Incident Response MCQ 60 Tests With Answers (2026)

Incident Response MCQ practice questions are essential for preparing for competitive exams, certifications, and technical interviews. This comprehensive MCQ platform provides 60 carefully curated practice questions covering critical aspects of security orchestration, digital forensics, and threat containment.
These questions are organized into three progressive difficulty levels of 20 questions each: Basics (covering incident response definitions, SANS PICERL vs. NIST lifecycle, triage, containment goals, and false positive metrics), Concepts (covering Order of Volatility (RFC 3227), logical isolation, sinkholing, threat intel, SOAR automation, and tabletop testing), and Advanced (covering MITRE ATT&CK enterprise tactics, Volatility memory analysis, Windows shimcache/prefetch forensics, and golden SAML/AD FS token compromises). Each question includes a verified, in-depth explanation to reinforce learning.
Practice in Study Mode to reveal answers and detailed explanations instantly, or use Exam Mode for timed testing and real-time scoring to simulate certification conditions under professional standards.
Contents
- 1. Basics (20 Questions): NIST lifecycle · roles & responsibilities · definitions
- 2. Concepts (20 Questions): Triage · playbooks · evidence collection · threat hunting
- 3. Advanced (20 Questions): Active Directory compromise · ransomware containment · forensic analysis
- 4. Conclusion: summary · next steps · study tips
- 5. Key Takeaways: quick-fire bullet recap of essential facts
- 6. Quick Review Summary: concept · definition · key fact table
- 7. FAQ: common questions answered
Incident Response: Basics
1. What is the primary objective of an Incident Response (IR) plan?
Answer: A. To provide a systematic approach to managing and resolving security breaches effectively
An IR plan exists to provide a structured, repeatable methodology for detecting, containing, eradicating, and recovering from security incidents, minimizing damage, reducing recovery time, and preserving evidence for potential legal action.
2. According to the NIST computer security incident handling guide (SP 800-61), which is the first phase of the incident response lifecycle?
Answer: C. Preparation
NIST SP 800-61 Rev. 2 defines a four-phase lifecycle: (1) Preparation, (2) Detection and Analysis, (3) Containment, Eradication, and Recovery, and (4) Post-Incident Activity. Preparation comes first because no response can be effective without pre-established policies, tools, trained staff, and communication channels. Rev. 3 (2025) re-expresses the same activities in terms of the CSF 2.0 functions, with the preparatory work falling under Govern, Identify, and Protect; it still comes before detection and response.
3. What is a "Computer Security Incident Response Team" (CSIRT)?
Answer: D. A designated group of professionals responsible for responding to and managing security incidents
A CSIRT (sometimes called a CERT or CIRT) is a cross-functional team, typically including security analysts, engineers, legal, and management, tasked with coordinating all activities required to detect, analyze, contain, eradicate, and recover from security incidents.
4. During an active ransomware attack, what is the primary goal of the "Containment" phase?
Answer: B. To isolate the infected systems and prevent the threat from spreading further across the network
Containment aims to limit the blast radius by isolating infected hosts, via VLAN segmentation, firewall rules, or EDR-initiated network isolation, before ransomware can encrypt additional shares, domain controllers, or backup repositories. Where the tooling allows, isolate at the network layer rather than powering hosts off: a hard shutdown discards volatile memory that may hold the running sample and its configuration.
5. What does an "Event" refer to in the context of cybersecurity?
Answer: B. Any observable occurrence in a system or network, whether benign or malicious
An event is any observable, measurable network or system occurrence: a user login, a file write, a DNS query, a firewall allow/deny. The vast majority of events are benign. Events become significant when correlated into indicators and ultimately classified as incidents.
6. How does an "Event" differ from an "Incident"?
Answer: A. An event is any occurrence, while an incident is an event that negatively impacts the confidentiality, integrity, or availability of systems
NIST SP 800-61 defines a computer security incident as "a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices." An event is the raw observable data; an incident is one or more events, usually correlated, that are judged to cause, or imminently threaten, a negative impact on confidentiality, integrity, or availability (the CIA triad).
7. What is the main purpose of the "Post-Incident Activity" (Lessons Learned) phase?
Answer: C. To analyze how the incident happened and improve future response processes and defenses
The Lessons Learned meeting, which NIST SP 800-61 recommends holding within several days of closing the incident, critically reviews the timeline, root cause, detection gaps, and response effectiveness. Its output directly improves playbooks, detection rules, patch policies, and staff training.
8. Which of the following is considered an "Indicator of Compromise" (IoC)?
Answer: D. Unusual outbound network traffic connecting to a known malicious IP address
An IoC is a forensic artifact, such as a malicious IP address, domain, file hash, registry key, or URL, that indicates with high confidence that a system has been compromised. Unusual outbound traffic to a known threat-intel-flagged C2 IP is a classic network-based IoC. Before an indicator drives a containment action, confirm its age and context: shared hosting, CDN ranges, and stale feed entries are common sources of false positives.
9. What is the role of a "Playbook" (or Runbook) in Incident Response?
Answer: A. A set of standardized, step-by-step instructions designed to guide responders through a specific type of incident (e.g., malware outbreak)
IR playbooks remove ambiguity during high-stress incidents. They pre-define decision trees, escalation paths, containment steps, evidence collection procedures, and communication templates for specific incident types, ensuring consistent, repeatable, and audit-ready responses.
10. What does the term "Triage" mean in the context of Incident Response?
Answer: C. The initial assessment, categorization, and prioritization of security alerts to determine their severity and required response
Triage (borrowed from emergency medicine) is the rapid first step upon receiving an alert: determining whether it is a true positive or a false positive, categorizing its type (malware, insider, DoS), assigning a severity level, and routing it to the appropriate responder or escalation path.
11. Why is establishing an out-of-band (OOB) communication channel critical during a severe incident?
Answer: B. It prevents the attacker from monitoring or intercepting the IR team's communications on the compromised internal network
If an attacker has compromised internal email servers, Slack, or network infrastructure, using those same channels reveals investigative steps to the adversary. OOB channels, such as a pre-provisioned conference bridge, an end-to-end encrypted messaging group on devices that are not joined to the corporate domain, or dedicated phones, let the IR team coordinate without tipping off the adversary. Personal email accounts are a poor substitute: incident records end up outside the organization's control and may be hard to produce later for legal or regulatory purposes.
12. Which action is typically performed during the "Eradication" phase?
Answer: D. Removing malicious artifacts, such as malware, rootkits, and unauthorized user accounts, from the compromised environment
Eradication follows containment and involves thoroughly removing all traces of the threat: deleting malware, revoking backdoor accounts, purging persistence mechanisms (scheduled tasks, registry run keys, services, WMI subscriptions), and applying the patches that close the initial access vector. Where complete cleanup of a host cannot be verified, re-imaging from a known-good build is safer than cleaning in place.
13. What is a "False Positive" in intrusion detection?
Answer: C. An alert generated by a benign, normal activity that is incorrectly flagged as malicious
A false positive (Type I error) occurs when a detection rule or sensor triggers an alert on legitimate, harmless activity, e.g., a port scan by a vulnerability management tool flagged as an external attack. High false positive rates cause alert fatigue, leading analysts to miss real incidents.
14. What is the "Chain of Custody"?
Answer: A. A chronological paper trail documenting the seizure, custody, control, and transfer of physical or digital evidence
Chain of custody is a legal concept requiring every person who handles evidence to be documented, along with timestamps of acquisition, handling, transfer, and storage; the record may be kept on paper or in an evidence-management system. Any break in the chain can render digital evidence inadmissible in court proceedings.
15. In incident response, what is the primary function of a SIEM (Security Information and Event Management) system?
Answer: D. To aggregate, correlate, and analyze log data from multiple sources across the network to identify potential threats
A SIEM ingests logs from firewalls, endpoints, servers, cloud platforms, and identity directories, then applies correlation rules and behavioral analytics to surface potential security incidents. It is the primary detection and investigation console for most SOC teams.
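The event-to-incident step from question 5, the indicator match from question 8 and the correlation a SIEM performs in question 15 can be shown together in a small added Python example. It is not part of this page's material. The firewall and authentication log lines, the indicator list (drawn from the RFC 5737 documentation ranges) and the brute-force threshold are all constructed for illustration.

```python
"""Toy SIEM correlation: match allowed outbound flows against an IoC list and
correlate a burst of failed logons with a later success from the same source.
All log lines and indicators below are constructed for this example."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed threat-intel list; documentation ranges stand in for real C2 addresses.
IOC_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.77/32")]

FIREWALL_LOG = """\
2026-01-10T09:12:01Z fw allow src=10.0.5.23 dst=93.184.216.34 dport=443
2026-01-10T09:12:07Z fw allow src=10.0.5.23 dst=203.0.113.9 dport=8443
2026-01-10T09:13:44Z fw allow src=10.0.7.8 dst=198.51.100.77 dport=443
2026-01-10T09:14:02Z fw deny src=10.0.7.8 dst=8.8.8.8 dport=53
"""

AUTH_LOG = """\
2026-01-10T09:00:01Z auth FAIL user=jsmith src=10.0.5.23
2026-01-10T09:00:03Z auth FAIL user=jsmith src=10.0.5.23
2026-01-10T09:00:05Z auth FAIL user=jsmith src=10.0.5.23
2026-01-10T09:00:06Z auth FAIL user=jsmith src=10.0.5.23
2026-01-10T09:00:09Z auth FAIL user=jsmith src=10.0.5.23
2026-01-10T09:00:12Z auth OK   user=jsmith src=10.0.5.23
2026-01-10T09:05:00Z auth FAIL user=bob src=10.0.9.1
2026-01-10T09:30:00Z auth OK   user=bob src=10.0.9.1
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<source>\w+)\s+(?P<action>\w+)\s+(?P<rest>.*)$")


def parse_line(line):
    """Turn one 'timestamp source action k=v ...' line into a dict; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
           "source": m["source"], "action": m["action"]}
    for key, value in re.findall(r"(\w+)=(\S+)", m["rest"]):
        rec[key] = value
    return rec


def is_ioc(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IOC_NETWORKS)


def match_iocs(log_text):
    """Every event is a candidate; only allowed flows to listed addresses become indicators."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["source"] == "fw" and rec["action"] == "allow" and is_ioc(rec["dst"]):
            hits.append((rec["src"], rec["dst"]))
    return hits


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag (src, user) pairs with >= threshold failures inside `window` before a success."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["source"] == "auth":
            events[(rec["src"], rec["user"])].append((rec["ts"], rec["action"]))
    alerts = []
    for key, evs in events.items():
        evs.sort()
        fails = [ts for ts, action in evs if action == "FAIL"]
        for ts, action in evs:
            if action == "OK" and len([f for f in fails if ts - window <= f <= ts]) >= threshold:
                alerts.append(key)
                break
    return alerts


def correlate(fw_text, auth_text):
    """Join the two detections by source host; overlap raises severity (the 'incident' call)."""
    ioc_hosts = {src for src, _ in match_iocs(fw_text)}
    brute_hosts = {src for src, _ in detect_bruteforce(auth_text)}
    return [(host, "high" if host in ioc_hosts and host in brute_hosts else "medium")
            for host in sorted(ioc_hosts | brute_hosts)]


if __name__ == "__main__":
    for host, severity in correlate(FIREWALL_LOG, AUTH_LOG):
        print(f"{host}: {severity}")
```

The split between `match_iocs` (artifact-based, retrospective) and `detect_bruteforce` (behavior-based) mirrors the IoC/IoA distinction drawn later in the Concepts section; a production rule would also suppress the vulnerability-scanner sources that question 13 uses as its false-positive example.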
16. What is the concept of "Dwell Time"?
Answer: B. The duration a threat actor maintains undetected access within a compromised network before being discovered
Dwell time (also called time-to-detect) is a critical IR metric measured from initial compromise to detection. It is distinct from "breakout time", which measures how quickly an intruder moves laterally from the first compromised host. Industry reports have tracked median dwell times falling from months a decade ago to days or weeks in recent years; the longer the dwell time, the more opportunity the attacker has for lateral movement, privilege escalation, and data exfiltration.
17. Who should ideally be included in an Incident Response Team besides technical IT and security staff?
Answer: B. Legal counsel, human resources, and public relations representatives to handle compliance, internal policies, and external communications
Effective IR is cross-functional: legal counsel advises on regulatory notification timelines (the GDPR 72-hour rule to the supervisory authority, the HIPAA 60-day outer limit for notifying affected individuals) and litigation risks; HR handles insider threat scenarios and employee discipline; PR/Communications manages customer notifications and media inquiries to protect brand reputation.
18. What does "Recovery" entail in the IR lifecycle?
Answer: D. Restoring systems to normal operations, applying patches, and closely monitoring them for any signs of reinfection
Recovery is the controlled return to normal business operations. It involves restoring from known-good backups, re-imaging endpoints, resetting credentials, deploying missing patches, and implementing enhanced monitoring for recurrence, all while verifying that no persistence mechanisms remain.
19. Which of the following is an example of an "Insider Threat" incident?
Answer: A. A disgruntled employee deliberately exfiltrating the company's proprietary customer database to a personal cloud drive
Insider threats involve individuals with authorized access (employees, contractors, business partners) who misuse that access, either maliciously (data theft, sabotage) or negligently (misconfiguration, accidental disclosure). Insider threats are particularly dangerous because they bypass most perimeter defenses.
20. Why is "Preparation" considered the most crucial phase of Incident Response?
Answer: C. It ensures the organization has the necessary policies, tools, trained personnel, and communication plans in place before an incident occurs
Preparation is the force multiplier of every subsequent phase. Without pre-defined roles, tested playbooks, deployed tooling (SIEM, EDR), documented asset inventories, and practiced communication trees, even skilled analysts will be slow, disorganized, and ineffective during the high-pressure window of an active incident.
Incident Response: Concepts
1. According to the SANS Incident Response framework, how does the lifecycle differ structurally from NIST SP 800-61?
Answer: C. SANS separates Containment, Eradication, and Recovery into three distinct, sequential phases
The SANS PICERL model has six phases: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned. NIST SP 800-61 compresses Containment, Eradication, and Recovery into a single combined phase. SANS treats them as three separate steps, reflecting a more granular operational view.
2. What is the primary difference between a Disaster Recovery Plan (DRP) and an Incident Response Plan (IRP)?
Answer: A. The IRP focuses on identifying and mitigating malicious cyber events; the DRP focuses on restoring IT infrastructure and business operations after a catastrophic event
An IRP is a security-focused document governing the response to active cyber threats. A DRP is a business continuity document focused on recovering IT systems after any catastrophic disruption (natural disaster, hardware failure, ransomware). They complement each other: an IRP may trigger a DRP.
3. When collecting volatile evidence during triage, which of the following should be captured FIRST according to the Order of Volatility?
Answer: D. CPU registers, cache, and the contents of random-access memory (RAM)
RFC 3227 ("Guidelines for Evidence Collection and Archiving") lists the Order of Volatility from most to least volatile: registers and cache; routing table, ARP cache, process table, kernel statistics, and memory; temporary file systems (including swap); disk; remote logging and monitoring data; physical configuration and network topology; archival media. RAM is lost the moment power is removed, making it the highest-priority acquisition target after the register and cache contents that only a live debugger could realistically capture.
4. What is the "Root Cause Analysis" (RCA) step?
Answer: B. The systematic investigation to identify the fundamental, underlying vulnerability or failure that allowed the incident to occur
RCA looks beyond the immediate "how" (e.g., "a phishing email delivered a macro") to the deeper "why", such as lack of MFA, unpatched software, missing email filtering, or inadequate security awareness training. Addressing only symptoms without the root cause virtually guarantees recurrence.
5. Which containment strategy is generally preferred when analyzing an advanced persistent threat (APT) that relies on active C2 beacons, assuming business operations permit it?
Answer: D. Isolating the system logically on a quarantined VLAN to monitor the attacker's behavior and identify additional compromised hosts
An immediate hard shutdown destroys volatile RAM evidence and alerts the attacker that they have been detected. Logical isolation (a quarantine VLAN) allows the IR team to passively monitor C2 beacons to map lateral movement, identify the full scope of compromise, and collect intelligence on TTPs before executing full eradication. This is a deliberate risk decision: it needs management and legal sign-off, the quarantine segment must block internal pivoting while still letting the beacon traffic be observed, and the team must be ready to cut over to hard isolation the moment the actor starts destructive or exfiltration activity.
6. What is an "Indicator of Attack" (IoA) as opposed to an Indicator of Compromise (IoC)?
Answer: C. An IoA focuses on the proactive intent, tactics, and ongoing activities of an attacker, whereas an IoC is reactive evidence that a breach has already happened
IoCs are artifact-based (file hashes, IPs, registry keys) and retrospective: they prove that compromise happened. IoAs are behavior-based (e.g., a non-admin process injecting into lsass.exe, unusual LDAP enumeration) and prospective: they detect attacker intent and actions in real time, enabling earlier intervention.
7. What role does "Threat Intelligence" play during an active incident response?
Answer: A. It provides context regarding the attacker's known tactics, techniques, and procedures (TTPs), helping the IR team anticipate the adversary's next moves
During an incident, threat intel (from ISACs, MISP, threat intel platforms, or public reports) accelerates attribution and scoping. Knowing that a particular ransomware group consistently pivots via RDP after initial phishing access, for example, lets the IR team proactively lock down RDP before the attacker moves.
8. In the context of a data breach, what is a "Legal Hold"?
Answer: B. A formal directive to preserve all relevant data, preventing its deletion or modification, due to anticipated or ongoing litigation
A legal hold (also litigation hold or preservation notice) is issued by counsel and requires all relevant individuals and systems to suspend normal data destruction schedules. Failure to comply can result in spoliation sanctions: courts may instruct juries to draw adverse inferences against the party that destroyed evidence.
9. When a responder uses "sinkholing" during the containment phase, what are they doing?
Answer: B. Redirecting malicious network traffic (e.g., botnet C2 communications) away from its intended destination to a controlled, monitored IP address
Sinkholing is a passive containment technique. By registering or seizing the C2 domain, or by overriding its resolution on the organization's own recursive resolvers, the IR team points infected hosts at an analyst-controlled server. That severs the attacker's command link and, because every bot still checks in, produces an inventory of infected hosts. The sinkhole only records and absorbs the check-ins; sending commands back to bots is generally avoided because it is legally fraught and can disrupt third-party systems.
10. What is the primary risk of deploying "Automated Containment" (e.g., SOAR isolating a host) without human oversight?
Answer: A. The automation might trigger a false positive and inadvertently isolate a mission-critical business server, causing a self-inflicted denial of service
SOAR playbooks that auto-isolate hosts on certain alert thresholds carry false positive risk. Isolating a domain controller, production database server, or medical device based on a misclassified alert can be more damaging than the original threat, which is why human-in-the-loop approval gates are critical for high-impact automated actions.
11. How does "Lateral Movement" affect the scope of an incident response investigation?
Answer: D. It requires the IR team to dramatically expand the scope of the investigation beyond "patient zero" to identify all other internally compromised systems
Lateral movement (using tools like PsExec, WMI, Pass-the-Hash/Ticket, or RDP) means the attacker has propagated internally from the initial beachhead. The IR team must enumerate all pivot points to avoid declaring victory prematurely and leaving attacker footholds that enable rapid re-compromise after remediation.
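The scope expansion described in question 11 can be mechanized: treat remote logon events as edges of a host graph and walk forward in time from patient zero. The Python below is an added example, not part of this page; the Windows 4624-style events, host names, and compromise time are constructed. Logon types 3 (network) and 10 (RemoteInteractive) are used as the remote-logon filter, and an edge only counts if it occurs after the source host is itself considered compromised.

```python
"""Scope expansion after lateral movement: build a host-to-host logon graph from
remote logon events and walk it forward in time from patient zero.
Events, hosts, and times below are constructed for this example."""
from collections import defaultdict, deque
from datetime import datetime

LOGON_EVENTS = """\
2026-01-10T07:30:00Z 4624 LogonType=3  Account=CORP\\jsmith     Source=WS-042 Target=PRN-01
2026-01-10T08:55:00Z 4624 LogonType=3  Account=CORP\\svc_backup Source=WS-042 Target=FS-01
2026-01-10T09:20:00Z 4624 LogonType=10 Account=CORP\\jsmith     Source=WS-042 Target=FS-01
2026-01-10T09:25:00Z 4624 LogonType=3  Account=CORP\\jsmith     Source=FS-01  Target=SQL-02
2026-01-10T09:40:00Z 4624 LogonType=3  Account=CORP\\admin-da   Source=SQL-02 Target=DC-01
2026-01-10T09:41:00Z 4624 LogonType=2  Account=CORP\\alice      Source=WS-077 Target=WS-077
2026-01-10T10:00:00Z 4624 LogonType=3  Account=CORP\\alice      Source=WS-077 Target=FS-01
"""

REMOTE_LOGON_TYPES = {"3", "10"}  # network and RDP logons; type 2 is a local console logon
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_events(text):
    """Parse 'timestamp 4624 k=v ...' lines into dicts with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[1] != "4624":
            continue
        rec = {"ts": datetime.strptime(parts[0], TS_FMT)}
        for kv in parts[2:]:
            key, _, value = kv.partition("=")
            rec[key] = value
        events.append(rec)
    return events


def scope_from_patient_zero(text, patient_zero, compromise_time):
    """Return (hosts -> earliest suspected-compromise time, accounts seen on attacker edges).

    A logon from host A to host B is attributed to the attacker only if it happens
    at or after A's own suspected-compromise time; earlier logons are assumed legitimate."""
    edges = defaultdict(list)
    for e in parse_events(text):
        if e["LogonType"] in REMOTE_LOGON_TYPES and e["Source"] != e["Target"]:
            edges[e["Source"]].append(e)

    reached = {patient_zero: datetime.strptime(compromise_time, TS_FMT)}
    accounts = set()
    queue = deque([patient_zero])
    while queue:
        host = queue.popleft()
        for e in sorted(edges[host], key=lambda ev: ev["ts"]):
            if e["ts"] < reached[host]:
                continue  # predates compromise of the source; not attacker-driven
            accounts.add(e["Account"])
            dst = e["Target"]
            if dst not in reached or e["ts"] < reached[dst]:
                reached[dst] = e["ts"]  # earlier path found; re-walk from here
                queue.append(dst)
    return reached, accounts


if __name__ == "__main__":
    hosts, accts = scope_from_patient_zero(LOGON_EVENTS, "WS-042", "2026-01-10T09:00:00Z")
    for host, first_seen in sorted(hosts.items(), key=lambda kv: kv[1]):
        print(f"{host:8} in scope from {first_seen.isoformat()}")
    print("accounts to reset:", ", ".join(sorted(accts)))
```

In the constructed data the walk pulls FS-01, SQL-02 and DC-01 into scope and leaves PRN-01 (logon before the compromise time) and WS-077 (it connected to a compromised host, but nothing compromised connected to it) outside. The time filter is a heuristic, not proof of innocence: every account the walk collects should in turn be searched for on hosts the graph never reached, since a reused credential is itself a pivot.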
12. What is a "YARA rule" commonly used for during the detection and analysis phase?
Answer: C. To create pattern-matching descriptions that help analysts identify, classify, and hunt for specific malware families or forensic artifacts across the environment
YARA rules use a combination of text strings, byte sequences, and Boolean conditions to describe malware characteristics. During an incident, they enable rapid hunting across the entire endpoint fleet, email archives, and network traffic captures to identify every host containing the malware or its components.
13Which phase of the Cyber Kill Chain typically precedes "Command and Control" (C2)?
CorrectA: Exploitation and Installation
Lockheed Martin's Cyber Kill Chain: Reconnaissance β Weaponization β Delivery β Exploitation β Installation β C2 β Actions on Objectives. Exploitation (the vulnerability trigger) and Installation (establishing persistence via a RAT or backdoor) both precede the establishment of a C2 channel.
14. If a responder discovers an active, unencrypted reverse shell on a Linux server, what is the best immediate action to preserve volatile network evidence before containment?
Correct answer (C): Execute netstat or ss to capture active TCP/UDP connections and their associated Process IDs (PIDs)
Running `netstat -antp` or `ss -tnp` captures the active connection (remote IP, port, PID), which will be lost on reboot or network disconnection. This volatile data enables pivoting to the process (`/proc/[PID]/`) for executable path, open file descriptors, and command-line arguments before any containment action destroys them.
15. What is the purpose of hashing a forensic disk image immediately after acquisition?
Correct answer (B): To mathematically prove that the forensic image is an exact, unaltered bit-for-bit copy of the original evidence, ensuring its admissibility in court
Computing and recording MD5 and SHA-256 hashes of both the original drive and its forensic image at acquisition time establishes integrity. Any subsequent modification, whether intentional tampering or accidental corruption, will produce a hash mismatch, invalidating the evidence and potentially resulting in its exclusion from legal proceedings.
16. During eradication, what is a critical prerequisite before bringing a sanitized system back into the production environment?
Correct answer (D): All known vulnerabilities exploited by the attacker must be fully patched, and passwords must be reset
Returning a sanitized system without patching the initial access vulnerability and rotating all credentials used on the host invites immediate re-compromise, called a "re-infection" event. The attacker's initial foothold must be architecturally eliminated before restoration.
17. What is "Beaconing" in the context of an incident?
Correct answer (C): Regular, periodic outbound network requests generated by malware attempting to check in with a Command and Control (C2) server for new instructions
Beaconing is the heartbeat of C2 malware: periodic HTTP/S, DNS, or ICMP outbound callbacks at regular intervals (e.g., every 30 to 300 seconds with optional jitter). Detecting anomalous beaconing patterns in NetFlow or proxy logs, particularly to rare or newly registered domains, is a key hunting technique.
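To make the hunting technique concrete, here is an added example (not from the quiz or any product) that scores the regularity of outbound request intervals per source/destination pair over constructed proxy log lines. The simplified log format, the IP addresses and the domain names are all constructed for the example.

```python
"""Beacon hunting over proxy logs (added example, not from the quiz page).

Assumed log format (constructed): "<epoch_seconds> <src_ip> <dst_host> <bytes>".
The idea: malware check-ins arrive at near-constant intervals, so the coefficient
of variation (stdev / mean) of the gaps between requests is close to zero, even
with modest jitter. Human browsing produces irregular gaps and a high CV.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 calls back to a rare domain roughly every 60 s
# with a few seconds of jitter; 10.0.0.7 browses a popular site irregularly.
SAMPLE_LOG = """\
1700000000 10.0.0.5 update-cdn-7x3.example 512
1700000061 10.0.0.5 update-cdn-7x3.example 510
1700000119 10.0.0.5 update-cdn-7x3.example 515
1700000181 10.0.0.5 update-cdn-7x3.example 509
1700000240 10.0.0.5 update-cdn-7x3.example 514
1700000299 10.0.0.5 update-cdn-7x3.example 511
1700000004 10.0.0.7 news.example 20480
1700000030 10.0.0.7 news.example 33333
1700000031 10.0.0.7 news.example 1024
1700000200 10.0.0.7 news.example 90000
1700000950 10.0.0.7 news.example 4096
1700001800 10.0.0.7 news.example 7000
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, bytes) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            events.append((int(parts[0]), parts[1], parts[2], int(parts[3])))
        except ValueError:
            continue
    return events


def beacon_scores(events, min_events=5):
    """Per (src, dst) pair with at least min_events requests, compute interval statistics.

    Returns {(src, dst): {"count": n, "mean_interval": seconds, "cv": stdev/mean}}.
    Pairs with too few events are skipped: regularity is meaningless on two points.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _size in events:
        by_pair[(src, dst)].append(ts)

    scores = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        intervals = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(intervals)
        if avg == 0:  # burst of identical timestamps, not a beacon pattern
            continue
        scores[pair] = {
            "count": len(stamps),
            "mean_interval": avg,
            "cv": pstdev(intervals) / avg,
        }
    return scores


def find_beacons(events, max_cv=0.2, min_events=5):
    """Return sorted (src, dst) pairs whose interval CV is at or below max_cv.

    max_cv=0.2 tolerates the jitter many implants add; tune it against your own
    baseline, and treat hits as leads to enrich (domain age, rarity), not verdicts.
    """
    scores = beacon_scores(events, min_events)
    return sorted(pair for pair, s in scores.items() if s["cv"] <= max_cv)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for pair, s in sorted(beacon_scores(evts).items()):
        print(pair, f"n={s['count']} mean={s['mean_interval']:.1f}s cv={s['cv']:.3f}")
    print("beacon-like:", find_beacons(evts))
```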
18. What is the function of a "Tabletop Exercise"?
Correct answer (B): A discussion-based session where the IR team and stakeholders walk through a simulated incident scenario to test their plan and coordination
Tabletop exercises are low-cost, high-value preparedness activities. Participants walk through hypothetical scenarios (ransomware, insider threat, supply chain compromise) as a group, identifying process gaps, decision-making bottlenecks, communication failures, and resource deficiencies, without any actual systems being affected.
19. Which of the following best describes "Data Exfiltration"?
Correct answer (D): The unauthorized transfer, copying, or retrieval of sensitive data from a target's network to an attacker-controlled location
Data exfiltration is the attacker's "Actions on Objectives" end goal in many APT and financially motivated campaigns. It can be achieved via DNS tunneling, HTTPS to cloud storage services, email forwarding rules, or physically via USB, making detection challenging without robust DLP and network monitoring.
20. Why might an IR team choose to leave a compromised system running (but monitored) rather than immediately containing it?
Correct answer (A): To gather valuable intelligence on the attacker's TTPs, identify their ultimate objective, and map their full lateral presence before cutting off access
This controlled observation tactic, sometimes called "slow burn" containment, allows the IR team to gain pivotal intelligence: understanding the attacker's complete footprint, staging servers, persistence mechanisms, and TTPs. The risk vs. benefit must be carefully weighed, particularly if sensitive data is accessible.
Incident Response: Advanced
1. In advanced incident response, what does the MITRE ATT&CK framework provide?
Correct answer (B): A globally accessible, structured knowledge base of adversary tactics, techniques, and procedures based on real-world observations
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a publicly available framework of ~200+ techniques organized under 14 enterprise tactics (Initial Access, Execution, Persistence, etc.). It enables IR teams to map attacker behavior to documented techniques, compare detection coverage gaps, and communicate findings in a standardized vocabulary.
2. When analyzing a memory dump using the Volatility framework, what does the psxview plugin primarily help an analyst discover?
Correct answer (D): Hidden or unlinked processes that may have been obfuscated by a rootkit or DKOM (Direct Kernel Object Manipulation)
psxview compares process listings across multiple Windows kernel data structures (PsActiveProcessHead, EPROCESS pool tags, PspCid table, etc.). Rootkits that practice DKOM unlink themselves from one list but not others; discrepancies between the lists reveal hidden processes that standard `ps` or `tasklist` commands would miss.
3. Which Windows artifact is crucial for proving "Program Execution" (that a specific executable was historically run on the system), even if the file itself has been deleted?
Correct answer (A): Prefetch files (.pf) and Shimcache (AppCompatCache)
Prefetch files (in C:\Windows\Prefetch) record the executable path, run count, last run times, and loaded DLLs. Shimcache (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache) records executables that were present and potentially run. Both persist after file deletion, making them invaluable execution artifacts in forensic timelines.
4. During a complex APT investigation, you discover an attacker is utilizing "Domain Fronting". What makes this technique exceptionally difficult to block at the perimeter?
Correct answer (C): The attacker leverages high-reputation Content Delivery Networks (CDNs), making the initial TLS handshake appear to go to a trusted domain, while routing the inner HTTP request to the malicious C2
Domain fronting exploits how CDNs route traffic: the outer TLS SNI field shows a legitimate CDN domain (e.g., *.cloudfront.net), passing firewall/proxy inspection. The inner HTTP Host header (invisible after TLS encryption) routes to the attacker's CDN origin. Blocking the CDN would break legitimate traffic, which is exactly why major CDNs now prohibit this technique.
5. What is the primary operational advantage of utilizing EDR (Endpoint Detection and Response) or XDR solutions during the Containment phase compared to traditional Antivirus?
Correct answer (B): EDR allows responders to instantly execute remote isolation commands, kill processes, and acquire memory dumps across thousands of endpoints simultaneously
Traditional AV is purely signature-based and passive. EDR platforms provide a bidirectional command channel: responders can push remote isolation rules, execute live queries (process list, network connections, file paths), collect memory/disk artifacts, run YARA scans, and kill processes, all in real time and without physical access to any endpoint.
6. An attacker has compromised a Kubernetes cluster. You discover they utilized a highly privileged Service Account token to query the API server and list all secrets. What is this technique known as?
Correct answer (A): Container Escape / Lateral Movement to the Control Plane
Stealing a Service Account token (typically mounted at /var/run/secrets/kubernetes.io/serviceaccount/token) enables the attacker to interact with the Kubernetes API server as that service account. If the SA has cluster-admin or broad RBAC permissions, the attacker can list secrets (including other credentials), schedule malicious pods, pivot to the control plane, and potentially escape to underlying node infrastructure.
7. You are investigating an incident where a Windows process was hijacked. The attacker mapped a legitimate executable into memory, hollowed out its code section, and replaced it with malicious shellcode while maintaining the legitimate process name. What is this evasion technique called?
Correct answer (D): Process Hollowing
Process hollowing (T1055.012 in MITRE ATT&CK) creates a legitimate process in a suspended state, unmaps its code sections from memory using NtUnmapViewOfSection, writes malicious code into the now-empty memory region, adjusts the entry point, and resumes the process. Task Manager shows a trusted process name while it executes malicious code.
8. In digital forensics, what does analyzing the "Slack Space" on a file system potentially reveal?
Correct answer (C): Remnants of deleted files, passwords, or hidden data residing in the physical disk space between the logical end of a file and the end of the allocation cluster
File system slack is the space between the logical EOF of a file and the end of its allocation cluster (RAM slack) or between the end of the cluster and the start of the next one (drive slack). Attackers can deliberately hide data in slack space. Forensic tools like Autopsy and FTK specifically carve this region to recover fragments of overwritten files.
9. What is the "OODA Loop" and how is it utilized in dynamic threat hunting and incident response?
Correct answer (C): Observe, Orient, Decide, Act; a decision-making cycle used to rapidly understand an evolving threat environment and execute countermeasures faster than the adversary
Developed by military strategist John Boyd, the OODA Loop (Observe, Orient, Decide, Act) is a decision-making framework applied to dynamic adversarial environments. In IR, the goal is to execute your OODA loop faster than the attacker: gathering threat data, contextualizing it, deciding on a response, and acting before the adversary achieves their objective.
10. Which of the following is a classic example of "Living off the Land" (LotL) techniques observed during incident response?
Correct answer (B): The attacker using native OS tools like PowerShell, WMI, and certutil.exe to execute code, download payloads, and move laterally without dropping custom malware
LotL (T1059 family in ATT&CK) is a primary APT evasion strategy: abusing trusted, pre-installed binaries (LOLBins) like PowerShell, certutil.exe, regsvr32.exe, and WMI leaves minimal disk footprint, generates minimal AV alerts, and blends into normal sysadmin activity, making detection almost exclusively behavioral.
11. When responding to an AWS cloud incident involving compromised IAM credentials, what is the best immediate action to contain the threat without destroying evidence?
Correct answer (D): Attach a "Deny All" inline IAM policy to the compromised user or role to instantly revoke all permissions while preserving the entity for CloudTrail analysis
Deleting the IAM user destroys CloudTrail evidence of what API calls were made using those credentials. Attaching a "Deny *" inline policy (which takes immediate precedence over all allow policies) effectively revokes all permissions instantly while keeping CloudTrail logs attached to the identity. This allows full forensic analysis of the attacker's actions in CloudTrail, GuardDuty, and S3 server access logs.
12. What is the purpose of conducting a "Memory Forensics" analysis instead of purely relying on disk forensics?
Correct answer (A): It allows investigators to uncover fileless malware, active network connections, decrypted payloads, and running processes that exist solely in RAM and leave no footprint on the hard drive
Modern sophisticated attackers use fileless malware techniques (PowerShell Empire, Cobalt Strike's reflective loader, process injection) that exist only in memory. Disk forensics would find nothing. Memory forensics with Volatility or Rekall can recover injected shellcode, decrypted C2 URLs, attacker command history from PowerShell processes, and active network socket information.
13. You are investigating a potential web server breach and notice multiple requests in the access logs containing %3Cscript%3E and %27%20OR%201%3D1--. What should you instruct the IR team to look for next?
Correct answer (D): Evidence of successful Cross-Site Scripting (XSS) and SQL Injection payload execution on the backend application
%3Cscript%3E is URL-encoded <script> (XSS payload) and %27%20OR%201%3D1-- is URL-encoded ' OR 1=1-- (classic SQL injection bypass). Finding these patterns in access logs means an attacker probed for both XSS and SQLi vulnerabilities. The IR team should check application error logs, database audit logs, and backend response codes to determine if any payloads executed successfully.
14. What is the concept of a "Golden SAML" attack, and why is it devastating?
Correct answer (C): The attacker steals the Active Directory Federation Services (AD FS) token-signing certificate, allowing them to forge SAML tokens and access any federated cloud service (e.g., Office 365) as any user, bypassing MFA entirely
Golden SAML (analogous to Kerberos Golden Ticket) uses a stolen AD FS token-signing private key to forge valid SAML assertions for any user, any role, any time, even after password resets or MFA enrollment changes. It was used in the SolarWinds/Solorigate attack to pivot from on-premises to Azure/Office 365 environments and is extraordinarily persistent and difficult to detect.
15. During a forensic investigation, you encounter "Timestomping". What does this indicate?
Correct answer (A): The attacker intentionally modified the MAC (Modified, Accessed, Created) timestamps of malicious files to make them blend in with legitimate OS files and thwart timeline analysis
Timestomping (T1070.006 in ATT&CK) is an anti-forensics technique where attackers alter MACB timestamps (Modified, Accessed, Changed, Birth) using native API calls like SetFileTime. Files may be backdated years to blend with OS installation dates. Detecting timestomping requires comparing $MFT timestamps with $LogFile/$UsnJrnl; the latter are harder to manipulate.
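Before reaching for $LogFile or $UsnJrnl, analysts commonly apply a first-pass check inside the $MFT itself: SetFileTime only rewrites the $STANDARD_INFORMATION ($SI) attribute, while the $FILE_NAME ($FN) timestamps are set by the kernel. The added example below (not from the quiz page) applies that heuristic to constructed, already-parsed records; parsing a real $MFT is out of scope and the paths and epoch values are constructed.

```python
"""$SI-versus-$FN timestomp heuristics on constructed $MFT-style records.

Added example, not from the quiz page. Assumes records have already been parsed
(by whatever MFT parser you use) into dicts of epoch-second floats:
  {"path": ..., "si": {"created": f, "modified": f}, "fn": {"created": f, "modified": f}}
Two classic indicators are checked:
  1. $SI created earlier than $FN created: a file cannot genuinely predate its own
     $FN record, but a backdated $SI does.
  2. $SI timestamps with a zero sub-second fraction while $FN keeps sub-second
     precision: many timestomping utilities write whole-second values.
Hits are leads to confirm against $UsnJrnl/$LogFile, not proof on their own
(copies and cross-volume moves can produce odd but legitimate patterns).
"""

# Constructed sample: a normal OS file and a backdated implant with a look-alike name.
SAMPLE_RECORDS = [
    {
        "path": r"C:\Windows\System32\kernel32.dll",
        "si": {"created": 1614938400.1234567, "modified": 1614938400.1234567},
        "fn": {"created": 1614938400.1234567, "modified": 1614938400.1234567},
    },
    {
        "path": r"C:\Windows\System32\svchosts.dll",
        # $SI backdated to 2019-01-01 00:00:00 with no sub-second part ...
        "si": {"created": 1546300800.0, "modified": 1546300800.0},
        # ... while the kernel-set $FN shows the real 2024 drop time.
        "fn": {"created": 1718158424.8812345, "modified": 1718158424.8812345},
    },
]


def _has_zero_subsecond(ts):
    """True when an epoch float carries no fractional second at all."""
    return ts == int(ts)


def timestomp_indicators(record, tolerance=1.0):
    """Return the list of indicator names that fire for one record (empty if none).

    tolerance (seconds) absorbs clock granularity so near-equal values do not fire.
    """
    si, fn = record["si"], record["fn"]
    reasons = []

    if si["created"] + tolerance < fn["created"]:
        reasons.append("si_created_before_fn_created")

    for field in ("created", "modified"):
        if _has_zero_subsecond(si[field]) and not _has_zero_subsecond(fn[field]):
            reasons.append(f"si_{field}_zero_subsecond")

    return reasons


def scan_records(records, tolerance=1.0):
    """Map each flagged path to its indicators; clean records are omitted."""
    flagged = {}
    for record in records:
        reasons = timestomp_indicators(record, tolerance)
        if reasons:
            flagged[record["path"]] = reasons
    return flagged


if __name__ == "__main__":
    for path, reasons in scan_records(SAMPLE_RECORDS).items():
        print(path, "->", ", ".join(reasons))
```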
16. What is the primary challenge when utilizing "Full Packet Capture" (FPC) for retrospective incident analysis in a modern enterprise network?
Correct answer (B): The vast majority of enterprise traffic is encrypted via TLS 1.3, rendering the payload of the captured packets unreadable without the session keys or an SSL decryption broker
TLS 1.3 removed RSA key exchange (which enabled passive decryption with the server's private key) in favor of ephemeral key exchange (ECDHE), providing perfect forward secrecy. This means even if you've captured every packet, payload decryption requires either session keys (from the endpoint's SSLKEYLOGFILE) or an inline TLS inspection proxy at the network boundary.
17. How does an adversary utilize "WMI Event Subscriptions" for persistence on a Windows host?
Correct answer (A): By configuring Windows Management Instrumentation to trigger a malicious payload execution automatically whenever a specific system event occurs (e.g., system startup, a user logging in, or a specific time)
WMI Permanent Event Subscriptions (T1546.003) consist of an EventFilter (trigger condition), EventConsumer (action), and FilterToConsumerBinding. They survive reboots, are stored in the WMI repository (OBJECTS.DATA) rather than the file system, produce minimal logs unless WMI activity auditing is explicitly enabled, and execute with SYSTEM privileges, making them a stealthy and persistent mechanism.
18. In an IR context, what is the role of a "Sinkhole" when dealing with a newly discovered DGA (Domain Generation Algorithm) botnet?
Correct answer (B): To proactively register the predictable malicious domains and route the infected hosts' DNS requests to a researcher-controlled server, neutralizing the C2 channel and identifying victims
DGA botnets generate hundreds of pseudo-random domains daily; only the attacker knows which one is the active C2. By reverse-engineering the DGA algorithm and pre-registering domains (or working with registrars and law enforcement), researchers can create a sinkhole to receive all botnet check-ins, identifying the complete victim population and neutralizing the C2 without alerting the bot operator.
19. What makes "Kerberoasting" a severe post-compromise threat?
Correct answer (D): It allows any authenticated domain user to request a service ticket and extract the service account's NTLM password hash, which can then be cracked offline to escalate privileges
Kerberoasting (T1558.003) exploits a fundamental Kerberos design: any domain user can request a service ticket (TGS) for any SPN-registered service account. The ticket is encrypted with the service account's NTLM hash. Attackers extract the ticket offline and brute-force it with tools like Hashcat. Service accounts often have privileged AD rights and weak passwords, making successful cracking catastrophic.
20. When tracking an adversary's movement, what does the presence of an unauthorized .vhd or .vhdx file mount often suggest?
Correct answer (C): The attacker is exfiltrating data, bypassing EDR/DLP solutions by staging the stolen data inside a mounted virtual hard disk, unmounting it, and extracting the single container file
VHD/VHDX container exfiltration is a DLP bypass technique: DLP tools scan file operations on the host file system, but data written inside a mounted VHD may not trigger file-level DLP rules (it appears as disk I/O to the virtual volume). The entire VHD container file is then transferred as a single opaque binary blob, potentially evading content-scanning policies on cloud uploads or email.
Key Takeaways: Incident Response
- Four Phases (PDCR): Preparation (prevention, monitoring, playbooks), Detection & Analysis (identify, gather evidence, classify), Containment (stop spread + remove attacker), Recovery (restore to normal + post-mortem).
- Time is Critical: Dwell time (days between breach and detection) determines damage scope. Faster detection + containment = smaller impact. Invest in SIEM, EDR, and 24/7 SOC monitoring.
- Evidence Preservation Has Legal Weight: Chain of custody, forensic imaging with write-blockers, cryptographic hashing (SHA-256), and proper storage are required for law enforcement prosecution and regulatory compliance (HIPAA, PCI-DSS).
- Playbooks Enable Speed: Documented procedures (ransomware, data breach, DDoS, insider threat) remove decision-making delays during high-stress incidents. Playbooks must be tested regularly via tabletop exercises.
- Containment vs. Recovery: Containment (isolation, credential revocation, firewall blocks) stops spread immediately; recovery (backup restoration, patching, rebuilding) restores normal operation systematically. Both are required.
- IOC Hunting Expands Discovery: Identifying indicators of compromise (hashes, IPs, domains, file paths) allows you to hunt for the same attacker in other systems, expanding breach scope assessment. Share IOCs via threat intelligence feeds.
- Post-Incident Reviews Must Be Blameless: Focus on process failures and control gaps, not individual mistakes. Blameless culture encourages transparency and continuous improvement.
- Coordination & Communication Are Key: IR team must quickly align with system owners, legal, PR, executives, and law enforcement. Poor communication causes delays, missed containment windows, and contradictory public statements that damage trust.
- Insider Threats Are Different: Require careful evidence preservation, HR/Legal coordination, and avoiding tipping off the insider before law enforcement readiness. External breach IR and insider threat IR diverge significantly.
Quick Review & Summary
Use this summary table to consolidate key concepts before or after attempting the questions.
| IR Phase / Activity | Objective | Key Actions |
|---|---|---|
| Preparation | Enable fast, effective response | Develop playbooks, run tabletop exercises, deploy SIEM/EDR/SOC, train team |
| Detection & Analysis | Quickly identify the incident | Alert triage, gather evidence, classify severity, determine scope |
| Short-Term Containment | Stop attack spread immediately | Isolate affected systems, revoke credentials, block attacker IPs/domains |
| Long-Term Containment | Remove attacker presence | Patch systems, rebuild from backups, remove backdoors, verify clean state |
| Recovery | Restore normal operations | Restore from verified clean backups, reconfigure security controls, re-baseline systems |
| Evidence Preservation | Support forensics & prosecution | Chain of custody, write-blocking, cryptographic hashing, secure storage |
| IOC Hunting | Expand breach scope assessment | Identify hashes, IPs, domains, file paths; hunt across all systems; share via threat feeds |
| Post-Incident Review (PIR) | Prevent recurrence | Timeline analysis, 5 Whys root cause, lessons learned, control improvements, training |
| Communication & Coordination | Align all stakeholders | Keep system owners, legal, PR, executives, law enforcement in sync throughout IR |
| Tabletop Exercise | Build team muscle memory | Simulate incidents, test playbooks, identify gaps, train on procedures before real event |
Frequently Asked Questions
Q. What are the four phases of incident response?
Q. What is the difference between containment and recovery in incident response?
Q. Why is evidence preservation critical in incident response?
Q. What is a playbook and how does it improve incident response?
Q. What should a post-incident review (PIR) or retrospective include?
Q. How does insider threat incident response differ from external breach response?
Q. What role does communication and coordination play in incident response?
Q. What is the relationship between indicators of compromise (IOCs) and incident response?
Conclusion: Building Incident Resilience
Incident response is not a reactive afterthought; it is a proactive discipline that strengthens your organization's resilience. These 60 MCQs span incident classification and triage, forensic investigation and evidence preservation, containment and recovery strategies, and post-incident improvements. They reflect the realities of responding to ransomware attacks, data breaches, insider threats, DDoS incidents, and advanced persistent threats (APTs).
A mature IR program combines preparation (playbooks, tabletop exercises, monitoring), rapid detection (SIEM alerting, threat hunting), decisive containment (isolation, credential revocation), thorough recovery (forensic rebuilds, verification), and systematic learning (blameless post-mortems, control improvements).
Test your knowledge by revisiting missed questions, develop or refine playbooks for your organization, and conduct regular tabletop exercises to build team muscle memory before a real incident strikes.
Struggling with some questions? Re-read the full Theory Guide: Incident Response