PPAN01 Practice Questions

Standards like NIST SP 800-61 provide a proven framework, but incident response must be operationalized to the organization’s reality. Customization is required to match mission, size, structure, and functions (D)—for example, whether the organization is regulated (financial/health), globally distributed, heavily supplier-dependent, or cloud-first. These factors determine evidence retention, legal notification triggers, escalation thresholds, and which teams own containment steps (email admin vs SOC vs IAM). Customization also improves effectiveness/efficiency by creating a repeatable process and documented handoffs (E): who triages TAP alerts, who executes TRAP pulls, who updates URL Defense blocklists, who performs account resets/token revocation, and how comms are handled with executives and end users. In Proofpoint-driven IR, handoffs are particularly important because email incidents often cross functional boundaries (SOC ↔ messaging team ↔ IAM ↔ helpdesk ↔ legal). Making plans “more generic” (A) is counterproductive; standards are already generic. Documenting every MSSP analyst contact (B) is fragile; role-based contacts are better, but that’s not the key reason for customizing a standard. Changing lifecycle order (C) is not the objective; improving fit and execution is.

BEC is difficult to detect primarily because it often lacks “traditional malware signals” and instead relies on human deception. Social engineering (C) is core: attackers craft believable narratives (invoice urgency, legal requests, gift card scams, payroll changes) tailored to organizational context. Impersonation (D) is the second pillar: display-name spoofing, lookalike domains, compromised vendor accounts, and executive/finance role impersonation. These tactics can produce messages that are text-only, low-volume, and free of obviously malicious attachments/URLs, making signature-based or URL reputation controls less effective. Proofpoint-specific defenses therefore emphasize identity and relationship signals (impostor detection, supplier risk, unusual sending patterns), authentication (SPF/DKIM/DMARC alignment), and behavioral context (who typically emails whom, anomalies in reply chains, newly observed domains). In IR, analysts triage BEC by validating headers, checking domain age and similarity, confirming invoice/payment workflows out-of-band, and scoping for mailbox compromise (rules/forwarding, suspicious OAuth grants). Because BEC “looks normal” at the technical layer, effective detection requires combining Proofpoint telemetry with process controls and fast escalation to business stakeholders.