
Security QBank

The document consists of a series of questions and answers related to incident handling in cybersecurity, covering topics such as the incident handling process, tools used for analysis, and phases of incident response. Key concepts include the importance of preparation, detection, containment, eradication, and recovery, as well as the roles of various tools and teams like CSIRT and SOC. It also addresses common misconceptions and true/false statements regarding incident management practices.

Uploaded by sabokun935

Choose the correct answer.

1. What is the primary goal of incident handling?

A. To develop security policies
B. To manage and mitigate security incidents effectively
C. To train employees on IT skills
D. To audit network configurations
Answer: B

2. Which of the following is not a phase of the Incident Handling Process?

A. Preparation
B. Recovery
C. Implementation
D. Detection and Analysis
Answer: C

3. What does NIST define as part of the incident handling process?

A. Monitoring, Deployment, and Integration
B. Preparation, Detection & Analysis, Containment, Eradication & Recovery, Post-Incident Activity
C. Risk Assessment and Threat Evaluation
D. Awareness Training
Answer: B

4. What does SOC stand for in cybersecurity?

A. Security Optimization Center
B. Security Operations Center
C. System Operation Chain
D. System Oriented Control
Answer: B

5. What is a key activity during the preparation phase?

A. Malware analysis
B. Formulating an incident response team
C. Restoring affected systems
D. Blocking unauthorized IP addresses
Answer: B

6. Which phase involves identifying deviations from normal operations?

A. Preparation
B. Detection and Analysis
C. Eradication
D. Recovery
Answer: B

7. Which tool is commonly used to analyze network traffic?

A. Velociraptor
B. GRR
C. Wireshark
D. Sysinternals
Answer: C

8. What should be done first when acquiring data for forensic analysis?

A. Analyze log files
B. Acquire data from volatile storage like RAM
C. Backup all network devices
D. Identify the root cause
Answer: B

9. What is the purpose of a write blocker?

A. To monitor active network connections
B. To prevent evidence tampering during data acquisition
C. To scan for malware
D. To block unauthorized access to systems
Answer: B

10. What are the sub-phases of containment?

A. Temporary and Final Containment
B. Short-Term, Backup, and Long-Term Containment
C. Analysis, Containment, and Recovery
D. Detection, Backup, and Isolation
Answer: B

11. Which framework focuses on proactively monitoring endpoints?

A. GRR
B. Velociraptor
C. Cyber Kill Chain
D. NIST
Answer: B

12. What is an effective way to categorize networks for detection purposes?

A. By physical location
B. By logical levels such as network perimeter, host perimeter, host-level, and application-level
C. By service types
D. By hardware specifications
Answer: B

13. Which hashing method is not secure due to collisions?

A. SHA-3
B. MD-5
C. SHA-2
D. None of the above
Answer: B

14. What is the goal of the recovery phase?

A. Identify vulnerabilities
B. Restore affected systems to operational status
C. Monitor ongoing threats
D. Perform training for incident responders
Answer: B

15. What does the acronym CSIRT stand for?

A. Cyber Security and Incident Resolution Team
B. Computer Security Incident Response Team
C. Critical Security Infrastructure Response Team
D. Centralized System Incident Response Team
Answer: B

16. Which resource is used to identify abnormal services on a Windows system?

A. Task Manager
B. netstat -nao
C. lsof -i
D. sc query
Answer: D

17. Which phase involves creating a report on lessons learned?

A. Detection and Analysis
B. Containment
C. Post-Incident Activity
D. Preparation
Answer: C

18. What is the first step when responding to a detected incident?

A. Escalating to upper management
B. Notifying the local cybercrime unit
C. Verifying evidence and ensuring proper classification of the incident
D. Isolating the affected system
Answer: C

19. What does the Cyber Kill Chain model emphasize?

A. Network security configurations
B. The attack stages used by adversaries
C. Incident response readiness
D. Secure coding practices
Answer: B

20. Which action should be avoided during the containment phase?

A. Submitting identified binaries to cloud-based antivirus solutions
B. Isolating affected systems
C. Informing management
D. Backing up critical data
Answer: A

21. Which tool generates alerts when a malicious file is opened?

A. Velociraptor
B. Canarytokens
C. Wireshark
D. GRR
Answer: B

22. What is the primary goal of eradication?

A. Secure backups
B. Restore systems
C. Eliminate all attacker artifacts and improve defenses
D. Analyze network performance
Answer: C

