CNDA Intrusion Detection and Incident Response

Question 1

According to NIST SP 800-61, what are the four phases of the incident response lifecycle?

Accepted Answer

Preparation, Detection and Analysis, Containment/Eradication/Recovery, Post-Incident Activity

Answer

NIST SP 800-61 defines the IR lifecycle as Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity.

Question 2

During containment of a network intrusion, which action BEST preserves evidence while limiting damage?

Accepted Answer

Isolate the system on a quarantine network while capturing memory and disk images

Answer

Isolating to a quarantine network stops lateral spread while preserving volatile evidence (memory, active connections) for forensic analysis.

Question 3

What is the primary purpose of a SIEM (Security Information and Event Management) system?

Accepted Answer

To aggregate, correlate, and analyze security logs from multiple sources for threat detection

Answer

SIEM centralizes log collection and uses correlation rules to identify patterns across disparate sources that may indicate a security incident.

Question 4

An analyst observes beaconing behavior from an internal host — regular outbound connections to an external IP at fixed intervals. What does this most likely indicate?

Accepted Answer

A command-and-control (C2) connection from malware

Answer

Regular, periodic outbound connections at fixed intervals are a hallmark of malware beaconing to a C2 server for instructions.

Question 5

Which type of threat intelligence indicator would a CNDA use to identify malicious activity by matching network traffic?

Accepted Answer

Indicator of Compromise (IoC) such as a malicious IP or domain

Answer

IoCs such as malicious IPs, domains, hashes, and URL patterns can be fed into firewalls, IDS, and SIEM to detect known threats.

CNDA - Certified Network Defense Architect Practice Test

CNDA - Certified Network Defense Architect Practice Test

CNDA Intrusion Detection and Incident Response