Domain 5: Cloud Security Operations Review — 61 of 70

Domain 5 – Section C Review: Operations & Forensics

CCSP Domain 5 — Cloud Security Operations: Section Review (estimated time 15–20 min)
Section C tested operational processes, incident response, forensics, and security monitoring. These are the day-to-day operational disciplines that protect cloud environments. Verify you can apply structured processes to cloud scenarios.

These questions span ITIL, change management, incident response, forensics, and SOC/SIEM. Focus on process discipline and cloud-specific adaptations.


Scenario questions (10)


Question 1

A cloud engineer deploys a configuration change directly to production to fix a performance issue. The change inadvertently disables a security monitoring agent. No one notices for two weeks.

What process failure allowed this?

A. Incident management
B. Change management — the change was not reviewed for security impact before deployment
C. Capacity management
D. Problem management

Answer & reasoning

Correct: B

Change management requires reviewing proposed changes for security impact before deployment. A direct, unreviewed change to production bypassed this safeguard, allowing the security monitoring gap.


Question 2

During a cloud incident, the response team isolates a compromised instance by modifying its security group to deny all traffic. They then begin forensic analysis.

What critical step was potentially missed BEFORE isolation?

A. Notifying management
B. Updating the incident response plan
C. Capturing a disk snapshot and memory dump to preserve volatile evidence
D. Running a vulnerability scan on the isolated instance

Answer & reasoning

Correct: C

Before isolation or any modification, forensic evidence should be preserved — disk snapshots and memory captures. Isolation changes the instance state, and some volatile evidence may be lost during the process.


Question 3

An organization's SOC receives alerts from its cloud SIEM about unusual API activity at 3:00 AM — a new IAM role was created and granted administrator access. No change requests were filed.

What type of alert is this?

A. Security alert indicating potential credential compromise or insider threat
B. Compliance reporting event
C. Availability alert
D. Performance anomaly

Answer & reasoning

Correct: A

Unauthorized IAM role creation with admin privileges outside change management, especially at unusual hours, is a high-priority security alert indicating potential credential compromise or malicious insider activity.


Question 4

A cloud incident investigation determines the root cause was an unpatched vulnerability that had been exploited three times in the past year. Each time, the incident team fixed the immediate issue.

What process is MISSING?

A. Better incident detection
B. Additional SOC analysts
C. Problem management to address the root cause and prevent recurrence
D. More frequent security scanning

Answer & reasoning

Correct: C

Recurring incidents from the same root cause indicate a problem management failure. Incident management restores service; problem management investigates root causes and implements permanent fixes.


Question 5

A forensic investigator needs to collect evidence from a cloud instance. The cloud provider states they cannot provide physical disk access due to multi-tenancy.

What is the appropriate alternative?

A. Abandon the forensic investigation
B. Request the provider to shut down the entire physical host
C. Use virtual machine snapshots, log exports, and API audit records as logical evidence
D. Demand physical access through legal action

Answer & reasoning

Correct: C

Cloud forensics relies on logical evidence — VM snapshots, logs, and API records — rather than physical access. Multi-tenant environments preclude physical disk access, but logical alternatives provide equivalent forensic value.


Question 6

An organization uses a cloud-native SIEM that only ingests operating system logs from its instances. After a credential compromise, the attacker accessed cloud storage directly through API calls without touching any instance.

Why was the attack missed?

A. The attacker used encrypted communication
B. The SIEM was not configured correctly
C. The SIEM lacked cloud-native data sources — API audit logs and storage access logs — necessary to detect API-based attacks
D. The operating system logs were corrupted

Answer & reasoning

Correct: C

API-based attacks bypass instance-level monitoring entirely. Without cloud audit logs and storage access logs, the SIEM has no visibility into API activity or direct cloud service access.


Question 7

A cloud SLA specifies 99.99% uptime but does not include any security-related terms. A breach occurs, and the provider takes 5 days to notify the customer.

What contractual gap enabled this delay?

A. The SLA percentage was too low
B. The customer did not have monitoring in place
C. The provider's incident response team was understaffed
D. The SLA lacked security-specific terms including breach notification timelines

Answer & reasoning

Correct: D

SLAs focused only on uptime miss critical security commitments. Breach notification timelines, incident response obligations, and security reporting requirements must be explicitly included in the agreement.


Question 8

After a cloud service outage, the operations team restores service within the RTO. The post-incident review reveals this is the third outage caused by the same misconfiguration.

What should the team recommend?

A. Faster incident response procedures
B. Problem management investigation to identify and permanently fix the root cause of the recurring misconfiguration
C. Additional standby infrastructure
D. Replacing the cloud provider

Answer & reasoning

Correct: B

Recurring outages from the same cause require problem management, not faster incident response. The root cause must be identified and permanently resolved to prevent recurrence.


Question 9

A SOAR playbook automatically isolates compromised instances and revokes suspicious credentials. A SOC analyst questions whether full automation is appropriate.

When is the analyst's concern MOST valid?

A. When the SOAR platform is cloud-native
B. When the automated playbook might isolate a critical production system without human judgment about business impact
C. When the analyst prefers manual work
D. When the automated response is faster than manual response

Answer & reasoning

Correct: B

Automated responses to security incidents can have business impact — isolating a critical production system may cause more damage than the incident itself. Complex decisions with significant business implications should involve human judgment.


Question 10

An organization measures its SOC's Mean Time to Detect (MTTD) at 48 hours and Mean Time to Respond (MTTR) at 6 hours.

Which metric should they prioritize improving?

A. MTTR, because response speed is always more important
B. Both equally, because they are independent metrics
C. Neither — these metrics are acceptable
D. MTTD, because reducing the time an attacker operates undetected has the greatest security impact

Answer & reasoning

Correct: D

MTTD of 48 hours means attackers have two days of undetected access. Reducing detection time limits the attacker's window for damage, data theft, and lateral movement. While MTTR matters, the greater impact comes from detecting threats faster.


Section C master pattern

When answering Domain 5 Section C questions, ask yourself:

  • Is this an incident (restore now) or a problem (prevent recurrence)?
  • Was the proper process followed or bypassed?
  • Is evidence being preserved before recovery actions?
  • Are monitoring data sources comprehensive for the cloud environment?
  • Does automation replace human judgment where it should not?

If you follow structured processes, preserve evidence, and ensure comprehensive monitoring, you will answer correctly.
