Incident Response Management for CompTIA CySA+
This page covers the Incident Response Management domain of the CompTIA CySA+ certification. Master Cybersecurity offers 90 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.
Sample Practice Questions
Question 1
Which of the following will most likely ensure that mission-critical services are available in the event of an incident?
- A. Business continuity plan
- B. Vulnerability management plan
- C. Disaster recovery plan
- D. Asset management plan
Explanation
The correct answer is: A. Business continuity plan.
A business continuity plan most likely ensures that mission-critical services remain available in the event of an incident because the BCP is specifically designed around continuity of operations during disruption, defining alternate processes, workarounds, and resource arrangements that keep critical services running. A vulnerability management plan reduces the population of weaknesses that could be exploited but does not address operational continuity once an event has occurred. A disaster recovery plan focuses on restoring IT services after a disaster, which is a related but narrower scope than the BCP's coverage of business operations as a whole. An asset management plan governs the inventory and lifecycle of assets and does not by itself maintain mission-critical service availability during an incident.
Question 2
An incident response team receives an alert to start an investigation of an internet outage. The outage is preventing all users in multiple locations from accessing external SaaS resources. The team determines the organization was impacted by a DDoS attack. Which of the following logs should the team review first?
- A. CDN
- B. Vulnerability scanner
- C. DNS
- D. Web server
Explanation
The correct answer is: C. DNS.
DNS logs should be reviewed first because every user at multiple sites losing access to every external SaaS provider at once points at a shared dependency, and the shared dependency for reaching any external service by name is the organization's recursive resolvers and their upstream. A DDoS that floods those resolvers, or abuses an open resolver as an amplification reflector until it saturates, makes every SaaS endpoint unreachable even though the underlying transport is still up; the resolver logs show that directly as query timeouts, SERVFAIL responses and abnormal query volume, and the timestamps and client addresses establish when it started and whether every location is affected. CDN logs cover delivery of cached content, typically the organization's own or one provider's, and would only be relevant if a single SaaS provider's content were affected rather than the broad outage described. Vulnerability scanner logs describe the state of known weaknesses, not a live outage. Web server logs would help if the organization itself were the DDoS target, but the symptom here is outbound: users cannot reach other organizations' services, which makes DNS the highest-yield first stop.
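The kind of first pass a responder would run over the resolver logs, as an added example that is not part of the original page. The log format here is a constructed, simplified one (timestamp, client IP, query name, rcode, latency in ms) and the sample lines, hostnames and addresses are made up; real resolver logs (BIND querylog, Unbound, dnsmasq) use different layouts, so the awk field numbers are the assumption to adjust. The point it shows is the signature the explanation describes: failures that hit every client site at once and are slow, which is a saturated resolver rather than one provider's transport.

```shell
#!/bin/sh
# Added example, not from the page: first-pass triage of recursive-resolver
# logs when a DDoS is suspected. Log format is a constructed, simplified
# one (timestamp client_ip qname rcode latency_ms); real resolver logs
# differ, so adjust the awk field numbers for your resolver.

# Constructed sample: 10:00 is healthy, 10:01 has one failure, 10:02 has
# every query from every site failing slowly, i.e. the resolvers (or their
# upstream) are saturated, not a single SaaS provider's transport.
SAMPLE_DNS_LOG='2024-05-01T10:00:01Z 10.1.4.22 login.example-saas.com NOERROR 18
2024-05-01T10:00:03Z 10.2.7.15 mail.example-saas.com NOERROR 21
2024-05-01T10:00:07Z 10.3.9.40 files.example-saas.com NOERROR 17
2024-05-01T10:00:12Z 10.1.4.22 crm.example-saas.com NOERROR 20
2024-05-01T10:01:02Z 10.2.7.15 login.example-saas.com NOERROR 35
2024-05-01T10:01:05Z 10.3.9.40 mail.example-saas.com SERVFAIL 2000
2024-05-01T10:01:09Z 10.1.4.22 files.example-saas.com NOERROR 48
2024-05-01T10:01:14Z 10.2.7.15 crm.example-saas.com NOERROR 52
2024-05-01T10:02:01Z 10.1.4.22 login.example-saas.com SERVFAIL 4980
2024-05-01T10:02:02Z 10.2.7.15 mail.example-saas.com SERVFAIL 5002
2024-05-01T10:02:04Z 10.3.9.40 files.example-saas.com TIMEOUT 5000
2024-05-01T10:02:06Z 10.1.4.22 crm.example-saas.com SERVFAIL 4991'

# dns_failure_rate <logfile> [threshold_percent]
# One line per minute: queries, failures, failure %, distinct client IPs,
# worst latency, and FLAG when the failure share crosses the threshold
# (default 50%). Distinct clients is what shows "multiple locations".
dns_failure_rate() {
    awk -v thr="${2:-50}" '
    {
        m = substr($1, 1, 16)                  # YYYY-MM-DDTHH:MM
        total[m]++
        if ($4 == "SERVFAIL" || $4 == "TIMEOUT") failed[m]++
        if (!((m, $2) in seen)) { seen[m, $2] = 1; clients[m]++ }
        if ($5 + 0 > maxlat[m]) maxlat[m] = $5 + 0
    }
    END {
        for (m in total) {
            pct = 100 * failed[m] / total[m]
            printf "%s queries=%d failed=%d pct=%.0f clients=%d max_ms=%d %s\n",
                   m, total[m], failed[m], pct, clients[m], maxlat[m],
                   (pct >= thr ? "FLAG" : "ok")
        }
    }' "$1" | sort
}

# dns_flagged_minutes <logfile>: how many minutes crossed the threshold.
dns_flagged_minutes() {
    dns_failure_rate "$1" | grep -c FLAG || true
}

# dns_demo: write the constructed sample to a temp file and triage it.
dns_demo() {
    demo_f=$(mktemp)
    printf '%s\n' "$SAMPLE_DNS_LOG" > "$demo_f"
    dns_failure_rate "$demo_f"
    rm -f "$demo_f"
}

dns_demo
```

On a real resolver the next question is where the failures come from: a flood of inbound queries from outside (the resolver is being abused or targeted) versus normal query volume with upstream timeouts (the upstream or the link is saturated), which is why the worst-latency column is worth keeping beside the failure share.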
Question 3
Which of the following is the best action to take after the conclusion of a security incident to improve incident response in the future?
- A. Develop a call tree to inform impacted users
- B. Schedule a review with all teams to discuss what occurred
- C. Create an executive summary to update company leadership
- D. Review regulatory compliance with public relations for official notification
Explanation
The correct answer is: B. Schedule a review with all teams to discuss what occurred.
Scheduling a review with all teams to discuss what occurred is the best action after the conclusion of a security incident to improve future response, because that meeting is the lessons-learned forum that surfaces what worked, what did not, and what should change. Cross-team participation is critical so improvements are owned by everyone whose work is affected. Developing a call tree to inform impacted users is a communication artifact and not a means of improving response. Creating an executive summary informs leadership but does not by itself improve the program. Reviewing regulatory compliance with public relations for official notification is a downstream compliance and communications task rather than the structured improvement review.
Question 4
An incident response team found IoCs in a critical server. The team needs to isolate and collect technical evidence for further investigation. Which of the following pieces of data should be collected first in order to preserve sensitive information before isolating the server?
- A. Hard disk
- B. Primary boot partition
- C. Malicious files
- D. Routing table
- E. Static IP address
Explanation
The correct answer is: D. Routing table.
The routing table should be collected first among the listed options because it is the most volatile artifact on the list: the live routing table is kernel state held in memory, and its connected routes disappear the moment the server's link is dropped for isolation. Capturing it before isolation preserves the network state the attacker may have manipulated, such as injected routes or evidence of pivoting. The hard disk and the primary boot partition are persistent and can be captured later through a forensic image. Malicious files reside on disk and likewise survive the isolation step. A static IP address is configuration that is recoverable from the host's network configuration files or from network documentation. Order of volatility puts the routing table first.
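What that ordering looks like when typed into the host, as an added example that is not part of the original page. It goes beyond the single artifact the question names and captures the usual volatile set (routing table, ARP cache, live sockets, processes, sessions, interface state) in order of volatility, hashes each artifact, and only then isolates. The tool names are real Linux/BSD commands with fallbacks, since which ones exist depends on the OS; the script name, the evidence directory layout and the ISOLATE_CMD variable are assumptions of this example, and ISOLATE_CMD is left empty on purpose so nothing here cuts a connection by itself.

```shell
#!/bin/sh
# Added example, not from the page: capture volatile network and process
# state on a compromised host before isolating it, most volatile first.
# Tool names are real, fallbacks cover OS differences. Isolation is left to
# ISOLATE_CMD, deliberately empty here (set it to your quarantine action,
# e.g. "ip link set eth0 down" or your EDR's isolate call).

EVIDENCE_DIR=""
ISOLATE_CMD="${ISOLATE_CMD:-}"

# run_first "cmd args" "alt args" ...: run the first command whose binary
# exists; record the exit status instead of aborting the capture.
run_first() {
    for rf_cmd in "$@"; do
        rf_bin=${rf_cmd%% *}
        if command -v "$rf_bin" >/dev/null 2>&1; then
            sh -c "$rf_cmd" 2>&1 || echo "# exit status $?"
            return 0
        fi
    done
    echo "# none of the candidate tools found: $*"
}

# capture <seq> <label> <candidate commands...>: one artifact file with a
# header recording when, where and how it was collected.
capture() {
    cap_seq="$1"; cap_label="$2"; shift 2
    cap_out="$EVIDENCE_DIR/${cap_seq}_${cap_label}.txt"
    {
        echo "# artifact: $cap_label (sequence $cap_seq)"
        echo "# host: $(uname -n)"
        echo "# collected_utc: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "# candidates: $*"
        run_first "$@"
    } > "$cap_out"
}

hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1"
    else echo "no-sha256-tool-available  $1"; fi
}

# collect_volatile_state <dir>: capture in order of volatility, hash the
# results, and print the manifest path.
collect_volatile_state() {
    EVIDENCE_DIR="$1"
    mkdir -p "$EVIDENCE_DIR"
    # 1. Kernel routing table: connected routes vanish when the link drops,
    #    and attacker-injected routes are the evidence we want.
    capture 01 routing_table "ip route show" "netstat -rn" "route -n"
    # 2. ARP/neighbour cache: which L2 peers the host has spoken to.
    capture 02 arp_cache "ip neigh show" "arp -an"
    # 3. Live sockets with owning processes: active C2 or lateral sessions.
    capture 03 network_connections "ss -tunap" "netstat -tunap"
    # 4. Process tree: what is running, and under which parent.
    capture 04 process_list "ps -eo pid,ppid,user,args" "ps aux"
    # 5. Logged-in sessions.
    capture 05 logged_in_users "who" "w"
    # 6. Interface state (addresses, promiscuous flag): least volatile here.
    capture 06 interface_config "ip addr show" "ifconfig -a"
    # Hash every artifact so later handling can be checked against capture.
    (cd "$EVIDENCE_DIR" && for f in 0*_*.txt; do hash_file "$f"; done) \
        > "$EVIDENCE_DIR/manifest.sha256"
    echo "$EVIDENCE_DIR/manifest.sha256"
}

# isolate_host: only ever called after the manifest has been written.
isolate_host() {
    if [ -n "$ISOLATE_CMD" ]; then
        sh -c "$ISOLATE_CMD"
    else
        echo "ISOLATE_CMD not set; host left connected (capture only)" >&2
    fi
}

if [ $# -gt 0 ]; then
    collect_volatile_state "$1" && isolate_host
fi
```

Run it as `sh volatile_capture.sh /mnt/evidence/case-dir` from removable media or a remote mount rather than the server's own disk, so the capture does not overwrite unallocated space that the later disk image will need; a full memory image, where the environment allows one, comes before step 1.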
Question 5
Which of the following is the first step that should be performed when establishing a disaster recovery plan?
- A. Agree on the goals and objectives of the plan
- B. Determine the site to be used during a disaster
- C. Demonstrate adherence to a standard disaster recovery process
- D. Identify applications to be run during a disaster
Explanation
The correct answer is: A. Agree on the goals and objectives of the plan.
The first step when establishing a disaster recovery plan is to agree on the goals and objectives of the plan, because every subsequent decision — site selection, application priorities, vendor relationships, technical architecture — flows from what the organization wants the plan to accomplish (acceptable downtime, scope of disasters covered, recovery scale). Without those goals, the team is making technical choices in a vacuum. Determining the site to be used during a disaster comes after the goals have set the geographic and capacity constraints. Demonstrating adherence to a standard recovery process is a quality measure rather than the first activity. Identifying applications to run during a disaster depends on the criticality framework that the goals and objectives establish.
Other CompTIA CySA+ domains
- Reporting and Communication (29 questions)
- Security Operations (306 questions)
- Vulnerability Management (108 questions)