🎓 CISSP Practice - Domain 7 - Security Operations

Q7. A SIEM rule fires on “impossible travel” when a user logs in from New York and then from Sydney five minutes later. Investigation shows the user is a developer who scripted an API call from a Sydney VPS listed on a major cloud provider.

Q4. A hospital’s medical-device VLAN is air-gapped except for a weekly one-hour window when a vendor support laptop is connected to push firmware updates. During a quarterly audit, the SOC finds that the laptop’s antivirus pattern file is 14 months old and the OS last patched 18 months ago. The vendor claims the laptop is never online, therefore “unhackable.” Which security-operations concept BEST refutes the vendor’s assertion?

Q2. A manufacturing plant uses a safety instrumented system (SIS) that shuts down turbines when vibration exceeds 4 mm/s. The OT-security team wants to add a network IDS tap on the same span port that carries SIS traffic, but the plant engineer refuses, citing safety-critical latency. The CISO insists the IDS is necessary to detect Stuxnet-like malware. Which security-operations concept should the CISO cite FIRST to justify a compensating control that satisfies both parties?

Q1.

Q1. A global retailer’s SOC has been running a legacy SIEM that cannot parse JSON logs from the company’s new cloud-native payment application. During the first week of deployment, an attacker makes 200,000 micro-refund requests that individually fall below the dollar limit that would trigger the rule-based fraud engine. The SIEM shows “unknown log format” alerts, but analysts discard them as noise. Which security-monitoring principle has MOST clearly failed?

Q4. A SIEM rule fires: “Multiple AWS Console logins from the same Identity Center user but two different browser fingerprints within 5 min.” The source IPs are both in the AWS-owned EC2 address space and geolocated to us-east-1. The user swears she only uses her corporate laptop with Chrome. CloudTrail shows AssumeRole events with externalId matching the corporate IdP.

Q2. A DevOps pipeline that builds container images for a public-facing micro-service suddenly starts failing code-signing validation. The checksums of the last three images differ from the signed manifest even though the Git commit hashes are unchanged. The build servers are fully patched, and AV scans are negative. Which detective control would have MOST effectively uncovered the attack vector?

Q8. A small SOC has two analysts on the night shift. A worm propagates at 01:48, generating 1,800 new alerts per minute. The SIEM auto-creates tickets, but the analysts spend 30 minutes trying to suppress the alert storm instead of containing the worm. After-action review shows the top three alert types were identical except for source IP. Which SOAR playbook component would BEST optimize future response?

Q6. A Fortune-100 company uses a central log lake with 90-day online retention and 2-year cold-store. A new privacy regulation requires that any EU employee IP address older than 30 days be “forgotten,” yet the SOC still needs to detect long-term attack campaigns. Which security-operations solution BEST balances compliance and detection?

Q1. A global SaaS provider’s SOC has deployed an AI-driven user-behavior analytics (UBA) platform. Over a 7-day period the engine alerts on a sales rep who normally works 09:00-17:00 ET but whose account is now generating API calls from IP space registered in Romania at 03:00 ET. The first three alerts are investigated and closed as “false positive—user on vacation using personal VPN.” On the eighth night the same credential pair issues 4 000 API calls that exfiltrate 3 TB of CRM data to the same Romanian ASN. Which flaw in security-operation **process** is MOST to blame?

Q5. A SOC manager wants to measure how quickly analysts can triage phishing emails. She configures the mail gateway to inject 10 benign “canary” messages per day that contain known-bad URLs hosted by the security team. After 30 days, only 83 % of the canaries have generated user-reported tickets, and the median user-report time is 4 h 12 m. Which metric is she actually calculating?

Q7. A manufacturing plant’s safety instrumented system (SIS) is air-gapped, but the data-diode that sends read-only sensor data to the business LAN was replaced during maintenance with a bi-directional serial cable. A month later, ransomware on the corporate side pivots into the SIS network and halts production. Which security-operations FAILURE is MOST critical?

