1. What does Incident Response primarily refer to?
Difficulty: EasyType: MCQTopic: IR Basics
- Preventing physical access to servers
- Detecting and handling security events effectively
- Monitoring employee attendance
- Maintaining hardware inventory
Incident Response (IR) is the structured process of identifying, investigating, and managing security incidents to reduce impact and restore normal operations.
It ensures the organization reacts quickly and minimizes data or financial loss.
Correct Answer: Detecting and handling security events effectively
2. According to the NIST framework, which of the following is NOT an IR phase?
Difficulty: MediumType: MCQTopic: NIST Phases
- Preparation
- Containment
- Marketing
- Eradication
NIST outlines four key phases of incident response — Preparation, Detection and Analysis, Containment Eradication and Recovery, and Post-Incident Activity.
Marketing is unrelated to the security process.
Correct Answer: Marketing
3. The main goal of Incident Response is to:
Difficulty: EasyType: MCQTopic: IR Goals
- Punish employees responsible for incidents
- Ensure incidents are handled quickly and damage is minimized
- Increase system performance
- Eliminate all threats permanently
The goal of IR is not to eliminate every threat but to contain incidents, limit damage, and resume normal service as soon as possible.
It focuses on coordination, communication, and controlled recovery.
Correct Answer: Ensure incidents are handled quickly and damage is minimized
4. What distinguishes a 'security event' from a 'security incident'?
Difficulty: MediumType: MCQTopic: IR Basics
- Events always require a full investigation
- An incident causes actual harm or policy violation
- Events are more severe than incidents
- They are identical terms
A security event is any observable occurrence, like a login attempt or system alert.
A security incident is when an event leads to compromise, breach, or confirmed malicious activity.
Correct Answer: An incident causes actual harm or policy violation
5. What is the main responsibility of a CSIRT?
Difficulty: MediumType: MCQTopic: CSIRT
- Develop new applications
- Handle and coordinate security incidents within an organization
- Perform hardware maintenance
- Conduct HR training sessions
A Computer Security Incident Response Team (CSIRT) is a specialized group responsible for managing and coordinating incident response across departments.
They analyze alerts, investigate breaches, and recommend containment measures.
Correct Answer: Handle and coordinate security incidents within an organization
6. What is an Indicator of Compromise (IOC)?
Difficulty: MediumType: MCQTopic: IOCs
- A rule for employee attendance
- Evidence suggesting a potential breach or malicious activity
- A security compliance checklist
- A hardware monitoring alert
IOCs are digital clues such as IP addresses, hashes, or domain names that indicate possible intrusion or compromise.
They help analysts detect and correlate suspicious activity early.
Correct Answer: Evidence suggesting a potential breach or malicious activity
7. During an active incident, which communication approach is most appropriate?
Difficulty: MediumType: MCQTopic: communication
- Discuss details publicly on social media
- Keep internal, secure, and need-to-know communication channels
- Share details with all employees
- Allow external vendors to handle all messaging
Effective IR communication avoids information leaks and panic.
Only essential personnel should receive updates through encrypted or approved channels to protect sensitive details.
Correct Answer: Keep internal, secure, and need-to-know communication channels
8. What is an Incident Response playbook?
Difficulty: MediumType: MCQTopic: Playbooks
- A detailed financial report
- A predefined set of steps for handling a specific incident type
- A log file generated by SIEM
- A disaster recovery backup plan
Playbooks standardize how to react to recurring incidents like phishing or ransomware.
They ensure quick, consistent, and effective actions without confusion during real events.
Correct Answer: A predefined set of steps for handling a specific incident type
9. Which metric best measures the efficiency of an IR team?
Difficulty: MediumType: MCQTopic: IR Metrics
- Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR)
- Number of antivirus licenses
- Server uptime percentage
- Employee turnover rate
MTTD shows how fast incidents are identified, while MTTR measures how quickly they’re resolved.
Together, they reflect the maturity and responsiveness of an organization’s IR capability.
Correct Answer: Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR)
10. Why is having an Incident Response plan critical for organizations?
Difficulty: MediumType: SubjectiveTopic: IR Basics
An IR plan defines who acts, how they act, and when they act during security breaches.
Without it, response becomes chaotic, increasing downtime, data loss, and reputational damage. A good plan ensures speed, coordination, and accountability.
11. List and briefly describe the main stages of the incident response process.
Difficulty: MediumType: SubjectiveTopic: NIST Phases
The core stages are:
1. Preparation – building tools, policies, and teams.
2. Identification – detecting and confirming incidents.
3. Containment – limiting the spread and damage.
4. Eradication – removing threats completely.
5. Recovery – restoring normal service.
6. Lessons Learned – reviewing and improving the process.
12. Name some tools commonly used in incident detection and analysis.
Difficulty: MediumType: SubjectiveTopic: IR Tools
Popular tools include SIEMs like Splunk or QRadar, network monitors like Zeek, endpoint tools such as CrowdStrike, and forensics utilities like Volatility.
Each tool collects evidence, correlates alerts, and helps analysts make data-driven decisions.
13. Describe the key roles within an Incident Response team.
Difficulty: MediumType: SubjectiveTopic: IR Roles
Typical roles include:
• IR Manager – coordinates the response.
• Analysts – investigate alerts and gather data.
• Forensics Experts – collect and preserve evidence.
• Communications Lead – handles internal and external updates.
Clear role separation avoids delays and miscommunication.
14. What are common challenges organizations face in incident response?
Difficulty: MediumType: SubjectiveTopic: IR Challenges
Key challenges include alert fatigue, lack of trained staff, slow communication, incomplete logs, and unclear authority.
Solving these needs better automation, defined procedures, and regular IR drills.
15. Which of the following is an example of a security incident?
Difficulty: EasyType: MCQTopic: Incident Types
- User forgetting their password
- Unauthorized access to sensitive data
- Scheduled maintenance downtime
- Installing OS updates
A security incident occurs when confidentiality, integrity, or availability of data is compromised.
Unauthorized access directly violates confidentiality and requires immediate investigation.
Correct Answer: Unauthorized access to sensitive data
16. How are incidents typically classified in an enterprise environment?
Difficulty: MediumType: MCQTopic: Severity
- By department and team name
- By severity, impact, and priority
- Alphabetically by report time
- By geographic region
Incidents are classified using factors like severity (how serious it is), impact (what systems are affected), and priority (how urgently it must be addressed).
This ensures consistent triage and escalation.
Correct Answer: By severity, impact, and priority
17. Which of the following is NOT a common source of security alerts?
Difficulty: MediumType: MCQTopic: Alert Sources
- SIEM system
- Firewall logs
- Intrusion Detection System
- Employee payroll software
Alert sources usually include SIEM tools, IDS/IPS systems, antivirus software, and firewalls.
Payroll software does not generate security alerts unless it’s being monitored through integrated security layers.
