
GCIH Practice Questions: Networked Environment Attack Domain


Master the Networked Environment Attack Domain

Test your knowledge in the Networked Environment Attack domain with these 5 practice questions. Each question is designed to help you prepare for the GCIH certification exam with detailed explanations to reinforce your learning.

Question 1

You are tasked with investigating a suspected network attack where the attacker exploited a vulnerability in a protocol to gain unauthorized access. Using Nmap, you perform a service version scan on the target network. Which Nmap command would you use to identify the services and their versions running on the target hosts?

A) nmap -sP 192.168.1.0/24

B) nmap -sV 192.168.1.0/24

C) nmap -sS 192.168.1.0/24

D) nmap -A 192.168.1.0/24


Correct Answer: B

Explanation: Option B is correct. The '-sV' flag enables service version detection: after the port scan finds open ports, Nmap sends protocol probes to each of them and reports the service, product and version it identifies (for example 'OpenSSH 7.4' rather than just 'ssh'). Option A ('-sP') is the legacy name for the '-sn' host-discovery scan, which only reports which hosts are up and does not scan ports at all. Option C ('-sS') is a TCP SYN scan; it reports open ports together with the service name Nmap looks up in its port-number table, not what is actually listening, so it gives no version information. Option D ('-A') is a superset that enables OS detection, version detection, default NSE scripts and traceroute; it would return the versions, but it is noisier and broader than the question asks for, so '-sV' is the specific answer.
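As an added example (not part of the original question set), the following Python script parses the XML that Nmap writes with -oX and shows concretely what -sV adds over a plain port scan. The XML is a constructed sample in the format Nmap produces: the service element carries method="probed" plus product/version attributes only when a version probe matched, while a port that was only table-matched (what a plain -sS scan yields) has method="table" and no version, as on the second host. The addresses, ports and versions in the sample are made up.

```python
"""Parse Nmap -oX output and separate probed versions from table lookups."""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of: nmap -sV -oX scan.xml 192.168.1.0/24
# Host .10 had both services version-probed; host .20's port 8080 only got
# the nmap-services table name (method="table"), i.e. no real version info.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.1.0/24">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.4" extrainfo="protocol 2.0" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.6" method="probed" conf="10"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="8080">
        <state state="open" reason="syn-ack"/>
        <service name="http-proxy" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="closed" reason="reset"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_services(xml_text):
    """Return one dict per open port: host, port, protocol, service name and,
    when -sV probed the service, its product and version. 'probed' is True
    only when Nmap matched a version probe rather than a port-number table."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            results.append({
                "host": addr_el.get("addr"),
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                "probed": svc is not None and svc.get("method") == "probed",
            })
    return results


def unversioned(results):
    """Open ports with no probe match; candidates for a targeted rescan such as
    'nmap -sV --version-intensity 9 -p <port> <host>' or a manual banner grab."""
    return [r for r in results if not r["probed"]]


if __name__ == "__main__":
    found = parse_services(SAMPLE_XML)
    for r in found:
        print(f"{r['host']}:{r['port']}/{r['proto']} {r['service']} "
              f"{r['product'] or '?'} {r['version'] or '?'} probed={r['probed']}")
    print("needs rescan:", [(r["host"], r["port"]) for r in unversioned(found)])
```

The 'probed' flag is the practical point of the question: a table-derived name such as 'http-proxy' on 8080 is a guess from the port number, and only a probed entry gives the product and version you need to match against a vulnerability advisory.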

Question 2

An incident handler receives an alert about a potential Distributed Denial of Service (DDoS) attack targeting the organization’s web server. What should be the handler's first priority?

A) Contact the Internet Service Provider (ISP) for assistance.

B) Implement rate limiting on the affected server.

C) Verify the alert by checking network traffic patterns.

D) Activate the organization's DDoS mitigation plan.


Correct Answer: C

Explanation: The first priority is to verify the alert by checking network traffic patterns (Option C): compare the current request rate, bandwidth and number of distinct source addresses against the server's normal baseline, and look at the requests themselves. A spike caused by a marketing campaign, a misbehaving client or a broken monitoring feed looks like a DDoS on a dashboard, and acting on a false positive wastes the ISP's time and can cause an outage of your own making. Contacting the ISP (Option A) and activating the mitigation plan (Option D) come after verification, and in practice the plan is what tells you when to call the ISP. Rate limiting (Option B) may be part of the mitigation, but its thresholds should be set from what the verified traffic actually shows.

Question 3

An incident handler receives an alert of unusual outbound traffic from a critical server. What is the best first step to take in this situation?

A) Immediately disconnect the server from the network.

B) Analyze the traffic using Wireshark to identify the destination and nature of the traffic.

C) Perform a full forensic disk image of the server.

D) Review the server's recent logs for any unauthorized access attempts.


Correct Answer: B

Explanation: Analyzing the traffic with Wireshark (Option B) is the best first step because it shows immediately where the traffic is going, what protocol it uses and how much data is leaving, which is what determines the severity and scope of the incident. Capture from a SPAN port, a tap or a dedicated sensor rather than by installing a capture tool on the suspect server, so the server's own state is not altered and a compromised host cannot hide its traffic from you. Disconnecting the server (Option A) could take down a critical service and is reserved for cases where the traffic is confirmed to be malicious; once the destination is a known indicator, as in the next question, containment does come first. A forensic disk image (Option C) is an evidence-preservation step, not an immediate response action. Reviewing logs (Option D) is useful, but live traffic gives more direct information about what is happening right now.

Question 4

During an incident response, you suspect that a host in your network is communicating with a known malicious IP address. What is the most effective initial action you should take?

A) Isolate the host from the network.

B) Capture a full packet capture of the network traffic.

C) Conduct a vulnerability scan on the host.

D) Review the firewall logs for any anomalies.


Correct Answer: A

Explanation: The best initial action is to isolate the host from the network (Option A). Unlike the previous question, the indicator here is already confirmed (a known malicious IP), so containment comes first: cutting the connection stops further command-and-control traffic, exfiltration or lateral movement. Isolate at the switch port, the firewall or an EDR agent rather than by powering the machine off, so memory and running processes survive for analysis. A full packet capture (Option B) and the firewall logs (Option D) are the evidence you gather next, and the firewall logs that raised the alert should be preserved because they already record the connections in question. A vulnerability scan (Option C) does nothing to stop the malicious communication and can wait until the host is being remediated.

Question 5

An alert indicates a large volume of ICMP traffic from a single internal IP to multiple external IPs. What should be your first response?

A) Perform a traceroute to one of the external IPs.

B) Check for any recent changes in the network configuration.

C) Block the internal IP from sending ICMP packets.

D) Capture ICMP traffic for deeper analysis.


Correct Answer: C

Explanation: The first response is to block the internal IP from sending ICMP packets (Option C). A single internal host sending a large volume of ICMP to many external addresses is the signature of a compromised machine doing a ping sweep, tunneling data out over ICMP, or taking part in a flood; blocking at the egress firewall contains all three while you investigate. Capturing the traffic for deeper analysis (Option D) and checking for recent configuration changes (Option B) are the next steps, and the firewall and flow logs that raised the alert should be preserved because they already hold the history of the traffic. A traceroute (Option A) tells you the path to one destination and nothing about why the host is sending the traffic.
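As an added example (not from the original page), this Python script shows the kind of traffic-pattern check that Question 2 calls for before a DDoS mitigation plan is triggered, and the fan-out check behind the alert in Question 5. It runs over constructed flow records modeled on the main Zeek conn.log fields (timestamp, originator address and port, responder address and port, protocol); the web server address, internal ranges, baseline figures and thresholds are assumptions that a real deployment would replace with its own.

```python
"""Verify a DDoS alert and find ICMP fan-out from constructed flow records."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions for this example: the targeted web server, the internal ranges,
# and a baseline for the server (normal connections and distinct client IPs
# per minute), which in practice come from historical flow data.
WEB_SERVER = "203.0.113.10"
INTERNAL_NETS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]
BASELINE_CONN_PER_MIN = 120
BASELINE_SRC_PER_MIN = 40
BASE_TS = 1700000040  # divisible by 60, so each constructed minute is one bucket


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse 'ts orig_h orig_p resp_h resp_p proto' records (a conn.log subset)."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, oh, op, rh, rp, proto = line.split()
        flows.append({"ts": float(ts), "orig_h": oh, "orig_p": int(op),
                      "resp_h": rh, "resp_p": int(rp), "proto": proto})
    return flows


def verify_ddos_alert(flows, server, window=60.0):
    """Bucket TCP connections to `server` per window and return the busiest
    bucket with a verdict. Volume alone is not enough: one noisy client or a
    crawler inflates the count, so confirmation also requires many distinct
    sources well above baseline."""
    buckets = defaultdict(list)
    for f in flows:
        if f["resp_h"] == server and f["proto"] == "tcp":
            buckets[int(f["ts"] // window)].append(f["orig_h"])
    if not buckets:
        return {"verdict": "no traffic to server"}
    bucket, sources = max(buckets.items(), key=lambda kv: len(kv[1]))
    summary = {"window": bucket, "connections": len(sources),
               "distinct_sources": len(set(sources))}
    summary["conn_x_baseline"] = summary["connections"] / BASELINE_CONN_PER_MIN
    summary["src_x_baseline"] = summary["distinct_sources"] / BASELINE_SRC_PER_MIN
    confirmed = summary["conn_x_baseline"] >= 5 and summary["src_x_baseline"] >= 5
    summary["verdict"] = "confirmed volumetric DDoS" if confirmed else "not confirmed"
    return summary


def icmp_fanout(flows, threshold=20):
    """Internal hosts that sent ICMP to more than `threshold` distinct external
    destinations: the pattern of a ping sweep, an ICMP tunnel or a flood source."""
    dests = defaultdict(set)
    for f in flows:
        if f["proto"] == "icmp" and is_internal(f["orig_h"]) and not is_internal(f["resp_h"]):
            dests[f["orig_h"]].add(f["resp_h"])
    return {src: len(d) for src, d in dests.items() if len(d) > threshold}


def build_sample():
    """Constructed records: a normal minute (100 connections from 30 clients),
    a flood minute (720 connections from 300 sources), one internal host
    pinging 50 external addresses, and a benign host pinging two."""
    lines = ["# ts orig_h orig_p resp_h resp_p proto"]
    for i in range(100):
        lines.append(f"{BASE_TS + i * 0.5} 198.51.100.{i % 30 + 1} {40000 + i} {WEB_SERVER} 443 tcp")
    for i in range(720):
        n = i % 300 + 1
        lines.append(f"{BASE_TS + 60 + i / 12} 198.18.{n // 256}.{n % 256} {50000 + i} {WEB_SERVER} 443 tcp")
    for i in range(50):
        lines.append(f"{BASE_TS + i} 192.168.1.50 8 192.0.2.{i + 1} 0 icmp")
    for i in range(2):
        lines.append(f"{BASE_TS + i} 192.168.1.7 8 192.0.2.{i + 1} 0 icmp")
    return "\n".join(lines)


if __name__ == "__main__":
    flows = parse_flows(build_sample())
    print(verify_ddos_alert(flows, WEB_SERVER))
    print(icmp_fanout(flows))
```

The two checks are the decisions the explanations describe: the DDoS verdict rests on both volume and source diversity against a baseline, so a single client hammering the server is reported as 'not confirmed' and handled differently, and the ICMP check keys on distinct external destinations per internal host, which is what separates a sweep or tunnel from a host that merely pings its gateway a lot.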

Ready to Accelerate Your GCIH Preparation?

Join thousands of professionals who are advancing their careers through expert certification preparation with FlashGenius.

  • ✅ Unlimited practice questions across all GCIH domains
  • ✅ Full-length exam simulations with real-time scoring
  • ✅ AI-powered performance tracking and weak area identification
  • ✅ Personalized study plans with adaptive learning
  • ✅ Mobile-friendly platform for studying anywhere, anytime
  • ✅ Expert explanations and study resources

About GCIH Certification

The GCIH certification validates your expertise in networked environment attack and other critical domains. Our comprehensive practice questions are carefully crafted to mirror the actual exam experience and help you identify knowledge gaps before test day.


Want the Full Ultimate GCIH Guide?

Dive deeper into exam details, preparation strategies, career impact, and much more with our comprehensive resource:

Ultimate Guide to GCIH – GIAC Certified Incident Handler Certification (5 min read)