CompTIA CySA+ (CS0-003) - Domain 3 - Incident Response and Management

Ref:📕CompTIA CySA+ Study Guide: Exam CS0-003 (Sybex Study Guide) 3rd Edition

CySA+ (CS0-003) – Domain 3 – Incident Response and Management

1 / 68

What is involved in the preparation phase of setting up a CSIRT?

A. Creating a policy document and assigning staff

B. Training, testing, documentation of procedures, assembling the necessary tools, and building strong cybersecurity defenses

C. Building the Foundation for Incident Response and Creating an Incident Response Team

D. All of the above

2 / 68

Why do incident response processes have loops that allow responders to return to prior phases during response to a cybersecurity incident?

A. To allow responders to take breaks during an intensive response

B. To reanalyze and verify if an incident has been successfully resolved

C. To enable responders to perform other security tasks that don’t involve the current incident

D. To keep track of the duration and cost of the response effort

3 / 68

What is the focus of defense against the Exploitation stage in Lockheed Martin’s Cyber Kill Chain?

A. Gathering data about reconnaissance activities and prioritizing defenses based on that information

B. Conducting full malware analysis, building detections for weaponizers, and collecting files and metadata

C. Observing how the attack was delivered and what was targeted then inferring what the adversary was intending to accomplish

D. User awareness, secure coding, vulnerability scanning, penetration testing, endpoint hardening, and similar activities

4 / 68

What should a CSIRT team do if they believe the evidence they’ve gathered may be used in court?

A. Discard the evidence immediately after reviewing

B. Consult attorneys before discarding any evidence

C. Store the evidence for two years only

D. Send the evidence to U.S. federal government agencies

5 / 68

How can increases in resource usage indicate potential compromise?

A. Attackers may consume CPU or memory due to their use of tools or utilities

B. Network usage may increase as data is transferred

C. Unusual spikes in database read volume may indicate data gathering

D. All of the above

6 / 68

What criteria does NIST recommend to develop an appropriate containment strategy during an incident response?

A. Only the potential damage to and theft of resources

B. Just the need for evidence preservation

C. The time and resources needed to implement the strategy

D. Potential damage to and theft of resources, need for evidence preservation, service availability, time and resources needed to implement the strategy, effectiveness of the strategy, duration of the solution

7 / 68

What are commonly used intrusion detection systems for monitoring file system modifications?

A. Kaspersky and Norton

B. OSSEC and Tripwire

C. McAfee and Avast

D. BitDefender and Panda

8 / 68

What key elements should an incident response policy contain according to NIST recommendations?

A. Rating scheme for incidents, definition of cybersecurity incidents, performance measures for the CSIRT

B. Description of specific technologies, response procedures, and evidence-gathering techniques

C. Description of the CSIRT payroll structures, individual performance reviews, and disciplinary actions

D. List of clients and vendors, information about the organization’s CEO, transition procedures for policy change

9 / 68

What is the Unified Kill Chain?

A. It is a combination of several cyber security models including Lockheed Martin’s Cyber Kill Chain and MITRE’s ATT&CK framework

B. It is the same as MITRE’s ATT&CK framework

C. It is the official cyber attack model used by CompTIA CySA+

D. It is a cyber attack model designed by Lockheed Martin

10 / 68

What do Indicators of Compromise (IoCs) consist of?

A. Information about activity, events, and behaviors related to potentially malicious behavior

B. Data about actual attacks or compromises

C. Detailed information about threat actors and their goals

D. List of potential vulnerabilities in a system

11 / 68

Which of the following is NOT one of the common examples of behavior-based Indicators of Compromise (IoC)?

A. Unusual privileged account behaviors

B. Addition of users to groups with lesser rights

C. Bot-like behaviors

D. Understanding of user and account behavior-based identification

12 / 68

What is the purpose of isolating attackers in a sandbox environment?

A. To provide attackers with valuable information

B. To distract the attackers with useless information

C. To allow continued observation in a safe, contained environment

D. To stop the attackers’ activities immediately

13 / 68

What is a common technique used by attackers to conceal their activities and evade detection?

A. Use encrypted protocols like TLS to protect web traffic

B. Send the traffic through popular sites

C. Cause a DDOS attack to distract security

D. Create spoofed traffic to confuse security system

14 / 68

What is the objective of isolating affected systems in a network?

