# Quiz

## Question 1

If you discover your messaging/email servers have been compromised during a data breach, what should you do as related to communications across the IR team?

<details>

<summary>Solution</summary>

Utilize an out-of-band or alternate messaging network/environment

</details>

## Question 2

Who should the final incident report be shared with?

<details>

<summary>Solution</summary>

Only those who have a specific need to know

</details>

## Question 3

Which two things are usually combined to calculate priority in incidents?

<details>

<summary>Solution</summary>

Urgency and impact

</details>

## Question 4

You are the incident response lead for your organization. Your team has identified a system that's currently compromised. The system is a critical system and shutting it down immediately may cause an adverse impact on the organization. What should your team do first?

<details>

<summary>Solution</summary>

Perform a memory dump to be used for analysis

</details>

## Question 5

Which of the following is TRUE concerning containment?

<details>

<summary>Solution</summary>

Containment is more of a strategy than a step

</details>

## Question 6

What should you NOT do during containment?

<details>

<summary>Solution</summary>

Guarantee things or make such statements

</details>

## Question 7

Which of the following is NOT a common tool used in containment?

<details>

<summary>Solution</summary>

Password crackers

</details>

## Question 8

What is the primary goal of eradication?

<details>

<summary>Solution</summary>

To make sure the threat is completely removed per a predefined definition

</details>

## Question 9

How will an incident responder know how to clean or wipe a machine properly during eradication?

<details>

<summary>Solution</summary>

Using processes defined by the organization via policies and procedures

</details>

## Question 10

Who should be notified first of the eradication of a threat?

<details>

<summary>Solution</summary>

The rest of the IR team

</details>

## Question 11

What team or practice in the organization is likely to be able to provide the most assistance or guidance during recovery?

<details>

<summary>Solution</summary>

Business Continuity (BC) and Disaster Recovery (DR) teams

</details>

## Question 12

Which departments or practices are most likely to be impacted by restoration during the recovery phases? (Pick TWO)

<details>

<summary>Solution</summary>

* Change management
* Configuration management

</details>

## Question 13

What traditional forensics/IR practice is usually not possible if the data breach happened in a cloud service provider (CSP) environment using Platform-as-a-Service models such as Amazon EC2 or Microsoft Azure?

<details>

<summary>Solution</summary>

Take a physical, bit-to-bit, forensically-sound image of the suspected hard drive

</details>

## Question 14

Why are system monitoring tools useful for the recovery phase in incident response?

<details>

<summary>Solution</summary>

They may be used to monitor systems to ensure abnormal behavior has not returned

</details>

## Question 15

Why should implementation of improvements after the follow-up step be phased into the process? (Select THREE)

<details>

<summary>Solution</summary>

* Solutions may impact operations and other critical business functions
* May require significant resources and input from other teams
* Will usually require some type of impact assessment

</details>

## Question 16

Which criteria would MOST likely lead to changes in the IR playbook?

<details>

<summary>Solution</summary>

Team was not able to follow the playbook effectively

</details>