Correct Answer: Employee payroll software
18. What is a 'false positive' in incident detection?
Difficulty: MediumType: MCQTopic: False Positives
- A real attack that was missed
- A legitimate activity flagged as suspicious
- A virus that cannot be removed
- A malware signature update
False positives waste analyst time by alerting on non-malicious actions.
Reducing them requires tuning detection rules and improving contextual analysis.
Correct Answer: A legitimate activity flagged as suspicious
19. Which of the following is an example of an Indicator of Compromise (IOC)?
Difficulty: MediumType: MCQTopic: IOC Types
- IP address communicating with known malware server
- List of authorized employee emails
- Normal system uptime record
- Antivirus installation date
An IOC represents evidence that a system may be compromised.
Examples include suspicious IPs, unusual file hashes, or outbound traffic to malicious domains.
Correct Answer: IP address communicating with known malware server
20. How does an Intrusion Prevention System (IPS) differ from an Intrusion Detection System (IDS)?
Difficulty: MediumType: MCQTopic: IDS IPS
- IDS blocks traffic, IPS only monitors
- IPS can block malicious traffic, IDS only detects
- Both systems work identically
- IDS and IPS are firewalls
An IDS observes and alerts on suspicious traffic, while an IPS takes active measures to block or drop that traffic in real-time.
IPS helps automate containment.
Correct Answer: IPS can block malicious traffic, IDS only detects
21. What is the main function of a SIEM system in incident detection?
Difficulty: MediumType: MCQTopic: SIEM
- Encrypting all network traffic
- Aggregating and correlating security events from multiple sources
- Hosting internal websites
- Managing HR compliance
A SIEM (Security Information and Event Management) platform centralizes logs from servers, applications, and firewalls.
It helps analysts spot suspicious patterns faster using correlation rules.
Correct Answer: Aggregating and correlating security events from multiple sources
22. A ransomware infection that impacts critical servers should be classified as:
Difficulty: MediumType: MCQTopic: Severity
- Low severity
- Medium severity
- High or Critical severity
- Informational
Any incident that disrupts business operations or compromises sensitive data is considered high or critical.
It demands immediate containment and management attention.
Correct Answer: High or Critical severity
23. Which of the following helps analysts detect anomalies through log analysis?
Difficulty: MediumType: MCQTopic: Log Analysis
- Cron job scheduler
- Regex-based search and correlation in SIEM
- Packet sniffer
- Text editor
Analysts often use pattern matching, filters, and correlation queries inside SIEM tools to spot suspicious login attempts or network anomalies.
This helps detect attacks early.
Correct Answer: Regex-based search and correlation in SIEM
24. Explain why incident classification is essential in response management.
Difficulty: MediumType: SubjectiveTopic: Classification
Classification helps teams understand the seriousness and potential impact of an incident.
It determines escalation paths, response priorities, and resource allocation, preventing overreaction to minor issues or underreaction to major ones.
25. Describe a typical severity scale used in classifying security incidents.
Difficulty: MediumType: SubjectiveTopic: Severity
A standard scale includes:
• Informational – harmless alerts.
• Low – small impact, no data loss.
• Medium – localized impact or potential risk.
• High – significant disruption.
• Critical – large-scale or data breach.
This helps standardize triage and communication.
26. What steps are involved in triaging a security alert?
Difficulty: MediumType: SubjectiveTopic: Alert Triage
Triage involves verifying the alert, gathering context, checking scope, and assessing severity.
Analysts validate whether it’s a false positive or real threat, then escalate or close accordingly.
27. What are the main techniques used in detecting incidents?
Difficulty: MediumType: SubjectiveTopic: Detection
Common techniques include log correlation, anomaly detection, signature-based detection, and behavior-based analysis.
Combining these improves accuracy and reduces false negatives.
28. Compare manual and automated incident detection.
Difficulty: MediumType: SubjectiveTopic: Automation
Manual detection relies on human review of alerts and logs, which allows deep analysis but is slow.
Automated detection uses SIEM and AI tools to catch threats faster but may require tuning to reduce false positives.
29. What is the main purpose of an Incident Response policy?
Difficulty: EasyType: MCQTopic: Policy
- To describe network hardware inventory
- To outline roles, responsibilities, and procedures for handling incidents
- To configure firewall rules
- To detail marketing communication plans
An Incident Response policy defines the scope, authority, and overall approach of the IR process.
It ensures that everyone in the organization knows what to do, who to contact, and how to escalate when an incident occurs.
Correct Answer: To outline roles, responsibilities, and procedures for handling incidents
30. Which activity best represents the Preparation phase of incident response?
Difficulty: MediumType: MCQTopic: Preparation
- Restoring data from backup after a breach
- Training staff and maintaining updated IR playbooks
- Performing root cause analysis
- Sending post-incident reports
Preparation is all about building the capability to respond effectively.
It involves creating playbooks, conducting regular tabletop exercises, ensuring tools are ready, and making sure personnel are trained for different scenarios.
Correct Answer: Training staff and maintaining updated IR playbooks
31. Which of the following should NOT be included in an Incident Response plan?
Difficulty: MediumType: MCQTopic: IR Plan
- Contact details of IR team members
- Step-by-step containment procedures
- Company cafeteria menu
- Escalation matrix and communication flow
An IR plan focuses solely on operational and technical response actions.
It includes roles, escalation paths, contact lists, and containment or recovery procedures — not irrelevant business information like cafeteria schedules.
Correct Answer: Company cafeteria menu
32. What is the purpose of an Incident Response playbook?
Difficulty: MediumType: MCQTopic: Playbooks
- To provide predefined steps for specific incident types
- To record employee performance
- To manage asset inventory
- To generate firewall configurations
Playbooks are tactical guides for common incidents like phishing, ransomware, or insider threats.
They help ensure the response is quick, repeatable, and aligned with best practices, reducing confusion during crises.
Correct Answer: To provide predefined steps for specific incident types
33. What is a tabletop exercise in IR preparation?
Difficulty: MediumType: MCQTopic: Tabletop
- A full system recovery test
- A simulated discussion-based incident drill
- A penetration test on internal systems
- A daily log review process
A tabletop exercise is a scenario-based discussion where IR team members walk through their roles in a simulated incident.
It helps validate procedures, reveal communication gaps, and improve coordination without disrupting live systems.
Correct Answer: A simulated discussion-based incident drill
34. During an incident, communication should be:
Difficulty: MediumType: MCQTopic: communication
- Open to all employees and vendors
- Controlled, confidential, and through secure channels
- Posted on public company forums
- Sent via personal emails
Communication during incidents must prevent leaks and panic.
Only authorized personnel should share verified information using approved and encrypted channels, maintaining confidentiality throughout the process.