A. To restrict access to the affected systems.

B. To allow the attacker to access other systems in the network.

C. To continue to allow the attacker to access the isolated systems but restrict their ability to access other systems.

D. To enable communication between the affected systems and all systems in the network.

15 / 68

What criticism has Lockheed Martin’s Cyber Kill Chain model received?

A. It only focuses on external threats

B. It mainly focuses on perimeter and antimalware-based defensive techniques and lacks focus on insider threats

C. It includes actions that occur outside of the defended network

D. All of the above

16 / 68

What should not be included in the incident response policy?

A. Definition of cybersecurity incidents and related terms

B. Procedure documents specifying response procedures and evidence-gathering techniques

C. Organizational structure including roles, responsibilities, and level of authority

D. Performance measures for CSIRT

17 / 68

What is the primary responsibility of IT managers and senior leadership in incident response efforts?

A. To shutdown critical servers during an incident

B. To provide the authority, resources, and time required to respond appropriately to a security incident

C. To communicate with law enforcement or the general public during an incident

D. To assess the impact of an incident on key stakeholders

18 / 68

What is the main objective of post-incident activity in cybersecurity?

A. To improve the company’s public image

B. To determine what actually occurred during an incident

C. To punish the perpetrator

D. To develop new software

19 / 68

What are some considerations when deciding to retain an incident response provider?

A. The types of incidents that can be handled internally

B. The provider’s guaranteed response time

C. The organization’s plan to respond to an incident before the provider gets involved

D. All of the above

20 / 68

Which of the following is NOT typically within the scope of the CSIRT as defined by the organization’s incident response policy?

A. What triggers the activation of the CSIRT

B. Whether the CSIRT is responsible for certain business units

C. If the CSIRT is authorized to communicate with law enforcement

D. The procedures for annual company-wide training

21 / 68

What are the two testing resources that you must know for the CySA+ exam?

A. NIST 800-30 and ISO 27001

B. OSSTMM and OWASP Web Security Testing Guide

C. ISO 27002 and COBIT 5

D. ISO 31000 and COSO

22 / 68

What is the primary purpose of network segmentation in cybersecurity?

A. To create separate networks for different types of users

B. To allow compromised systems to continue operating while under observation

C. To prevent the spread of security incidents by isolating potential threats

D. To create a separate network for the transfer of sensitive information

23 / 68

According to the NIST Computer Security Incident Handling Guide, what does it suggest about identifying an attacking host?

A. It is a top priority during a cybersecurity incident.

B. It is a time-consuming and futile process that may prevent a team from minimizing the business impact.

C. It is easily achievable with the right tools and resources.

D. It should be avoided at all costs.

24 / 68

What technique does NIST’s hypothetical attacker use to identify when their compromised system has been removed from the network?

A. The attacker monitors HTTP requests sent to an external server.

B. The attacker monitors incoming traffic from the network administrator.

C. The attacker sets up a periodic ping request to an external host and monitors the results.

D. The attacker sets up a botnet to overload the network with traffic.

25 / 68

What are the four activities that should always be included in the incident recovery validation effort?

A. Verify user accounts, proper restoration of permissions, system and data integrity, and logging capabilities.

B. Conduct vulnerability scans, data backup, checking antivirus updates, and verifying user accounts.

C. Verifying user accounts, system and data integrity, network monitoring, and incident reporting.

D. Data encryption, system and data integrity, proper restoration of permissions, and verifying user accounts.

26 / 68

What is the purpose of validating data integrity during preservation activities?

A. To ensure that the data captured and retained matches the original data

B. To make sure data investigators draw correct conclusions

C. To calculate a hash based on the original file, volume, or drive

D. All of the above

27 / 68

What is the primary purpose of the eradication phase while responding to a cybersecurity incident?

A. Identifying the attacker

B. Removing any remaining artifacts of the incident from the network

C. Rebuilding the organization’s network

D. Updating malware signatures

28 / 68

What activities are undertaken during the post-incident activity phase of incident response?

A. Relaxing and taking a break

B. Undertaking forensic procedures, performing a root cause analysis, conduct a lessons learned review, and ensuring that internal and external evidence retention requirements are met

C. Immediately starting the next task

D. Focusing only on fixing the damage caused

29 / 68

What is an important aspect while gathering and handling evidence during the incident response containment phase?

A. Only limiting damage to the organization

B. Keeping a detailed evidence log

C. Speeding up the containment process

D. Focusing solely on internal purposes

30 / 68

Why is it important for a cybersecurity analyst to perform root cause analysis in the aftermath of a security incident?

