12 Digital Forensics and Incident Response
Mini Quiz Answers

Question 1: A cybersecurity analyst in a corporation is now dealing with a security breach. The team is managing the incident response process using the CompTIA incident response lifecycle. The team has just completed the third step in the process. What must the team do next?

Preparation

Detection

Analysis

Containment

Question 1 Explanation: Preparation is the first phase, not the next step after analysis.

Detection is the second phase where alerts are identified and validated, which comes before analysis.

Analysis is the third phase involving scoping and impact assessment, which the team just completed.

Containment is the fourth phase where teams stop the attack by isolating systems, making it the correct next step after analysis.

Question 2: A large organization's cybersecurity incident response team receives an alert indicating potential threat actor activity on one of its servers. What should be the team's immediate action based on the incident response lifecycle?

Wait for more alerts to confirm the incident before taking any action

Immediately disconnect the affected server from the network to isolate it

Analyze the alert and its context to determine if a genuine incident has occurred

Notify the CEO to authorize actions before proceeding

Question 2 Explanation: Waiting for more alerts delays response and allows threats to spread.

Immediately disconnecting the server is a containment action that should only occur after confirming the incident, because it risks data loss or operational damage.

Analyzing the alert and its context determines if a genuine incident has occurred, which is the correct immediate action following detection.

Notifying the CEO first creates unnecessary delays in the response process.

Question 3: An organization's computer incident response team (CIRT) receives an alert that shows possible malicious activity on a critical server within the network, and they initiate the CompTIA incident response process. What order must the CIRT follow when performing the CompTIA incident response process?

Preparation, analysis, isolation, containment, recovery

Preparation, detection, analysis, containment, eradication, recovery

Detection, analysis, eradication, restoration, improvement

Isolation, analysis, restoration, eradication, improvement

Question 3 Explanation: Preparation, analysis, isolation, containment, recovery is incorrect because the events are in the wrong order.

Preparation, detection, analysis, containment, eradication, recovery follows the correct sequence of the CompTIA incident response lifecycle, which is different from other organizations' incident response lifecycles.

Detection, analysis, eradication, restoration, improvement is incorrect because eradication comes after containment, not immediately after analysis.

Isolation, analysis, restoration, eradication, improvement is incorrect because it starts with isolation rather than preparation and has the phases in the wrong order.

Question 4: The corporate network has been compromised by sophisticated attackers who have established persistence and may be monitoring email traffic and internal chat communications. The incident commander needs to coordinate the response team and share sensitive investigation details without alerting the intruders. What method of communication should be used?

Standard corporate email and internal messaging platforms

The corporate SIEM platform for team coordination

NetFlow analysis consoles for messaging

Out-of-Band communications such as encrypted chat apps

Question 4 Explanation: Standard corporate email and internal messaging platforms should not be used because attackers may be monitoring these channels.

The corporate SIEM platform is for monitoring security events, not for team communications.

NetFlow analysis consoles analyze network traffic and do not function as communication tools.

Out-of-Band communications such as encrypted chat apps provide separate channels, preventing intruders from detecting the response activities.

Question 5: A SOC is overwhelmed with thousands of daily alerts, the vast majority of which are false positives generated by legitimate scripts. To improve operational efficiency and reduce analyst burnout, they need to refine alerts. What process BEST addresses this calibration?

Tuning SIEM thresholds

Implementing SOAR for complete automation

Conducting threat hunting campaigns

Managing responder fatigue through shift rotation

Question 5 Explanation: Tuning SIEM thresholds refines the system to reduce false positives by adjusting detection rules.

Implementing SOAR automates responses but does not address the root cause of excessive false positives.

Conducting threat hunting campaigns searches for hidden threats but does not reduce alert volume.

Managing responder fatigue through shift rotation helps with human factors but does not fix the excessive alerts.

Question 6: Security analysts notice suspicious patterns of outbound connections from internal workstations to external IP addresses at regular fifteen-minute intervals, strongly suggesting command and control beaconing activity. They need to analyze these communication patterns and data volumes to identify compromised hosts, without storing full packet payloads due to bandwidth and storage constraints. Which technology provides this essential network metadata?

Full packet capture with tcpdump or Wireshark

NetFlow or IPFIX capturing conversation patterns and timestamps

SIEM correlation rules for log aggregation

SOAR playbooks for automated response

Question 6 Explanation: Full packet capture stores complete data packets, which requires excessive bandwidth and storage and so does not meet the question's requirements.

NetFlow or IPFIX captures conversation patterns, timestamps, and metadata without storing full payloads, providing the necessary network information while conserving resources.

SIEM correlation rules do not specifically provide network flow metadata.

