ExamsBrite Dumps

EC Council Certified Incident Handler (ECIH v3) Question and Answers

Last Update Feb 28, 2026
Total Questions : 305

Question 1

Which of the following is an attack that attempts to prevent the use of systems, networks, or applications by the intended users?

Options:

A. Denial of service (DoS) attack
B. Fraud and theft
C. Unauthorized access
D. Malicious code or insider threat attack

Question 2

Lina, a threat responder, uses the Nuix Adaptive Security tool to analyze alerts of suspicious file uploads. She identifies that an insider used Outlook to send attachments to unknown email addresses during off-hours. The tool captures screenshots, file metadata, and keystroke logs. What type of evidence is Lina primarily relying on?

Options:

A. User behavior analytics and endpoint monitoring
B. SIEM event correlation
C. Network forensics logs
D. Host-based intrusion prevention logs

Question 3

John is a professional hacker who is performing an attack on the target organization in which he tries to redirect the connection between the IP address and its target server, so that when users type in the Internet address they are redirected to a rogue website that resembles the original website. He carries out this attack using a cache poisoning technique. Identify the type of attack John is performing on the target organization.

Options:

A. War driving
B. Pharming
C. Skimming
D. Pretexting

Question 4

Which of the following is not a countermeasure to eradicate cloud security incidents?

Options:

A. Patch the database vulnerabilities and improve the isolation mechanism
B. Remove the malware files and traces from the affected components
C. Check for data protection at both design and runtime
D. Disable security options such as two factor authentication and CAPTCHA

Question 5

Sam, an employee of a multinational company, sends emails to third-party organizations with a spoofed email address of his organization. How can you categorize this type of incident?

Options:

A. Network intrusion incident
B. Inappropriate usage incident
C. Unauthorized access incident
D. Denial-of-service incident

Question 6

In an online retail company, a severe security incident occurred where attackers exploited a zero-day vulnerability in the website's backend. This exploit allowed the theft of thousands of customers' credit card details. While the tech team races to patch the vulnerability, what should be the primary focus of the IH&R team?

Options:

A. Coordinating with financial institutions to monitor suspicious transactions.
B. Commencing legal actions against the attackers.
C. Immediately emailing all customers advising them to cancel cards.
D. Analyzing server logs using Incident Response Automation and Orchestration tools to understand the breach's origin.

Question 7

Logan, a network security analyst, notices a pattern of repeated ICMP echo requests being sent to a broad range of IP addresses within the company's internal subnet. To confirm his suspicion of a possible reconnaissance attempt, he opens Wireshark and starts analyzing the traffic for unusual scanning behavior. What technique is most likely being used by the attacker?

Options:

A. DNS poisoning
B. Ping sweep
C. Port scanning
D. SYN flooding

Question 8

Drake is an incident handler in Dark Cloud Inc. He intends to perform log analysis in order to detect traces of malicious activities within the network infrastructure. Which of the following tools must Drake employ in order to view logs in real time and identify malware propagation within the network?

Options:

A. Splunk
B. HULK
C. Hydra
D. LOIC

Question 9

Clark, a professional hacker, exploited the web application of a target organization by tampering with the form and parameter values. He successfully exploited the web application and gained access to the information assets of the organization. Identify the vulnerability in the web application exploited by the attacker.

Options:

A. Broken access control
B. Security misconfiguration
C. SQL injection
D. Sensitive data exposure

Question 10

Following a spear-phishing campaign targeting executive-level employees, a mid-sized financial firm experienced unauthorized access to internal systems, leading to widespread disruption of customer-facing applications. Although the technical issues were resolved within days, the breach triggered legal scrutiny and negative press coverage. Several major customers expressed concern about the firm's risk posture and began transitioning to competitors. Investor confidence was impacted as the stock value dipped, and senior leadership initiated a damage control campaign. Which of the following best categorizes the broader consequences experienced by the organization?

Options:

A. Tangible operational costs including the deployment of response infrastructure.
B. Recovery complications caused by delayed asset inventory synchronization.
C. Intangible business effects involving stakeholder defection and public image decline.
D. Measurable loss from hardware failure and direct asset compromise.

Question 11

Which of the following best describes an email used as an attack medium, in which several messages are sent to a mailbox to cause overflow?

Options:

A. Email-bombing
B. Masquerading
C. Spoofing
D. Smurf attack

Question 12

An incident handler is analyzing email headers to identify suspicious emails. Which of the following tools must he/she use in order to accomplish the task?

Options:

A. Barracuda Email Security Gateway
B. Gophish
C. SPAMfighter

Question 13

During an incident involving suspected unauthorized data access, Sophia, a system administrator, immediately isolates the affected system from the network to prevent further communication. She ensures no one tampers with the device, restricts access to the area, and notifies the incident response team. What role is Sophia performing as a first responder?

