CNDA Intrusion Detection and Incident Response

Question 1

According to NIST SP 800-61, what are the four phases of the incident response lifecycle?

Accepted Answer

Preparation, Detection and Analysis, Containment/Eradication/Recovery, Post-Incident Activity

Answer

Identify, Protect, Detect, Respond

Answer

Triage, Escalation, Resolution, Review

Answer

Alert, Investigate, Patch, Close

Question 2

During containment of a network intrusion, which action BEST preserves evidence while limiting damage?

Accepted Answer

Isolate the system on a quarantine network while capturing memory and disk images

Answer

Immediately power off the affected system

Answer

Delete all logs to prevent attacker access

Answer

Reinstall the OS immediately

Question 3

What is the primary purpose of a SIEM (Security Information and Event Management) system?

Accepted Answer

To aggregate, correlate, and analyze security logs from multiple sources for threat detection

Answer

To replace firewalls and IDS

Answer

To automatically patch vulnerabilities

Answer

To manage user accounts and passwords

Question 4

An analyst observes beaconing behavior from an internal host — regular outbound connections to an external IP at fixed intervals. What does this most likely indicate?

Accepted Answer

A command-and-control (C2) connection from malware

Answer

Normal NTP synchronization

Answer

A misconfigured DHCP client

Answer

DNS resolution activity

Question 5

Which type of threat intelligence indicator would a CNDA use to identify malicious activity by matching network traffic?

Accepted Answer

Indicator of Compromise (IoC) such as a malicious IP or domain

Answer

CVE identifier

Answer

CVSS score

Answer

CIS benchmark control

Question 6

What is a 'playbook' in the context of incident response?

Accepted Answer

A documented, step-by-step procedure for responding to a specific type of incident

Answer

A vendor-supplied patch guide

Answer

A list of authorized users

Answer

A network diagram