Correct Answer: Controlled, confidential, and through secure channels
35. Which role is primarily responsible for coordinating the overall incident response effort?
Difficulty: MediumType: MCQTopic: IR Roles
- Incident Response Manager
- Forensic Analyst
- Helpdesk Technician
- Compliance Officer
The IR Manager oversees the entire response process, ensuring proper escalation, communication, and coordination among technical and non-technical teams.
They also report to management and external authorities if required.
Correct Answer: Incident Response Manager
36. What is the purpose of an escalation matrix in an IR plan?
Difficulty: MediumType: MCQTopic: Escalation
- To track software patch updates
- To define who should be contacted at each severity level
- To record payroll adjustments
- To manage vendor contracts
An escalation matrix ensures incidents are communicated to the right people quickly.
It defines contact points by severity, ensuring critical incidents get immediate executive and technical attention.
Correct Answer: To define who should be contacted at each severity level
37. Why should an Incident Response plan align with the organization's Business Continuity strategy?
Difficulty: MediumType: SubjectiveTopic: Business Impact
Incident Response deals with immediate threats, while Business Continuity ensures operations resume safely.
If both are aligned, response actions support long-term recovery goals and prevent conflicting decisions. For example, containment steps should not worsen downtime beyond acceptable limits.
38. Explain the importance of documentation during an incident.
Difficulty: MediumType: SubjectiveTopic: Documentation
Proper documentation captures what actions were taken, when, and by whom.
It helps during post-incident reviews, forensic investigations, and compliance audits. Without detailed notes, teams can lose visibility into decision-making and evidence chains.
39. Why is regular incident response training necessary for all staff?
Difficulty: MediumType: SubjectiveTopic: Training
Training ensures that not only the IR team but all employees recognize suspicious activities and know how to report them.
Well-trained staff act faster and make fewer mistakes during real incidents, significantly reducing response time and damage.
40. How can an organization assess its incident readiness level?
Difficulty: MediumType: SubjectiveTopic: Preparation
Organizations can perform readiness assessments by evaluating their policies, detection capabilities, communication workflows, and recovery procedures.
Periodic drills, red-team tests, and audits help identify weak areas and improve preparedness before a real attack happens.
41. What are the best practices to continuously improve an Incident Response plan?
Difficulty: MediumType: SubjectiveTopic: Improvement
Continuous improvement involves reviewing lessons learned from past incidents, updating playbooks with new threats, and integrating automation where possible.
Regular audits and feedback sessions keep the plan aligned with evolving risks and technology.
42. What is the primary goal of the containment phase in incident response?
Difficulty: EasyType: MCQTopic: Containment
- Completely eradicate the threat from all systems
- Limit the impact and prevent the incident from spreading
- Identify the root cause of the incident
- Rebuild affected systems immediately
Containment aims to control and minimize the damage of an ongoing incident.
It focuses on isolating affected systems or networks so that the threat does not spread further, buying time for eradication and recovery planning.
Correct Answer: Limit the impact and prevent the incident from spreading
43. What are the two main types of containment strategies?
Difficulty: MediumType: MCQTopic: Containment
- Active and passive containment
- Short-term and long-term containment
- Local and remote containment
- Hardware and software containment
Short-term containment provides immediate isolation—such as disconnecting a system from the network—to stop ongoing damage.
Long-term containment maintains stability while enabling deeper investigation, often using patches or temporary network segmentation until systems are rebuilt.
Correct Answer: Short-term and long-term containment
44. Which action is the best example of short-term containment?
Difficulty: MediumType: MCQTopic: Isolation
- Rebuilding all affected servers from scratch
- Disconnecting infected hosts from the network
- Notifying law enforcement
- Documenting lessons learned
Short-term containment focuses on halting the spread of an incident immediately.
Disconnecting an infected system prevents lateral movement of malware and buys time for forensic analysis and eradication planning.
Correct Answer: Disconnecting infected hosts from the network
45. During containment, why is preserving forensic evidence critical?
Difficulty: MediumType: MCQTopic: Evidence
- To reuse the infected system for production
- To enable accurate investigation and legal processes
- To speed up patch installation
- To overwrite old logs
Forensic evidence helps investigators trace the origin and scope of an attack.
Preserving logs, memory dumps, and network captures ensures that later analysis and legal teams have valid, untampered data to work with.
Correct Answer: To enable accurate investigation and legal processes
46. What is the main goal of the eradication phase?
Difficulty: MediumType: MCQTopic: Eradication
- Blocking all external communication
- Restoring systems from backup
- Removing malicious code and artifacts completely
- Notifying third-party vendors
Eradication focuses on eliminating the root cause of the incident—malware, backdoors, or misconfigurations—so that the threat cannot reappear.
After eradication, verification scans and audits confirm that systems are clean.
Correct Answer: Removing malicious code and artifacts completely
47. The recovery phase in IR aims to:
Difficulty: MediumType: MCQTopic: Recovery
- Collect legal evidence only
- Reintroduce clean systems into production safely
- Completely redesign the IT infrastructure
- Deactivate all user accounts
Recovery is the process of restoring systems to normal operations in a controlled and verified manner.
It includes validating system integrity, patching vulnerabilities, and continuous monitoring for re-infection.
Correct Answer: Reintroduce clean systems into production safely
48. Which step should always occur before bringing systems back online after recovery?
Difficulty: MediumType: MCQTopic: Validation
- Publicly announcing the incident closure
- Re-imaging and validation scans
- Granting new admin accounts to all users
- Deleting all system logs
Before reintroducing a system to production, teams must re-image or verify its integrity and run validation scans.
This ensures that no residual malware or hidden backdoors remain active.
Correct Answer: Re-imaging and validation scans
49. During containment and recovery, what communication approach should be followed?
Difficulty: MediumType: MCQTopic: communication
- Publicly share detailed progress updates
- Use secure internal channels and limit to essential stakeholders
- Ignore communication until incident ends
- Allow affected users to update each other
Confidential communication ensures sensitive details don’t leak externally.
Updates should be limited to IR and management personnel, keeping consistent, verified information flow to avoid confusion or panic.
Correct Answer: Use secure internal channels and limit to essential stakeholders
50. List the key steps involved in containing an incident.
Difficulty: MediumType: SubjectiveTopic: Containment
Containment typically includes:
1. Identifying affected assets.
2. Disconnecting or isolating compromised systems.
3. Blocking malicious IPs or domains.
4. Applying temporary patches or access restrictions.
5. Preserving evidence for investigation.
Each step minimizes spread while maintaining data integrity for future analysis.
51. Describe the major steps in the recovery phase of incident response.
Difficulty: MediumType: SubjectiveTopic: Recovery
Recovery focuses on restoring affected systems safely.
Key steps include re-imaging or cleaning compromised hosts, restoring data from verified backups, reconfiguring network access, verifying system integrity, and gradually reconnecting systems to production with heightened monitoring. After recovery, post-incident reviews confirm success.
52. Why must containment strategies balance speed and risk?
Difficulty: MediumType: SubjectiveTopic: Risk Balance
Containment must act fast to reduce damage but should not destroy critical evidence or interrupt essential services.