Options:

A. Documenting the chain of custody
B. Collecting detailed evidence logs
C. Performing advanced forensic analysis
D. Protecting the integrity of the crime scene

Question 14

John, a professional hacker, is attacking an organization, where he is trying to destroy the connectivity between an AP and a client to make the target unavailable to other wireless devices. Which of the following attacks is John performing in this case?

Options:

A. Routing attack
B. EAP failure
C. Disassociation attack
D. Denial-of-service

Question 15

Racheal is an incident handler working in the InceptionTech organization. Recently, numerous employees have been complaining about receiving emails from unknown senders. In order to protect employees against spoofed emails, and keeping security in mind, Racheal was asked to take appropriate action in this matter. As a part of her assignment, she needs to analyze the email headers to check the authenticity of received emails. Which of the following protocol/authentication standards must she check in the email header to analyze the email authenticity?

Options:

A. DKIM
B. SNMP
C. POP
D. ARP

Question 16

Andrew, an incident responder, is performing a risk assessment of the client organization. As a part of the risk assessment process, he identified the boundaries of the IT systems, along with the resources and the information that constitute the systems. Identify the risk assessment step Andrew is performing.

Options:

A. Control analysis
B. System characterization
C. Likelihood determination
D. Control recommendations

Question 17

At a major healthcare provider, staff received phishing emails impersonating HR. Reporting via email failed due to mail system issues. The IR team introduced VOIP and SMS-based reporting mechanisms. Which preparatory step was implemented?

Options:

A. Training on phishing indicators
B. Creating backup archives
C. Email content filtering
D. Establishing out-of-band communication

Question 18

Oscar receives an email from an unknown source containing his domain name oscar.com. Upon checking the link, he found that it contains a malicious URL that redirects to the website evilsite.org. What type of vulnerability is this?

Options:

A. Malware
B. Bolen
C. Unvalidated redirects and forwards
D. SQL injection

Question 19

Which of the following is a common tool used to help detect malicious internal or compromised actors?

Options:

A. User behavior analytics
B. SOC2 compliance report
C. Log forwarding
D. Syslog configuration

Question 20

Francis received a spoofed email asking for his bank information. He decided to use a tool to analyze the email headers. Which of the following should he use?

Options:

A. EventLog Analyzer
B. MxToolbox
C. Email Checker
D. PoliteMail

Question 21

Mr. Smith is the lead incident responder of a small financial enterprise with a few branches in Australia. Recently, the company suffered a massive attack, losing USD 5 million through an inter-banking system. After an in-depth investigation of the case, it was found that the incident occurred because 6 months ago the attackers penetrated the network through a minor vulnerability and maintained the access without any user being aware of it. Then, the attacker tried to delete users' fingerprints and performed a lateral movement to the computer of a person with privileges in the inter-banking system. Finally, the attacker gained access and performed fraudulent transactions. Based on the above scenario, identify the most accurate kind of attack.

Options:

A. Ransomware attack
B. Denial-of-service attack
C. APT attack
D. Phishing

Question 22

A large multinational enterprise recently integrated a digital HR onboarding system to streamline applicant submissions and document collection. During a cybersecurity audit, it was revealed that attackers had set up a phishing site mimicking the official HR document submission portal. Several employees and new hires uploaded their resumes and downloaded pre-filled form templates, believing them to be legitimate. Upon opening the downloaded Word documents, the system silently connected to external servers and fetched additional template data without any user consent or visible macro execution warnings. This bypassed email gateway filters and endpoint antivirus tools, leading to lateral malware spread across systems used by HR, finance, and legal departments.

Digital forensic analysis showed that the documents did not contain visible scripts or macros but relied on hidden structural definitions to retrieve malicious payloads dynamically from attacker-controlled servers. Which of the following web-based malware distribution techniques best explains the observed behavior?

Options:

A. Distribution of malware through remotely hosted RTF injection.
B. Distribution of malware through spear-phishing emails that impersonate social media contacts.
C. Distribution of malware through compromised browser extensions embedded in PDF rendering engines.
D. Distribution of malware through peer-to-peer file propagation mechanisms within internal networks.

Question 23

Which of the following is not a countermeasure to eradicate inappropriate usage incidents?

Options:

A. Avoid VPN and other secure network channels
B. Register the user activity logs and keep monitoring them regularly
C. Install firewall and IDS/IPS to block services that violate the organization's policy
D. Always store the sensitive data in far located servers and restrict its access

Question 24

Which of the following details are included in the evidence bags?

Options:

A. Error messages that contain sensitive information and files containing passwords
B. Software version information and web application source code
C. Sensitive directories, personal, and organizational email address
D. Date and time of seizure, exhibit number, and name of incident responder

Question 25

Liam, a certified digital forensics technician, labels seized laptops, USB drives, and smartphones with exhibit tags, records detailed descriptions in an evidence logbook, photographs items in their original positions, and documents custody transfers. Which aspect of evidence handling is Liam demonstrating?

Options:

A. Executing malware removal procedures
B. Imaging volatile memory
C. Creating a chain of custody record
D. Installing endpoint detection software

Question 26

ThetaTec, a global fintech giant, identified that an employee was siphoning off funds using a sophisticated method undetectable by traditional monitoring tools. The firm decided to employ advanced techniques to detect such hidden insider threats. What should be its primary focus?

Options:

A. Install hidden microphones in the office to capture conversations.
B. Use behavioral analytics to identify potential risks based on employee actions and patterns.
C. Mandate all employees to provide access to their personal bank statements.
D. Conduct polygraph tests on all employees quarterly.

Question 27

Shally, an incident handler, is working for a company named Texas Pvt. Ltd. based in Florida. She was asked to work on an incident response plan. As part of the plan, she decided to enhance and improve the security infrastructure of the enterprise. She has incorporated a security strategy that allows security professionals to use several protection layers throughout their information system. Due to multiple layer protection, this security strategy assists in preventing direct attacks against the organization's information system, as a break in one layer only leads the attacker to the next layer. Identify the security strategy Shally has incorporated in the incident response plan.

Options:

A. Defense-in-depth
B. Three-way handshake
C. Covert channels
D. Exponential backoff algorithm

Question 28

In which of the following phases of the incident handling and response (IH&R) process are the identified security incidents analyzed, validated, categorized, and prioritized?

Options:

A. Incident recording and assignment
B. Containment
C. Notification
D. Incident triage

Question 29

SpaceTech Innovations, specializing in space exploration software, encountered malware that camouflaged itself within proprietary algorithms. This stealthy malware intermittently transmitted blueprints to an unknown receiver. With a state-of-the-art code analyzer and a network traffic analyzer at hand, what's the ideal first step?

Options:

A. Run the code analyzer to detect and remove the hidden malware.
B. Use the network traffic analyzer to pinpoint and halt the blueprint transmission.
C. Inform partners and stakeholders of potential data leaks.
D. Update all proprietary software hoping to overwrite the malware.

Question 30

Elizabeth, who works for OBC organization as an incident responder, is assessing the risks to the organizational security. As part of the assessment process, she is calculating the probability of a threat source exploiting an existing system vulnerability. Which of the following risk assessment steps is Elizabeth currently in?

Options:

A. Vulnerability identification
B. Impact analysis
C. Likelihood analysis
D. System characterization

Question 31

OmegaTech Corp identified unauthorized remote access to its primary server and data exfiltration tunnels. Simultaneously, IoT device firmware corruption was reported. As the first responder, what should Olivia prioritize?

Options:

A. Start reinstalling IoT firmware
B. Begin isolating the primary server and cutting off remote access
C. Alert all divisions to initiate a system-wide shutdown
D. Engage the AI-driven security system to trace unauthorized access

Question 32

Which of the following is a term that describes the combination of strategies and services intended to restore data, applications, and other resources to the public cloud or dedicated service providers?

Options:

A. Mitigation
B. Analysis
C. Eradication
D. Cloud recovery

Question 33

Aarav, an IT support specialist, identifies that multiple employees have engaged with an email promoting free shopping vouchers, which appears suspicious. To minimize the potential threat, he instructs staff to report the message, classify it as junk, and remove it from their inboxes. He further advises them not to interact with similar messages in the future, even if they seem to come from internal contacts. Which best practice is Aarav reinforcing?

Options:

A. Sort emails by priority
B. Digitally sign email attachments
C. Disable preview pane in the inbox
D. Avoid replying to or forwarding suspicious emails

Question 34

Eve is an incident handler in ABC organization. One day, she received a complaint about an email hacking incident from one of the employees of the organization. As a part of the incident handling and response process, she must follow many recovery steps in order to recover from the incident impact and maintain business continuity. What is the first step that she must take to secure the employee's account?

Options:

A. Restore the email services and change the password
B. Enable two-factor authentication
C. Enable scanning of links and attachments in all the emails
D. Disable automatic file sharing between the systems

Question 35

An organization's customers are experiencing either slower network communication or unavailability of services. In addition, network administrators are receiving alerts from security tools such as IDS/IPS and firewalls about a possible DoS/DDoS attack. As a result, the organization requests that the incident handling and response (IH&R) team further investigate the incident. The IH&R team decides to use manual techniques to detect the DoS/DDoS attack. Which of the following commands helps the IH&R team to manually detect a DoS/DDoS attack?

Options:

A. netstat -r
B. nbtstat /c
C. netstat -an
D. nbtstat /S

Question 36

Which of the following is an attack that occurs when a malicious program causes a user's browser to perform an unwanted action on a trusted site for which the user is currently authenticated?

Options:

A. Cross-site scripting
B. Insecure direct object references
C. Cross-site request forgery
D. SQL injection

Question 37

An IT security analyst at a logistics firm is alerted to unusual outbound traffic originating from an employee's mobile device connected to the corporate VPN. Antivirus scans fail to remove the malware, indicating persistence. The organization cannot afford further data leakage. Which action should the incident handler take next?

Options:

A. Disable the SIM card.
B. Switch the device to airplane mode.
C. Perform a factory reset or reinstall the mobile OS.
D. Restrict background app refresh for social apps.

Question 38

In the lead-up to a major product launch, a technology company reviews its endpoint security strategy to safeguard intellectual property. What is the most essential element to incorporate into their incident response strategy for endpoints?

Options:

A. An employee training program focused on phishing defense
B. A dedicated crisis management team
C. A robust endpoint detection and response (EDR) system with automated response
D. Comprehensive encryption strategies for data at rest and in transit

Question 39

Which one of the following is the correct flow of the stages in an incident handling and response (IH&R) process?

Options:

A. Preparation -> Incident recording -> Incident triage -> Containment -> Eradication -> Recovery -> Post-incident activities
B. Containment -> Incident recording -> Incident triage -> Preparation -> Recovery -> Eradication -> Post-incident activities
C. Incident recording -> Preparation -> Containment -> Incident triage -> Recovery -> Eradication -> Post-incident activities
D. Incident triage -> Eradication -> Containment -> Incident recording -> Preparation -> Recovery -> Post-incident activities

Question 40

Which of the following options describes common characteristics of phishing emails?

Options:

A. Written in French
B. Sent from friends or colleagues
C. Urgency, threatening, or promising subject lines
D. No BCC fields

Question 41

After deploying a new application on Google Cloud Platform (GCP), a security engineer discovers that an unauthorized entity has been accessing the application's backend services. Which of the following measures should the engineer take first to address this security incident?

Options:

A. Review IAM roles and permissions for excessive access and tighten security controls.
B. Enable Google Cloud's Security Command Center to detect future threats.
C. Migrate the application services to a different GCP project with stronger security settings.
D. Use VPC Service Controls to create a secure perimeter around the affected services.

Question 42

Miko was hired as an incident handler in XYZ company. His first task was to identify the PING sweep attempts inside the network. For this purpose, he used Wireshark to analyze the traffic. What filter did he use to identify ICMP ping sweep attempts?

Options:

A. tcp.type == icmp
B. icmp.type == icmp
C. icmp.type == 8 or icmp.type == 0
D. udp.type == 7

Question 43

A ransomware attack recently disrupted operations at a manufacturing facility, specifically targeting its IoT-integrated conveyor system. While attempting to recover from the incident, the incident response team discovered that the available backups were incomplete: several critical sensor logs and control commands were missing, which caused delays in restoring device functions and syncing with other systems. The team concludes that relying on traditional backup routines alone is insufficient for restoring full IoT functionality after an attack. Which strategy would best prevent such issues in future recovery efforts?

Options:

A. Use long-term tape archival for all IoT firmware images.
B. Store historical sensor logs in compressed ZIP archives on shared drives.
C. Schedule periodic external hard drive backups for operator terminals.
D. Maintain synchronized cloud replicas of critical IoT resources.

Question 44

An organization implemented an encoding technique to eradicate SQL injection attacks. In this technique, if a user submits a request using a single quote and some values, the encoding technique converts it into numeric digits and letters ranging from a to f. This prevents the user request from performing an SQL injection attempt on the web application. Identify the encoding technique used by the organization.

Options:

A. Unicode encoding
B. Base64 encoding
C. Hex encoding
D. URL encoding

Question 45

A colleague wants to minimize their security responsibility because they are in a small organization. They are evaluating a new application that is offered in different forms. Which form would result in the least amount of responsibility for the colleague?

Options:

A. On-prem installation
B. SaaS
C. IaaS
D. PaaS

Question 46

An international insurance provider observed a sharp rise in endpoint infections across geographically dispersed offices. The IR team correlated the infections with recent access to a series of trusted informational websites visited during routine research activities. After cross-referencing network telemetry and endpoint logs, analysts uncovered that these sites had been covertly altered by threat actors to include obfuscated scripts that launched on page render. Upon visiting the tampered content, a series of exploit chains were executed, targeting unpatched vulnerabilities in rendering engines of commonly used client applications. The malicious code was injected directly into volatile memory, allowing the payload to operate stealthily without initiating file creation events or prompting user interaction. Security tools failed to detect the compromise in real time due to the absence of conventional indicators such as user-triggered executions or external file transfers. Which web-based malware delivery technique is MOST consistent with the described attack?

