Chapter 28 Quiz: Advanced Incident Response

Test your knowledge of major incident command structures, war room management, forensic preservation, and the full IR lifecycle from detection to lessons learned.


Questions

1. During a large-scale ransomware incident, your organization activates the Incident Command System (ICS). Which role is responsible for managing communication with external parties, including media, regulators, and law enforcement?

  • A) Operations Section Chief
  • B) Planning Section Chief
  • C) Public Information Officer (PIO)
  • D) Incident Commander
Answer

C — Public Information Officer (PIO)

In ICS, the Public Information Officer is a Command Staff role reporting directly to the Incident Commander. The PIO manages all external communications, including media statements, regulatory notifications, and coordination with law enforcement. The Incident Commander maintains overall strategic control, while the Operations Section Chief directs the tactical response.


2. A war room has been stood up for a critical incident. The IR lead notices that executives are continuously interrupting the technical team with status questions every 10 minutes. Which war room structure best addresses this?

  • A) Ask executives to leave the war room entirely
  • B) Establish a separate executive briefing room with scheduled updates every 60–90 minutes and a designated liaison
  • C) Allow questions only via chat so technical staff can ignore them
  • D) Promote the CISO to Incident Commander to absorb executive inquiries
Answer

B — Establish a separate executive briefing room with scheduled updates every 60–90 minutes and a designated liaison

Best practice is a two-room model: a technical war room for IR staff doing hands-on work, and a separate command room for executives and decision-makers. A designated liaison (often a senior IR manager) bridges the rooms on a scheduled cadence, preventing disruptive interruptions while keeping leadership informed.


3. External legal counsel is engaged during an active breach. What is the primary reason organizations route IR communications through counsel?

  • A) Attorneys have cybersecurity certifications required for evidence handling
  • B) To establish attorney-client privilege over IR findings and reports
  • C) External counsel can directly interface with threat actors for ransom negotiation
  • D) Legal counsel manages forensic tool licensing agreements
Answer

B — To establish attorney-client privilege over IR findings and reports

Routing IR work product (reports, findings, forensic summaries) through legal counsel can establish attorney-client privilege, protecting those documents from compelled disclosure in litigation or regulatory proceedings. This is a deliberate legal strategy. Privilege does not automatically apply — the engagement must be structured correctly with counsel directing the work.


4. An analyst is responding to an active intrusion. Before evicting the threat actor, which forensic preservation action is highest priority?

  • A) Reimage all compromised systems immediately to stop the bleeding
  • B) Acquire memory images (RAM) from active compromised hosts before any remediation
  • C) Collect only disk images since volatile memory is not admissible in court
  • D) Disconnect all affected systems from the network without any prior collection
Answer

B — Acquire memory images (RAM) from active compromised hosts before any remediation

Volatile memory contains running processes, network connections, encryption keys, injected code, and attacker tooling that disappears on reboot or shutdown. The standard forensic order of volatility places RAM first. Disk images can be acquired second. Reimaging without collection (A) destroys evidence. Disconnecting without collection (D) also loses volatile data.


5. Your IR team has identified all attacker footholds, malware persistence mechanisms, and compromised accounts. The team debates whether to evict or eradicate first. What is the correct sequence?

  • A) Eradicate each foothold as discovered, then verify eviction
  • B) Fully map all attacker footholds first, then execute eviction and eradication simultaneously in a coordinated action
  • C) Notify the threat actor via their C2 channel before eviction to comply with regulations
  • D) Evict the threat actor immediately upon discovering the first foothold
Answer

B — Fully map all attacker footholds first, then execute eviction and eradication simultaneously in a coordinated action

Premature eviction alerts the threat actor and risks their destroying evidence, pivoting to undetected footholds, or accelerating destructive actions (e.g., ransomware detonation). Best practice is to observe silently while mapping the full set of footholds, then execute a coordinated, simultaneous eviction across all of them. This maximizes the chance of complete removal.


6. After evicting a threat actor, the organization needs to rebuild a critical database server that was confirmed compromised. What is the safest rebuild strategy?

