Medium CS0-003 practice questions
Applied — put a concept to work in a realistic situation. 133 medium questions available — no sign-up, always free.
A CySA+ analyst is preparing to launch the organization's quarterly vulnerability scan. The current asset inventory lists 480 hosts, but the analyst notices that a recent network topology change added a new subnet for a business unit that provisioned its own cloud-connected devices without notifying IT. The security manager wants to ensure the scan does not miss any live systems on the network. Which action should the analyst take FIRST to address this gap?
A CySA+ analyst is asked to build a repeatable methodology for classifying observed adversary behaviors during an active intrusion. The goal is to map each discrete action an attacker takes on a compromised host—such as dumping credentials, creating scheduled tasks, and disabling logging—to a standardized catalog of techniques and sub-techniques, so detection engineers can later measure coverage gaps. Which attack methodology framework is the MOST appropriate choice for this specific purpose?
A SOC analyst reviewing firewall logs notices that an internal workstation initiates outbound HTTPS connections to the same external IP address every 300 seconds, with each connection transferring a nearly identical small payload of approximately 512 bytes. The destination domain was registered three days ago and has no reputation data. Which conclusion is BEST supported by these indicators?
A SOC analyst is correlating events from a web server, a firewall, and a domain controller during an incident investigation. The analyst notices that the sequence of logged events across the three systems does not match the actual order in which the activity occurred, making it impossible to build an accurate timeline. All logs are being forwarded to the same SIEM. Which underlying issue is MOST likely responsible for this problem?
A vulnerability scan identifies a critical remote code execution flaw on a legacy manufacturing control server. The vendor no longer supports the operating system, and no patch is available. The server must remain online because it controls an active production line, and it cannot be replaced for at least 18 months due to budget and procurement constraints. Which recommendation BEST reduces the risk while keeping the system operational?
A security analyst is tasked with performing a vulnerability scan of a fleet of internal Windows servers to build an accurate patch remediation plan. Previous uncredentialed scans produced many results based only on banner grabbing and left large gaps in missing-patch detection. The server team has approved providing a dedicated service account for scanning. Which scanning approach will provide the most accurate and complete assessment of missing patches and configuration weaknesses?
A vulnerability analyst is reviewing a scanner report that lists a vulnerability with the CVSS v3.1 vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Management asks the analyst to explain what characteristic of this vulnerability most significantly increases the urgency of remediation. Which statement is the analyst's BEST response?
A CySA+ analyst is reviewing a vulnerability assessment report and notices that one finding has a CVSS v3.1 vector string ending in the metric 'S:C'. The vendor advisory describes a flaw in a hypervisor component that allows a compromised guest virtual machine to affect the underlying host and other guests. When explaining the risk to management, which statement about the Scope (S) metric being set to 'Changed' is most accurate?
A vulnerability analyst is reviewing scan results for two servers. Both are affected by a vulnerability with a CVSS v3.1 base score of 9.8 (Critical). Server A is an internet-facing web server hosting the customer payment portal, and a public proof-of-concept exploit is confirmed to be circulating in the wild. Server B is an internal test server with no sensitive data, isolated on a segmented lab VLAN with no external access, and no known exploit exists for its specific configuration. Management wants the analyst to prioritize remediation using more than the base score alone. Which approach BEST reflects proper risk-based prioritization?
A threat intelligence analyst is reviewing an incident report. According to the report, an adversary obtained a zero-day vulnerability, then paired an exploit for that vulnerability with a malicious PDF payload to create a deliverable file. This file had not yet been sent to any target at the time the activity was observed. Using the Lockheed Martin Cyber Kill Chain, which stage does this coupling of exploit and payload BEST represent?
During the analysis phase of an incident, a SOC analyst confirms a workstation is infected with credential-harvesting malware. Before recommending containment actions, the incident lead insists the team first determine which other systems the compromised account accessed, what data was reachable, and whether the malware spread laterally. Which incident response activity is the lead prioritizing?
A threat analyst is documenting an intrusion using the Diamond Model of Intrusion Analysis. Investigation reveals that the attacker used a spear-phishing email to compromise an accounts-payable employee's workstation, then leveraged that access to reach the finance department's payment system. The analyst wants to properly populate the model's four core vertices. Which piece of evidence should be recorded under the 'Victim' vertex?
