Free CompTIA CS0-003 Practice Questions 2026 - Page 18


A security team needs to demonstrate how prepared the team is in the event of a cyberattack. Which of the following would best demonstrate a real-world incident without impacting operations?

A. Review lessons-learned documentation and create a playbook.

B. Gather all internal incident response party members and perform a simulation.

C. Deploy known malware and document the remediation process

D. Schedule a system recovery to the DR site for a few applications.

B.   Gather all internal incident response party members and perform a simulation.

Explanation:

Simulations (often called tabletop exercises or incident response simulations) are designed to test preparedness without affecting operations. They are structured scenarios that involve key stakeholders (e.g., security analysts, IT, legal, PR) working through a hypothetical cyberattack step by step.

This allows teams to:

Identify gaps in procedures or communication

Practice their incident response playbooks

Evaluate detection, containment, and recovery readiness

Why the Other Options Are Incorrect:

Review lessons-learned documentation and create a playbook:
Useful for planning, but not an active test of preparedness.

Deploy known malware and document the remediation process:
Too risky—could disrupt systems or lead to unintended damage.

Schedule a system recovery to the DR site for a few applications:
Tests disaster recovery (DR), not security incident response directly.

Reference:
Domain 4.3: "Given a scenario, analyze and respond to an incident using appropriate processes."
Simulations are a safe and controlled way to test real-world readiness.

Which of the following security operations tasks are ideal for automation?

A. Suspicious file analysis: Look for suspicious-looking graphics in a folder. Create subfolders in the original folder based on category of graphics found. Move the suspicious graphics to the appropriate subfolder

B. Firewall IoC block actions: Examine the firewall logs for IoCs from the most recently published zero-day exploit. Take mitigating actions in the firewall to block the behavior found in the logs. Follow up on any false positives that were caused by the block rules.

C. Security application user errors: Search the error logs for signs of users having trouble with the security application. Look up the user's phone number. Call the user to help with any questions about using the application.

D. Email header analysis: Check the email header for a phishing confidence metric greater than or equal to five. Add the domain of the sender to the block list. Move the email to quarantine.

D.   Email header analysis: Check the email header for a phishing confidence metric greater than or equal to five. Add the domain of the sender to the block list. Move the email to quarantine.

Explanation:

Automation is ideal for repetitive, rule-based tasks that require fast, consistent responses. Among the options, firewall IoC (Indicator of Compromise) block actions and email header analysis are the most fitting because they:

Involve parsing logs/data for known patterns (IoCs, metrics)

Can be automatically mapped to security responses (e.g., block, quarantine)

Are time-sensitive and benefit from speed

Have well-defined logic paths

Why “Firewall IoC block actions” is ideal for automation:

Log scanning for IoCs (e.g., IPs/domains associated with threats) can be done automatically.

Blocking threats in firewalls can be scripted based on predefined rules or threat feeds.

SOAR platforms often automate this task.

False positive handling can also be partially automated or flagged for manual review.

Email header analysis is also a good candidate:

Parsing headers for phishing metrics

Automatically blacklisting domains

Quarantining suspicious messages

Why the other two are not ideal for automation:

Suspicious file analysis involving “graphics” categorization: This likely involves image recognition and subjective judgment — not ideal unless supported by advanced AI/ML, which is not typical in standard SecOps automation.

Security application user errors and calling users: This is manual, user-facing, and requires communication, empathy, and case-by-case troubleshooting — unsuitable for automation.

Reference:
Domain 4.2: Identify the appropriate automation and orchestration techniques. Examples include firewall rule updates, email threat isolation, IOC-based blocking, etc.
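Option D's three steps as an added Python example (not the page's own code): it triages constructed messages, assumes the mail gateway stamps an integer X-Phishing-Confidence header (the header name is illustrative), and additionally routes unscored mail to a human, which option D does not spell out.

```python
import email
from email.utils import parseaddr

# Constructed sample messages for this example (not from the original page).
# Assumption: the mail gateway stamps each message with an integer
# X-Phishing-Confidence header; the header name is illustrative.
SAMPLE_MESSAGES = [
    "From: billing@example-invoices.test\r\nTo: user@corp.test\r\n"
    "Subject: Overdue invoice\r\nX-Phishing-Confidence: 7\r\n\r\nPay now.\r\n",
    "From: newsletter@example.test\r\nTo: user@corp.test\r\n"
    "Subject: Weekly digest\r\nX-Phishing-Confidence: 2\r\n\r\nHello.\r\n",
    "From: \"Alice\" <alice@partner.test>\r\nTo: user@corp.test\r\n"
    "Subject: Lunch?\r\n\r\nNo score header at all.\r\n",
]

THRESHOLD = 5  # option D: phishing confidence "greater than or equal to five"


def triage(raw, blocklist, quarantine):
    """Apply option D's rule to one raw RFC 5322 message.

    Mutates blocklist (set of domains) and quarantine (list of subjects) and
    returns a decision record so every automated action can be audited.
    """
    msg = email.message_from_string(raw)
    score_hdr = msg.get("X-Phishing-Confidence")
    try:
        score = int(score_hdr) if score_hdr is not None else None
    except ValueError:
        score = None  # malformed metric: treat as unscored rather than guess
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    decision = {"from_domain": domain, "score": score, "action": "deliver"}
    if score is None:
        # Not part of option D: unscored mail goes to a human instead of
        # being silently delivered.
        decision["action"] = "review"
    elif score >= THRESHOLD and domain:
        blocklist.add(domain)                       # step 2: block sender domain
        quarantine.append(msg.get("Subject", ""))   # step 3: quarantine message
        decision["action"] = "quarantine+block"
    return decision


def run_pipeline(messages=SAMPLE_MESSAGES):
    """Run triage over a batch; returns (decisions, blocklist, quarantine)."""
    blocklist, quarantine = set(), []
    decisions = [triage(m, blocklist, quarantine) for m in messages]
    return decisions, blocklist, quarantine
```

Blocking at domain level is coarse (a high score on one message from a shared provider blocks that whole domain), so the returned decision records are the input for the false-positive follow-up the explanation mentions.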

Following a recent security incident, the Chief Information Security Officer is concerned with improving visibility and reporting of malicious actors in the environment. The goal is to reduce the time to prevent lateral movement and potential data exfiltration. Which of the following techniques will best achieve the improvement?

A. Mean time to detect

B. Mean time to respond

C. Mean time to remediate

D. Service-level agreement uptime

A.   Mean time to detect

Explanation:

The question asks which technique will best achieve the Chief Information Security Officer’s (CISO) goal of improving visibility and reporting of malicious actors in the environment to reduce the time to prevent lateral movement and potential data exfiltration following a recent security incident. Mean time to detect (MTTD) is the most effective technique, as it focuses on reducing the time taken to identify malicious actors, enabling faster detection and containment to prevent lateral movement and data exfiltration. This aligns with the CS0-003 exam’s Security Operations (Domain 1) and Incident Response and Management (Domain 3) objectives, which emphasize improving detection capabilities and minimizing incident impact.

Why A is Correct:

MTTD Overview: Mean time to detect measures the average time from when a malicious activity (e.g., malware execution, unauthorized access) occurs to when it is identified by the security team (e.g., via SIEM alerts, EDR detections). Improving MTTD enhances visibility by ensuring threats are identified quickly.

Addressing CISO’s Goals:

Improved Visibility: Faster detection through tools like EDR (per prior questions) or SIEM with enriched data (e.g., malicious IP correlation) provides better visibility into malicious actors’ actions (e.g., reverse shells, per prior questions).

Preventing Lateral Movement: Early detection (e.g., spotting a compromised account used in an on-path attack) allows containment (e.g., microsegmentation, account disablement) before adversaries move to other systems.

Preventing Data Exfiltration: Quick identification of malicious activity (e.g., via IOCs in firewall logs) enables blocking exfiltration attempts (e.g., to C2 servers), protecting sensitive data like PHI in a healthcare context.

Healthcare Context: In a healthcare organization (per prior questions), reducing MTTD prevents ransomware or data breaches, ensuring HIPAA compliance by minimizing the window of exposure for PHI.

CS0-003 Alignment: Domain 1 emphasizes enhancing detection capabilities through monitoring and analytics, while Domain 3 supports rapid identification to limit incident impact, both prioritizing MTTD.

Why Other Options Are Incorrect:

B. Mean time to respond

Reason: Mean time to respond (MTTR) measures the time from detection to initial response (e.g., containment actions like isolating a system). While important, it occurs after detection, so improving MTTR doesn’t directly enhance visibility or reporting of malicious actors. MTTD is more critical for early identification to prevent lateral movement.

C. Mean time to remediate

Reason: Mean time to remediate measures the time to fully resolve an incident (e.g., patching vulnerabilities, removing malware). It occurs after detection and response, making it less relevant for improving visibility and preventing initial lateral movement or exfiltration compared to MTTD.

D. Service-level agreement uptime

Reason: SLA uptime measures system availability (e.g., 99.9% uptime for servers) and is unrelated to detecting or reporting malicious actors. It doesn’t address visibility, lateral movement, or data exfiltration, making it irrelevant to the CISO’s goals.

Additional Context:

MTTD Improvement Techniques:

Deploy EDR on endpoints (e.g., CrowdStrike, per prior questions) to detect malicious behavior (e.g., reverse shells). Enhance SIEM with data enrichment (e.g., correlating IPs with threat feeds, per prior questions) for faster IOC detection. Use microsegmentation (per prior questions) to limit lateral movement post-detection.

Example: Reducing MTTD from hours to minutes by tuning SIEM rules to detect suspicious logins (e.g., from unusual IPs).

Healthcare Relevance: Faster detection prevents PHI breaches (e.g., via SQL injection or on-path attacks, per prior questions), critical for HIPAA compliance.

CS0-003 Relevance: Domain 1 tests improving detection through monitoring, while Domain 3 emphasizes minimizing incident dwell time, often via performance-based questions (PBQs).

Reference:

CompTIA CySA+ (CS0-003) Exam Objectives, Domains 1 (Security Operations) and 3 (Incident Response and Management), covering detection metrics and incident response.

An analyst is evaluating a vulnerability management dashboard. The analyst sees that a previously remediated vulnerability has reappeared on a database server. Which of the following is the most likely cause?

A. The finding is a false positive and should be ignored.

B. A rollback had been executed on the instance.

C. The vulnerability scanner was configured without credentials.

D. The vulnerability management software needs to be updated.

B.   A rollback had been executed on the instance.

Explanation:

If a previously remediated vulnerability reappears, the most likely cause is that the system was rolled back to a previous state (e.g., via snapshot, backup, or failover) that still contained the vulnerability. This can happen when:

A database server crashes or is restored from backup.

A rollback is performed for operational or testing reasons.

An older software version or configuration (with the vulnerability) gets reapplied.

Why the other options are incorrect:

The finding is a false positive and should be ignored:
A reappearing vulnerability that was known and previously fixed is not a false positive by default. Dismissing it could lead to real risk.

The vulnerability scanner was configured without credentials:
That would likely fail to detect deeper system-level vulnerabilities, not cause reappearance of previously fixed ones. Also, it would have appeared as a scan limitation, not as a reintroduced vuln.

The vulnerability management software needs to be updated:
If the vulnerability was already known and fixed, software updates would not make it reappear. Updates could affect detection capabilities, but not undo remediations.

Reference:

Domain 3.4: Remediate vulnerabilities in accordance with a risk management strategy. This includes recognizing the risk of configuration drift and rollbacks restoring insecure states.

An analyst is trying to capture anomalous traffic from a compromised host. Which of the following are the best tools for achieving this objective? (Select two).

A. tcpdump

B. SIEM

C. Vulnerability scanner

D. Wireshark

E. Nmap

F. SOAR

A.   tcpdump
D.   Wireshark

Explanation:

tcpdump:

A powerful command-line packet analyzer.

Great for capturing raw network traffic directly from the compromised host.

Lightweight and widely used in incident response and forensics.

Wireshark:

A GUI-based network protocol analyzer.

Allows deep inspection of captured packets for signs of intrusion or odd behavior.

Ideal for analysts reviewing traffic patterns, payloads, and anomalies in detail.

Why not the others?

SIEM (Security Information and Event Management):
Better for aggregating logs and generating alerts, not direct traffic capture.

Vulnerability scanner:
Identifies system weaknesses but doesn't monitor or capture live traffic.

Nmap:
Primarily used for port scanning and network mapping—not for traffic analysis.

SOAR (Security Orchestration, Automation, and Response):
Enhances incident response workflows but doesn't itself capture traffic.

Which of the following should be updated after a lessons-learned review?

A. Disaster recovery plan

B. Business continuity plan

C. Tabletop exercise

D. Incident response plan

D.   Incident response plan

Explanation:

After conducting a lessons-learned review following an incident, the primary goal is to improve how future incidents are handled. Therefore, the incident response plan (IRP) should be updated to:

Address any gaps identified during the incident.

Improve procedures and communication.

Implement new controls or countermeasures.

Why not the others?

Disaster recovery plan (DRP):
Focuses on restoring IT operations after major disruptions like natural disasters, not day-to-day security incidents.

Business continuity plan (BCP):
Ensures essential functions can continue during a crisis but isn’t directly improved by most incident-specific lessons.

Tabletop exercise:
It's a simulation, not a plan; results from a tabletop might trigger updates, but not the other way around.

Reference:
[CompTIA CySA+ (CS0-003) Objectives – Domain 3.3: Incident response process improvements]

Which of the following is the best authentication method to secure access to sensitive data?

A. An assigned device that generates a randomized code for login

B. Biometrics and a device with a personalized code for login

C. Alphanumeric/special character username and passphrase for login

D. A one-time code received by email and push authorization for login

B.   Biometrics and a device with a personalized code for login

Explanation:

This option represents multi-factor authentication (MFA) using:

Something you are → Biometrics (e.g., fingerprint, face recognition)

Something you have → Device

Something you know → Personalized code

This layered approach provides the highest level of security for sensitive data by making unauthorized access far more difficult.

Why not the others?

Assigned device with randomized code: Only one factor (something you have) — not strong enough alone.

Alphanumeric/special character username + passphrase: Still just one factor (something you know).

One-time code via email and push: May seem like MFA, but email is insecure and can be compromised; push notifications without biometrics or passcodes can be weak.

Reference:

[CompTIA CySA+ CS0-003 | Domain 2.3: Identity and Access Management Security Controls]

A security analyst is trying to identify anomalies on the network routing. Which of the following functions can the analyst use on a shell script to achieve the objective most accurately?

A. function x() { info=$(geoiplookup $1) && echo "$1 | $info" }

B. function x() { info=$(ping -c 1 $1 | awk -F "/" 'END{print $5}') && echo "$1 | $info" }

C. function x() { info=$(dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" '{print $1} ').origin.asn.cymru.com TXT +short) && echo "$1 | $info" }

D. function x() { info=$(traceroute -m 40 $1 | awk 'END{print $1}') && echo "$1 | $info" }

C.   function x() { info=$(dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" '{print $1} ').origin.asn.cymru.com TXT +short) && echo "$1 | $info" }

Explanation:

The question asks which shell script function a security analyst should use to most accurately identify anomalies on network routing. The function in option C is the best choice, as it retrieves the Autonomous System Number (ASN) and related routing information for a given IP address, which is critical for detecting routing anomalies such as BGP hijacking or unexpected routing paths. This aligns with the CS0-003 exam’s Security Operations (Domain 1) and Incident Response and Management (Domain 3) objectives, which emphasize network monitoring and analyzing indicators of compromise (IOCs) for network-based attacks.

Analysis of Each Option:
A. function x() { info=$(geoiplookup $1) && echo "$1 | $info" }

Functionality: Uses geoiplookup to retrieve geolocation data (e.g., country, city) for an IP address.

Relevance: Geolocation is useful for identifying where an IP originates geographically but does not provide routing-specific information (e.g., ASN, routing paths). It’s ineffective for detecting anomalies like BGP misconfigurations or routing hijacks.

Why Incorrect: Routing anomalies involve unexpected paths or ASNs, not physical locations, making this less accurate for the objective.

B. function x() { info=$(ping -c 1 $1 | awk -F "/" 'END{print $5}') && echo "$1 | $info" }

Functionality: Sends one ICMP ping to the IP address and extracts the average round-trip time (RTT) from the output (the avg field of the ping summary).

Relevance: RTT measures network latency but provides no insight into routing paths, ASNs, or network topology. It cannot detect routing anomalies like unexpected hops or BGP issues.

Why Incorrect: Latency data is irrelevant to routing anomalies, which require path or ASN analysis.

C. function x() { info=$(dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" '{print $1} ').origin.asn.cymru.com TXT +short) && echo "$1 | $info" }

Functionality:

Performs a reverse DNS lookup (dig -x $1) to resolve the IP address to a hostname.

Takes the last line containing PTR (grep PTR | tail -n 1) and splits it at ".in-addr" (awk -F ".in-addr" '{print $1}') to extract the reversed-octet form of the IP from the in-addr.arpa name.

Queries *.origin.asn.cymru.com for the ASN and routing information (e.g., AS number, BGP prefix) via a DNS TXT record.

Outputs the IP and its ASN/routing data.

Relevance: ASN and BGP prefix information directly relate to network routing, enabling the analyst to detect anomalies like BGP hijacking (e.g., an IP routed through an unexpected ASN) or misconfigured routes. This is critical for identifying routing anomalies in a network.

Why Correct: This function provides precise routing data, making it the most accurate for detecting anomalies like unauthorized route changes or malicious ASNs.

Example Output: For IP 8.8.8.8, it might return 8.8.8.8 | AS15169 Google LLC, revealing the AS controlling the IP’s routing.

D. function x() { info=$(traceroute -m 40 $1 | awk 'END{print $1}') && echo "$1 | $info" }

Functionality: Runs traceroute with a maximum of 40 hops to the IP and extracts the last hop’s address (or name) from the output.

Relevance: Traceroute shows the network path to the destination, which can help identify routing anomalies (e.g., unexpected hops). However, extracting only the last hop provides limited information, missing intermediate routing details or ASN data critical for anomaly detection.

Why Incorrect: While traceroute is relevant, the function’s output (just the last hop) is less comprehensive than ASN data (option C), reducing its accuracy for routing anomaly detection.

Why C is Most Accurate:

Routing Anomalies: Anomalies in network routing often involve BGP misconfigurations, route hijacking, or unexpected ASNs (e.g., an IP routed through a malicious AS). Option C directly queries ASN data, which is central to identifying such issues.

Security Context: In a healthcare organization (per prior questions), routing anomalies could indicate an on-path attack (e.g., redirecting traffic to a malicious server, per prior MITM question) or data exfiltration attempts, risking PHI exposure. ASN data helps verify legitimate routing paths.

CS0-003 Alignment: Domain 1 emphasizes monitoring network traffic for anomalies, while Domain 3 supports analyzing IOCs like unexpected routing during incident response, both favoring ASN-based analysis.

Example Use Case: If a server’s traffic (e.g., SVR01 from prior questions) routes through an unexpected ASN (e.g., a known malicious AS), option C’s output flags this anomaly, enabling rapid investigation.

Additional Context:

Implementation:

Run the script: ./script.sh 8.8.8.8 outputs 8.8.8.8 | AS15169 Google LLC.

Automate in a SIEM (e.g., Splunk) to check ASNs for all outbound IPs, flagging anomalies (e.g., traffic to ASNs not in an allowlist).

Healthcare Relevance: Ensures secure routing for systems handling PHI, preventing interception or redirection of sensitive data.

CS0-003 Relevance: Domain 1 tests network monitoring tools, while Domain 3 emphasizes analyzing network-based IOCs, often via performance-based questions (PBQs).

Reference:

CompTIA CySA+ (CS0-003) Exam Objectives, Domains 1 (Security Operations) and 3 (Incident Response and Management), www.comptia.org, covering network monitoring and anomaly detection.
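An added Python version of option C's lookup and of the allowlist check described under Implementation (not the page's or Team Cymru's code): it derives the reversed-octet query name directly, parses TXT answers in the origin.asn.cymru.com format from a constructed table, and flags addresses whose origin AS is not allowlisted. The addresses are RFC 5737 documentation ranges and the ASNs documentation ASNs, not live lookup results.

```python
import ipaddress

# Constructed answers in the format the origin.asn.cymru.com TXT records use
# ("ASN | prefix | CC | registry | allocation date"). Documentation addresses
# and documentation ASNs only; nothing here is a live lookup result.
FAKE_DNS_TXT = {
    "5.113.0.203.origin.asn.cymru.com": '"64496 | 203.0.113.0/24 | US | arin | 2001-01-01"',
    "9.100.51.198.origin.asn.cymru.com": '"64497 | 198.51.100.0/24 | US | arin | 2001-01-01"',
}


def cymru_origin_name(ip):
    """Build the query name the page's dig pipeline obtains via the PTR
    lookup: octets reversed, then '.origin.asn.cymru.com' appended."""
    addr = ipaddress.IPv4Address(ip)  # ValueError for anything that is not IPv4
    return ".".join(reversed(str(addr).split("."))) + ".origin.asn.cymru.com"


def parse_cymru_txt(txt):
    """Parse one origin TXT record. The first field may list several ASNs
    separated by spaces when a prefix is announced by more than one AS."""
    fields = [f.strip() for f in txt.strip().strip('"').split("|")]
    if len(fields) < 2 or not fields[0]:
        raise ValueError(f"unexpected TXT format: {txt!r}")
    return {
        "asns": {int(a) for a in fields[0].split()},
        "prefix": fields[1],
        "cc": fields[2] if len(fields) > 2 else "",
    }


def lookup(ip, resolver=FAKE_DNS_TXT.get):
    """Return parsed origin data for ip, or None when no record exists.
    resolver maps a query name to its TXT string (a dict here; in production
    it would issue the DNS TXT query that dig does in option C)."""
    txt = resolver(cymru_origin_name(ip))
    return parse_cymru_txt(txt) if txt else None


def flag_unexpected_asn(ips, allowed_asns, resolver=FAKE_DNS_TXT.get):
    """The SIEM-style check from the explanation: return (ip, asns) for every
    address whose origin AS is not allowlisted or whose origin is unknown."""
    flagged = []
    for ip in ips:
        info = lookup(ip, resolver)
        asns = info["asns"] if info else set()
        if not asns & allowed_asns:
            flagged.append((ip, asns))
    return flagged
```

Deriving the reversed octets directly also removes the page function's dependence on a PTR record existing: when dig -x returns no answer, its grep PTR | tail -n 1 picks up the question-section line (prefixed with ";") instead, and the resulting query name is malformed.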

A web application has a function to retrieve content from an internal URL to identify CSRF attacks in the logs. The security analyst is building a regular expression that will filter out the correctly formatted requests. The target URL is https://10.1.2.3/api, and the receiving API only accepts GET requests and uses a single integer argument named "id." Which of the following regular expressions should the analyst use to achieve the objective?

A. (?!https://10\.1\.2\.3/api\?id=[0-9]+)

B. "https://10\.1\.2\.3/api\?id=\d+

C. (?:"https://10\.1\.2\.3/api\?id-[0-9]+)

D. https://10\.1\.2\.3/api\?id«[0-9J$

B.   "https://10\.1\.2\.3/api\?id=\d+

Explanation:

To filter logs and match only correctly formatted requests to:

https://10.1.2.3/api?id=123

You need a regular expression that:

Matches exact URL format

Accepts only GET requests

Includes integer value for id

Breakdown of Option B:

https://10\.1\.2\.3/api\?id= → Matches the correct static URL path.

\d+ → Matches one or more digits.

The surrounding " is optional but may represent string match context in logs.

Correct syntax & logic. Matches only valid GET requests to the internal API with a numeric id argument.

Incorrect Options:

A. (?!https://10\.1\.2\.3/api\?id=[0-9]+)
Negative lookahead. It matches everything except the correct format — opposite of the goal.

C. (?:"https://10\.1\.2\.3/api\?id-[0-9]+)
Incorrect syntax. id- should be id=. Also, (?:" is unnecessary here.

D. https://10\.1\.2\.3/api\?id«[0-9J$
Syntax errors («, [0-9J) — invalid regex.
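The four candidate patterns run over constructed log lines, as an added Python example (not from the page): it shows that A matches every line as an empty string, B matches the well-formed requests, C matches nothing and D does not compile. It also goes one step beyond the question with STRICT, a variant that anchors the closing quote and the GET method, which option B as written does not check.

```python
import re

# Constructed log lines for this example (not from the original page); the
# request URL is quoted, which is why option B starts with a double quote.
LOG_LINES = [
    '2026-01-15T10:00:01Z 10.1.2.50 GET "https://10.1.2.3/api?id=42" 200',
    '2026-01-15T10:00:02Z 10.1.2.51 GET "https://10.1.2.3/api?id=7" 200',
    '2026-01-15T10:00:03Z 10.1.2.52 GET "https://10.1.2.3/api?id=42&user=admin" 200',
    '2026-01-15T10:00:04Z 10.1.2.53 GET "https://10.1.2.3/api?id=abc" 400',
    '2026-01-15T10:00:05Z 10.1.2.54 POST "https://10.1.2.3/api?id=42" 403',
]

# The four answer choices exactly as the question gives them.
CANDIDATES = {
    "A": r'(?!https://10\.1\.2\.3/api\?id=[0-9]+)',
    "B": r'"https://10\.1\.2\.3/api\?id=\d+',
    "C": r'(?:"https://10\.1\.2\.3/api\?id-[0-9]+)',
    "D": r'https://10\.1\.2\.3/api\?id«[0-9J$',
}

# Added tightening (not one of the answer choices): require the GET method and
# the closing quote, so extra query parameters and other methods are excluded.
STRICT = r'GET "https://10\.1\.2\.3/api\?id=\d+"'


def compile_or_none(pattern):
    """Compile a pattern; return None instead of raising on invalid syntax."""
    try:
        return re.compile(pattern)
    except re.error:
        return None


def matching_lines(pattern, lines=LOG_LINES):
    """Indexes of lines where re.search finds the pattern, or None when the
    pattern does not compile. A zero-width match counts as a match, which is
    exactly why the negative lookahead in option A is useless as a filter."""
    rx = compile_or_none(pattern)
    if rx is None:
        return None
    return [i for i, line in enumerate(lines) if rx.search(line)]


def evaluate(lines=LOG_LINES):
    """Run every answer choice over the log lines."""
    return {opt: matching_lines(p, lines) for opt, p in CANDIDATES.items()}
```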

An employee downloads a freeware program to change the desktop to the classic look of legacy Windows. Shortly after the employee installs the program, a high volume of random DNS queries begin to originate from the system. An investigation on the system reveals the following:

Add-MpPreference -ExclusionPath '%ProgramFiles%\Ksysconfig'

Which of the following is possibly occurring?

A. Persistence

B. Privilege escalation

C. Credential harvesting

D. Defense evasion

D.   Defense evasion

Explanation:

The question describes a scenario where an employee installs a freeware program to change the desktop appearance, after which the system generates a high volume of random DNS queries, and an investigation reveals the command Add-MpPreference -ExclusionPath '%ProgramFiles%\Ksysconfig'. The most likely activity occurring is defense evasion, as the command excludes a directory from Windows Defender scans, likely to prevent detection of malicious activity (e.g., malware installed with the freeware). This aligns with the CS0-003 exam’s Incident Response and Management (Domain 3) and Security Operations (Domain 1) objectives, which emphasize identifying malicious behaviors and indicators of compromise (IOCs).

Why D is Correct:

Defense Evasion Definition: Defense evasion involves techniques to avoid detection by security tools (e.g., antivirus, EDR). Adding an exclusion path to Windows Defender is a clear example, as it prevents the AV from scanning the malicious Ksysconfig folder, allowing malware to operate undetected.

Link to Observed Activity:

The freeware likely installed malware, causing the random DNS queries (e.g., for C2 communication or crypto-mining, per prior healthcare context).

The exclusion command hides the malware from Windows Defender, explaining the high volume of DNS queries going undetected initially.

Healthcare Context: In a healthcare organization (per prior questions), defense evasion could allow malware to persist on systems handling PHI, risking data breaches or ransomware, critical for HIPAA compliance.

CS0-003 Alignment: Domain 3 emphasizes identifying attacker techniques like defense evasion (mapped to MITRE ATT&CK T1562.001), while Domain 1 supports detecting malicious behaviors via network and system monitoring.

Why Other Options Are Less Likely:

A. Persistence
Reason: Persistence involves maintaining access (e.g., creating scheduled tasks, registry keys). While the malware may include persistence mechanisms, the command Add-MpPreference specifically disables AV scanning, not establishes persistence. No evidence (e.g., registry edits) directly supports persistence as the primary activity.

B. Privilege escalation
Reason: Privilege escalation involves gaining higher permissions (e.g., user to admin). The command requires elevated privileges to execute, but its purpose is to evade detection, not escalate privileges. No evidence suggests privilege escalation (e.g., exploiting a kernel vulnerability).

C. Credential harvesting
Reason: Credential harvesting involves stealing credentials (e.g., via keyloggers, phishing). The DNS queries and AV exclusion suggest network activity (e.g., botnet C2) rather than credential theft. No evidence (e.g., keylogger logs) directly supports credential harvesting.

Reference:

CompTIA CySA+ (CS0-003) Exam Objectives, Domains 1 (Security Operations) and 3 (Incident Response and Management), www.comptia.org, covering malicious behavior analysis.
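Detection logic for the behaviour described above, as an added Python example (not the page's own code): it scans constructed PowerShell script-block log text, assumed to come from Microsoft-Windows-PowerShell/Operational event ID 4104, for new Defender exclusions or disabled protection features and maps each hit to the ATT&CK technique the explanation cites. Hostnames, users and commands are samples made up for the example.

```python
import re
from dataclasses import dataclass

# Constructed (host, user, script-block text) records for this example; they
# stand in for the text field of PowerShell event ID 4104 and are not the
# evidence from the question.
SCRIPT_BLOCKS = [
    ("WS-0142", "corp\\jdoe", "Get-MpPreference | Select-Object ExclusionPath"),
    ("WS-0142", "corp\\jdoe",
     "Add-MpPreference -ExclusionPath '%ProgramFiles%\\Ksysconfig'"),
    ("WS-0207", "corp\\svc-backup",
     "add-mppreference -exclusionprocess 'backupagent.exe'"),
    ("WS-0301", "corp\\itadmin",
     "Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("WS-0301", "corp\\itadmin", "Remove-MpPreference -ExclusionPath 'C:\\Temp'"),
]

# Case-insensitive because PowerShell cmdlet and parameter names are.
EXCLUSION_RX = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?P<kind>Path|Process|Extension)"
    r"\s+(?P<value>'[^']*'|\"[^\"]*\"|\S+)",
    re.IGNORECASE,
)
DISABLE_RX = re.compile(
    r"\bSet-MpPreference\b.*?"
    r"-Disable(?P<feature>RealtimeMonitoring|BehaviorMonitoring|IOAVProtection)"
    r"\s+\$true",
    re.IGNORECASE,
)


@dataclass
class Finding:
    host: str
    user: str
    technique: str   # MITRE ATT&CK id, as the explanation maps it
    detail: str


def detect(records=SCRIPT_BLOCKS):
    """Flag script blocks that weaken Defender: a new exclusion or a disabled
    protection feature. Read-only queries and removals of exclusions are not
    flagged, so the analyst's own Get-MpPreference checks stay quiet."""
    findings = []
    for host, user, text in records:
        m = EXCLUSION_RX.search(text)
        if m:
            value = m["value"].strip("'\"")
            findings.append(Finding(host, user, "T1562.001",
                                    f"exclusion {m['kind'].lower()}={value}"))
            continue
        m = DISABLE_RX.search(text)
        if m:
            findings.append(Finding(host, user, "T1562.001",
                                    f"disabled {m['feature']}"))
    return findings
```

Correlating a hit with the host's DNS query volume, as in the question, is what turns a single exclusion event into an incident rather than a change ticket.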