Acting too aggressively may shut down business systems, while slow responses allow threats to spread. The best IR teams use context-driven judgment for each case.
53. Explain why system validation is essential after recovery.
Difficulty: MediumType: SubjectiveTopic: Validation
System validation ensures that the root cause is fully eliminated and normal operations are safe to resume.
It involves vulnerability scans, configuration checks, and integrity validation to confirm no leftover malware, unauthorized users, or open attack paths exist.
54. How can containment and recovery experiences improve future response?
Difficulty: MediumType: SubjectiveTopic: Lessons Learned
Lessons learned from containment and recovery are vital for continuous improvement.
Teams analyze what worked, what failed, and update playbooks, response timelines, and communication flows accordingly. Regular post-mortems turn incidents into training opportunities for stronger resilience.
55. What is Threat Intelligence primarily used for?
Difficulty: EasyType: MCQTopic: IR Basics
- Predicting and understanding adversary behavior
- Monitoring employee attendance
- Generating financial reports
- Managing hardware inventory
Threat Intelligence provides context about current or emerging cyber threats.
It helps analysts understand attacker motives, methods, and tools so they can anticipate attacks, strengthen defenses, and respond faster during incidents.
Correct Answer: Predicting and understanding adversary behavior
56. Which of the following best describes an Indicator of Compromise (IOC)?
Difficulty: MediumType: MCQTopic: IOCs
- Evidence suggesting a possible breach
- A confirmed software vulnerability
- A patch management schedule
- A system backup routine
IOCs are digital clues that indicate potential malicious activity.
Examples include IP addresses, domain names, file hashes, or unusual processes. Analysts use them to detect, correlate, and block attacks before full compromise occurs.
Correct Answer: Evidence suggesting a possible breach
57. In the MITRE ATT&CK framework, what do 'tactics' represent?
Difficulty: MediumType: MCQTopic: MITRE ATT&CK
- Specific tools used by attackers
- High-level goals attackers aim to achieve
- Programming languages used in malware
- Security controls for defense
In MITRE ATT&CK, 'tactics' describe the adversary’s objectives, such as Initial Access, Execution, or Persistence.
They represent *why* an attacker performs an action, while 'techniques' describe *how* it’s done.
Correct Answer: High-level goals attackers aim to achieve
58. Which of the following is NOT a typical source of threat intelligence?
Difficulty: MediumType: MCQTopic: Threat Intel
- Open-source feeds (OSINT)
- Dark web monitoring
- Internal incident data
- Employee payroll system
Threat intelligence comes from structured and unstructured sources such as OSINT, vendor feeds, government advisories, and internal logs.
Payroll systems are business applications and do not generate intelligence data.
Correct Answer: Employee payroll system
59. In MITRE ATT&CK, how do 'tactics' differ from 'techniques'?
Difficulty: MediumType: MCQTopic: MITRE ATT&CK
- Tactics describe what attackers do; techniques describe how they do it
- Tactics are tools; techniques are hardware
- They are the same thing
- Techniques describe defensive strategies
Tactics are the strategic goals in an attack chain, such as Lateral Movement or Privilege Escalation.
Techniques explain the specific methods used to achieve those goals, like using RDP or token impersonation.
Correct Answer: Tactics describe what attackers do; techniques describe how they do it
60. Which is NOT one of the common types of threat intelligence?
Difficulty: MediumType: MCQTopic: Threat Intel
- Strategic
- Tactical
- Operational
- Financial
Threat intelligence is typically categorized as strategic (high-level trends), tactical (attack techniques and IOCs), and operational (real-time campaign insight).
Financial data is business-related, not a TI type.
Correct Answer: Financial
61. Why is information sharing between organizations important in threat intelligence?
Difficulty: MediumType: MCQTopic: Intel Sharing
- It helps identify common attack patterns early
- It slows down detection processes
- It violates confidentiality
- It creates duplicate data
Sharing intelligence through platforms like ISACs and STIX/TAXII enables organizations to spot trends faster and collectively respond to emerging threats.
Collaboration turns isolated defenses into community protection.
Correct Answer: It helps identify common attack patterns early
62. Which step comes first in the threat intelligence lifecycle?
Difficulty: MediumType: MCQTopic: IR Analysis
- Analysis
- Collection
- Planning and Direction
- Dissemination
The threat intelligence lifecycle begins with Planning and Direction — deciding what information is needed and how it will be used.
This phase sets clear goals for collection, analysis, and sharing activities.
Correct Answer: Planning and Direction
63. Explain the main stages of the Threat Intelligence lifecycle.
Difficulty: MediumType: SubjectiveTopic: Threat Intel
The threat intelligence lifecycle consists of:
1. Planning and Direction – Define objectives and requirements.
2. Collection – Gather data from internal and external sources.
3. Processing – Clean and normalize the data for analysis.
4. Analysis – Identify patterns, correlate indicators and derive insight.
5. Dissemination – Share the findings with relevant teams.
6. Feedback – Evaluate usefulness and improve future cycles.
Following this cycle keeps intelligence actionable and current.
64. Differentiate between 'data', 'information', and 'threat intelligence'.
Difficulty: MediumType: SubjectiveTopic: Threat Intel
Data is raw facts — such as IP addresses or timestamps.
Information is processed data that has context, for example a list of malicious IPs.
Threat Intelligence goes further by adding analysis and relevance, explaining what the threat means, its intent, and how to act on it.
65. How does the MITRE ATT&CK framework help in incident response?
Difficulty: MediumType: SubjectiveTopic: MITRE ATT&CK
MITRE ATT&CK maps adversary tactics and techniques across the attack lifecycle.
During IR, analysts use it to classify observed behaviors, understand attacker goals, and identify gaps in defenses.
It also supports threat hunting and reporting with standardized terminology.
66. What are the main challenges in sharing threat intelligence between organizations?
Difficulty: MediumType: SubjectiveTopic: Intel Sharing
Key challenges include data sensitivity, privacy concerns, legal restrictions, and inconsistent formats across tools.
Organizations fear exposing internal breaches or losing competitive advantage.
Frameworks like STIX and TAXII standardize sharing while preserving security and context.
67. Describe how threat intelligence improves incident response capabilities.
Difficulty: MediumType: SubjectiveTopic: Threat Intel
Threat intelligence provides context that turns raw alerts into actionable insights.
By knowing which adversary groups target their sector and what tools they use, teams can prioritize alerts, focus hunting efforts, and accelerate containment.
It shortens detection time and reduces false positives through better contextual awareness.
68. What is the main objective of digital forensics in incident response?
Difficulty: EasyType: MCQTopic: IR Basics
- To punish the attacker
- To collect, analyze, and preserve digital evidence for investigation
- To upgrade software systems
- To reset user passwords
Digital forensics focuses on identifying, collecting, preserving, and analyzing digital evidence in a legally acceptable way.