A. It helps in securing total recovery.

B. It helps to design more stringent security controls.

C. It allows for an understanding of how the breach occurred to prevent future similar incidents.

D. It serves to assign blame and take necessary disciplinary action.

31 / 68

What are the two primary isolation techniques used during a cybersecurity incident response effort?

A. Isolating affected systems and isolating the firewall

B. Isolating affected systems and isolating the attacker

C. Isolating the attacker and isolating the network

D. Isolating the data and isolating the attacker

32 / 68

What is the functional impact of a security incident?

A. The degree of impairment that it causes to the organization

B. The economic impact of a security incident on the organization

C. The number of security incidents investigated by CSIRT members

D. The financial thresholds included in the economic impact categories

33 / 68

What is the first step in the Containment, Eradication, and Recovery phase of incident response?

A. Detection and Analysis

B. Eradication

C. Recovery

D. Containment

34 / 68

Which of the following best describes the importance of combining IoCs in identifying a compromise?

A. To detect single IoCs that occur in isolation

B. To update existing IoCs feed

C. To ensure that multiple IoCs add up to a likely compromise

D. To avoid the usage of log and log analysis tools

35 / 68

How should a CSIRT classify each incident that occurs?

A. A CSIRT should classify an incident by the type of threat only

B. A CSIRT should classify an incident according to a standardized incident severity rating system only

C. A CSIRT should classify an incident by both the type of threat and the severity according to an original incident severity rating system

D. A CSIRT should classify an incident by both the type of threat and the severity according to a standardized incident severity rating system

36 / 68

Why should responders refer back to the change control and configuration management processes after an incident?

A. To understand the cause of the incident.

B. To document any emergency changes made during the incident response.

C. To bypass the organization’s processes in future emergency situations.

D. To prove compliance with legal and regulatory requirements.

37 / 68

What specific role does an independent facilitator serve during a Lessons Learned Review?

A. They handle management of the incident response.

B. They guide the discussion without advancing a hidden agenda.

C. They document the procedures that were followed.

D. They take actions that inhibited the recovery.

38 / 68

What can make distributed DoS attacks difficult to identify and stop?

A. They come from a single system

B. They often originate from systems inside your network

C. They can come from many machines

D. They typically exploit service vulnerabilities

39 / 68

What is the purpose of playbooks developed by CSIRT teams?

A. To serve as an operational plan in response to a specific type of cybersecurity incident

B. To log and track all cybersecurity incidents within an organization

C. To protect the personal financial information of customers

D. To provide a list of incidents that the team is not supposed to deal with

40 / 68

In the incident recovery effort, what is the recommended approach for patching systems and applications?

A. Patch all systems simultaneously

B. Patch the systems that were not involved first

C. Patch systems in a phased approach starting with those directly involved in the compromise

D. Prioritize patching new systems and applications

41 / 68

Which of the following accurately describes the process that should be followed regarding evidence after an incident is concluded?

A. All evidence should be immediately destroyed to prevent further cyber incidents

B. Evidence should be placed in a secure repository, with the decision to retain or destroy it depending on factors such as potential for criminal action and impact on the organization

C. Evidence should be handed over to law enforcement regardless of the organization’s policy

D. The evidence should be exposed to the public to increase awareness of cyber incidents

42 / 68

Which roles are typically represented on a Cybersecurity Incident Response Team (CSIRT)?

A. Database administrators only

B. Cybersecurity professionals, legal counsel, and public relations staff

C. Human resources and system engineers only

D. Desktop experts only

43 / 68

What are the three options for the secure disposition of media containing sensitive information according to NIST?

A. Analyze, Erase, Stub

B. Clean, Shred, Burn

C. Clear, Purge, Destroy

D. Wipe, Overwrite, Expunge

44 / 68

What are the post-incident activities a CSIRT team should perform after immediate, urgent actions of containment, eradication, and recovery are complete?

A. Resting for an extended period

B. Implementing immediate new protocols

C. Managing change control processes, conducting a lessons learned session, and creating a formal written incident report

D. Conducting daily briefings about the incident

45 / 68

What is the purpose of Chain of Custody in incident response activities?

A. Track the use of threat intelligence tools during incident response

B. Document the usage of virtual machines during incident response

C. Monitor the network traffic during the incident

D. Document and track evidence through its life cycle

46 / 68

What are some key functions and objectives of a lessons learned session following a cybersecurity incident?