SOAR playbooks automate responses but do not capture network data.

Question 7: In digital forensics, why is the order of volatility significant during the data acquisition process?

The order of volatility determines whether the data is legal or not

The order of volatility impacts whether the evidence can be used in court

The order of volatility ensures evidence from fragile sources gets collected before less fragile sources

The order of volatility applies to physical crime scenes, not digital ones

Question 7 Explanation: The order of volatility does not determine whether data is legal.

The order of volatility does not directly impact whether evidence can be used in court.

The order of volatility ensures evidence from fragile sources like RAM gets collected before less fragile sources like disk drives, preventing loss of temporary data.

The order of volatility applies specifically to digital evidence, not physical crime scenes.

Question 8: What is the primary risk when using the live acquisition method during a cybersecurity investigation?

It does not capture volatile memory data

It requires physically unplugging the system, which can lead to data loss

It will not alter data on the disk, protecting evidence integrity

It may alert the threat actor and allow time for anti-forensic actions

Question 8 Explanation: Live acquisition does capture volatile memory data from RAM, which is its purpose, so the first answer is wrong.

Live acquisition does not require physically unplugging the system; that describes static acquisition.

Live acquisition can alter data on the disk because running the system may modify files.

Live acquisition may alert the threat actor and allow time for anti-forensic actions because the system remains running and is potentially monitored by attackers.

Question 9: First responders arrive at the desk of a suspected compromised workstation and observe a USB drive connected to the system with a suspicious script actively running in the terminal window, along with an unrecognized wireless adapter plugged into the back of the computer. Before taking any action that might alter the system, they photograph the screen and carefully video record all connected devices. What is the reason for this?

Video recording ensures that no one can tamper with the collected evidence

Video recording provides a backup of the evidence

Video recording helps to work out the cost of replacing the workstation

Video recording helps with integrity and proves the evidence originated directly from the crime scene

Question 9 Explanation: Video recording does not prevent tampering; it only documents the status of the scene.

Video recording is not primarily a backup method for evidence files.

Video recording does not calculate replacement costs for workstations.

Video recording helps with integrity and proves the evidence originated directly from the crime scene by documenting the exact status before any changes occur.

Question 10: Security analysts working extended 12-hour shifts during a major ransomware incident are processing hundreds of low-priority informational alerts. This leads to tiredness, decreased attention to detail, slower response times, and missing critical indicators of lateral movement. What is this dangerous situation called?

Command and control sleep

Alert fatigue

Threat hunting exhaustion

Analysis scope creep

Question 10 Explanation: Command and control refers to attacker techniques, not analyst conditions.

Alert fatigue is the condition where processing excessive alerts leads to tiredness, decreased attention, and missed critical events.

Threat hunting exhaustion is not the standard term for this phenomenon.

Analysis scope creep refers to expanding investigation boundaries, not alert overload.

Question 11: Investigators discover that prior to the attack, an adversary spent weeks researching employee names on LinkedIn and social media, scanning the company's public IP address ranges, and harvesting corporate email addresses from public sources to craft convincing spearphishing messages. Which stage of the Cyber Kill Chain does this information gathering represent?

Passive and Active Reconnaissance

Passive Reconnaissance only

Active Reconnaissance only

Weaponization via OSINT

Question 11 Explanation: Passive and Active Reconnaissance describes this best. Social media and OSINT research are passive reconnaissance, but the scenario also includes active reconnaissance because the attacker scanned the target's network, which SOC teams can detect.

Passive Reconnaissance only is an incomplete answer because scanning IP addresses is active behaviour.

Active Reconnaissance only is an incomplete answer because social media research is passive.

Weaponization via OSINT is incorrect because weaponization involves creating the malicious payload, not gathering information.

Question 12: A CIRT needs to analyse thousands of files that form forensic evidence for a criminal case. Before doing this, they use software that checks which files are identical, and removes identical copies. This reduces the workload on the CIRT while preserving vital evidence. What is this process and how does it work?

The team are using behavioural analytics software, which works by detecting anomalies

The team are using out-of-band analysis, which works by using a SIEM solution

The team are using deduplication, which works by comparing timestamps and metadata

The team are using deduplication, which works by comparing cryptographic hashes

Question 12 Explanation: Behavioural analytics detects anomalies, not identical files.

Out-of-band analysis is not a standard phrase.

Deduplication comparing timestamps is unreliable because timestamps can be identical for different files.

Deduplication comparing cryptographic hashes identifies identical files by matching unique hash values, allowing removal of duplicates while preserving evidence.

Question 13: Rather than waiting for security alerts to trigger investigations, the security team assumes sophisticated attackers are already present in the network. They proactively search for hidden threats using behavioral analytics, hypothesis-driven investigation, and IOC sweeps without relying on automated tools. What describes this proactive security methodology?