It ensures the facts of the incident are accurately established and can support legal or disciplinary actions.
Correct Answer: To collect, analyze, and preserve digital evidence for investigation
69. What does maintaining a 'chain of custody' ensure?
Difficulty: MediumType: MCQTopic: Chain Custody
- Evidence is accessible to all employees
- Evidence remains authentic and untampered throughout investigation
- Evidence can be modified to simplify reports
- Evidence is deleted after analysis
The chain of custody is a formal record documenting who handled the evidence, when, and why.
It guarantees that evidence integrity is maintained from collection to presentation in court or internal proceedings.
Correct Answer: Evidence remains authentic and untampered throughout investigation
70. Which of the following is considered volatile data?
Difficulty: MediumType: MCQTopic: Volatile Data
- Hard disk data
- System logs
- Running processes and memory contents
- Email attachments
Volatile data resides in system memory and disappears when power is lost.
Examples include running processes, network connections, and cached credentials. Collecting volatile data early is crucial in live incident response.
Correct Answer: Running processes and memory contents
71. What is the correct order of volatility when collecting evidence?
Difficulty: MediumType: MCQTopic: Volatility Order
- Memory → Network → Disk → Logs → Backups
- Disk → Backups → Logs → Memory
- Network → Disk → Backups → Memory
- Logs → Memory → Disk → Network
Forensic professionals collect data based on its volatility—starting from the most temporary to the most stable.
Memory and network data are collected first since they can change or disappear quickly, followed by disks, logs, and finally backups.
Correct Answer: Memory → Network → Disk → Logs → Backups
72. What is a forensic image?
Difficulty: MediumType: MCQTopic: Forensic Imaging
- A screenshot of the desktop during an attack
- A bit-by-bit copy of a storage device preserving all data including deleted files
- A PDF report of analysis
- A compressed system log file
A forensic image is an exact replica of a storage medium created using tools like FTK Imager or dd.
It ensures that all data, including hidden or deleted content, is preserved without altering the original evidence.
Correct Answer: A bit-by-bit copy of a storage device preserving all data including deleted files
73. Why are cryptographic hashes (like MD5 or SHA-256) used in digital forensics?
Difficulty: MediumType: MCQTopic: Hashing
- To compress evidence files
- To ensure integrity and prove evidence wasn’t altered
- To encrypt the data for confidentiality
- To speed up file transfer
Hashes generate a unique digital fingerprint of evidence.
If the hash value remains unchanged, it confirms that the evidence has not been modified since collection — a key legal requirement in forensics.
Correct Answer: To ensure integrity and prove evidence wasn’t altered
74. What is the purpose of a write blocker in forensic investigations?
Difficulty: MediumType: MCQTopic: Write Blocker
- To block users from accessing their accounts
- To prevent modification of the source drive during data acquisition
- To increase data transfer speed
- To encrypt evidence automatically
A write blocker ensures no data is written to the evidence drive during imaging.
It preserves the original state of the drive, guaranteeing evidence authenticity throughout the acquisition process.
Correct Answer: To prevent modification of the source drive during data acquisition
75. Which of these tools is commonly used for digital forensics?
Difficulty: MediumType: MCQTopic: IR Tools
- Wireshark
- Nmap
- FTK Imager
- Burp Suite
FTK Imager is a popular forensic tool used to acquire and preview data without altering the source.
It supports imaging drives, verifying hashes, and exporting evidence in court-acceptable formats.
Correct Answer: FTK Imager
76. Differentiate between direct, documentary, and testimonial evidence in digital forensics.
Difficulty: MediumType: SubjectiveTopic: Evidence
• **Direct evidence** directly links the suspect to a crime (e.g., an email admitting data theft).
• **Documentary evidence** includes logs, screenshots, or captured files supporting an event.
• **Testimonial evidence** comes from statements made by witnesses or experts. Combining all three provides stronger investigative conclusions.
77. Explain the difference between live forensics and dead forensics.
Difficulty: MediumType: SubjectiveTopic: Live Forensics
Live forensics is performed on running systems to capture volatile data like RAM, active connections, or live malware behavior.
Dead forensics works on powered-off systems or forensic images, analyzing disks, logs, and persistent artifacts. Both complement each other for complete analysis.
78. Why is evidence preservation important during an investigation?
Difficulty: MediumType: SubjectiveTopic: Evidence
Preservation maintains data integrity and ensures that evidence is admissible in legal or compliance investigations.
Tampering, even unintentionally, can invalidate critical proof. Secure storage, controlled access, and proper documentation keep the evidence credible.
79. What details must be recorded in the chain of custody documentation?
Difficulty: MediumType: SubjectiveTopic: Documentation
Chain of custody records include:
1. Unique evidence ID and description.
2. Collection time, date, and location.
3. Name and signature of collector.
4. Transfer details — who handled it next and why.
5. Storage conditions and final disposition.
These details prove authenticity throughout the investigation.
80. How should forensic findings be presented in an investigation report?
Difficulty: MediumType: SubjectiveTopic: Reporting
Reports should be clear, factual, and legally defensible.
Include scope, tools used, findings, timelines, and conclusions without speculation. Visual aids like timelines or hash summaries help non-technical stakeholders understand the evidence flow.
81. What are common mistakes to avoid during digital evidence handling?
Difficulty: MediumType: SubjectiveTopic: Common Pitfalls
Common mistakes include failing to document evidence properly, skipping hash verification, altering source media, or analyzing live data without authorization.
Avoiding these ensures the evidence remains reliable and legally defensible.
82. What is the main goal of a 'lessons learned' review after an incident?
Difficulty: EasyType: MCQTopic: Lessons Learned
- To identify and improve weaknesses in processes and defenses
- To assign blame to specific employees
- To delete all incident data for privacy
- To repeat the same incident steps for practice
The lessons learned phase helps teams understand what went wrong, what worked well, and how to improve response processes.
It turns every incident into a learning opportunity for stronger preparedness.
Correct Answer: To identify and improve weaknesses in processes and defenses
83. Which of the following metrics measures how long it takes to detect an incident?
Difficulty: MediumType: MCQTopic: IR Metrics
- MTTR (Mean Time to Respond)
- MTTD (Mean Time to Detect)
- MTBF (Mean Time Between Failures)
- MTTI (Mean Time to Investigate)
MTTD represents the average time it takes for the security team to discover an incident after it starts.
Lower MTTD indicates faster detection and better monitoring effectiveness.
Correct Answer: MTTD (Mean Time to Detect)
84. What does MTTR (Mean Time to Respond) measure in incident response?
Difficulty: MediumType: MCQTopic: IR Metrics
- Time to rebuild infrastructure after a breach
- Time between security audits
- Average time to contain and remediate an incident after detection
- Average uptime of servers
MTTR tracks how quickly a team acts after detecting an incident.