23. What is a recommended action after system recovery?

A. Reinstall software without patching
B. Keep a close eye for signs of re-compromise
C. Disable all user accounts temporarily
D. Remove all logs for storage space
Answer: B

24. Which is an example of detection at the host level?

A. Analyzing application logs
B. Identifying open ports
C. Endpoint protection warning about a malicious executable
D. Monitoring network packets
Answer: C

25. What does SIEM stand for?

A. System Intrusion and Event Monitoring
B. Security Incident and Event Management
C. System Information Event Monitoring
D. Security Information and Emergency Management
Answer: B

26. What is a critical document during the preparation phase?

A. Incident contact list
B. Network diagram
C. User training manual
D. Business continuity plan
Answer: A

27. Which detection method focuses on user behavior?

A. Network-based detection
B. Host-based detection
C. Application-level detection
D. Behavioral analysis
Answer: D

28. What is a volatile data source?

A. Hard disk
B. RAM
C. Archived logs
D. Backups
Answer: B

29. What does the term "containment" primarily refer to?

A. Preventing incident spread
B. Analyzing the root cause
C. Restoring affected systems
D. Documenting findings
Answer: A

30. What is the focus of short-term containment?

A. Blocking all network traffic
B. Isolating the affected system
C. Eradicating malware
D. Creating forensic images
Answer: B

31. What is a primary function of a CSIRT?

A. Training employees
B. Monitoring all network traffic
C. Responding to security incidents
D. Creating security policies
Answer: C

32. Which tool can detect fileless malware?

A. GRR
B. Task Manager
C. Apache logs
D. Netcat
Answer: A

33. What is the purpose of the post-incident report?

A. Analyze evidence
B. Identify gaps and improve processes
C. Restore operations
D. Notify legal authorities
Answer: B

34. Which is a part of the eradication phase?

A. Backup restoration
B. Identifying and removing malware artifacts
C. Analyzing network performance
D. Generating user activity logs
Answer: B

35. What is the main focus of the detection and analysis phase?

A. Restoring system functionality
B. Identifying and classifying incidents based on gathered data
C. Blocking unauthorized IP addresses
D. Creating backup images
Answer: B

36. What should be done after detecting an anomaly in logs?

A. Immediately shut down the affected system
B. Compare it against baseline behavior for further analysis
C. Notify the legal department
D. Submit logs to public forums for review
Answer: B

37. Which of these tools assists in viewing abnormal processes on Windows?

A. ps aux
B. tasklist
C. netstat
D. sc query
Answer: B

38. What should be documented during post-incident activity?

A. Only successful response methods
B. All oversights and successful methods
C. Steps taken during recovery phase only
D. Team members' personal reflections
Answer: B

39. Which phase involves restoring affected systems to operational status?

A. Eradication
B. Containment
C. Recovery
D. Detection
Answer: C

40. What is a common sign of network perimeter intrusion?

A. Increased CPU usage on endpoints
B. Abnormal spikes in network traffic at specific ports
C. Delayed application responses
D. Disk read/write anomalies
Answer: B

41. What role does a CSIRT manager play?

A. Escalating minor issues to law enforcement
B. Managing incident response activities and resource allocation
C. Providing network security updates
D. Training employees on using monitoring tools
Answer: B

42. What is an example of long-term containment?

A. Disconnecting the affected system immediately
B. Patching vulnerabilities across all affected systems
C. Creating forensic images for analysis
D. Notifying external stakeholders
Answer: B

43. Which of these is a forensic data acquisition method?

A. Creating a RAM dump
B. Blocking IP addresses
C. Reviewing web application logs
D. Installing intrusion detection systems
Answer: A

44. Which type of incident requires immediate response?

A. Non-critical system compromise
B. Extensive compromise of sensitive customer information
C. Unauthorized login to a non-administrative account
D. Minor network traffic spike
Answer: B

45. What is a common tool for Linux process analysis?

A. lsof
B. tasklist
C. Velociraptor
D. sc query
Answer: A

46. Which data source is considered least volatile?

A. RAM
B. CPU registers
C. Hard disk
D. Temporary cache files
Answer: C

47. Which activity falls under the preparation phase?

A. Training the response team
B. Identifying network anomalies
C. Removing malicious artifacts
D. Reviewing past incident reports
Answer: A

48. What is an indicator of potential malware activity?

A. New, unexpected services running on a system
B. Unchanged network traffic over time
C. Logs showing repeated normal user activities
D. Presence of encrypted backups
Answer: A

