D488 Cybersecurity Architecture and Engineering Exam 4 Version 1 | Questions with Correct Answers and Expert Explanation for Each Question | WGU
1. According to the NIST Incident Handling Lifecycle, what is the primary purpose of
the ‘Preparation’ phase?
A. To detect and analyze security incidents as they happen in real-time.
B. To restore systems to their normal operating state after a breach occurs.
C. To document the results of an incident for legal and insurance purposes.
D. To establish policies and build the necessary capabilities to respond to incidents.
Correct Answer: D
Expert Explanation: The preparation phase is foundational as it involves
establishing the policies and tools required for an effective response. It focuses on
training the incident response team and conducting risk assessments to identify
potential threats. By proactively hardening systems, the organization reduces the
likelihood of successful attacks before they occur. This phase also includes the
creation of communication plans to ensure stakeholders are informed during a
crisis. Without adequate preparation, an organization cannot respond to security
events in a timely or organized manner.
2. Which indicator of compromise (IoC) is most likely associated with a command-and-control (C2) communication attempt?
A. The presence of unauthorized software on a staff member’s laptop.
B. Multiple failed login attempts on a local workstation.
C. A sudden increase in the usage of system memory (RAM).
D. Unusual outbound network traffic to an unknown IP address.
Correct Answer: D
Expert Explanation: Unusual outbound traffic often signals that an internal system
is attempting to communicate with an external malicious actor. This type of activity
is a classic indicator of command-and-control behavior where malware awaits
instructions. Security analysts monitor these patterns to identify compromised
hosts that may be leaking sensitive data. Detecting these connections early is vital
for preventing the full-scale exfiltration of corporate information. Effective
monitoring systems use threat intelligence feeds to automatically flag known
malicious IP addresses.
3. During an active ransomware attack, what is the most appropriate initial
containment strategy?
A. Isolating affected systems from the network to prevent the spread of encryption.
B. Wiping the affected hard drives and reinstalling the operating system.
C. Paying the ransom to obtain the decryption key as quickly as possible.
D. Updating the antivirus software on all workstations in the environment.
Correct Answer: A
Expert Explanation: The immediate goal during a ransomware outbreak is to
isolate infected systems to halt the spread of the malware. By disconnecting these
devices from the network, the incident response team prevents the ransomware
from reaching shared drives. This containment step is critical for protecting the rest
of the organization’s infrastructure from being encrypted. It provides the team with
the necessary time to analyze the scope of the infection without further damage
occurring. Isolation is a standard procedure in the containment phase to limit the
total blast radius of the incident.
4. In the eradication phase of incident response, what is the main objective?
A. To perform a post-mortem analysis of why the incident happened.
B. To identify the specific attacker responsible for the security breach.
C. To provide updates to the media regarding the organization’s status.
D. To remove the root cause of the incident and eliminate any remaining traces of
the threat.
Correct Answer: D
Expert Explanation: The eradication phase focuses on identifying and removing all
elements of the threat from the environment. This includes deleting malware,
closing vulnerabilities that were exploited, and disabling compromised user
accounts. It ensures that the attacker no longer has a foothold or persistence within
the network. Failure to properly eradicate the threat often leads to a recurrence of
the same incident shortly after recovery. Analysts must be thorough in this phase to
confirm that the environment is truly clean before proceeding.
5. What step should be taken during the ‘Recovery’ phase to ensure the system is safe
to return to production?
A. Validating system integrity and monitoring for signs of the same incident
recurring.
B. Drafting a new security policy to address the gaps found during the breach.
C. Notifying the law enforcement agencies about the identity of the suspects.
D. Reimaging all unaffected servers to ensure a standard baseline across the
enterprise.
Correct Answer: A
Expert Explanation: Recovery involves restoring systems to normal operation
while verifying that they are fully functional and secure. Organizations must
implement enhanced monitoring during this phase to detect any signs of the threat