Q7. A financial regulator requires that trading firms keep “immutable logs” for seven years. A firm implements WORM (write-once-read-many) S3 buckets with object-lock in compliance mode for 2,555 days. Six months later, an attacker compromises a cloud admin account and creates a new bucket lifecycle rule that moves objects to Glacier Deep Archive, then deletes the bucket policy. The firm argues the logs are still immutable because object-lock is intact. Which security-operations concern BEST refutes the firm’s claim?

Q6. A DevOps team uses containers orchestrated by Kubernetes. A runtime security tool detects that a pod is executing /bin/sh with a newly spawned reverse-shell process. The image hash matches the approved golden image, but the PID tree shows the shell descended from an Apache worker.

Q8. A SOC analyst is building a playbook for “credential-stuffing against customer portal.” Which metric BEST measures the EFFECTIVENESS of the playbook’s containment step?

Q3. A hospital’s medical IoT VLAN segments patient monitors from the rest of the network via ACLs on a core switch. During a penetration test, the tester plugs into a vacant RJ-45 in a patient room and receives an IP address in the monitor VLAN, then successfully transmits spoofed vital-sign packets to the central telemetry server. Which security operations failure is PRIMARY?

Q2. Your organization’s on-premises SIEM forwards syslog messages to a new managed SOC that operates in a different time zone (UTC+2). After the cut-over, analysts complain that forensic timelines are “off” by four hours, causing root-cause analyses to be rejected by auditors. Which security-operation task should be performed **first** to restore evidentiary integrity?

Q6. A cloud-native e-commerce site runs in AWS. A Lambda function triggered by S3 “PUT” events suddenly begins executing 100× normal volume, driving 50 TB/month of data-transfer charges. CloudTrail shows the calls originate from 4,000 unique access keys that do NOT belong to your AWS account. Which detective mechanism would have identified the issue FIRST?

Q9. A red-team exercise reveals that help-desk staff routinely accept “I forgot my password” requests via personal Gmail accounts because the corporate VPN was down. No ticket exists in the ITSM system. Which security operations control is MOST appropriate to prevent recurrence?

Q8. A security team subscribes to a commercial threat-intel feed that delivers SHA-256 hashes of ransomware binaries within 30 minutes of sample discovery. The SOC’s SOAR platform is configured to auto-block these hashes on the enterprise EDR. During a post-mortem the CISO notes that the same ransomware still successfully executed on 42 workstations. Hash-mismatch analysis shows the malware re-packed itself every 45 minutes. Which security-operation improvement is MOST effective?

Q3. A company uses a cloud-based CASB to enforce DLP. An employee uploads 200 GB of customer PII to a personal Google Drive from a corporate laptop while connected to the office guest Wi-Fi. The CASB logs the event but does not block it.

Q10. A security operations center has deployed an EDR solution that hashes every executable on endpoints and compares SHA-256 values to a cloud reputation service. A red-team operator launches a custom Cobalt Strike beacon that re-compiles itself with a 4-byte NOP sled every execution, producing a unique hash each time. The EDR allows the process because the hash is unknown but not explicitly malicious. Which security-operations countermeasure BEST closes this gap without adding excessive false positives?

Q4. Your organization uses a fully managed DNS provider. Yesterday the provider’s name servers began returning 127.0.0.1 for your apex domain, causing a 6-hour customer outage. Post-mortem shows the provider fell victim to a credential-stuffing attack that changed your DNS A records. Which operational control would BEST have reduced the likelihood of this incident?

Q3. A manufacturing plant uses 24×5 operations. Saturday morning the facility manager powers down non-critical PLCs so maintenance can replace relays. On Monday the CISO discovers that one of the PLCs re-booted with firmware three versions older than the Friday image, and the attacker tunnelled into the corporate ERP through the PLC’s back-door account. Which security-operation maturity gap BEST explains the compromise?

