Response Phase Question Bank

Universal Response Questions

Strategic Response Planning

These work for any Malmon after investigation is complete:

“Given everything you’ve learned, what’s your response strategy?”
“What are your priorities for stopping this threat?”
“How do you balance speed with thoroughness in your response?”
“What constraints affect your response options?”
“What could go wrong with your proposed approach?”
“How do you coordinate your individual actions into a team response?”

Risk Assessment Questions

“What’s the risk of taking action versus waiting for more information?”
“How do you minimize collateral damage during response?”
“What business operations must continue during your response?”
“What happens if your response fails or is incomplete?”
“How do you balance containment with evidence preservation?”

Role-Specific Response Questions

Detective Response Questions

Evidence Preservation

“What evidence needs to be preserved before taking response actions?”
“How do you maintain chain of custody during active response?”
“What documentation is critical for post-incident analysis?”
“How do you balance evidence collection with urgent containment?”
“What forensic data might be lost during response actions?”

Continued Investigation During Response

“What ongoing monitoring do you need during response actions?”
“How do you detect if the threat adapts to your countermeasures?”
“What indicators would show successful versus failed response actions?”
“How do you investigate while simultaneously responding?”
“What new evidence might emerge during the response phase?”

Validation and Verification

“How do you verify that your response actions are working?”
“What would confirm complete threat elimination?”
“How do you distinguish between successful containment and threat evolution?”
“What follow-up investigation is needed after initial response?”
“How do you validate system integrity after remediation?”

Protector Response Questions

Immediate Containment

“What systems need immediate isolation to prevent further spread?”
“How do you contain the threat without disrupting critical operations?”
“What defensive measures can be deployed rapidly?”
“How do you prevent the threat from detecting your response actions?”
“What emergency controls can be implemented immediately?”

System Hardening and Recovery

“What systems need to be rebuilt versus cleaned?”
“How do you harden systems against reinfection during recovery?”
“What security controls should be enhanced during rebuilding?”
“How do you prioritize system restoration for business continuity?”
“What patches or updates are critical for prevention?”

Defensive Strategy Implementation

“How do you implement layered defenses against this threat type?”
“What monitoring capabilities need to be enhanced?”
“How do you protect against similar future attacks?”
“What security architecture changes would prevent this attack?”
“How do you balance security improvements with operational needs?”

Tracker Response Questions

Network Containment

“How do you cut off the threat’s network access without disrupting business?”
“What network segmentation can prevent lateral movement?”
“How do you block command and control communications?”
“What traffic needs to be monitored during containment efforts?”
“How do you prevent data exfiltration during response actions?”

Data Protection and Recovery

“What data needs immediate protection from further compromise?”
“How do you secure backup systems during the response?”
“What data restoration is required for business continuity?”
“How do you verify data integrity after threat removal?”
“What data loss occurred and can it be recovered?”

Infrastructure Disruption

“How do you disrupt the attacker’s infrastructure without legal issues?”
“What coordination with external providers is needed?”
“How do you prevent the threat from establishing new infrastructure?”
“What threat intelligence sharing would help the broader community?”
“How do you track whether the threat has alternative access methods?”

Communicator Response Questions

Stakeholder Management

“Who needs to be informed about response actions and when?”
“How do you balance transparency with operational security during response?”
“What communication protocols are needed during active response?”
“How do you manage stakeholder expectations during extended response?”
“What regular updates are needed for different stakeholder groups?”

External Communication

“What regulatory notifications are required and when?”
“How do you coordinate with law enforcement during response?”
“What customer communication is needed about service impacts?”
“How do you manage media inquiries during active response?”
“What information can be shared with industry partners?”

Crisis Communication

“How do you maintain team morale during extended response efforts?”
“What communication is needed with affected users?”
“How do you coordinate with external incident response teams?”
“What legal consultation is needed for response decisions?”
“How do you prepare public statements if the incident becomes public?”