Reducing MTTR requires automation, predefined playbooks, and efficient coordination among response teams.
Correct Answer: Average time to contain and remediate an incident after detection
85. What does Root Cause Analysis (RCA) aim to identify?
Difficulty: MediumType: MCQTopic: Root Cause
- Who first discovered the incident
- The underlying reason the incident occurred
- The total cost of the incident
- All emails sent during the event
Root Cause Analysis investigates the fundamental technical or procedural issue that allowed the incident to happen.
Once found, it helps teams address the root problem instead of just the symptoms.
Correct Answer: The underlying reason the incident occurred
86. Which section of a post-incident report should summarize business impact and cost?
Difficulty: MediumType: MCQTopic: Reporting
- Technical findings section
- Executive summary
- Appendix
- References
The executive summary presents high-level details such as incident scope, impact, response timeline, and financial implications.
It helps management understand the overall business effect and guides future investments.
Correct Answer: Executive summary
87. Why is internal communication important after incident recovery?
Difficulty: MediumType: MCQTopic: communication
- It helps ensure all teams know what changes were made and why
- It allows gossip about the incident
- It helps hide the details from auditors
- It prevents further reporting
After recovery, communicating internally helps everyone understand system changes, new security controls, and revised procedures.
It prevents confusion and ensures coordinated future responses.
Correct Answer: It helps ensure all teams know what changes were made and why
88. What should be updated immediately after completing a post-incident review?
Difficulty: MediumType: MCQTopic: Policy
- Network diagrams only
- Incident response policies and playbooks
- Employee vacation schedules
- Operating system licenses
Post-incident findings often reveal gaps in existing procedures.
Updating playbooks ensures that lessons learned are implemented so that similar incidents can be handled more effectively next time.
Correct Answer: Incident response policies and playbooks
89. Which platform is commonly used to track and document incident reports in organizations?
Difficulty: MediumType: MCQTopic: Reporting Tools
- Jira or ServiceNow
- Microsoft Word only
- Google Sheets
- Slack channels
Incident management platforms like Jira or ServiceNow provide structured workflows to document, track, and review incidents.
They enable collaboration, automation, and consistent reporting across teams.
Correct Answer: Jira or ServiceNow
90. Explain how continuous improvement works in incident response.
Difficulty: MediumType: SubjectiveTopic: Improvement
Continuous improvement means reviewing every incident to identify better ways to detect, respond, and prevent future issues.
Teams analyze metrics, update playbooks, improve automation, and run simulation exercises. Over time, this builds resilience and faster decision-making.
91. Describe the key steps in performing a root cause analysis after an incident.
Difficulty: MediumType: SubjectiveTopic: Root Cause
1. **Define the problem:** Describe what happened and its symptoms.
2. **Collect data:** Gather logs, timelines, and affected systems.
3. **Identify contributing factors:** Analyze both technical and human errors.
4. **Determine root cause:** Use techniques like the 5 Whys or Fishbone diagram.
5. **Recommend actions:** Address not just the failure but also prevention steps like configuration hardening or training.
92. What are the key elements of an effective executive summary in an incident report?
Difficulty: MediumType: SubjectiveTopic: Exec Summary
An executive summary should include:
- Overview of the incident timeline and scope.
- Summary of impact on business and systems.
- Root cause in simple terms.
- Major actions taken and outcomes.
- Recommendations for improvement.
It provides a high-level snapshot for decision-makers without technical jargon.
93. How can post-incident analysis help improve team training?
Difficulty: MediumType: SubjectiveTopic: Training
Every incident reveals real-world lessons that can be converted into training scenarios.
Teams can simulate similar attacks, practice improved playbooks, and learn to communicate faster. It ensures both technical and procedural readiness for future threats.
94. Why are performance metrics important in the post-incident phase?
Difficulty: MediumType: SubjectiveTopic: IR Metrics
Metrics like MTTD and MTTR quantify how efficiently an organization detects and responds to incidents.
Tracking them over time reveals trends, helps justify investments, and proves whether response strategies are improving or stagnating.
95. What policies should be reviewed after a major security incident?
Difficulty: MediumType: SubjectiveTopic: Policy
Policies related to access control, patch management, backups, and third-party risk should be reviewed.
Incident handling procedures and escalation workflows must also be updated based on gaps observed during the incident. Regular reviews prevent repeating mistakes.
96. What does SOAR stand for in cybersecurity?
Difficulty: EasyType: MCQTopic: SOAR
- Security Orchestration, Automation, and Response
- Security Operations and Risk
- System Optimization and Analysis Reporting
- Secure Operations and Recovery
SOAR combines tools, processes, and automation to streamline incident response workflows.
It allows security teams to automate repetitive tasks like alert triage, threat enrichment, and remediation actions across systems.
Correct Answer: Security Orchestration, Automation, and Response
97. Which of the following is NOT a core function of SOAR platforms?
Difficulty: MediumType: MCQTopic: SOAR
- Case management
- Alert triage automation
- Automated threat hunting
- Hardware procurement
SOAR platforms focus on automating workflows such as alert enrichment, playbook execution, and case management.
Hardware procurement is unrelated to incident response automation.
Correct Answer: Hardware procurement
98. What is the main purpose of Endpoint Detection and Response (EDR) tools?
Difficulty: MediumType: MCQTopic: EDR
- To monitor and respond to threats on individual devices
- To manage firewall configurations
- To schedule software updates
- To back up data automatically
EDR tools collect and analyze data from endpoints such as laptops and servers.
They detect suspicious behavior, contain compromised devices, and provide rich forensic data for investigations.
Correct Answer: To monitor and respond to threats on individual devices
99. Which statement best describes a SIEM system?
Difficulty: MediumType: MCQTopic: SIEM
- It automatically blocks all traffic from the internet
- It aggregates, correlates, and analyzes logs from multiple sources
- It encrypts communication between servers
- It manages employee attendance
Security Information and Event Management (SIEM) tools like Splunk or QRadar centralize logs from multiple sources.
They help detect suspicious patterns by correlating events across network, endpoint, and cloud systems.
Correct Answer: It aggregates, correlates, and analyzes logs from multiple sources
100. How does SOAR differ from SIEM?
Difficulty: MediumType: MCQTopic: SIEM SOAR
- SOAR focuses on automation and response, while SIEM focuses on log correlation and alerting
- SOAR stores logs, while SIEM performs automation
- SOAR replaces SIEM completely
- Both perform the same tasks
SIEM collects and analyzes security events to raise alerts. SOAR takes those alerts, enriches them with context, and automatically executes predefined playbooks for faster resolution.
Correct Answer: SOAR focuses on automation and response, while SIEM focuses on log correlation and alerting
101. Why is threat intelligence integration important in IR automation?
Difficulty: MediumType: MCQTopic: TI Integration
- It increases hardware performance
- It enriches alerts with context for faster decision making
- It reduces log storage size
- It hides details from analysts
Threat intelligence feeds enhance automation by adding details like IP reputation or malware family.
