What is the goal of incident response?
A. Prevent attacks only
B. Detect and minimise damage
C. Delete logs
D. Replace systems
Answer: B
Explanation:
Incident response aims to quickly detect security incidents and reduce their impact while maintaining business operations. It is not only about stopping attacks but also ensuring systems remain functional and recover properly.
Which phase includes restoring systems?
A. Detection
B. Preparation
C. Recovery
D. Analysis
Answer: C
Explanation:
The recovery phase involves restoring systems to normal operation after an incident. This may include restoring backups, applying patches, and verifying systems are secure before returning to production.
IR purpose?
A. Prevent
B. Respond to incidents
C. Encrypt
D. Backup
Answer: B
Explanation:
Incident Response (IR) is designed to handle security incidents once they occur. Its primary goal is to detect incidents quickly, contain them, and minimise damage while maintaining business operations. It is not just about prevention, but about managing real-time breaches effectively.
First IR phase?
A. Detection
B. Preparation
C. Recovery
D. Analysis
Answer: B
Explanation:
The first phase is Preparation, where organisations build their incident response capability. This includes training teams, defining procedures, and setting up tools such as SIEM systems. Strong preparation reduces response time and limits damage during actual incidents.
Detection phase?
A. Identify incidents
B. Recover
C. Encrypt
D. Backup
Answer: A
Explanation:
The detection and analysis phase involves identifying and confirming security incidents. This can be done through alerts, logs, or user reports. It is critical because without detection, the organisation cannot respond to threats.
Containment means:
A. Detect
B. Stop spread
C. Recover
D. Log
Answer: B
Explanation:
Containment focuses on limiting the impact of an incident by stopping it from spreading. This may involve isolating infected systems, disconnecting networks, or disabling compromised accounts. Proper containment prevents further damage.
Eradication means:
A. Detect
B. Remove threat
C. Log
D. Backup
Answer: B
Explanation:
Eradication involves completely removing the root cause of the incident, such as deleting malware or closing vulnerabilities. It ensures that the attacker no longer has access to the system before recovery begins.
Recovery means:
A. Detect
B. Restore systems
C. Log
D. Backup
Answer: B
Explanation:
Recovery restores systems to normal operation after an incident. This may include restoring from clean backups, applying patches, and verifying system integrity. The goal is to safely return systems to production without reintroducing vulnerabilities.
Post-incident phase?
A. Attack
B. Lessons learned
C. Detection
D. Encryption
Answer: B
Explanation:
The post-incident phase focuses on analysing what happened and improving future response. Organisations conduct “lessons learned” reviews to identify weaknesses and update policies, tools, and procedures to prevent similar incidents.
Playbook is:
A. Backup
B. Step-by-step IR guide
C. Firewall
D. SIEM
Answer: B
Explanation:
A playbook is a documented, predefined, step-by-step set of procedures used to respond to specific security incidents. It outlines actions, tools, roles, and decision points so analysts can react quickly and consistently, reducing confusion and errors and improving response time. Playbooks are essential in SOC environments.
Jump kit contains:
A. Logs
B. Tools for IR
C. Encryption
D. Backup
Answer: B
Explanation:
A jump kit is a portable collection of tools and resources used during incident response. It may include forensic tools, scripts, and documentation. It ensures analysts are ready to respond immediately without delays.
Evidence handling ensures:
A. Speed
B. Legal validity
C. Logging
D. Encryption
Answer: B
Explanation:
Proper evidence handling ensures that collected data can be used in legal proceedings. This includes maintaining chain of custody and following procedures to preserve integrity. Poor handling can make evidence inadmissible in court.
Which is part of the incident response lifecycle?
A. Encryption
B. Preparation
C. Backup
D. Logging
Answer: B
Explanation:
The IR lifecycle includes Preparation, Detection & Analysis, Containment/Eradication/Recovery, and Post-Incident Activity. These stages guide organisations in handling incidents effectively.
How many phases are in the NIST IR lifecycle?
A. 2
B. 3
C. 4
D. 5
Answer: C
Explanation:
NIST defines 4 phases: Preparation, Detection & Analysis, Containment/Eradication/Recovery, and Post-Incident Activity. This is a key exam topic.
Why must containment be done carefully?
A. It slows the system
B. It may trigger further damage
C. It deletes logs
D. It encrypts data
Answer: B
Explanation:
Some malware reacts to containment (e.g., losing connection) by triggering destructive actions like data wiping. Therefore, containment decisions must be carefully planned.
Why collect evidence early?
A. Save time
B. Preserve forensic data
C. Delete logs
D. Encrypt data
Answer: B
Explanation:
Evidence must be collected early to preserve its integrity. Delays can result in lost or altered data, which affects investigations and legal proceedings.
What is the main goal of post-incident activity?
A. Attack
B. Improve future response
C. Detect malware
D. Encrypt data
Answer: B
Explanation:
The post-incident phase focuses on lessons learned, improving processes, and updating security controls. It ensures the organisation becomes stronger after each incident.