TestOut - CompTIA CySA+ Practice Questions 3.3.7


A security analyst for a large financial institution notices abnormal OS process behavior, unauthorized changes, and file system changes occurring on one of the company's servers. The analyst believes there may be a security breach. What is the BEST way to confirm the analyst's suspicions of a breach?
A. Check the system logs for unusual activity.
B. Shut down the server immediately to prevent further damage.
C. Conduct a full system backup to ensure that data is not lost.
D. Ask all employees who have access to the server if they made any changes.

A. Check the system logs for unusual activity.

Explanation: System logs record all activity on a server, including processes and file changes, which makes them an excellent resource for detecting security breaches. Conducting a full system backup is a good practice to ensure data is not lost, but it will not help confirm suspicions of a breach. Asking all employees who have access to the server if they made any changes is not a reliable way to determine if there has been a breach. Shutting down the server immediately may prevent further damage, but it will not help confirm suspicions of a breach.

An organization recently suffered a data breach and must focus on validating data integrity and implementing compensating controls. The IT security team will need to analyze network indicators to identify potential threats and improve security measures. Which of the following actions would be MOST appropriate for the security team to take in this situation?
A. Monitor network traffic for unusual patterns.
B. Utilize secure data backup and recovery procedures.
C. Implement a role-based access control system.
D. Conduct a thorough digital forensics investigation.

A. Monitor network traffic for unusual patterns.

Explanation: Analyzing network indicators and monitoring network traffic for unusual patterns can help the security team identify potential threats, validate data integrity, and determine the effectiveness of compensating controls. Although role-based access control systems can help limit unauthorized access to sensitive data, they do not directly address validating data integrity or exploring network indicators. A digital forensics investigation can help determine the cause and extent of the data breach but does not directly address data integrity validation or network indicator analysis as an ongoing security measure. Secure data backup and recovery procedures help to restore lost or damaged data. However, they do not directly address validating data integrity in real time or analyzing network indicators to improve security measures.

A security analyst is going through systems looking for potential misconfigurations. What are some key items the analyst should search for while misconfiguration hunting? (Select three.)
A. Open ports
B. New user creation
C. Money transfer
D. Physical access points
E. Unpatched software
F. Weak passwords
G. Isolated networks

A. Open ports
E. Unpatched software
F. Weak passwords

Explanation: One key item to search for during misconfiguration hunting is weak passwords. An attacker can exploit weak passwords and gain control of a system. Another key item to look for while misconfiguration hunting is open ports. Open ports offer attackers potential exploits leading to system compromise. During misconfiguration hunting, it is crucial to search for unpatched software. Unpatched software is a common avenue of exploitation used by cybercriminals. Isolated networks, such as air-gapped networks or networks with limited connectivity to the internet, are often thought to be more secure. Searching for isolated networks is not a component of misconfiguration hunting. Isolated network hunting involves searching for vulnerabilities in physical access points that could be used to gain access to the isolated network. Business-critical asset hunting focuses on the processes an organization uses to manage its critical assets. These processes can be targeted, such as new user creation, money transfer, access permission approvals, and other similar high-risk functions.

A company experiences a severe security incident where an attacker accesses and steals sensitive information from its servers. The incident response team investigates the issue and performs a root cause and forensic analysis. What will the company gain from conducting the forensic analysis?
A. To identify the initial entry point of the attack
B. To gather evidence
C. To restore services and systems as quickly as possible
D. To identify areas for improvement in the incident response plan

B. To gather evidence

Explanation: The company conducts a forensic analysis to collect and analyze evidence associated with a security incident, such as identifying the attacker and determining compromised data. A root cause analysis will pinpoint areas for improvement in the incident response plan. While identifying the initial entry point is a component of incident response, it is not the primary objective of forensic analysis. Although restoring services and systems is an important part of incident response, it is not the goal of forensic analysis, which focuses on gathering and analyzing evidence to determine the scope and impact of a security incident.

Behavioral threat research combines IoCs to show patterns and techniques used in previous attacks. Which of the following threat indicators is normally associated with a denial-of-service (DoS) attack?
A. Port hopping
B. Rapidly changing domain IP addresses
C. IP addresses from unusual geographic locations
D. High memory usage

C. IP addresses from unusual geographic locations

Explanation: IP addresses from unusual geographic locations are normally an indicator of a denial-of-service (DoS) attack. High memory usage is normally an indicator of a virus attack. Port hopping and rapidly changing domain IP addresses are normally indicators of an advanced persistent threat (APT).