This helps SOAR or SIEM platforms prioritize alerts and auto-escalate high-risk cases.
Correct Answer: It enriches alerts with context for faster decision making
102. In automation, what is a 'playbook'?
Difficulty: MediumType: MCQTopic: Playbooks
- A guidebook for human analysts only
- A predefined set of automated steps for responding to specific threats
- A software installation manual
- A backup of security tools
A playbook defines workflows to handle common incidents, such as phishing or malware detection.
In SOAR systems, playbooks automatically trigger tasks like IP blocking, user notification, and ticket creation.
Correct Answer: A predefined set of automated steps for responding to specific threats
103. Which scripting language is most commonly used for automating security operations?
Difficulty: MediumType: MCQTopic: Automation
Python is widely used in security automation due to its readability and large library ecosystem.
It supports integrations with APIs, SIEM systems, and network tools for rapid IR task automation.
Correct Answer: Python
104. How do APIs enable automation in incident response tools?
Difficulty: MediumType: SubjectiveTopic: Integrations
APIs allow security systems like SIEM, EDR, and SOAR to communicate seamlessly.
For example, a SOAR tool can pull alerts from SIEM, enrich them with threat intel APIs, and execute firewall rules automatically.
This interoperability is the backbone of modern IR automation.
105. Describe the steps involved in designing an effective automation playbook.
Difficulty: MediumType: SubjectiveTopic: Playbooks
1. **Identify repetitive tasks:** Such as alert triage or URL reputation checks.
2. **Define triggers:** What starts the workflow (e.g., SIEM alert).
3. **Outline actions:** List API calls, notifications, and containment steps.
4. **Test and tune:** Validate logic on real alerts.
5. **Monitor and improve:** Review success rates and update as threats evolve.
106. What are the main benefits of using SOAR in a security operations center?
Difficulty: MediumType: SubjectiveTopic: SOAR
SOAR reduces manual workload, improves response speed, and enforces process consistency.
It helps analysts focus on high-priority investigations while automating repetitive actions like enrichment or containment.
Over time, SOAR improves efficiency and reduces alert fatigue.
107. How do EDR tools improve the efficiency of incident response?
Difficulty: MediumType: SubjectiveTopic: EDR
EDR solutions provide continuous endpoint visibility and real-time detection.
They allow analysts to isolate endpoints, gather forensic data, and reverse malicious actions remotely.
This reduces investigation time and ensures swift containment.
108. What are common challenges faced when automating SIEM workflows?
Difficulty: MediumType: SubjectiveTopic: SIEM Challenges
Challenges include alert overload, poor data quality, and lack of standardization across log sources.
Automation can also lead to false positives if correlation rules are too broad.
Continuous tuning and validation of automation logic are necessary to maintain accuracy.
109. How will AI and machine learning impact future incident response automation?
Difficulty: MediumType: SubjectiveTopic: Future IR
AI and ML will enable predictive response by identifying patterns before attacks escalate.
They will enhance anomaly detection, automate classification of incidents, and optimize playbook decisions based on past success rates.
Human analysts will focus more on strategy and complex threat analysis.
110. What does the 'Shared Responsibility Model' in cloud security define?
Difficulty: EasyType: MCQTopic: Shared Model
- Who pays for cloud services
- Which security tasks are handled by the provider vs the customer
- The number of users allowed in a cloud account
- Who owns the internet connection
The shared responsibility model outlines how security is divided between the cloud provider and the customer.
Providers secure the cloud infrastructure, while customers secure their data, applications, and configurations within it.
Correct Answer: Which security tasks are handled by the provider vs the customer
111. Which AWS service provides centralized visibility for detecting and investigating incidents?
Difficulty: MediumType: MCQTopic: AWS IR
- AWS CloudTrail
- AWS Detective
- AWS Config
- AWS Inspector
AWS Detective automatically analyzes CloudTrail logs, VPC flow data, and GuardDuty findings.
It helps security teams visualize connections between resources and investigate suspicious activity faster.
Correct Answer: AWS Detective
112. Which Microsoft Azure service acts as a cloud-native SIEM and SOAR solution?
Difficulty: MediumType: MCQTopic: Sentinel
- Azure Defender
- Azure Monitor
- Microsoft Sentinel
- Azure Security Center
Microsoft Sentinel is a cloud-native SIEM and SOAR platform.
It collects data across Azure, on-prem, and other cloud platforms, enabling analytics, automation, and cross-environment incident response.
Correct Answer: Microsoft Sentinel
113. Which GCP service is primarily used for real-time security event monitoring?
Difficulty: MediumType: MCQTopic: GCP IR
- Cloud Logging
- Security Command Center (SCC)
- Cloud Armor
- BigQuery
GCP’s Security Command Center provides visibility into assets, misconfigurations, and active threats.
It centralizes event data to support incident detection and cloud environment investigations.
Correct Answer: Security Command Center (SCC)
114. What is a key challenge of incident response in a multi-cloud environment?
Difficulty: MediumType: MCQTopic: Multi Cloud
- Limited internet connectivity
- Inconsistent logging and alert formats across providers
- Single point of failure
- Lower uptime guarantees
Each cloud provider uses unique log formats and APIs.
This inconsistency makes correlating and automating incident detection across AWS, Azure, and GCP more complex for security teams.
Correct Answer: Inconsistent logging and alert formats across providers
115. What is the role of AWS CloudTrail in incident response?
Difficulty: MediumType: MCQTopic: CloudTrail
- It encrypts all data in S3 buckets
- It records API calls and user activity for auditing and investigation
- It blocks unauthorized IP addresses automatically
- It manages IAM roles and permissions
AWS CloudTrail provides detailed event logs showing who did what and when.
It’s essential for identifying unauthorized access or suspicious API activity during investigations.
Correct Answer: It records API calls and user activity for auditing and investigation
116. Which tool can automate security response actions across multiple cloud environments?
Difficulty: MediumType: MCQTopic: Automation
- Terraform
- AWS Lambda with SOAR integrations
- Jenkins CI
- GitHub Pages
Lambda functions can automatically execute containment or remediation steps — like revoking credentials or isolating EC2 instances — as part of SOAR-driven workflows in hybrid environments.
Correct Answer: AWS Lambda with SOAR integrations
117. How does digital forensics differ in cloud environments compared to on-premises?
Difficulty: MediumType: SubjectiveTopic: Cloud Forensics
In cloud forensics, investigators have limited control over hardware and rely on provider logs, snapshots, and APIs for evidence.
Unlike on-prem systems, physical access to servers is restricted. Therefore, timely log collection and data preservation agreements with providers become critical for legal compliance and integrity.
118. Outline key steps for responding to a security incident in a cloud environment.
Difficulty: MediumType: SubjectiveTopic: Cloud IR
1. **Detection:** Identify anomalies through cloud-native monitoring (e.g., GuardDuty, Sentinel).