Crisis Manager Response Questions

Overall Response Coordination

“How do you orchestrate the team’s response efforts?”
“What decision-making authority is needed for response actions?”
“How do you allocate resources across competing response priorities?”
“What escalation criteria trigger additional response resources?”
“How do you maintain situational awareness during complex response operations?”

Business Continuity Management

“What critical business functions must be maintained during response?”
“How do you balance security response with operational requirements?”
“What alternative processes can substitute for compromised systems?”
“How do you manage the financial impact of extended response efforts?”
“What supply chain or partner impacts need management?”

Strategic Decision Making

“What response decisions require board or executive approval?”
“How do you assess the cost-benefit of different response options?”
“What long-term strategic changes should result from this incident?”
“How do you balance immediate response with future prevention?”
“What lessons learned should be captured during response?”

Threat Hunter Response Questions

Proactive Threat Elimination

“What additional threats should you hunt for during response?”
“How do you ensure complete threat removal, not just containment?”
“What persistence mechanisms might survive standard response actions?”
“How do you hunt for related threats that might be dormant?”
“What would indicate the threat has established backup access methods?”

Advanced Response Techniques

“What deception techniques could be used against this threat?”
“How do you respond without alerting other potential threats?”
“What threat intelligence should be gathered during response?”
“How do you coordinate with external threat hunting teams?”
“What attribution evidence should be collected during response?”

Future Prevention Strategy

“What threat hunting capabilities should be enhanced after this incident?”
“How do you develop proactive defenses against similar threats?”
“What threat intelligence feeds would have prevented this incident?”
“How do you improve organizational threat hunting maturity?”
“What partnerships would enhance future threat detection?”

Type-Effectiveness Questions

Exploiting Malmon Weaknesses

For Trojan-Type Malmons (Weak to Detection)

“How do you implement behavioral analysis to catch masquerading threats?”
“What detection rules would identify this type of deception?”
“How do you validate software authenticity in your environment?”
“What user training prevents future social engineering success?”
“How do you implement application whitelisting to prevent unauthorized software?”

For Worm-Type Malmons (Weak to Isolation)

“How do you rapidly implement network segmentation?”
“What network access controls can stop propagation immediately?”
“How do you isolate affected segments without business disruption?”
“What patching strategy addresses the propagation vector?”
“How do you prevent reinfection when bringing systems back online?”

For Ransomware-Type Malmons (Weak to Backup)

“How quickly can you restore from clean backups?”
“What backup verification is needed before restoration?”
“How do you prioritize system restoration for business continuity?”
“What additional backup strategies should be implemented?”
“How do you ensure backups are protected from future ransomware?”

For APT-Type Malmons (Weak to Intelligence)

“What threat intelligence helps understand this adversary’s methods?”
“How do you leverage external intelligence for response planning?”
“What indicators of compromise should be shared with the community?”
“How do you coordinate with national cybersecurity agencies?”
“What attribution information supports law enforcement action?”

Coordination and Team Response Questions

Team Synchronization

“How do your individual response actions support the overall strategy?”
“What information sharing is critical during response execution?”
“How do you avoid conflicting or counterproductive actions?”
“What coordination checkpoints are needed during extended response?”
“How do you maintain team cohesion under pressure?”

Resource Management During Response

“What additional expertise or resources are needed for effective response?”
“How do you manage team fatigue during extended response operations?”
“What external resources (contractors, law enforcement, vendors) should be engaged?”
“How do you prioritize resource allocation across competing response needs?”
“What budget authority is needed for response activities?”

Real-Time Adaptation

“How do you adapt your response if the threat evolves during your actions?”
“What would cause you to change your response strategy mid-execution?”
“How do you respond if your initial actions prove ineffective?”
“What backup response plans are needed if primary approaches fail?”
“How do you balance persistence with flexibility in response execution?”