A SOC analyst reviewing DNS query logs from an internal workstation notices hundreds of outbound lookups per hour to domains such as 'kjf83hdsl2.info', 'zx9qmvbn4.info', and 'p1x8wqz7t.info'. Most of these queries return NXDOMAIN responses, but a small number resolve successfully to a hosting provider in another country. Which conclusion is best supported by these indicators?
A SOC analyst using an EDR platform observes that a finance workstation is executing an unsigned binary that is spawning encoded PowerShell commands and initiating outbound connections to multiple external IPs. The analyst needs to stop the potential spread while preserving the ability to investigate the host and collect volatile data. Which EDR capability should the analyst invoke FIRST?
A CySA+ analyst is reviewing EDR telemetry on a Windows workstation after an alert fired. The process tree shows that WINWORD.EXE (Microsoft Word) spawned cmd.exe, which then launched powershell.exe with an encoded command that reached out to an external IP. No legitimate business macro is deployed in the environment. Which host indicator is the strongest evidence of malicious activity in this telemetry?
A finance clerk received an email appearing to come from the CEO requesting an urgent wire transfer to a new vendor. The clerk forwards it to the SOC. Reviewing the mail gateway logs, an analyst notes the message passed SPF, DKIM, and DMARC checks and originated from a legitimately registered external domain, 'compañy-corp.com', while the organization's real domain is 'company-corp.com'. There were no malicious attachments or links. Which indicator best characterizes this activity?
During a ransomware incident, the IR team has isolated three infected workstations and confirmed the malware achieved kernel-level persistence and dropped multiple unknown binaries. Anti-malware scans now report the machines as 'clean.' Business leadership is pressing to return the machines to production quickly. As the analyst leading the eradication phase, what is the MOST appropriate course of action?
A vulnerability scanner reports that a critical Apache Struts remote code execution flaw (CVE-2017-5638) is present on a production web server. Before the analyst escalates the finding to the patching team, the server owner insists the application was migrated to a Java Spring framework months ago and no longer uses Struts. Which action should the analyst take FIRST to determine whether this is a false positive?
A SOC analyst is reviewing perimeter firewall logs and notices that a single external source IP generated hundreds of connection attempts to sequential destination ports (22, 23, 25, 80, 443, 3389, ...) on one internal host within a 15-second window. Nearly all attempts were denied by the firewall, and only a handful of ports returned SYN-ACK responses. Which activity does this pattern MOST likely indicate?
A DevOps team deploys cloud infrastructure using Terraform templates through a CI/CD pipeline. The security team discovers that several production S3 buckets were provisioned with public read access and unencrypted storage, and that these same misconfigurations keep reappearing after being manually fixed. Which approach would MOST effectively prevent these vulnerabilities from reaching production in the future?
A security team has finished eradicating a ransomware infection across the affected file servers. Systems have been rebuilt from known-good images, patched, and reconnected to the production network. The incident commander now wants to formally complete the recovery phase before transitioning to lessons learned. Which action is MOST important to perform during this recovery phase?
A retail company confirms a breach in which an attacker accessed a database containing customer names, email addresses, and hashed loyalty-program passwords, but no payment card data or government identifiers. The incident commander is drafting external communications and must decide who needs to be notified first from a stakeholder perspective. Which factor should MOST directly determine which external parties must be formally notified?
A mid-sized manufacturer suffers a confirmed ransomware incident affecting several production servers. The incident response manager is coordinating notifications. The company holds a cyber insurance policy that requires prompt reporting of covered events and pre-approval before engaging outside vendors or making ransom-related decisions. Which action should the IR manager prioritize to protect the organization's ability to recover costs under the policy?
A Tier 1 analyst at a hospital detects ransomware activity encrypting files on a shared clinical file server. The organization's incident response plan defines that any incident affecting patient care systems or involving data-encrypting malware must be immediately escalated beyond the SOC. According to sound escalation practice, what should the analyst do FIRST after initial validation?
A security analyst has completed the investigation of a ransomware incident that affected a manufacturing plant. The CISO asks the analyst to write the executive summary section of the formal incident report for the board of directors and C-suite. Which content is MOST appropriate to include in this executive summary?