
CYSA-004 Practice Questions: Incident Response and Management Domain


Master the Incident Response and Management Domain

Test your knowledge in the Incident Response and Management domain with these 10 practice questions. Each question is designed to help you prepare for the CYSA-004 certification exam with detailed explanations to reinforce your learning.

Question 1

Authentication artifact:
- 08:01 Cloud IdP: user jpatel successful login from 203.0.113.44 (New York)
- 08:03 SaaS CRM access using same session token from 198.51.100.20 (London)
- 08:04 VPN log: jpatel connected to corporate VPN egress node 198.51.100.20
- 08:05 No MFA failures; user is assigned an always-on VPN profile

The SIEM opened an impossible-travel alert. What is the BEST next step?

A) Disable the account and revoke all tokens immediately

B) Declare a confirmed account-takeover incident

C) Correlate VPN and token activity to validate whether the alert is benign

D) Acquire a forensic image of the user's laptop first


Correct Answer: C

Explanation:

Correct answer (C): This alert has a plausible benign explanation already visible in the artifact: the London IP is the corporate VPN egress node, and the user has an always-on VPN profile. In CySA+ triage, an alert is not automatically a confirmed incident. The best next step is to correlate the VPN, identity, and SaaS activity to validate whether the session behavior is expected before taking disruptive response actions.

Why the other options are wrong:
- Option A: Immediate account disablement may be appropriate for a confirmed compromise, but the current evidence suggests a likely benign cause and does not justify that disruption yet.
- Option B: Declaring a confirmed incident is premature because the artifact includes context that may fully explain the apparent impossible travel.
- Option D: Forensic imaging is premature because the analyst has not yet confirmed malicious activity on the endpoint.

Question 2

A SOC analyst reviews the following identity events for a payroll administrator account. The user is not traveling and normally signs in only from the local office.

Authentication timeline:
- 08:11 VPN login user=payadmin src=198.51.100.24 country=DE result=SUCCESS
- 08:12 MFA push approved user=payadmin
- 08:14 Cloud admin action: mailbox search role granted to payadmin
- 08:18 Share export user=payadmin volume=1.8GB target=payroll-data

The organization's playbook says privileged account misuse involving payroll data requires immediate escalation when confidence is high. How should the analyst classify this incident?

A) Low severity suspicious login; monitor for another sign-in before escalating

B) Medium severity authentication anomaly; open a ticket and wait for user confirmation

C) High severity likely account compromise; activate the identity IR playbook immediately

D) Informational cloud event; wait for endpoint telemetry before taking action


Correct Answer: C

Explanation:

Correct answer (C): This should be treated as a high-severity likely compromise. The analyst has multiple corroborating indicators, not just a single anomalous login: a successful foreign login for a non-traveling privileged user, approved MFA, suspicious privilege-related activity, and large access to sensitive payroll data. In CySA+, severity is based on confidence, asset sensitivity, active attacker behavior, and business impact. The playbook also explicitly says this combination requires immediate escalation.

Why the other options are wrong:
- Option A: This underestimates the situation. The account is privileged, the activity already succeeded, and sensitive payroll data was accessed, so waiting for another sign-in would delay necessary response.
- Option B: User confirmation can help in lower-confidence cases, but this scenario already provides high-confidence indicators and an explicit playbook trigger for immediate escalation.
- Option D: Endpoint telemetry could add context, but it is not required before acting here. The identity and cloud activity already provide strong evidence of active misuse.

Question 3

A cloud analyst is investigating suspected misuse of a backup account. Current evidence is below:
- 14:22 iam-user backup-admin created a new access key
- 14:24 Access key used from 198.51.100.71
- 14:26 Snapshot of customer-db volume shared to external account 777788889999
- 14:29 Emergency policy blocks additional snapshot sharing

Counsel note: Legal hold applies. Preserve relevant evidence.

The analyst can export logs, snapshot resources, and disable the compromised key. What is the best next step?

A) Delete the new access key and terminate any related instances right away

B) Export relevant audit logs and resource snapshots, document custody, then disable the compromised key

C) Ask the cloud provider to investigate because the provider owns the platform logs

D) Rotate all tenant credentials before preserving any case evidence


Correct Answer: B

Explanation:

Correct answer (B): Because additional sharing has already been blocked and legal hold applies, the analyst should preserve relevant cloud evidence in a defensible manner before taking destructive actions. Exporting audit logs and resource snapshots, documenting chain of custody, and then disabling the compromised key balances preservation with targeted containment. Cloud provider controls do not remove the customer's investigation responsibilities.

Why the other options are wrong:
- Option A: Immediate deletion and termination are destructive and could eliminate evidence needed under legal hold. The scenario explicitly highlights preservation requirements.
- Option C: The cloud provider does not remove the customer's responsibility to investigate identities, configurations, workloads, and access within the customer environment.
- Option D: Broad credential rotation may later be appropriate, but doing it before preserving evidence can complicate the investigation and is not the most targeted next step.