  • A) Run a full AV scan and remove detected malware; return the server to production
  • B) Restore from the most recent backup taken before the compromise date, then patch
  • C) Rebuild from a golden image (known-good baseline) and restore data from a pre-compromise backup
  • D) Rebuild from a golden image and restore data from the most recent backup regardless of compromise timeline
Answer

C — Rebuild from a golden image (known-good baseline) and restore data from a pre-compromise backup

The only safe recovery is to rebuild OS/applications from a trusted known-good source (golden image) and restore data from a backup confirmed to predate the compromise. Restoring from any post-compromise backup risks reintroducing the threat. Running AV only (A) misses fileless and advanced persistence. Option D risks restoring compromised data.


7. During a post-incident lessons learned session, a team member says "we should just buy better tools." Which lessons learned framework principle does this violate?

  • A) Lessons should be action-oriented
  • B) Lessons should identify root causes, not surface-level symptoms, and include specific, measurable corrective actions
  • C) Lessons should be documented only by the CISO
  • D) Lessons learned sessions must occur within 24 hours of containment
Answer

B — Lessons should identify root causes, not surface-level symptoms, and include specific, measurable corrective actions

"Buy better tools" is a surface-level reaction that doesn't address root cause (e.g., why did existing tools fail? Was it configuration, coverage gap, training, or process?). Effective lessons learned use root cause analysis techniques (5 Whys, fishbone), identify systemic failures, and produce specific, owner-assigned, time-bound corrective actions.


8. An organization measures IR effectiveness using MTTC. What does MTTC stand for, and what does it measure?

  • A) Mean Time to Containment — the average time from incident detection to containing the threat
  • B) Mean Time to Compromise — the average time an attacker needs to gain initial access
  • C) Maximum Threat Timeline to Closure — the longest open incident duration
  • D) Mean Time to Correlation — how fast the SIEM correlates events into alerts
Answer

A — Mean Time to Containment — the average time from incident detection to containing the threat

MTTC (Mean Time to Containment) measures the average elapsed time from when an incident is detected to when it is contained (attacker movement stopped, spread halted). It is a key IR efficiency metric alongside MTTD (Mean Time to Detect) and MTTR (Mean Time to Recover). Lower MTTC indicates more effective IR execution.


9. An organization is selecting an IR retainer model. They want guaranteed response within 4 hours for major incidents and the ability to call the same team that knows their environment. Which retainer model best fits this need?

  • A) Ad-hoc (break-glass) retainer — pay per engagement as needed
  • B) Dedicated retainer with a named team, pre-agreed SLAs, and environment familiarization sessions
  • C) Managed SOC subscription with IR included as a feature
  • D) Bug bounty program with IR response capability
Answer

B — Dedicated retainer with a named team, pre-agreed SLAs, and environment familiarization sessions

A dedicated IR retainer provides: contractual SLAs (4-hour response), a named team familiar with the client's environment (via pre-engagement workshops), and priority escalation. Ad-hoc (A) has no SLAs and the responders won't know the environment. A managed SOC (C) handles monitoring but typically lacks deep IR forensics capability.


10. A CISO is asked to present incident response metrics to the board. Which metric combination most accurately reflects both speed and financial impact of IR performance?

  • A) Number of incidents investigated and number of alerts closed
  • B) MTTD, MTTC, MTTR, and total incident cost (direct + indirect)
  • C) EDR coverage percentage and patch compliance rate
  • D) Number of retainer hours consumed and analyst overtime costs
Answer

B — MTTD, MTTC, MTTR, and total incident cost (direct + indirect)

Board-level IR metrics should address both operational performance (how quickly we detect, contain, and recover: MTTD, MTTC, MTTR) and financial impact (total incident cost including legal, notification, lost business, remediation, and reputational costs). Alert counts (A) are operational metrics without business context. Coverage and patch rate (C) are preventive, not IR, metrics.


Scoring

Score   Performance
9–10    Expert — Advanced IR command, forensic, and lifecycle concepts fully internalized
7–8     Proficient — Ready to lead major incident response operations
5–6     Developing — Review Chapter 28 sections on ICS structure, eviction sequencing, and lessons learned
<5      Foundational — Re-read Chapter 28 before proceeding