CompTIA CS0-003 - CompTIA CyberSecurity Analyst CySA+ Certification Exam

The Command and Control stage of the Cyber Kill Chain describes the communication between the attacker and the compromised system. The attacker may use this channel to send commands, receive data, or update malware. If the analyst discovers unusual outbound connections to an IP that was previously blocked, it may indicate that the attacker has established a command and control channel and bypassed the security controls. References: Cyber Kill Chain® | Lockheed Martin

Rolling out a CDN is the best control to mitigate the Layer 4 DDoS attacks against the company website. A CDN is a Content Delivery Network, which is a system of distributed servers that deliver web content to users based on their geographic location, the origin of the web page, and the content delivery server. A CDN can help protect against Layer 4 DDoS attacks, which are volumetric attacks that aim to exhaust the network bandwidth or resources of the target website by sending a large amount of traffic, such as SYN floods, UDP floods, or ICMP floods. A CDN can mitigate these attacks by distributing the traffic across multiple servers, caching the web content closer to the users, filtering out malicious or unwanted traffic, and providing scalability and redundancy for the website12. References: How to Stop a DDoS Attack: Mitigation Steps for Each OSI Layer, Application layer DDoS attack | Cloudflare

Regular expressions are powerful tools for searching text based on specific patterns, making them ideal for parsing Linux log files to detect security events with repeatable patterns. In Bash, regular expressions can be used in commands like grep or awk to efficiently filter log data. CompTIA CySA+emphasizes the use of regular expressions in log analysis for pattern matching, a common requirement for identifying suspicious activities in log files. Options B, C, and D are less suited for this specific task due to their limited pattern-matching capabilities or platform constraints.

Testing is a crucial step in any change management process, as it ensures that the change is compatible with the existing systems and does not cause any errors or disruptions. In this case, the change management team failed to test the email client patch on Windows 11 devices, which resulted in a widespread issue for the users. Testing would have revealed the problem before the patch was deployed, and allowed the team to fix it or postpone the change.

A signal-shielded bag and a tamper-evident seal are tools that can be used to maintain the integrity of the mobile phone while it is transported. A signal-shielded bag prevents the phone from receiving orsending any signals that could compromise the data or evidence on the device. A tamper-evident seal ensures that the phone has not been opened or altered during the transportation. References: Mobile device forensics, Section: Acquisition

The correct answer is B. In forensic analysis, the analyst wants to preserve volatile evidence and prevent the user from changing system state. If the computer is powered off, data in memory, running processes, active network connections, and other volatile artifacts may be lost. If the user continues interacting with the computer, they may unintentionally overwrite or alter evidence.

Exact supporting extract: the Sybex CySA+ Study Guide states that forensic evidence acquisition may require “making live memory images to ensure that information is not lost when a system is powered off.” It also explains that order of volatility measures how easy data is to lose and that data in memory or caches is highly volatile.

The Secbay CySA+ guide also states that allowing a computer to enter hibernation or sleep mode can change memory properties and result in loss of forensic evidence. It further explains that failing to follow order of volatility will likely result in evidence being lost.

Why the other options are incorrect:

A is incorrect because the main reason is evidence preservation, not preventing misuse.

C is incorrect because the analyst is not validating tool installation or patch status.

D is incorrect because legal hold is a legal preservation process, not the immediate reason to keep a live system powered on.

The correct answers are A. System criticality and D. Threat intelligence .

A company may reprioritize a vulnerability score when the affected system is more important to the business than the raw CVSS score alone indicates. A vulnerability on a business-critical system may receive higher priority than the same vulnerability on a low-value system. The CySA+ materials state that vulnerabilities may be prioritized based on system criticality , including the critical nature of the data processed and the business processes that use the host.

Threat intelligence can also cause reprioritization. If intelligence shows that a vulnerability is being actively exploited in the wild or targeted by relevant threat actors, the organization should raise its priority even if the base vulnerability score is not the highest. The Secbay CySA+ guide states that organizations should incorporate threat intelligence to understand the current threat landscape and prioritize vulnerabilities actively exploited in the wild.

Why the other options are incorrect:

B. Alert volume is an incident response or monitoring metric, not a direct reason to reprioritize a vulnerability score.

C. Unexpected outage may affect operations, but it is not a standard vulnerability score reprioritization factor.

E. Patch availability affects remediation planning and timing, but the two strongest score-reprioritization factors in this question are asset/system criticality and threat intelligence.

F. Public relations may affect communications strategy after an incident, but it is not a core vulnerability prioritization factor.

SLA stands for service level agreement, which is a contract or document that defines the expectations and obligations between a service provider and a customer regarding the quality, availability, performance, or scope of a service. An SLA may also specify the metrics, penalties, or remedies for measuring or ensuring compliance with the agreed service levels. An SLA can help the SOC manager review if the team is meeting the appropriate contractual obligations for the customer, such as response time, resolution time, reporting frequency, or communication channels.

Mean Time to Detect (MTTD) is the most appropriate Key Performance Indicator (KPI) to monitor the effectiveness of an incident response reporting and communication program among the choices provided.

Why B is correct: The primary goal of an " incident reporting " program (whether automated by tools or reported by users/staff) is to alert the security team to an issue as quickly as possible. MTTD measures the average time it takes for an organization to identify (detect and report) an incident after it has occurred. A lower MTTD directly indicates that the reporting mechanisms and communication channels from the source to the analysts are operating effectively.

Why A is incorrect: Incident volume measures the quantity of incidents, which reflects the threat landscape or workload rather than the effectiveness of the response program itself. While an increase in user-reported volume can indicate better awareness, MTTD is the standard performance metric for the process.

Why C is incorrect: Average time to patch is a KPI for Vulnerability Management, not Incident Response reporting.

Why D is incorrect: Remediated incidents refers to the volume of resolved issues (Response/Recovery phase) and does not specifically measure the speed or quality of the reporting and communication (detection) phase.

In Domain 4 (Reporting and Communication) and Domain 1 (Security Operations), CompTIA emphasizes the use of time-based metrics to evaluate process maturity.

MTTD (Mean Time to Detect): Measures " dwell time " and the efficiency of the Detection & Reporting phase.

MTTR (Mean Time to Respond): Measures the efficiency of the Response & Recovery phase.

​

The output shows that port 80 is open and running an HTTP service, indicating that the host could potentially be vulnerable to web-based attacks. The other options are not relevant for this purpose: the host is responsive to the ICMP request, as shown by the “Host is up” message; the host is not running a mail server, as there is no SMTP or POP3 service detected; the host is not allowing unsecured FTP connections, as there is no FTP service detected.References: According to the CompTIA CySA+ Study Guide: Exam CS0-003, 3rd Edition123, one of the objectives for the exam is to “use appropriate tools and methods to manage, prioritize and respond to attacks and vulnerabilities”. The book also covers the usage and syntax of nmap, a popular network scanning tool, in chapter 5. Specifically, it explains the meaning and function of each option in nmap, such as “-sV” for version detection2, page 195. Therefore, this is a reliable source to verify the answer to the question.