Incident Response Interview Questions

See the questions that decide who gets hired for this role.

#1 | Junior | Incident Response | RDP | Hardening

Your vulnerability scanner finds 47 Windows servers with RDP exposed directly to the internet on port 3389. The ops team says they need RDP for emergency access and cannot wait for a VPN. How do you reduce the risk immediately while building a proper long-term solution?

#2 | Mid | Incident Response | RDP | Brute-Force

Security logs show a successful RDP login from an external IP after thousands of failed attempts. The account is a local administrator. Walk through your response.

#3 | Senior | Incident Response | APT

Your threat intel team has evidence that an APT group has been in your environment for 6 months. Lead the investigation without tipping off the attackers.
