1. According to NIST SP 800-61 Rev 2, what are the four phases of the incident response lifecycle in the correct order?
2. A security team assembles a pre-positioned incident response kit containing forensic laptops, removable media, forensic software, and digital cameras kept ready for deployment. What is this kit called, and which NIST IR lifecycle phase does it support?
3. During a malware incident, a responder isolates an infected system from the network to stop attacker communication. Immediately after isolation, the malware begins deleting critical files, destroying evidence. What specific challenge does this illustrate?
4. After confirming a successful intrusion, the incident response team identifies four tasks: (1) delete malware files; (2) disable the account used by the attacker; (3) patch the vulnerability that was exploited; (4) restore systems from clean backups. Which NIST phase do tasks 1, 2, and 3 belong to, and which does task 4 belong to?
5. An incident response team holds a post-incident review meeting three weeks after an incident was resolved. Several team members no longer remember specific details about when alerts were received or which actions were taken first. What post-incident meeting guidance does NIST SP 800-61 provide that the team failed to follow?
6. A security organization is evaluating two training options for its incident response team: (1) scheduled meetings where participants discuss hypothetical attack scenarios and make decisions without touching live systems; (2) realistic exercises where the technical team executes actual response procedures against a simulated attack in a test environment. What are these training methods called?
Matching: Incident Response Concepts
Match each concept (1–4) to its correct description (A–D).
1Sandbox
2File Integrity Monitoring (FIM)
3Critical file hash values
4Tabletop exercise
ACryptographic hashes of OS and application files prepared during the Preparation phase; used during incident analysis to determine whether critical files have been modified or replaced by malware
BAn isolated operating system environment where suspected malware can be safely executed and analyzed; reset or destroyed after analysis without affecting production systems
CA scenario-based discussion exercise where the IR team walks through a hypothetical incident and makes decisions without executing actions on live systems; low cost, suitable for management participation
DA detection tool that continuously monitors critical system files and configuration files, alerting when unauthorized changes are detected; a host-based indicator that attacker activity has modified the system