Welcome to today’s CompTIA Security+ practice test!
Today’s practice test is based on subdomain 4.8 (Explain appropriate incident response activities.) from the CompTIA Security+ SY0-701 objectives.
This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.
These questions are not official exam questions, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.
Results
#1. A security administrator at a hospital receives alerts from multiple endpoints indicating potential ransomware activity. Which FIRST step should be taken according to incident response best practices?
#2. Which of the following best describes the purpose of a legal hold during incident response?
#3. An analyst identifies unusual outbound traffic from an internal database server. What is the NEXT step after confirming an active data exfiltration attack?
#4. During the eradication phase of incident response, which activity is MOST appropriate for eliminating the root cause of the incident?
#5. A SOC analyst responds to a phishing attack where several employees clicked a malicious link. After containing affected endpoints, which step should the analyst take NEXT?
#6. A forensic investigator is acquiring data from a compromised laptop. Which of the following is MOST important to ensure evidence admissibility?
#7. Which of the following incident response activities occurs LAST in the process?
#8. A company wants to test its incident response process without impacting production. Which method should be used?
#9. Which of the following BEST describes a primary goal of the analysis phase?
#10. A malware outbreak affected 50 endpoints. The incident response team has eradicated the malware and restored all systems. What is the NEXT recommended step?
Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.
Answers
| Number | Answer | Explanation |
|---|---|---|
| 1 | A | A security administrator at a hospital receives alerts from multiple endpoints indicating potential ransomware activity. Which FIRST step should be taken according to incident response best practices? A. Disconnect infected hosts from the network: According to incident response best practices (often following the NIST framework: Preparation, Detection & Analysis, Containment, Eradication & Recovery, Post-Incident Activity), the FIRST step after detecting potential ransomware is Containment. Disconnecting infected hosts from the network prevents the ransomware from spreading further to other systems, encrypting more data, or reaching backup systems. This is a critical immediate action. B. Notify executive management: While notification is crucial, it’s typically done after initial containment actions have been taken to limit the damage. Notifying management before containing the spread might lead to more widespread damage. C. Perform a forensic disk image acquisition: Forensic acquisition is part of the eradication/recovery or post-incident analysis phase. It’s important for understanding how the attack happened and for potential legal action, but it comes after containment, as performing it on an active infection could allow further spread. D. Eradicate the ransomware from infected endpoints: Eradication (removing the ransomware) is a later stage in the incident response process. Attempting eradication before containment could lead to the ransomware reactivating, spreading, or destroying evidence. Containment is the immediate priority. |
| 2 | B | Which of the following best describes the purpose of a legal hold during incident response? A. It ensures compliance with data retention policies. A legal hold often overrides standard data retention policies. Instead of complying with deletion schedules, it suspends them to preserve data. B. It prevents modification or deletion of relevant evidence. A legal hold (also known as a litigation hold or preservation order) is a process that an organization uses to preserve all forms of relevant information when litigation or an investigation is reasonably anticipated. Its primary purpose during incident response is to ensure that any data, logs, or artifacts that could serve as evidence are not altered, destroyed, or deleted, even if standard data retention policies would normally lead to their disposal. This is crucial for forensic analysis, legal proceedings, and compliance. C. It allows security analysts to perform threat hunting activities. Threat hunting is a proactive search for threats that may have evaded existing security controls. While a legal hold ensures evidence is available for investigation, its purpose is not to enable threat hunting. D. It enforces access control restrictions on critical data. Access control restricts who can view or modify data. While critical data is often subject to legal holds, the main purpose of the hold is preservation, not defining who can access the data for normal operations. |
| 3 | B | An analyst identifies unusual outbound traffic from an internal database server. What is the NEXT step after confirming an active data exfiltration attack? A. Conduct a root cause analysis: Root cause analysis is performed after the incident has been contained, eradicated, and recovered from. It helps understand how the attack happened to prevent future occurrences, but it’s not the immediate priority when data is actively being stolen. B. Isolate the server from the network: This is the crucial Containment step in the incident response lifecycle. Once an active data exfiltration attack is confirmed, the immediate priority is to stop the data loss and prevent further compromise. Isolating the server (e.g., by disconnecting its network cable, blocking its network access at a firewall/switch) prevents the attacker from continuing to steal data and from using the compromised server as a pivot point for further attacks. C. Perform lessons learned meeting: A lessons learned meeting is the final step in the incident response process, conducted after the incident is fully resolved. It’s for post-mortem analysis and process improvement, not an immediate action during an active attack. D. Notify regulatory authorities immediately: While regulatory notification is often mandatory for data breaches, it typically occurs after initial containment and often after a preliminary assessment of the scope and nature of the breach. The absolute next step after confirming active exfiltration is to stop the bleeding. |
| 4 | A | During the eradication phase of incident response, which activity is MOST appropriate for eliminating the root cause of the incident? A. Implementing additional firewall rules to block known malicious IPs and domains associated with the specific threat. The Eradication phase involves completely removing the threat and its root cause from the environment and strengthening defenses to prevent recurrence. If an attacker used specific malicious IPs or domains for command and control, data exfiltration, or staging, blocking these additional indicators of compromise (IOCs) is a crucial step to ensure the attacker is completely cut off and cannot easily re-establish access. This activity directly contributes to eliminating the lingering presence of the threat and its channels, which is part of eliminating the “root cause” of continued compromise or re-infection. B. Capturing volatile memory for forensic analysis: This is an activity performed during the Detection & Analysis or early Containment phases. Volatile data needs to be captured immediately before it’s lost, before major changes like eradication are performed. C. Notifying legal counsel and public relations: These are communication activities that occur throughout and after an incident, primarily as part of the Communication/Post-Incident Activity phase. They are not technical steps for eliminating the threat. D. Conducting a post-incident “lessons learned” review: This activity is performed in the Post-Incident Activity phase, after the incident has been fully resolved and systems are recovered. It’s for process improvement, not for actively eliminating the threat. |
| 5 | A | A SOC analyst responds to a phishing attack where several employees clicked a malicious link. After containing affected endpoints, which step should the analyst take NEXT? A. Identify all users who clicked the link and reset their credentials: After containing the affected endpoints (meaning the immediate threat on those specific machines is handled), the NEXT critical step is to address the potential compromise of user accounts. If employees clicked a malicious link, their credentials might have been harvested. Resetting credentials for all potentially compromised users is a crucial eradication/recovery step to prevent further unauthorized access or lateral movement by the attacker using stolen credentials. B. Update firewall rules to block phishing domains: While a good measure, this is a preventative or hardening step that often comes as part of eradication/recovery or post-incident activity. The immediate concern after containing infected machines is account compromise. Blocking the domain prevents future clicks but doesn’t address current potential account compromise. C. Conduct an organization-wide phishing awareness campaign: This is a long-term preventative measure for security awareness. It’s important but not the immediate next step after an active phishing incident where user credentials might be compromised. D. Disable all outbound web traffic until further notice: This is an extreme and highly disruptive containment measure. While it might be used in severe, widespread outbreaks, it’s generally not the next step after containing several affected endpoints. It would severely impact business operations and would be considered only if the risk was unmanageable otherwise. The priority is targeted action. |
| 6 | B | A forensic investigator is acquiring data from a compromised laptop. Which of the following is MOST important to ensure evidence admissibility? A. Implementing multi-factor authentication on the laptop: MFA is an authentication control that protects access to the laptop. It’s crucial for security but does not directly ensure the admissibility of acquired evidence once the laptop has been compromised and data is being extracted for forensic purposes. B. Maintaining a chain of custody log: For evidence to be admissible in legal proceedings, it is MOST important to demonstrate that the evidence has not been tampered with or altered from the moment it was collected until it is presented in court. A chain of custody log meticulously documents every person who handled the evidence, when they handled it, what they did with it, and why. This ensures the integrity and authenticity of the evidence. C. Using threat intelligence feeds for correlation: Threat intelligence feeds provide information about known threats and can help in identifying malicious activity. However, they are used during the analysis phase of an investigation, not for ensuring the admissibility of the collected evidence itself. D. Encrypting evidence drives with AES-256: Encrypting the drives used to store the forensic evidence (e.g., the forensic image) is a good security practice to protect the confidentiality and integrity of the evidence during transport or storage. While important for protecting the evidence, it’s secondary to the chain of custody for proving admissibility – the chain of custody shows who had access and what they did, which is the core of proving the evidence wasn’t tampered with. Without a proper chain of custody, even encrypted evidence might be challenged. |
| 7 | C | Which of the following incident response activities occurs LAST in the process? A. Detection: This is one of the very first phases, where an anomaly or incident is identified. B. Containment: This phase follows Detection, focusing on stopping the spread of the incident and limiting its damage. C. Lessons learned: The “Lessons Learned” activity is part of the Post-Incident Activity phase (also sometimes called Post-Mortem or Review). This is the final stage of the incident response process where the team reviews what happened, what went well, what could be improved, and updates policies, procedures, and tools accordingly. D. Eradication: This phase follows Containment, focusing on removing the root cause of the incident and eliminating the threat. The typical order is: Preparation -> Detection & Analysis -> Containment -> Eradication -> Recovery -> Post-Incident Activity (Lessons Learned). |
| 8 | A | A company wants to test its incident response process without impacting production. Which method should be used? A. Tabletop exercise: A tabletop exercise is a discussion-based training session where participants talk through an incident scenario. It’s designed to test plans, procedures, and roles without actually deploying any technology or impacting live production systems. This makes it ideal for evaluating the incident response process in a safe, low-impact environment. B. Full-scale live simulation: A full-scale live simulation involves executing the incident response plan on actual systems, often in a segregated but realistic environment or even a limited production setting. While highly effective, it has a higher risk of impact compared to a tabletop and is not suitable if the goal is to test without impacting production. C. Root cause analysis: Root cause analysis is a post-incident activity performed after an incident has occurred and been resolved, to determine why it happened. It’s not a method for testing the incident response process itself. D. Red team penetration test: A red team penetration test simulates a real-world attack against an organization’s systems to find vulnerabilities and test defenses. While it helps identify weaknesses, its primary goal is to find vulnerabilities and test technical controls, not specifically to test the incident response process without impacting production. A red team exercise often does impact production systems (albeit in a controlled way) or requires a dedicated test environment. |
| 9 | B | Which of the following BEST describes a primary goal of the analysis phase? A. Removing all known malware from systems: This activity falls under the Eradication phase, which occurs after the analysis and containment phases. B. Determining the scope and impact of an incident: The Analysis phase (part of “Detection & Analysis” in the NIST framework) focuses on understanding the nature, extent, and severity of an incident. This includes identifying what systems are affected, what data might have been compromised, how the attack occurred, and what the potential business impact is. This information is crucial for making informed decisions on how to contain and eradicate the threat. C. Performing business continuity planning: Business continuity planning is a proactive activity that falls under the Preparation phase. It’s about ensuring an organization can continue essential functions during and after a disruption, not an activity during the analysis of an incident. D. Implementing new security controls: Implementing new security controls is typically done in the Recovery phase (to restore systems to normal operations with enhanced security) or the Post-Incident Activity phase (as a lesson learned), not as a primary goal of the analysis itself. |
| 10 | A | A malware outbreak affected 50 endpoints. The incident response team has eradicated the malware and restored all systems. What is the NEXT recommended step? A. Conduct a lessons learned meeting: According to incident response best practices (e.g., NIST, SANS), after an incident has been contained, eradicated, and systems are recovered, the Post-Incident Activity phase is crucial. A “lessons learned” meeting is the primary component of this phase, where the team reviews the entire incident, identifies what worked well, what didn’t, and what improvements are needed in policies, procedures, tools, and training. This is essential for continuous improvement of the IR process. B. Notify the legal team: Legal notification (and potentially public relations) is part of the communication strategy throughout the incident lifecycle, often triggered earlier during the containment/analysis phase once the scope and impact are understood. It’s not the next technical or procedural step after full restoration. C. Update the organization’s disaster recovery plan: While the incident might inform updates to the disaster recovery plan, this is a broader strategic activity that falls under Post-Incident Activity/Preparation but is not the immediate next recommended step after restoration. The lessons learned meeting would directly inform such updates. D. Perform a risk assessment: A risk assessment is a proactive activity performed as part of Preparation or ongoing security management. While the incident might highlight specific risks that need re-assessment, it’s not the immediate next step in the IR process itself following restoration; the lessons learned is where the initial insights for such assessments would be gathered. |
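The chain of custody log from question 6 is easier to reason about when you see what one actually has to record. The following is an added example, not code from the practice test or from CompTIA: it models a custody log in which every hand-off records who handled the evidence, when, what they did and why, and carries the SHA-256 of the forensic image so that each later handler can prove the image is unchanged since acquisition. The evidence bytes, examiner names, evidence ID and timestamps are all constructed for the demonstration.

```python
"""Chain-of-custody log with integrity verification (added example)."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of the evidence bytes (the forensic image, in practice)."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    handler: str        # who handled the evidence
    action: str         # what they did (acquired, transferred, examined, ...)
    reason: str         # why
    timestamp: datetime  # when (UTC)
    sha256: str         # digest observed at this hand-off


@dataclass
class EvidenceRecord:
    evidence_id: str
    acquisition_hash: str
    entries: list = field(default_factory=list)

    def log(self, handler: str, action: str, reason: str,
            evidence: bytes, when: datetime) -> CustodyEntry:
        """Record a hand-off. Refuses to extend the chain if the image no longer
        matches the acquisition hash, so an alteration cannot be quietly logged over."""
        digest = sha256_hex(evidence)
        if digest != self.acquisition_hash:
            raise ValueError(
                f"{self.evidence_id}: integrity check failed at '{action}' by {handler}")
        entry = CustodyEntry(handler, action, reason,
                             when.astimezone(timezone.utc), digest)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True if every entry carries the acquisition hash and time never runs backwards."""
        if not self.entries:
            return False
        hashes_ok = all(e.sha256 == self.acquisition_hash for e in self.entries)
        times = [e.timestamp for e in self.entries]
        ordered = all(a <= b for a, b in zip(times, times[1:]))
        return hashes_ok and ordered


def acquire(evidence_id: str, image: bytes, examiner: str, when: datetime) -> EvidenceRecord:
    """Start the chain: hash the image at acquisition and write the first entry."""
    record = EvidenceRecord(evidence_id, sha256_hex(image))
    record.log(examiner, "acquired", "forensic image of compromised laptop", image, when)
    return record


def demo() -> dict:
    """Walk a constructed image through acquisition, storage and examination,
    then show that a modified copy is rejected rather than logged."""
    image = b"constructed disk image, not real evidence " * 64   # constructed sample
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)         # constructed time
    rec = acquire("LAPTOP-001", image, "examiner A", t0)          # hypothetical ID/name
    rec.log("examiner A", "transferred to evidence locker", "secure storage",
            image, t0.replace(hour=10))
    rec.log("examiner B", "checked out for analysis", "malware triage",
            image, t0.replace(hour=13))

    tampered = image[:-1] + b"X"   # one byte changed: the hash no longer matches
    try:
        rec.log("examiner B", "returned to locker", "analysis complete",
                tampered, t0.replace(hour=17))
        rejected = False
    except ValueError:
        rejected = True

    return {"entries": len(rec.entries),
            "chain_valid": rec.verify(),
            "tamper_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The point of hashing at every hand-off, rather than only at acquisition, is that the log then shows not just who had the evidence but that it was still intact each time it changed hands; that is the record a court will ask for, and it is also why encrypting the evidence drive (option D) does not substitute for the log.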