Question 4

A payment application runs in containers in a managed cluster. The IR lead says the immediate goal is to preserve short-lived evidence before the compromised pod disappears.

Kubernetes audit excerpt:
- 15:01 pod pay-api-7d9f created in prod-pay
- 15:02 exec into pod from CI service account svc-ci-build
- 15:03 curl to 198.51.100.44/upload
- 15:04 container writes /tmp/customer.csv

Context:
- Failed pods are terminated after 5 minutes
- No node shell access is available
- Cloud audit logs and cluster metadata are available

What is the best next action?

A) Restart the deployment so a clean pod replaces the suspicious one

B) Export pod logs and metadata, copy the /tmp file, and preserve related audit logs immediately

C) Block the external IP at the perimeter and wait for a host-level forensic image

D) Delete the CI service account and rebuild the cluster after business hours


Correct Answer: B

Explanation:

Correct answer (B): The best next action is to preserve the pod's short-lived evidence immediately. The stem explicitly prioritizes preservation before the compromised pod disappears, and the environment is ephemeral. Exporting pod logs and metadata, copying the suspicious file, and preserving related cluster and cloud audit records captures evidence that may be lost within minutes. Restarting, deleting identities, or waiting for host-level imaging would risk losing the most relevant artifacts and would not fit the access constraints described.

Why the other options are wrong:
- Option A: Restarting the workload may remove the compromised pod before key evidence is collected.
- Option C: Blocking the IP may help containment, but the stem prioritizes preservation of ephemeral evidence first, and waiting for a host image is not practical here.
- Option D: Deleting identities and rebuilding are eradication steps that would alter the environment before evidence is preserved.

Question 5

An analyst is mapping an intrusion to MITRE ATT&CK using the following timeline:
- 07:41 User opened Benefits_Update.html
- 07:43 mshta.exe launched powershell.exe
- 07:45 rundll32.exe accessed LSASS memory and wrote a dump file
- 07:47 A new service named adminsvc was created on SRV-APP02 from the compromised host

Which ATT&CK tactic best describes the 07:45 activity?

A) Credential Access

B) Discovery

C) Persistence

D) Exfiltration


Correct Answer: A

Explanation:

Correct answer (A): Accessing LSASS memory to dump credentials is a classic credential theft behavior. In MITRE ATT&CK, that aligns with the Credential Access tactic because the attacker is trying to obtain authentication material for later movement or privilege use. This is distinct from persistence actions such as creating services.

Why the other options are wrong:
- Option B: Discovery involves learning about systems, accounts, or the environment. Dumping LSASS is more specific to stealing credentials than to general enumeration.
- Option C: Persistence refers to maintaining access over time, such as by adding services or startup entries. The LSASS dump itself is not primarily a persistence action.
- Option D: Exfiltration is the removal of data from the environment. The 07:45 event concerns credential theft, not data transfer out of the network.

Question 6

Incident timeline:
- 09:12 EDR alert on WIN10-HR22: WINWORD.EXE spawned powershell.exe, which downloaded hxxp://198.51.100.44/a.ps1
- 09:14 Analyst captured memory and exported the running process list because HR said disciplinary action may follow
- 09:15 User is still logged in and the host remains connected to the corporate LAN
- 09:16 No other related alerts are visible yet

What should the analyst do NEXT?

A) Reboot the host to stop the script

B) Isolate the host from the network

C) Delete the email from all user mailboxes

D) Start the lessons-learned meeting


Correct Answer: B

Explanation:

Correct answer (B): The analyst already preserved the volatile evidence most likely to be lost by changing system state. The next priority is containment, so isolating the host from the network is the best action. That limits further command-and-control activity or lateral movement while avoiding unnecessary destruction of remaining evidence. This reflects the normal CySA+ sequencing of detection and analysis, evidence preservation when needed, then containment before eradication and recovery.

Why the other options are wrong:
- Option A: Rebooting might interrupt the script, but it changes system state and can destroy volatile evidence. It is not the best next step when containment can be achieved more safely through isolation.
- Option C: Deleting the phishing email could be useful later for broader remediation, but it does not immediately contain the already-compromised endpoint in the stem.
- Option D: Lessons learned is a post-incident activity performed after containment, eradication, recovery, and validation.

Question 7

Artifact:
- 14:05 Counsel notice: "Legal hold is now in effect for the suspected insider case involving user mlee. Preserve potentially relevant email, endpoint images, proxy logs, and file access logs for the defined scope."
- 14:06 Backup policy note: email retention cleanup runs at 00:00
- 14:06 Proxy logs roll every 12 hours
- 14:07 Manager asks what to do next

What should the analyst do?

