# Quiz

## Question 1

If you discover your messaging/email servers have been compromised during a data breach, what should you do as related to communications across the IR team?

<details>

<summary>Solution</summary>

Utilize an out-of-band or alternate messaging network/environment

</details>

## Question 2

Who should the final incident report be shared with?

<details>

<summary>Solution</summary>

Only those who have a specific need to know

</details>

## Question 3

Which two things are usually combined to calculate priority in incidents?

<details>

<summary>Solution</summary>

Urgency and impact

</details>

## Question 4

You are the incident response lead for your organization. Your team has identified a system that's currently compromised. The system is a critical system and shutting it down immediately may cause an adverse impact on the organization. What should your team do first?

<details>

<summary>Solution</summary>

Perform a memory dump to be used for analysis

</details>

## Question 5

Which of the following is TRUE concerning containment?

<details>

<summary>Solution</summary>

Containment is more of a strategy than a step

</details>

## Question 6

What should you NOT do during containment?

<details>

<summary>Solution</summary>

Guarantee things or make such statements

</details>

## Question 7

Which of the following is NOT a common tool used in containment?

<details>

<summary>Solution</summary>

Password crackers

</details>

## Question 8

What is the primary goal of eradication?

<details>

<summary>Solution</summary>

To make sure the threat is completely removed per a predefined definition

</details>

## Question 9

How will an incident responder know how to clean or wipe a machine properly during eradication?

<details>

<summary>Solution</summary>

Using processes defined by the organization via policies and procedures

</details>

## Question 10

Who should be notified first of the eradication of a threat?

<details>

<summary>Solution</summary>

The rest of the IR team

</details>

## Question 11

What team or practice in the organization is likely to be able to provide the most assistance or guidance during recovery?

<details>

<summary>Solution</summary>

Business Continuity (BC) and Disaster Recovery (DR) teams

</details>

## Question 12

Which departments or practices are most likely to be impacted by restoration during the recovery phases? (Pick TWO)

<details>

<summary>Solution</summary>

* Change management
* Configuration management

</details>

## Question 13

What traditional forensics/IR practice is usually not possible if the data breach happened in a cloud service provider (CSP) environment using Platform-as-a-Service models such as Amazon EC2 or Microsoft Azure?

<details>

<summary>Solution</summary>

Take a physical, bit-to-bit, forensically-sound image of the suspected hard drive

</details>

## Question 14

Why are system monitoring tools useful for the recovery phase in incident response?

<details>

<summary>Solution</summary>

They may be used to monitor systems to ensure abnormal behavior has not returned

</details>

## Question 15

Why should implementation of improvements after the follow-up step be phased into the process? (Select THREE)

<details>

<summary>Solution</summary>

* Solutions may impact operations and other critical business functions
* May require significant resources and input from other teams
* Will usually require some type of impact assessment

</details>

## Question 16

Which criteria would MOST likely lead to changes in the IR playbook?

<details>

<summary>Solution</summary>

Team was not able to follow the playbook effectively

</details>
