SSCP · topic practice

Incident Response and Recovery practice questions

Practise SSCP (Systems Security Certified Practitioner) Incident Response and Recovery questions: original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Incident Response and Recovery

What the exam tests

What to know about Incident Response and Recovery

Incident Response and Recovery questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Incident Response and Recovery exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Incident Response and Recovery questions

20 questions · select your answer, then reveal the explanation

A security analyst detects unusual outbound traffic from a server that normally communicates only with internal systems. The firewall logs show connections to an external IP address on port 443/tcp. Which incident response step should the analyst perform FIRST?

During a security incident, the IR team collects memory dumps from an infected workstation. The analysis reveals a process injecting code into 'svchost.exe'. Which technique is most likely being used?

A company's incident response plan includes a step to preserve evidence. Which action BEST ensures the integrity of forensic evidence?

After a ransomware attack, the recovery team must restore encrypted files from backups. The backups are stored on a separate network segment and were last verified three days ago. What should the team do FIRST?

During a security incident, the IR team discovers that an attacker used a valid user account to access sensitive data. The account had multifactor authentication (MFA) enabled. Which attack technique most likely bypassed the MFA?

A security analyst is reviewing logs and finds multiple failed login attempts from an external IP address followed by a successful login. Which type of attack is most likely occurring?

An organization's incident response plan is tested annually. After a real incident, the team finds that the plan did not address cloud-based assets. What is the BEST action?

Which TWO actions are appropriate during the containment phase of incident response?

Which THREE types of evidence are MOST important to collect from a compromised Linux server during forensic acquisition?

Which TWO components are essential for an effective disaster recovery plan (DRP)?

A security analyst reviews the firewall log exhibit. Which type of activity is indicated?

Exhibit: Firewall log snippet
```
2024-03-15 10:23:45 ALLOW TCP 192.168.1.100:34567 -> 10.0.0.50:3389
2024-03-15 10:23:46 ALLOW TCP 192.168.1.100:34568 -> 10.0.0.50:3389
2024-03-15 10:23:47 ALLOW TCP 192.168.1.100:34569 -> 10.0.0.50:3389
2024-03-15 10:23:48 ALLOW TCP 192.168.1.100:34570 -> 10.0.0.50:3389
2024-03-15 10:23:49 ALLOW TCP 192.168.1.100:34571 -> 10.0.0.50:3389
```

A security analyst sees the event log exhibit. What does this indicate?

Exhibit: Windows Event Log
```
Event ID 4625: An account failed to log on.
Subject: Security ID: S-1-5-18, Account Name: SYSTEM
Logon Type: 3
Account For Which Logon Failed: Security ID: NULL SID, Account Name: Administrator
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Workstation Name: WORKSTATION1
Source Network Address: 10.0.0.200
```

You are the incident response lead for a medium-sized financial services company. The company uses a hybrid infrastructure with on-premises servers (Active Directory, file shares, and a SQL database) and cloud services (Office 365, Azure VMs). At 2:00 PM on a Tuesday, the helpdesk receives multiple calls that users cannot access the file shares. Simultaneously, the SOC alerts on unusual outbound traffic from the domain controller (DC) to an external IP on port 443. The DC is also running a scheduled antivirus scan. The file server (FS) shows no signs of compromise but is responding slowly. The backup system reports that last night's backup of the DC failed due to a 'volume shadow copy error'. The backup of the FS succeeded. You need to take immediate action. What should you do FIRST?

Drag and drop the steps for performing a risk assessment according to NIST SP 800-30 into the correct order.


Match each incident response phase to its activity.


  • Train staff and establish policies
  • Identify potential incidents
  • Isolate affected systems
  • Restore normal operations

An alert shows a successful login from an unusual geographic location. Which of the following is the BEST initial response?

Which backup strategy is MOST suitable for a server with an RTO of 4 hours and an RPO of 15 minutes?

During an incident response, a forensic analyst captures a memory dump from a compromised server. Which of the following is the MOST important step to ensure the integrity of the evidence?

A company detects ransomware on a file server. The ransomware is currently encrypting files. Which containment strategy should be implemented FIRST?

A company is developing an incident response plan. Which of the following stakeholders should be included in the initial planning phase?


Frequently asked questions

What does the SSCP exam test about Incident Response and Recovery?
Incident Response and Recovery questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Incident Response and Recovery questions in a focused session?
Yes — the session launcher on this page draws every question from the Incident Response and Recovery domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other SSCP topics?
Use the topic links above to move to related areas, or go back to the SSCP question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the SSCP exam covers. They are not copied from any real exam or dump site.