Quiz: Incident Response

A 26-question self-check on the incident-response lifecycle, preparation, triage, containment, and the blameless postmortem. Questions tagged [Sec+] (CompTIA Security+) and [CISSP] ((ISC)² CISSP) map to those exam domains — incident response is heavily tested on both. Answers and one-line explanations are at the end; complete the whole quiz before checking.


Section 1 — Multiple choice (1 pt each)

1. [Sec+] Which is the correct order of the NIST SP 800-61 incident-response lifecycle? A. Detect → Prepare → Recover → Contain B. Prepare → Detect & Analyze → Contain, Eradicate, Recover → Post-Incident Activity C. Contain → Eradicate → Detect → Prepare D. Prepare → Recover → Detect → Eradicate

2. A security event differs from a security incident in that an incident: A. always involves malware B. is any observable occurrence C. violates or imminently threatens security policy and harms (or credibly threatens) the CIA triad D. must be reported to regulators

3. [Sec+] A scenario-specific response procedure written at the decision/coordination level (e.g., for ransomware) is a: A. runbook B. playbook C. policy D. baseline

4. The step-by-step technical procedure for one task (e.g., "isolate a Windows host in the EDR console"), executable by a tier-1 analyst under stress, is a: A. playbook B. runbook C. charter D. standard

5. [CISSP] The single person with authority to make and own decisions and coordinate during an incident is the: A. CISO B. SOC manager C. incident commander D. forensic lead

6. During an active ransomware encryption incident, the dominant containment concern is: A. avoiding tipping off the attacker B. preserving memory evidence above all C. stopping the (irreversible) damage immediately D. maintaining full business operations

7. [Sec+] For a deeply compromised host, the preferred eradication approach is: A. run antivirus and keep using it B. disconnect and monitor C. wipe and reimage from known-good media D. change the local admin password

8. Short-term containment is best described as: A. the permanent fix B. a fast, reversible action to stop immediate spread (e.g., isolate a host) C. rebuilding from backups D. the postmortem

9. [CISSP] The primary purpose of a blameless postmortem is to: A. identify who to discipline B. satisfy the auditor C. find systemic causes and produce durable improvements without assigning individual blame D. decide whether to pay the ransom

10. During recovery, restoring from backups only works if the backups are: A. encrypted with the production key B. stored on the same file server C. offline/immutable and tested for restoration D. taken yearly

11. [Sec+] A tabletop exercise is: A. a live attack on production systems B. a discussion-based simulation that walks a scenario without touching production C. a penetration test D. a backup restoration drill

12. "How far has it spread?" is the triage question most associated with: A. notification B. scoping C. eradication D. recovery

13. The biggest risk of loud, premature containment against a stealthy, long-resident intruder is: A. it preserves too much evidence B. it tips off the attacker, who burns known footholds and activates hidden ones C. it satisfies the regulator too early D. it is always reversible

14. [CISSP] Which best captures why "do we pay the ransom?" should be decided by policy in advance, not improvised in the war room? A. It is a simple financial calculation B. Responders are too junior C. It is a strategic/legal/ethical (and possibly sanctions) decision that payment cannot guarantee D. Regulators forbid all discussion of it


Section 2 — True / False with justification (1 pt each)

For each, mark T or F and give a one-sentence reason.

15. "Because the NIST lifecycle is a sequence, you must fully finish detection before any containment."

16. [Sec+] "A SOC should treat every security event as an incident to be safe."

17. "Keeping the only copy of the IR plan on the corporate file share is acceptable because it is backed up."

18. "Eradication is only as effective as the scoping that preceded it."

19. "A postmortem that produces a detailed report but no owned, deadlined action items has done its job."


Section 3 — Fill in the blank (1 pt each)

20. The two halves of containment are _ -term (fast, reversible) and _ -term (durable holding pattern).

21. [Sec+] Mapping an incident to a level on a SEV-1–SEV-4 matrix is called _ classification, and it drives escalation, resourcing, and _.

22. A _ is a scenario-level decision procedure; a _ is a step-by-step technical task procedure.


Section 4 — Short answer (2 pts each)

23. [CISSP] Explain why incident response is itself a security control, using two organizations that suffer the identical intrusion but reach opposite outcomes.

24. Name the four competing concerns in a containment decision, and explain how the incident type determines which concern dominates (contrast ransomware with a stealthy APT).

25. Describe the role of the communications plan for a regulated bank during a SEV-1, naming at least two external parties and why the "clock" is a challenge for responders.


Section 5 — Applied scenario (5 pts)

26. [Sec+] Saturday morning, Meridian's EDR alerts that a process is deleting volume shadow copies on three servers; overnight backups failed; scoping shows all three were reached from one domain-admin service account. (a) Assign a severity and justify it. (b) State your containment posture and the single dominant concern, with two specific containment actions. (c) Identify the eradication step the domain-admin compromise forces, and the recovery prerequisite that the shadow-copy deletion threatened. (d) Name one action item a blameless postmortem should produce.


Answer Key

1. **B** — Prepare → Detect & Analyze → Contain/Eradicate/Recover → Post-Incident Activity.
2. **C** — an incident harms or imminently threatens the CIA triad in violation of policy; an event is merely an observable occurrence.
3. **B** — a playbook is the scenario-level decision procedure.
4. **B** — a runbook is the step-by-step technical task procedure.
5. **C** — the incident commander holds decision authority.
6. **C** — active encryption is irreversible loss, so stopping the damage dominates.
7. **C** — wipe and reimage; a scan that reports "clean" cannot prove it removed every implant.
8. **B** — a fast, reversible action that stops spread.
9. **C** — systemic improvement without individual blame.
10. **C** — offline/immutable and *tested* backups.
11. **B** — discussion-based, no production impact.
12. **B** — scoping.
13. **B** — tipping off the attacker.
14. **C** — a strategic/legal/ethical/sanctions decision, and payment guarantees nothing.
15. **F** — detection/analysis and containment iterate; you contain what you have scoped while continuing to analyze (the loop in Figure 24.1).
16. **F** — that causes burnout and buries real incidents in noise; triage funnels events down to the few real incidents.
17. **F** — the file share may be encrypted or offline during the very incident the plan exists for; an out-of-band copy is required.
18. **T** — you can only remove what you found, so under-scoping leaves footholds the attacker returns through.
19. **F** — a postmortem only "works" when it yields owned, deadlined, tracked action items that change the system.
20. short; long.
21. severity; notification.
22. playbook; runbook.
23. Response is a control because the same intrusion can end in a 20-minute containment with three hosts isolated and Monday-normal operations, or in a ten-week-undetected total database loss discovered via an FBI call. Identical attack, opposite outcomes; the difference is detection speed, containment decisiveness, and recovery, i.e., IR capability.
24. The four concerns are stopping damage, preserving evidence, maintaining business operations, and avoiding tipping off the attacker. For ransomware (fast, destructive) stopping damage dominates, so contain immediately and aggressively; for a stealthy APT avoiding tip-off dominates, so scope quietly and thoroughly, then contain everywhere at once in a coordinated move.
25. The comms plan defines who tells whom and when: internal (team cadence, workforce instructions), legal and the cyber-insurer (often the first calls; late insurer notice can void coverage), the federal banking regulator (36-hour determination clock), and affected customers (state breach laws). The clock is a challenge because notification timelines can start before responders fully understand the incident, forcing decisions under uncertainty.
26. (a) **SEV-1** — shadow-copy deletion on servers via a domain-admin account is active or imminent ransomware threatening core systems and the recovery path. (b) Posture: **immediate aggressive containment**, dominant concern **stop the damage** (the loss is irreversible and recovery itself is under attack); actions: isolate the three servers in EDR (left powered on, for memory evidence), disable the service account and force-revoke its sessions and Kerberos tickets domain-wide, and block the C2 domains. (c) The domain-admin compromise forces rotation of all privileged credentials and a `krbtgt` double reset; the recovery prerequisite threatened is offline/immutable, tested backups (the shadow-copy deletion attacked the recovery path). (d) e.g., "remove domain-admin rights from the service account and enforce JIT; owner: named; due: 30 days."

**Topics to review by question:** 1, 15 → §24.2 (lifecycle); 2, 16 → §24.1; 3–4, 22 → §24.2 (playbooks/runbooks); 5 → §24.2 (roles); 6, 8, 13, 20, 24 → §24.4 (containment); 7, 18 → §24.4 (eradication); 10 → §24.4 (recovery); 9, 19 → §24.6 (postmortem); 11 → §24.5 (tabletop); 12 → §24.3 (triage/scoping); 14 (ransom decision) → §24.5; 17 → §24.2 (IR plan); 21 → §24.2 (severity); 23 → §24.1; 25 → §24.2 (comms); 26 → §24.3–24.6.
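As an added worked example for the question 26 scenario (this is not code from the chapter or from any EDR product), the Python below runs the detect-and-analyze step over constructed process-creation records, answers the scoping question ("which accounts reached which hosts?"), and turns the scoping result into the short-term containment worklist. The event field names (`host`, `user`, `image`, `cmd`) are an assumed generic EDR/Sysmon-style schema, and the host and account names are invented.

```python
"""Detection and scoping for the question 26 scenario: shadow-copy deletion.

Added example, not code from the chapter. The events below are constructed
process-creation records; the field names (host, user, image, cmd) are an
assumed generic EDR/Sysmon-style schema, not any specific product's format.
"""
import re
from collections import defaultdict

# Command-line shapes that wipe or starve Volume Shadow Copies. Each pattern
# requires the tool *and* the destructive verb, so "vssadmin list shadows"
# (a legitimate admin query) is not flagged.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage.*?/maxsize=", re.I),
    re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*?remove-wmiobject", re.I),  # PowerShell/WMI route
    re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I),
]

# Constructed telemetry: three servers reached from one service account that
# holds domain-admin rights, plus benign noise that must not trigger.
EVENTS = [
    {"ts": "2024-03-16T06:41:02Z", "host": "FS01", "user": "MERIDIAN\\svc_backup",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2024-03-16T06:41:07Z", "host": "FS01", "user": "MERIDIAN\\svc_backup",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmd": "wmic shadowcopy delete"},
    {"ts": "2024-03-16T06:43:19Z", "host": "SQL02", "user": "MERIDIAN\\svc_backup",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmd": 'powershell -nop -c "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'},
    {"ts": "2024-03-16T06:43:40Z", "host": "SQL02", "user": "MERIDIAN\\svc_backup",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmd": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
    {"ts": "2024-03-16T06:45:44Z", "host": "APP03", "user": "MERIDIAN\\svc_backup",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmd": "vssadmin delete shadows /for=C: /oldest"},
    {"ts": "2024-03-16T06:50:00Z", "host": "FS01", "user": "MERIDIAN\\jdoe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmd": "vssadmin list shadows"},  # benign: a listing, not a deletion
    {"ts": "2024-03-16T06:52:31Z", "host": "WS117", "user": "MERIDIAN\\jdoe",
     "image": "C:\\Windows\\explorer.exe",
     "cmd": "C:\\Windows\\explorer.exe"},
]


def is_shadow_deletion(cmd: str) -> bool:
    """True if a command line matches a known shadow-copy wipe technique."""
    return any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS)


def detect(events):
    """Detect & Analyze: keep only the events that destroy recovery points."""
    return [e for e in events if is_shadow_deletion(e["cmd"])]


def scope(hits):
    """Scoping ('how far has it spread?'): map each account to the hosts it hit."""
    by_user = defaultdict(set)
    for e in hits:
        by_user[e["user"]].add(e["host"])
    return {user: sorted(hosts) for user, hosts in by_user.items()}


def containment_worklist(scoping):
    """Short-term containment for a destructive incident: isolate every touched
    host and disable every account that drove the deletions, without waiting
    for analysis to finish (stop-the-damage dominates)."""
    hosts = sorted({h for hs in scoping.values() for h in hs})
    return {"isolate_hosts": hosts, "disable_accounts": sorted(scoping)}


if __name__ == "__main__":
    hits = detect(EVENTS)
    for e in hits:
        print(f"{e['ts']} {e['host']:<6} {e['user']:<22} {e['cmd']}")
    scoping = scope(hits)
    print("scope:", scoping)
    print("containment:", containment_worklist(scoping))
```

The worklist deliberately stops at containment: the single account behind all three servers is what forces the eradication step in the answer key (privileged-credential rotation and the `krbtgt` double reset), and those actions belong in the runbook executed by an administrator, not in a detection script.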