GIAC GCIH Sample Questions & Practice Test

Try 12 GIAC Certified Incident Handler (GCIH) sample questions and practice-test preview prompts on triage, containment, evidence handling, malware indicators, escalation, recovery, and post-incident review.

GIAC Certified Incident Handler (GCIH) is an incident-response route for candidates who need to identify attacks, triage alerts, contain compromised systems, preserve evidence, communicate clearly, and move from response to recovery.

Use this page to preview the kind of incident-handling decisions a GCIH practice route should test. The questions below are original IT Mastery sample questions, not official GIAC exam questions.

What this route should test

  • distinguishing suspicious events from confirmed incidents using evidence
  • choosing containment actions that preserve visibility and reduce impact
  • recognizing attack behaviors such as phishing, command-and-control, credential theft, and lateral movement
  • moving from immediate response to recovery, lessons learned, and control improvement

Sample Exam Questions

Question 1

Topic: triage

An endpoint alert shows credential dumping behavior, an unusual parent process, and outbound connections to a newly seen domain. What is the best triage step?

  • A. Close the alert because one event is not proof
  • B. Delete the endpoint logs
  • C. Treat it as a high-priority incident candidate, collect related evidence, and follow containment procedure
  • D. Ask the user to reboot and continue working

Best answer: C

Explanation: Multiple indicators across process behavior and network activity justify escalation. Triage should preserve evidence and follow the response procedure.


Question 2

Topic: containment

A workstation is suspected of active malware communication. What containment approach is usually safest?

  • A. Isolate the system using approved process while preserving forensic evidence and required business context
  • B. Power it off immediately in every case without documenting state
  • C. Ignore it until the next patch cycle
  • D. Give the user local administrator rights to investigate

Best answer: A

Explanation: Containment should reduce ongoing harm while preserving useful evidence. The exact action depends on procedure and business impact.


Question 3

Topic: evidence handling

Why should responders document timestamps, actions taken, and evidence sources during an incident?

  • A. Documentation is only for legal teams
  • B. It slows down response and should be skipped
  • C. It is useful only after public disclosure
  • D. It supports timeline reconstruction, repeatable analysis, accountability, and later review

Best answer: D

Explanation: Incident documentation helps responders understand scope and sequence. It also supports handoff, reporting, and lessons learned.


Question 4

Topic: malware indicators

Several hosts run a new executable from a user-writable directory shortly after receiving the same email attachment. What does this most likely indicate?

  • A. Normal software deployment
  • B. Possible malware execution tied to a phishing campaign
  • C. A firewall rule cleanup task
  • D. Scheduled backup validation

Best answer: B

Explanation: Execution from user-writable paths after a common attachment is suspicious. The team should connect endpoint and email evidence.


Question 5

Topic: command-and-control

Which pattern is most suspicious for command-and-control activity?

  • A. A server downloading an approved patch from a known vendor
  • B. A user visiting a documented SaaS app
  • C. Regular outbound beaconing to a rare domain with similar packet sizes and timing
  • D. A printer receiving a print job

Best answer: C

Explanation: Repeated beaconing to rare infrastructure can indicate C2. Timing, destination reputation, payload size, and host context matter.


Question 6

Topic: log correlation

An attacker may have used stolen credentials. Which evidence combination is most useful?

  • A. Sign-in logs, MFA events, impossible-travel signals, endpoint activity, privilege changes, and accessed resources
  • B. Office seating charts only
  • C. A screenshot of the company homepage
  • D. The user’s preferred browser theme

Best answer: A

Explanation: Credential incidents require correlation across identity, endpoint, privilege, and resource-access evidence to determine scope.


Question 7

Topic: phishing response

A phishing email reached several users, and one user clicked. What should the response team do?

  • A. Delete the ticket because only one user clicked
  • B. Send the same attachment to IT for testing
  • C. Publish the user’s name to discourage mistakes
  • D. Identify recipients, remove or quarantine messages, protect clicked accounts, and preserve indicators

Best answer: D

Explanation: Phishing response should address both delivered messages and affected users. The team should protect accounts and preserve indicators for detection.


Question 8

Topic: lateral movement

A compromised endpoint authenticates to multiple servers it has never accessed before. What should responders suspect?

  • A. Normal browser caching
  • B. Possible lateral movement or credential misuse
  • C. A display-driver update
  • D. A harmless DNS typo

Best answer: B

Explanation: New authentication paths from a compromised host can indicate lateral movement. Responders should review credentials, host activity, and target systems.


Question 9

Topic: communication

During a major incident, why should external communications be coordinated through the incident process?

  • A. To hide all technical facts forever
  • B. To prevent responders from collecting evidence
  • C. To keep messaging accurate, authorized, and consistent with legal, regulatory, and customer obligations
  • D. To replace technical investigation with public relations

Best answer: C

Explanation: Incident communication must be accurate and coordinated. Uncontrolled statements can create legal, regulatory, or customer-trust problems.


Question 10

Topic: recovery

After containing ransomware on several systems, what should happen before reconnecting restored hosts?

  • A. Validate clean restore points, patch or fix root cause, rotate affected credentials, and monitor for recurrence
  • B. Reconnect immediately because files are visible again
  • C. Disable monitoring to reduce alerts
  • D. Reuse compromised credentials to save time

Best answer: A

Explanation: Recovery should not reintroduce the same compromise path. Clean restores, root-cause fixes, credential hygiene, and monitoring are essential.


Question 11

Topic: lessons learned

What is the main purpose of a post-incident review?

  • A. Assign blame to the first person who reported the issue
  • B. Delete evidence and close all tickets
  • C. Avoid changing controls after the incident
  • D. Identify what happened, what worked, what failed, and which controls or procedures need improvement

Best answer: D

Explanation: Lessons learned should improve future detection, response, communication, and prevention. The goal is operational improvement, not blame.


Question 12

Topic: severity

Which incident should usually receive higher severity?

  • A. A single blocked malware download on a patched test system
  • B. Confirmed compromise of an administrator account with evidence of privilege use
  • C. A user mistyping a password once
  • D. A low-risk vulnerability on a retired isolated host

Best answer: B

Explanation: Administrator compromise can affect many systems and data sets. Severity should reflect impact, privilege, spread, and confidence.

Quick readiness checklist

If you miss…                  | Drill this next
------------------------------|----------------------------------------------------------------------
first-response questions      | triage, evidence preservation, and escalation thresholds
containment questions         | isolation, business impact, and procedure-driven actions
attacker-behavior questions   | phishing, credential theft, C2, and lateral movement
recovery questions            | root-cause correction, clean restore, credential rotation, and monitoring
Revised on Monday, May 18, 2026