A systems administrator is searching for potential vulnerabilities in the network. Which threat-hunting focus area should the administrator examine, as attackers often exploit it through connected systems or physical access?
A. Misconfigured systems
B. Lateral movements
C. Isolated networks
D. Business-critical assets

C. Isolated networks

Explanation: Isolated networks, such as air-gapped networks or networks with limited connectivity to the internet, are often thought to be more secure. However, attackers can still target these networks by exploiting vulnerabilities in connected systems or through physical access. Misconfigurations in IT systems can create vulnerabilities that attackers can exploit, but not through physical access. Business-critical asset hunting involves searching for vulnerabilities and threats that could impact these assets by searching for unauthorized access attempts, unusual traffic patterns, or suspicious activity that could indicate an attack. The process by which an attacker can move from one part of a computing environment to another is lateral movement. It is not a threat-hunting focus area.

When conducting reputational threat research, you begin by selecting one or more sources for indicators of a reputational threat. Which of the following should you compare these indicators against after collecting them?
A. Unauthorized files
B. Unusual file system changes
C. Unusual entries in log files
D. Unauthorized account usage

C. Unusual entries in log files

Explanation: To perform reputational threat research, select one or more sources for indicators of reputational threats. Then search log files for potential threat indicators. Compare the indicators from log files with data obtained from reputational threat research sources. The following are examples of Indicators of Compromise (IoCs):
- Unusual file system changes
- Unauthorized files
- Unauthorized account usage

A security analyst at an organization receives an alert from their security information and event management (SIEM) system. Upon reviewing the log data, the analyst notices an increase in high-privilege actions within the network. What should the analyst prioritize when investigating this issue to identify the potential underlying cause?
A. Examine recent file changes and modifications.
B. Review application logs for unexpected behavior.
C. Investigate unusual network traffic patterns.
D. Analyze new user accounts.

D. Analyze new user accounts.

Explanation: The analyst should prioritize analyzing newly created user accounts, as the increase in high-privilege actions may be related to the unauthorized introduction of new accounts with elevated permissions. While unusual network traffic patterns could indicate malicious activity, they are not directly related to the increase in high-privilege actions observed in this scenario. Reviewing application logs for unexpected behavior might be useful in detecting other types of incidents but does not directly address the increase in high-privilege actions. Examining recent file changes and modifications may help identify unauthorized access or modifications but does not directly focus on the observed increase in high-privilege actions.

A large grass seed corporation wants to proactively monitor for potential cyber threats to its grass seed total management system containing customer payment information, the company's own bank accounts, and all historical orders. Which type of threat hunting focus area does this most closely represent?
A. Minimize human engagement
B. Honeypot
C. Isolated networks
D. Business-critical assets and processes

D. Business-critical assets and processes

Explanation: The grass seed total management system is a business-critical asset. Business-critical assets and processes are systems, applications, data, and processes essential to an organization's operations and revenue. The system is not a honeypot. A honeypot is a decoy system or network designed to attract and monitor attackers while diverting them from actual systems and data. There is no indication that the system is an isolated network. Isolated networks are physically or logically separated from other networks, such as the Internet, to improve their security posture. The company may not be focusing on a system that reduces human engagement. Reducing the involvement of humans in security-related tasks is often achieved through automation of repetitive tasks.

An organization recently experienced a cyber incident that temporarily halted its operations. The cybersecurity team wants to strengthen its resilience strategies and address potential threats before they cause significant harm. As part of this process, the team must look into the primary factor behind the recent incident. Which of the following techniques would MOST effectively pinpoint the cause and enhance operational preparedness?
A. Conducting penetration tests on critical systems
B. Focusing on real-time network monitoring
C. Analyzing historical logs
D. Implementing a hypothesis-driven investigation

D. Implementing a hypothesis-driven investigation

Explanation: A hypothesis-driven investigation involves proactively searching for potential threats based on specific assumptions. This allows the team to focus on possible causes and identify previously unknown issues, improving the organization's operational preparedness. While historical log analysis can provide valuable insights into past incidents and help identify trends, it may not be sufficient in pinpointing the primary factor behind a new or unknown issue. Real-time network monitoring is useful for detecting ongoing threats and anomalies but may not effectively pinpoint the primary factor behind an incident that has already occurred. Penetration tests can help identify vulnerabilities in critical systems but do not help determine the specific cause of an incident.

