Chapter 102 · Quiz

Incident Planning — Quiz

Ten questions covering tabletop exercises, phishing simulations, root cause analysis methodology, threat hunting, and the differences between reactive intelligence and proactive hunting.

1. A security manager schedules a meeting where the incident response team discusses a ransomware scenario step by step, making decisions verbally without accessing any systems. What type of exercise is this, and what is its primary limitation?
2. During a phishing simulation, 35% of employees clicked the simulated link AND the phishing message bypassed the organization's email filtering entirely. What two failures does this result reveal?
3. An investigation concludes "the cause of the breach was a misconfigured firewall." A more thorough analyst asks why the firewall was misconfigured, discovering it was not reviewed because the change management process was bypassed due to time pressure. What root cause analysis failure does stopping at the first answer represent?
4. A threat hunter hypothesizes that a nation-state actor is using PowerShell running from unusual parent processes to move laterally. The hunter searches EDR telemetry and SIEM data for this pattern and finds no evidence. What value does this hunt produce even without finding a compromise?
5. A post-incident review identifies three contributing factors to a successful attack: an unpatched vulnerability, a user who clicked a phishing link, and a SIEM alert that was acknowledged but not investigated. The team patches the vulnerability and calls the review complete. What root cause analysis principle did the team violate?
6. Which statement correctly describes the relationship between threat intelligence and threat hunting?
Matching: Incident Planning Concepts

Match each concept (1–4) to its correct description (A–D).

1Tabletop exercise
2Phishing simulation
3Root cause analysis
4Threat hunting
AA proactive security discipline where analysts search for evidence of compromise or malicious activity that has not yet triggered any alert, using SIEM, EDR, and behavioral analytics
BA structured scenario discussion where IR team members make decisions verbally without executing actions on live systems; low cost and suitable for management participation
CA simulation that sends realistic lure messages to real users to measure click rates, credential submission, reporting behavior, and email filter effectiveness simultaneously
DA structured process for identifying the underlying causes of an incident by repeatedly asking why, avoiding blame, and producing fact-based recommendations that prevent recurrence