Q2. Your organization’s incident-response plan requires that every Severity-1 ticket be accompanied by a SHA-256 hash of the suspect binary before the SOC may escalate it to the malware team. During a tabletop exercise, the red-cell facilitator hands the SOC lead a USB drive labeled “ransomware sample” and asks for the hash. The lead plugs the drive into the analysis laptop, mounts it read-only, and runs sha256sum /dev/sdb. A junior analyst points out that this command hashes the entire block device—including slack space—rather than the file. The facilitator rules that the escalation requirement has NOT been satisfied. Which security-operations principle was most clearly violated?

Q6. A hospital’s medical device network is air-gapped except for a one-way diode that exports HL7 messages to the billing VLAN. During a ransomware event the MRI controllers display the ransom note, yet the diode logs show zero outbound packets. Which security-operation principle is MOST likely violated?

Q10. A global manufacturing firm uses operational-technology (OT) controllers that can only log over Syslog UDP and cannot tolerate packet loss. The SOC wants to send these logs to the cloud SIEM, but the network team refuses to allow UDP/514 through the firewall, citing best-practice restrictions. Which security-operations architecture is the MOST secure compromise?

Q8. A DevOps team uses containers orchestrated by Kubernetes. A vulnerability scan finds 14 Critical CVEs inside a base image pulled from Docker Hub. The image is inside a private registry that the CI/CD pipeline copies every night. Pods are ephemeral and live < 2 h.

Q5. A cloud-first company uses infrastructure-as-code (IaC) to spin up staging environments every night. A developer accidentally commits an AWS security-group rule that opens 0.0.0.0/0 on TCP 3389. The change is auto-applied at 02:00. At 07:00 the SOC receives an AWS GuardDuty alert “RDP brute force from 86 IP addresses.” The company wants to prevent recurrence. Which security-operations activity BEST breaks the error chain?

Q7. During a ransomware outbreak, the IR team decides to activate “isolation” playbooks that cut off the affected site by black-holing its /16 in BGP. The network-ops center reverts the change 45 minutes later, stating that the black-hole also stopped VoIP emergency phones and violated the safety SLA. Which security-operations document should be updated first to prevent recurrence?

Q7. A SaaS company’s incident-response retainer requires the MSSP to meet a 4-hour SLA from ticket open to containment. During a credential-stuffing attack the on-call analyst is stuck in a countryside area with only 2G data service and cannot VPN into the jump host. Thirty minutes later the customer’s single-sign-on (SSO) is breached, leading to 6-hour downtime. Which **BEFORE-the-fact** security-operation control would have BEST reduced the likelihood of SLA breach?

Q1. A global retailer’s SOC is shifting from a 4-tier to a 3-tier follow-the-sun model while simultaneously rolling out an expanded SOAR playbook. During the first weekend, analysts in Manila close 42 % more alerts than the week before, yet the Monday-morning hand-off to the Denver team contains only ticket numbers—no context or run-book links. At 09:12 Denver time, a SIEM rule fires on the same IP range that Manila had already “resolved” as “expected marketing scanner.” Denver re-opens the tickets and escalates them as false-positive tuning requests. Which security-operation metric is MOST directly degraded by this situation?

Q9. A company uses a managed DNS provider that offers a 5-minute TTL. During an incident, the SOC wants to sinkhole a malware domain by redirecting it to a internal honeypot web server. However, the provider’s API is throttled to 10 requests per minute and the domain has 200 A records. The SOC also fears that sudden global DNS changes might impact remote workers’ split-tunnel VPN. Which security-operations procedure BEST balances speed and safety?

Q3. Your organization uses a single Active Directory forest with fine-grained password policies. A red-team exercise discovers that 11 service accounts are configured with “Password never expires” and are members of Domain Admins. The accounts have SPNs defined and show no failed logins in 400 days. Management refuses to disable them because “legacy billing needs them.”

Q5. A Tier-1 analyst receives an alert that a production Linux web server executed “chmod 4777 /usr/bin/vi” at 02:13 local time. The change was rolled back four minutes later. The server is fully patched, and AIDE logs show no other file modifications.