Decision-Making Under Pressure

Critical Decision Points

“What decisions cannot be delayed without significant risk?”
“How do you make decisions with incomplete information?”
“What would you do if you had unlimited resources versus realistic constraints?”
“How do you balance perfect security with business reality?”
“What decisions would you make differently if this were your own company?”

Risk Tolerance Assessment

“What level of business disruption is acceptable to ensure complete threat removal?”
“How do you balance the risk of incomplete response with operational needs?”
“What would convince you to take more aggressive response actions?”
“How do you assess whether response actions are sufficient versus excessive?”
“What criteria determine when response efforts can be scaled back?”

Malmon-Specific Response Scenarios

Evolution Prevention Questions

“What would prevent [Malmon Name] from evolving to its next stage?”
“How do you disrupt the evolution triggers for this threat type?”
“What response timing is critical to prevent threat escalation?”
“How do you monitor for signs of attempted evolution during response?”
“What happens to your response strategy if evolution occurs during your actions?”

Advanced Threat Response

For Nation-State Threats (Stuxnet, Noodle RAT)

“How would you adapt your response approach for highly resourced adversaries?”
“What operational security practices have you used for sensitive incidents?”
“How would you coordinate with external agencies based on your experience?”
“What broader considerations would influence your response strategy?”
“How do you prepare for long-term, sophisticated threats?”

For Criminal Enterprise Threats (LockBit, Gh0st RAT)

“How would you balance law enforcement coordination with business needs?”
“What reporting obligations have you dealt with in financial incidents?”
“How do you manage security risks from adversarial retaliation?”
“What evidence preservation practices have you used before?”
“How do you handle disclosure decisions during ongoing investigations?”

Time-Pressure Response Questions

Immediate Action Requirements

“What must be done in the next 10 minutes to prevent catastrophic damage?”
“What can wait versus what requires immediate action?”
“How do you triage response priorities under extreme time pressure?”
“What response actions can be parallelized versus what must be sequential?”
“What would you do if you had only one response action available?”

Extended Response Planning

“What response activities need to continue over days or weeks?”
“How do you maintain response effectiveness during extended operations?”
“What shift coverage is needed for round-the-clock response?”
“How do you prevent responder burnout during marathon incidents?”
“What checkpoints help assess progress during long-term response?”

Response Success and Failure Questions

Success Metrics

“How do you measure whether your response was successful?”
“What indicators confirm complete threat elimination?”
“How do you validate that normal operations can safely resume?”
“What follow-up monitoring is needed to ensure response effectiveness?”
“How do you distinguish between threat elimination and temporary suppression?”

Failure Recovery

“What would you do if your primary response strategy fails?”
“How do you recover from response actions that make the situation worse?”
“What escalation options exist if current response proves insufficient?”
“How do you pivot to alternative response strategies under pressure?”
“What would force you to declare your response unsuccessful and try a different approach?”

Post-Response Transition Questions

Recovery and Restoration

“How do you transition from active response to recovery operations?”
“What system restoration priorities support business continuity?”
“How do you verify that recovery actions don’t reintroduce vulnerabilities?”
“What enhanced monitoring is needed during the recovery phase?”
“How do you communicate the transition from crisis response to normal operations?”

Lessons Learned Integration

“What changes to your response procedures are needed based on this experience?”
“How do you capture and institutionalize lessons learned during response?”
“What training or capability gaps were revealed during response?”
“How do you share response insights with the broader security community?”
“What would you do differently if facing this same threat again?”

Emergency Response Questions

When Response Stalls

“What’s preventing progress in your response efforts?”
“How do you break through analysis paralysis during response?”
“What would happen if you took action despite incomplete information?”
“What single action would have the biggest impact right now?”
“How do you overcome organizational resistance to necessary response actions?”

When Everything Goes Wrong

“What would you do if all your response actions backfire?”
“How do you maintain team cohesion when response fails?”
“What help would you call for in a worst-case scenario?”
“How do you protect what’s most critical when you can’t protect everything?”
“What would you tell leadership if your response appears to be failing?”