4.3 Scenario Practice for Incident Response Management
Key Takeaways
- Read scenario stems for role, lifecycle phase, the specific IOC, and the next defensible action.
- A virtual CSIRT uses cross-departmental staff part-time; a dedicated CSIRT does IR full-time.
- Eradication must remove every persistence mechanism before any recovery begins.
- Stakeholder and regulatory notification timing is part of the workflow, not an afterthought.
Scenario questions are where CS0-003 separates memorizers from analysts. Use a five-step read: role (what are you, an analyst or IR lead?), phase (where in the NIST lifecycle?), indicator (the specific IOC or behavior), action (the next defensible step), and output (what state results).
Team models and roles
Know the team structures, because stems name them as distractors:
| Team model | Description | Best fit |
|---|---|---|
| Dedicated CSIRT | Full-time staff whose only job is IR | Large enterprises, frequent incidents |
| Virtual / part-time team | Cross-department staff with IR duties added to regular jobs | Smaller orgs, infrequent incidents |
| Coordinating / hybrid | Central team guides distributed responders | Multi-site or federated orgs |
| MSSP / outsourced | Third-party provider handles detection/response | Limited internal capability |
Also know supporting roles: legal (privilege, regulatory exposure), human resources (insider cases), public relations / communications (breach disclosure), and executive sponsors (declaring a major incident).
Worked scenario: ransomware
Stem: "Ransomware encrypts file servers. The team contains the spread. What is the priority during eradication?" The cue is the word eradication. The correct action is to identify and remove all malware artifacts and persistence mechanisms (dropped binaries, scheduled tasks, rogue accounts) before any restore. "Restore from backups" is tempting but premature -- it belongs to recovery and risks reinfection. "Contact the media" and "buy cyber insurance" are not eradication activities.
Worked scenario: notification timing
Stem: "Customer PII was exfiltrated; the IR plan and applicable regulation require notification." The cue is regulatory. Notification timing and content follow the legal/compliance track in parallel with technical response -- you do not wait until full recovery. Many regulations impose tight breach-notification windows (for example, certain frameworks require notification within 72 hours of discovery), so flag legal early. The exam rewards answers that engage legal and communications stakeholders at the right time rather than treating disclosure as a final step.
Worked scenario: web server compromise
Stem: "An attacker exploited a known web-app vulnerability, dropped a web shell, created a local admin account, and disabled logging." Because persistence is deep and logging is compromised, the defensible recovery is to rebuild from clean images, patch before deployment, restore only data from immutable backups, and reconfigure monitoring -- not "delete the web shell and change passwords," which leaves unknown artifacts behind. When compromise depth is uncertain, prefer the full rebuild.
- Identify the role and authority you hold
- Anchor the lifecycle phase named or implied
- Underline the indicator (web shell, beacon, brute force)
- Choose the next action, not the eventual one
- Confirm the output matches the stem's goal
Worked scenario: insider and chain of custody
Stem: "HR reports an employee may be exfiltrating data to a personal cloud account; legal anticipates litigation." The cues are insider and litigation. The defensible actions: loop in legal and HR early, preserve evidence under a documented chain of custody, image the workstation with a write blocker, hash the image (SHA-256), and avoid tipping off the employee. "Confront the employee immediately" destroys the investigation; "delete the suspicious files" destroys evidence. When litigation is implied, evidence integrity outranks speed every time.
Worked scenario: distinguishing detection from a false positive
Stem: "The SIEM alerts on a login from an unusual country, but the user is traveling on approved business." The cue is the benign explanation. The correct action is to validate and document the alert as a false positive, then tune the rule -- not declare an incident. CySA+ rewards triage discipline: confirm the true/false positive before escalating, because over-declaring wastes resources and erodes trust in the SOC. Conversely, a real beacon dismissed as noise is a costly false negative.
Reading the answer choices
In two-plausible-answer stems, eliminate by sequence and evidence: which choice is too early (recover before eradicate), which destroys volatile data, which ignores a stakeholder the stem named (legal, HR, regulator). The remaining choice is almost always the answer. Watch absolute words like "immediately" and "all" -- they are correct only when the stem genuinely demands them.
Worked scenario: brute-force against a web portal
Stem: "The SIEM shows thousands of failed logins against a public portal from one IP, then a single success." The single success after mass failures is the key cue -- this is an attrition vector (brute force) that likely succeeded. The next defensible actions are to disable or force a reset on the affected account, block the source IP, and hunt for what the attacker did after login (the IOA shift from failed to successful access). "Tune the alert and move on" is wrong because a compromise occurred; "reimage the portal" is premature without scoping. Match the action to the evidence that access was achieved.
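The cue in this stem (mass failures from one source, then a success) is easy to express as detection logic. The following is an added example, not code from the original study guide or any vendor's SIEM; the log line format, field names and the sample events are constructed for illustration, and the threshold and window are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth log format (not a real product's format):
# <ISO timestamp> portal auth <FAIL|OK> user=<name> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) portal auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse(line):
    """Return a dict for a well-formed line, or None for lines we do not understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    return ev


def find_brute_force_success(lines, threshold=20, window=timedelta(minutes=10)):
    """Flag a successful login preceded by >= threshold failures from the same source IP
    within the window. A success after only a couple of failures (a user's typo) is not
    flagged, which is the triage discipline the false-positive scenario asks for."""
    failures = defaultdict(list)  # src ip -> timestamps of recent failed logins
    hits = []
    for raw in lines:
        ev = parse(raw)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        failures[src] = [t for t in failures[src] if ts - t <= window]  # expire old ones
        if ev["result"] == "FAIL":
            failures[src].append(ts)
            continue
        if len(failures[src]) >= threshold:  # attrition that likely succeeded: scope post-login
            hits.append({"src": src, "user": ev["user"], "ts": ts.strftime(TS_FMT),
                         "failures": len(failures[src])})
        failures[src].clear()
    return hits


def build_sample():
    """Constructed sample: one source sprays 60 failures across accounts then logs in as
    jsmith; a legitimate user elsewhere mistypes twice and then succeeds."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    fmt = lambda s: (base + timedelta(seconds=s)).strftime(TS_FMT)
    lines = [f"{fmt(i)} portal auth FAIL user=user{i % 7} src=203.0.113.9" for i in range(60)]
    lines.append(f"{fmt(61)} portal auth OK user=jsmith src=203.0.113.9")
    lines += [f"{fmt(120 + i)} portal auth {r} user=alice src=198.51.100.4"
              for i, r in enumerate(["FAIL", "FAIL", "OK"])]
    return lines
```

The hit record names the account to disable or reset and the source to block, and its timestamp is where the post-login hunt starts.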
Worked scenario: choosing what to preserve
Stem: "An analyst will pull a suspected host for forensics; the team needs the strongest evidence." The defensible sequence is to capture volatile memory first (RAM, network connections, running processes), then create a forensic image of the disk with a write blocker, hashing both. The wrong answer copies files with the OS file explorer (which alters timestamps and metadata) or shuts down first (which destroys RAM). Tie every preservation choice back to the order of volatility and chain-of-custody integrity, and the answer becomes unambiguous.
An organization staffs incident response with employees from IT, legal, and operations who perform IR duties alongside their normal jobs. Which team model is this?
After containing a ransomware outbreak, what is the priority during the eradication phase?