Domain 7: Security Operations Capstone — 59 of 84

Domain 7 Capstone: Security Operations

CISSP Domain 7 — Security Operations Capstone — All Sections, 20 Questions

Executive Pattern Summary

Domain 7 is the largest domain on the CISSP exam and covers the daily practice of security. Before working through these capstone questions, internalize these seven decision patterns that connect every topic in Security Operations:

  1. Life safety overrides everything. In any scenario where personnel safety conflicts with asset protection, evidence preservation, or business continuity, protect the people first. This is the most absolute rule on the exam.
  2. Containment before eradication. During incident response, contain the damage to prevent spread before attempting to remove the threat. Jumping to eradication without containment risks losing control of the incident scope.
  3. Evidence integrity enables justice. Chain of custody, proper imaging, and documentation are not optional steps. Without them, forensic evidence is inadmissible and incident root cause analysis is unreliable.
  4. Recovery objectives drive strategy. RTO, RPO, and MTD are not arbitrary numbers — they come from the BIA and determine every investment in backup, replication, and alternate-site strategy. When strategy does not match objectives, the strategy is wrong.
  5. Testing validates planning. Plans that exist only on paper are assumptions. Progressive testing — from desk checks through full interruption — transforms assumptions into verified capability. Untested plans fail at the worst possible time.
  6. Physical and logical security are one program. An attacker who bypasses physical controls has already defeated a significant portion of your logical defenses. Integration between physical access, logical access, and monitoring provides layered defense.
  7. Continuous improvement over perfection. Security operations is a cycle: detect, respond, recover, learn, improve. Every incident, every test, and every audit should produce lessons that feed back into better processes.

Domain 7 – Capstone Questions


Question 1

A SOC analyst detects lateral movement across the network following a confirmed ransomware infection on a workstation. The SIEM shows connections from the infected host to three file servers and two domain controllers. The incident response team is still assembling.

What should the SOC analyst do FIRST?

A. Isolate the infected workstation and the five systems it has contacted from the network to contain the spread
B. Begin forensic imaging of the infected workstation to preserve evidence
C. Notify law enforcement of the ransomware attack
D. Shut down all file servers to prevent data encryption

Answer & reasoning

Correct: A

Containment is the immediate priority when active lateral movement is occurring. Isolating the infected host and the potentially compromised systems prevents further spread while the IR team mobilizes. Forensic imaging (B) is important but comes after containment. Law enforcement notification (C) follows organizational procedures and is not the first action. Shutting down all file servers (D) is disproportionate and causes unnecessary disruption.


Question 2

During a post-incident review, the team discovers that the SIEM generated an alert for the initial compromise 48 hours before the incident was detected by a user reporting encrypted files. The alert was classified as low priority by the automated triage rules.

What should the incident review recommend?

A. Replace the SIEM with a more advanced platform
B. Review and tune SIEM correlation rules and alert prioritization to reduce the gap between detection and response
C. Hire additional SOC analysts to monitor all alerts in real time
D. Implement mandatory daily SIEM report reviews by the CISO

Answer & reasoning

Correct: B

The SIEM detected the activity — the failure was in how the alert was classified and prioritized. Tuning correlation rules and alert triage criteria directly addresses the root cause: the system saw the threat but downgraded its importance. Replacing the platform (A) does not fix a configuration issue. Additional staff (C) does not address prioritization logic. CISO review (D) is too far removed from operational triage.


Question 3

An organization’s change management board approves a firewall rule change to support a new application. The change is implemented on a Friday evening. On Monday morning, the security team discovers that the new rule inadvertently opened inbound access from the internet to an internal database server.

What change management control failed?

A. The change should not have been implemented on a Friday
B. The firewall administrator made a technical error that should result in disciplinary action
C. The change management process did not include a security review of the rule’s actual impact before or after implementation
D. All firewall changes should require CISO approval

Answer & reasoning

Correct: C

Change management should include a security review that evaluates the actual impact of the proposed change, not just its intended function. Post-implementation verification should confirm the change produced only the expected results. The failure is in process, not in timing (A) or individual performance (B). CISO approval for routine changes (D) creates bottlenecks without addressing the review gap.


Question 4

A forensic investigator arrives at a workstation suspected of being used in corporate fraud. The workstation is powered on and the suspect’s email client is open on screen. The investigator’s first action is to pull the power cord to preserve the hard drive contents.

What mistake was made?

A. The investigator should have notified HR before touching the workstation
B. The investigator should have taken photographs first
C. The investigator should have waited for the suspect to log off
D. Volatile data in RAM (running processes, network connections, open files) was destroyed by the hard power-off and should have been captured first

Answer & reasoning

Correct: D

The order of volatility dictates that the most volatile evidence (RAM, running processes, network connections, temporary files) must be captured before less volatile evidence (hard drive contents). Pulling the power cord destroys all volatile data that could have been critical to the investigation. The correct approach is to capture RAM contents, document running processes and network connections, then create a forensic image of the drive.


Question 5

A hospital’s backup strategy uses nightly full backups stored on-site. A ransomware attack at 3:00 PM encrypts the primary database and all on-site backup copies, including the most recent backup from midnight.

What backup strategy failure is MOST significant?

A. Full backups should have been performed more frequently than nightly
B. Backups accessible to the same network as production allowed the ransomware to encrypt both, violating the principle of backup isolation
C. The hospital should have used differential backups instead of full backups
D. Tape backups should have been used instead of disk-based backups

Answer & reasoning

Correct: B

The critical failure is that backups were accessible from the same network as production systems. Modern ransomware specifically targets backup repositories to prevent recovery. The 3-2-1 backup principle (three copies, two media types, one off-site) and network isolation of backup infrastructure are specifically designed to prevent this scenario. Backup frequency (A) and type (C) are secondary to the isolation failure.


Question 6

A security operations manager is implementing a vulnerability management program. The first scan of the environment identifies 15,000 vulnerabilities across 2,000 systems. The patching team can address approximately 500 vulnerabilities per month.

What is the BEST approach to managing this backlog?

A. Prioritize remediation based on risk: vulnerability severity, asset criticality, exposure level, and exploit availability
B. Start with the oldest vulnerabilities to clear the longest-standing risk
C. Focus exclusively on critical-severity vulnerabilities and accept risk on everything else
D. Pause scanning until the current backlog is cleared to avoid overwhelming the team

Answer & reasoning

Correct: A

Risk-based prioritization ensures the most dangerous vulnerabilities on the most critical assets are addressed first. A critical vulnerability on an internet-facing server with a public exploit takes priority over a critical vulnerability on an isolated development server. Age-based prioritization (B) does not account for risk. Focusing only on critical severity (C) ignores context. Pausing scanning (D) creates blind spots.
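The ranking described above can be made concrete. The following is an added example, not part of the original question set: it scores a constructed vulnerability inventory by severity, asset criticality, exposure and exploit availability, then splits the list by a monthly remediation capacity. The weights, host names and vulnerability identifiers are assumptions chosen for illustration, not values from any real program or advisory.

```python
from dataclasses import dataclass

# Assumed weights for the four risk factors the explanation names.
# A real program derives these from policy; the point is that context scales severity.
EXPOSURE_WEIGHT = {"internet": 1.0, "dmz": 0.8, "internal": 0.5, "isolated": 0.2}
CRITICALITY_WEIGHT = {"high": 1.0, "medium": 0.6, "low": 0.3}
PUBLIC_EXPLOIT_MULTIPLIER = 1.5


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str        # placeholder identifier, not a real CVE
    cvss: float         # base severity on the 0.0-10.0 scale
    criticality: str    # business criticality of the asset
    exposure: str       # network exposure of the asset
    exploit_public: bool


def risk_score(f: Finding) -> float:
    """Severity alone ranks both 9.8 findings equally; the asset context separates them."""
    score = f.cvss / 10.0
    score *= CRITICALITY_WEIGHT[f.criticality]
    score *= EXPOSURE_WEIGHT[f.exposure]
    if f.exploit_public:
        score *= PUBLIC_EXPLOIT_MULTIPLIER
    return score


def prioritize(findings, monthly_capacity):
    """Return (this month's work, deferred backlog), highest risk first."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return ranked[:monthly_capacity], ranked[monthly_capacity:]


# Constructed inventory: two critical-severity findings with very different context.
FINDINGS = [
    Finding("web01", "VULN-A", 9.8, "high", "internet", True),   # internet-facing, public exploit
    Finding("dev07", "VULN-A", 9.8, "low", "isolated", False),   # same flaw on an isolated dev box
    Finding("db02", "VULN-B", 7.5, "high", "internal", True),
    Finding("vpn01", "VULN-C", 6.5, "medium", "dmz", False),
]

if __name__ == "__main__":
    now, later = prioritize(FINDINGS, monthly_capacity=2)
    for f in now:
        print(f"remediate now: {f.host} {f.vuln_id} score={risk_score(f):.3f}")
    for f in later:
        print(f"deferred:      {f.host} {f.vuln_id} score={risk_score(f):.3f}")
```

Note that `dev07` carries the same CVSS 9.8 as `web01` yet lands at the bottom of the queue; a severity-only or age-only ordering would not produce that result.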


Question 7

An organization’s privileged access management system shows that a database administrator account logged in at 2:00 AM on a Saturday and exported the entire customer database. The DBA was on vacation at the time and claims no knowledge of the activity.

What security operations control should have detected or prevented this?

A. Stronger password complexity requirements for privileged accounts
B. Multi-factor authentication for privileged access combined with behavioral analytics that flag anomalous activity patterns
C. Restricting database access to business hours only
D. Requiring the DBA to be physically present in the office for database operations

Answer & reasoning

Correct: B

MFA would have prevented access if the credentials were compromised — the attacker would need the second factor. Behavioral analytics would flag the anomalous pattern: access from an unusual location or device, at an unusual time, performing an unusual bulk export. Together, these controls address both prevention and detection. Time restrictions (C) are too rigid for operations that may require off-hours maintenance.


Question 8

During an incident investigation, the security team needs to image a server hard drive for forensic analysis. The server is a production system processing real-time financial transactions that cannot be taken offline.

What forensic approach is MOST appropriate?

A. Shut down the server and create a bit-for-bit forensic image
B. Wait until the next scheduled maintenance window to perform the imaging
C. Perform a live forensic image of the drive while the system continues operating, documenting the system state and any changes during imaging
D. Copy only the log files and transaction records relevant to the investigation

Answer & reasoning

Correct: C

When a production system cannot be taken offline, live forensic imaging captures the drive contents while the system operates. The investigator must document the running state, note that changes may have occurred during imaging, and capture volatile data alongside the disk image. This approach preserves evidence while maintaining business operations. Waiting (B) allows evidence to be overwritten. Partial collection (D) may miss relevant artifacts.


Question 9

A company operates a warm site for disaster recovery. After activating the warm site during an actual disaster, the recovery team discovers that the site’s hardware is two generations behind the primary site due to a hardware refresh at the primary that was not mirrored at the warm site. Several applications will not run on the older hardware.

What maintenance process failed?

A. The warm site should have been converted to a hot site with automatic synchronization
B. Configuration management and change control did not include the DR site in the hardware refresh scope
C. The warm site vendor is responsible for maintaining hardware currency
D. Application compatibility testing should have been performed during the disaster activation

Answer & reasoning

Correct: B

When the primary site receives a hardware refresh, the change management process should flag that the DR site also needs to be evaluated and updated. Configuration management must track both sites and ensure they remain compatible. This is the same principle that applies to software updates, network changes, and any infrastructure modification — DR site alignment must be part of the change scope.


Question 10

An organization’s security operations team detects that an insider has been slowly exfiltrating small amounts of data through encrypted email attachments over three months. The DLP system did not flag the activity because the individual files were below the size threshold.

What detection improvement would address this gap?

A. Lower the DLP file size threshold to catch smaller attachments
B. Block all encrypted email attachments
C. Implement cumulative behavioral analytics that detect aggregate data movement patterns over time, not just individual transfers
D. Require management approval for all email attachments

Answer & reasoning

Correct: C

The attacker bypassed the DLP by staying below per-event thresholds. Behavioral analytics that track cumulative patterns — total data volume sent to external addresses, frequency of encrypted attachments, recipient patterns over time — would detect the slow exfiltration that per-event thresholds miss. Lowering thresholds (A) creates excessive false positives. Blocking encrypted attachments (B) impairs legitimate business communication.
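To show why per-event thresholds miss this pattern, here is an added example (not code from the original material) that runs both a per-attachment check and a sliding-window cumulative check over a constructed email gateway log. The log format, the organisation domain `corp.example`, the thresholds and the window length are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "corp.example"             # assumed organisation domain
PER_EVENT_LIMIT = 10 * 1024 * 1024           # assumed per-attachment DLP threshold (10 MiB)
WINDOW = timedelta(days=30)                  # look-back window for cumulative analysis
CUMULATIVE_BYTES_LIMIT = 100 * 1024 * 1024   # assumed: 100 MiB to external recipients per window
ENCRYPTED_COUNT_LIMIT = 20                   # assumed: encrypted attachments per window


def constructed_log():
    """Constructed gateway log: one normal user plus one slow drip of encrypted attachments."""
    lines = [
        "2024-03-01T09:12:00 alice@corp.example partner@vendor.example 2400000 no",
        "2024-03-05T14:30:00 alice@corp.example partner@vendor.example 800000 yes",
        "2024-03-19T11:05:00 alice@corp.example carol@corp.example 50000000 no",  # large but internal
    ]
    start = datetime(2024, 3, 1, 18, 45)
    for day in range(25):  # 25 encrypted 6 MiB attachments: each under 10 MiB, 150 MiB in total
        ts = (start + timedelta(days=day)).strftime("%Y-%m-%dT%H:%M:%S")
        lines.append(f"{ts} bob@corp.example drop@mailbox.example {6 * 1024 * 1024} yes")
    return lines


def parse(line):
    ts, sender, recipient, size, enc = line.split()
    return {
        "ts": datetime.fromisoformat(ts), "sender": sender, "recipient": recipient,
        "bytes": int(size), "encrypted": enc == "yes",
        "external": not recipient.endswith("@" + INTERNAL_DOMAIN),
    }


def per_event_alerts(events):
    """The original control: flag only single external attachments over the size threshold."""
    return [e for e in events if e["external"] and e["bytes"] > PER_EVENT_LIMIT]


def cumulative_alerts(events):
    """Per-sender sliding window over external recipients: total bytes and encrypted count."""
    alerts = {}
    window = defaultdict(deque)
    for e in sorted(events, key=lambda x: x["ts"]):
        if not e["external"]:
            continue
        q = window[e["sender"]]
        q.append(e)
        while q and e["ts"] - q[0]["ts"] > WINDOW:   # evict events older than the window
            q.popleft()
        total = sum(x["bytes"] for x in q)
        enc_count = sum(1 for x in q if x["encrypted"])
        reasons = []
        if total > CUMULATIVE_BYTES_LIMIT:
            reasons.append(f"{total} bytes to external recipients in {WINDOW.days} days")
        if enc_count > ENCRYPTED_COUNT_LIMIT:
            reasons.append(f"{enc_count} encrypted attachments in {WINDOW.days} days")
        if reasons and e["sender"] not in alerts:
            alerts[e["sender"]] = {"first_seen": e["ts"], "reasons": reasons}
    return alerts


EVENTS = [parse(line) for line in constructed_log()]

if __name__ == "__main__":
    print("per-event alerts:", per_event_alerts(EVENTS))
    for sender, info in cumulative_alerts(EVENTS).items():
        print(f"cumulative alert for {sender} first seen {info['first_seen']}: {info['reasons']}")
```

The per-event check returns nothing, because no single attachment crosses 10 MiB. The cumulative check raises an alert for the drip sender on the seventeenth day, when the 30-day external total passes 100 MiB, while the normal user's occasional encrypted attachment and the large internal transfer are left alone.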


Question 11

A cloud-hosted application experiences a complete outage due to the cloud provider’s regional failure. The organization’s BCP assumed the cloud provider would handle all disaster recovery. The provider’s SLA guarantees 99.9% uptime but does not specify RTO or RPO for regional failures.

What governance failure does this expose?

A. The cloud provider failed to meet its SLA obligations
B. Cloud services should not be used for critical applications
C. The organization transferred operational responsibility to the cloud provider without verifying that the provider’s recovery capabilities matched the organization’s BIA requirements
D. The SLA percentage was too low for a critical application

Answer & reasoning

Correct: C

Uptime SLAs and disaster recovery capabilities are different things. The organization assumed the cloud provider would handle DR without verifying that the provider’s recovery targets matched the BIA’s RTO and RPO requirements. This is a governance failure: the organization is ultimately responsible for ensuring its continuity requirements are met, regardless of where the infrastructure resides.


Question 12

A security team discovers that an attacker has been present in the network for approximately 60 days (dwell time). The attacker has established persistence through scheduled tasks, modified service accounts, and deployed web shells on three servers.

Before beginning eradication, what must the team complete?

A. Notify the board of directors about the breach duration
B. Full scope assessment to identify all persistence mechanisms, compromised accounts, and affected systems so that eradication is complete in a single coordinated action
C. Immediately reset all passwords across the organization
D. Disconnect all servers from the network

Answer & reasoning

Correct: B

With 60 days of dwell time, the attacker has likely established multiple persistence mechanisms. Incomplete eradication — removing some but not all footholds — alerts the attacker and causes them to activate remaining access. The team must identify the full scope before executing a coordinated eradication that removes all persistence simultaneously. Premature password resets (C) or network disconnection (D) may tip off the attacker before the full scope is understood.


Question 13

An organization performs daily incremental backups and weekly full backups. A corruption is discovered in Tuesday’s data, but it is not detected until Thursday. The team needs to restore to Monday’s known-good state.

What is the correct restore sequence?

A. Restore Monday’s incremental backup only
B. Restore the most recent full backup (Sunday), then apply Monday’s incremental backup
C. Restore Tuesday’s incremental backup since that is when the corruption occurred
D. Restore Thursday’s incremental backup and roll back the corrupted data

Answer & reasoning

Correct: B

Incremental backups contain only changes since the last backup. To restore to Monday’s state, you need the foundation (Sunday’s full backup) plus Monday’s incremental backup layered on top. Monday’s incremental alone (A) would be incomplete without the full backup base. Tuesday’s backup (C) contains the corruption. Thursday’s backup (D) contains three days of corrupted data.
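The restore-chain rule can be checked by simulation. The following added example (not from the original question bank) resolves the ordered set of backups needed to reach a target day and replays them to rebuild the file state. It goes beyond the question by also handling differential backups, where only the latest differential after the full is needed. The catalogue contents and file names are constructed.

```python
from datetime import date

# Constructed catalogue matching the question: full on Sunday, daily incrementals.
# Each entry carries the file versions it holds; an incremental holds only the
# changes since the previous backup of any kind.
INCREMENTAL_CATALOG = [
    {"date": date(2024, 3, 3), "kind": "full",        "data": {"ledger": "v0", "config": "c0"}},  # Sunday
    {"date": date(2024, 3, 4), "kind": "incremental", "data": {"ledger": "v1"}},                 # Monday
    {"date": date(2024, 3, 5), "kind": "incremental", "data": {"ledger": "CORRUPT"}},            # Tuesday
    {"date": date(2024, 3, 6), "kind": "incremental", "data": {"config": "c1"}},                 # Wednesday
    {"date": date(2024, 3, 7), "kind": "incremental", "data": {"report": "r0"}},                 # Thursday
]

# The same history captured with differentials (each holds all changes since the last full).
DIFFERENTIAL_CATALOG = [
    {"date": date(2024, 3, 3), "kind": "full",         "data": {"ledger": "v0", "config": "c0"}},
    {"date": date(2024, 3, 4), "kind": "differential", "data": {"ledger": "v1"}},
    {"date": date(2024, 3, 5), "kind": "differential", "data": {"ledger": "CORRUPT"}},
    {"date": date(2024, 3, 6), "kind": "differential", "data": {"ledger": "CORRUPT", "config": "c1"}},
]


def restore_chain(catalog, target):
    """Order the backups needed to rebuild the state as of `target`.

    Base: the latest full on or before target. Differential: only the latest one
    after that full. Incremental: every one after the base (full or chosen
    differential), in date order.
    """
    usable = sorted((b for b in catalog if b["date"] <= target), key=lambda b: b["date"])
    fulls = [b for b in usable if b["kind"] == "full"]
    if not fulls:
        raise ValueError(f"no full backup on or before {target}")
    base = fulls[-1]
    later = [b for b in usable if b["date"] > base["date"]]
    chain = [base]
    diffs = [b for b in later if b["kind"] == "differential"]
    if diffs:
        chain.append(diffs[-1])
        later = [b for b in later if b["date"] > diffs[-1]["date"]]
    chain.extend(b for b in later if b["kind"] == "incremental")
    return chain


def apply_chain(chain):
    """Replay the chain in order; later entries overwrite earlier file versions."""
    state = {}
    for b in chain:
        state.update(b["data"])
    return state


def labels(chain):
    return [f"{b['date'].strftime('%A')} {b['kind']}" for b in chain]


if __name__ == "__main__":
    monday = date(2024, 3, 4)
    chain = restore_chain(INCREMENTAL_CATALOG, monday)
    print(labels(chain), "->", apply_chain(chain))
```

Restoring to Monday yields `['Sunday full', 'Monday incremental']` and a ledger at `v1` with no trace of the Tuesday corruption; restoring to Thursday instead would replay Tuesday's incremental and carry the corruption forward.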


Question 14

A company’s SOC uses a tiered staffing model. Tier 1 analysts handle initial alert triage. Metrics show that Tier 1 analysts escalate 85% of all alerts to Tier 2 without meaningful triage, creating a bottleneck at Tier 2.

What is the MOST likely root cause?

A. The organization needs more Tier 2 analysts
B. Tier 1 analysts lack the training, playbooks, or authority needed to triage and resolve common alert types at their level
C. The SIEM is generating too many alerts
D. The tiered model should be replaced with a flat SOC structure

Answer & reasoning

Correct: B

An 85% escalation rate from Tier 1 means the first tier is functioning as a pass-through rather than a triage point. This typically indicates insufficient training, missing standard operating procedures for common alert types, or a lack of authority to close alerts at Tier 1. Addressing these gaps restores the triage function. Adding Tier 2 staff (A) does not fix the Tier 1 problem. Alert volume (C) is separate from escalation rate.


Question 15

A chemical plant’s security system detects an intruder in the perimeter area near hazardous material storage. Simultaneously, the plant’s fire detection system activates in the administrative building on the opposite end of the facility.

How should security operations prioritize the response?

A. Send all available resources to the perimeter intrusion since the intruder may be attempting sabotage
B. Send all available resources to the fire alarm since fire threatens life safety
C. Evacuate the administrative building (life safety first), then respond to the perimeter intrusion while considering that the two events may be related
D. Ignore the fire alarm as a likely diversion and focus on the intruder

Answer & reasoning

Correct: C

Life safety takes absolute priority: the fire alarm in the administrative building triggers immediate evacuation. However, simultaneous events should be treated as potentially coordinated. The intruder near hazardous materials could be related to the fire alarm (a diversion tactic). Security operations should address both events with appropriate resources, leading with life safety while maintaining awareness that the events may be linked.


Question 16

An organization’s patch management policy requires critical patches to be applied within 72 hours. The IT operations team reports that they cannot meet this timeline for a critical patch because it requires a reboot of the ERP system, and the next approved maintenance window is 10 days away.

What should the security manager recommend?

A. Waive the patching requirement until the maintenance window
B. Apply the patch immediately without a maintenance window since it is critical
C. Request an emergency change window, implement compensating controls until the patch is applied, and document the risk acceptance for the interim period
D. Accept the risk since the ERP system is on the internal network

Answer & reasoning

Correct: C

The security manager should work within the change management framework by requesting an emergency change window while implementing compensating controls (network segmentation, enhanced monitoring, IPS rules) to reduce risk during the interim. Simply waiving the requirement (A) or accepting the risk without mitigation (D) leaves the vulnerability unaddressed. Applying without change management (B) bypasses governance controls.


Question 17

A security awareness program trains all employees on phishing recognition. Despite 95% training completion, the finance department continues to fall for targeted spear-phishing attacks that reference real vendor names and invoice numbers.

What should the security operations team implement?

A. Block all emails containing invoices or financial attachments
B. Require all financial transactions to be verified through an out-of-band channel before processing
C. Terminate employees who repeatedly fail phishing tests
D. Increase the general phishing awareness training frequency to monthly

Answer & reasoning

Correct: B

Spear-phishing attacks targeting the finance department with legitimate-looking vendor information require a process control, not just awareness. Out-of-band verification (calling the vendor using a known number, not the one in the email) adds a validation step that defeats even well-crafted phishing. This is a compensating control that addresses the gap where training alone is insufficient against highly targeted attacks.


Question 18

An employee on a business trip to a high-risk country enters their hotel room and discovers their laptop bag has been moved from where they placed it. The laptop appears intact and powers on normally.

What should the employee do?

A. Run an antivirus scan and continue using the laptop if no threats are found
B. Report the incident to the security team immediately, stop using the device, and treat it as potentially compromised
C. Check the laptop for physical signs of tampering and continue using it if nothing visible is found
D. Back up important files to a USB drive and then report the incident

Answer & reasoning

Correct: B

Physical access to a device in a high-risk environment means the device must be treated as compromised. Hardware implants, firmware modifications, and sophisticated software attacks may leave no visible or scannable trace. The employee should stop using the device immediately and report to the security team, who can arrange forensic inspection and a replacement device. Using a potentially compromised device (A, C) or connecting USB media to it (D) extends the risk.


Question 19

An organization’s DR plan specifies a 4-hour RTO for its customer portal. During a tabletop exercise, the team identifies that the DNS propagation time after failover to the alternate site takes approximately 6 hours due to high TTL values configured on the domain.

What action is needed?

A. Increase the RTO to 8 hours to account for DNS propagation
B. Reduce DNS TTL values to allow faster propagation and align the actual recovery time with the 4-hour RTO
C. DNS propagation is outside the organization’s control and cannot be addressed
D. The tabletop exercise finding is theoretical and does not require action

Answer & reasoning

Correct: B

DNS TTL values are within the organization’s control and directly affect failover time. Reducing TTL values before a disaster ensures that DNS changes propagate faster when failover occurs. This is a common and practical finding from tabletop exercises. The RTO was set by the BIA and should not be adjusted to accommodate a technical limitation that can be fixed (A). DNS is controllable (C). Tabletop findings are exactly what drives plan improvements (D).


Question 20

A manufacturing company’s security operations center monitors both IT and OT (operational technology) networks. An analyst detects anomalous traffic on the OT network that suggests an unauthorized device is communicating with a programmable logic controller (PLC) managing a chemical mixing process.

What is the FIRST priority?

A. Block the unauthorized device’s network access immediately
B. Capture network traffic for forensic analysis before taking action
C. Assess whether the anomalous activity could affect the physical safety of personnel and the manufacturing process before taking network actions that could themselves cause a safety incident
D. Escalate to the IT security team for standard incident response procedures

Answer & reasoning

Correct: C

OT environments controlling physical processes require a safety-first assessment before any intervention. Abruptly blocking network access to a device communicating with a PLC could itself cause a safety incident if the PLC depends on that communication for safe operation. The first step is to assess the safety implications, coordinate with OT engineers, and then take action that addresses the security threat without creating a physical safety hazard. Standard IT incident response (D) may not account for OT safety constraints.
