Practice Exam ยท Chapters 95โ€“101

Exam: Security Operations

Endpoint Security ยท IAM ยท Access Controls ยท MFA ยท Password Security ยท Scripting & Automation ยท Incident Response โ€” 20 scored questions + 2 scenario questions.

Chapters 95โ€“101 Practice Exam
๐Ÿ“ 20 scored questions โฑ๏ธ 25-minute target ๐ŸŽฏ Pass threshold: 80% (16/20)
Time remaining
25:00
Part A โ€” Multiple Choice (Questions 1โ€“20)
Ch 95 ยท Endpoint Security
Question 1 of 20
A company requires every device to pass a security health check โ€” current OS patches, active antivirus, enabled host firewall โ€” before connecting to the internal network. Devices that fail are redirected to a quarantine VLAN where they can self-remediate and re-request access. Which security control performs this pre-access health evaluation?
โœ… A โ€” NAC posture assessment. Network Access Control evaluates endpoint health at the network boundary before granting access. The key characteristics: (1) defined policy specifying required security states (patch level, AV status, firewall state), (2) automated pre-access check, (3) compliant devices receive normal access, non-compliant devices are quarantined to a remediation VLAN. EDR monitors for malicious behavior after a device is already on the network. Host-based IPS inspects traffic at the device level. UBA monitors user behavioral patterns, not device health posture at connection time.
Ch 95 ยท Endpoint Security
Question 2 of 20
A security analyst investigates an alert: a Microsoft Word process (winword.exe) spawned a command shell (cmd.exe), which then connected to an external IP address and downloaded a file. Traditional antivirus did not flag anything because the malware binary was new and had no known signature. Which technology detected this attack, and what method did it use?
โœ… B โ€” EDR behavioral analysis. EDR detected the suspicious parent-child process relationship: a Word document (winword.exe) spawning a command shell (cmd.exe) is not normal word processor behavior. EDR systems monitor process trees and apply machine learning models trained on attacker techniques to identify malicious behavior patterns โ€” no prior signature is required. Signature-based AV would miss any new binary not yet in its database. Network IPS could block the outbound connection but cannot detect the initial macro execution. FIM monitors file changes to specifically monitored files, not process relationships. The parent-child process chain is the classic macro malware indicator that EDR behavioral analysis catches.
Ch 95 ยท Endpoint Security
Question 3 of 20
A security platform aggregates telemetry from endpoint agents, network traffic sensors, cloud workload logs, and identity provider authentication records. When a user account logs in from an unusual geographic location, immediately accesses hundreds of files on a file server, then uploads data to an external cloud storage service, the platform correlates these three events across all three domains into a single high-priority alert. Which technology is this?
โœ… C โ€” XDR (Extended Detection and Response). XDR extends EDR by aggregating telemetry from multiple security domains โ€” endpoints, network, cloud, and identity โ€” into a single platform. Its defining value: detecting multi-stage attacks where each individual event looks benign in isolation but reveals a clear threat when correlated across domains. An unusual login (identity domain) + mass file access (endpoint/file domain) + external upload (cloud/network domain) tells the attacker story only when correlated. Standard EDR sees only the endpoint. A SIEM can also aggregate multi-source logs but typically requires manually written correlation rules and analyst effort; XDR applies automated cross-domain correlation as a core capability.
Ch 96 ยท Identity & Access Management
Question 4 of 20
An employee transfers from Finance to HR โ€” their Finance access is never removed. Six months later they also receive IT department access for a project. They now have accumulated access to Finance, HR, and IT resources, far exceeding what their current role requires. What IAM problem does this represent, and what is the formal term?
โœ… D โ€” Access creep (privilege creep). Access creep is the progressive accumulation of permissions across multiple role transitions without corresponding deprovisioning of obsolete access. The employee was never stripped of Finance access when they moved to HR, then gained additional IT access. Proper lifecycle management requires both provisioning (granting new role access) and deprovisioning (removing old role access) at each transition. An orphaned account is specifically an account for a user who has departed the organization entirely and was never disabled. Identity proofing relates to verifying identity before initial account creation. Provisioning errors relate to incorrect initial grants, not the accumulation pattern over time.
Ch 96 ยท Identity & Access Management
Question 5 of 20
An HR department verifies a new hire's identity through three sequential steps: (1) collecting their name and employee ID to uniquely identify them in the system; (2) checking their government-issued ID against an authoritative government database to confirm it is genuine and belongs to this specific person; (3) having the HR manager formally document and sign off that identity verification was completed correctly. These three steps correspond to which identity proofing stages?
โœ… A โ€” Resolution, validation, and attestation. Identity proofing consists of three stages: Resolution โ€” collecting sufficient uniquely identifying information (name, employee ID, SSN) to uniquely identify this specific individual; Validation โ€” verifying that the collected information is genuine using authoritative sources (checking the government ID against a government database); Attestation โ€” a qualified party formally confirming and documenting that identity verification was successfully completed. These stages ensure the identity being provisioned belongs to the actual person before any account or access is created. AAA (Authentication, Authorization, Accounting) is an access control framework for runtime access decisions, not an identity proofing process.
Ch 96 ยท Identity & Access Management
Question 6 of 20
A directory administrator needs to locate a specific user object in the LDAP directory. The user is Alice Chen, in the Marketing Organizational Unit, at Globex Corporation, in the United States. What type of LDAP identifier uniquely specifies this user's complete location in the directory tree?
โœ… B โ€” Distinguished Name (DN). A Distinguished Name uniquely identifies an object by specifying its complete path through the Directory Information Tree (DIT), listing all container objects from the leaf object up to the root: CN=Alice Chen,OU=Marketing,O=Globex Corporation,C=US. The Common Name (CN) only identifies the object within its immediate parent container โ€” another Alice Chen in a different OU would have the same CN but a different DN. The DN is the globally unique identifier in LDAP. A Relative Distinguished Name (RDN) is the single-level identifier (e.g., CN=Alice Chen) relative to its parent; the full DN is the concatenation of all RDNs from leaf to root.
Ch 97 ยท Access Controls
Question 7 of 20
A government agency operates a classified system where data is labeled Confidential, Secret, or Top Secret. Users are assigned clearance levels and access is granted only when the user's clearance level meets or exceeds the data's classification. The system administrator assigns all labels; users cannot modify any label even on files they personally created. Which access control model is in use?
โœ… C โ€” Mandatory Access Control (MAC). MAC is the government/military classified information model. The defining characteristic: the OS enforces access based on classification labels assigned by administrators to both subjects (users, clearance levels) and objects (files, classification levels). Users cannot modify labels on any resource โ€” even files they created. Access is granted when the subject's clearance level meets or exceeds the object's classification level. DAC lets the resource owner control permissions. RBAC uses group membership. ABAC evaluates multiple simultaneous attributes. MAC's inability to let users change labels is the core security property that prevents unauthorized declassification.
Ch 97 ยท Access Controls
Question 8 of 20
A healthcare organization's access control system evaluates a doctor's access to patient records based on five factors simultaneously: (1) their role (physician vs. administrative staff), (2) whether the patient is currently assigned to them, (3) time of day (no access between midnight and 6 AM), (4) network source (hospital VPN required), and (5) the operation type (read vs. write). Access decisions change dynamically whenever any factor changes. Which access control model is this?
โœ… D โ€” Attribute-Based Access Control (ABAC). ABAC is the next-generation model that evaluates multiple attributes simultaneously from three categories: subject attributes (who is asking: physician role, specific patient assignment), environment attributes (under what conditions: time, network), and action attributes (what they want to do: read vs. write). Access decisions are context-aware and dynamic โ€” a doctor who normally has access is denied at midnight or on public Wi-Fi. RBAC uses only role membership. Rule-Based uses conditions but typically lacks the simultaneous multi-category evaluation ABAC provides. ABAC is the most flexible and granular model, used in zero-trust architectures and healthcare systems where context dramatically changes appropriate access.
Ch 97 ยท Access Controls
Question 9 of 20
An employee creates a shared folder on their workstation and adds specific colleagues to the permission list. Later, without consulting IT or management, they share the folder with a third colleague they trust. Which access control model is this, and what is its primary security weakness?
โœ… A โ€” Discretionary Access Control (DAC). DAC is the default model in most commercial operating systems โ€” the resource owner controls who can access their resources. The primary weakness: security depends entirely on each owner making correct decisions. Owners may not understand data sensitivity, may share for convenience, or may trust people they shouldn't. In this scenario, the employee exercised their DAC right to share โ€” no IT approval, no oversight. MAC directly addresses this by removing the owner's ability to change access labels. RBAC uses centrally-managed groups. DAC's simplicity (any owner can share) is also its fundamental security vulnerability.
Ch 98 ยท Multifactor Authentication
Question 10 of 20
A government system's authentication requires users to present a physical card with an embedded microprocessor containing cryptographic keys and certificates, plus enter a PIN. The card is useless without the PIN; the PIN is useless without the card. Which two authentication factors does this combine, and why does it qualify as true MFA?
โœ… B โ€” Smart card (something you have) + PIN (something you know). True MFA requires factors from two or more DIFFERENT categories. A smart card is a physical device with an embedded cryptographic microprocessor โ€” it is something you have. The PIN is knowledge you carry mentally โ€” it is something you know. This is the government PIV/CAC model. The security logic: a stolen card without the PIN is useless (possession compromised, knowledge intact); a stolen PIN without the card is useless (knowledge compromised, possession intact). Both independent factors must be simultaneously available to authenticate, which is the essence of MFA. Two passwords would be two-factor but not true MFA because both are knowledge factors.
Ch 98 ยท Multifactor Authentication
Question 11 of 20
A penetration tester convinces a mobile carrier to transfer a target's phone number to an attacker-controlled SIM. The attacker then uses the target's phished password to initiate login. The system sends a one-time code via SMS; the attacker receives it on the compromised SIM and successfully authenticates. Which MFA factor was bypassed, and what stronger alternative would have been resistant to this attack?
โœ… C โ€” SMS OTP (something you have) bypassed via SIM swapping. SMS OTP is categorized as "something you have" because it requires control of the registered phone number. SIM swapping transfers the phone number to an attacker-controlled SIM, effectively transferring the possession factor without physically stealing the device. A FIDO2/WebAuthn security key is immune to SIM swapping because: (1) it is a physical hardware device that must be present, (2) it uses cryptographic challenges that are domain-specific โ€” a response valid at site A is not valid at site B, and (3) there is no phone number or carrier to hijack. SMS OTP is the weakest "something you have" factor specifically because phone number portability creates the SIM swap attack surface.
Ch 98 ยท Multifactor Authentication
Question 12 of 20
A biometric fingerprint system reports a False Acceptance Rate (FAR) of 0.01% and a False Rejection Rate (FRR) of 5%. What do these metrics mean in operational terms, and which metric represents the security risk vs. the usability issue?
โœ… D โ€” FAR is the security metric; FRR is the usability metric. FAR (False Acceptance Rate) measures how often the system wrongly grants access to an impostor โ€” the security failure. A 0.01% FAR means 1 in 10,000 impostor attempts succeed; this is the security team's primary concern. FRR (False Rejection Rate) measures how often the system wrongly denies access to a legitimate user โ€” the usability failure. A 5% FRR means 1 in 20 legitimate authentication attempts fail; this frustrates users and helpdesk volume. The two rates have an inherent tradeoff: adjusting the sensitivity threshold to reduce false acceptances increases false rejections. The CER (Crossover Error Rate) is the sensitivity setting where FAR equals FRR, used to compare the overall accuracy of different biometric systems.
Ch 99 ยท Password Security
Question 13 of 20
An employee uses the same password for corporate email, personal Gmail, a banking account, and five other services. A breach at one small service exposes the password in plaintext. Attackers now systematically test the stolen credential against all major platforms. Successful logins are achieved at the corporate email and banking accounts within hours. What attack is this, and what technology would have prevented the multi-service compromise?
โœ… A โ€” Credential stuffing. Credential stuffing is the attack where stolen username/password pairs from one breach are automatically tested against other services โ€” automated at scale using breach databases. Password reuse is the vulnerability that makes this attack devastatingly effective: the same credential works across unrelated sites. A password manager prevents this by generating a unique, random, high-entropy password for every account; even if one service is breached, the exposed password is valid only there and cannot unlock any other account. The manager stores all unique passwords encrypted behind a master credential the user memorizes. This is a foundational defense against the credential stuffing attack model.
Ch 99 ยท Password Security
Question 14 of 20
An organization uses a privileged access solution where database administrator credentials are stored in a centralized vault. When a DBA needs to access a production database, they authenticate to the vault; the vault then establishes the session on their behalf. The DBA never sees the actual database password. After each session, the credential is automatically rotated so it cannot be reused. Which technology is this, and what is its key security property?
โœ… B โ€” Password vaulting. Password vaulting stores privileged account credentials in a secure vault. The defining characteristic: the human administrator never sees the actual password โ€” the vault proxies the session to the target system using the stored credential. Automatic rotation after each use ensures the password changes continuously, so a captured session cannot be replayed with a reused credential. This eliminates the shared privileged account problem and creates full audit trails of who accessed what systems and when. Just-in-time (JIT) permissions creates temporary ephemeral credentials for a specific task; vaulting protects and proxies the permanent (or regularly rotating) primary credential. An enterprise password manager stores passwords users retrieve and manually enter; vaulting prevents the user from ever seeing the credential.
Ch 99 ยท Password Security
Question 15 of 20
A user authenticates to their laptop using facial recognition. The laptop uses a TPM (Trusted Platform Module) chip to store a cryptographic private key, and Windows Hello to process the biometric scan. No password is entered at any point. Which authentication paradigm is this, and how does it provide MFA security without a traditional password?
โœ… C โ€” Passwordless authentication. Windows Hello uses biometric (something you are) to unlock a cryptographic private key stored in the TPM chip (something you have). This is true MFA โ€” two different factor categories โ€” without a traditional password. The security architecture: the private key is generated and stored inside the TPM and never leaves it; even the OS cannot extract it. Authentication works by the biometric unlocking TPM operations, and the private key signs a challenge proving identity. Passwordless authentication addresses systemic password problems: no password to reuse across sites, no password to phish, no password fatigue. The biometric + TPM combination is hardware-bound, phishing-resistant, and achieves MFA security without the credential management challenges of passwords.
Ch 100 ยท Scripting & Automation
Question 16 of 20
An organization's disk space monitoring script automatically clears temporary files whenever free space drops below 10%. Servers remain operational indefinitely. However, the root cause of excessive temporary file accumulation โ€” a misconfigured application writing unbounded temporary files โ€” is never investigated or fixed. Which scripting risk does this represent?
โœ… D โ€” Technical debt. Technical debt in automation occurs when scripts are used to suppress symptoms rather than fix root causes. The disk space script keeps servers running but defers the actual problem โ€” the misconfigured application accumulates temporary files indefinitely. Eventually, the temporary files may accumulate faster than the script can clear them, or new symptoms may emerge, and the team faces a much larger problem than they would have had if they investigated the root cause initially. Single point of failure describes the impact of automation failure, not root cause masking. Guard rails intercept unsafe operations before they execute; this script performs remediation after the condition arises. Ongoing supportability relates to maintenance burden as systems evolve.
Ch 100 ยท Scripting & Automation
Question 17 of 20
A technician attempts to delete a temporary folder but accidentally selects the entire application directory. Before the deletion executes, an automated system detects that the selected path contains files flagged as critical production components and blocks the operation. The technician has file-delete permissions on the system. What type of automation control is this?
โœ… A โ€” Guard rails. Guard rails are automated validation controls that intercept potentially dangerous operations and block them if they would cause harm. The critical distinction from access control: access controls determine WHO can perform an action; guard rails determine WHETHER a specific instance of that action is safe. The technician IS permitted to delete files โ€” permission is not the issue. The guard rail evaluates the specific action (deleting a path containing flagged critical files) and blocks it before execution. This is the automation equivalent of a "are you sure?" confirmation, except it is automated, policy-driven, and does not rely on human judgment at the moment of action. Guard rails prevent both human error and process drift by enforcing safety constraints at the action level.
Ch 101 ยท Incident Response
Question 18 of 20
According to NIST SP 800-61 Rev 2, what are the four phases of the incident response lifecycle in the correct order?
โœ… B โ€” NIST SP 800-61 four phases. The NIST SP 800-61 Rev 2 incident response lifecycle has exactly four phases: (1) Preparation โ€” building capabilities before incidents occur: policies, team, tools, training, go bag; (2) Detection and Analysis โ€” identifying that an incident has occurred, triaging, and understanding its scope; (3) Containment, Eradication, and Recovery โ€” stopping the spread, removing the threat, and restoring operations; (4) Post-Incident Activity โ€” lessons learned, documentation, process improvement. Common exam trap: confusing with the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover), which has five functions and is a risk management framework, not the incident response lifecycle model. NIST SP 800-61 is the incident handling specific document.
Ch 101 ยท Incident Response
Question 19 of 20
After confirming a successful intrusion, an incident response team identifies four tasks: (1) delete all malware files from compromised systems; (2) disable the specific user account the attacker exploited; (3) patch the vulnerability that enabled initial access; (4) restore production systems from verified clean backups. Which NIST phase do tasks 1, 2, and 3 belong to, and which does task 4 belong to?
โœ… C โ€” Eradication vs. Recovery, both within NIST Phase 3. NIST SP 800-61's third phase combines three sub-activities under one roof: Containment (stopping spread), Eradication (removing the threat), and Recovery (restoring operations). Tasks 1โ€“3 are eradication activities: deleting malware removes malicious code, disabling the exploited account closes the attacker's access path, patching the vulnerability removes the attack vector. Task 4 is a recovery activity: restoring from clean backups returns the system to a known-good state. The important exam distinction: both eradication and recovery occur within the same NIST phase (Phase 3), not in separate phases. The activities are sequential within the phase โ€” you eradicate before you recover to avoid restoring a system that will be immediately recompromised.
Ch 101 ยท Incident Response
Question 20 of 20
An incident response team holds its post-incident review meeting three weeks after the incident was fully resolved. Several team members no longer recall specific details โ€” when alerts first arrived, which actions were taken in what sequence, and what decisions were made in the heat of the incident. The timeline reconstruction is incomplete. What NIST SP 800-61 guidance did the team fail to follow?
โœ… D โ€” Post-incident meeting should be held as soon as possible after resolution. NIST SP 800-61 explicitly recommends conducting the post-incident review meeting as soon as possible after the incident is resolved, while memories are still fresh. The purpose is to reconstruct an accurate timeline, identify what went well, identify what should be improved, and produce actionable recommendations. Memory fades quickly: specific timestamps of alerts, exact sequence of decisions, and contextual details that explain why certain choices were made all degrade within days. Three weeks is too long. Well-conducted post-incident reviews directly improve the Preparation phase for the next incident โ€” they are not administrative formalities but core quality improvement mechanisms in the NIST IR lifecycle.
Part B โ€” Scenario Questions (unscored โ€” self-assess)
Ch 95โ€“97 ยท Scenario
Scenario Question A
A mid-sized financial company is investigating a security incident. A contractor's laptop connected to guest Wi-Fi bypassed the network policy because the NAC solution was configured to skip posture checks for guest-network devices. The contractor's account (a member of the Sales Representatives RBAC group with access to all 50,000 customer records) then accessed the internal CRM through VPN. An EDR alert fired at 3 AM showing the contractor's session downloading 50,000 customer records โ€” 10ร— their normal volume โ€” from an IP address that matches the contractor's known endpoint but at an atypical hour. The contractor denies any 3 AM activity.

Address: (1) What NAC configuration error created the initial risk, and what should have been enforced instead? (2) The EDR alert flagged unusual volume, but the session uses legitimate credentials from a known IP. What additional detection layer most directly applies, what anomaly category does this represent, and why is the known-IP argument insufficient? (3) The contractor's RBAC group has access to all 50,000 records because "Sales Representatives need full CRM access." What access control principle was violated, and which more granular model could have limited the blast radius of a compromised account?
1. NAC configuration error:

The error: guest-network devices were exempted from posture assessment. This defeats the entire purpose of NAC โ€” any device connecting to any network segment should be assessed against the organization's endpoint security policy before receiving access that could lead to internal systems. The contractor's laptop bypassed patch level, AV status, and firewall checks entirely.

What should have been enforced: posture assessment for all connecting devices regardless of the network they connect to. Guest and contractor devices should receive even more scrutiny, not less, because they are not under the organization's management. At minimum: a dissolvable NAC agent should have run a posture check at connection time and quarantined the laptop if it failed.

2. Detection layer, anomaly category, and the known-IP argument:

Detection layer: User Behavior Analytics (UBA). UBA establishes a behavioral baseline per account and generates alerts when current behavior significantly deviates โ€” wrong time (3 AM vs. normal business hours), wrong data volume (50,000 records vs. typical incremental access).

Anomaly category: Unexpected behavior โ€” the account is doing something a legitimate user with this profile would not do (3 AM, 10ร— volume, full database extraction). This is distinct from risky behavior (inherently dangerous action type) and unintentional (accident). Multiple simultaneous deviations from baseline strongly suggest credential compromise โ€” likely the contractor's credentials were stolen and an attacker in a different time zone is operating the session.

Known-IP argument is insufficient because: (1) if the contractor's endpoint was compromised (malware), the attacker operates from the contractor's physical device โ€” the IP is legitimate but the actor is not; (2) IP addresses can be spoofed or shared; (3) if the contractor's VPN credentials were stolen, an attacker could route traffic to appear to originate from an expected endpoint. Known IP confirms device location, not operator identity. UBA detects the behavioral anomaly that IP-based checks cannot.

3. Access control principle violated and better model:

Principle violated: Least privilege. The Sales Representatives RBAC group has access to the entire 50,000-record customer database because it was easier to grant blanket access than to define granular access. Least privilege requires that every account has only the access necessary for its specific job function โ€” a contractor performing analysis on a specific subset of customers should not have access to all customers.

Better model: ABAC (Attribute-Based Access Control) could limit access to: (1) only records assigned to the contractor's specific accounts (subject attribute), (2) only during business hours (environment attribute), (3) only read operations, not bulk export (action attribute). This would have reduced the blast radius from 50,000 records to the contractor's specific assigned portfolio โ€” even if the account were compromised, the attacker could only exfiltrate what the contractor was legitimately permitted to access under ABAC policies.
Ch 98โ€“101 ยท Scenario
Scenario Question B
An employee's corporate account is compromised via a two-stage attack: (1) a phishing email harvests the employee's password; (2) the attacker SIM-swaps the employee's phone number to intercept SMS-based MFA codes. The attacker accesses the corporate VPN, installs a persistence backdoor on two servers, and exfiltrates three months of financial planning files over four days. The IR team discovers the breach during routine log analysis on day five. The team immediately: deletes the backdoor files from the affected servers, disables the compromised employee account, patches the phishing-enabled vulnerability, and then rebuilds the two affected servers from verified clean backups. Three days later they hold a post-incident meeting where they find that some team members cannot recall exact alert timestamps or decision sequences from the response.

Address: (1) Which MFA vulnerability was exploited, and identify two phishing-resistant MFA alternatives that would have prevented the SIM swap bypass. (2) Map each of the team's four specific actions to the correct NIST SP 800-61 sub-activity (eradication or recovery) and explain the importance of completing eradication before recovery. (3) What is the specific risk of holding the post-incident meeting three days post-resolution rather than immediately, and what are the five categories of questions that NIST recommends the post-incident review address?
1. MFA vulnerability and phishing-resistant alternatives:

Vulnerability: SMS OTP is categorized as "something you have" because it requires control of the registered phone number. SIM swapping transfers the phone number to an attacker-controlled SIM โ€” this transfers the possession factor without any physical device theft. The carrier's social engineering was the attack vector; the vulnerability is that phone number portability creates an out-of-band mechanism to hijack the "something you have" factor.

Alternative 1: FIDO2/WebAuthn hardware security key. The key is cryptographically bound to the physical device โ€” there is no phone number or carrier to social-engineer. The challenge-response is domain-specific: a response valid at corporatevpn.com cannot be replayed at a phishing site. SIM swapping is irrelevant because the possession factor is a hardware USB/NFC key, not a phone number.

Alternative 2: Authenticator app (TOTP) with device-binding. A software TOTP app (Microsoft Authenticator, Google Authenticator) generates codes from a shared seed stored on the physical device. Unlike SMS, the code delivery does not involve the carrier โ€” there is no SIM to swap. The attacker would need physical access to the registered smartphone to intercept TOTP codes. This is significantly stronger than SMS OTP against SIM swapping.

2. NIST eradication vs. recovery mapping:

Eradication actions (removing the threat):
โ€ข Delete backdoor files โ†’ eradication: removes the attacker's installed persistence mechanism from the environment
โ€ข Disable compromised employee account โ†’ eradication: closes the attacker's authenticated access path
โ€ข Patch the phishing-enabled vulnerability โ†’ eradication: removes the initial attack vector to prevent re-exploitation

Recovery actions (restoring normal operations):
โ€ข Rebuild servers from verified clean backups โ†’ recovery: restores the two affected servers to a known-good operational state

Why eradication must precede recovery: If the team rebuilds from backup before deleting the backdoor, the rebuilt server may reintroduce clean OS/application state but the attacker still has the compromised credentials and the unpatched vulnerability. The attacker could immediately recompromise the newly rebuilt server using the same attack path. Eradication ensures the environment is clean before recovery โ€” you restore into a secured, hardened environment, not back into the same compromised state.

3. Post-incident meeting timing and NIST questions:

Specific risk of waiting three days: Memory fades quickly and non-linearly. Specific timestamps of when alerts arrived, exact decision sequences under time pressure, and contextual details explaining why specific choices were made all degrade within 24โ€“72 hours. Three days is at the edge of useful recall for a complex multi-day incident. The resulting post-incident report will have gaps, incorrect timelines, and missed root-cause observations โ€” producing weaker recommendations than an immediate review would have.

NIST SP 800-61 post-incident review questions:
1. Exactly what happened, and at what times? (Accurate timeline reconstruction)
2. How well did staff and management perform in dealing with the incident? (Performance assessment)
3. Were documented procedures followed, and were they adequate? (Process compliance and gap identification)
4. What information was needed sooner? (Detection and communication gaps)
5. What would be done differently next time? (Actionable improvement recommendations for the Preparation phase)

The findings feed directly back into the Preparation phase โ€” improving policies, procedures, training, tools, and the incident go bag for the next incident.
โ† Back to Study Hub
โ€”
Pass threshold: 80% (16 / 20 correct)
โ† Back to Study Hub