10 free, exam-style GIAC Response and Industrial Defense (GRID) practice questions with answers and explanations. No signup required. Work through them below, then take the full free GRID practice test to study every exam domain.
During an investigation, an ICS analyst reverse-engineers a malware sample recovered from an engineering workstation, derives new detection signatures and network indicators, and shares them with the sector ISAC. Within the Active Cyber Defense Cycle, these actions belong to which phase?
Correct answer: C - Threat and Environment Manipulation
Threat hunters confirm an adversary has established command-and-control on a historian in the corporate network and is harvesting credentials, but no control-system device or physical process has been affected. According to the ICS Cyber Kill Chain, the intrusion is currently in:
Correct answer: B - Stage 1 (Cyber Intrusion Preparation and Execution)
A plant must build an accurate asset inventory of a live process network that includes aging PLCs known to fault when probed. The OT security team needs make, model, firmware, and protocols for each device with the LOWEST risk to operations. Which discovery approach is MOST appropriate?
Correct answer: D - Passively analyze a SPAN/tap feed of existing network traffic
In a packet capture from a manufacturing cell, an analyst sees a workstation that is not the engineering station repeatedly sending function code 0x06 over TCP port 502 to a PLC. What is the analyst MOST likely observing?
Correct answer: A - Modbus write-single-register commands being issued to the PLC
When designing a defensible architecture using the Purdue Model, what is the PRIMARY security purpose of the Level 3.5 industrial DMZ (iDMZ)?
Correct answer: C - To broker traffic so there is no direct path between the enterprise (IT) and control (OT) networks
Mid-incident, responders determine that fully isolating an infected PLC would halt a continuously running process with potential safety consequences. The standard IT playbook calls for immediate containment by isolation. What is the MOST appropriate course of action in this ICS environment?
Correct answer: B - Coordinate with operations and engineering to contain the threat while preserving process safety and availability
A compromised HMI is still powered on and running. Following the order of volatility, which evidence should responders acquire FIRST?
Correct answer: D - A capture of the HMI's volatile memory (RAM)
An ICS defender wants to generate rich, protocol-aware connection logs and asset metadata from network traffic in order to build a behavioral baseline of normal communications, rather than only alerting on known-bad signatures. Which tool is BEST suited to this goal?
Correct answer: A - Zeek
While analyzing an intrusion with the Diamond Model, an analyst documents a domain name and a set of IP addresses that the adversary registered and used to host their command-and-control server. These artifacts map to which core feature of the Diamond Model?
Correct answer: C - Infrastructure
To triage a suspicious binary recovered from an OT network, an analyst inspects its file headers, embedded strings, and imported functions without ever running the file. This technique is BEST described as:
Correct answer: A - Static analysis
Practice hundreds more GRID questions with instant scoring, weak-area drills, and full exam simulations.