49. What is the primary objective of containment?

A. Preventing further damage or intrusion
B. Restoring normal operations
C. Documenting the incident details
D. Training employees for future incidents
Answer: A

50. Which phase involves securing backups before analysis?

A. Detection
B. Eradication
C. Containment
D. Preparation
Answer: C

51. What is the first step in the incident handling process?

A. Detection and Analysis
B. Preparation
C. Containment
D. Eradication
Answer: B

52. Which phase includes creating an incident response team?

A. Post-Incident Activity
B. Detection and Analysis
C. Preparation
D. Recovery
Answer: C

53. What is an example of an event considered a security incident?

A. Execution of malware
B. A successful data backup
C. An employee logging into their account
D. Normal network traffic
Answer: A

54. What does "alert fatigue" refer to in incident handling?

A. Overreaction to minor incidents
B. Too many false or irrelevant alerts overwhelming the team
C. Lack of alerts during an incident
D. Slow response times due to insufficient staffing
Answer: B

55. Which of these is a key focus of the detection phase?

A. Monitoring system logs for unusual activity
B. Rebuilding compromised systems
C. Training employees on cybersecurity awareness
D. Updating security policies
Answer: A

56. What is a common tool used for analyzing network packets?

A. Velociraptor
B. Wireshark
C. GRR
D. Sysinternals
Answer: B

57. Which phase includes restoring systems to operational status?

A. Preparation
B. Containment
C. Recovery
D. Detection
Answer: C

58. What is the purpose of a chain of custody in incident handling?

A. To document the order of actions taken during an incident
B. To track evidence handling to ensure integrity
C. To establish communication protocols during incidents
D. To contain malicious software
Answer: B

59. What type of data acquisition captures volatile data?

A. Static acquisition
B. Dynamic acquisition
C. Cloning
D. Forensic duplication
Answer: B

60. Which of the following best defines "long-term containment"?

A. Isolating the affected system immediately
B. Monitoring attackers' movements
C. Patching systems and implementing additional controls
D. Restoring normal operations
Answer: C

61. Which organization publishes the Computer Security Incident Handling Guide?

A. NIST
B. ISO
C. ISC2
D. Lockheed Martin
Answer: A

62. What is a key outcome of the post-incident activity phase?

A. Identifying lessons learned
B. Containing the attacker
C. Eliminating malware
D. Reinstalling systems
Answer: A

63. What is an example of a host-level detection tool?

A. Endpoint protection software
B. Firewalls
C. Network IDS
D. Packet sniffers
Answer: A

64. What should be avoided during short-term containment?

A. Disconnecting the affected system from the network
B. Notifying the incident response team
C. Submitting malware samples to online scanners
D. Documenting the incident
Answer: C

65. Which technique is used to validate the integrity of acquired evidence?

A. Packet inspection
B. Hashing
C. Cloning
D. Baseline comparison
Answer: B

66. What is the main focus of the eradication phase?

A. Rebooting affected systems
B. Removing malware and attacker artifacts
C. Logging system usage
D. Installing endpoint security tools
Answer: B

67. Which is an example of application-level detection?

A. Monitoring web application logs for anomalies
B. Using a firewall to block incoming connections
C. Analyzing DNS queries
D. Reviewing email headers
Answer: A

68. Which of these describes "static acquisition"?

A. Capturing volatile data during an active session
B. Imaging non-volatile data from a powered-off system
C. Using live memory analysis
D. Cloning a network server
Answer: B

69. What does "visibility" mean in the context of incident detection?

A. The ability to trace attacker communication
B. The extent of monitoring across network and host systems
C. The use of external threat intelligence
D. The placement of firewalls in the architecture
Answer: B

70. What is the purpose of incident classification?

A. To determine which tools to use during the response
B. To prioritize incidents based on severity and impact
C. To define roles in the incident response team
D. To improve network defenses
Answer: B

True or False

1. Incident handling is primarily about managing and mitigating security incidents.

Answer: True

2. The implementation phase is part of the NIST-defined incident handling process.

Answer: False

3. Preparation is the first phase in the incident handling process.

Answer: True

4. SOC stands for Security Operations Center.

Answer: True

5. An incident response team does not need to be trained during the preparation phase.

Answer: False

6. Detection and analysis involve identifying deviations from normal behavior.

Answer: True

7. Wireshark is a tool commonly used for network traffic analysis.

Answer: True

8. RAM is a volatile data source that should be acquired first during data collection.

Answer: True

9. Write blockers prevent evidence tampering during data acquisition.

Answer: True

10. Short-term containment focuses on isolating the affected system.

Answer: True

11. Velociraptor is a framework used for analyzing physical hardware configurations.

Answer: False

12. Networks can be categorized for detection purposes into logical levels like network perimeter, host perimeter, and application-level.

