Welcome to today’s CompTIA Security+ practice test!

Today’s practice test is based on Subdomain 4.8 (Explain appropriate incident response activities) from the CompTIA Security+ SY0-701 objectives.

This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.

These questions are not official exam questions, nor are they brain dumps, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.

Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.

To choose CompTIA Security+ practice tests based on specific domains/subdomains, click that link.

Recommended read: Ultimate CompTIA Security+ Study Guide (2026)

CompTIA Security+ Practice Test of the Day 260325
10 questions • Single best answer
Question 1
The cybersecurity director at a regional credit union is tasked with strengthening the organization's ability to respond to security incidents. After reviewing the current incident response plan, the director determines that the team lacks predefined roles, documented escalation procedures, and access to forensic tools needed to investigate incidents effectively. The director decides to focus efforts on the foundational work that must be completed before any incident occurs to ensure the team is ready to act quickly and consistently when a breach is detected. Which phase of the incident response process is the director working on?

Question 2
An analyst in a SOC at a manufacturing firm notices that several production workstations have begun generating unusual outbound traffic to an unfamiliar external IP address during off-peak hours. The analyst reviews firewall logs, endpoint detection alerts, and network flow data and determines that the traffic pattern is consistent with a known command-and-control (C2) communication signature associated with a recently published threat actor campaign. The analyst documents the indicators of compromise and formally escalates the finding to the incident response team with a notification that an active incident has been identified. Which phase of the incident response lifecycle is the analyst completing?

Question 3
During an active ransomware incident, the incident response team at a retail company has confirmed that malware has spread to approximately 15 workstations in the corporate office and is actively attempting to encrypt files on shared network drives. The team lead instructs team members to immediately disconnect the affected workstations from the network and block outbound traffic from the affected subnet at the perimeter firewall. The team is also instructed to avoid rebooting or powering off the affected machines at this time in order to preserve volatile memory artifacts for later forensic analysis. Which phase of the incident response process is the team executing?

Question 4
A security engineer at a logistics company has successfully isolated the systems affected by a credential-based intrusion in which an attacker used a compromised service account to move laterally across several servers over a period of two weeks. The forensics team has completed its analysis, identified all affected systems, cataloged the persistence mechanisms the attacker used, and confirmed the two vulnerabilities that were exploited to gain initial access. The security engineer is now disabling the compromised accounts, deleting malicious scheduled tasks and registry run keys placed by the attacker, and applying the vendor patches for the exploited vulnerabilities across all affected and at-risk systems. Which incident response phase is the security engineer executing?

Question 5
Two weeks after a phishing attack successfully compromised the email account of an executive at a media company — resulting in the exfiltration of several confidential contract files — the incident response team has fully restored affected systems, revoked all unauthorized access, and confirmed no further signs of intrusion. The CISO has called a mandatory meeting with all incident response team members, the security operations manager, and senior leadership to formally review the incident timeline, evaluate how quickly the threat was detected and contained, discuss which response actions were effective and which were not, and identify gaps in the response process that should be addressed before the next incident. Which incident response phase does this meeting represent?

Question 6
The CISO of a government contracting firm wants to evaluate how well the incident response team and key organizational stakeholders would perform in a realistic ransomware scenario involving encrypted systems, exfiltrated sensitive data, and a regulatory breach notification deadline. The CISO wants to involve legal, HR, IT, public relations, and executive leadership in a controlled exercise that tests decision-making, communication, and escalation procedures. Critically, the CISO requires that no live systems be affected and no actual malware be deployed — participants will walk through the scenario by verbally discussing what decisions and actions they would take at each stage rather than executing real technical response steps. Which type of incident response testing is the CISO describing?

Question 7
A digital forensics investigator is called in to assist with an insider threat case at a biotech company in which an employee is suspected of stealing proprietary research data prior to resigning. The investigator creates verified bit-for-bit forensic images of the suspect's workstation hard drive and USB storage devices and places the original hardware in tamper-evident sealed evidence bags. The investigator then meticulously records every individual who accesses the evidence, the exact date and time of each access, the stated purpose of each access, and the location and transfer of custody of evidence between the forensic laboratory and the secure evidence storage facility. Why is this documentation process critical to the investigation?

Question 8
An organization's legal department has informed the IT security team that the company is a named defendant in a lawsuit filed by a former business partner alleging breach of contract and theft of confidential data. Outside counsel has instructed the IT team to immediately suspend all automated email archiving deletion rules, file retention purges, and log rotation policies that would ordinarily delete data older than 90 days. The team must also preserve all potentially relevant communications, contracts, system logs, and file access records dating back 24 months, and must notify all data custodians of their obligation to preserve any relevant documents within their control — even personal devices used for business purposes. What is the formal term for this legal directive?

Question 9
After a web application breach exposed the personally identifiable information of more than 40,000 customers at an insurance company, the incident response team has successfully contained and eradicated the threat and restored affected systems. The security team is now tasked with conducting a formal investigation to determine the specific vulnerability that was exploited, the precise sequence of events that allowed the attacker to progress from initial compromise to successful data exfiltration, which security controls failed or were misconfigured, and what systemic changes are needed to prevent a similar incident from recurring in the future. The objective is to identify the underlying technical and process failures that created the conditions for the breach — not just the immediate symptoms. What type of post-incident analysis is the team conducting?

Question 10
A senior security analyst at a defense contractor has been assigned to proactively search for signs of compromise within the organization's network that may have evaded detection by the SIEM, endpoint detection and response platform, and perimeter firewall systems. Rather than waiting for automated alerts to trigger, the analyst formulates hypotheses based on recently published threat intelligence reports about advanced persistent threat (APT) actors known to target defense contractors, then manually queries historical log data, network traffic captures, and endpoint telemetry to look for subtle behavioral indicators consistent with those threat actors' documented tactics, techniques, and procedures (TTPs). What security practice is the analyst performing?