CompTIA CS0-003 Exam Actual Questions
CompTIA CySA+ (CS0-003) (Page 8)

Updated On: 13-Jun-2026

Which of the following is an important aspect that should be included in the lessons-learned step after an incident?

  A. Identify any improvements or changes in the incident response plan or procedures
  B. Determine if an internal mistake was made and who did it so they do not repeat the error
  C. Present all legal evidence collected and turn it over to law enforcement
  D. Discuss the financial impact of the incident to determine if security controls are well spent

Answer(s): A

Explanation:

Option A is correct because the lessons-learned phase focuses on identifying improvements to the incident response plan and procedures to prevent recurrence.
A) Correct — emphasizes updating IR playbooks, runbooks, and communication workflows based on findings.
B) Incorrect — assigning blame is counterproductive; best practice emphasizes blameless post-incident reviews that focus on process improvements, not individuals.
C) Incorrect — legal evidence handling is an investigative activity; lessons learned should reflect process enhancements, not ongoing legal procedures.
D) Incorrect — financial impact analysis may be part of business continuity or risk assessment but is not the primary focus of lessons learned in IR lifecycle.



The security operations team is required to consolidate several threat intelligence feeds due to redundant tools and portals. Which of the following will best achieve the goal and maximize results?

  A. Single pane of glass
  B. Single sign-on
  C. Data enrichment
  D. Deduplication

Answer(s): A

Explanation:

Option A is correct because a single pane of glass consolidates multiple threat intel feeds into one unified interface, reducing tool fragmentation and improving correlation, visibility, and response efficiency.
A) Correct — aligns threat intelligence into a centralized dashboard, enabling streamlined ingestion, correlation, and faster decision-making across feeds.
B) Incorrect — single sign-on focuses on authentication across tools, not consolidation of threat intelligence content or feeds.
C) Incorrect — data enrichment adds context to indicators but does not merge or deduplicate feeds from multiple sources.
D) Incorrect — deduplication removes duplicate items within a dataset; it does not consolidate multiple feeds into one view.



Which of the following would a security analyst most likely use to compare TTPs between different known adversaries of an organization?

  A. MITRE ATT&CK
  B. Cyber Kill Chain
  C. OWASP
  D. STIX/TAXII

Answer(s): A

Explanation:

Option A is correct because MITRE ATT&CK provides a publicly available knowledge base of adversary TTPs (tactics, techniques, and procedures) that can be used to compare and map behaviors across different threat actors.
B) Incorrect — the Cyber Kill Chain is an intrusion model describing the stages of an attack, not a catalogue for comparing TTPs across adversaries.
C) Incorrect — OWASP focuses on application security weaknesses, not adversary TTPs.
D) Incorrect — STIX is a data model and TAXII a transport protocol for sharing threat intelligence; together they move intelligence between parties but are not a structured framework for comparing TTPs between known adversaries.



An analyst is remediating items associated with a recent incident. The analyst has isolated the vulnerability and is actively removing it from the system. Which of the following steps of the process does this describe?

  A. Eradication
  B. Recovery
  C. Containment
  D. Preparation

Answer(s): A

Explanation:

Option A is correct because eradication involves removing threat components from the environment after containment, completing the cleanup phase of remediation.
B) Incorrect — recovery is restoring systems to normal operations after eradication, not the active removal itself.
C) Incorrect — containment is isolating affected systems to prevent spread, which occurs earlier; it is not the removal phase.
D) Incorrect — preparation is the proactive planning phase before an incident, not the remediation actions taken during or after containment.



Joe, a leading sales person at an organization, has announced on social media that he is leaving his current role to start a new company that will compete with his current employer. Joe is soliciting his current employer's customers. However, Joe has not resigned or discussed this with his current supervisor yet. Which of the following would be the best action for the incident response team to recommend?