Options:

A. Spam email propagation using malicious file attachments disguised as legitimate documents
B. Search engine poisoning using black hat search engine optimization
C. Drive-by download attacks that exploit vulnerabilities
D. Malvertising via poisoned ad banners embedded in third-party ad-serving platforms

Question 47

ZYX company experienced a DoS/DDoS attack on their network. Upon investigating the incident, they concluded that the attack is an application-layer attack. Which of the following attacks did the attacker use?

Options:

A. Slowloris attack
B. UDP flood attack
C. SYN flood attack
D. Ping of death

Question 48

Which of the following email security tools can be used by an incident handler to protect the organization against evolving email threats?

Options:

A. Email Header Analyzer
B. G Suite Toolbox
C. MxToolbox
D. Gpg4win

Question 49

Which of the following information security personnel handles incidents from both a management and a technical point of view?

Options:

A. Network administrators
B. Incident manager (IM)
C. Threat researchers
D. Forensic investigators

Question 50

Which of the following risk mitigation strategies involves executing controls to reduce the risk factor and bring it to an acceptable level, or accepting the potential risk and continuing to operate the IT system?

Options:

A. Risk assumption
B. Risk avoidance
C. Risk planning
D. Risk transference

Question 51

A malicious, security-breaking program is disguised as a useful program. Such executable programs, which are installed when a file is opened, allow others to control a user's system. What is this type of program called?

Options:

A. Trojan
B. Worm
C. Virus
D. Spyware

Question 52

Alice is a disgruntled employee. She decided to acquire critical information from her organization for financial benefit. To accomplish this, Alice started running a virtual machine on the same physical host as her victim's virtual machine and took advantage of shared physical resources (processor cache) to steal data (cryptographic key/plain text secrets) from the victim machine. Identify the type of attack Alice is performing in the above scenario.

Options:

A. Side channel attack
B. Service hijacking
C. SQL injection attack
D. Man-in-the-cloud attack

Question 53

NeuroNet, a pioneer in neural network research, identified an insider siphoning off critical research data. Post-investigation revealed employee dissatisfaction as the motive. To minimize such threats in the future, which measure should NeuroNet prioritize?

Options:

A. Restrict all employees from accessing research data unless explicitly authorized.
B. Conduct monthly one-on-one sessions between employees and HR.
C. Implement a robust Data Loss Prevention (DLP) system.
D. Introduce an anonymous feedback system for employees.

Question 54

Eric works as an incident handler at Erinol software systems. He was assigned a task to protect the organization from any kind of DoS/DDoS attacks. Which of the following tools can be used by Eric to achieve his objective?

Options:

A. Incapsula
B. Hydra
C. IDA
D. Wireshark

Question 55

In which of the following confidentiality attacks do attackers try to lure users by posing as an authorized AP by beaconing the WLAN's SSID?

Options:

A. Evil twin AP
B. Session hijacking
C. Honeypot AP
D. Masquerading

Question 56

Which of the following port scanning techniques involves resetting the TCP connection between client and server abruptly before completion of the three-way handshake signals, making the connection half-open?

Options:

A. Null scan
B. Full connect scan
C. Stealth scan
D. Xmas scan

Question 57

A regional airport recently upgraded its operations with smart IoT-based baggage handling and security camera systems. During a routine cyber resilience drill mimicking device disruption, operational staff experienced confusion in executing assigned duties and lacked clarity in the communication flow. There was uncertainty about who should engage with third-party vendors, how to retrieve diagnostic logs from affected systems, and which units required priority attention to maintain continuity. Which of the following would best address these preparedness gaps?

Options:

A. Automate alerts for anomalous activity across the IoT network using monitoring tools
B. Schedule periodic firmware patching for vulnerable IoT endpoints
C. Conduct realistic simulations and clearly document responsibilities for each stakeholder
D. Transition critical airport infrastructure to a fallback manual mode during emergency events

Question 58

If a hacker cannot find any other way to attack an organization, they can influence an employee or a disgruntled staff member. What type of threat is this?

Options:

A. Phishing attack
B. Insider attack
C. Footprinting
D. Identity theft

Question 59

Identify the malicious program that is masked as a genuine harmless program and gives the attacker unrestricted access to the user's information and system. These programs may unleash dangerous programs that may erase the unsuspecting user's disk and send the victim's credit card numbers and passwords to a stranger.

Options:

A. Worm
B. Adware
C. Virus
D. Trojan

Question 60

Michael is a part of the computer incident response team of a company. One of his responsibilities is to handle email incidents. The company receives an email from an unknown source, and one of the steps that he needs to take is to check the validity of the email. Which of the following tools should he use?

