CCE CCE Incident Response & Malware Analysis

Question 1

According to NIST SP 800-61, what are the four phases of the incident response lifecycle?

Accepted Answer

Preparation, Detection & Analysis, Containment/Eradication/Recovery, Post-Incident Activity

Answer

Identify, Protect, Detect, Respond

Answer

Triage, Investigation, Remediation, Closure

Answer

Planning, Execution, Review, Reporting

Question 2

During malware analysis, what is the difference between static and dynamic analysis?

Accepted Answer

Static analysis examines the malware without executing it; dynamic analysis runs the malware in a controlled environment

Answer

Static analysis runs the malware; dynamic analysis reads the binary without executing it

Answer

Static analysis uses network traffic; dynamic analysis uses memory dumps

Answer

Static analysis is faster than dynamic analysis in all cases

Question 3

What is a 'sandbox' in the context of malware analysis?

Accepted Answer

An isolated virtual environment used to execute and observe malware behavior safely

Answer

A secure offline backup system

Answer

A network segment used for testing patches

Answer

A forensic write blocker

Question 4

In incident response, what does the term 'containment' refer to?

Accepted Answer

Limiting the spread and impact of an incident while preserving forensic evidence

Answer

Deleting all evidence of the incident

Answer

Restoring systems to their pre-incident state

Answer

Reporting the incident to law enforcement

Question 5

What tool would a CCE examiner use to examine strings embedded in a malware binary without executing it?

Accepted Answer

The 'strings' utility or BinText

Answer

Volatility

Answer

Wireshark

Answer

Autopsy

Question 6

What is 'indicators of compromise' (IOCs) and how are they used in incident response?

Accepted Answer

Observable artifacts (IP addresses, file hashes, registry keys) that indicate a system may be compromised

Answer

Documented software vulnerabilities used to patch systems

Answer

Legal court orders for seizing digital evidence

Answer

Network performance benchmarks