Mock Exam Part 3: Operations, Incident Response, and Forensics
Answer 25 questions on endpoint security, IAM, vulnerability management, incident response lifecycle, and digital forensics procedures.
Mock Exam Part 3: Operations and Forensics
Welcome to Mock Exam Part 3, the most heavily tested domain: Security Operations (Domain 4, 28%). This domain covers what security professionals do daily — managing identities, securing endpoints, monitoring networks, responding to incidents, and conducting forensic investigations. Questions here are heavily scenario-based, testing your ability to choose the right action given a specific situation. This section also samples Domain 5 (Security Program Management, 20%) which covers risk management, compliance, and governance. Together these domains represent 48% of your exam score — nearly half.
Q1: Incident Response Phase Application
Question: A security analyst confirms that a workstation is actively communicating with a known botnet C2 server. The analyst isolates the workstation from the network. What IR phase does this action fall under?
Answer: Containment. The NIST SP 800-61 IR phases and their primary actions: Preparation — building IR plans and teams; Detection and Analysis — confirming that an incident occurred (the analyst has already done this by confirming the C2 communication); Containment — limiting the damage (network isolation is a containment action); Eradication — removing the malware; Recovery — restoring systems to an operational state; Post-Incident Review — lessons learned. Network isolation (disconnecting the host or adding blocking firewall rules) is the quintessential containment action — it stops the attacker from using the compromised host while the investigation continues.