CSOC Threat Detection and Incident Response

Question 1

What are the typical phases of a cybersecurity incident response lifecycle?

Accepted Answer

Preparation, Detection and Analysis, Containment, Eradication, Recovery, and Post-Incident Review

Answer

Discovery, Escalation, Remediation, and Sign-off

Answer

Alert, Triage, Patch, Report, and Close

Answer

Identify, Protect, Detect, Respond, and Recover

Question 2

What is a Security Information and Event Management (SIEM) system used for in a CSOC?

Accepted Answer

Aggregating and correlating security event logs from multiple sources to detect threats and support incident response

Answer

Managing physical security access to the CSOC facility

Answer

Storing backup copies of all organisational data for disaster recovery

Answer

Automating the deployment of security patches across the network

Question 3

What is an Indicator of Compromise (IoC) in threat detection?

Accepted Answer

Evidence found in a network or system that suggests a security breach or malicious activity may have occurred

Answer

A legal indicator that a company is not compliant with cybersecurity regulations

Answer

A financial metric indicating that a company's cybersecurity budget has been compromised

Answer

A software tool used to detect and isolate malware on endpoint devices

Question 4

What is the difference between a security event and a security incident?

Accepted Answer

A security event is any observable occurrence; a security incident is an event that adversely affects security or violates a security policy

Answer

A security event is always serious; a security incident is a minor occurrence not requiring response

Answer

Security events are external threats; security incidents are internal breaches only

Answer

There is no distinction — both terms describe confirmed attacks on a system

Question 5

What is 'containment' in the context of cybersecurity incident response?

Accepted Answer

Actions taken to limit the spread and impact of an active security incident while preserving evidence for investigation

Answer

Permanently removing all traces of malware from affected systems

Answer

Preventing users from accessing the internet during a security investigation

Answer

Notifying affected users that their data may have been compromised

Question 6

What is the purpose of a post-incident review (PIR) after a cybersecurity incident?

Accepted Answer

To identify what happened, why it happened, and how to improve detection, response, and prevention for the future

Answer

To determine who is legally liable for the incident and initiate disciplinary action

Answer

To inform the public and media about the details of the security breach

Answer

To restore all affected systems to their pre-incident state