CCD Cheat Sheet 2026
The 30 highest-yield CCD facts, distilled from real exam questions. Print it, save it as a PDF, or study it here β free, no sign-up.
- What does 'TTP' stand for in the context of threat intelligence? β Tactics, Techniques, and Procedures
- What should be the response when a security event is detected? β Investigate and take action
- Which STIX/TAXII concept is used to share threat intelligence between organizations in a standardized format? β TAXII as transport protocol and STIX as data format
- Which team handles alerts and threat mitigation in real-time? β Security Operations Center (SOC)
- Which ATT&CK tactic involves an adversary trying to avoid detection by security controls? β Defense Evasion
- What does the 'Diamond Model' of intrusion analysis primarily focus on? β Relationships between adversary, capability, infrastructure, and victim
- Which standard of practice is MOST important for ensuring quality in Vulnerability Assessment & Management? β Following evidence-based protocols while adapting to specific circumstances
- Which type of account typically has elevated privileges and is used to run automated processes or services? β Service account
- Why is continuous monitoring essential in cybersecurity? β To detect and respond to threats in real time
- Which standard of practice is MOST important for ensuring quality in Incident Response & Handling? β Following evidence-based protocols while adapting to specific circumstances
- What is 'write blocking' in the context of digital forensics? β Using hardware or software to prevent any writes to the evidence drive during acquisition
- Which file system artifact in Windows records metadata about files including creation, modification, and access times? β Master File Table (MFT)
- In Endpoint Protection & Hardening, what is the FIRST step a CCD professional should take when encountering a new case or situation? β Conduct a comprehensive assessment and gather all relevant information
- Which of the following best describes a VPN? β A secure connection over a public network.
- What is the purpose of a security information and event management (SIEM) system? β Monitor and analyze security data in real time.
- What is alert fatigue in security operations? β Analysts ignore important alerts
- What is the PRIMARY purpose of continuing education requirements in Intrusion Detection & Prevention for CCD professionals? β Maintaining current knowledge and competency as the field evolves
- Which Windows Registry hive contains information about recently run programs, USB device history, and user activity? β NTUSER.DAT (user-specific hive) and SYSTEM hive
- In Incident Response & Handling, what is the FIRST step a CCD professional should take when encountering a new case or situation? β Conduct a comprehensive assessment and gather all relevant information
- Which metric represents the average time taken to detect a security incident? β MTTD
- What is the PRIMARY purpose of continuing education requirements in Incident Response & Handling for CCD professionals? β Maintaining current knowledge and competency as the field evolves
- What is the primary goal of containment during incident response? β To stop the incident from spreading.
- What is Role-Based Access Control (RBAC)? β Granting users permissions based on their assigned organizational roles
- What is a 'hypothesis-driven' threat hunt? β Starting a hunt based on an assumed adversary behavior or TTP
- Which standard of practice is MOST important for ensuring quality in Log Analysis & Forensics? β Following evidence-based protocols while adapting to specific circumstances
- Which protocol is commonly used to securely access a remote system? β SSH
- When a conflict arises between standard procedures and a unique situation in Log Analysis & Forensics, what should a CCD professional prioritize? β Safety and ethical obligations while seeking expert consultation
- Which method enhances security by verifying a userβs identity with more than one factor? β Multi-factor authentication
- During forensic analysis of a Linux system, which file contains a history of commands entered by users in the bash shell? β ~/.bash_history
- What should be done immediately after detecting a confirmed breach? β Alert the incident response team.
Turn these facts into recall: