Operations & Defending Network Security | 2026/2027 Edition | 150 Verified Questions
WGU C845 VUN1 Task 2 Exam 2026-2027 QUESTIONS AND ANSWERS ALREADY GRADED A+. 100% Verified Solutions | Updated Per Latest Guidelines | Graded A+
This comprehensive exam prep document for WGU C845 VUN1 Task 2 covers the critical domains of
incident response operations and network security defense. With 150 verified questions, it provides an
in-depth review of key concepts including incident detection, containment, eradication, recovery, and
post-incident activities. The material is aligned with the latest 2026/2027 academic guidelines and
industry best practices, ensuring students are well-prepared to evaluate and defend network security
effectively.
Key Features:
- Incident response lifecycle and frameworks
- Network security defense strategies and tools
- Risk assessment and vulnerability management
- Security operations center (SOC) procedures
- Legal and regulatory compliance in incident handling
- Post-incident analysis and reporting
Updates for 2026:
- Updated to reflect 2026/2027 NIST and SANS incident response guidelines
- Incorporated new case studies on ransomware and advanced persistent threats
- Revised questions to include cloud and hybrid network security scenarios
- Enhanced answer rationales with step-by-step explanations
- Added compliance checklist for GDPR, HIPAA, and PCI-DSS
Abstract:
This document serves as a definitive study resource for the WGU C845 VUN1 Task 2 examination, focusing on
evaluating incident response operations and defending network security. It synthesizes core principles from the
incident response lifecycle, including preparation, detection, containment, eradication, recovery, and lessons
learned. The content emphasizes practical application through scenario-based questions that test the ability to
analyze security incidents, select appropriate countermeasures, and implement defense-in-depth strategies. Special
attention is given to contemporary threats such as ransomware, zero-day exploits, and insider threats, as well as
the integration of security frameworks like NIST SP 800-61 and ISO 27035. The document also addresses the role
of security operations centers (SOCs), threat intelligence, and automated response tools in modern network
defense. By mastering these topics, students will be equipped to design and evaluate incident response plans that
align with organizational policies and regulatory requirements.
Keywords:
incident response operations, network security defense, WGU C845, VUN1 Task 2, NIST SP 800-61, security
operations center, threat intelligence, defense in depth
Answer Format:
Each question is followed by the correct answer and a detailed rationale explaining why it is correct, along with
distractor analysis that clarifies why the other options are incorrect. Rationales reference specific frameworks,
standards, and real-world scenarios to reinforce learning.
Compliance Checklist:
- All questions are verified against current WGU C845 curriculum and industry standards
- Rationales cite authoritative sources including NIST, SANS, and ISO
- Content covers all key domains outlined in the VUN1 Task 2 rubric
- Updated for the 2026/2027 academic year with the latest security trends
- Includes both technical and managerial aspects of incident response
- Provides a balanced mix of conceptual and applied questions
Content Area Overview:
Content Area | Questions | Key Topics | Weight
--- | --- | --- | ---
Incident Response Lifecycle | 1-30 | Preparation, Detection, Analysis, Containment, Eradication, Recovery, Post-Incident Activity | 20%
Network Security Defense | 31-60 | Firewalls, IDS/IPS, VPNs, Segmentation, Access Control, Monitoring | 20%
Risk and Vulnerability Management | 61-85 | Risk Assessment, Vulnerability Scanning, Patch Management, Penetration Testing | 17%
Security Operations Center (SOC) | 86-110 | SOC Tiers, SIEM, Threat Hunting, Incident Triage, Escalation | 17%
Legal, Regulatory, and Compliance | 111-130 | GDPR, HIPAA, PCI-DSS, Chain of Custody, Reporting Requirements | 13%
Advanced Threats and Case Studies | 131-150 | Ransomware, APTs, Insider Threats, Zero-Day Exploits, Cloud Security Incidents | 13%

Q1. During a ransomware incident, the incident response team identifies that the encryption process began
on a Domain Controller (DC) after an attacker used stolen credentials to disable antivirus and deploy the
ransomware via Group Policy. Which containment strategy would be MOST effective to prevent further
spread while preserving forensic evidence?
A. Immediately power off all affected servers and workstations.
B. Disconnect the DC from the network and block SMB ports at the firewall.
C. Reboot all systems in safe mode and run a decryption tool.
D. Reset all user passwords and enable multi-factor authentication.
Correct Answer: B. Disconnect the DC from the network and block SMB ports at the firewall.
Rationale: Disconnecting the DC and blocking SMB ports stops the propagation mechanism (Group Policy via
SMB) while preserving volatile memory and logs. Powering off (A) may lose forensic data. Rebooting (C) is a
recovery step, not containment. Resetting passwords (D) does not stop active encryption via Group Policy.
Why Wrong:
A - Powering off destroys volatile memory and may hinder forensic analysis.
C - Rebooting in safe mode is a recovery action, not immediate containment.