Q1. During a routine SIEM review, a SOC analyst notices that a single user account has generated 15 failed-logon events from three different source IP addresses in the last 10 minutes, followed by a successful logon from a fourth IP address. The organization’s incident-response plan labels this pattern as “Suspicious—Possible Credential Stuffing.”

Q5. The SOC has implemented a threat-hunting hypothesis: “If a red-team tool such as Cobalt Strike is present, then we will find unregistered Windows services with random 4-byte service names.” The hunters run the query across 12 000 endpoints and receive 47 hits. After removing known false positives, three assets remain. Which **NEXT** step BEST demonstrates adherence to the “analyst-centric” hunting model?

Q3. A SaaS provider runs a fully containerized micro-services platform on Kubernetes. During a routine image-hardening sprint, engineers replace the base image from ubuntu:20.04 to distroless, rebuild all pods, and push them to the production registry. Two hours later, the SOC notices that the EDR agents no longer report process events from those containers. The EDR vendor confirms that their kernel module cannot attach to the statically linked init process used by distroless images. Which security-operation control has been MOST severely weakened?

Q9. A DLP solution flags an e-mail sent by the CFO to a public webmail domain containing an attachment labeled “Q4_Financials_Encrypted.xlsx” that is password-protected. The DLP engine cannot inspect the attachment contents.

Q9. A security guard making night rounds notices a cardboard box labeled “HP Toner” sitting outside the secure print-room door. The next morning the CFO’s printer is found to have a hardware key-logger installed inside the device.

Q7. Your company’s SOAR playbook auto-isolates any host that contacts a newly registered domain (age < 24 h) and downloads > 100 kB. Today the playbook isolated 120 sales laptops that auto-updated a legitimate VPN client whose vendor just switched CDN domains. Executives demand the playbook be disabled.

Q10. A company’s disaster-recovery plan specifies a 4-hour RTO and 30-minute RPO for its customer portal. During the annual drill, the restore from incremental snapshots takes 5.5 hours, and the last snapshot was 45 minutes old.

Q2.

Q9. A federal agency uses a continuous-diagnostics-and-mitigation (CDM) dashboard that displays the average time to patch critical vulnerabilities across 50 000 endpoints. The CIO rewards IT teams whose CDM score improves month-over-month. Over two quarters the mean time drops from 28 days to 3 days, yet the number of incident-response activations for malware **increases** by 40 %. Which security-operation metric dysfunction BEST explains the paradox?

Q10. A DevOps pipeline uses Infrastructure-as-Code (Terraform) to spin up ephemeral Kubernetes clusters in GCP. During a security exercise the red team compiles a custom kernel module that sniffs inter-pod traffic and exfiltrates TLS session keys. The SOC wants to prevent **future** compilations in production containers. Which security-operation control is the MOST operationally sustainable?

Q8. A forensic analyst is asked to image a Windows laptop that may contain evidence of IP theft. The laptop is BitLocker-encrypted and powered on. The user is on vacation and unreachable.

Q8. A managed-security-service provider (MSSP) offers a 24×7 SOC to a small bank. The contract stipulates that the MSSP will maintain a 15-minute SLA for critical alert acknowledgment. After a firewall fails-open during a holiday weekend, the bank’s on-call CISO receives an email alert—but no MSSP call—for 3.5 hours. The post-mortem shows the ticketing system clock was 4 hours behind due to an unpatched NTP drift bug. Which security-operations concept is the ROOT cause of the SLA miss?

Q5. A SIEM rule fires when five failed logins on a Windows server are followed within ten minutes by a successful login from a new country. The SOC receives 30–50 such alerts nightly, and every investigated case so far has been a valid VPN user on holiday. Management asks the SOC to “tune out the noise.” Which tuning approach BEST preserves security value while reducing false positives?

Q3. A SaaS provider runs a red-team exercise against its on-call rotation. At 03:17 local time, the red team triggers a high-severity alert in the customer-support portal. The automated call tree pages the L1 analyst in Singapore, who VPNs in, sees the alert is “red-team,” and immediately closes the ticket without further analysis. The red team then escalates to disk-wiper malware simulation, which the same analyst also ignores. Which security-operations metric is MOST directly undermined?