A. To criticize and blame individuals responsible for the security breach

B. To uncover critical information about the response and highlight potential deficiencies in the incident response plan

C. To exclusively focus on indicators of compromise (IOCs)

D. To ignore the proposed changes to the incident response plan

47 / 68

What is the strongest containment technique in the cybersecurity analyst’s incident response toolkit?

A. Segmentation

B. Isolation

C. Encryption

D. Removal

48 / 68

According to the National Institute for Standards and Technology (NIST), which of the following is NOT classified as a security incident?

A. A user accessing a file stored on a server

B. A keylogger on an executive’s system to steal passwords

C. Accidental loss of sensitive information

D. A denial-of-service attack against a website

49 / 68

Which of the following attack vectors is associated with using brute-force methods to compromise, degrade, or destroy systems, networks, or services as described by NIST?

A. Web

B. Email

C. Attrition

D. External/Removable Media

50 / 68

According to the NIST, what four data impact categories should cybersecurity analysts consider?

A. Privacy breach, proprietary breach, confidentiality breach, regulated information breach

B. Privacy breach, proprietary breach, integrity loss, none

C. Intellectual property breach, regulated information breach, confidentiality breach, none

D. Integrity loss, privacy breach, intellectual property breach, regulated information breach

51 / 68

Why are attack frameworks useful according to the CompTIA CySA+ study guide?

A. They provide a structured way to understand, categorize and respond to attacks

B. They provide a way to create completely original attack models

C. They are required by all cybersecurity organizations

D. They are helpful for communicating with attackers

52 / 68

What should be given focus when documenting the incident response plan?

A. Improvisation during the incident occurrence

B. Creating tools that can be quickly interpreted during crisis

C. Avoiding the use of guidebooks to allow for innovative solutions

D. Making the document long and comprehensive

53 / 68

What is the function of a Chain-of-Custody in evidence acquisition and preservation during incident response activities?

A. It results in higher costs and administrative overhead for the organization

B. It is used to track evidence through its life cycle, including collection, preservation, and analysis

C. It is a tool used to perform data integrity validation

D. It is part of the eDiscovery process where legal counsel issues a hold notice

54 / 68

Which of the following is a typical indicator of compromise (IoC) that involves networking?

A. Unusual network traffic

B. Abnormal system processor usage

C. Data leakage to a social media platform

D. Unusually high data storage

55 / 68

Which of the following measures are used to determine the severity of a security incident?

A. The amount of users affected

B. The degree of impairment and the types of data affected.

C. The economic impact only

D. The functional and economic impact only

56 / 68

What is the importance of testing the Incident Response Plan (IRP)?

A. To reassure the organization that the plan will function properly in an actual incident

B. To save up on firm’s cybersecurity budget

C. To avoid routine monitoring of security events

D. To prove the IRP’s irrelevance in real world scenarios

57 / 68

The Diamond Model of Intrusion Analysis includes several specific terms. Which one of the following is not a term used in this analysis model?

A. Core Features

B. Meta-Features

C. Confidence Value

D. Threat Matrix

58 / 68

Which of the following correctly describes the term ’Scope of Impact’ in relation to incident response?

A. It is the amount of data lost as a result of the incident

B. It is the degree of impairment that a security incident causes the organization and the effort required to recover

C. It is a policy outlining how to communicate incident details to stakeholders

D. It is the potential revenue lost due to the incident

59 / 68

What are the three key measures used in the incident severity assessment according to the NIST guidelines?

A. Scope of Impact, Functional Impact, and Recoverability Effort

B. Functional Impact, Economic Impact, and Recoverability Effort

C. Scope of Impact, Economic Impact, and Time of Service Unavailability

D. Functional Impact, Economic Impact, and Time of Service Unavailability

60 / 68

What are the objectives of the containment, eradication, and recovery phase in incident response?

A. Select an arbitrary containment strategy and implement it

B. Select a containment strategy appropriate to the incident circumstances and implement it to limit the damage cause by the incident

C. Identify the attackers and attacking systems and eradicate their access without any further investigations

D. Recover normal operations without taking steps to limit the damage of the incident

61 / 68

Why is it not sufficient to merely correct the identified security issue in a compromised system?

A. The potential vulnerability may be reintroduced in the system.

B. The corrective actions can degrade the system performance.

C. The rest of the system will continue to function normally.

D. The attacker might not be able to compromise the system again.

62 / 68

What is one purpose of maintaining a chain-of-custody of evidence during incident response activities?