Threat hunting

Signature-based detection

Incident response triage

SIEM real-time monitoring

Question 13 Explanation: Threat hunting is the proactive methodology assuming attackers are present, using behavioral analytics and hypothesis-driven searches without waiting for alerts.

Signature-based detection relies on known patterns and automated alerts.

Incident response triage categorizes incidents by severity.

SIEM real-time monitoring is alert-driven, not proactive hunting.

Question 14: Which tool or concept used in cybersecurity monitoring gives a condensed overview of information from various data sources for daily incident response tasks?

SIEM

NIDS

HIPS

NIPS

Question 14 Explanation: SIEM (Security Information and Event Management) dashboards provide a condensed overview of information from various data sources for daily incident response tasks.

NIDS (Network Intrusion Detection Systems) detects network intrusions but does not aggregate multiple data sources.

HIPS (Host Intrusion Prevention Systems) protects individual hosts but does not provide overview dashboards.

NIPS (Network Intrusion Prevention Systems) prevents network intrusions but lacks the centralized correlation of diverse logs.

Question 15: When creating a forensic copy of a suspect hard drive for laboratory analysis, the investigator attaches a hardware device between the source drive and the target workstation that prevents any accidental or automated editing of the original media. This ensures evidence integrity and admissibility. What essential forensic tool is being used?

Faraday cage

Write blocker

Cryptographic hashing

Tamper-evident bags

Question 15 Explanation: Faraday cages block radio signals but do not prevent data from writing to drives.

Write blockers prevent accidental or automated editing of disks during forensic copying.

Cryptographic hashing verifies integrity after copying but does not prevent editing during acquisition.

Tamper-evident bags show physical access but do not prevent data modification during imaging.

Question 16: Which logs help detect any attempts made by a threat actor to attack a wireless network through disassociation events?

System logs from routers

Access logs from switches

Firewall audit logs

Access point logs

Question 16 Explanation: System logs from routers track routing information, not wireless events.

Access logs from switches track wired connections.

Firewall audit logs track policy violations and network traffic.

Access point logs record wireless network events including disassociation attacks and client connections.

Question 17: A law enforcement agency arrives at a corporate office to seize servers suspected of containing evidence of financial crimes. Before imaging the drives, they must ensure they have proper legal authority to conduct the search, to prevent evidence from being excluded in court later. What legal concept is this?

Chain of custody

Legal hold notices

Due process

Order of volatility preservation

Question 17 Explanation: Chain of custody documents who handled the evidence after seizure.

Legal hold notices preserve data from deletion.

Due process requires proper legal authority like court orders before search and seizure.

Order of volatility preservation does not address legal authority.

Question 18: A corporation is notified that it is subject to legal action regarding a data breach. The legal team issues instructions to all employees to preserve any documents, emails, and data related to the incident. It forbids any deletion of potentially relevant information. What is this preservation order called?

Legal hold

Due process

Chain of custody

Evidence tampering prevention

Question 18 Explanation: Legal hold is the order preventing deletion of relevant data when a legal case is anticipated.

Due process ensures fair legal procedures but does not specifically refer to preservation.

Chain of custody tracks evidence handling.

Evidence tampering prevention is a general goal, not the specific legal term.

Question 19: A forensic investigator transports a seized laptop from the crime scene to the forensic laboratory, then passes it to a technician for imaging. The technician then gives the laptop to an officer in a storage facility. At each transfer, they document the date, time, location, and identity of everyone who handled the evidence. What is this form of documentation?

Chain of custody

Order of volatility

Legal hold documentation

Due process verification

Question 19 Explanation: Chain of custody is the documented trail of paperwork recording who handled evidence, when, where, and how it was transferred.

Order of volatility guides the collection sequence.

Legal hold documentation preserves data before collection.

Due process verification ensures legal authority but does not track physical evidence handling.

Question 20: Investigators seize smartphones suspected of containing evidence of crimes. However, they fear the suspects may remotely wipe the devices via cellular signals or Wi-Fi once they realize the phones are compromised. They place the devices in specialized containers that block all Radio Frequency signals during transport to the forensic lab. What preservation tool prevents remote destruction of digital evidence?

Tamper-evident storage bags

Write blockers

Cryptographic hashing

Faraday cages or Faraday bags

Question 20 Explanation: Tamper-evident bags show if physical seals were broken but do not block signals.

Write blockers prevent data editing but do not block radio frequencies.

Cryptographic hashing verifies data integrity but does not prevent remote wiping.

Faraday cages or Faraday bags block all Radio Frequency signals, preventing remote wiping of devices during transport.