  A. Isolate Joe's PC from the network
  B. Reimage the PC based on standard operating procedures
  C. Initiate a remote wipe of Joe's PC using mobile device management
  D. Perform no action until HR or legal counsel advises on next steps

Answer(s): D

Explanation:

Option D is correct because incident response should follow lawful, organizationally approved processes and coordinate with HR and legal counsel before taking any action against a user, to avoid policy violations or data loss. A, B, and C are premature technical actions that could affect user data, violate privacy, or contravene corporate policy without proper authorization and a documented escalation of risk. Isolating the PC (A) or reimaging/wiping it (B/C) could disrupt legitimate work, destroy evidence, or violate employment and records-retention laws. Without documented policy and authorization, the IR team should escalate to HR/legal and follow formal incident handling procedures, including evidence preservation and containment planning.



The Chief Information Security Officer is directing a new program to reduce attack surface risks and threats as part of a zero trust approach. The IT security team is required to come up with priorities for the program. Which of the following is the best priority based on common attack frameworks?

  A. Reduce the administrator and privileged access accounts
  B. Employ a network-based IDS
  C. Conduct thorough incident response
  D. Enable SSO to enterprise applications

Answer(s): A

Explanation:

Option A is correct because reducing administrator and privileged access aligns with zero trust and common attack frameworks (principle of least privilege, PAM controls) to minimize attack surface and limit insider/external abuse. It directly reduces harmful blast radius and credential abuse opportunities.
B) Incorrect — a network-based IDS detects threats but does not reduce the attack surface; it is a detection control, not the preventive privilege reduction that zero trust prioritizes.
C) Incorrect — thorough incident response is important but is not the top preventive priority for shrinking the attack surface; attack frameworks prioritize access controls and segmentation first.
D) Incorrect — enabling SSO improves usability but can widen trust boundaries if not paired with strong access controls; it is not the primary means of reducing attack surface.



During an extended holiday break, a company suffered a security incident. This information was properly relayed to appropriate personnel in a timely manner, and the server was up to date and configured with appropriate auditing and logging. The Chief Information Security Officer wants to find out precisely what happened. Which of the following actions should the analyst take first?

  A. Clone the virtual server for forensic analysis
  B. Log in to the affected server and begin analysis of the logs
  C. Restore from the last known-good backup to confirm there was no loss of connectivity
  D. Shut down the affected server immediately

Answer(s): A

Explanation:

Option A is correct because cloning the affected virtual server preserves the original state for forensically sound analysis, preventing contamination or alteration of evidence during examination. This aligns with standard incident response and digital forensics practice to create a working copy for analysis.
B is incorrect because analyzing logs directly on the live system risks altering evidence and may be hindered by ongoing activity; evidence should be preserved via a forensic copy first.
C is incorrect because restoring to a last known-good backup alters the system state, erasing potential evidence and hindering incident reconstruction.
D is incorrect because immediate shutdown should be avoided if containment and preservation steps are not yet completed; it can destroy volatile data and hinder investigation.



A systems administrator is reviewing after-hours traffic flows from data center servers and sees regular, outgoing HTTPS connections from one of the servers to a public IP address. The server should not be making outgoing connections after hours. Looking closer, the administrator sees this traffic pattern around the clock during work hours as well. Which of the following is the most likely explanation?

  A. Command-and-control beaconing activity
  B. Data exfiltration
  C. Anomalous activity on unexpected ports
  D. Network host IP address scanning
  E. A rogue network device

Answer(s): A

Explanation:

Option A is correct because persistent, regular HTTPS connections to a public IP from a server indicate C2 beaconing behavior, where a compromised host communicates with an adversary’s infrastructure to receive commands or exfiltrate data. The after-hours and around-the-clock pattern aligns with automated beaconing rather than legitimate maintenance traffic.
B) Incorrect — data exfiltration would typically show large or unusual outbound data volumes, not regular, small HTTPS connections to a single external endpoint.
C) Incorrect — anomalous activity on unexpected ports would involve nonstandard ports; HTTPS over port 443 is expected.
D) Incorrect — host scanning generates many rapid, short-lived connection attempts across addresses, not steady outbound HTTPS to one host.
E) Incorrect — a rogue device implies an unauthorized device on the network, not ongoing outbound beaconing from an existing, known server.



Viewing page 8 of 73
Viewing questions 57 - 64 out of 571 questions

