CYBI-3101 Operations and Incident Response SecurityPlus Module-04(1)

CYBI: Security+
OPERATIONS AND INCIDENT RESPONSE
Objective: Operations and Incident Response

4.1 Given a scenario, use the appropriate tool to assess organizational security

4.2 Summarize the importance of policies, processes, and procedures for incident
response

4.3 Given an incident, utilize appropriate data sources to support an investigation

4.4 Given an incident, apply mitigation techniques or controls to secure an
environment

4.5 Explain the key aspects of digital forensics

Sample-01
76. The company Charles works for has recently had a stolen company cell phone result
in a data breach. Charles wants to prevent future incidents of a similar nature. Which of
the following mitigation techniques would be the most effective?
A. Enable FDE via MDM.
B. A firewall change
C. A DLP rule
D. A new URL filter rule
76. A.
A variety of configuration changes could be pushed to mobile devices to help: requiring a
passcode, enabling full-disk encryption (FDE) on mobile devices via organizationally
deployed mobile device management (MDM), enabling remote wipe, or even preventing some
sensitive files from being downloaded or kept on those devices could all help. FDE only
protects data at rest while the device is locked, so the passcode requirement and the
encryption setting go together. Firewall rules, data loss prevention (DLP) rules, and URL
filters will not prevent a stolen device from being accessed and the data being exposed.
77. Henry runs the following command:
dig @8.8.8.8 example.com
What will it do?
A. Search example.com’s DNS server for the host 8.8.8.8.
B. Search 8.8.8.8’s DNS information for example.com.
C. Look up the hostname for 8.8.8.8.
D. Perform open source intelligence gathering about 8.8.8.8 and example.com.
77. B.
The @server argument tells dig which Domain Name System (DNS) server to send the query to,
bypassing the resolver configured on the system. In this case, it will query one of
Google's public DNS servers at 8.8.8.8 for example.com's records (the A record by default;
add a record type such as MX or TXT to ask for others). Querying a named server this way
is also how you compare the answers given by an authoritative server, a public resolver,
and your internal resolver when you suspect cache poisoning or a split-horizon
misconfiguration.
78. Greg is collecting a forensic image of a drive using FTK Imager, and he wants to
ensure that he has a valid copy. What should he do next?
A. Run the Linux cmp command to compare the two files.
B. Calculate an AES-256 hash of the two drives.
C. Compare an MD5 or SHA-1 hash of the drive to the image.
D. Compare the MD5 of each file on the drive to the MD5 of each file in the image.
78. C.
Greg should use the built-in hashing functions to compare either an MD5 or SHA-1 hash of
the source drive to a hash using the same function run on the image. If they match, he
has a valid and intact image. None of the other answers will provide validation that the
full drive was properly imaged: cmp would need a second full read of the source and leaves
no value that can be re-verified later, AES-256 is a cipher rather than a hash, and
per-file hashes miss slack space, unallocated space, and deleted data that a full-drive
image captures. MD5 and SHA-1 are no longer collision resistant, so where the tooling
allows it, record a SHA-256 alongside them; FTK Imager itself reports MD5 and SHA-1 after
acquisition, and both values belong in the chain-of-custody notes.
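As an added example (not from the original slides and not FTK Imager's code), the verification step in Python: the source and the image are read in fixed-size chunks and hashed with several algorithms in one pass, and a single altered byte anywhere in the image is enough to fail the comparison. The "drive" here is a constructed byte buffer; on a real acquisition you would pass the opened block device and the image file.

```python
import hashlib
import io

CHUNK = 1 << 20  # 1 MiB reads: never load a whole drive into memory


def hash_stream(stream, algorithms=("md5", "sha1", "sha256")):
    """Hash a file-like object once, returning {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        block = stream.read(CHUNK)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(source, image):
    """Compare the hashes of a source stream and an image stream.

    Returns (ok, details); details maps algorithm -> (source_hex, image_hex)
    so the values can be copied into the acquisition notes."""
    src = hash_stream(source)
    img = hash_stream(image)
    details = {alg: (src[alg], img[alg]) for alg in src}
    return all(s == i for s, i in details.values()), details


def verify_bytes(source_bytes, image_bytes):
    """Convenience wrapper for in-memory data (used by the demo below)."""
    return verify_image(io.BytesIO(source_bytes), io.BytesIO(image_bytes))


# Constructed sample "drive" of 3 MiB so that several chunks are read,
# a faithful image of it, and an image with exactly one byte corrupted.
SOURCE = bytes(range(256)) * (3 * 4096)
GOOD_IMAGE = bytes(SOURCE)
BAD_IMAGE = SOURCE[:1_000_000] + b"\x00" + SOURCE[1_000_001:]


if __name__ == "__main__":
    for label, img in (("good", GOOD_IMAGE), ("bad", BAD_IMAGE)):
        ok, details = verify_bytes(SOURCE, img)
        print(f"{label}: {'VERIFIED' if ok else 'MISMATCH'}")
        for alg, (s, i) in details.items():
            print(f"  {alg:6} source={s}\n         image ={i}")
```

Hashing all three algorithms in one pass matters on real media: a second read of a failing drive is a second chance for it to die, so read once and compute everything you will ever need.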
79. Adam needs to search for a string in a large text file. Which of the following tools
should he use to most efficiently find every occurrence of the text he is searching for?
A. cat
B. grep
C. head
D. tail
79. B.
The Linux grep command is a search tool that Adam can use to search through files or
directories to find strings; grep -n reports the line number of each match and grep -r
searches a directory tree. cat is short for concatenate, and the command can be used to
create files, to view their contents, or to combine files. head and tail are used to view
the beginning or end of a file, respectively.
80. Angela wants to use segmentation as part of her mitigation techniques. Which of the
following best describes a segmentation approach to network security?
A. Removing potentially infected or compromised systems from the network
B. Using firewalls and other tools to limit the spread of an active infection
C. Partitioning the network into segments based on user and system roles and security
requirements
D. Adding security systems or devices to prevent data loss and exposure
80. C.
Segmentation splits networks or systems into smaller units that align with specific needs.
Segmentation can be functional, security based, or for other purposes. Removing
potentially infected systems would be an example of isolation, using firewalls and other
tools to stop the spread of an infection is containment, and adding security systems to
prevent data loss is an example of implementing a security tool or feature.
81. Charlene has been asked to write a business continuity (BC) plan for her organization.
Which of the following will a business continuity plan best handle?
A. How to respond during a person-made disaster
B. How to keep the organization running during a system outage
C. How to respond during a natural disaster
D. All of the above
81. B.
Unlike a disaster recovery plan, which is written to help an organization recover from a
person-made or natural disaster, a business continuity plan focuses on how to keep the
business running when it is disrupted. Thus, Charlene's BC plan would detail how to keep
the organization running when a system outage occurs.
82. Brad wants to create a self-signed x.509 certificate. Which of the following tools can
be used to perform this task?
A. hping
B. Apache
C. OpenSSL
D. scp
82. C.
OpenSSL can be used to generate a self-signed certificate and its private key in one step
with a command like this:
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
The -nodes flag leaves the private key unencrypted on disk, so the key file needs
restrictive permissions; -subj "/CN=hostname" skips the interactive prompts, and on
OpenSSL 1.1.1 and later -addext "subjectAltName=DNS:hostname" adds the SAN that modern
browsers require instead of relying on the CN. None of the other tools listed can be
used to generate a certificate: hping crafts packets, Apache serves certificates but does
not create them, and scp copies files.
83. Cameron wants to test for commonly used passwords in his organization. Which of the
following commands would be most useful if he knows that his organization’s name,
mascot, and similar terms are often used as passwords?
A. john --wordlist "mywords.txt" --passwordfile.txt
B. ssh -test -"mascotname, orgname"
C. john -show passwordfile.txt
D. crack -passwords -wordlist "mascotname, orgname"
83. A.
The only password cracker listed is John the Ripper. John accepts custom wordlists,
meaning that Cameron can create and use his own wordlist, as shown in option A. John's
actual syntax is john --wordlist=mywords.txt passwordfile.txt, optionally with --rules to
apply case changes, digit suffixes, and similar mangling to each word; john --show only
displays passwords already cracked in an earlier run. Option B is not a real ssh feature,
and the syntax in option D was invented for this question.
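As an added example (not from the original slides and not part of John the Ripper), the wordlist-building side of Cameron's task in Python: organisation-specific seed words are expanded with case, leetspeak, pairing and suffix variants, written one per line in the format john --wordlist expects, and then checked against a constructed set of password hashes. The seed words, the users and the unsalted SHA-256 hashes are all assumptions for the demo; real password stores use salted, slow hashes (bcrypt, scrypt, Argon2), which John handles through its format support.

```python
import hashlib
import itertools

LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
SUFFIXES = ["", "!", "1", "123", "2024", "2024!"]


def mangle(word):
    """Case and leetspeak variants of one seed word (a tiny subset of john --rules)."""
    variants = {word.lower(), word.capitalize(), word.upper()}
    for v in list(variants):
        variants.add(v.translate(LEET))
    return variants


def build_wordlist(seeds):
    """Seed words, their variants, and capitalised pairs, each with common suffixes."""
    candidates = set()
    for word in seeds:
        for variant in mangle(word):
            for suffix in SUFFIXES:
                candidates.add(variant + suffix)
    for a, b in itertools.permutations(seeds, 2):
        for suffix in SUFFIXES:
            candidates.add(a.capitalize() + b.capitalize() + suffix)
    return sorted(candidates)


def write_wordlist(path, seeds):
    """Write one candidate per line, the format john --wordlist expects."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(build_wordlist(seeds)) + "\n")


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def audit(user_hashes, wordlist):
    """Return {user: plaintext} for every hash that a wordlist entry reproduces."""
    lookup = {sha256_hex(w): w for w in wordlist}
    return {user: lookup[h] for user, h in user_hashes.items() if h in lookup}


# Constructed organisation terms (assumed mascot and company name) and a
# constructed dump of unsalted SHA-256 password hashes for four users.
SEEDS = ["wildcats", "acme"]
USER_HASHES = {
    "alice": sha256_hex("Wildcats2024!"),
    "bob": sha256_hex("acme123"),
    "carol": sha256_hex("W1ldc4t5!"),
    "dave": sha256_hex("correct horse battery staple"),
}

if __name__ == "__main__":
    words = build_wordlist(SEEDS)
    print(f"{len(words)} candidates generated")
    for user, pw in audit(USER_HASHES, words).items():
        print(f"{user}: {pw}")
```

With a file produced by write_wordlist, the John workflow is john --wordlist=mywords.txt --rules hashes.txt followed by john --show hashes.txt; John's own rules generate far more variants than the handful shown here, which is why a short, well-chosen seed list is usually enough.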
84. Which of the following capabilities is not built into Autopsy?
A. Disk imaging
B. Timeline generation
C. Automatic image filtering
D. Communication visualization
84. A.
Autopsy does not have a built-in capability to create disk images. Instead, it relies on
third-party tools for acquisition and then imports disk images and other media. Autopsy
has built-in timeline generation, image filtering and identification, and communication
visualization, among many other capabilities.
85. Alaina’s company is considering signing a contract with a cloud service provider, and
wants to determine how secure their services are. Which of the following is a method she
is likely to be able to use to assess it?
A. Ask for permission to vulnerability scan the vendor’s production service.
B. Conduct an audit of the organization.
C. Review an existing SOC audit.
D. Hire a third party to audit the organization.
85. C.
Many cloud service providers do not allow customer-driven audits, either by the customer
or a third party. They also commonly prohibit vulnerability scans of their production
environment to avoid service outages. Instead, many provide third-party audit results in
the form of a SOC (System and Organization Controls, formerly Service Organization Control)
report or similar audit artifact; for security questions the relevant one is usually a
SOC 2 Type II, which covers how the controls operated over a period rather than at a single
point in time.

Sample-02
86. Erin is working through the Cyber Kill Chain and has completed the exploitation phase
as part of a penetration test. What step would come next?
A. Lateral movement
B. Privilege escalation
C. Obfuscation
D. Exfiltration
86. B.
The Cyber Kill Chain moves to privilege escalation after exploitation. The entire kill chain
as used in this course is: 1) Reconnaissance, 2) Intrusion, 3) Exploitation, 4) Privilege
Escalation, 5) Lateral Movement, 6) Obfuscation/Anti-forensics, 7) Denial of Service, and
8) Exfiltration. Note that this is the expanded eight-phase variant; the original Lockheed
Martin Cyber Kill Chain has seven phases (Reconnaissance, Weaponization, Delivery,
Exploitation, Installation, Command and Control, Actions on Objectives), and in that model
the phase after Exploitation is Installation. Check which version a question or a team's
documentation is using before answering.
87. Dana wants to use an exploitation framework to perform a realistic penetration test of
her organization. Which of the following tools would fit that requirement?
A. Cuckoo
B. theHarvester
C. Nessus
D. Metasploit
87. D.
Of the tools that are listed, only Metasploit is an exploitation framework. Cuckoo is a
malware analysis sandbox, theHarvester is an open source intelligence gathering tool, and
Nessus is a vulnerability scanner. Tools like Metasploit, BeEF (which targets browsers), and
Pacu (which targets AWS environments) are all examples of exploitation frameworks.
88. Cynthia has been asked to build a playbook for the SOAR system that her
organization uses. What will she build?
A. A set of rules with actions that will be performed when an event occurs using data collected
or provided to the SOAR system
B. An automated incident response process that will be run to support the incident response (IR)
team
C. A trend analysis–driven script that will provide instructions to the IR team
D. A set of actions that the team will perform to use the SOAR to respond to an incident
88. A.
A playbook for a security orchestration, automation, and response (SOAR) environment is
a set of rules that determine what actions will be performed when an event occurs that is
identified by the SOAR using data it collects or receives.
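As an added example (not from the original slides and not any vendor's SOAR product), a minimal playbook engine that behaves the way the answer describes: the playbook is data, a list of rules each carrying a match condition over event fields, a severity gate and an ordered list of actions, and the engine runs the actions of the first rule that matches an incoming event. The event fields, the action names and the sample events are assumptions; the actions return a record of the API call they would make, where a production SOAR would call the EDR, identity provider or ticketing system.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Rule:
    """One playbook entry: a match condition, a severity gate, and ordered actions."""
    name: str
    match: Dict[str, object]      # every listed field must equal the event's value
    actions: List[str]            # action names, run in this order
    min_severity: int = 0


# The playbook is data, not code: analysts edit rules, not the engine.
PLAYBOOK = [
    Rule("malware-high", {"source": "edr", "type": "malware_detected"},
         ["isolate_host", "open_ticket", "notify_analyst"], min_severity=7),
    Rule("malware-low", {"source": "edr", "type": "malware_detected"},
         ["open_ticket"]),
    Rule("impossible-travel", {"source": "idp", "type": "impossible_travel"},
         ["disable_user", "revoke_sessions", "notify_analyst"]),
]

# Each action returns (action, target), the record of the call it would make.
ACTIONS = {
    "isolate_host":    lambda e: ("isolate_host", e["host"]),
    "open_ticket":     lambda e: ("open_ticket", f"{e['type']} on {e.get('host', e.get('user'))}"),
    "notify_analyst":  lambda e: ("notify_analyst", e["type"]),
    "disable_user":    lambda e: ("disable_user", e["user"]),
    "revoke_sessions": lambda e: ("revoke_sessions", e["user"]),
}


def run_playbook(event, rules=PLAYBOOK, actions=ACTIONS):
    """Evaluate rules top down; the first rule whose condition and severity gate
    both hold wins, so order rules from most to least specific."""
    for rule in rules:
        fields_match = all(event.get(k) == v for k, v in rule.match.items())
        if fields_match and event.get("severity", 0) >= rule.min_severity:
            return [actions[name](event) for name in rule.actions]
    return [("no_rule_matched", event.get("type"))]


# Constructed events as a SIEM or EDR might forward them to the SOAR.
EVENTS = [
    {"source": "edr", "type": "malware_detected", "host": "ws-017", "severity": 9},
    {"source": "edr", "type": "malware_detected", "host": "ws-042", "severity": 3},
    {"source": "idp", "type": "impossible_travel", "user": "jdoe", "severity": 6},
    {"source": "proxy", "type": "dns_tunnel", "host": "ws-099", "severity": 8},
]

if __name__ == "__main__":
    for event in EVENTS:
        print(event["type"], "->", run_playbook(event))
```

Two design points carry over to real SOAR playbooks: rule order matters when conditions overlap (the high-severity malware rule must sit above the low-severity one), and any rule that isolates hosts or disables accounts automatically should be scoped with an allow list of critical assets that route to a human approval step instead.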
89. What incident response step is missing in the following image?
A. Business continuity
B. Containment
C. Response
D. Discovery
89. B.
The Security+ exam outline uses a six-step process for incident response: Preparation,
Identification, Containment, Eradication, Recovery, and Lessons Learned.
90. Gurvinder’s corporate datacenter is located in an area that FEMA has identified as
being part of a 100-year flood plain. He knows that there is a chance in any given year
that his datacenter could be completely flooded and underwater, and he wants to
ensure that his organization knows what to do if that happens. What type of plan should
he write?
A. A Continuity of Operations Plan
B. A business continuity plan
C. A flood insurance plan
D. A disaster recovery plan
90. D.
A disaster recovery plan addresses what to do during a person-made or natural disaster.
A flood that completely fills a datacenter would require significant efforts to recover from,
and Gurvinder will need a solid disaster recovery plan—and perhaps a new datacenter
location as soon as possible! (A 100-year flood plain means roughly a 1 percent chance of
flooding in any given year, not one flood per century.) A COOP, or Continuity of Operations
Plan, is needed for U.S. government agencies but is not required for businesses. A business
continuity plan would cover how to keep business running, but it does not cover all the
requirements in a natural disaster of this scale, and a flood insurance plan is not a term
used in the Security+ exam.
91. Frank wants to identify where network latency is occurring between his computer and
a remote server. Which of the following tools is best suited to identifying both the route
used and which systems are responding in a timely manner?
A. ping
B. tracert
C. pathping
D. netcat
91. C.
pathping combines both ping and tracert/traceroute style functionality to help identify
both the path used and where latency is an issue. It is built into Windows and can be used
for exactly the troubleshooting that Frank needs to accomplish (on Linux and macOS, mtr
fills the same role). He could use both ping and tracert/traceroute to perform the task,
but he would need to spend more time using each tool in turn to identify the same
information that pathping will put into a single interface. netcat, while useful for many
tasks, isn't as well suited to this one. Note that many routers deprioritize or drop ICMP
addressed to themselves, so loss shown at a single hop is only meaningful if it persists
at the hops beyond it.
92. Derek wants to see what DNS information can be queried for his organization as well
as what hostnames and subdomains may exist. Which of the following tools can provide
both DNS query information and Google search information about hosts and domains
through a single tool?
A. dnsenum
B. dig
C. host
D. dnscat
92. A.
The dnsenum tool can perform many Domain Name System (DNS)-related functions,
including querying A records, nameservers, and MX records, as well as performing zone
transfers, Google searches for hosts and subdomains, and net range reverse lookups. dig
and host are useful for DNS queries but do not provide this range of capabilities, and
dnscat was made up for this question.
93. Jill has been asked to perform data recovery due to her forensic skills. What should
she tell the person asking to perform data recovery to give her the best chance of
restoring lost files that were accidentally deleted?
A. Immediately reboot using the reset switch to create a lost file memory dump.
B. Turn off “secure delete” so that the files can be more easily recovered.
C. Do not save any files or make any changes to the system.
D. All of the above
93. C.
Jill wants the least possible changes to occur on the system, so she should instruct the
user to not save any files or make any changes. Rebooting the system will not create a
memory dump, and may cause new files to be written or changed if patches were
waiting to install or other changes are set to occur during a reboot. Turning off secure
delete or making other changes will not impact the files that were deleted prior to that
setting change.
94. What phase follows lateral movement in the Cyber Kill Chain?
A. Exfiltration
B. Exploitation
C. Anti-forensics
D. Privilege escalation
94. C.
Anti-forensics activities follow lateral movement in the Cyber Kill Chain model used in
this course. It helps to remember that after an attacker has completed their attack, they
will attempt to hide traces of their efforts, and then may proceed to denial-of-service or
exfiltration activities in the model.
95. Veronica has completed the recovery phase of her organization’s incident response
plan. What phase should she move into next?
A. Preparation
B. Lessons learned
C. Recovery
D. Documentation
95. B.
The IR process used for the Security+ exam outline is Preparation, Identification,
Containment, Eradication, Recovery, and Lessons Learned. Veronica should move into
the lessons learned phase.
96. Michelle has been asked to sanitize a number of drives to ensure that sensitive data is
not exposed when systems are removed from service. Which of the following is not a valid
means of sanitizing hard drives?
A. Physical destruction
B. Degaussing
C. Quick-formatting the drives
D. Zero-wiping the drives
96. C.
Quick formatting merely rewrites the file system's index structures rather than removing
and overwriting the file contents, so a recovery tool will find the data intact, making it
inappropriate for sanitization. Physical destruction will ensure that the data is not
readable, as will degaussing and zero wiping for magnetic hard drives. Two caveats matter
in practice: degaussing does nothing to flash memory, and a single overwrite pass cannot
reach an SSD's over-provisioned and remapped blocks, so for SSDs use the drive's built-in
secure erase or cryptographic erase (as NIST SP 800-88 describes) or destroy them.
97. Bart is investigating an incident, and needs to identify the creator of a Microsoft Office
document. Where would he find that type of information?
A. In the filename
B. In the Microsoft Office log files
C. In the Windows application log
D. In the file metadata
97. D.
Microsoft Office places information like the name of the creator of the file, the last
editor, creation and change dates, and other useful information in the file metadata that
is stored in each Office document. Bart can simply open the Office document to review this
information or can use a forensic or file metadata tool to review it. Because the metadata
is user-controlled and easily edited or stripped (Office's Document Inspector removes it),
treat it as a lead and corroborate it with file-system timestamps and server logs.
Filenames may contain the creator's name, but this would only be if the creator included
it. Microsoft Office does not create or maintain a log, and the application log for Windows
does not contain this information.
98. Nathaniel wants to allow Chrome through the Windows Defender firewall. What type of
firewall rule change will he need to permit this?
A. Allow TCP 80 and 443 traffic from the system to the Internet.
B. Add Chrome to the Windows Defender Firewall allowed applications.
C. Allow TCP 80 and 443 traffic from the Internet to the system.
D. All of the above
98. B.
Windows Defender Firewall supports both program-based and port-based rules, and applies a
different profile depending on whether the system is on a domain, a trusted private
network, or a public network. Nathaniel should allow Chrome by name in the firewall, which
will allow it to send and receive traffic without needing to specify ports or protocols.
In practice, Windows Defender Firewall allows outbound connections by default, so a program
rule only matters if the outbound default has been changed to block or Chrome needs to
accept inbound connections; opening TCP 80 and 443 from the Internet to the system
(option C) would expose the workstation rather than help a browser, which initiates
outbound connections.
99. Nathan wants to perform whois queries on all the hosts in a class C network. Which of
the following tools can do that and also be used to discover noncontiguous IP blocks in
an automated fashion?
A. netcat
B. dnsenum
C. dig
D. nslookup
99. B.
The dnsenum Perl script builds in quite a few Domain Name System (DNS) enumeration
capabilities, including host, nameserver, and MX record gathering; zone transfer; Google
scraping for domains; subdomain brute forcing from files; as well as Whois automation
and reverse lookups for networks up to class C in size. Although you could manually use
dig or nslookup or even netcat to perform many of these functions, dnsenum is the only
automated tool on the list.
100. What key forensic tool relies on correctly set system clocks to work properly?
A. Disk hashing
B. Timelining
C. Forensic disk acquisition
D. File metadata analysis
100. B.
Building a timeline, particularly from multiple systems, relies on accurately set system
clocks or on recording each system's offset so that its events can be shifted onto a
common reference. Capturing the current time and time zone of every system during
acquisition, and comparing them against a trusted NTP source, is what makes that
correction possible later. Disk hashing and acquisition do not need an accurate system
clock, and file metadata can be reviewed even without an accurate clock, although
accurate clock information or knowing the offset can be useful for analysis.
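As an added example (not from the original slides), the offset correction applied to logs from three hosts: each host's time zone and measured clock skew (host clock minus a trusted reference) are recorded at acquisition, every timestamp is converted to UTC with the skew subtracted, and only then are the events sorted. The hosts, the offsets and the log lines are constructed; the workstation is assumed to run seven minutes fast.

```python
from datetime import datetime, timedelta, timezone

# Per-host clock facts recorded at acquisition (assumed values): the zone the
# host logs in and its measured skew. Positive skew means the clock runs fast.
HOST_CLOCKS = {
    "web01":  {"tz": timezone.utc,                 "skew": timedelta(0)},
    "db01":   {"tz": timezone(timedelta(hours=-5)), "skew": timedelta(0)},
    "ws-017": {"tz": timezone(timedelta(hours=1)),  "skew": timedelta(minutes=7)},
}

# Constructed log lines in the form "host|local timestamp|message".
RAW_LOGS = [
    "ws-017|2024-03-04 18:49:00|phishing attachment opened",
    "web01|2024-03-04 17:45:10|POST /upload from 203.0.113.9",
    "db01|2024-03-04 12:47:30|bulk SELECT on customers by app_user",
    "ws-017|2024-03-04 18:52:15|outbound connection to 203.0.113.9:443",
]


def normalise(line):
    """Parse one line and return (true UTC time, host, message)."""
    host, stamp, message = line.split("|", 2)
    clock = HOST_CLOCKS[host]
    local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=clock["tz"])
    true_utc = local.astimezone(timezone.utc) - clock["skew"]
    return true_utc, host, message


def build_timeline(lines):
    """Normalise every line and sort on the corrected time."""
    return sorted(normalise(line) for line in lines)


def render(timeline):
    """One line per event, corrected time first, for the investigation notes."""
    return [f"{t.strftime('%Y-%m-%dT%H:%M:%SZ')} {host:7} {msg}" for t, host, msg in timeline]


if __name__ == "__main__":
    print("\n".join(render(build_timeline(RAW_LOGS))))
```

With the skew left uncorrected, the workstation's outbound connection would sort after the database read and the phishing click after the web upload, which reverses the apparent cause and effect; after correction the sequence reads click, upload, beacon, bulk read. That reversal is why the acquisition checklist records every system's clock next to its hash values.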