Exam COMPREHENSIVE Questions Answered, 2026 Verified Graded A+ Already Passed!
Domain 1: Incident Response, Threat Intel & TTP Analysis (15 Questions)
1. Which of the following accurately describes the correct sequence of the four main phases
of the NIST 800-61r2 Incident Response (IR) Lifecycle?
A. Detection/Analysis, Containment/Eradication/Recovery, Preparation, Post-Incident Activity
B. Preparation, Detection/Analysis, Containment/Eradication/Recovery, Post-Incident Activity
C. Preparation, Containment/Eradication/Recovery, Detection/Analysis, Post-Incident Activity
D. Detection/Analysis, Preparation, Post-Incident Activity, Containment/Eradication/Recovery
Answer: B
[CORRECT]
Rationale: According to NIST SP 800-61r2, the Incident Response Lifecycle consists of four
main phases: 1) Preparation (establishing IR capabilities), 2) Detection and Analysis
(identifying incidents), 3) Containment, Eradication, and Recovery (limiting damage and
restoring systems), and 4) Post-Incident Activity (lessons learned).
2. During the "Preparation" phase of the NIST IR Lifecycle, which specific action is critical to
ensuring that the "Detection and Analysis" phase can function effectively during a high-pressure
ransomware event?
A. Drafting the "Lessons Learned" report for the previous quarter's incidents
B. Creating and pre-approving "Containment" strategies for common attack vectors like
ransomware
C. Wiping and reimaging all hard drives in the environment
D. Isolating the infected host from the network immediately
Answer: B
[CORRECT]
Rationale: The "Preparation" phase focuses on preemptive measures. Having pre-approved
containment strategies (like network isolation scripts or firewall rules) for common threats
such as ransomware allows analysts to execute the "Containment" phase immediately during
"Detection and Analysis" without waiting for management approval, minimizing the dwell
time.
3. A federal SOC analyst has successfully eradicated a threat from a compromised server.
According to NIST 800-61r2, what is the immediate next step in the lifecycle before moving to
"Post-Incident Activity"?
A. Hold a press conference to disclose the breach
B. Conduct a "Lessons Learned" meeting
C. Recovery: Restoring systems from clean backups and validating functionality
D. Detection/Analysis: Re-scanning the network for other anomalies
Answer: C
[CORRECT]
Rationale: The third phase of the NIST lifecycle is "Containment, Eradication, and Recovery."
Once the threat is eradicated, the final step of this specific phase is "Recovery," which
involves restoring systems from clean backups and monitoring for signs that the threat has
reappeared. "Post-Incident Activity" begins only after recovery is complete.
4. Which specific document is the primary output of the "Post-Incident Activity" phase
required by NIST 800-61r2 to improve future IR processes?
A. The Chain of Custody Form
B. The Incident Response Plan (IRP)
C. The Lessons Learned Report
D. The malware hash analysis report
Answer: C
[CORRECT]
Rationale: NIST 800-61r2 mandates that the "Post-Incident Activity" phase includes
generating a "Lessons Learned" report. This document identifies what went well, what went
wrong, and how the IR process can be improved for future incidents.
5. An analyst observes a malicious file attachment being delivered to a specific target within
the organization via email. Which MITRE ATT&CK technique and specific sub-technique ID
describes this action?
A. T1566.001: Spearphishing Attachment
B. T1190: Exploit Public-Facing Application
C. T1566.002: Spearphishing Link
D. T1569.002: Service Execution
Answer: A
[CORRECT]
Rationale: MITRE ATT&CK technique T1566 covers "Phishing." Sub-technique T1566.001
specifically refers to "Spearphishing Attachment," which involves sending emails with
malicious attachments to specific targets to gain initial access.
6. Following a successful phishing attachment delivery, the adversary uses a valid Windows
service (e.g., svchost.exe) to execute their payload. Which MITRE ATT&CK technique describes
this execution method?
A. T1566.001: Spearphishing Attachment
B. T1569.002: Service Execution
C. T1059.001: Command and Scripting Interpreter