CASP+ Security Operations and Incident Response

Question 1

During a security incident, a responder discovers malware on a compromised host. What is the FIRST action that should be taken according to incident response best practices?

Accepted Answer

Isolate the system from the network while preserving volatile memory

Answer

Immediately reimage the system

Answer

Delete all suspicious files

Answer

Notify law enforcement immediately

Question 2

Which log source is MOST valuable for detecting data exfiltration via DNS tunneling?

Accepted Answer

DNS query and response logs with anomaly baselines

Answer

Windows event logs from domain controllers

Answer

Firewall allow/deny logs

Answer

Antivirus scan results

Question 3

A SOC analyst receives an alert for a possible SQL injection attack. Which evidence BEST confirms successful exploitation?

Accepted Answer

Database error messages followed by unexpected data in HTTP responses

Answer

A single 400 Bad Request response in web server logs

Answer

A spike in failed login attempts

Answer

A port scan originating from the web server IP

Question 4

Which incident response phase involves identifying lessons learned and updating security controls to prevent recurrence?

Accepted Answer

Post-Incident Activity

Answer

Detection and Analysis

Answer

Containment

Answer

Eradication and Recovery

Question 5

A threat hunter is looking for living-off-the-land (LotL) attacks. Which data source provides the MOST visibility into these techniques?

Accepted Answer

Process creation and command-line logging (Sysmon Event ID 1)

Answer

Antivirus signature scan results

Answer

Network bandwidth utilization graphs

Answer

Vulnerability scanner output

Question 6

Which technique allows an attacker to maintain persistence on a Windows system by hijacking the loading of DLLs?

Accepted Answer

DLL search order hijacking

Answer

Pass-the-hash

Answer

Golden ticket attack

Answer

Kerberoasting

During a security incident, a responder discovers malware on a compromised host.What is the FIRST action that should be taken according to incident response best practices?

During a security incident, a responder discovers malware on a compromised host.
What is the FIRST action that should be taken according to incident response best practices?