A. To ensure that data is properly encrypted

B. To track evidence through its lifecycle including collection, preservation, and analysis

C. To avoid unnecessary data duplication

D. To accelerate the data acquisition process

63 / 68

What is ’impossible travel’ IoC?

A. When an employee is using VPN resulting in a false location

B. When a single user logs in from multiple different geographic locations within a short period

C. An irregular schedule of user logins and rights usage

D. When an employee logs in from a location hundreds of miles away minutes or just a couple of hours after logging in from their normal location

64 / 68

Which of the following is NOT a recommended action for improving the effectiveness of incident analysis according to NIST 800-61?

A. Profile networks and systems to measure the characteristics of expected activity

B. Create a logging policy that specifies the information that must be logged by systems, applications, and network devices

C. Synchronize clocks across servers, workstations, and network devices

D. Rely solely on automated tools and systems without seeking assistance from external resources

65 / 68

What are some of the important elements that should be covered in a post-incident report written by the CSIRT?

A. Chronology of events and root cause of the incident

B. Location of witnesses during the incident

C. Specific jokes made during the incident

D. Favorite foods of the incident responders

66 / 68

What is a characteristic of unusual DNS traffic that an organization may monitor?

A. Reduced number of DNS queries

B. Queries to normal, familiar domain names

C. Unusually low number of DNS query failures

D. Abnormal levels of DNS queries, particularly to unusual domain names

67 / 68

What are the stages included in ATT&CK matrices to represent the complete threat lifecycle?

A. Access, Execution, Persistence, Escalation, and Exfiltration

B. Detection, Mitigation, Reporting, Review, and Upgrade

C. Installation, Compilation, Testing, Deployment, and Monitoring

D. Identification, Validation, Sanitization, Protection, and Verification

68 / 68

What is the purpose of a ’Legal Hold’?

A. To preserve data and produce it as part of a legal process when a legal counsel issues a legal hold notice

B. To track evidence through its life cycle, including the collection, preservation, and analysis of the evidence.

C. To ensure that captured and retained data matches the original data.

D. To prevent law enforcement involvement in evidence acquisition.

Your score is

Dowload the FREE OFFLINE Version of this Test Bank

Get ready to improve your skills offline now! Click the download button.

Strengthen Your Incident Response Skills with Our Free CompTIA CySA+ (CS0-003) Domain 3: Incident Response and Management Practice Test!

Are you preparing for a career transition into the IT industry or looking to enhance your existing IT skills? Our free CompTIA CySA+ (CS0-003) Domain 3: Incident Response and Management practice test is designed to help you succeed. Modeled after the actual CompTIA CySA+ exam format, this practice test will boost your confidence and readiness for the real test.

Key Features

Realistic Exam Simulation: Experience the actual CompTIA CySA+ exam format, helping you get accustomed to the test environment.
Detailed Explanations: Each question comes with comprehensive explanations, allowing you to learn from your mistakes and deepen your understanding.
Identify Weak Areas: Pinpoint your weaknesses and focus your study efforts where they are needed most.
Completely Free: Access our high-quality CompTIA CySA+ practice test at no cost, and start preparing for your certification today.

Why Choose Our Practice Test?

Expertly Crafted: Created by industry professionals with extensive experience in cybersecurity.
Career Advancement: Passing the CompTIA CySA+ certification can open doors to new job opportunities in the IT field.
Convenient and Accessible: No registration required. Take the test online anytime, anywhere. There is also a free offline deck available for Anki app use. Please use the download form above to get it.

Prepare yourself for the CompTIA CySA+ (CS0-003) certification exam by mastering Incident Response and Management. Ideal for those looking to enhance their cybersecurity skills, achieve certification, and advance their careers in IT.

For more information on CompTIA CySA+ certification, visit the official site.

Don’t wait—start mastering Domain 3: Incident Response and Management for the CompTIA CySA+ (CS0-003) exam today with our free practice test!

Explore our other free mock exams:

CompTIA CySA+ (CS0-003) – Domain 3 – Incident Response and Management

Dowload the FREE OFFLINE Version of this Test Bank

Related Posts

The Affordable, Hands-On Josh Madakor IT Course that gets Results!

The Affordable, Hands-On Cyber Security that gets Results!

JOIN OUR

NEWSLETTER