Options:

A. Zendio
B. Email Dossier
C. Yesware
D. G Suite Toolbox

Questions 61

Joseph is an incident handling and response (IH&R) team lead in Toro Network Solutions Company. As a part of IH&R process, Joseph alerted the service providers,

developers, and manufacturers about the affected resources.

Identify the stage of IH&R process Joseph is currently in.

Options:

A.  

Eradication

B.  

Containment

C.  

Incident triage

D.  

Recovery

Questions 62

Meera, part of the Incident Handling & Response (IH&R) team, identifies an ongoing phishing campaign targeting internal employees. She immediately circulates an organization-wide alert, warning staff not to engage with the suspicious email. Along with the alert, she provides visual cues and instructions on how to recognize similar phishing threats in the future. Her goal is to prevent further damage and strengthen employee awareness. What additional action would best align with Meera’s eradication efforts?

Options:

A.  

Installing anti-DDoS tools

B.  

Sharing threat details with security forums

C.  

Issuing server restart commands

D.  

Deleting user accounts

Questions 63

A cloud security analyst identifies a complex multi-vector attack targeting cloud-hosted applications (DDoS + phishing + malware infiltration). In cloud incident handling, what is the most critical challenge to overcome to respond effectively?

Options:

A.  

Ensuring compliance with financial industry regulations while responding.

B.  

Communicating effectively with the cloud service provider to understand scope.

C.  

Differentiating between legitimate traffic and attack traffic to minimize disruption.

D.  

Coordinating response efforts across different cloud services and platforms.

Questions 64

After containing a data compromise that disrupted operations across multiple departments, a global consulting enterprise launched a formal retrospective involving cybersecurity leads, infrastructure managers, legal advisors, and executive stakeholders. The initiative involved constructing a detailed timeline of incident-handling activities, evaluating decision pathways, identifying coordination breakdowns, and recommending actionable improvements to mitigate future occurrences. The review emphasized a no-blame culture, aiming to refine strategic playbooks and organizational readiness based on empirical evidence and shared insights. Which post-incident activity is primarily being executed in this scenario?

Options:

A.  

Performing a postmortem to analyze root causes and operational effectiveness

B.  

Reclassifying the event to a lower severity level based on final impact

C.  

Notifying third-party vendors to begin external disclosure processes

D.  

Creating an updated containment checklist based on asset inventory logs

Questions 65

Employee monitoring tools are mostly used by employers to find which of the following?

Options:

A.  

Lost registry keys

B.  

Conspiracies

C.  

Malicious insider threats

D.  

Stolen credentials

Questions 66

Jason, a cybersecurity analyst in the incident response team, begins investigating several complaints from employees who received emails urgently requesting wire transfers to an overseas account. The emails appeared to come from the company’s CEO, using a tone of authority and pressure to bypass standard procedures. Upon closer inspection, Jason identifies that the sender's email address includes a minor alteration in the domain name—a form of domain spoofing. He examines the email headers, confirms the falsified sender identity, and cross-checks with the actual CEO’s activity logs to ensure there was no internal compromise. Immediately, Jason blocks the sender’s IP address at the firewall level, alerts the finance department to prevent any unauthorized transactions, and issues a company-wide advisory about the impersonation attempt. What type of phishing is Jason handling?

Options:

A.  

Whaling

B.  

Mail bombing

C.  

Credential stuffing

D.  

Spimming

Questions 67

Chandler is a professional hacker who is targeting the Technote organization. He wants to obtain important organizational information that is being transmitted between different hierarchies. In the process, he is sniffing the data packets transmitted through the network and then analyzing them to gather packet details such as network, ports, protocols, devices, issues in network transmission, and other network specifications. Which of the following tools must Chandler employ to perform packet analysis?

Options:

A.  

BeEF

B.  

IDA Pro

C.  

Omnipeek

D.  

shARP

Questions 68

EduTech University noticed unauthorized access to student records, including academic and financial details. As the semester's examinations approached, there were concerns about potential leaks or manipulations of question papers. In this complex digital scenario, what is the optimal step for the first responder?

Options:

A.  

Capture logs from the academic servers, focusing on recent access and modifications.

B.  

Collaborate with faculty to develop alternative exam papers as a backup.

C.  

Isolate the academic systems, ensuring the integrity of upcoming examinations.

D.  

Notify students and staff, urging them to change their university portal passwords.

Questions 69

Which of the following techniques helps incident handlers detect a man-in-the-middle attack by finding new APs and trying to connect to an already established channel, even if the spoofed AP has IP and MAC addresses similar to those of the original AP?

Options:

A.  

Wireless client monitoring

B.  

Network traffic monitoring

C.  

General wireless traffic monitoring

D.  

