming, risking the 4-hour RTO.

33
MCQhard

During a security incident, the IR team collects memory dumps from an infected workstation. The analysis reveals a process injecting code into 'svchost.exe'. Which technique is most likely being used?

A.Process hollowing
B.Reflective DLL injection
C.Token stealing
D.DLL injection
AnswerD

DLL injection loads a malicious DLL into a target process.

Why this answer

DLL injection is the most likely technique because it involves a process loading a malicious DLL into the address space of a legitimate process like svchost.exe. This is typically achieved using Windows API calls such as CreateRemoteThread and LoadLibrary, allowing the attacker to execute code within the trusted svchost.exe context, evading detection by blending in with legitimate system processes.

Exam trap

The trap here is that candidates often confuse DLL injection with process hollowing, but process hollowing replaces the process's code entirely, whereas the question describes injecting code into an already running svchost.exe, which aligns with DLL injection.

How to eliminate wrong answers

Option A is wrong because process hollowing replaces the legitimate code of a process (e.g., svchost.exe) with malicious code in its own memory space, but the question specifies code injection into an existing svchost.exe, not replacement of its code. Option B is wrong because reflective DLL injection loads a DLL from memory without using the standard Windows loader (LoadLibrary), but the question does not indicate a need to avoid the loader or bypass detection mechanisms like API monitoring; standard DLL injection is more common for this scenario. Option C is wrong because token stealing is a privilege escalation technique that involves duplicating or impersonating a security token (e.g., using DuplicateTokenEx) to gain higher privileges, not a method for injecting code into a process.

34
MCQhard

To determine how malware initially infected a workstation, which artifact would be MOST useful?

A.Windows Event Log showing process creation
B.Prefetch files
C.Windows registry autorun keys
D.Web browser history
AnswerA

Process creation events can reveal the initial executable that ran.

Why this answer

The Windows Event Log showing process creation (Event ID 4688) provides a chronological record of every executable that ran on the system, including the parent process and command-line arguments. This allows an investigator to trace the initial execution of the malware binary, identifying the exact moment and mechanism (e.g., a dropped file, a script launch, or a scheduled task) that triggered the infection. Other artifacts may indicate persistence or lateral movement, but only process creation logs directly capture the first execution event.

Exam trap

The trap here is that candidates often choose web browser history (Option D) because they assume malware always arrives via the internet, but SSCP tests the understanding that process creation logs are the definitive source for identifying the first execution of any binary, regardless of delivery method.

How to eliminate wrong answers

Option B is wrong because Prefetch files (.pf) record application startup times and load patterns to speed up subsequent launches, but they do not capture the initial infection vector (e.g., how the malware was introduced via email, drive-by download, or removable media). Option C is wrong because Windows registry autorun keys (e.g., Run, RunOnce, RunServices) show persistence mechanisms that execute malware after reboot, not the initial infection event that first introduced the malware to the workstation. Option D is wrong because web browser history only shows URLs visited, not the execution of a downloaded file or the triggering of a malicious script; malware can be delivered without any browser interaction (e.g., via network share or USB).

35
Drag & Dropmedium

Drag and drop the steps for performing a risk assessment according to NIST SP 800-30 into the correct order.

Why this order

Risk assessment steps: characterize system, identify threats, identify vulnerabilities, determine risk, then mitigate.

36
MCQmedium

A company's disaster recovery plan includes offsite tape backups. During a test, it is discovered that the tapes are stored at a location that shares the same power grid as the primary site. Which risk does this pose?

A.The tapes may degrade over time
B.The tapes may be inaccessible during a power outage
C.The tapes are not encrypted
D.The recovery time may exceed the RTO
AnswerB

If both sites lose power, the tapes cannot be retrieved for recovery.

Why this answer

Option B is correct because a regional power outage could affect both sites, making the tapes inaccessible. Option D is not specific to this risk. Option A is about media degradation, not power. Option C is about encryption, unrelated.

37
MCQmedium

Based on the exhibit, which security threat is likely being attempted?

A.DNS poisoning
B.Man-in-the-middle attack
C.Brute-force attack
D.SQL injection
AnswerC

Multiple failed password attempts from a single source in a short time frame is characteristic of a brute-force attack.

Why this answer

The exhibit shows a large number of failed login attempts (e.g., 'Login failed' or 'Authentication error') from a single source IP within a short time window, which is the classic signature of a brute-force attack. This attack systematically tries multiple username/password combinations to gain unauthorized access, and the repeated failure messages in the logs confirm the attempt.

Exam trap

ISC2 often tests the distinction between brute-force attacks and other threats by embedding subtle clues like 'multiple failed logins' in logs, which candidates may misinterpret as a man-in-the-middle attack due to the presence of authentication errors, but the key is the volume and repetition of failures.

How to eliminate wrong answers

Option A is wrong because DNS poisoning involves corrupting DNS resolver caches with false IP mappings, which would show DNS query anomalies or spoofed responses, not repeated login failures. Option B is wrong because a man-in-the-middle attack intercepts and potentially alters communications between two parties, typically indicated by ARP spoofing, SSL certificate mismatches, or unusual traffic patterns, not a flood of authentication failures. Option D is wrong because SQL injection exploits input validation flaws to execute arbitrary SQL commands, which would manifest as database error messages or unexpected query results, not repeated login attempts.

38
MCQhard

During a security incident, the IR team discovers that an attacker used a valid user account to access sensitive data. The account had multifactor authentication (MFA) enabled. Which attack technique most likely bypassed the MFA?

A.Session hijacking
B.MFA fatigue attack
C.Man-in-the-middle (MITM) attack
D.Token theft from the endpoint
AnswerB

The attacker spams MFA requests until the user approves.

Why this answer

MFA fatigue attacks exploit user behavior by bombarding the victim with repeated push notifications until they inadvertently approve an authentication request. Since the attacker already has the valid credentials, they trigger the MFA prompt repeatedly, and the user eventually accepts, granting the attacker access without needing to compromise the MFA mechanism itself.

Exam trap

ISC2 often tests the distinction between technical bypasses (e.g., token theft, MITM) and social/behavioral bypasses (e.g., MFA fatigue), leading candidates to overcomplicate the attack when the simplest explanation—user error under pressure—is correct.

How to eliminate wrong answers

Option A is wrong because session hijacking steals an already-authenticated session token (e.g., via XSS or packet sniffing) and does not involve bypassing MFA at the authentication step; the MFA was already satisfied when the session was created. Option C is wrong because a man-in-the-middle attack intercepts credentials or tokens in transit (e.g., using a rogue access point or SSL stripping) but does not directly cause the user to approve an MFA prompt; it typically targets the authentication handshake, not the user's approval behavior. Option D is wrong because token theft from the endpoint requires physical or remote access to steal a stored OATH token or session cookie, which bypasses MFA by stealing the post-authentication artifact, not by tricking the user into approving a live MFA request.

39
MCQeasy

A security analyst receives an alert indicating a large number of failed login attempts from a single IP. The analyst blocks the IP. What should be done next?

A.Report to management
B.Update the firewall rules
C.Conduct a thorough investigation
D.Monitor for recurrence
AnswerC

Investigation is critical to understand if the attack was successful and if other systems are affected.

Why this answer

Option C is correct because blocking an IP address is an immediate containment action, but it does not confirm the root cause or scope of the incident. A thorough investigation is required to determine whether the failed logins were part of a brute-force attack, credential stuffing, or a misconfigured service, and to check for indicators of compromise (IoCs) such as successful logins from the same IP or lateral movement. Without investigation, the analyst risks missing a broader breach or violating incident response procedures like those outlined in NIST SP 800-61.

Exam trap

The trap here is that candidates assume blocking the IP is the final step, confusing containment with resolution, and overlook the mandatory investigation phase required by incident response frameworks like NIST SP 800-61 or SANS PICERL.

How to eliminate wrong answers

Option A is wrong because reporting to management is a step that typically occurs after the incident is fully analyzed and documented, not immediately after a containment action; premature reporting can lead to incomplete or misleading information. Option B is wrong because updating firewall rules is redundant if the IP was already blocked (likely via a firewall or IPS rule), and the priority is to investigate the incident rather than modify rules without understanding the attack vector. Option D is wrong because monitoring for recurrence is a passive step that should follow investigation and remediation; without understanding the cause, monitoring alone cannot prevent the same attack from succeeding via a different IP or method.

40
MCQhard

A medium-sized e-commerce company uses a SIEM with correlation rules. During peak sales hours, the SIEM generates an alert: multiple failed login attempts from internal IP 172.16.10.50 followed by a successful login to a critical database server. The account used is 'dbadmin', which normally only authenticates from the IT department subnet. The user 'dbadmin' reports that they had to try several passwords because they forgot theirs earlier. The incident responder is under pressure to quickly restore normal operations. Which course of action should the responder take?

A.Block the user's account immediately to prevent any further access.
B.Reset the user's password and enable multi-factor authentication (MFA).
C.Dismiss the alert as a false positive since the user explained the failed attempts.
D.Investigate the user's recent activity, check for abnormal logins, and look for lateral movement from the source IP.
AnswerD

Thorough investigation is warranted given the anomalous source IP and the critical nature of the target.

Why this answer

Given the alert details and the user's explanation, the responder should investigate further for signs of lateral movement or compromise. Dismissing the alert (C) ignores potential credential stuffing. Resetting the password and enabling MFA (B) is good but may not detect ongoing malicious activity. Blocking the account (A) could be too disruptive if it's a false positive. Investigating (D) allows confirmation and containment if needed.

41
MCQhard

A security analyst reviews a firewall log showing an internal IP attempting outbound connections to multiple external IPs on port 443. The analyst suspects command and control. Which additional data source would be MOST useful for confirmation?

A.NetFlow data
B.System event logs
C.DNS logs
D.Antivirus logs
AnswerC

DNS logs can show domain resolutions, often used by C2 to obfuscate IPs.

Why this answer

DNS logs are the most useful additional data source because C2 traffic often uses domain generation algorithms (DGAs) or connects to known malicious domains. By correlating the outbound connections on port 443 with DNS queries, the analyst can identify suspicious domain lookups that precede the connections, revealing the C2 infrastructure. Unlike NetFlow or system logs, DNS logs directly show the domain names being resolved, which is a key indicator of C2 activity.

Exam trap

The trap here is that candidates often choose NetFlow data (Option A) because it shows traffic flows, but they overlook that DNS logs directly reveal the domain names being resolved, which is critical for identifying C2 domains that may not appear in NetFlow's IP-only view.

How to eliminate wrong answers

Option A is wrong because NetFlow data provides metadata about traffic flows (source/destination IPs, ports, and volume) but does not include the domain names or DNS queries, making it less effective for identifying C2 domains. Option B is wrong because system event logs record local OS events (e.g., process creation, logins) and do not directly capture network-level DNS queries or outbound connection destinations. Option D is wrong because antivirus logs focus on file-based malware detections and may miss network-only C2 activity, especially if the malware is fileless or uses encrypted channels.

42
Multi-Selecthard

Which THREE steps are essential during the identification phase of incident response?

Select 3 answers
A.Eradicate the threat
B.Notify stakeholders
C.Monitor logs and alerts
D.Determine scope of incident
E.Classify incident severity
AnswersC, D, E

Continuous monitoring is key to detecting anomalies.

Why this answer

Options C, D, and E are correct because identification involves monitoring logs and alerts (C), determining the scope and impact (D), and classifying the severity (E). Option A is part of eradication. Option B is part of communication, which may occur but is not essential to identification.

43
Multi-Selecteasy

A security analyst notices unusual outbound traffic from a server. Which TWO actions should be taken immediately as part of the incident response process?

Select 2 answers
A.Conduct a full vulnerability scan on the system.
B.Isolate the affected system from the network.
C.Reimage the system to remove any malware.
D.Capture memory and network traffic for analysis.
E.Notify law enforcement authorities.
AnswersB, D

Isolation is a critical immediate step to contain the incident.

Why this answer

Isolating the affected system (B) prevents further damage or data exfiltration. Capturing memory and network traffic (D) preserves volatile evidence for analysis. Reimaging (C) is premature before investigation.

Notifying law enforcement (E) is not an immediate step. Vulnerability scanning (A) is part of post-incident analysis, not immediate.

44
MCQmedium

An alert shows a successful login from an unusual geographic location. Which of the following is the BEST initial response?

A.Disable the user account
B.Contact the user to verify the login
C.Block the source IP address
D.Reset the user's password
AnswerA

Immediate containment to stop ongoing unauthorized access.

Why this answer

Option A is correct because disabling the account immediately prevents further unauthorized access while the incident is investigated. Option B is premature without confirmation of compromise. Option C may be done after disabling.

Option D is too slow as the first step.

45
Multi-Selectmedium

Which TWO of the following are key components of an incident response plan (IRP) according to NIST SP 800-61?

Select 2 answers
A.Acquisition of forensic tools
B.Hardware inventory
C.Communication plan
D.Testing the plan
E.Annual budget
AnswersC, D

A communication plan is a required component of an IRP.

Why this answer

NIST SP 800-61 (Computer Security Incident Handling Guide) explicitly identifies the communication plan and testing the plan as key components of an incident response plan. The communication plan ensures all stakeholders (internal teams, legal, PR, external partners) are notified and coordinated during an incident, while testing validates the plan's effectiveness through exercises like tabletop or functional drills.

Exam trap

ISC2 often tests the distinction between components of the plan itself (like communication and testing) versus operational activities or supporting resources (like forensic tools or budgets), leading candidates to select items that are part of incident response but not key components of the plan.

46
MCQeasy

An organization suspects a security incident. Which initial step should the incident response team take?

A.Contain the incident
B.Protect evidence
C.Identify the attacker
D.Notify law enforcement
AnswerB

Preserving volatile evidence is the first priority to support forensic analysis.

Why this answer

The initial step in incident response is to protect evidence (Option B) because preserving forensic data ensures the integrity of logs, memory dumps, and disk images for later analysis. According to NIST SP 800-61, the first priority after detection is to secure volatile data (e.g., RAM, network connections) before it is lost, which is critical for determining the scope and root cause of the incident.

Exam trap

The trap here is that candidates confuse the urgency of containment with the priority of evidence preservation, often selecting 'Contain the incident' because it seems immediately necessary, but the SSCP emphasizes that evidence must be secured first to support legal and forensic processes.

How to eliminate wrong answers

Option A is wrong because containment (e.g., isolating systems via VLAN segmentation or disabling network interfaces) should occur only after evidence has been preserved; premature containment can destroy volatile data like active network connections or running processes. Option C is wrong because identifying the attacker is a later analytical goal, not an initial step—focusing on attribution early can waste time and compromise evidence collection. Option D is wrong because notifying law enforcement is a strategic decision that typically occurs after the incident is confirmed and evidence is secured; premature notification may lead to legal complications or loss of control over the investigation.

47
MCQmedium

After an incident, the team identifies that the incident was caused by a missing security patch. Which of the following is the MOST effective way to prevent recurrence?

A.Conduct phishing simulations
B.Increase network monitoring
C.Implement a patch management policy
D.Update the incident response plan
AnswerC

A policy ensures patches are applied in a timely manner, preventing recurrence.

Why this answer

A missing security patch indicates a failure in the vulnerability management lifecycle. Implementing a patch management policy ensures that patches are systematically identified, tested, and deployed, directly addressing the root cause. This is the most effective preventive measure because it establishes a recurring process to close known vulnerabilities before they can be exploited.

Exam trap

The trap here is that candidates often confuse reactive measures (monitoring, response plans) with proactive prevention, or they mistakenly think user training (phishing simulations) addresses a technical configuration failure.

How to eliminate wrong answers

Option A is wrong because phishing simulations address social engineering attacks, not missing patches; they test user awareness, not system configuration. Option B is wrong because increasing network monitoring improves detection of ongoing attacks but does not prevent exploitation of unpatched vulnerabilities. Option D is wrong because updating the incident response plan improves future response efficiency but does not prevent the initial cause—the missing patch—from recurring.

48
Multi-Selectmedium

Which THREE activities are part of the post-incident phase?

Select 3 answers
A.Lessons learned meeting
B.Conduct root cause analysis
C.Notify affected customers
D.Reimage infected computers
E.Update incident response plan
AnswersA, B, E

Post-incident review includes identifying improvements.

Why this answer

Options A, B, and E are correct. Lessons learned meetings (A), conducting root cause analysis (B), and updating the IR plan (E) are post-incident activities. Reimaging (D) is eradication, and notifying customers (C) is part of response, though post-incident review may include notification timing.

49
MCQmedium

Based on the exhibit, what is the most likely cause of the web application outage?

A.Network connectivity issue between web and DB
B.Application pool memory leak
C.SQL Server service is down
D.Database server disk failure
AnswerC

The 'Connection refused' error on port 1433 indicates the SQL Server is not listening or is down.

Why this answer

The exhibit shows that the web application is returning HTTP 500 errors, which typically indicate a server-side issue. Since the web server can connect to the database server (as shown by the successful ping), but the application fails, the most likely cause is that the SQL Server service is down, preventing the application from executing queries. This aligns with the correct answer C.

Exam trap

The trap here is that candidates assume a successful ping implies full database availability, but ping only tests network layer connectivity, not the application layer service (SQL Server).

How to eliminate wrong answers

Option A is wrong because the exhibit shows a successful ping from the web server to the database server, indicating network connectivity is intact. Option B is wrong because a memory leak in the application pool would cause gradual performance degradation or application crashes, not an immediate HTTP 500 error with successful network connectivity. Option D is wrong because a disk failure would likely cause SQL Server to log errors or fail to start, but the exhibit does not show disk-related symptoms; the immediate cause is the SQL Server service being down, not the underlying storage.

50
MCQeasy

After containing a malware outbreak, the incident response team needs to ensure the malware is completely removed from all systems. Which phase of the incident response process is this?

A.Post-Incident
B.Eradication
C.Detection
D.Recovery
AnswerB

Eradication involves removing malware and closing vulnerabilities.

Why this answer

The eradication phase is specifically focused on removing the root cause of the incident, such as deleting malware files, registry keys, and disabling malicious services from all affected systems. After containment (which stops the spread), eradication ensures the threat is completely eliminated before recovery begins. This aligns with the NIST SP 800-61 incident response lifecycle, where eradication follows containment and precedes recovery.

Exam trap

The trap here is confusing eradication with recovery, as candidates often think 'removing malware' is part of getting systems back online, but recovery only begins after the threat is fully eradicated to avoid restoring infected data.

How to eliminate wrong answers

Option A is wrong because the post-incident phase occurs after recovery and involves lessons learned, documentation, and forensic analysis, not active removal of malware. Option C is wrong because detection is the initial phase where the incident is identified through alerts or anomalies, not the phase for removing the threat. Option D is wrong because recovery focuses on restoring systems to normal operation (e.g., restoring from clean backups, reconnecting to networks) after the malware has already been eradicated.

51
MCQeasy

During an incident, the IR team needs to collect volatile data. Which order should they follow?

A.Hard disk, memory, network connections, running processes
B.Network connections, running processes, memory, hard disk
C.Running processes, memory, network connections, hard disk
D.Memory, running processes, network connections, hard disk
AnswerD

Memory is the most volatile and should be captured first.

Why this answer

Option D is correct because volatile data must be collected in order of decreasing volatility to minimize data loss. Memory (RAM) is the most volatile, followed by running processes, network connections, and finally the hard disk, which is non-volatile. This order ensures that transient evidence (e.g., encryption keys, active network sessions) is captured before it disappears.

Exam trap

ISC2 often tests the order of volatility (OOV) principle, and the trap here is that candidates mistakenly think running processes are more volatile than memory, or they confuse the order by prioritizing network connections over process state.

How to eliminate wrong answers

Option A is wrong because it starts with the hard disk, which is non-volatile, and delays collection of memory and network connections, risking loss of critical transient data. Option B is wrong because it places network connections before running processes and memory, but network connections depend on process state and can change rapidly; memory should be captured first to preserve process artifacts. Option C is wrong because it lists running processes before memory, but memory contains the actual process data (e.g., code, variables) that must be captured before processes are terminated or altered.

52
MCQeasy

A security analyst is reviewing logs and finds multiple failed login attempts from an external IP address followed by a successful login. Which type of attack is most likely occurring?

A.Password spraying
B.Brute force attack
C.Credential stuffing
D.Social engineering
AnswerB

Multiple attempts from a single source indicate brute force.

Why this answer

A brute force attack involves systematically trying all possible password combinations until the correct one is found. The log pattern of multiple failed attempts from a single external IP followed by a success is the classic signature of a brute force attack, as the attacker iterates through a password list or character space against the same username.

Exam trap

The trap here is that candidates confuse 'brute force' with 'credential stuffing' because both involve multiple login attempts, but credential stuffing uses known breached credentials (often from different IPs) and shows a higher initial success rate, whereas brute force targets a single account with many guesses from one IP.

How to eliminate wrong answers

Option A is wrong because password spraying involves trying a small set of common passwords against many usernames, not multiple failed attempts from a single IP against one account. Option C is wrong because credential stuffing uses previously breached username/password pairs from other services, which would typically show a high success rate or rapid failures, not a long sequence of failures from one IP. Option D is wrong because social engineering relies on manipulating users (e.g., phishing or pretexting) to reveal credentials, not on automated login attempts visible in logs.

53
MCQmedium

After a ransomware attack, the recovery team must restore encrypted files from backups. The backups are stored on a separate network segment and were last verified three days ago. What should the team do FIRST?

A.Disconnect the infected systems from the network.
B.Verify the integrity and cleanliness of the backup.
C.Contact law enforcement.
D.Restore all files from the most recent backup.
AnswerB

Ensuring backup is clean prevents re-infection.

Why this answer

Before restoring, ensure the backup system is not compromised. Option B is correct. Option D may restore malware; Option C is premature; Option A is a containment step, not the first step of recovery.

54
MCQmedium

A company uses a SOAR platform for incident response. Which factor is most critical for effective automation?

A.High-quality playbooks
B.Integration with all security tools
C.Low false positive rate
D.Real-time threat intelligence feeds
AnswerA

Playbooks define the automated response actions; without quality playbooks, automation is ineffective.

Why this answer

High-quality playbooks are the most critical factor because SOAR automation relies on predefined, tested, and context-rich workflows to orchestrate response actions. Without accurate playbooks that map to specific incident types, automated actions can misidentify threats, execute incorrect containment steps, or fail to adapt to evolving attack patterns, rendering integrations and feeds ineffective.

Exam trap

ISC2 often tests the misconception that more integrations or real-time data automatically improve automation, but the trap here is that without high-quality playbooks, even perfect integrations and feeds lead to chaotic or harmful automated responses.

How to eliminate wrong answers

Option B is wrong because integration with all security tools is not the most critical factor; while broad integration enables data collection and action execution, it is useless without well-defined playbooks to orchestrate those tools effectively. Option C is wrong because a low false positive rate is a prerequisite for any detection system, but SOAR automation specifically depends on playbook logic to handle alerts correctly, not just on alert quality. Option D is wrong because real-time threat intelligence feeds enrich context but do not drive automation; playbooks must incorporate that intelligence into decision trees and response steps for it to be actionable.

55
Multi-Selecthard

Which TWO of the following are appropriate actions when preserving digital evidence at a crime/incident scene?

Select 2 answers
A.Document all actions taken
B.Take photographs of the scene
C.Connect to the internet to check online resources
D.Use the system to check files
E.Power off the system immediately
AnswersA, B

Documentation ensures chain of custody and reproducibility.

Why this answer

Documenting all actions taken (Option A) is a fundamental principle of digital forensics, as it creates a verifiable chain of custody and ensures the integrity of evidence. This documentation includes timestamps, tools used, and any changes made to the system, which is critical for admissibility in legal proceedings. Without proper documentation, the evidence may be challenged as tampered or unreliable.

Exam trap

ISC2 often tests the misconception that immediately powering off a system is always the safest action, but in digital forensics, this can destroy volatile evidence and trigger data loss or corruption.

56
MCQeasy

A company's backup strategy includes weekly full backups and daily differential backups. A ransomware attack occurred on Wednesday, corrupting data. The last full backup was Sunday. Which backup set should be restored first?

A.Wednesday differential backup
B.Sunday full backup
C.Monday differential backup
D.Tuesday differential backup
AnswerB

Full backup must be restored first as it contains the baseline data.

Why this answer

The correct restoration order is to first restore the Sunday full backup, because differential backups contain all changes since the last full backup. Without the full backup as a base, the differential backups cannot be applied. After restoring the full backup, you would then apply the most recent differential backup (Wednesday) to bring the data to the point just before the attack.

Exam trap

The trap here is that candidates often confuse differential backups with incremental backups, mistakenly thinking they need to restore all differentials in order, or they try to restore the most recent differential without the full backup first.

How to eliminate wrong answers

Option A is wrong because the Wednesday differential backup cannot be restored first; it must be applied after the full backup to provide the incremental changes. Option C is wrong because the Monday differential backup is not the most recent differential backup, and restoring it alone would miss changes made on Tuesday and Wednesday. Option D is wrong because the Tuesday differential backup, while more recent than Monday, still requires the full backup first and is not the final differential needed to reach Wednesday's state.

57
Multi-Selecteasy

Which THREE of the following are standard phases of the incident response lifecycle?

Select 3 answers
A.Preparation
B.Containment, Eradication, and Recovery
C.Auditing
D.Budgeting
E.Detection and Analysis
AnswersA, B, E

Preparation is the first phase, involving planning and training.

Why this answer

Option A is correct because Preparation is the foundational phase of the incident response lifecycle, as defined by NIST SP 800-61 Rev. 2. This phase involves establishing policies, creating incident response plans, forming a CSIRT, and provisioning tools (e.g., SIEM, forensic workstations) before any incident occurs. Without proper preparation, all subsequent phases are significantly less effective.

Exam trap

ISC2 often tests candidates by including plausible-sounding business or audit terms (like Auditing or Budgeting) as distractors, expecting test-takers to confuse supporting activities with formal lifecycle phases defined in NIST or SANS frameworks.

58
MCQmedium

During incident response, a team member uses a tool to capture memory from a compromised Windows system. Which of the following best describes the order of volatility?

A.Network connections, memory, disk
B.Disk, memory, network
C.Memory, network, disk
D.Memory, disk, network connections
AnswerA

Network connections change rapidly, memory is less volatile, disk is most persistent.

Why this answer

Option A is correct because the order of volatility dictates that the most volatile data (network connections) should be captured first, followed by memory, and finally disk. Network connections change constantly and are lost when the system is powered off, while memory (RAM) persists until power loss, and disk is the least volatile as it retains data even after shutdown. This sequence ensures critical evidence is preserved before it disappears.

Exam trap

The trap here is that candidates often confuse volatility with importance, assuming disk (which contains persistent data) is more critical to capture first, when in fact the most volatile data (network connections) must be prioritized to prevent loss.

How to eliminate wrong answers

Option B is wrong because it places disk before memory, but disk is less volatile than memory and should be captured last; capturing disk first risks losing transient network and memory data. Option C is wrong because it places memory before network connections, but network connections are more volatile than memory and must be captured first to avoid losing active session data. Option D is wrong because it places disk before network connections, ignoring that network connections are the most volatile and must be captured before both memory and disk.

59
Multi-Selectmedium

An organization has detected a ransomware infection on a critical file server. The incident response team has been activated. Which TWO actions should be performed FIRST during the initial response phase?

Select 2 answers
A.Determine the type of ransomware variant
B.Immediately disconnect the file server from the network
C.Reimage the file server using a known good backup
D.Identify all affected systems and scope of infection
E.Notify law enforcement authorities
AnswersB, D

Immediate containment prevents further encryption or lateral movement.

Why this answer

Option B is correct because immediately disconnecting the file server from the network is a critical containment action that stops the ransomware from encrypting additional files on the server and prevents lateral movement to other systems. This aligns with the first priority in incident response: containment before eradication or recovery. Disconnecting at the switch port or disabling the network interface card (NIC) is preferred over a graceful shutdown to avoid triggering any persistence mechanisms.

Exam trap

ISC2 often tests the misconception that identifying the ransomware variant (Option A) is the first step, but in the SSCP framework, containment (disconnection) and scoping (identifying affected systems) are the immediate priorities during the initial response phase.

60
MCQhard

A company's IDS generated an alert for a suspicious outbound connection to a known C2 server. The incident team discovers the host has been communicating for 2 weeks. Which containment strategy is most appropriate?

A.Perform memory forensics before disconnecting
B.Block the C2 IP at the perimeter
C.Shut down the host
D.Disconnect the host from the network immediately
AnswerA

Memory capture preserves evidence of running processes and network connections.

Why this answer

Performing memory forensics before disconnecting (A) is the most appropriate containment strategy because the host has been compromised for two weeks, meaning the attacker may have deployed rootkits, injected malicious code into system processes, or established persistence mechanisms that reside only in volatile memory. Disconnecting or shutting down the host immediately would destroy this volatile evidence, hindering the incident response team's ability to identify the full scope of the compromise, including the specific malware variant, C2 communication methods, and any lateral movement artifacts. Memory forensics allows the team to capture running processes, network connections, and loaded kernel modules, which are critical for understanding the attacker's tactics and preventing future incidents.

Exam trap

The trap here is that candidates often choose immediate disconnection (D) or IP blocking (B) as a quick containment action, failing to recognize that preserving volatile evidence is a higher priority in a long-term compromise to ensure a complete forensic analysis and effective remediation.

How to eliminate wrong answers

Option B is wrong because simply blocking the C2 IP at the perimeter is a reactive network-level control that does not address the already compromised host; the attacker may have multiple fallback C2 domains or IPs, and the host could still be used for lateral movement or data exfiltration via other channels. Option C is wrong because shutting down the host destroys volatile memory evidence and may trigger anti-forensic mechanisms that wipe logs or encrypt data, while also potentially alerting the attacker that their presence is known. Option D is wrong because disconnecting the host immediately without first performing memory forensics loses critical volatile data such as active network connections, encryption keys in memory, and running malicious processes, which are essential for a thorough investigation and attribution.

61
Multi-Selecteasy

Which TWO roles are typically part of an incident response team?

Select 2 answers
A.Chief Financial Officer
B.Network Administrator
C.Incident Manager
D.Forensic Analyst
E.Legal Counsel
AnswersC, D

The Incident Manager coordinates the response effort.

Why this answer

The Incident Manager (C) is the central coordinator who manages the incident response process, ensures communication among stakeholders, and makes strategic decisions during an incident. The Forensic Analyst (D) is responsible for collecting, preserving, and analyzing digital evidence in a forensically sound manner, often using tools like FTK Imager or EnCase to maintain chain of custody. Both roles are essential for a structured and legally defensible incident response.

Exam trap

The trap here is that candidates often confuse operational support roles (like Network Administrator) with core incident response team roles, or mistakenly include executive/legal positions as permanent team members rather than as external stakeholders consulted on an as-needed basis.

62
Multi-Selectmedium

Which TWO actions are appropriate during the containment phase of incident response?

Select 2 answers
A.Restoring data from backups
B.Removing malware from the system
C.Isolating the affected system from the network
D.Blocking malicious IP addresses at the firewall
E.Analyzing the root cause of the incident
AnswersC, D

Isolation prevents spread.

Why this answer

During the containment phase of incident response, the primary goal is to stop the incident from spreading and to limit damage. Isolating the affected system from the network (Option C) immediately prevents lateral movement of the threat and further data exfiltration. Blocking malicious IP addresses at the firewall (Option D) is another containment action that cuts off communication with known command-and-control servers or attack sources, effectively containing the network-level impact.

Exam trap

ISC2 often tests the distinction between containment, eradication, and recovery phases, and the trap here is that candidates mistakenly classify malware removal or root cause analysis as containment actions, when they actually belong to later phases.

63
MCQmedium

A small business experienced a ransomware attack that encrypted all files on the file server. They have no backups. The attacker demands a ransom. The CEO asks for advice. Which recommendation should the incident responder give?

A.Contact law enforcement and attempt decryption from public tools
B.Wipe the server and restore from the cloud sync if available
C.Pay the ransom immediately to regain access
D.Reinstall the OS and rebuild data from manual copies
AnswerA

Law enforcement can provide guidance, and free decryption tools may be available for some ransomware strains.

Why this answer

Option A is correct because contacting law enforcement and attempting decryption using public tools is the most responsible action. Paying the ransom (C) is discouraged and does not guarantee recovery. Wiping the server (B) and rebuilding from cloud sync would lose all data if no sync exists.

Reinstalling and rebuilding manually (D) is extremely time-consuming and likely impossible without backups.

64
MCQmedium

Refer to the exhibit. A security incident responder sees this alert in the SIEM. What should the responder do first?

A.Check if the source IP is a legitimate internal scanner.
B.Block the source IP at the firewall.
C.Update the firewall signature database.
D.Reboot the internal host 192.168.1.10.
AnswerA

Verifying the source prevents unnecessary action against authorized scanning.

Why this answer

The correct first step is to verify whether the source IP (10.0.0.5) is a legitimate internal scanner (e.g., an authorized vulnerability scanner). Option B (blocking) might disrupt legitimate scanning. Option D (rebooting the host) is premature.

Option C (updating signatures) does not address the immediate alert.

65
MCQhard

During incident analysis, a forensic examiner finds that the system logs were cleared using a command that writes null bytes. Which artifact is most likely preserved?

A.Event logs from other systems
B.Prefetch files
C.Registry keys
D.Volume shadow copies
AnswerD

Volume Shadow Copies can provide historical snapshots that may contain the original log data.

Why this answer

Volume shadow copies (VSS) are snapshots of the file system at a point in time, stored separately from the active logs. Even if an attacker clears logs by writing null bytes (e.g., using `fsutil` or `wevtutil cl`), VSS may retain a previous version of the logs, making them a critical artifact for forensic recovery.

Exam trap

ISC2 often tests the misconception that cleared logs are permanently lost, but VSS provides a forensic backup that persists independently of active log deletion.

How to eliminate wrong answers

Option A is wrong because event logs from other systems are not directly preserved on the compromised system; they reside on separate hosts and are not affected by local log-clearing commands. Option B is wrong because Prefetch files track application execution, not system event logs, and are not a direct source of cleared log data. Option C is wrong because registry keys store configuration and system state, but they do not contain the actual event log entries that were cleared.

66
MCQhard

Your organization has a mixed environment of Windows and Linux servers. You receive an alert from the EDR that a Linux server is beaconing to a suspicious IP. The server runs a critical application that cannot be taken offline. The security team needs to investigate while maintaining availability. You have access to a jump box with network monitoring tools. Which course of action is most appropriate?

A.Immediately disconnect the server from the network to stop beaconing
B.Block the suspicious IP at the firewall and continue monitoring
C.Use packet capture on the server's network segment to analyze traffic, then use EDR to isolate the process
D.Reimage the server from a known good backup
AnswerC

This allows investigation and containment without taking the server offline.

Why this answer

Option C is correct because it allows the security team to investigate the beaconing activity without disrupting the critical application's availability. Using packet capture on the server's network segment enables analysis of the outbound traffic to the suspicious IP, while EDR can isolate the specific malicious process without taking the entire server offline. This approach balances the need for containment with the requirement to maintain service continuity.

Exam trap

The trap here is that candidates may choose immediate disconnection (Option A) as a reflexive containment action, failing to recognize that the question explicitly requires maintaining availability for a critical application that cannot be taken offline.

How to eliminate wrong answers

Option A is wrong because immediately disconnecting the server from the network would cause a denial of service for the critical application, violating the availability requirement. Option B is wrong because blocking the suspicious IP at the firewall only addresses the network-level symptom; it neither identifies nor contains the malicious process on the server, which can fall back to a secondary C2 address or continue other harmful activity (blocking the IP is a reasonable complement to C, not a substitute). Option D is wrong because reimaging from a known good backup is a drastic, disruptive step that takes the server offline and destroys the forensic evidence needed to understand the intrusion, contradicting the need to investigate while maintaining availability.
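As an added example (not part of the original question or its explanation), the following Python script shows the first half of Option C in practice: take connection records captured on the server's segment from the jump box (a Zeek conn.log or flow export reduced to timestamp, source, destination and port) and look for the regular inter-connection timing that separates C2 beaconing from ordinary application traffic. The flow records, addresses and thresholds are constructed for illustration.

```python
"""Beacon detection over connection records captured on the server's segment.

Added example. The flows below are constructed, not real capture data; a
real run would read a Zeek conn.log or NetFlow export from the jump box.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (epoch seconds, src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = []
# (assumed) beacon: one connection roughly every 60 s to 203.0.113.10:443
_beacon_times = [0, 61, 119, 180, 242, 300, 359, 421, 480, 540]
for _t in _beacon_times:
    SAMPLE_FLOWS.append((1_700_000_000 + _t, "10.0.0.5", "203.0.113.10", 443))
# (assumed) legitimate application traffic to an internal database: bursty
for _t in [3, 4, 9, 37, 38, 120, 121, 122, 300, 505]:
    SAMPLE_FLOWS.append((1_700_000_000 + _t, "10.0.0.5", "10.0.1.20", 5432))
# a lone DNS lookup: too few samples to judge periodicity
SAMPLE_FLOWS.append((1_700_000_000 + 15, "10.0.0.5", "10.0.0.2", 53))


def find_beacons(flows, min_connections=6, max_cv=0.15):
    """Return {(src, dst, dport): (mean_interval_s, cv)} for tuples whose
    inter-connection intervals are regular enough to look like beaconing.

    cv is the coefficient of variation (population stdev / mean) of the
    intervals. A beacon with a few percent of jitter sits well below
    max_cv; interactive or bursty application traffic does not.
    """
    by_tuple = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_tuple[(src, dst, dport)].append(ts)

    flagged = {}
    for key, times in by_tuple.items():
        if len(times) < min_connections:
            continue  # not enough samples to call the timing periodic
        times.sort()
        intervals = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue  # duplicate timestamps; nothing to measure
        cv = pstdev(intervals) / avg
        if cv <= max_cv:
            flagged[key] = (avg, cv)
    return flagged


if __name__ == "__main__":
    for (src, dst, dport), (avg, cv) in find_beacons(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}:{dport}  every ~{avg:.0f}s  cv={cv:.3f}")
```

Once a tuple is flagged, the owning process on the Linux host is found with `ss -tnp dst 203.0.113.10` (the process column shows the PID), and that PID is what the EDR isolates in the second half of Option C. A beacon with heavy jitter raises the cv, so the threshold is tuned per environment rather than fixed.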

67
MCQhard

A security analyst reviews the firewall log exhibit. Which type of activity is indicated?

A.Brute force attack against RDP service
B.Port scan of the internal network
C.Data exfiltration to an external server
D.Normal administrative remote access
AnswerA

Repeated connections to RDP port suggest password guessing.

Why this answer

The firewall log shows many connection attempts from a single external IP to TCP/3389 on a single internal host within a short time window, each a new session (new source port) that is torn down almost immediately. A firewall cannot see RDP authentication results, but this shape (one source, one service, dozens of short sessions in seconds) is characteristic of a brute force attack in which an attacker systematically tries passwords against the RDP service; correlating with the target host's Security log (Event ID 4625, failed logon) confirms it.

Exam trap

The exam often tests the distinction between a brute force attack (many attempts against one service) and a port scan (attempts against many services), so candidates who see a long list of entries reflexively choose 'port scan' even though every entry targets the same port.

How to eliminate wrong answers

Option B is wrong because a port scan would show connection attempts to many different ports (e.g., 22, 80, 443, 3389) on one or more target IPs, not repeated attempts to a single port (3389) on a single IP. Option C is wrong because data exfiltration appears as outbound, allowed sessions with large byte counts to an external server, typically over HTTP/S, FTP, or DNS tunneling, not as a burst of short inbound connections. Option D is wrong because normal administrative remote access is a small number of sessions from expected management addresses that stay established for minutes or hours, not dozens of new connections per minute from an external address; whether a logon actually succeeded is recorded in the host's Security log (Event ID 4624 success, 4625 failure), not in the firewall log.
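As an added example (not the exam's exhibit, which is not reproduced on this page), the following Python script applies the elimination logic above to constructed firewall log lines: it groups entries by source address and labels each source as brute force (many short connections to one authentication service), port scan (many distinct destination ports), exfiltration (large outbound volume), or normal. The line format, addresses and thresholds are assumptions chosen for the illustration.

```python
"""Classify firewall log activity by source: brute force, port scan,
exfiltration or normal. Added example over constructed log lines."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed line format (not the exam exhibit's format):
# "<ISO time> <ALLOW|DENY> <in|out> <proto> <src>:<sport> -> <dst>:<dport> bytes=<n>"
LINE_RE = re.compile(
    r"(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<dir>in|out) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) bytes=(?P<bytes>\d+)"
)
AUTH_PORTS = {21, 22, 23, 3389, 5900}   # services worth password guessing
BRUTE_MIN = 10                          # connections to one service...
BRUTE_WINDOW_S = 120                    # ...within this many seconds
SCAN_MIN_PORTS = 5                      # distinct destination ports from one source
EXFIL_MIN_BYTES = 100 * 1024 * 1024     # outbound volume that merits a look


def _constructed_log():
    """Constructed sample: one of each pattern the exam options describe."""
    lines = []
    # 12 new RDP connections from one external host inside ~22 s (brute force)
    for i in range(12):
        lines.append(f"2024-03-04T10:00:{i * 2:02d}Z ALLOW in tcp "
                     f"198.51.100.7:{51000 + i} -> 10.0.0.50:3389 bytes=1460")
    # one source touching six different ports in six seconds (port scan)
    for i, port in enumerate([22, 80, 443, 445, 3389, 8080]):
        lines.append(f"2024-03-04T10:05:{i:02d}Z DENY in tcp "
                     f"203.0.113.9:{40000 + i} -> 10.0.0.50:{port} bytes=0")
    # 500 MB outbound over HTTPS from an internal host (exfiltration candidate)
    lines.append("2024-03-04T10:10:00Z ALLOW out tcp 10.0.0.50:50000 -> 192.0.2.77:443 bytes=524288000")
    # one long RDP session from the internal management subnet (normal)
    lines.append("2024-03-04T10:20:00Z ALLOW in tcp 10.0.5.4:55000 -> 10.0.0.50:3389 bytes=2048000")
    return lines


SAMPLE_LOG = _constructed_log()


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["dport"] = int(rec["dport"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def classify(lines):
    """Return {src_ip: label}, label in {'brute_force', 'port_scan',
    'exfiltration', 'normal'}. Unparseable lines are skipped."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_src[rec["src"]].append(rec)

    labels = {}
    for src, recs in by_src.items():
        ports = {r["dport"] for r in recs}
        out_bytes = sum(r["bytes"] for r in recs if r["dir"] == "out")
        if len(ports) >= SCAN_MIN_PORTS:
            labels[src] = "port_scan"        # many services, not one
            continue
        if out_bytes >= EXFIL_MIN_BYTES:
            labels[src] = "exfiltration"     # outbound volume, not inbound attempts
            continue
        label = "normal"
        for dst, dport in {(r["dst"], r["dport"]) for r in recs}:
            if dport not in AUTH_PORTS:
                continue
            times = sorted(r["ts"] for r in recs if (r["dst"], r["dport"]) == (dst, dport))
            # sliding window: any BRUTE_MIN consecutive hits inside BRUTE_WINDOW_S
            for i in range(len(times) - BRUTE_MIN + 1):
                if (times[i + BRUTE_MIN - 1] - times[i]).total_seconds() <= BRUTE_WINDOW_S:
                    label = "brute_force"
                    break
            if label == "brute_force":
                break
        labels[src] = label
    return labels


if __name__ == "__main__":
    for src, label in classify(SAMPLE_LOG).items():
        print(f"{src:15} {label}")
```

The firewall can only show that the RDP connections were allowed and how often they arrived; the classifier's brute-force label is a lead, and the authentication outcome is confirmed on the target host (Windows Security log Event ID 4625 for each failed logon) before the incident is declared.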
