SSCP Incident Response and Recovery Questions and Answers

Question 1

An incident response analyst has confirmed that a workstation is infected with malware and is actively communicating with an external command-and-control server. According to the NIST incident response lifecycle, which of the following is the MOST appropriate immediate action?

Accepted Answer

Disconnect the workstation from the network.

Answer

The immediate priority during the Containment phase of the incident response lifecycle is to prevent the incident from causing further damage. Disconnecting the workstation from the network (network segmentation or full disconnection) is the most effective immediate step to stop communication with the C2 server and prevent the malware from spreading to other systems. While other actions like forensic imaging, analysis, and reimaging are important, they follow after initial containment is achieved.

Question 2

Which of the following BEST describes the primary goal of a Business Continuity Plan (BCP)?

Accepted Answer

To maintain critical business functions during and after a significant disruption.

Answer

A Business Continuity Plan (BCP) focuses on the entire organization and the processes required to keep essential business functions operational during a crisis. This is distinct from a Disaster Recovery Plan (DRP), which is a subset of BCP and specifically focuses on restoring IT infrastructure and data.

Question 3

An organization has successfully contained and eradicated a security threat. During which phase of the incident response lifecycle would the team formally document their findings and recommend improvements to security controls and procedures?

Accepted Answer

Post-Incident Activity

Answer

The Post-Incident Activity phase, often called 'lessons learned,' is where the incident response process is reviewed. The primary purpose of this phase is to learn from the incident to improve security posture, update response plans, and prevent future occurrences. This involves documenting the incident, its impact, the actions taken, and recommending improvements.

Question 4

A financial services company has a regulatory requirement to resume critical operations within one hour of a disaster declaration. The company needs a recovery site that is fully configured with all necessary hardware, software, and real-time synchronized data. Which type of disaster recovery site would BEST meet this requirement?

Accepted Answer

Hot Site

Answer

A hot site is a fully operational replica of the primary production environment, often with real-time or near-real-time data synchronization. It is designed for immediate or near-immediate failover, meeting the very low Recovery Time Objective (RTO) of one hour. A warm site has hardware but requires configuration and data restoration, while a cold site is just a facility with power and cooling, both resulting in much longer recovery times.

Question 5

During the Detection and Analysis phase of an incident response, a SOC analyst notices anomalous traffic patterns from a server. What is a critical next step within this specific phase?

Accepted Answer

Validating the incident by correlating logs from firewalls, IDS, and server event logs.

Answer

In the Detection and Analysis phase, the goal is to confirm whether a suspected event is actually a security incident and to determine its scope and priority. Correlating data from multiple sources (like firewall logs, IDS alerts, and server logs) is a crucial analysis step to validate the alert, understand the context, and avoid acting on a false positive. Patching, blocking traffic (containment), and restoring (recovery) are actions taken in later phases.

SSCP Certification Practice Test

SSCP Certification Practice Test

SSCP Incident Response and Recovery Questions and Answers