A) Suspend routine deletion for the defined scope and preserve the identified evidence sources immediately

B) Continue normal retention and rely on tomorrow's backups to capture anything still needed

C) Reimage the user's laptop at once so the employee cannot alter data before HR is notified

D) Send the full case details to all IT teams so everyone knows not to delete anything locally


Correct Answer: A

Explanation:

Correct answer (A): Once a legal hold is in effect, potentially relevant data in scope must be preserved and routine deletion or alteration must stop for that scope. The scenario also shows imminent retention loss for email and proxy logs, so immediate preservation is required. Broad disclosure is unnecessary, and destructive actions like reimaging would undermine the hold.

Why the other options are wrong:
- Option B: Waiting for normal backups risks losing data that will be deleted or rolled over before the next cycle.
- Option C: Reimaging can destroy evidence and conflicts with the preservation requirement stated by counsel.
- Option D: Need-to-know still applies; broad distribution of case details is not the best preservation action.

Question 8

An application server is nearing return to service after a malware incident. The current checklist shows:
- Malicious files removed from APP-07
- User passwords reset
- Temporary firewall blocks still active
- Containment complete
- Planned production return at 18:00

What is the most important action before APP-07 is returned to production?

A) Verify scheduled tasks, startup entries, and unauthorized accounts are absent and monitor for recurrence

B) Remove all temporary firewall blocks first so application testing is easier

C) Start the root cause analysis meeting before validating the host state

D) Restore the last backup even though the system is already cleaned


Correct Answer: A

Explanation:

Correct answer (A): Recovery is not complete just because obvious malicious files were removed. Before returning a system to production, analysts should verify that persistence mechanisms and unauthorized access paths are gone and that monitoring is in place to detect recurrence. That confirms eradication was actually successful.

Why the other options are wrong:
- Option B: Removing temporary controls before validation may expose the environment too early. Testing should not replace assurance that the threat is gone.
- Option C: Root cause analysis is valuable, but it is a post-incident activity and should not replace technical validation before return to service.
- Option D: Restoring from backup may be appropriate in some cases, but the stem says the host is already cleaned. The more important remaining task is validation of eradication and persistence removal.

Question 9

Severity matrix excerpt:
- Critical: Tier-1 asset compromise OR confirmed regulated data exposure affecting more than 100 records
- High: Sensitive business system compromise OR disruption affecting more than 25 users
- Medium: Single user or system compromise with limited impact
- Low: Blocked activity with no impact

Incident details: EDR confirmed malicious remote access on FIN-PRD-DB01, a tier-1 payroll database. Investigators verified that 350 employee records containing SSNs were queried and exported to an external IP.

What severity should the analyst assign?

A) Low

B) Medium

C) High

D) Critical


Correct Answer: D

Explanation:

Correct answer (D): The incident meets the matrix's Critical criteria in two separate ways: it involves a tier-1 asset and confirmed exposure of regulated data affecting more than 100 records. This teaches an important CySA+ principle: severity is based on stated impact, scope, data sensitivity, and asset criticality, not just the presence of malware or remote access.

Why the other options are wrong:
- Option A: Low applies to blocked activity with no impact, which is the opposite of a confirmed compromise and export of SSNs.
- Option B: Medium is for limited impact to a single user or system. The stated business criticality and data exposure make that too low.
- Option C: High understates the incident because the provided matrix explicitly defines this scenario as Critical.

Question 10

A SOC analyst receives the following EDR alert for a production laptop used by the Finance director:
- 09:14 WINWORD.EXE spawned powershell.exe
- 09:15 powershell.exe connected to 185.77.1.24:443
- 09:16 EDR automatic memory capture: SUCCESS
- 09:17 User still connected to corporate VPN

The analyst has high confidence malware executed. The immediate goal is to prevent lateral movement while keeping available evidence intact. What is the best next action?

A) Isolate the laptop from the network using the EDR platform

B) Reboot the laptop to stop the suspicious process chain

C) Delete the suspected malware files from the user profile

D) Ask the user to continue working while the SOC monitors activity


Correct Answer: A

Explanation:

Correct answer (A): Isolation is the best immediate containment step because the host is still connected to the VPN and evidence has already been preserved through the successful memory capture. In this scenario, preventing spread and additional command-and-control activity takes priority over cleanup. Rebooting or deleting files would alter evidence and may remove useful artifacts before analysis is complete.

Why the other options are wrong:
- Option B: Rebooting may interrupt the malware, but it destroys volatile evidence and is less controlled than network isolation.
- Option C: Deleting files is eradication, not the best first containment action. It can also remove artifacts needed for analysis.
- Option D: Leaving the user online creates unnecessary risk of lateral movement, more downloads, or data loss.