Access point monitoring

Questions 70

Nervous Nat often sends emails with screenshots of what he thinks are serious incidents, but they always turn out to be false positives. Today, he sends another screenshot, suspecting a nation-state attack. As usual, you go through your list of questions, check your resources for information to determine whether the screenshot shows a real attack, and determine the condition of your network. Which step of IR did you just perform?

Options:

A.  

Recovery

B.  

Preparation

C.  

Remediation

D.  

Detection and analysis (or identification)

Questions 71

A national research agency was recently subjected to a comprehensive cybersecurity compliance audit. During the audit, reviewers evaluated how the agency's incident response unit manages harmful code samples during investigations. The assessment revealed that team members often interacted with dangerous file payloads directly on enterprise-connected systems used for general operations. Furthermore, no precautionary renaming was applied to prevent accidental triggering, and sensitive materials were placed in areas accessible by non-specialized personnel. The auditors flagged these practices as severely noncompliant with safe sample processing protocols and recommended urgent changes to prevent operational fallout or accidental outbreaks. Which best practice for secure handling of malicious code was most clearly disregarded in this case?

Options:

A.  

Storing malware samples with non-executable file extensions in isolated environments.

B.  

Encrypting all malware sample files using symmetric encryption.

C.  

Create vulnerability documentation for each malware sample to support threat profiling and archival.

D.  

Tagging malware sample files with platform-specific behavior indicators for improved categorization.

Questions 72

SWA Cloud Services added PKI as one of their cloud security controls. What does PKI stand for?

Options:

A.  

Private key infrastructure

B.  

Private key information

C.  

Public key information

D.  

Public key infrastructure

Questions 73

In which of the following stages of the incident handling and response (IH&R) process do the incident handlers try to find out the root cause of the incident along with the threat actors behind the incidents, threat vectors, etc.?

Options:

A.  

Post-incident activities

B.  

Incident triage

C.  

Evidence gathering and forensics analysis

D.  

Incident recording and assignment

Questions 74

Ella, a wireless network administrator, notices multiple authentication failures and reports of users being disconnected from a corporate Wi-Fi network. Upon investigation, she identifies an unauthorized access point broadcasting the same SSID as the legitimate network. What is the most likely issue Ella is facing?

Options:

A.  

Evil twin attack

B.  

Network misconfiguration

C.  

MAC address spoofing

D.  

Rogue DHCP server

Questions 75

Ethan, an incident handler, reviews traffic logs showing abnormal connections from internal devices to high-risk external domains. He traces these back to a misconfigured IoT device using outdated firmware. What kind of indicator was key in identifying the issue?

Options:

A.  

Large ICMP payloads

B.  

Unauthorized ARP broadcast

C.  

Suspicious outbound connections

D.  

Incorrect DNS caching

Questions 76

Emma, a senior security engineer at a technology firm, discovered during a routine audit that several employees had been granted administrative access to sensitive systems, even though their roles did not require such access rights. One of these employees later accessed restricted financial data and attempted to modify audit logs. Which insider threat eradication measure would have best prevented this incident?

Options:

A.  

User and Entity Behavior Analytics (UEBA)

B.  

Principle of Least Privilege through access controls

C.  

Enhanced password policy

D.  

Network segmentation

Questions 77

The following steps describe the key activities in forensic readiness planning:

1. Train the staff to handle the incident and preserve the evidence

2. Create a special process for documenting the procedure

3. Identify the potential evidence required for an incident

4. Determine the source of the evidence

5. Establish a legal advisory board to guide the investigation process

6. Identify if the incident requires full or formal investigation

7. Establish a policy for securely handling and storing the collected evidence

8. Define a policy that determines the pathway to legally extract electronic evidence with minimal disruption

Identify the correct sequence of steps involved in forensic readiness planning.

Options:

A.  

2-->3-->1-->4-->6-->5-->7-->8

B.  

3-->4-->8-->7-->6-->1-->2-->5

C.  

3-->1-->4-->5-->8-->2-->6-->7

D.  

1-->2-->3-->4-->5-->6-->7-->8

Questions 78

Dash wants to perform a DoS attack over 256 target URLs simultaneously.

Which of the following tools can Dash employ to achieve his objective?

Options:

A.  

HOIC

B.  

IDA Pro

C.  

OllyDbg

D.  

OpenVAS

Questions 79

In response to suspicious communications originating from executive accounts, the organization's response team traced the root cause to spoofed identity relays exploiting unsecured DNS entries. The attack had triggered internal alerts but required deeper remediation to eliminate recurring forged message injections and restore the integrity of interdepartmental mail routing. What action reflects an appropriate eradication strategy in this context?

Options:

A.  

Requesting legal review of communication failures post-incident

B.  

Investigating the delay in threat detection due to analysis

C.  

Sharing phishing indicators with external peer communities

D.  