2. **Containment:** Isolate affected accounts, instances, or containers.
3. **Eradication:** Remove malicious files or misconfigurations.
4. **Recovery:** Restore clean resources and reapply IAM controls.
5. **Review:** Conduct lessons learned and update automation workflows.
119. Explain the role of least privilege in cloud incident prevention and response.
Difficulty: MediumType: SubjectiveTopic: Least Privilege
Least privilege ensures users and services have only the permissions they need.
During IR, it limits the blast radius by reducing lateral movement possibilities. In prevention, it stops attackers from exploiting over-permissioned roles and APIs.
120. Why is centralized logging crucial in hybrid cloud environments?
Difficulty: MediumType: SubjectiveTopic: Log Centralization
Centralized logging aggregates data from multiple platforms, helping analysts correlate alerts and detect patterns.
It avoids data silos, reduces response time, and ensures consistent visibility across on-prem and cloud assets.
121. Describe how automation playbooks differ for cloud incident response.
Difficulty: MediumType: SubjectiveTopic: Cloud Playbooks
Cloud IR playbooks must include API-based actions like disabling IAM keys, stopping virtual machines, or revoking roles.
They rely heavily on native services such as AWS Lambda or Azure Logic Apps to execute automated containment steps across distributed environments.
122. How do misconfigurations contribute to cloud security incidents?
Difficulty: MediumType: SubjectiveTopic: Cloud Misconfig
Misconfigured S3 buckets, open ports, or overly permissive IAM policies are leading causes of cloud breaches.
They expose sensitive data and create easy entry points for attackers. Continuous auditing and automated compliance tools help prevent such risks.
123. A user reports a suspicious email asking for login details. What should be your first action?
Difficulty: MediumType: MCQTopic: Phishing IR
- Delete the email immediately
- Forward the email to IT for awareness
- Isolate the email and analyze headers for indicators of compromise
- Reset all company passwords
The first step is analysis — not deletion.
Security teams must examine headers, links, and attachments to extract indicators such as malicious domains or IPs before containment or reporting actions.
Correct Answer: Isolate the email and analyze headers for indicators of compromise
124. During a ransomware attack, which response action should come first?
Difficulty: MediumType: MCQTopic: Ransomware
- Pay the ransom to recover files
- Shut down all servers
- Isolate infected systems from the network
- Erase encrypted data
Immediate containment prevents the malware from spreading laterally.
Once isolated, forensic teams can analyze the encryption type and restore data from clean backups.
Correct Answer: Isolate infected systems from the network
125. Your web service faces a DDoS attack. What is an effective mitigation step?
Difficulty: MediumType: MCQTopic: DDoS
- Switch to a larger cloud provider
- Enable rate-limiting and use a CDN with DDoS protection
- Change website domain name
- Block all international traffic
CDN and WAF providers filter malicious requests and absorb excess traffic.
Rate-limiting and geo-blocking further help to control attack impact without service downtime.
Correct Answer: Enable rate-limiting and use a CDN with DDoS protection
126. After discovering customer data exposure, what is the correct order of response?
Difficulty: MediumType: MCQTopic: Data Breach
- Notify media → fix issue → investigate
- Contain breach → assess impact → notify stakeholders → remediate
- Delete all affected data → alert users
- Restart systems → review policies later
Incident handling must follow a structured order: contain first, analyze second, communicate transparently, and finally apply remediation and preventive controls.
Correct Answer: Contain breach → assess impact → notify stakeholders → remediate
127. An employee is suspected of data exfiltration. What is the best forensic approach?
Difficulty: MediumType: MCQTopic: Insider Threat
- Directly question the employee
- Collect endpoint logs and preserve disk image for analysis
- Disable the employee account and delete evidence
- Publicly announce the investigation
Evidence must be preserved before any confrontation.
Collect workstation logs, emails, and external device records to build a timeline and confirm data transfer activity.
Correct Answer: Collect endpoint logs and preserve disk image for analysis
128. You find unknown executable files running on multiple endpoints. What should be done first?
Difficulty: MediumType: MCQTopic: Malware Triage
- Reboot all systems
- Upload samples to a sandbox for behavioral analysis
- Uninstall antivirus software
- Report to HR department
Dynamic sandboxing reveals how the executable behaves — network calls, file drops, or registry edits — helping confirm whether it is malicious before mass remediation.
Correct Answer: Upload samples to a sandbox for behavioral analysis
129. Explain how correlation rules in SIEM help identify multi-stage attacks.
Difficulty: MediumType: SubjectiveTopic: SIEM Correlation
SIEM correlation rules connect multiple low-level alerts into a single incident narrative.
For example, repeated failed logins followed by privilege escalation and outbound traffic can be correlated into one attack chain, reducing alert fatigue and highlighting true threats.
130. Why is building a precise incident timeline important for investigations?
Difficulty: MediumType: SubjectiveTopic: Timeline
A timeline helps analysts reconstruct attacker activity step-by-step — from initial compromise to exfiltration.
It reveals dwell time, lateral movements, and the effectiveness of detection controls.
Accurate timestamps also support legal evidence presentation and RCA documentation.
131. Describe best practices for communicating during an ongoing incident.
Difficulty: MediumType: SubjectiveTopic: communication
Use secure internal channels only, maintain a single source of truth, and limit updates to verified facts.
Avoid speculation and ensure communication between technical teams, management, and legal representatives remains coordinated.
Timely, accurate updates prevent misinformation and panic.
132. Differentiate between short-term and long-term containment strategies.
Difficulty: MediumType: SubjectiveTopic: Containment
Short-term containment isolates affected systems quickly — disconnecting hosts or disabling accounts — to stop attack spread.
Long-term containment focuses on building stable configurations such as patching vulnerabilities, hardening access controls, and monitoring recovery systems before returning them to production.
133. What are key considerations before restoring systems after an incident?
Difficulty: MediumType: SubjectiveTopic: Recovery Plan
Confirm systems are clean through re-imaging or malware scanning, validate integrity using hashes, and test backups in an isolated environment.
Reconnecting too soon can reintroduce the threat, so coordinate restoration with containment verification and updated monitoring rules.
134. When and how should external breach notifications be made?
Difficulty: MediumType: SubjectiveTopic: Breach Reporting
Notifications should follow regulatory timelines like GDPR’s 72-hour rule.
Reports must include nature of breach, affected data types, and mitigation steps.
Coordination with legal and PR teams ensures accurate, compliant, and reputation-safe disclosure.
135. How can real incident case studies improve team readiness?
Difficulty: MediumType: SubjectiveTopic: Lessons Learned
Reviewing real cases helps analysts understand attacker behavior and common failure points.
Simulating these scenarios through tabletop exercises ensures quicker recognition and better coordination during future incidents.
It transforms experience into proactive defense capability.