Q4. A hospital’s medical-device VLAN is air-gapped except for a one-way diode that exports syslog UDP packets to the SOC’s log lake. During an unannounced audit, the assessor plugs a laptop into the diode’s receive port and successfully sends SNMP set commands back to an MRI machine, changing its field-strength calibration. Which security-operations control has MOST clearly failed?

Q10. A global company runs a 24×7 SOC with follow-the-sun staffing. After a major breach, auditors criticize the SOC for “lack of measurable continuous improvement.” Which KPI pair BEST demonstrates a maturing security-operations program?

Q2. A manufacturing plant’s safety instrumented system (SIS) is air-gapped from the corporate network. A junior engineer brings a personal laptop from home, connects it to the SIS engineering workstation via USB, and accidentally introduces ransomware that halts production.

Q1. Your SOC has deployed an AI-driven user-behavior analytics (UBA) engine that triggers on “impossible travel” events. Last night the engine alerted that the same user appeared to log in from Toronto and Tokyo three minutes apart, yet the authentication logs show a single successful Kerberos TGT issuance in Toronto and no evidence of credential replay. The user’s mobile device GPS history places them in Toronto the entire time.

Q6. A hospital uses biometric palm-vein readers at controlled entry points. During a power outage the generators fail, and the UPS lasts only 20 min. Emergency procedures require the security staff to switch to manual keys. A Joint Commission auditor asks how you will maintain “positive identification” of staff entering the NICU.

Q4. A cloud-first retailer runs a serverless checkout flow in AWS Lambda. During a flash-sale event the SOC notices that 5 % of payment transactions trigger the “Invoke-From-Unknown-Region” CloudWatch alarm. The Lambda execution role has `s3:GetObject` privileges to a bucket that stores full credit-card magnetic-stripe images for troubleshooting. Which **FIRST** responder action is MOST aligned with ISC²’s “contain, eradicate, recover” philosophy?

Q4. A SOC runs a 24/7 follow-the-sun model with three regional teams. A critical privilege-escalation CVE is published at 08:00 UTC. The APAC team has already finished its shift, EMEA is mid-shift, and the Americas team is not yet online. Management wants “virtual patching” via WAF rules within 2 hours.

Q9. A DevOps pipeline uses Infrastructure-as-Code (Terraform) to spin up AWS environments. A developer accidentally commits an access-key ID and secret to a public GitHub repo. AWS GuardDuty generates a “CredentialExfiltration” finding 11 minutes later. The SOC disables the key via Lambda automation within 3 minutes, but the red-team later shows that the key was already used to launch 200 c5.4xlarge instances in another region. Which security-operations process should be implemented to reduce the probability that a future key can be abused within the 14-minute exposure window?

Q1. Your SOC has deployed an AI-powered user-behavior analytics (UBA) engine that baselines every employee’s keyboard cadence, file-touch volume, and VPN-connect times. On a Saturday at 02:14 local time, the model alerts that the CFO’s credentialed session just exfiltrated 3.2 GB of compressed files to an IP in Moldova—something the CFO has never done. The SIEM shows no malware alert, and the EDR platform marks the endpoint “clean.” Which FIRST action best follows the SANS PICERL incident-handling continuum?

Q10. Your SOC uses MITRE ATT&CK mapping. A threat-hunt finds a workstation with “wmiprvse.exe” spawning “powershell.exe” that downloads a JPEG, extracts a base64 blob, and executes via regsvr32. The hunt coincides with a new signature hit on “APT29 – CARBANAK.” Management will fund only ONE additional control this quarter.

Q5. A security guard making night rounds notices a laptop in the conference room is projecting a fake Outlook login page. The room was booked by a visitor who left 30 minutes earlier.

Q2. During a scheduled tabletop, the incident-response lead asks how to preserve evidence on a mission-critical Windows SQL cluster that CANNOT be taken offline. The CFO reminds the team that every minute of downtime costs USD 18 k.