Answer: True

13. MD-5 is considered a secure hashing method.

Answer: False

14. The recovery phase involves restoring affected systems to operational status.

Answer: True

15. CSIRT stands for Computer Security Incident Response Team.

Answer: True

16. Tasklist can be used to identify abnormal processes on Windows systems.

Answer: True

17. Post-incident activity includes creating a report on lessons learned.

Answer: True

18. The first step when responding to a detected incident is isolating the system.

Answer: False

19. The Cyber Kill Chain model highlights the stages of an attacker's methodology.

Answer: True

20. Submitting identified binaries to cloud-based antivirus tools is recommended during containment.

Answer: False

21. Canarytokens are used to alert teams when malicious files are accessed.

Answer: True

22. The eradication phase includes removing malware artifacts and improving defenses.

Answer: True

23. Recovery involves monitoring systems for re-compromise after restoring them.

Answer: True

24. Detection at the host level involves monitoring application logs only.

Answer: False

25. SIEM stands for Security Incident and Event Management.

Answer: True

26. The incident contact list is an essential document during the preparation phase.

Answer: True

27. Behavioral analysis is a type of network-based detection.

Answer: False

28. Hard disks are more volatile than RAM.

Answer: False

29. Containment prevents further damage from an incident.

Answer: True

30. Long-term containment involves patching vulnerabilities across systems.

Answer: True

31. A CSIRT's main function is to manage and respond to security incidents.

Answer: True

32. Fileless malware can be detected using frameworks like GRR.

Answer: True

33. Post-incident reports focus solely on mistakes made during response efforts.

Answer: False

34. Eradication is about identifying and removing root causes of incidents.

Answer: True

35. Detection and analysis include comparing anomalies to a known baseline.

Answer: True

36. Tasklist is a tool used for analyzing Linux processes.

Answer: False

37. Post-incident activities aim to improve incident handling processes.

Answer: True

38. Detection of a spike in network traffic at specific ports may indicate perimeter intrusion.

Answer: True

39. Containment and eradication are part of the preparation phase.

Answer: False

40. Static acquisition focuses on data that will not change after a system reboot.

Answer: True

41. Post-incident analysis does not require input from affected business units.

Answer: False

42. Monitoring for registry changes is part of the recovery phase.

Answer: True

43. Identifying anomalies in logs is part of the preparation phase.

Answer: False

44. Write blockers can be hardware or software-based.

Answer: True

45. The preparation phase ensures readiness for incident handling.

Answer: True

46. The recovery phase begins after containment is complete.

Answer: False

47. The goal of long-term containment is to secure systems while business operations continue.

Answer: True

48. Memory dumps are considered volatile data acquisition.

Answer: True

49. Incident response activities should always involve legal counsel.

Answer: True

50. Indicators of compromise should be ignored if the incident is not critical.

Answer: False

51. A failed login attempt is always classified as a security incident.

Answer: False

52. NIST guidelines are the basis for many incident handling processes.

Answer: True

53. Forensic images must be created before any analysis is done.

Answer: True

54. System administrators should not be involved in detection efforts.

Answer: False

55. Firewalls can aid in network perimeter detection.

Answer: True

56. Rootkits are harmless if detected early.

Answer: False

57. Incident classification determines the severity and response timeline.

Answer: True

58. The Cyber Kill Chain provides guidelines for securing software.

Answer: False

59. Post-incident reports should highlight areas for improvement.

Answer: True

60. Backup activities should be documented as part of containment.

Answer: True

61. Containment ensures the attacker can no longer access the system.

Answer: True

62. Honeypots can assist in detecting malicious activity.

Answer: True

63. The eradication phase should be skipped if containment was successful.

Answer: False

64. Logs from intrusion detection systems (IDS) are analyzed during detection and analysis.

Answer: True

65. Unauthorized system changes should trigger immediate incident response.

Answer: True

66. Linux tools like lsof are used for monitoring network activity.

Answer: True

67. Incident response plans should be updated annually.

Answer: True

68. The preparation phase does not involve tool configuration.

Answer: False

69. Containment should involve business unit approval for system isolation.

Answer: True

70. Incident response frameworks are designed to prevent future attacks entirely.

Answer: False
