CS0-003 Exam Dumps - CompTIA CyberSecurity Analyst CySA+ Certification Exam

The given firewall logs indicatehigh outbound traffic with low IP reputation, sustained over time, which is a strongindicator of cryptomining activity​.

Option A (Anomalous activity)is a general term but does not specifywhythe activity is suspicious.

Option B (Bandwidth saturation)occurs when network traffic is overwhelming, but cryptomining typicallyuses CPU/GPU powerrather than overwhelming bandwidth.

Option D (Denial of service - DoS)would result incontinuous large requests, but cryptomining generatesconsistent, high-bandwidth outbound trafficrather than bursts of large requests.

Thus,C is the correct answer, as cryptomininggenerates unusual outbound network activity from internal hosts to mining pools​.

A risk register typically contains details like ID, name, description, classification of information, and responsible party. It’s used for tracking identified risks and managing them.Recording details like ID, Name, Description, Classification of information, and Responsible party is typically done in a Risk Register. This document is used to identify, assess, manage, and monitor risks within an organization. It's not directly related to incident response or change control documentation.

A social engineering attack is underway is the most likely explanation for the outbound traffic to a host IP that resolves to https://offce365password.acme.co, while the site’s standard VPN logon page is www.acme.com/logon. A social engineering attack is a technique that exploits human psychology and behavior to manipulate people into performing actions or divulging information that benefit the attackers. A common type of social engineering attack is phishing, which involves sending fraudulent emails or other messages that appear to come from a legitimate source, such as a company or a colleague, and lure the recipients into clicking on malicious links or attachments, or entering their credentials or other sensitive information on fake websites. In this case, the attackers may have registered a domain name that looks similar to the company’s domain name, but with a typo (offce365 instead of office365), and set up a fake website that mimics the company’s VPN logon page. The attackers may have also sent phishing emails to the company’s employees, asking them to reset their passwords or log in to their VPN accounts using the malicious link. The security analyst should investigate the source and content of the phishing emails, and alert the employees not to click on any suspicious links or enter their credentials on any untrusted websites. Official References:

https://partners.comptia.org/docs/default-source/resources/comptia-cysa-cs0-002-exam-objectives

https://www.comptia.org/certifications/cybersecurity-analyst

https://www.comptia.org/blog/the-new-comptia-cybersecurity-analyst-your-questions-answered

Comprehensive and Detailed Explanation:

To improve the detection of known attacks and behavioralIndicators of Compromise (IoCs), the best approach is tointegrate with an open-source threat intelligence feed. Threat intelligence feeds provide up-to-date information on known malicious IPs, domains, file hashes, and behavioral patterns that attackers use​.

Option A (randomly generating and storing hash values)is impractical, as there are an infinite number of possible files.

Option B (alerting on any system change)would lead to excessive noise and false positives, making the system difficult to manage.

Option D (manually adding signatures)is useful but is not scalable or as timely as an external intelligence feed​.

Thus, the correct answer isC, as integrating an open-source threat intelligence feed enhances the SIEM’s ability to detect and respond to real-world threats​.

To mitigate brute-force attacks, implementing an account lockout policy (C) prevents continuous attempts by locking the account after a set number of failed logins. Blocking inbound connections on TCP port 3389 (RDP) from untrusted IP addresses (F) limits access, reducing the attack surface. According to CompTIA Security+, these controls effectively prevent unauthorized access. While blocking specific IPs (D) or disabling RDP (E) can also help, the lockout and firewall rules provide broader, proactive protection against this attack type.

When a patch cannot be deployed due to conflicting routine system upgrades, updating the risk register and requesting a change to the Service Level Agreement (SLA) is a practical approach. It allows for re-evaluation of the risk and adjustment of the SLA to reflect the current situation.

Fuzzing is a process used to test applications by inputting unexpected or random data to see how the application behaves. This method is particularly effective in identifying vulnerabilities such as buffer overflows, input validation errors, and other anomalies that could cause the application to crash or behave unexpectedly. By using fuzzing, the security team can ensure the new application is robust and capable of handling unexpected strings with anomalous formats without crashing.