CS0-003 Exam Dumps - CompTIA CySA+ Questions and Answers

To mitigate brute-force attacks, implementing an account lockout policy (C) prevents continuous attempts by locking the account after a set number of failed logins. Blocking inbound connections on TCP port 3389 (RDP) from untrusted IP addresses (F) limits access, reducing the attack surface. According to CompTIA Security+, these controls effectively prevent unauthorized access. While blocking specific IPs (D) or disabling RDP (E) can also help, the lockout and firewall rules provide broader, proactive protection against this attack type.

Beaconing is the best term to describe the activity that is taking place, as it refers to the periodic communication between an infected host and a blocklisted external server. Beaconing is a common technique used by malware to establish a connection with a command-and-control (C2) server, which can provide instructions, updates, or exfiltration capabilities to the malware. Beaconing can vary in frequency, duration, and payload, depending on the type and sophistication of the malware. The other terms are not as accurate as beaconing, as they describe different aspects of malicious activity. Data exfiltration is the unauthorized transfer of data from a compromised system to an external destination, such as a C2 server or a cloud storage service. Data exfiltration can be a goal or a consequence of malware infection, but it does not necessarily involve blocklisted servers or consistent requests. Rogue device is a device that is connected to a network without authorization or proper security controls. Rogue devices can pose a security risk, as they can introduce malware, bypass firewalls, or access sensitive data. However, rogue devices are not necessarily infected with malware or communicating with blocklisted servers. Scanning is the process of probing a network or a system for vulnerabilities, open ports, services, or other information. Scanning can be performed by legitimate administrators or malicious actors, depending on the intent and authorization. Scanning does not imply consistent requests or blocklisted servers, as it can target any network or system.

From the logs, PC3 showsoutlook.exe spawning excel.exe at 1:15 PM, and laterexcel.exe spawning procdump.exe at 1:16 PM. This is highly suspicious becauseoutlook.exe should not normally launch Excel, andprocdump.exe is often used by attackers to dump process memory, which is a common technique in credential theft​.

PC1:Running expected Windows processes (wininit.exe spawning services.exe and lsass.exe).

PC2:Running a browser process (chrome.exe) from explorer.exe, which is normal.

PC3:Highly suspicious behavior (Excel spawning procdump.exe).

PC4:Running mstsc.exe (Remote Desktop) from explorer.exe, which is expected.

PC5:Running Firefox from explorer.exe, which is normal.

Thus,PC3 should be prioritized for investigationdue to its potential involvement in credential theft.

Email header analysis is one of the security operations tasks that are ideal for automation. Email header analysis involves checking the email header for various indicators of phishing or spamming attempts, such as sender address spoofing, mismatched domains, suspicious subject lines, or phishing confidence metrics. Email header analysis can be automated using tools or scripts that can parse and analyze email headers and take appropriate actions based on predefined rules or thresholds

Weaponization is a factor that describes how an adversary develops or acquires an exploit or payload that can take advantage of a vulnerability and deliver a malicious effect. Weaponization can increase the severity or impact of a vulnerability, as it makes it easier or more likely for an attacker to exploit it successfully and cause damage or harm. Weaponization can also indicate the level of sophistication or motivation of an attacker, as well as the availability or popularity of an exploit or payload in the cyber threat landscape. In this case, an older CVE with a vulnerability score of 7.1 was elevated to a score of 9.8 due to a widely available exploit being used to deliver ransomware. This indicates that weaponization was the reason for this escalation. 

An on-path attack is a type of man-in-the-middle attack where an attacker intercepts and modifies network traffic between two parties. In this case, someone with internal access may be performing an on-path attack by forcing users into port 80, which is used for HTTP communication, instead of port 443, which is used for HTTPS communication. This would allow the attacker to compromise the user accounts and access the company’s internal portal.

Comprehensive and Detailed Explanation From Exact Extract:

The metric that measures how quickly something is detected/identified is Mean Time to Detect (MTTD). Although MTTD is often used in incident detection, it directly matches the wording “how quickly … are identified” because it measures the time between occurrence and detection.

Secbay Press defines MTTD explicitly as the time to detect an issue:

Exact extract (Secbay Press):

“Mean Time to Detect (MTTD) is… the average time taken to identify and detect a security incident… Mean time to detect is how long it took… to when it was detected.”

Why the other options are not best:

KPI is a category/type of measure (a key metric), not the specific metric itself. Secbay distinguishes metrics vs KPIs and lists MTTD as a KPI example.

SLO is a service objective/target, not a measurement of detection speed by itself.

Alert volume measures quantity of alerts, not detection time.

Exact extract (Secbay Press):

“KPI: Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR).”

A new program has been set to execute on system start is the most likely cause of the suspicious activity that is occurring, as it indicates that the malware has modified the registry keys of the system to ensure its persistence. File Integrity Monitoring (FIM) is a tool that monitors changes to files and registry keys on a system and alerts the security analyst of any unauthorized or malicious modifications. The alert triggered by FIM shows that the malware has created a new registry key under the Run subkey, which is used to launch programs automatically when the system starts. The new registry key points to a file named “update.exe” in the Temp folder, which is likely a malicious executable disguised as a legitimate update file. Official References:

https://www.comptia.org/blog/the-new-comptia-cybersecurity-analyst-your-questions-answered

https://partners.comptia.org/docs/default-source/resources/comptia-cysa-cs0-002-exam-objectives

https://www.comptia.org/training/books/cysa-cs0-002-study-guide

Audit settings provide visibility into user actions and system events. These are classified asdetective controlsbecause they enable the detection of anomalies, policy violations, or unauthorized access by generating logs or alerts. They do not prevent actions (Preventive) or reverse harm (Corrective), nor do they provide policy guidance (Directive).

????Reference: CompTIA CySA+ All-in-One by Mya Heath, Chapter 13, “Vulnerability Handling and Response” – Control Types and Functions​.

????Objective: 2.5 - Explain the importance of prioritization, remediation, and mitigation of vulnerabilities​.

Comprehensive and Detailed Explanation From Exact Extract:

Data breach notification laws for personally identifiable information (PII) generally require organizations to provide timely notification to (1) regulatory authorities (regulators/data protection authorities) and (2) affected individuals (customers/data subjects), within legally mandated timeframes.

The Secbay Press CySA+ CS0-003 guide explicitly describes this requirement in multiple places:

Regulatory reporting + notifying affected individuals:Exact extract (Secbay Press): “Reporting the incident to regulatory authorities and notifying affected individuals in accordance with… privacy laws…”

Timeliness is required by law:Exact extract (Secbay Press): “Timeliness of Reporting: Adhering to stipulated timeframes for reporting incidents…”

Customers/affected individuals must be notified within the legally mandated timeframe:Exact extract (Secbay Press): “Sending notifications to customers within the legally mandated timeframe after confirming a data breach.”

These extracts directly support Option D: Regulators and affected customers.

Why the other options are incorrect

A (Service providers and business associates): Those relationships may have contractual notification requirements, but breach notification laws for PII focus on regulators and affected individuals.

B (Law enforcement and the media): These may be involved depending on incident type/requirements, but they are not universally required recipients under PII breach notification laws.

C (CERTs and industry associations): These are optional coordination entities, not mandated recipients for PII breach notification laws.

References (CompTIA CySA+ CS0-003 documents / study guides used):

Secbay Press, CompTIA CySA+ Exam Prep Guide (CS0-003): notify regulatory authorities and affected individuals; timeliness requirements; legally mandated timeframe for customer notifications