D - Password reset does not halt the ongoing encryption process pushed via Group Policy.
Reference: NIST SP 800-61 Rev 2, Section 3.2.2; SANS PICERL Containment Phase
Q2. An analyst reviews network logs showing outbound traffic from a finance workstation to a known
command-and-control (C2) IP on port 443. The workstation also made DNS queries for a domain registered
24 hours ago. Which of the following best describes the stage of the Cyber Kill Chain represented by the DNS
query?
A. Reconnaissance
B. Weaponization
C. Command and Control
D. Actions on Objectives
Correct Answer: C. Command and Control
Rationale: The DNS query to a newly registered domain is typical of establishing C2 communication after initial
compromise. Reconnaissance (A) occurs earlier; Weaponization (B) is the preparation of the exploit; Actions on
Objectives (D) is the final stage where data exfiltration or damage occurs. Here, the C2 channel is being set up.
Why Wrong:
A - Reconnaissance involves gathering information about the target, not resolving a C2 domain.
B - Weaponization is the creation of the malicious payload, not the communication channel.
D - Actions on Objectives would involve data theft or destruction, not just establishing C2.
Reference: Lockheed Martin Cyber Kill Chain; Hutchins et al. (2011)
Q3. After a phishing incident, forensic analysis of a compromised workstation reveals a previously unknown
executable in the startup folder. The file's hash is not found in any threat intelligence feeds. Which analysis
technique would be MOST effective to determine the file's behavior without executing it on a production
system?
A. Static analysis using a disassembler like IDA Pro
B. Dynamic analysis in a sandboxed virtual machine
C. Signature-based antivirus scan
D. File entropy calculation
Correct Answer: A. Static analysis using a disassembler like IDA Pro
Rationale: Static analysis with a disassembler allows examination of the binary's code without execution, revealing
potential malicious functions. Dynamic analysis (B) requires execution, which risks infection if the sandbox is not
perfectly isolated. Signature scan (C) fails for unknown files. Entropy (D) may indicate packing but not behavior.
Why Wrong:
B - Dynamic analysis requires execution and risks escape from the sandbox.
C - Signature-based detection is ineffective for unknown malware.
D - Entropy only suggests packing, not actual behavior.
Reference: Sikorski & Honig (2012). Practical Malware Analysis, Ch. 1-2
Q4. An organization's security policy requires that all incident response team members be trained annually.
After a major breach, a post-incident review reveals that the team failed to preserve chain of custody for a
critical hard drive. Which of the following is the BEST explanation for this failure?
A. The team lacked proper forensic imaging tools.
B. The incident response plan did not include a chain of custody form.
C. The team was not trained on legal and forensic procedures.
D. The hard drive was encrypted and could not be accessed.
Correct Answer: C. The team was not trained on legal and forensic procedures.
Rationale: Failure to preserve chain of custody is typically due to lack of training on forensic procedures. While
missing forms (B) could contribute, the root cause is inadequate training. Tools (A) and encryption (D) are
separate issues that do not directly explain the procedural failure.
Why Wrong:
A - Lack of tools does not excuse failure to document handling.
B - Even without a form, trained personnel would document manually.
D - Encryption complicates analysis but does not prevent documentation.
Reference: NIST SP 800-86, Section 4.2; ISO 27037:2012
Q5. During a simulated APT exercise, the blue team observes that the red team is using a custom backdoor
that communicates over DNS tunneling. Which network defense control would be MOST effective at
detecting this activity?
A. Stateful firewall blocking all outbound DNS except from internal DNS servers
B. Intrusion detection system (IDS) with signature for known backdoor patterns
C. DNS sinkhole configured to redirect all queries to a non-existent domain
D. Deep packet inspection (DPI) of DNS traffic for anomalous payload sizes and entropy
Correct Answer: D. Deep packet inspection (DPI) of DNS traffic for anomalous payload sizes and entropy
Rationale: DNS tunneling often uses large or high-entropy payloads in TXT or A records. DPI can detect these
anomalies. Blocking all outbound DNS (A) may break legitimate services. Signature-based IDS (B) fails for custom
backdoors. Sinkhole (C) redirects queries but does not detect tunneling.
Why Wrong:
A - Blocking all outbound DNS except from internal servers may prevent tunneling but is too restrictive and not detection-focused.
B - Signature-based detection is ineffective against custom backdoors.
C - A sinkhole only captures queries to known malicious domains, not tunneling patterns.
Reference: Farnham & Atlasis (2013). Detecting DNS Tunneling; SANS SEC504
Q6. An incident responder needs to collect memory from a compromised Windows server to analyze running
processes and network connections. Which tool and methodology is MOST appropriate to minimize forensic
impact?
A. Use the built-in Task Manager to save a process list.
B. Use FTK Imager to create a forensic image of the hard drive.
C. Use the DumpIt tool to capture a raw memory dump to an external drive.
D. Execute a PowerShell script that queries process information and writes to a network share.