Back to CompTIA Cybersecurity Analyst+ (CySA+)

Incident Response Management

Apply attack methodology frameworks, perform incident response, and understand the incident management lifecycle to handle security incidents effectively.

Covers attack methodology frameworks including cyber kill chains, diamond model of intrusion analysis, MITRE ATT&CK, OSSTMM, and OWASP testing guide. Includes performing incident response activities such as detection, analysis, containment, eradication, and recovery. Also covers the incident management life cycle including incident response plans, tools, playbooks, tabletop exercises, training, business continuity, disaster recovery, forensic analysis, and root cause analysis.
5 minutes 5 Questions

Incident Response (IR) Management acts as the operational backbone for a Cybersecurity Analyst, providing a structured framework to address security breaches effectively. In the context of CompTIA CySA+, this process closely adheres to the NIST SP 800-61 lifecycle, comprising four distinct phases: …

Concepts covered: Cyber Kill Chain framework, Diamond Model of Intrusion Analysis, MITRE ATT&CK framework, OSSTMM (Open Source Security Testing Methodology), OWASP Testing Guide, Incident detection and identification, Incident analysis and triage, Containment strategies, Eradication procedures, Recovery and restoration, Evidence preservation and chain of custody, Incident response plan development, Incident response tools and technologies, Playbooks and runbooks, Tabletop exercises, Incident response training, Business continuity planning, Disaster recovery procedures, Digital forensic analysis, Root cause analysis techniques, Post-incident review and lessons learned

Test mode:
Start practice test
CySA+ - Incident Response Management Example Questions

Test your knowledge of Incident Response Management

Question 1

An incident response team is performing eradication after discovering that attackers used compromised API keys to deploy malicious containers across a cloud environment. The team has revoked the compromised API keys, terminated malicious containers, and updated access control policies. Upon reviewing the eradication completeness, which additional action is essential to ensure thorough threat removal?

Correct Answer: Audit and rotate all API keys and secrets that may have been exposed or accessed during the compromise period

The correct answer is to audit and rotate all API keys and secrets that may have been exposed or accessed during the compromise period.

During an incident involving compromised API keys, attackers typically perform reconnaissance and lateral movement activities. This means they may have discovered, accessed, or exfiltrated other credentials and secrets beyond just the ones used in the initial attack. A thorough eradication process requires assuming that any credentials accessible to the compromised keys could also be compromised.

This approach follows the principle of assuming breach and taking comprehensive remediation steps rather than minimal ones. In cloud environments, API keys often have access to secrets managers, environment variables, or configuration files containing other credentials.

The option suggesting rotation of only the specific confirmed compromised keys is insufficient because it takes a narrow approach that fails to account for potential lateral movement and additional credential theft that may not have been detected during initial investigation.

The option about updating firewall rules addresses preventive controls and monitoring, which are valuable but fall under the recovery and lessons learned phases rather than completing the eradication of existing threats. Firewall rules don't remove compromised credentials that attackers may still possess.

The option about reviewing container orchestration logs is an important investigative activity for detection and analysis purposes, but it doesn't actively remove threats from the environment. Log review helps identify scope but doesn't constitute an eradication action itself.

For complete threat removal during eradication, the team must eliminate all potential persistence mechanisms, and rotating all potentially exposed credentials is essential to prevent attackers from regaining access using other secrets they may have obtained during the compromise.

Question 2

A security team is eradicating a breach where attackers compromised an organization's DNS infrastructure to redirect traffic and intercept credentials. The team has identified and removed malicious DNS records, restored legitimate configurations, and flushed DNS caches across the network. Post-eradication analysis shows that several internal applications continue to resolve domain names incorrectly. Which overlooked eradication element is most likely causing this continued issue?

Correct Answer: Cached DNS entries in local resolver caches on individual endpoints and application-level DNS caching mechanisms require additional clearing procedures

The correct answer relates to cached DNS entries on individual endpoints and application-level DNS caching mechanisms.

In this scenario, the security team has already flushed DNS caches across the network, but applications are still resolving domain names incorrectly. This indicates that the eradication effort missed additional caching layers.

DNS caching occurs at multiple levels:
1. Network-level DNS caches (which were addressed)
2. Operating system resolver caches on individual endpoints
3. Application-specific DNS caches (browsers, Java applications, and other software often maintain their own DNS caches)

Many applications cache DNS resolutions independently of the system DNS cache. For example, web browsers like Chrome and Firefox maintain their own internal DNS caches, and Java applications use the JVM's DNS caching mechanism. These application-level caches are not cleared when you flush the system DNS cache or network DNS caches.

The other options are less likely causes:

  • Zone transfer configuration issues would prevent secondary servers from receiving updates, but the question states that legitimate configurations have been restored, implying the records are correct on the servers themselves.

  • Compromised upstream DNS forwarders would be a concern, but this would affect new DNS queries rather than causing continued incorrect resolution after the primary infrastructure has been cleaned.

  • Reducing TTL values would help with future propagation speed, but it doesn't address why existing cached entries on endpoints and applications are still causing problems. TTL changes affect how long new entries are cached, not entries that are already cached.

Question 3

A security analyst is processing a threat intelligence report detailing an adversary's use of 'Registry Run Keys' to ensure malware execution upon system reboot. When mapping this observation into the MITRE ATT&CK framework to distinguish the technical method from the adversary's broader strategic intent, which classification accurately categorizes the 'Registry Run Keys' entry within the hierarchy?

Correct Answer: Identification of the registry modification as a Technique

The correct answer is the identification of the registry modification as a Technique.

In the MITRE ATT&CK framework, the hierarchy is structured as follows: Tactics represent the 'why' (the adversary's tactical goal), Techniques represent the 'how' (the way an adversary achieves a tactical goal), and Procedures represent the specific implementation (the specific commands or tools used).

Here is the step-by-step reasoning:
1. Tactic (Why): The broader strategic intent mentioned in the scenario is ensuring malware execution upon system reboot. This aligns with the 'Persistence' tactic, which involves maintaining access to a system across restarts.
2. Technique (How): The specific method described is using 'Registry Run Keys'. This is a known method to achieve Persistence. In MITRE ATT&CK, 'Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder' is a specific Technique (T1547.001).
3. Procedure (Specifics): The question does not provide the exact command-line arguments, specific registry values, or malware names used. Therefore, we contain the description at the Technique level.

Why the other answers are incorrect:
- Assignment of the high-level goal to the Persistence Tactic: While the goal is indeed Persistence, the question specifically asks for the classification of the 'Registry Run Keys' entry itself, which is the method (Technique), not the goal (Tactic).
- Extraction of the exact command parameters as a Procedure: The scenario describes the general method ('Registry Run Keys') but does not provide the granular details (e.g., 'reg add HKLM... /v Malware /d C:\evil.exe') required to classify it as a Procedure.
- Mapping of the specific artifact to a Data Component source: While registry keys are data sources/artifacts, the context of the question focuses on mapping the adversary's behavior within the Tactic/Technique/Procedure (TTP) structure, specifically distinguishing the technical method from the intent.

More Incident Response Management questions
421 questions (total)
Start 100 question test