Strengthening SPF, DKIM, and DMARC configurations

Questions 80

Your company sells SaaS, and your company itself is hosted in the cloud (using it as a PaaS). In case of a malware incident in your customer's database, who is responsible for eradicating the malicious software?

Options:

A.  

Your company

B.  

Building management

C.  

The PaaS provider

D.  

The customer

Questions 81

Which of the following is a volatile evidence collecting tool?

Options:

A.  

Netstat

B.  

HashTool

C.  

FTK Imager

D.  

ProDiscover Forensics

Questions 82

Daniel, a system administrator, was discovered accessing encrypted project files that had no relevance to his job responsibilities. A security audit revealed that his account had unrestricted access to all file servers, and there were no alerts or enforcement mechanisms in place to block or flag such access. Which countermeasure should have been in place to prevent this abuse?

Options:

A.  

Manual surveillance at workstations

B.  

Strictly configured personal firewall rules

C.  

Disabling the use of removable media

D.  

User segmentation through Zero Trust access

Questions 83

Johnson, an incident handler, is working on a recent web application attack faced by the organization. As part of this process, he performed data preprocessing in order to analyze and detect the watering hole attack. He preprocessed the outbound network traffic data collected from firewalls and proxy servers and started analyzing the user activities within a certain time period to create time-ordered domain sequences to perform further analysis on sequential patterns.

Identify the data-preprocessing step performed by Johnson.

Options:

A.  

Filtering invalid host names

B.  

Identifying unpopular domains

C.  

Host name normalization

D.  

User-specific sessionization

Questions 84

Identify the network security incident where intended or authorized users are prevented from using systems, networks, or applications by flooding the network with a high volume of traffic that consumes all existing network resources.

Options:

A.  

XSS attack

B.  

Denial-of-service

C.  

URL manipulation

D.  

SQL injection

Questions 85

A cloud service provider’s IH&R team faces huge volumes of cloud-native logs after anomalous activity. To ensure swift and effective incident triage, what should be the primary course of action?

Options:

A.  

Implement an incident response automation/orchestration tool for cloud environments to correlate logs and prioritize alerts.

B.  

Immediately isolate all affected cloud instances regardless of customer impact.

C.  

Notify all clients to back up data and prepare for disruptions.

D.  

Focus only on cloud-native logging, ignoring third-party logging tools.

Questions 86

An organization named Sam Morison Inc. decided to use cloud-based services to reduce the cost of their maintenance. They first identified various risks and threats associated with cloud adoption and migrating critical business data to third-party systems. Hence, the organization decided to deploy cloud-based security tools to prevent upcoming threats. Which of the following tools would help the organization to secure cloud resources and services?

Options:

A.  

Nmap

B.  

Alert Logic

C.  

Burp Suite

D.  

Wireshark

Questions 87

Which of the following is not called volatile data?

Options:

A.  

Open sockets or open ports

B.  

The date and time of the system

C.  

Creation dates of files

D.  

State of the network interface

Questions 88

Adam is an incident handler who intends to use the DBCC LOG command to analyze a database and retrieve the active transaction log files for the specified database. The syntax of the DBCC LOG command is DBCC LOG(<database name>, <output>), where the output parameter specifies the level of information an incident handler wants to retrieve. If Adam wants to retrieve the full information on each operation along with the hex dump of a current transaction row, which of the following output parameters should Adam use?

Options:

A.  

2

B.  

3

C.  

4

D.  

1

Questions 89

Which of the following tools helps incident handlers to view the file system, retrieve deleted data, perform timeline analysis, web artifacts, etc., during an incident response process?

Options:

A.  

Autopsy

B.  

netstat

C.  

Process Explorer

D.  

nbtstat

Questions 90

After a successful exploitation attempt, a university web server started exhibiting anomalies such as high server load, random form submission errors, and repeated spam complaints. Hosting providers flagged the domain as suspicious and disabled the web application. The IH&R team discovered new unknown files within the web root directory. Which action would be most appropriate to contain the incident and avoid further damage?

Options:

A.  

Perform a scan to identify injection points and isolate the affected component from the network.

B.  

Reconfigure form validations for improved user experience.

C.  

Run a stress test to ensure hosting capacity is sufficient.

D.  

Immediately re-enable the application after restoring from backup.

Questions 91

MegaHealth, a global healthcare provider, experienced a sudden malfunction in its MRI machines. Investigations revealed malware that tweaked MRI results and communicated with an external command-and-control server. With tools like an advanced endpoint protection system and a network monitor, what should be the first step?

Options:

A.  

Inform the patients about a potential compromise of their data.

B.  

Use the network monitor to identify and block the C&C server communication.

C.  

Update the MRI machines' firmware and software.

D.  

Deploy the endpoint protection on MRI machines to detect and halt the malware.
