CCNA Security Operations Questions

66 of 291 questions · Page 4/4 · Security Operations · Answers revealed

226
MCQ · medium

A security analyst detects that multiple workstations in the finance department are displaying ransom notes and files are being encrypted. The analyst has disconnected the affected workstations from the network. Which of the following should the analyst do next according to the incident response procedure?

A. Reimage all affected workstations immediately to restore operations.
B. Isolate the entire finance department network segment and preserve forensic evidence.
C. Run a full antivirus scan on the workstations to remove the ransomware.
D. Restore the encrypted files from the latest backup without further investigation.
Answer: B

Isolating the segment prevents lateral movement of the ransomware. Preserving forensic evidence allows for a thorough investigation to identify the initial infection vector and prevent future incidents.

Why this answer

Option B is correct because the immediate next step in the incident response procedure after containment (disconnecting affected workstations) is to isolate the affected network segment to prevent lateral movement and preserve forensic evidence. This aligns with the NIST SP 800-61 incident response framework, which prioritizes containment, eradication, and recovery in that order, and emphasizes evidence preservation before any remediation actions.

Exam trap

The trap here is that candidates often jump to recovery actions (reimaging or restoring backups) too early, forgetting that the incident response process requires containment and evidence preservation before eradication and recovery.

How to eliminate wrong answers

Option A is wrong because reimaging destroys volatile forensic evidence (e.g., memory contents, encryption keys, malware artifacts) that is critical for root cause analysis and attribution. Option C is wrong because running an antivirus scan on an actively encrypting system can trigger further encryption or destroy evidence, and antivirus tools are ineffective against modern ransomware that uses polymorphic code or fileless techniques. Option D is wrong because restoring from backup without investigation may reintroduce the infection vector or miss indicators of compromise (IoCs) that could prevent future attacks.

227
MCQ · medium

A manager asks the security team to let Human Resources inspect the files on a laptop suspected of containing stolen customer data before IT touches it. What is the best response?

A. Let HR browse the files first so they can confirm whether the data is sensitive.
B. Create a forensic image of the device, document the handoff, and maintain chain of custody before any analysis.
C. Copy the files to a shared drive so multiple departments can review them quickly.
D. Factory reset the laptop immediately to prevent further leakage of customer data.
Answer: B

When a device may contain evidence, the priority is to preserve it in a way that supports later analysis and legal defensibility. Creating a forensic image captures the data without modifying the original device, and documenting each transfer maintains chain of custody. This approach protects evidence integrity and allows authorized investigators to review the copy instead of the live system. It is the correct response before HR or others inspect the contents.

Why this answer

Option B is correct because the first priority in any investigation involving potential evidence is to preserve the data in its original state. Creating a forensic image (bit-for-bit copy) ensures that the original media is not altered, and documenting the handoff with a chain of custody form provides a verifiable audit trail. This process adheres to forensic best practices and legal requirements, preventing spoliation of evidence before any analysis begins.

Exam trap

The trap here is that candidates may think HR needs immediate access to confirm sensitivity, but they overlook the forensic requirement to preserve the original state of the evidence before any access or analysis occurs.

How to eliminate wrong answers

Option A is wrong because allowing HR to browse the files directly on the live laptop would modify metadata (e.g., file access times, last opened dates) and could potentially alter or delete data, compromising the integrity of the evidence. Option C is wrong because copying files to a shared drive without first creating a forensic image risks altering file timestamps and metadata during the copy process, and it bypasses proper chain of custody, making the evidence inadmissible. Option D is wrong because factory resetting the laptop would destroy all data, including any evidence of the alleged theft, making it impossible to conduct a forensic investigation and potentially violating legal hold requirements.

228
MCQ · medium

A SIEM alert flags an interactive logon to a Windows file server from a service account that normally only runs scheduled tasks. The alert occurred at 01:12, but the maintenance window for that server is every Sunday at 02:00. The account also accessed a different server five minutes later. What should the analyst do first?

A. Ignore the alert because service accounts often authenticate outside normal business hours.
B. Correlate the activity with the change calendar, scheduled-task logs, and ticketing records before escalating.
C. Immediately disable the service account to stop any potential attacker activity.
D. Reimage the file server to remove any possible compromise.
Answer: B

The best first step in triage is to determine whether the activity is authorized or anomalous. Because service-account use can be legitimate, the analyst should correlate the logon with maintenance windows, scheduled-task history, and approved change records. That quickly separates normal administrative activity from suspicious lateral movement without prematurely disrupting operations.

Why this answer

Option B is correct because the analyst must first gather context to determine if the alert is a false positive or a genuine security incident. The interactive logon at 01:12 is outside the scheduled maintenance window (Sunday 02:00), and the account’s subsequent access to another server warrants correlation with change calendars, scheduled-task logs, and ticketing records to verify if the activity was authorized. This step prevents unnecessary disruption while ensuring that any anomalous behavior is properly investigated before escalation.

Exam trap

The trap here is that candidates may assume any activity outside business hours is automatically malicious or, conversely, that service accounts always authenticate at odd hours and therefore ignore the alert. The key is to recognize that the interactive logon type and the deviation from the maintenance window are the specific anomalies that require correlation.

How to eliminate wrong answers

Option A is wrong because ignoring the alert based solely on the time of day overlooks the specific anomaly: the account performed an interactive logon (type 2 or 10) rather than its usual scheduled-task logon (type 5), and the activity occurred outside the defined maintenance window. Option C is wrong because immediately disabling the service account without investigation could disrupt legitimate operations and destroy forensic evidence; the analyst should first verify if the activity was authorized via change records. Option D is wrong because reimaging the server is a drastic, irreversible step that should only be taken after confirming compromise through proper forensic analysis and incident response procedures.

229
Multi-Select · medium

An organization is implementing a new Security Information and Event Management (SIEM) system. Which three of the following are primary capabilities that a SIEM provides to support security operations? (Choose three.)

Select 3 answers
- Correlation of log data from multiple sources to identify patterns of suspicious activity
- Real-time alerting based on predefined security rules and anomalies
- Long-term storage and retention of logs for compliance and forensic analysis
- Automated patching of operating system vulnerabilities across the enterprise
- Blocking malicious network traffic at the perimeter firewall
- Performing vulnerability scans on internal hosts and applications

Why this answer

A SIEM system's primary capabilities include aggregating and correlating log data from diverse sources (servers, firewalls, endpoints) to detect patterns indicative of security incidents. It provides real-time alerting by applying predefined correlation rules and anomaly detection algorithms to streaming log events. Additionally, SIEM solutions offer long-term log storage and retention, which is essential for compliance audits (e.g., PCI DSS, HIPAA) and post-incident forensic analysis.

Exam trap

The trap here is that candidates confuse a SIEM's ability to ingest and analyze data from other security tools with the ability to perform those tools' native functions (like patching, blocking, or scanning), leading them to select options that describe actions a SIEM cannot directly execute.

230
MCQ · medium

A file server in the accounting department begins renaming documents and dropping ransom notes. The SOC confirms encryption is still in progress, and the server hosts a share used by several finance teams. What should the incident response team do first?

A. Disconnect the server from the network to contain the spread.
B. Restore the file share from backup immediately while the server is still connected.
C. Power off the server immediately without any other action.
D. Notify users to change their passwords before any technical action is taken.
Answer: A

Immediate network isolation stops further encryption, reduces lateral movement, and protects other systems. In ransomware events, containment is the first priority once the incident is confirmed and active.

Why this answer

Disconnecting the server from the network is the immediate containment step to prevent the ransomware from encrypting additional files on the share or spreading laterally to other systems. Since encryption is still in progress, isolating the server stops the attacker's process from accessing more files and blocks any command-and-control (C2) communication. This aligns with the NIST incident response framework's containment phase, prioritizing stopping the spread over recovery or notification.

Exam trap

The trap here is that candidates may prioritize data recovery (Option B) or user notification (Option D) over containment, failing to recognize that the immediate priority is stopping active encryption to limit damage.

How to eliminate wrong answers

Option B is wrong because restoring from backup while the server is still connected risks re-encrypting the restored files if the ransomware process is active, and it violates the containment-first principle. Option C is wrong because powering off the server may cause loss of volatile forensic data (e.g., memory-resident encryption keys, running processes) and can trigger anti-forensic behaviors in some ransomware strains. Option D is wrong because notifying users to change passwords before technical containment wastes critical time; the immediate threat is active encryption, not credential compromise, and password changes should occur after containment and eradication.

231
Multi-Select · hard

A post-incident review shows the SOC detected malicious PowerShell activity six hours late because the existing detections did not correlate the encoded command, the unusual outbound connection, and the creation of a scheduled task. Leadership wants the two follow-up actions most likely to improve future response. Select two.

Select 2 answers
A. Add the new indicators and event patterns to SIEM and EDR detections.
B. Revise the incident response playbook so analysts know the new escalation and containment steps.
C. Restore the compromised host to production immediately after the next reboot.
D. Reduce log retention to keep storage costs low.
E. Disable PowerShell everywhere without reviewing business requirements or alternatives.
Answers: A, B

Updating detections helps the security stack recognize the same behavior earlier in the future.

Why this answer

Option A is correct because adding the new indicators (encoded command, unusual outbound connection, scheduled task creation) and event patterns to SIEM and EDR detections directly addresses the root cause of the six-hour delay: the lack of correlation between these specific events. By updating detection rules to correlate these patterns, the SOC can trigger alerts in near-real time rather than relying on manual post-hoc analysis. This is a core SIEM/EDR tuning practice to reduce mean time to detect (MTTD).

Exam trap

The trap here is that candidates may think updating the playbook (Option B) is the primary fix, but the question specifically asks for actions that improve future *detection* and *response* speed, and while playbook revision helps, the root cause was missing detection logic, not missing procedural steps.

232
MCQ · medium

EDR flags encoded PowerShell launched by a spreadsheet application, followed by an attempt to access LSASS and outbound HTTPS traffic to a rare domain. What should the analyst do first from the EDR console?

A. Reboot the endpoint to terminate the suspicious processes
B. Isolate the endpoint from the network while keeping it powered on
C. Uninstall the spreadsheet application immediately
D. Block the rare domain and close the alert
Answer: B

Isolation stops further communication and lateral movement while preserving evidence on a live system.

Why this answer

Option B is correct because isolating the endpoint from the network while keeping it powered on preserves volatile evidence (e.g., running processes, memory contents) and prevents the attacker from exfiltrating data or establishing further C2 communication. The EDR console allows immediate network isolation without losing the ability to perform live forensics or memory analysis. This aligns with the incident response priority of containment before eradication or recovery.

Exam trap

The trap here is that candidates confuse immediate containment (isolation) with eradication (reboot or uninstall), failing to recognize that preserving volatile evidence is critical for understanding the attack vector and scope before taking destructive actions.

How to eliminate wrong answers

Option A is wrong because rebooting the endpoint destroys volatile evidence in memory (e.g., LSASS dump artifacts, injected code) and may allow persistence mechanisms to re-execute on startup, potentially losing the forensic trail. Option C is wrong because uninstalling the spreadsheet application is a premature remediation step that destroys evidence and does not address the active threat; the analyst must first contain the endpoint to prevent lateral movement or data exfiltration. Option D is wrong because blocking a single domain and closing the alert addresses only one indicator: the encoded PowerShell process and the LSASS access attempt remain uninvestigated on a host that is still connected to the network.

233
MCQ · medium

An EDR alert flags suspicious PowerShell on a finance workstation. Windows logs show the script started immediately after a patch-management tool launched from the software distribution server. The script only queries installed software and writes results to a log file. What is the most likely conclusion?

A. The alert is likely a false positive because the activity matches approved patch-management behavior
B. The workstation is definitely compromised because PowerShell is always malicious
C. The endpoint should be immediately wiped because the script wrote to a log file
D. The software distribution server should be blocked from the network permanently
Answer: A

The script behavior matches a normal inventory or patching task, and the timing with the distribution server supports legitimate administration.

Why this answer

The EDR alert is likely a false positive because the PowerShell script's behavior—querying installed software and writing results to a log file—is consistent with legitimate patch-management inventory tasks. The script's execution immediately after the patch-management tool launched from the software distribution server indicates it was triggered by that tool as part of its normal operations, not by an attacker. Since the activity matches approved patch-management behavior and shows no signs of malicious intent (e.g., data exfiltration, lateral movement, or persistence), the alert should be investigated but is most likely a false positive.

Exam trap

The trap here is that candidates often assume any PowerShell execution is malicious, but the SY0-701 exam tests the ability to correlate process ancestry and script behavior to distinguish legitimate administrative activity from actual threats.

How to eliminate wrong answers

Option B is wrong because it incorrectly assumes PowerShell is always malicious, ignoring that PowerShell is a legitimate administrative tool widely used for automation and inventory tasks in enterprise environments. Option C is wrong because writing to a log file is a standard, non-malicious operation; immediate wiping is an extreme and unnecessary response that would disrupt business operations without evidence of compromise. Option D is wrong because permanently blocking the software distribution server would break critical patch-management workflows; the server is the likely source of the legitimate script, not a threat actor.

234
MCQ · easy

A firewall rule must be changed to allow a vendor update server. Which step best reduces the chance of an unexpected outage?

A. Make the change directly in production without review to save time.
B. Document the change, get approval, and include a rollback plan.
C. Disable the firewall temporarily while the update is tested.
D. Apply the rule but do not tell anyone so there is less paperwork.
Answer: B

This is the best answer because secure change management uses approval and rollback planning to reduce operational risk. Documenting the requested change ensures the impact is reviewed, and a rollback plan gives the team a way to quickly restore service if the update causes problems. These controls help prevent outages caused by rushed or poorly understood production changes.

Why this answer

Option B is correct because following a formal change management process—documenting the change, obtaining approval, and including a rollback plan—ensures that the firewall rule modification is reviewed for potential impacts, authorized by stakeholders, and can be reverted if it causes an outage. This structured approach minimizes the risk of unexpected downtime by validating the change in a controlled manner and providing a safety net.

Exam trap

CompTIA often tests the misconception that speed or convenience (like disabling the firewall or skipping approval) is acceptable for urgent changes, but the exam emphasizes that proper change management is always required to prevent outages and maintain security.

How to eliminate wrong answers

Option A is wrong because making the change directly in production without review bypasses change management, increasing the risk of misconfiguration or unintended access that could cause an outage. Option C is wrong because disabling the firewall temporarily exposes the network to all traffic, creating a security vulnerability and potentially causing a different type of outage from malicious activity. Option D is wrong because applying the rule without notification violates change control policies, prevents stakeholders from preparing for potential impacts, and eliminates the ability to coordinate a rollback if issues arise.

235
MCQ · easy

A company wants to make sure it can recover quickly after ransomware, even if the production network is unavailable. Which backup approach is the best choice?

A. Store backups only on the same file server so they are easy to access.
B. Keep an offline copy of backups that is disconnected from production systems.
C. Use a single monthly backup and never test restores to save time.
D. Save backups in the same cloud account using the same admin credentials.
Answer: B

Offline backups are harder for ransomware to encrypt and can support recovery when online systems are unavailable.

Why this answer

Option B is correct because an offline (air-gapped) backup, such as a tape stored in a safe or a disconnected external drive, ensures that ransomware cannot encrypt or delete the backup data. This approach guarantees recoverability even when the production network is completely compromised or unavailable, aligning with the 3-2-1 backup rule (three copies, two media types, one offsite/offline).

Exam trap

The trap here is that candidates may think 'offline' means simply not connected to the internet, but the key is physical or logical disconnection from the production network to prevent ransomware from reaching the backup during an active attack.

How to eliminate wrong answers

Option A is wrong because storing backups on the same file server means they share the same attack surface; ransomware can encrypt or delete them alongside production data, making recovery impossible. Option C is wrong because a single monthly backup without testing restores violates the principle of recovery point objective (RPO) and recovery time objective (RTO); untested backups may be corrupt or incomplete, and the long interval between backups risks significant data loss. Option D is wrong because keeping backups in the same cloud account under the same admin credentials means a single compromised credential gives the attacker the ability to delete or encrypt the backups along with production data.

236
MCQ · easy

A SOC analyst sees 20 failed logins for one user account, followed by a successful login 30 seconds later from the same office subnet. The user confirms they mistyped the password several times. What is the best conclusion?

A. It is definitely a brute-force attack and should be treated as confirmed compromise.
B. It is most likely a false positive caused by user error and should be documented after verification.
C. It is evidence of malware on the user's workstation until the device is rebuilt.
D. It proves the password was changed by an attacker and the account must be disabled immediately.
Answer: B

The failed logins match the user's explanation and the location is consistent with normal behavior.

Why this answer

The scenario shows 20 failed logins followed by a successful login from the same office subnet, and the user confirms they mistyped the password. This pattern is consistent with user error (e.g., Caps Lock or typo), not an automated brute-force attack, which would typically show a much higher volume of attempts from diverse IPs. The best conclusion is a false positive, which should be documented after verification to maintain accurate incident records.

Exam trap

The trap here is that candidates may overreact to multiple failed logins as a brute-force attack, ignoring the user's confirmation and the same-subnet source, which are classic indicators of user error rather than malicious activity.

How to eliminate wrong answers

Option A is wrong because a brute-force attack would involve hundreds or thousands of attempts from multiple IP addresses, not just 20 from the same subnet, and a successful login from the user's own subnet with user confirmation of error makes an attack unlikely. Option C is wrong because there is no evidence of malware; failed logins followed by a successful login from the same subnet are not indicative of malware activity, and rebuilding the device is an extreme, unnecessary response. Option D is wrong because the successful login occurred from the same office subnet, not an attacker's IP, and the user confirmed they mistyped the password; there is no evidence the password was changed, and disabling the account would be premature without further investigation.

237
MCQ · medium

A SOC analyst confirms that an employee entered credentials into a phishing site and that the mailbox now shows a new forwarding rule sending messages to an external address. The account is still signed in on a laptop and a mobile phone. What is the best next action?

A. Wait for the user to log out naturally before taking action.
B. Revoke active sessions and force a password reset for the account.
C. Archive the mailbox and close the ticket after notifying the user.
D. Delete the forwarding rule only and consider the incident closed.
Answer: B

This removes the attacker’s current access path and prevents reuse of the compromised credentials.

Why this answer

Option B is correct because the immediate priority is to contain the compromised account by terminating all active sessions (revoking OAuth tokens, clearing SAML sessions) and forcing a password reset to prevent further unauthorized access. The mailbox forwarding rule indicates the attacker has established persistence, and the active sessions on the laptop and mobile phone mean the attacker could still be using the account. Revoking sessions ensures the attacker cannot continue exfiltration or lateral movement, while the password reset invalidates the stolen credentials.

Exam trap

The trap here is that candidates may think waiting for the user to log out (Option A) is acceptable because the user is still signed in, but in security operations, you must assume the attacker has active access and act immediately to revoke sessions rather than relying on user behavior.

How to eliminate wrong answers

Option A is wrong because waiting for the user to log out naturally gives the attacker continued access to the account, allowing further data exfiltration via the forwarding rule or other malicious actions. Option C is wrong because archiving the mailbox and closing the ticket without revoking sessions or resetting the password leaves the account compromised, the forwarding rule active, and the attacker still able to access the account and modify settings. Option D is wrong because deleting the forwarding rule removes only one persistence mechanism; the stolen credentials remain valid and the existing sessions remain active, so the attacker can simply sign in again and recreate the rule.

238
MCQ · medium

A SOC analyst confirms that a workstation is encrypting local files and attempting SMB connections to nearby hosts. The user is still logged in, and the business wants to limit spread without destroying evidence. What is the best immediate action?

A. Power the workstation off immediately and leave it in place
B. Quarantine the workstation from the network using EDR or switch port containment
C. Run a full antivirus scan while the workstation remains connected
D. Wipe and reimage the workstation from a standard build image
Answer: B

This is the best immediate containment action because it stops further spread while preserving evidence. EDR quarantine or disabling the switch port isolates the infected host without unnecessarily powering it down. The SOC can then collect volatile and disk evidence, determine the scope of infection, and proceed with eradication and recovery steps in the proper incident response sequence.

Why this answer

Option B is correct because quarantining the workstation via EDR or switch port containment immediately stops the SMB-based lateral movement and further encryption of network shares, while preserving the volatile evidence (memory, running processes, encryption keys) for forensic analysis. This aligns with the business requirement to limit spread without destroying evidence, as powering off or reimaging would lose critical forensic data.

Exam trap

The trap here is that candidates think powering off (Option A) is the fastest way to stop spread, but CompTIA emphasizes preserving evidence and avoiding destruction of volatile data, making network quarantine the correct choice.

How to eliminate wrong answers

Option A is wrong because powering off the workstation destroys volatile evidence (e.g., encryption keys in memory, active network connections) and may trigger anti-forensic mechanisms in the ransomware. Option C is wrong because running a full antivirus scan while the workstation remains connected allows the ransomware to continue encrypting local files and spreading via SMB to nearby hosts, violating the goal to limit spread. Option D is wrong because wiping and reimaging destroys all evidence, including the ransomware binary, encryption artifacts, and forensic traces needed for incident response and attribution.

239
Multi-Select · hard

A Linux operations team must run a nightly maintenance workflow on 60 servers to rotate logs and restart one service. Security does not allow interactive root logins, and every execution must be auditable. Which two practices best support secure administration? Select two.

Select 2 answers
A. Use a dedicated service account with sudo rights limited to the exact commands in the workflow.
B. Run the workflow through a centralized automation platform that records execution time and output.
C. Hardcode the root password in the script so the same job works everywhere.
D. Share one privileged SSH key among all administrators for convenience.
E. Disable command logging so the maintenance output is easier to review.
Answers: A, B

Least-privilege sudo access lets the job run without giving the account broad interactive root power.

Why this answer

Option A is correct because using a dedicated service account with sudo rights limited to the exact commands in the workflow enforces the principle of least privilege. This ensures that even if the account is compromised, an attacker can only execute the specific log rotation and service restart commands, not arbitrary root-level operations. It also eliminates the need for interactive root logins, satisfying the security policy while maintaining auditability through sudo logs.

Exam trap

The trap here is that candidates often think hardcoding credentials or sharing keys is acceptable for convenience, but the SY0-701 exam strictly tests the principle of least privilege and the necessity of non-repudiation through dedicated accounts and centralized logging.

240
Multi-Select · medium

A security analyst is reviewing the organization's incident response procedures. According to the NIST SP 800-61 framework, which four of the following are recognized phases of the incident response lifecycle? (Choose four.)

Select 4 answers
- Preparation
- Detection and Analysis
- Containment, Eradication, and Recovery
- Post-Incident Activity
- Threat Hunting
- Risk Assessment

Why this answer

The NIST SP 800-61 Revision 2 framework defines the incident response lifecycle as consisting of four phases: Preparation, Detection and Analysis, Containment/Eradication/Recovery, and Post-Incident Activity. These phases form a continuous cycle, with lessons learned from Post-Incident Activity feeding back into Preparation. The question asks for the four recognized phases, and these four options directly match the NIST model.

Exam trap

The trap here is that candidates may confuse proactive security activities like Threat Hunting or Risk Assessment with the formal incident response phases, but NIST SP 800-61 strictly lists only the four phases given as correct answers.

241
MCQ · easy

A legacy application cannot be patched for two weeks, but the security team still wants to reduce risk in the meantime. What is the best temporary measure?

A. Do nothing until the patch window opens.
B. Add a compensating control such as restricting access to the system.
C. Disable all logging so the system runs faster.
D. Rename the application so attackers cannot find it.
Answer: B

A compensating control lowers risk while the permanent fix is unavailable.

Why this answer

Option B is correct because implementing a compensating control, such as restricting network access via firewall rules or disabling unnecessary services, reduces the attack surface while the legacy application remains unpatched. This aligns with the principle of defense-in-depth, where temporary mitigations like access control lists (ACLs) or host-based firewalls can block exploit vectors until the patch is applied.

Exam trap

The trap here is that candidates may choose 'Do nothing' assuming patching is the only valid action, but CompTIA expects you to recognize that compensating controls are a standard risk management strategy when immediate patching is not feasible.

How to eliminate wrong answers

Option A is wrong because doing nothing leaves the vulnerability exposed, increasing the risk of exploitation during the two-week window, which violates the security team's goal of risk reduction. Option C is wrong because disabling logging degrades visibility and audit capabilities, making it harder to detect or investigate attacks, and does not address the underlying vulnerability. Option D is wrong because renaming the application is security through obscurity: the vulnerable code still runs and still listens on the same interfaces, so scanners and attackers can find it regardless of its name.

242
MCQ · medium

A weekly scan reports three findings: a medium-severity missing patch on a lab VM with no network access, a high-severity default credential on a management interface reachable from the internet, and a low-severity outdated browser plug-in on a visitor kiosk. Which issue should be remediated first?

A. The medium-severity missing patch on the isolated lab VM.
B. The low-severity outdated browser plug-in on the visitor kiosk.
C. The high-severity default credential on the management interface exposed to the internet.
D. All three issues have the same priority because they were found in the same scan cycle.
Answer: C

Exposure and exploitability drive priority. A default credential on an internet-reachable management interface presents immediate unauthorized access risk and should be addressed before issues on isolated or lower-risk assets.

Why this answer

Option C is correct because the high-severity default credential on a management interface reachable from the internet represents an immediate, exploitable risk. Default credentials are well-known and can be used by attackers to gain full administrative control over the device, often leading to a complete compromise of the network. In contrast, the other findings have compensating controls (no network access) or lower impact (outdated browser plug-in), making them lower priority in a risk-based remediation strategy.

Exam trap

The trap here is that candidates focus solely on the severity label (high vs. medium vs. low) without considering the compensating controls or exposure, leading them to incorrectly rank the missing patch or outdated plug-in as higher priority.

How to eliminate wrong answers

Option A is wrong because the lab VM has no network access, which means the missing patch cannot be exploited remotely; the risk is contained and can be remediated later. Option B is wrong because an outdated browser plug-in on a visitor kiosk is low severity and typically has limited attack surface (e.g., no saved credentials, restricted user privileges), so it does not pose an immediate threat compared to an internet-exposed default credential. Option D is wrong because not all findings have the same priority; risk severity is determined by both the vulnerability's severity and the exposure/impact, and the high-severity default credential with internet exposure clearly outweighs the others.

243
Multi-Select · medium

A company-owned laptop is suspected in an insider theft case and legal says the evidence may be used in court. Which two actions best support evidence admissibility during transport to the evidence locker? Select two.

Select 2 answers
A. Document the chain of custody with the collector, date, time, device condition, and transfer history.
B. Place the laptop in a tamper-evident bag or seal and record the seal number.
C. Browse the user’s files to confirm whether the laptop contains stolen documents.
D. Remove the hard drive and place it in an unmarked box for convenience.
E. Let the employee continue using the laptop until legal staff are available.
Answers: A, B

Documenting the chain of custody is essential because admissibility depends on showing who handled the evidence, when they handled it, and whether it remained intact. Detailed chain-of-custody records help prove the item was not altered or contaminated. Courts and legal teams rely on this documentation to establish integrity from collection through storage and analysis.

Why this answer

Option A is correct because documenting the chain of custody establishes a clear, unbroken record of who handled the evidence, when, and under what conditions. This is critical for admissibility in court, as it demonstrates that the evidence has not been tampered with or altered since collection. Without proper chain-of-custody documentation, the defense could argue that the laptop's integrity was compromised, potentially rendering the evidence inadmissible.

Exam trap

The trap here is that candidates might think previewing files is a valid investigative step, but in forensic evidence handling, any access to the original data must be done through a write-blocker and on a forensic copy, not by browsing the live system, to avoid altering evidence.

244
MCQ · medium

After a ransomware event, the team restores a file server from backup, but management wants proof that the restore process will work before the backups are declared trusted. What should be done next?

A. Delete the old backup copies to prevent future confusion
B. Perform a test restore in an isolated environment and verify the recovered data
C. Switch to incremental backups only so the next restore is faster
D. Store the backups on the same file server so they are easier to access
Answer: B

A test restore is the best way to validate backup integrity and operational readiness after an incident. Restoring in isolation confirms that the backup can be used successfully without risking production systems. Verification should include checking file integrity, application access if relevant, and whether the restored data meets recovery objectives. This provides evidence that backups remain trustworthy after ransomware.

Why this answer

Option B is correct because the only way to prove that backups are trustworthy is to perform a test restore in an isolated environment, verifying the integrity and completeness of the recovered data. This validates that the backup process, media, and software are functioning correctly without risking the production environment. Without a successful test restore, the team cannot confirm that the backups are free from corruption, encryption, or other issues that would prevent a real recovery.

Exam trap

The trap here is that candidates may think simply having backups is sufficient proof of recoverability, but the exam emphasizes that only a successful test restore in an isolated environment can validate the backup's integrity and the restore process itself.

How to eliminate wrong answers

Option A is wrong because deleting old backup copies does not prove the restore process works and actually removes potentially valuable recovery points, violating the 3-2-1 backup rule. Option C is wrong because switching to incremental backups only does not validate the current restore process; it changes the backup strategy without addressing the need for proof of recoverability, and incremental backups actually require a full backup chain to restore, increasing complexity. Option D is wrong because storing backups on the same file server violates the fundamental principle of backup isolation, making them vulnerable to the same ransomware attack that encrypted the original data, and it does not test the restore process at all.

245
MCQ · easy

A new SIEM rule generates many alerts from a scheduled backup job that is known to be legitimate. What should the analyst do to improve alert quality?

A. Disable all logging for the backup server.
B. Tune the rule to exclude the known backup activity pattern.
C. Ignore the alerts permanently because the job is approved.
D. Reimage the backup server to stop the alerts.
Answer: B

Alert tuning should reduce false positives without losing useful detection. If the backup job is documented and legitimate, the analyst can adjust the rule to exclude that approved activity pattern or server. This keeps the SIEM useful and helps responders focus on real suspicious behavior instead of repeated harmless alerts.

Why this answer

Option B is correct because tuning the SIEM rule to exclude the known backup activity pattern reduces false positives while preserving detection of actual threats. By creating an exception for the specific backup server's IP, schedule, or process hash, the analyst maintains visibility into anomalous behavior without being overwhelmed by noise.

Exam trap

The trap here is that candidates may choose to disable logging or ignore alerts, confusing operational convenience with proper security hygiene, when the correct approach is to refine detection logic through tuning.

How to eliminate wrong answers

Option A is wrong because disabling all logging for the backup server would create a blind spot, preventing detection of real threats like ransomware encrypting backup data or unauthorized access to backup files. Option C is wrong because ignoring alerts permanently violates security monitoring best practices and could allow a malicious actor to hide activity within the backup job's noise. Option D is wrong because reimaging the backup server is an extreme, unnecessary measure that does not address the root cause—the SIEM rule's lack of specificity—and would disrupt operations without solving the alert volume issue.

246
MCQ · medium

An organization is retiring a batch of laptops with SSDs. All of the systems used full-disk encryption and stored sensitive internal documents. What is the best action before the devices leave the company?

A. Run a quick format and remove the asset tags after the files are deleted.
B. Perform a cryptographic erase by destroying the encryption keys and document the sanitization process.
C. Degauss the SSDs and then store them in the disposal room until pickup.
D. Overwrite the drives once with random data and consider the devices ready for resale.
Answer: B

For encrypted SSDs, destroying the encryption keys is an effective and practical sanitization method because the data becomes unreadable even if the drive is later examined. This approach matches the media type and the fact that full-disk encryption was used. Proper documentation also supports accountability and compliance. It is stronger than merely deleting files or performing a superficial format, which may leave recoverable data behind.

Why this answer

Option B is correct because a cryptographic erase (also known as a crypto-scrub) renders the encrypted data permanently inaccessible by securely destroying the encryption keys. Since the SSDs used full-disk encryption (FDE), the data is already encrypted at rest, and without the keys, the ciphertext is effectively unrecoverable. This method is fast, reliable, and compliant with sanitization standards like NIST SP 800-88, making it the best action before the devices leave the organization.

Exam trap

The trap here is that candidates often choose degaussing (Option C) for SSDs, mistakenly applying a technique that works only for magnetic media like HDDs, while ignoring that cryptographic erase is the proper and efficient method for encrypted solid-state drives.

How to eliminate wrong answers

Option A is wrong because a quick format only removes the file system pointers, not the actual data; the encrypted content remains on the SSD and could potentially be recovered if the encryption keys are still present. Option C is wrong because degaussing SSDs is ineffective—SSDs use flash memory that is not affected by magnetic fields, and degaussing can physically destroy the drive without guaranteeing data removal. Option D is wrong because overwriting SSDs with random data is unreliable due to wear-leveling and over-provisioning; the SSD firmware may remap bad blocks, leaving remnants of the original encrypted data intact.

247
MCQ · medium

A security analyst receives an automated alert indicating that a standard user account logged in from a geographic location that is unusual for the user, and the login occurred at 3:00 AM local time. The analyst has not yet verified whether this was a successful login or if any additional suspicious activity occurred. According to standard incident response procedures, what should the analyst do NEXT?

A. Disable the user account immediately and reset the password.
B. Conduct a full forensic analysis of the user's workstation.
C. Review the account's recent activity for signs of compromise.
D. Report the incident to law enforcement.
Answer: C

Reviewing recent activity (e.g., successful logins, file access, privilege escalation attempts) is the appropriate analysis step to validate the alert. This helps determine if the account is compromised and guides subsequent containment and eradication actions.

Why this answer

The correct next step is to review the account's recent activity to gather more context. According to the NIST incident response process (Preparation, Detection & Analysis, Containment, Eradication & Recovery, Post-Incident Activity), after detection the analyst should perform analysis to validate the alert and determine the scope. Reviewing recent logins, accessed files, and other actions helps decide if containment is needed.

Immediately disabling the account (A) could be premature if the alert is a false positive or if the user is traveling. Conducting a full forensic analysis (B) is too resource-intensive for a single alert without further evidence. Reporting to law enforcement (D) is not appropriate at this stage; that would occur after a confirmed incident that meets legal thresholds.

248
Multi-Select · hard

A SIEM report shows this sequence over 25 minutes: the same public IP submitted one failed password attempt against 53 different accounts, then one account successfully authenticated, created an inbox forwarding rule, and downloaded hundreds of messages through the web portal. Which two conclusions are best supported? Select two.

Select 2 answers
A. The pattern is consistent with a password spraying attack.
B. The attacker is performing a brute-force attack against one account.
C. The activity is most likely credential stuffing with multiple known password pairs.
D. The successful account is likely compromised and being used for persistence or mailbox abuse.
E. The events primarily indicate a denial-of-service attack against the mail system.
Answers: A, D

One failed attempt across many accounts from one source fits password spraying, which avoids lockouts by keeping per-account attempts low.

Why this answer

Option A is correct because the SIEM shows a single public IP attempting one failed password against 53 different accounts over 25 minutes. This pattern—low-and-slow, one attempt per account—is the hallmark of a password spraying attack, which avoids account lockout thresholds by never hitting the same account repeatedly. The subsequent successful authentication and mailbox abuse confirm the attacker found a weak password for one account.

Exam trap

The trap here is confusing password spraying (one password, many accounts) with brute-force (many passwords, one account) or credential stuffing (many known pairs), leading candidates to pick B or C despite the single-IP, single-attempt-per-account pattern.

249
MCQ · easy

Based on the exhibit, what should the analyst do next to limit the impact of the suspected compromise?

A. Run a full antivirus scan first and wait for the results before taking any other action.
B. Isolate FIN-LT-22 from the network to contain the suspected malware activity.
C. Reboot the laptop to clear the malicious process from memory.
D. Reset the user's password and close the ticket after confirming they can log in again.
Answer: B

Network isolation is the best immediate containment step when an endpoint shows signs of active malicious behavior. It limits further command-and-control traffic, prevents lateral movement, and buys time for investigation. In incident response, containment comes before eradication and recovery when the threat is still active.

Why this answer

Option B is correct because isolating FIN-LT-22 from the network immediately stops the suspected malware from communicating with command-and-control servers or spreading laterally to other hosts. This containment step aligns with the NIST incident response framework's containment phase, which prioritizes limiting damage before eradication or recovery. In a suspected compromise, network isolation (e.g., disabling the switch port or using a host-based firewall rule) is the fastest way to cut off malicious traffic without destroying volatile evidence in memory.

Exam trap

The trap here is that candidates often choose to run an antivirus scan first (Option A) because they assume detection must precede containment, but the SY0-701 exam emphasizes that containment is the immediate priority to limit impact, even before identifying the specific malware.

How to eliminate wrong answers

Option A is wrong because running a full antivirus scan first wastes critical time and may alert the attacker or trigger destructive actions before containment; antivirus also relies on signatures and may miss unknown malware. Option C is wrong because rebooting clears volatile memory (RAM), destroying evidence of the malicious process and potentially allowing persistence mechanisms to re-establish on startup, which violates forensic best practices. Option D is wrong because resetting the user's password does not address the active malware on the endpoint; the attacker could still maintain access via a backdoor or keylogger, and closing the ticket prematurely ignores the need for containment and eradication.

250
MCQ · medium

A security analyst is reviewing authentication logs and observes multiple failed login attempts for a single user account occurring within a short timeframe, followed by a successful login from an IP address located in a country where the user has never traveled. The failed attempts originate from various IP addresses and use different passwords. Which type of attack has most likely occurred?

A. Brute-force attack
B. Credential stuffing
C. Password spraying
D. Dictionary attack
Answer: A

Correct. A brute-force attack is characterized by systematically trying many different passwords against a single account until the correct one is found. The log pattern of multiple failed attempts followed by a success aligns with this method.

Why this answer

The correct answer is A (Brute-force attack) because the log shows multiple failed login attempts from various IP addresses using different passwords, followed by a successful login from an unfamiliar country. This pattern indicates a distributed brute-force attack where the attacker systematically tries many passwords against a single account, often using a botnet or proxy rotation to evade IP-based rate limiting. The successful login from a foreign IP confirms the attacker eventually guessed the correct password.

Exam trap

The trap here is that candidates confuse 'multiple failed attempts from various IPs' with credential stuffing, but the key differentiator is that credential stuffing uses known credential pairs, not systematically generated passwords against a single account.

How to eliminate wrong answers

Option B (Credential stuffing) is wrong because credential stuffing uses previously breached username/password pairs from other services, not different passwords generated on the fly; the log shows varied passwords, not reused credentials. Option C (Password spraying) is wrong because password spraying targets many usernames with a single common password, whereas this attack focuses on one user account with many different passwords. Option D (Dictionary attack) is wrong because a dictionary attack uses a predefined list of likely passwords (e.g., from a wordlist), but the description of 'various IP addresses' and 'different passwords' suggests a brute-force approach rather than a limited dictionary set.
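The two log patterns described in questions 248 and 250 can be told apart mechanically by pivoting the failed-authentication events two ways: by source address (how many distinct accounts one source touched, and how many failures per account) and by account (how many failures one account absorbed, from however many sources). The following is an added example, not part of the question bank: the event lists are constructed to mirror the two questions, and the thresholds are assumptions a SOC would tune against its own lockout policy and user count.

```python
"""Classify failed-authentication patterns from a SIEM export.

Added example, not from the question bank. It separates password spraying
(one source, roughly one attempt against each of many accounts) from a
single-account brute force (many attempts against one account, from one or
many sources). Event lists and thresholds are constructed assumptions.
"""
from collections import defaultdict

# Constructed events: (timestamp, source_ip, user, outcome).
# Question 248's shape: one source, one failure per account over 53
# accounts, then one success from the same source.
SPRAY_EVENTS = [
    (f"2024-05-01T02:{i % 25:02d}:00", "203.0.113.9", f"user{i:02d}", "FAIL")
    for i in range(53)
] + [("2024-05-01T02:25:00", "203.0.113.9", "user17", "SUCCESS")]

# Question 250's shape: many failures against one account from rotating
# sources, then a success from yet another source.
BRUTE_EVENTS = [
    (f"2024-05-01T03:00:{i:02d}", f"198.51.100.{i}", "jdoe", "FAIL")
    for i in range(1, 41)
] + [("2024-05-01T03:05:00", "198.51.100.77", "jdoe", "SUCCESS")]


def classify(events, spray_min_accounts=10, brute_min_attempts=10):
    """Return a verdict dict: 'password_spray', 'brute_force' or 'none',
    with the pivot (source or account) and any account that later succeeded.
    Thresholds are assumed values, not vendor defaults."""
    fails_by_src = defaultdict(list)   # source_ip -> accounts it failed against
    fails_by_user = defaultdict(list)  # account   -> sources that failed on it
    successes = []                     # (source_ip, account) for successful logins
    for _ts, src, user, outcome in events:
        if outcome == "FAIL":
            fails_by_src[src].append(user)
            fails_by_user[user].append(src)
        elif outcome == "SUCCESS":
            successes.append((src, user))

    # Spray: one source touches many distinct accounts with about one
    # failure each, which stays under per-account lockout thresholds.
    for src, users in fails_by_src.items():
        distinct = set(users)
        if len(distinct) >= spray_min_accounts and len(users) / len(distinct) <= 2:
            return {
                "verdict": "password_spray",
                "pivot": src,
                "accounts_targeted": len(distinct),
                # Accounts that later logged in from the spraying source.
                "compromised": sorted(u for s, u in successes if s == src and u in distinct),
            }

    # Brute force: one account accumulates many failures, whatever the sources;
    # rotating sources defeat IP rate limits but not this per-account count.
    for user, srcs in fails_by_user.items():
        if len(srcs) >= brute_min_attempts:
            return {
                "verdict": "brute_force",
                "pivot": user,
                "attempts": len(srcs),
                "distinct_sources": len(set(srcs)),
                "compromised": sorted({u for _s, u in successes if u == user}),
            }

    return {"verdict": "none", "pivot": None, "compromised": []}


if __name__ == "__main__":
    print(classify(SPRAY_EVENTS))
    print(classify(BRUTE_EVENTS))
```

Because the spray check keys on the source and the brute-force check keys on the account, a source that rotates addresses (question 250) is still caught by the per-account count, and a source that keeps every account under the lockout threshold (question 248) is still caught by the breadth of accounts it touched. Any account listed under `compromised` is the one to review for forwarding rules and bulk mailbox access.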

251
MCQ · medium

Based on the exhibit, which action should the incident response team take next to eradicate the threat?

A. Return the workstation to the user since the outbound connection was blocked.
B. Delete only the scheduled task and reconnect the host to monitor for more alerts.
C. Reimage the endpoint from a known-good build and reset potentially exposed credentials.
D. Close the incident because memory capture has already preserved the evidence.
Answer: C

The logs show a likely malicious macro, encoded PowerShell, a dropped script, and persistence through a scheduled task. That combination indicates a high-confidence compromise with uncertain scope. Reimaging removes hidden persistence more reliably than piecemeal cleanup, and credential resets are appropriate because finance activity occurred on the device and credentials may have been captured.

Why this answer

Option C is correct because the exhibit indicates a confirmed compromise (e.g., a scheduled task establishing outbound C2 traffic). Eradication requires removing all traces of the attacker's foothold, which is best achieved by reimaging the endpoint from a known-good build. Additionally, any credentials that may have been exposed during the compromise must be reset to prevent lateral movement or re-entry.

Exam trap

The trap here is that candidates may think deleting the scheduled task (Option B) is sufficient for eradication, but CompTIA emphasizes that any confirmed compromise requires full reimaging to ensure no hidden persistence remains.

How to eliminate wrong answers

Option A is wrong because simply returning the workstation to the user after blocking an outbound connection does not remove the underlying threat (e.g., the scheduled task or persistence mechanism) and assumes the attacker cannot adapt or use alternate C2 channels. Option B is wrong because deleting only the scheduled task leaves other potential persistence mechanisms (e.g., registry run keys, services, or WMI subscriptions) intact, and reconnecting the host without full remediation risks re-infection or continued attacker access. Option D is wrong because closing the incident after memory capture ignores the need for eradication; evidence preservation does not eliminate the active threat, and the host remains compromised.

252
MCQ · easy

A company laptop is collected as evidence in a suspected theft case. Which action best supports chain of custody?

A. Place the laptop on a desk until the investigator is available.
B. Record each transfer with date, time, handler name, and signatures.
C. Reset the laptop so the legal team can access it more easily.
D. Remove the hard drive and connect it to a personal workstation.
Answer: B

Chain of custody requires a documented record of who handled the evidence, when it changed hands, and under what conditions. These records help prove integrity and admissibility later. Accurate transfer documentation is one of the most important parts of evidence handling in a forensic case.

Why this answer

Option B is correct because chain of custody requires documenting every transfer of evidence with date, time, handler name, and signatures to maintain a verifiable record of who had possession of the laptop at all times. This ensures the evidence is admissible in court by proving it has not been tampered with or altered since collection. Without this documentation, the defense could argue the evidence was compromised, undermining the entire case.

Exam trap

CompTIA often tests the misconception that preserving evidence means making it easier to access (like resetting or removing components), when in fact the priority is maintaining the original state and documenting every touchpoint to ensure legal admissibility.

How to eliminate wrong answers

Option A is wrong because leaving the laptop on a desk unattended violates the principle of secure evidence handling, as it creates an unaccounted gap in custody where the device could be tampered with or accessed by unauthorized individuals. Option C is wrong because resetting the laptop destroys all data, including potential evidence such as logs, files, and user activity, which is irreversible and violates forensic best practices that require preserving the original state of evidence. Option D is wrong because removing the hard drive and connecting it to a personal workstation risks altering the drive's contents (e.g., timestamps, metadata) and introduces potential contamination from the workstation's operating system, breaking the chain of custody and compromising forensic integrity.

253
MCQ · medium

A security analyst notices that a phishing campaign is targeting employees with emails that appear to be from the company's IT support team. The emails contain a link to a website that mimics the corporate password reset portal. Which of the following controls would be MOST effective in preventing users from reaching the malicious website, assuming the link uses HTTPS?

A. Implement a URL filtering policy on the company's web proxy.
B. Deploy an email security gateway that performs sandboxing of attachments.
C. Enable multi-factor authentication on all corporate accounts.
D. Conduct a security awareness training session on phishing.
Answer: A

Correct. URL filtering on a web proxy can block access to known malicious or lookalike domains, preventing users from even reaching the phishing site, regardless of the link's HTTPS status.

Why this answer

A URL filtering policy on the company's web proxy is the most effective control because it can block access to the malicious website based on its domain, category, or reputation, regardless of whether the link uses HTTPS. Since the proxy can perform SSL/TLS inspection (decrypting the HTTPS traffic) or use domain reputation lists, it prevents users from even reaching the phishing site. This directly addresses the core issue of users navigating to a known or suspicious URL.

Exam trap

The trap here is that candidates assume HTTPS encryption makes URL filtering impossible, but the exam expects you to know that web proxies can inspect or block HTTPS traffic using SSL/TLS decryption or domain-based filtering, making URL filtering still effective.

How to eliminate wrong answers

Option B is wrong because an email security gateway that performs sandboxing of attachments is designed to analyze malicious file attachments, not to block links to external websites; the phishing email contains a link, not an attachment, so sandboxing would not prevent users from clicking the link. Option C is wrong because multi-factor authentication (MFA) protects accounts after credentials are compromised, but it does not prevent users from reaching the malicious website or entering their credentials on the fake portal; MFA is a defense-in-depth layer, not a preventive control for URL access.

254
MCQ · easy

A server room is sometimes left open while technicians carry equipment in and out. Which control best helps detect and discourage unauthorized entry?

A. A written reminder poster on the wall
B. A CCTV camera covering the entrance
C. A brighter color for the server room door
D. A larger monitor in the nearby office
Answer: B

Video surveillance helps deter misuse and provides records if access must be reviewed later.

Why this answer

A CCTV camera covering the entrance provides continuous monitoring and recording of activity, which both detects unauthorized entry in real time and creates a deterrent effect through the awareness of surveillance. Unlike passive measures, it offers forensic evidence and can be integrated with access control systems to alert security personnel of breaches.

Exam trap

The trap here is that candidates may confuse administrative controls like signage with detective controls, overlooking that only active surveillance (CCTV) provides both detection and deterrence for an unsecured physical entry point.

How to eliminate wrong answers

Option A is wrong because a written reminder poster is a passive administrative control that relies on voluntary compliance and provides no detection or deterrence against intentional unauthorized entry. Option C is wrong because a brighter color for the door is purely cosmetic and has no impact on security monitoring, access control, or deterring unauthorized individuals.

255
Matching · medium

Match each incident response action to its primary purpose during a suspected endpoint compromise.

Concepts
Matches

Contain the incident and limit spread to other systems

Preserve evidence that could disappear after power-off

Eradicate persistence and return the system to a trusted state

Recover business operations and return service to normal

Complete lessons learned and improve future response

Why these pairings

Incident response actions are sequenced to contain, preserve, analyze, remove, and learn from the incident. Isolating prevents spread; volatile data capture is time-sensitive; imaging preserves evidence; log analysis reveals details; eradication cleans the system; lessons learned improve processes.

256
MCQ · medium

A security analyst in the SOC is investigating a potential DNS tunneling incident. The analyst has identified a workstation that is making thousands of DNS queries to an external domain with base64-encoded subdomains. The analyst suspects that sensitive files from the workstation are being exfiltrated by encoding their contents into the subdomains of the DNS queries. Which of the following log sources will provide the most definitive evidence to confirm that the contents of a specific sensitive file are being transmitted in the DNS queries?

A. The DNS server logs showing the queried domains and subdomains.
B. The workstation's process creation logs showing which process initiated the DNS queries.
C. A full packet capture of the network traffic from the workstation showing the complete DNS messages.
D. The firewall logs showing outbound connections from the workstation to the external DNS server on port 53.
Answer: C

A full packet capture includes the entire DNS query packet, including the complete subdomain portion. The analyst can extract and decode the base64-encoded subdomain data and compare it directly to the contents of a sensitive file on the workstation to definitively confirm data exfiltration.

Why this answer

Option C is correct because a full packet capture (PCAP) contains the complete DNS query and response messages, including the raw payload of the subdomain fields. This allows the analyst to extract the base64-encoded data from the subdomains and decode it to verify that it matches the contents of the suspected sensitive file. DNS server logs (option A) typically only record the queried domain names, not the full DNS message payload, and may truncate long subdomains.

Process creation logs (option B) show which executable made the queries but not the data being sent. Firewall logs (option D) only show connection metadata (source, destination, port) and never the DNS query content.

Exam trap

The trap here is that candidates assume DNS server logs contain the full query payload, but in practice they often log only the resolved domain name and may truncate long subdomains, making packet capture the only definitive source for reconstructing exfiltrated data.

How to eliminate wrong answers

Option A is wrong because DNS server logs usually store only the queried domain name and response code, not the full DNS message payload; base64-encoded subdomains may be truncated or omitted entirely. Option B is wrong because process creation logs (e.g., Event ID 4688 in Windows) reveal the parent process and command line but do not capture the actual DNS query data transmitted over the network. Option D is wrong because firewall logs record only connection-level details (IP addresses, ports, timestamps) and never include the application-layer payload of DNS queries.
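The confirmation step the explanation describes (pull the query names out of the capture, decode the subdomain data, and compare it with the suspected file) can be scripted once the tunnel's framing is known. Below is an added example, not from the question bank or any tool it mentions. It assumes a constructed framing in which each query carries a sequence-number label followed by a base64 label under the tunnel domain; the tunnel domain, the query names and the "sensitive file" contents are all constructed sample data, and in a real case the query names would come from the PCAP's DNS question sections.

```python
"""Reassemble data carried in DNS query names taken from a packet capture.

Added example, not from the question bank. Assumed framing: <seq>.<base64
chunk>.<tunnel domain>, with base64 padding stripped to keep labels valid.
The domain, queries and file contents below are constructed sample data.
"""
import base64
import hashlib

TUNNEL_DOMAIN = "exfil.example.net"  # constructed, not a real indicator

# Constructed query names as they would appear in the capture's DNS question
# section. Chunk 1 appears twice to mimic a retransmitted query, and an
# unrelated lookup is mixed in.
SAMPLE_QUERIES = [
    "www.example.com",
    "0.U0FMQVJZ.exfil.example.net",
    "1.IERBVEEg.exfil.example.net",
    "1.IERBVEEg.exfil.example.net",
    "2.MjAyNA.exfil.example.net",
]

# Constructed contents of the file the analyst suspects was exfiltrated.
SUSPECT_FILE = b"SALARY DATA 2024"


def reconstruct_payload(query_names, tunnel_domain):
    """Order the chunks by sequence label, drop duplicates, re-pad and decode.
    Returns the reassembled bytes (empty if no tunnel queries are present)."""
    chunks = {}
    suffix = "." + tunnel_domain.lower().rstrip(".")
    for qname in query_names:
        name = qname.rstrip(".")
        # Match the domain case-insensitively but keep the data labels as
        # sent: base64 is case-sensitive, unlike DNS names.
        if not name.lower().endswith(suffix):
            continue
        labels = name[: -len(suffix)].split(".")
        if len(labels) < 2 or not labels[0].isdigit():
            continue
        seq, data = int(labels[0]), "".join(labels[1:])
        chunks.setdefault(seq, data)  # first copy wins; retransmits are ignored
    joined = "".join(chunks[i] for i in sorted(chunks))
    padded = joined + "=" * (-len(joined) % 4)
    # altchars accepts URL-safe base64 ('-' and '_') as well as standard.
    return base64.b64decode(padded, altchars=b"-_")


def matches_file(payload, file_bytes):
    """Compare the reassembled payload with the suspect file by SHA-256."""
    return hashlib.sha256(payload).digest() == hashlib.sha256(file_bytes).digest()


if __name__ == "__main__":
    payload = reconstruct_payload(SAMPLE_QUERIES, TUNNEL_DOMAIN)
    print(payload, matches_file(payload, SUSPECT_FILE))
```

Two practical notes. Resolvers may randomize label case in transit, which is one reason many tunnels use base32 or hex rather than base64; if the captured labels look case-mangled, swap the decoder accordingly. And the comparison is only conclusive when the whole file is reconstructed; a partial capture should be compared against the corresponding byte range of the file rather than against its full hash.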

257
MCQ · hard

Based on the exhibit, which change best improves recovery resilience against a repeat ransomware incident?

A. Keep the current design and add more NAS storage capacity.
B. Move the NAS to the same subnet as the file server for faster backups.
C. Use an immutable or offline backup copy that production credentials cannot modify.
D. Shorten the backup retention period to reduce storage use.
Answer: C

The incident showed that the attacker could encrypt both production and the backup share because the backup target stayed online and writable. An immutable or offline copy breaks that dependency and prevents the same credentials from destroying recovery data. In ransomware recovery, backup survivability matters more than convenience, so this change gives the strongest resilience improvement.

Why this answer

Option C is correct because ransomware often encrypts or deletes accessible backups. An immutable or offline backup copy (e.g., using S3 Object Lock, Write Once Read Many (WORM) storage, or air-gapped tape) ensures that even if production credentials are compromised, the backup data cannot be modified or deleted by the attacker. This directly preserves a clean recovery point after a ransomware incident.

Exam trap

The trap here is that candidates often assume faster backups (Option B) or more capacity (Option A) improve resilience, but they overlook the fundamental requirement that backups must be protected from modification by the attacker, which only immutability or an air gap provides.

How to eliminate wrong answers

Option A is wrong because adding more NAS storage capacity does not protect existing backups from being encrypted or deleted by ransomware; it only increases the volume of data at risk. Option B is wrong because moving the NAS to the same subnet as the file server exposes the backup storage to the same network-based attacks and lateral movement, making it easier for ransomware to reach and corrupt the backups. Option D is wrong because shortening the backup retention period reduces the number of available recovery points, increasing the risk of data loss and potentially eliminating the last clean backup before the ransomware attack.

258
Multi-Select · medium

EDR flags encoded PowerShell launched by a spreadsheet application and an outbound HTTPS connection to a rare domain. Which two response actions are best to take from the EDR console first? Select two.

Select 2 answers
A. Isolate the endpoint from the network through the EDR platform
B. Collect a triage package or memory snapshot before remediation, if supported
C. Uninstall the spreadsheet application immediately
D. Reboot the endpoint to clear the suspicious script
E. Wait for a second alert before taking any action
Answers: A, B

Isolation limits lateral movement and command-and-control traffic while preserving the host for investigation.

Why this answer

Isolating the endpoint from the network (A) is correct because it immediately stops the outbound HTTPS connection to the rare domain, preventing potential command-and-control (C2) data exfiltration or further payload download. Collecting a triage package or memory snapshot (B) is correct because the encoded PowerShell script and suspicious process chain are volatile artifacts that may be lost on reboot or remediation, and capturing them preserves forensic evidence for analysis.

Exam trap

CompTIA often tests the misconception that rebooting or uninstalling the application is a valid first response, when in fact both destroy volatile evidence and fail to contain the active threat.

259
MCQ · medium

A monthly scan finds a critical remote-code-execution issue on an internet-facing VPN appliance. The vendor has released a fix, but the appliance can only be rebooted during the weekend maintenance window in five days. What is the BEST immediate action to lower risk until patching can occur?

A. Apply a compensating control such as restricting access to trusted source IPs and disabling nonessential remote access features
B. Wait for the weekend because the exploit is not confirmed
C. Remove logging from the appliance to improve performance during the wait
D. Run another scan every hour and do nothing else
Answer: A

A compensating control lowers exposure right away when the patch cannot be installed immediately, which is the safest short-term option.

Why this answer

Option A is correct because applying a compensating control—such as restricting access to trusted source IPs via an ACL and disabling nonessential remote access features like unused VPN protocols or administrative interfaces—immediately reduces the attack surface. This mitigates the risk of exploitation of the remote-code-execution vulnerability on the internet-facing VPN appliance until the vendor patch can be applied during the scheduled maintenance window. The key is to implement network-layer controls that block untrusted sources from reaching the vulnerable service, buying time without requiring a reboot.

Exam trap

The trap here is that candidates may think waiting for the maintenance window is acceptable because the vulnerability is unconfirmed, but the exam expects proactive risk reduction through compensating controls rather than passive delay.

How to eliminate wrong answers

Option B is wrong because waiting for the weekend assumes the exploit is not confirmed, but a critical remote-code-execution vulnerability on an internet-facing appliance is inherently high-risk; the scan finding indicates a real issue, and delaying action without compensating controls leaves the organization exposed to active exploitation. Option C is wrong because removing logging from the appliance does not lower risk; it actually reduces visibility into potential attacks and may violate compliance requirements, while doing nothing to prevent exploitation of the vulnerability. Option D is wrong because running another scan every hour and doing nothing else provides no risk reduction; scanning repeatedly does not block or mitigate the vulnerability, and it wastes resources without addressing the immediate threat.

260
MCQ · medium

A vulnerability scan finds that an old print server still has SMBv1 enabled. The business says the vendor will not support a patch for at least two months, but the server must stay online. What is the best temporary mitigation?

A. Move the server to a restricted network segment and allow SMB access only from required hosts.
B. Turn off endpoint logging to reduce performance impact until the vendor releases a patch.
C. Increase the password length requirement for all users and keep the server on the same network.
D. Schedule a weekly reboot to clear any malicious sessions and reduce the chance of exploitation.
Answer: A

This is a strong temporary control because it directly limits who can reach the vulnerable service. Reducing reachable hosts is a standard way to lower risk when remediation must be delayed.

Why this answer

Option A is correct because network segmentation is the most effective temporary mitigation when a patch is unavailable. By moving the print server to a restricted VLAN or firewall zone and applying an access control list (ACL) that permits SMB traffic only from known, required hosts, you reduce the attack surface and prevent widespread exploitation of SMBv1 vulnerabilities (e.g., EternalBlue). This approach follows the principle of least privilege and containment, buying time until the vendor releases a patch.

Exam trap

The trap here is that candidates may choose a reactive measure like rebooting or a non-technical control like password changes, failing to recognize that containment via network segmentation is the only proactive defense that directly limits the exploit's reach without requiring a patch.

How to eliminate wrong answers

Option B is wrong because turning off endpoint logging reduces visibility into potential attacks, making it harder to detect exploitation of SMBv1; it does not address the vulnerability. Option C is wrong because increasing password length does not mitigate the SMBv1 protocol-level flaws (e.g., lack of pre-authentication integrity checks, susceptibility to relay attacks); it only strengthens authentication, which is irrelevant to the unpatched service. Option D is wrong because scheduling a weekly reboot does not prevent exploitation; attackers can re-establish malicious sessions quickly after reboot, and the vulnerability remains fully exploitable between reboots.

261
MCQ · medium

A Linux host is patched, but the scanner still flags the package as vulnerable. The vendor advisory says the distribution backported the fix, so the package version did not change. What should the analyst do before closing the ticket?

A. Verify the vendor advisory and package metadata, then document evidence of the fixed build.
B. Close the ticket immediately because the patch was installed successfully.
C. Raise the severity of the finding because the scanner still reports it.
D. Disable the scanner until the next maintenance window to avoid repeated alerts.
Answer: A

A version number alone can be misleading when a vendor backports a fix without changing the upstream version. The analyst should confirm the remediation using vendor notes, package release metadata, or other authoritative evidence. That ensures the finding is truly remediated before the ticket is closed and prevents a false assumption based only on a scanner result.

Why this answer

Option A is correct because when a vendor backports a security fix to an older package version without incrementing the version number, the vulnerability scanner may still flag the package based on its version string. The analyst must verify the vendor advisory and package metadata (e.g., using `rpm -q --changelog` or `dpkg --status`) to confirm the fix is present, then document this evidence to close the ticket with proper justification.

Exam trap

The trap here is that candidates assume a patched system always has a newer package version, but CompTIA tests the understanding that backported fixes keep the same version string, requiring manual verification of the changelog or vendor advisory.

How to eliminate wrong answers

Option B is wrong because closing the ticket without verification ignores the scanner's alert and the need for evidence that the backported fix is actually installed. Option C is wrong because raising the severity is inappropriate; the package is not vulnerable, and the scanner's false positive does not warrant escalation. Option D is wrong because disabling the scanner avoids the issue rather than resolving it, and the scanner should be tuned or the finding documented as a false positive.
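The package-metadata check described above, parsing `rpm -q --changelog` output for an entry that references the CVE and turning it into ticket evidence, as an added example that is not part of the original question bank. The changelog text, the maintainer, the version-release strings and the CVE id are constructed placeholders; the one fact the check relies on is that the changelog is embedded in the installed package, so an entry naming the CVE proves the fix shipped in that build even though the upstream version string is unchanged.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `rpm -q --changelog <package>` output for an installed
# package. Every identifier here is a placeholder, not a real advisory.
SAMPLE_CHANGELOG = """\
* Tue Mar 05 2024 Package Maintainer <maint@distro.example> - 1.2.3-4.el9
- Fix CVE-0000-00000 (backport of upstream commit; version unchanged)
- Resolves: placeholder-bug-1234

* Mon Jan 15 2024 Package Maintainer <maint@distro.example> - 1.2.3-3.el9
- Rebuild for new toolchain
"""

# The scanner keeps flagging the package because this string never changed.
INSTALLED_VERSION_RELEASE = "1.2.3-4.el9"

# rpm changelog entry header: "* <weekday> <month> <day> <year> <author> - <version-release>"
_ENTRY_HEADER = re.compile(
    r"^\* (?P<date>\w{3} \w{3} \d{2} \d{4}) (?P<author>.+?) - (?P<vr>\S+)$"
)


def parse_changelog(text: str) -> List[Dict[str, object]]:
    """Split rpm changelog text into entries, newest first (rpm's own order)."""
    entries: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    for line in text.splitlines():
        m = _ENTRY_HEADER.match(line)
        if m:
            current = {"date": m["date"], "author": m["author"],
                       "version_release": m["vr"], "notes": []}
            entries.append(current)
        elif current is not None and line.strip():
            # Body lines are bullet items; strip the leading "- " marker.
            current["notes"].append(line.strip().lstrip("- ").strip())
    return entries


def find_fix_entry(entries: List[Dict[str, object]], cve_id: str) -> Optional[Dict[str, object]]:
    """Return the newest entry whose notes mention the CVE id, or None."""
    target = cve_id.upper()
    for entry in entries:
        if any(target in note.upper() for note in entry["notes"]):
            return entry
    return None


def verify_backport(changelog_text: str, installed_vr: str, cve_id: str) -> Dict[str, object]:
    """Decide whether the installed build carries the backported fix.

    Because the changelog comes from the installed package's own metadata,
    an entry referencing the CVE is evidence that this build (or an earlier
    one) includes the fix; no comparison against the upstream version is needed.
    """
    entry = find_fix_entry(parse_changelog(changelog_text), cve_id)
    if entry is None:
        return {"remediated": False, "installed": installed_vr, "evidence": None}
    evidence = (f"{cve_id} fixed in {entry['version_release']} ({entry['date']}): "
                + "; ".join(entry["notes"]))
    return {"remediated": True, "installed": installed_vr, "evidence": evidence}


if __name__ == "__main__":
    result = verify_backport(SAMPLE_CHANGELOG, INSTALLED_VERSION_RELEASE, "CVE-0000-00000")
    print(result["evidence"] if result["remediated"] else "no changelog evidence; keep the ticket open")
```

On a live host the text would come from `rpm -q --changelog <package>` (or the distribution's equivalent on Debian-based systems); a result without evidence means the finding stays open rather than being closed on the scanner's version match alone.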

262
Multi-Select · medium

After restoring a virtual file server from backup, users can open shares, but the accounting application shows the previous day's transactions are missing. Which two steps should the administrator take next? Select two.

Select 2 answers
A. Verify whether the backup included application-consistent data and transaction logs
B. Restore the missing records from the latest pre-incident application backup or log backup
C. Leave the server as is because file shares are accessible
D. Delete the current backup set to avoid restoring the wrong version again
E. Reimage the server immediately without checking the restore point
Answers: A, B

This checks whether the backup captured enough application state to recover recent transactions.

Why this answer

Option A is correct because the accounting application's missing transactions indicate the backup may not have captured application-consistent data, such as open transaction logs or database writes. Without application consistency (e.g., using Volume Shadow Copy Service or a database-aware backup agent), the restore point may reflect a crash-consistent state where recent transactions were lost. Verifying the backup type ensures the administrator understands whether the data is recoverable from transaction logs or requires a separate application-level restore.

Exam trap

The trap here is that candidates assume file share accessibility equals full data recovery, overlooking the distinction between file-level and application-consistent backups, which is a core concept in CompTIA SY0-701 Domain 3.0 (Security Operations).

263
MCQ · medium

A file server is actively renaming documents and generating ransom notes. The server hosts a shared drive used by finance, and users are still online. What is the best immediate action?

A. Shut the server down immediately to stop all activity as fast as possible.
B. Isolate the server from the network to contain the spread while preserving evidence.
C. Restore the file server from backup before checking whether the infection is still active.
D. Run a full antivirus scan and wait for the results before taking any other action.
Answer: B

Network isolation is the best immediate containment step because it limits lateral movement and reduces the chance that ransomware spreads to other systems or continues encrypting shared data. It is also less destructive than a hard shutdown, which can interfere with evidence collection. In incident response, containment should stop the impact while preserving the ability to investigate what happened.

Why this answer

Option B is correct because isolating the server from the network stops the ransomware from encrypting more files or spreading laterally, while preserving volatile evidence (e.g., running processes, memory contents) needed for forensic analysis. In a live incident, immediate disconnection (not shutdown) is the standard containment step per NIST SP 800-61 and SANS incident response guidelines, as it halts the attack without destroying data in memory or logs.

Exam trap

The trap here is that candidates confuse 'stopping the attack' with 'shutting down the system,' but CompTIA emphasizes that isolation (disconnecting the network cable or disabling the port) is the first step in containment to preserve evidence and avoid data loss.

How to eliminate wrong answers

Option A is wrong because shutting down the server destroys volatile evidence (e.g., active network connections, running ransomware processes in RAM) and may trigger the ransomware to delete or further encrypt files on shutdown, as many modern ransomware variants have persistence mechanisms that activate on system halt. Option C is wrong because restoring from backup before confirming the infection is neutralized risks re-infection if the backup itself is compromised or if the ransomware is still active on the network, and it bypasses the need for forensic preservation. Option D is wrong because running a full antivirus scan while the server is still online allows the ransomware to continue encrypting files and spreading to other systems, and signature-based scans often miss polymorphic or zero-day ransomware strains.

264
Multi-Select · medium

A SIEM alert shows a workstation making repeated outbound HTTPS connections every 15 minutes to the same cloud IP address. The host belongs to the patch-management group, and the security team suspects an approved agent may be responsible. Which two checks best validate whether this is a false positive? Select two.

Select 2 answers
A. Verify that the destination domain and IP match the vendor's documented update service.
B. Compare the running process, parent process, and digital signature to the approved agent baseline.
C. Immediately isolate the workstation from the network without reviewing any other evidence.
D. Suppress every future alert from that subnet permanently.
E. Assume the traffic is benign because it occurs at a regular interval.
Answers: A, B

Correct because matching the observed destination to an approved vendor endpoint strongly supports legitimate automated behavior. It helps confirm that the traffic pattern aligns with expected patch-agent communications.

Why this answer

Option A is correct because verifying that the destination domain and IP match the vendor's documented update service directly confirms whether the outbound HTTPS traffic is legitimate patch-management activity. This step uses threat intelligence or vendor documentation to correlate the observed destination with the expected update infrastructure, which is a standard validation technique for reducing false positives in SIEM alerts.

Exam trap

The trap here is that candidates may choose immediate isolation (C) or permanent suppression (D) as quick fixes, but the exam tests the principle of validating evidence before taking irreversible actions and the importance of maintaining visibility for future threats.

265
MCQ · medium

A security analyst at a financial firm detects an unusual spike in outbound network traffic from a database server that normally only communicates with internal web servers. The traffic is directed to numerous external IP addresses in various countries. According to established incident response procedures, what should be the analyst's immediate next step?

A. Disconnect the server from the network at the switch level.
B. Run a comprehensive antivirus scan on the server.
C. Notify the Chief Information Security Officer (CISO) of the incident.
D. Power off the server to prevent further damage.
Answer: A

Correct. Network isolation is a containment measure that stops the ongoing data exfiltration while preserving the server's state for later investigation. This aligns with the containment step in the NIST incident response framework.

Why this answer

Disconnecting the server at the switch level (e.g., shutting down the switch port or placing it in a quarantine VLAN) is the immediate containment step per incident response procedures. This stops the outbound data exfiltration without risking data loss or corruption that could occur from a hard power-off, and it preserves volatile memory evidence for forensic analysis.

Exam trap

The trap here is that candidates confuse 'immediate containment' with 'immediate notification' or 'immediate remediation,' but the SY0-701 incident response framework prioritizes stopping the active threat (containment) over escalation or scanning.

How to eliminate wrong answers

Option B is wrong because running an antivirus scan is a slower, non-immediate step that does not stop ongoing data exfiltration; the traffic spike indicates active compromise, not just a dormant infection. Option C is wrong because notifying the CISO is a notification step that should occur after containment, not as the immediate action; delaying containment allows further data loss. Option D is wrong because powering off the server destroys volatile evidence (e.g., memory-resident malware, active network connections) and can cause data corruption, whereas disconnecting at the switch level stops the traffic while preserving the system state for investigation.

266
MCQ · medium

A branch office uses a NAS for nightly backups, but the NAS is joined to the same domain as the production servers. After ransomware encrypted both production data and backups, management wants the most effective change to reduce the chance of backup tampering without a major redesign. Which control should be implemented?

A. Increase the retention period so deleted files can be recovered for longer.
B. Move backups to a larger NAS with more available storage capacity.
C. Keep one backup copy offline or immutable and outside the production domain.
D. Run backups more frequently to the same NAS so newer files are captured sooner.
Answer: C

An offline or immutable copy is the strongest practical protection against ransomware that can reach the network backup target. Separating that copy from the production domain also reduces the chance that compromised admin credentials can alter it. This improves resilience without requiring a full redesign, and it gives the organization a trusted recovery source even if online backups are encrypted or deleted.

Why this answer

Option C is correct because keeping one backup copy offline or immutable and outside the production domain ensures that even if ransomware compromises the domain, it cannot encrypt or tamper with that isolated copy. This breaks the chain of trust between the production environment and the backup storage, directly addressing the root cause of the incident.

Exam trap

The trap here is that candidates often choose more frequent backups or larger storage, thinking that having more copies or more space provides protection, when the real vulnerability is the shared domain trust that allows ransomware to access and encrypt backups.

How to eliminate wrong answers

Option A is wrong because increasing the retention period only keeps deleted files longer, but does not prevent ransomware from encrypting or deleting the backups themselves on the same domain-joined NAS. Option B is wrong because moving to a larger NAS with more storage capacity does not change the fact that the NAS is still joined to the same domain, leaving backups vulnerable to the same ransomware attack. Option D is wrong because running backups more frequently to the same NAS only creates more copies that are all equally susceptible to encryption or deletion by ransomware that has domain access.

267
MCQ · medium

A web team is moving a customer portal behind a new inspection device. They need something that can examine HTTP requests, block malicious patterns like injection attempts, and still allow normal browsing. Which control is most appropriate?

A. IDS, because it alerts on suspicious traffic without affecting application delivery.
B. WAF, because it understands web requests and can block malicious application-layer traffic.
C. DLP, because it can stop sensitive data from being posted to the portal.
D. NAC, because it verifies whether devices are allowed onto the network.
Answer: B

A web application firewall is designed to inspect HTTP and HTTPS traffic and stop common web attacks before they reach the app.

Why this answer

A WAF (Web Application Firewall) is the correct choice because it operates at Layer 7 (application layer) and is specifically designed to inspect HTTP/HTTPS traffic. It can parse web requests, identify malicious patterns such as SQL injection or XSS payloads, and block them while allowing legitimate traffic to pass through to the customer portal.

Exam trap

The trap here is that candidates often confuse an IDS with an IPS (Intrusion Prevention System) and assume an IDS can block traffic, but an IDS is passive and only generates alerts, whereas a WAF is an active, inline control that can both detect and block application-layer attacks.

How to eliminate wrong answers

Option A is wrong because an IDS (Intrusion Detection System) is a passive device that only alerts on suspicious traffic; it cannot block malicious requests inline, so it would not prevent injection attempts from reaching the portal. Option C is wrong because DLP (Data Loss Prevention) focuses on detecting and preventing unauthorized transmission of sensitive data, not on blocking web application attacks like injection attempts. Option D is wrong because NAC (Network Access Control) verifies device compliance and access rights at the network layer, but it does not inspect application-layer HTTP requests or block injection patterns.

268
MCQ · medium

After containment and eradication of malware on several laptops, the team restores the devices from known-good images and verifies that users can authenticate and access email. Which action should occur NEXT to complete the incident response lifecycle and reduce future impact?

A. Close the ticket immediately because the systems are working again
B. Perform a lessons-learned review and update playbooks, controls, or detections based on the incident
C. Reimage the laptops again even though they were already restored and tested
D. Disable all email access for the organization until the next quarterly meeting
Answer: B

A post-incident review captures what worked, what failed, and what should change so the same problem is less likely to recur.

Why this answer

Option B is correct because the incident response lifecycle includes a post-incident activity phase where the team conducts a lessons-learned review to identify gaps in security controls, update playbooks, and improve detection signatures. This step ensures that the organization reduces the likelihood and impact of similar incidents in the future, completing the lifecycle beyond just restoring operations.

Exam trap

The trap here is that candidates assume the incident response lifecycle ends once systems are restored and operational, overlooking the mandatory post-incident activity phase that ensures continuous improvement and prevents recurrence.

How to eliminate wrong answers

Option A is wrong because closing the ticket immediately after restoration skips the critical post-incident review phase, leaving vulnerabilities unaddressed and missing opportunities to improve defenses. Option C is wrong because reimaging the laptops again is redundant and wastes resources; the devices have already been restored from known-good images and verified for functionality. Option D is wrong because disabling all email access until a quarterly meeting is an extreme, unnecessary measure that disrupts business operations and does not address the root cause or improve security posture.

269
MCQ · medium

A security analyst receives an alert from the intrusion detection system indicating that a workstation in the finance department has established an outbound connection to a known malicious IP address using an encrypted protocol. The analyst verifies the alert and checks the user's activity logs, which show no legitimate business reason for the connection. According to the incident response process, what should the analyst do NEXT?

A. Begin the eradication phase by immediately reimaging the workstation.
B. Isolate the workstation from the network to contain the threat.
C. Conduct a full forensic analysis of the workstation's hard drive.
D. Update the firewall rule to block all outbound traffic to the malicious IP.
Answer: B

Isolation is a key containment step. It stops the compromised workstation from communicating with the malicious IP and prevents lateral movement within the network, limiting potential damage.

Why this answer

According to the NIST SP 800-61 incident response process, containment is the immediate priority after verification to prevent further damage or data exfiltration. Since the workstation has an active encrypted outbound connection to a known malicious IP with no legitimate business reason, isolating the network interface (e.g., disabling the port, blocking the MAC address, or unplugging the cable) stops the threat from communicating while preserving the system state for later analysis. This aligns with the containment phase, which must precede eradication or full forensic analysis.

Exam trap

Cisco often tests the order of the incident response phases (Preparation, Detection & Analysis, Containment, Eradication, Recovery, Post-Incident) and the trap here is that candidates jump to eradication or forensic analysis without first containing the active threat, which violates the fundamental priority of stopping the bleeding before cleaning up.

How to eliminate wrong answers

Option A is wrong because eradication (e.g., reimaging) should only occur after containment and a proper forensic acquisition; skipping containment risks losing volatile evidence and allows the attacker to continue lateral movement or data exfiltration. Option C is wrong because conducting a full forensic analysis before containment is premature and dangerous—the active encrypted connection could still be exfiltrating data, and the analyst must first isolate the host to stop the attack and preserve the system state for later analysis.

270
MCQ · easy

After a file server is restored from backup, users can open the share, but the business wants to be sure the recovery was successful. What should the administrator verify next?

A. Only that the restore completed without any error message.
B. That representative files open correctly and the restored data matches the required recovery point.
C. That the server has enough free disk space for future growth.
D. That the backup software icon appears green on the console.
Answer: B

This is the best answer because restore verification should confirm both data usability and recovery accuracy. A successful job status alone is not enough; the team should test sample files, confirm permissions, and ensure the data reflects the expected recovery point objective. That proves the backup can actually support operations after an outage and not just complete technically.

Why this answer

Option B is correct because verifying that representative files open correctly and match the required recovery point (RPO) confirms data integrity and completeness, not just that the restore process ran without errors. This aligns with the backup validation principle of performing a data integrity check, such as comparing file hashes or checking timestamps, to ensure the restored data is usable and meets the business's recovery objectives.

Exam trap

The trap here is that candidates assume a successful restore job status (no errors) is sufficient, but CompTIA tests the understanding that validation requires actual data verification against the recovery point, not just process completion.

How to eliminate wrong answers

Option A is wrong because a restore completing without error messages only confirms the process finished, not that the data is intact or usable; silent corruption or missing files can occur. Option C is wrong because verifying free disk space for future growth is a capacity planning task unrelated to validating the success of a specific recovery operation. Option D is wrong because a green icon on the backup software console only indicates the backup job ran, not that the restored data is correct or meets the recovery point objective.

271
MCQ · medium

An email gateway receives a macro-enabled spreadsheet from an external supplier. Signature-based scanning does not flag it, but the security team wants to observe whether it drops files, creates persistence, or contacts suspicious domains before delivery to the user. Which tool best meets this need?

A. DLP, because it prevents any document from leaving the organization.
B. Sandboxing, because it detonates the file and observes malicious behavior safely.
C. NAC, because it can block the supplier's laptop from the network.
D. A SIEM, because it can block the attachment and quarantine the message.
Answer: B

Sandboxing is designed to execute suspicious files in a controlled environment and watch what they do. That makes it ideal when signature-based tools miss a potentially malicious attachment and the team wants to see whether it drops files, modifies persistence settings, or reaches out to command-and-control infrastructure. It gives analysts behavior-based insight before the attachment reaches the end user.

Why this answer

Sandboxing is the correct choice because it detonates the file in an isolated, controlled environment to observe its runtime behavior, such as dropping files, creating persistence mechanisms, or making outbound connections to suspicious domains. Unlike signature-based scanning, sandboxing can detect unknown or zero-day malware by analyzing behavioral indicators without risking the production network.

Exam trap

CompTIA often tests the distinction between passive detection (signature-based, SIEM correlation) and active behavioral analysis (sandboxing), leading candidates to choose SIEM because they confuse log aggregation with dynamic file analysis.

How to eliminate wrong answers

Option A is wrong because DLP (Data Loss Prevention) focuses on preventing unauthorized exfiltration of sensitive data, not on analyzing file behavior for malware. Option C is wrong because NAC (Network Access Control) enforces access policies based on device compliance, not on detonating and analyzing attachments. Option D is wrong because a SIEM (Security Information and Event Management) aggregates and correlates logs for detection and alerting, but it does not actively detonate files or observe runtime behavior; it relies on data from other tools.

272
Drag & Drop · medium

Drag and drop the steps for the RADIUS authentication process into the correct order.

Why this order

RADIUS uses UDP; the NAS acts as a client to the RADIUS server, which authenticates and authorizes the user.

273
MCQ · medium

A security analyst detects repeated outbound traffic from a single workstation to an IP address listed on a public threat intelligence feed as a known command-and-control server. The user reports that the workstation is behaving slowly and that antivirus software is up to date. According to incident response best practices, what should the analyst do FIRST?

A. Disconnect the workstation from the network
B. Run a full antivirus scan on the workstation
C. Notify the user that their workstation may be compromised
D. Check the firewall logs to confirm the destination IP
Answer: A

Correct. Disconnecting the network cable or disabling the network interface immediately stops the outbound communication and contains the threat, which is the primary goal in the containment phase of incident response.

Why this answer

The correct first step is to disconnect the workstation from the network to immediately contain the threat and prevent further command-and-control (C2) communication. Since the traffic is already confirmed to a known C2 server via a public threat intelligence feed, the priority is to stop data exfiltration and potential lateral movement, not to gather more evidence or notify the user. Incident response best practices emphasize containment before eradication or notification to minimize damage.

Exam trap

The trap here is that candidates often choose to gather more evidence (Option D) or run a scan (Option B) first, forgetting that containment is the immediate priority once a live C2 connection is confirmed, per the NIST SP 800-61 incident response lifecycle.

How to eliminate wrong answers

Option B is wrong because running a full antivirus scan is a remediation step that should occur after containment; the malware may already be active and bypassing AV, so scanning first wastes time and risks continued C2 communication. Option C is wrong because notifying the user before containment could cause panic, lead to evidence tampering, or alert an insider threat; communication should follow established incident response procedures after containment. Option D is wrong because checking firewall logs to confirm the destination IP is redundant—the analyst already has confirmed the IP via a public threat intelligence feed—and delays the critical containment action.

274
MCQmedium

Following a ransomware incident, management wants proof that the organization can actually recover from its backups before declaring the backups trustworthy. What should the security team do next?

A.Check that the backup job completed successfully during the last seven days.
B.Restore a backup into an isolated test environment and validate the result.
C.Increase the backup retention period to reduce the chance of future loss.
D.Compress the backup files further so they take up less storage.
AnswerB

An isolated restore test proves the backup can be recovered and helps verify that data and services meet recovery expectations.

Why this answer

Option B is correct because the only way to prove that backups are trustworthy after a ransomware incident is to perform a full restoration into an isolated test environment and validate the integrity, completeness, and functionality of the recovered data. Simply checking that backup jobs completed successfully (Option A) does not verify that the backup data is uncorrupted, free from ransomware, or restorable in a real scenario. A controlled restore test provides tangible evidence that the recovery process works and the data is usable, which is the core requirement of management’s request for proof of recoverability.

Exam trap

The trap here is that candidates often confuse backup completion success with backup recoverability, assuming that a successful backup job log is sufficient proof, when in reality only a full restore test in an isolated environment can validate that the data is usable and free from corruption or ransomware payloads.

How to eliminate wrong answers

Option A is wrong because verifying that a backup job completed successfully only confirms that the backup process ran without errors; it does not validate that the backup data is intact, free from encryption by ransomware, or restorable to a usable state. Option C is wrong because increasing the backup retention period only retains more historical copies of data, but does not test or prove that any of those backups can actually be recovered successfully. Option D is wrong because compressing backup files further reduces storage usage but does not test the recoverability of the data; in fact, excessive compression could introduce corruption or increase restore time without providing any validation of backup trustworthiness.

275
MCQeasy

A SIEM alert shows 120 failed logins for one user account from three different countries within 10 minutes, followed by a successful login. What should the analyst do first?

A.Close the alert because the login eventually succeeded.
B.Verify the activity with related logs and check whether the account owner confirms the login.
C.Immediately delete the account to stop further access.
D.Reimage the user's laptop before collecting any information.
AnswerB

The first step is to validate the alert by correlating related logs and confirming whether the activity is expected.

Why this answer

Option B is correct because the analyst must first validate the alert by correlating the SIEM data with additional logs (e.g., authentication logs, firewall logs) and contacting the account owner to confirm whether the successful login was legitimate. This follows the incident response process of verification before action, preventing unnecessary disruption if the activity is benign (e.g., the user traveling with VPN).

Exam trap

The trap here is that candidates assume a successful login after failures means the attack succeeded and jump to containment (Option C or D), but the SY0-701 exam emphasizes that verification with the user and additional logs is the mandatory first step in the incident response process.

How to eliminate wrong answers

Option A is wrong because a successful login after multiple failed attempts is a classic sign of a brute-force or credential-stuffing attack; closing the alert ignores the potential compromise. Option C is wrong because immediately deleting the account destroys evidence and may lock out a legitimate user without investigation, violating the principle of least disruption. Option D is wrong because reimaging the laptop is a drastic containment step that should only occur after confirming compromise and preserving forensic evidence; it also assumes the attack vector is local, which may not be the case (e.g., remote credential abuse).
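As an added example (not part of the original question bank), the following Python shows the detection logic behind an alert like the one in this question, run over constructed sign-in events, followed by the first correlation step the explanation calls for: comparing the successful login against the account's recent authentication history before anyone touches the account. The event field names, the 50-failure threshold and the 30-day lookback are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def make_sample_events():
    """Constructed sample events (not real logs), shaped like a SIEM's normalised
    view of an identity provider's authentication log."""
    base = datetime(2024, 5, 1, 2, 0, 0)
    events = []
    # Baseline: alice signs in successfully from the US on each of the prior seven days.
    for day in range(1, 8):
        events.append({"ts": base - timedelta(days=day), "user": "alice",
                       "country": "US", "result": "SUCCESS"})
    # 120 failures from three countries inside eight minutes, then a success.
    for i in range(120):
        events.append({"ts": base + timedelta(seconds=4 * i), "user": "alice",
                       "country": ("US", "BR", "RU")[i % 3], "result": "FAIL"})
    events.append({"ts": base + timedelta(minutes=9), "user": "alice",
                   "country": "RU", "result": "SUCCESS"})
    # Benign: bob mistypes his password twice from his usual country, then succeeds.
    for i, result in enumerate(("FAIL", "FAIL", "SUCCESS")):
        events.append({"ts": base + timedelta(minutes=i), "user": "bob",
                       "country": "DE", "result": result})
    return events


def detect_failures_then_success(events, window=timedelta(minutes=10),
                                 min_failures=50, min_countries=2):
    """Alert on each successful login that was preceded, within `window`, by at
    least `min_failures` failed attempts for the same account coming from at
    least `min_countries` distinct countries (thresholds are assumptions)."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["result"] != "SUCCESS":
                continue
            recent_fail = [f for f in evs[:i]
                           if f["result"] == "FAIL" and e["ts"] - f["ts"] <= window]
            countries = {f["country"] for f in recent_fail}
            if len(recent_fail) >= min_failures and len(countries) >= min_countries:
                alerts.append({"user": user, "ts": e["ts"], "failures": len(recent_fail),
                               "failure_countries": sorted(countries),
                               "success_country": e["country"]})
    return alerts


def triage_context(alert, events, lookback=timedelta(days=30)):
    """First validation step: correlate the alert with the account's own recent
    successful sign-ins, so the analyst knows whether the success country is
    new for this user before contacting the account owner."""
    history = [e for e in events
               if e["user"] == alert["user"] and e["result"] == "SUCCESS"
               and alert["ts"] - lookback <= e["ts"] < alert["ts"]]
    usual = sorted({e["country"] for e in history})
    return {"user": alert["user"], "usual_countries": usual,
            "success_country": alert["success_country"],
            "success_country_is_new": alert["success_country"] not in usual}


if __name__ == "__main__":
    sample = make_sample_events()
    for alert in detect_failures_then_success(sample):
        print(alert)
        print(triage_context(alert, sample))
```

Bob's two typos never reach the threshold, so only alice's account produces an alert; the triage context then shows that her prior month of successes all came from one country, which is exactly the kind of fact to put in front of the user or manager when confirming the login.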

276
MCQeasy

A security scan finds a critical patch missing on a public-facing web server. The patch has already been tested in the lab and approved for deployment. What should the operations team do next?

A.Ignore the finding because the server is already protected by a firewall
B.Deploy the patch through the normal change process as soon as possible
C.Mark the vulnerability as accepted risk without notifying the business
D.Remove the web server from the asset inventory to prevent the scanner from finding it
AnswerB

A tested and approved patch should be moved into production quickly through the standard change process to reduce exposure.

Why this answer

Option B is correct because the patch has already been tested and approved, meaning it is ready for deployment. The operations team should follow the normal change management process to deploy the patch as soon as possible, ensuring the public-facing web server is secured against the critical vulnerability without bypassing organizational controls.

Exam trap

The trap here is that candidates assume a firewall or risk acceptance can substitute for patching a known vulnerability, but the exam emphasizes that compensating controls (like firewalls) do not eliminate the need for patch management, and risk acceptance requires formal business notification and approval.

How to eliminate wrong answers

Option A is wrong because a firewall does not patch application-layer vulnerabilities; it only filters traffic at the network and transport layers, leaving the web server's software flaw exploitable if an attacker reaches the service. Option C is wrong because marking a critical vulnerability as an accepted risk without notifying the business bypasses the formal risk acceptance process, which requires documented approval from management and a clear understanding of the business impact.

277
Multi-Selectmedium

A SOC analyst confirms that a user entered corporate credentials into a fake sign-in page. Mailbox logs now show a new forwarding rule sending messages to an external address, and the attacker may still have an active session. Which two actions should the analyst take first to contain the account compromise? Select two.

Select 2 answers
A.Reset the user's password and require a fresh authentication challenge.
B.Revoke active sessions and invalidate existing refresh tokens.
C.Delete the mailbox and create a new user account.
D.Disable all external email delivery for the entire organization.
E.Wait for the user to confirm whether the message was legitimate before acting.
AnswersA, B

Correct because changing the password removes the attacker’s known credential value and helps break direct password reuse. Requiring a fresh authentication challenge also helps ensure the next login is tied to the legitimate user rather than a stolen session.

Why this answer

Resetting the user's password (Option A) immediately invalidates the credentials the attacker phished, preventing further authentication with those stolen credentials. This is a foundational first step in account containment per NIST SP 800-61 incident response guidelines.

Exam trap

Cisco often tests the misconception that a password reset alone is sufficient to terminate an attacker's access, but the trap here is that session tokens and refresh tokens can remain valid, so both password reset AND session/refresh token revocation are required for complete containment.

278
MCQmedium

An employee reports a ransomware note on a finance laptop. The laptop is still powered on, connected to Wi-Fi, and the user says they were just working in a spreadsheet. Management wants the fastest safe response that also preserves evidence. What should the responder do first?

A.Shut the laptop down immediately to prevent further encryption activity.
B.Isolate the laptop from the network while keeping it powered on for volatile evidence collection.
C.Ask the user to close all open applications and log off normally.
D.Start deleting suspicious files to reduce the impact of the ransomware.
AnswerB

The best first action is to contain the threat without destroying live evidence. Disconnecting network access limits further spread or command-and-control activity, while keeping the system powered on preserves memory, running processes, and other volatile artifacts that may be critical to the investigation. This balances containment with evidence preservation, which is exactly what responders need at the start of an incident.

Why this answer

Option B is correct because the immediate priority is to contain the ransomware while preserving volatile evidence (e.g., memory contents, running processes, network connections) that could be critical for forensic analysis. Powering off the laptop (Option A) would destroy volatile data and may allow the ransomware to persist or trigger additional encryption on reboot. Isolating the network connection stops the ransomware from communicating with its command-and-control server or spreading laterally, while keeping the system powered on allows a responder to capture memory with tools like FTK Imager or LiME before performing a controlled shutdown.

Exam trap

Cisco often tests the misconception that shutting down a compromised system is the safest immediate action, but the trap here is that volatile evidence is lost and the ransomware may have anti-forensic shutdown triggers, making network isolation the correct first step.

How to eliminate wrong answers

Option A is wrong because immediately shutting down the laptop destroys volatile evidence (RAM, running processes, network connections) that could reveal the ransomware variant, encryption keys, or attacker infrastructure; it may also trigger a destructive payload on shutdown. Option C is wrong because asking the user to close applications and log off normally could trigger additional encryption, overwrite evidence in memory, or allow the ransomware to complete its encryption cycle; logging off may also terminate critical forensic artifacts like open network connections or process handles.

279
MCQmedium

A critical vulnerability is discovered on an internet-facing VPN appliance that cannot be patched for six weeks because the vendor has not released a fix. The VPN service must remain available. What is the best operational response?

A.Leave the appliance unchanged until the vendor releases a patch.
B.Apply compensating controls such as restricting source IPs and increasing monitoring.
C.Disable all logging so the appliance performs better under load.
D.Replace the VPN with a less secure remote access method to avoid the vulnerability.
AnswerB

When a patch is unavailable, risk should be reduced through compensating controls. Limiting who can reach the VPN and closely monitoring access attempts lowers exposure while maintaining service availability until remediation is possible.

Why this answer

Option B is correct because when a vulnerability cannot be patched immediately, compensating controls such as restricting source IPs via ACLs and increasing monitoring (e.g., enabling detailed logging and alerting on anomalous traffic) reduce the attack surface and improve detection of exploitation attempts. This approach maintains service availability while mitigating risk until the vendor releases a fix.

Exam trap

The trap here is that candidates may think leaving the appliance unchanged (Option A) is acceptable if no patch exists, but the exam expects proactive risk reduction through compensating controls rather than passive acceptance of the vulnerability.

How to eliminate wrong answers

Option A is wrong because leaving the appliance unchanged without any mitigation leaves the organization fully exposed to exploitation of the known vulnerability, which is unacceptable for a critical internet-facing device. Option C is wrong because disabling logging reduces visibility into potential attacks, making it harder to detect and respond to exploitation, and does not address the vulnerability itself. Option D is wrong because replacing the VPN with a less secure remote access method introduces new risks and likely violates security policies, whereas the goal is to maintain security while keeping the service available.

280
MCQmedium

A systems administrator says the backup software reports success every night, but no one has restored a server from backup in over a year. The business wants confidence that a file server can be recovered within the agreed recovery window. What is the best next action?

A.Trust the success status because completed jobs prove the backups are usable.
B.Perform a scheduled restore test in an isolated environment and measure the recovery time.
C.Delete older backups so that only the most recent set remains.
D.Extend retention indefinitely to avoid ever losing a recoverable copy.
AnswerB

Restore testing validates backup integrity and confirms the organization can meet recovery expectations.

Why this answer

Option B is correct because the only way to validate that backups are both restorable and meet the recovery time objective (RTO) is to perform a scheduled restore test in an isolated environment. Backup success logs only confirm that data was copied, not that the data is intact or that the restoration process completes within the agreed window. This aligns with the 3-2-1 backup rule and the principle of 'trust but verify' in backup validation.

Exam trap

The trap here is that candidates assume backup success logs are sufficient proof of recoverability, but CompTIA emphasizes that only a documented restore test can verify the backup's usability and adherence to the RTO.

How to eliminate wrong answers

Option A is wrong because backup success status only indicates that the backup job completed without errors, not that the backup data is restorable or that the recovery process will meet the RTO; data corruption, missing files, or incomplete snapshots can still occur. Option C is wrong because deleting older backups reduces the number of recovery points and increases the risk of data loss, especially if the most recent backup is corrupted or fails to restore. Option D is wrong because extending retention indefinitely does not address the core issue of verifying recoverability and can lead to storage bloat, increased costs, and compliance violations without proving that a restore is possible within the RTO.
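Questions 274 and 280 both turn on the difference between a backup job reporting success and a restore actually being usable within the agreed window. As an added example (not part of the original question bank), this Python sketches what an isolated restore test checks: every file in the backup manifest is present, each one hashes to the value recorded at backup time, and the restore finished inside the RTO. The manifest format, directory names and the four-hour RTO are assumptions; the scenario is built in a temporary directory so it runs offline.

```python
import hashlib
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source_dir: Path) -> dict:
    """Relative path -> SHA-256 for every file in the protected data set,
    recorded at backup time so a later restore can be checked against it."""
    return {p.relative_to(source_dir).as_posix(): sha256_file(p)
            for p in sorted(source_dir.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored_dir: Path, elapsed_s: float, rto_s: float) -> dict:
    """Check completeness (every file present), integrity (hash matches the
    manifest) and the recovery window (elapsed time within the RTO)."""
    missing, corrupted = [], []
    for rel, expected in manifest.items():
        p = restored_dir / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != expected:
            corrupted.append(rel)
    within_rto = elapsed_s <= rto_s
    return {"files_expected": len(manifest), "missing": missing, "corrupted": corrupted,
            "elapsed_s": round(elapsed_s, 3), "within_rto": within_rto,
            "passed": not missing and not corrupted and within_rto}


def run_demo(rto_s: float = 4 * 3600) -> dict:
    """Constructed scenario (assumed data, not from the page): three files are
    backed up; the simulated restore returns one intact, one silently altered
    and one missing, so the test must fail even though it finished in time."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "fileserver"
        restored = Path(tmp) / "restore_test"
        originals = {"payroll/q1.csv": b"emp,amount\n1,5000\n",
                     "docs/policy.txt": b"Backups are tested quarterly.\n",
                     "docs/readme.txt": b"Shared drive readme.\n"}
        for rel, data in originals.items():
            p = source / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        manifest = build_manifest(source)

        start = time.monotonic()
        # Simulated restore into the isolated environment.
        (restored / "payroll").mkdir(parents=True)
        (restored / "payroll/q1.csv").write_bytes(originals["payroll/q1.csv"])
        (restored / "docs").mkdir(parents=True)
        (restored / "docs/policy.txt").write_bytes(b"Backups are tested yearly.\n")  # altered
        # docs/readme.txt is deliberately never written: a missing file.
        elapsed = time.monotonic() - start
        return verify_restore(manifest, restored, elapsed, rto_s)


if __name__ == "__main__":
    print(run_demo())
```

A job log would have called this restore a success; the manifest comparison is what exposes the altered and missing files, and recording `elapsed_s` against the RTO turns "we restored it once" into evidence that the recovery window is achievable.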

281
MCQeasy

A user reports that their laptop is suddenly encrypting files and showing a ransom note. What should the incident response team do first?

A.Immediately restore the laptop from backup before collecting any information.
B.Isolate the laptop from the network to limit spread and preserve evidence.
C.Return the laptop to the user and monitor for additional alerts.
D.Apply all pending software updates to the laptop while it remains online.
AnswerB

Containment comes first to stop further damage while keeping the system available for analysis.

Why this answer

When a laptop suddenly encrypts files and displays a ransom note, it indicates an active ransomware infection. The incident response team's first priority is to isolate the laptop from the network to prevent the ransomware from spreading laterally to other systems and to preserve volatile evidence (e.g., memory contents, running processes) that could be lost if the system is powered off or reconnected. This aligns with the NIST SP 800-61 incident response guidelines, which emphasize containment before eradication or recovery.

Exam trap

The trap here is that candidates may confuse incident response phases and choose a recovery action (like restoring from backup) before containment, or they may mistakenly think applying updates is a valid response to an active infection, when in fact isolation is the mandatory first step per the NIST framework.

How to eliminate wrong answers

Option A is wrong because immediately restoring from backup without first isolating the system could allow the ransomware to re-encrypt the restored files if the infection is still active, and it destroys volatile evidence needed for forensic analysis. Option C is wrong because returning the laptop to the user and monitoring for additional alerts would allow the ransomware to continue encrypting files and potentially spread to other network resources, violating the containment principle. Option D is wrong because applying pending software updates while the laptop remains online does not stop the active encryption process and could trigger additional malicious activity; updates are a preventive measure, not an incident response containment step.

282
MCQeasy

EDR shows encoded PowerShell launched by a word processor and an outbound connection to a rare domain. What is the best immediate containment action?

A.Isolate the endpoint from the network using the EDR console.
B.Uninstall the word processor from every workstation.
C.Wait to see whether more alerts appear before responding.
D.Send a notice to all users reminding them not to open attachments.
AnswerA

Network isolation through EDR quickly limits attacker access and prevents further command-and-control communication. It also preserves the host for investigation while stopping spread to other systems. This is a standard first containment step when behavior strongly suggests active compromise.

Why this answer

Isolating the endpoint from the network using the EDR console is the best immediate containment action because it stops the outbound connection to the rare domain, preventing potential command-and-control (C2) communication or data exfiltration. The encoded PowerShell launched by a word processor strongly suggests a malicious macro or exploit, and isolating the host contains the threat without disrupting the entire network. This aligns with the incident response priority of containment before eradication or recovery.

Exam trap

The trap here is that candidates may choose a broad administrative action (like uninstalling software or sending user notices) instead of the precise, immediate technical containment step that stops the active threat at the network level.

How to eliminate wrong answers

Option B is wrong because uninstalling the word processor from every workstation is a broad, disruptive action that does not address the immediate threat on the affected host and may remove legitimate software needed for business operations. Option C is wrong because waiting for more alerts allows the potential C2 channel to remain active, increasing the risk of lateral movement or data theft. Option D is wrong because sending a user notice is a preventive or awareness measure, not an immediate containment action, and it does not stop the active malicious process or network connection.

283
MCQmedium

The web team is placing a public customer portal behind a control that can inspect HTTP requests, block malicious payloads such as SQL injection and cross-site scripting, and still allow legitimate application traffic without rewriting the app. Which control should they deploy?

A.An IDS placed on the same network segment as the web server.
B.A DLP appliance between users and the portal.
C.A WAF in front of the application.
D.A NAC solution on the switch ports feeding the portal.
AnswerC

A web application firewall is built to inspect HTTP and HTTPS traffic at the application layer and block common web attacks such as SQL injection and XSS. It can protect a public portal without requiring code changes, making it a practical compensating control while the application team improves secure coding. This is the best fit when the goal is to stop malicious web payloads before they reach the app.

Why this answer

A Web Application Firewall (WAF) is specifically designed to inspect HTTP/HTTPS traffic at the application layer (Layer 7), filtering out malicious payloads like SQL injection and cross-site scripting (XSS) while allowing legitimate requests to pass through. Unlike an IDS, a WAF operates inline and can actively block threats without requiring modifications to the application code, making it the ideal choice for protecting a public-facing web portal.

Exam trap

The trap here is that candidates often confuse an IDS (which only detects) with a WAF (which actively blocks), or they mistakenly think a DLP appliance can filter web application attacks, when in fact DLP focuses on data in motion or at rest, not on application-layer payload inspection.

How to eliminate wrong answers

Option A is wrong because an IDS (Intrusion Detection System) is a passive monitoring device that only alerts on suspicious traffic; it cannot block malicious payloads inline or prevent attacks without additional manual intervention. Option B is wrong because a DLP (Data Loss Prevention) appliance is designed to prevent unauthorized exfiltration of sensitive data, not to inspect and filter HTTP requests for SQL injection or XSS payloads. Option D is wrong because a NAC (Network Access Control) solution controls device access to the network at the switch port level based on compliance policies, but it does not inspect application-layer traffic or block web-based attacks.

284
MCQmedium

Based on the exhibit, what should the team do next after the account has been contained?

A.Close the incident because the password reset removed the attacker from the environment.
B.Remove mailbox persistence, revoke all tokens and app consent, then monitor for reentry.
C.Reimage the user's laptop before reviewing mailbox settings.
D.Restore the mailbox from backup to remove the forwarding rule and keep the user productive.
AnswerB

The exhibit shows post-compromise persistence through a forwarding rule and unauthorized OAuth consent. After containment, the team must eradicate those artifacts, revoke any remaining tokens or sessions, and verify that no attacker-controlled application retains access. That sequence moves the response from containment into eradication and prepares the account for safe recovery and monitoring.

Why this answer

Option B is correct because after containing a compromised account (e.g., disabling it or resetting its password), the attacker may still have established persistence mechanisms such as mailbox forwarding rules, OAuth app consent grants, or session tokens that survive a password reset. Removing these artifacts and revoking all tokens and app consents ensures the attacker cannot regain access via delegated permissions or persistent mailbox rules. Monitoring for reentry is critical to detect any residual access or new compromise attempts.

Exam trap

The trap here is that candidates assume a password reset fully evicts an attacker, overlooking that OAuth tokens and mailbox rules provide persistent access independent of the account password.

How to eliminate wrong answers

Option A is wrong because a password reset alone does not remove attacker-created mailbox forwarding rules, OAuth app grants, or session tokens; the attacker could still access the mailbox via delegated permissions or persistent rules. Option C is wrong because reimaging the user's laptop addresses local device compromise but does not remediate cloud-based persistence like mailbox forwarding rules or app consents that exist in the tenant. Option D is wrong because restoring the mailbox from backup removes the forwarding rule but does not revoke OAuth tokens or app consents, and it may reintroduce the same rule if the backup contains the malicious configuration; it also fails to address other persistence vectors.

285
MCQmedium

A security analyst receives an alert that a user clicked a link in a phishing email and entered their corporate credentials on a fake login page. Which of the following should the analyst do FIRST to minimize further damage?

A.Run a full antivirus scan on the user's workstation
B.Reset the user's password and force re-authentication
C.Disable the user's account and block the compromised system from the network
D.Contact law enforcement and report the phishing site
AnswerC

This is the correct first step. Disabling the account and isolating the system immediately prevents the attacker from using the stolen credentials to access resources, move laterally, or exfiltrate data.

Why this answer

Option C is correct because immediately disabling the user's account and blocking the compromised system from the network stops the attacker from using the stolen credentials to authenticate to corporate resources, such as email, VPN, or file shares. This containment step is the highest priority in incident response to prevent lateral movement and further compromise, as the attacker already has valid credentials and could be actively using them.

Exam trap

The trap here is that candidates often choose to reset the password first (Option B) because it seems like a direct fix, but they fail to recognize that the compromised system itself may be under attacker control, and without network isolation, the attacker could still pivot or use other stolen credentials.

How to eliminate wrong answers

Option A is wrong because running a full antivirus scan is a remediation step that should occur after containment; the immediate threat is credential theft, not necessarily malware, and scanning does not prevent the attacker from using the stolen credentials right now. Option B is wrong because resetting the user's password and forcing re-authentication only addresses the compromised account but does not isolate the system from the network; the attacker may have already established persistence or be using other compromised accounts, and the system itself could be under attacker control, so blocking it is necessary to prevent further damage.

286
Multi-Selectmedium

A new SIEM rule generates hundreds of alerts from a scheduled backup job that is known to be legitimate. Which two tuning changes are the best ways to reduce noise without losing visibility into real abuse? Select two.

Select 2 answers
A.Add a targeted exception for the known backup account, host, or signed process.
B.Keep the rule but alert only when the job runs outside its expected window or from an unexpected system.
C.Disable the SIEM rule entirely because backup jobs are normal.
D.Mark every backup-related alert as harmless without review.
E.Stop logging backup systems so they no longer create noise.
AnswersA, B

A targeted exception reduces repetitive false positives while still allowing the rule to catch unexpected activity. Limiting the exception to the specific backup account, host, or signed process keeps the control narrow and prevents broader blind spots. This is a common and appropriate tuning approach when a known-benign task is repeatedly triggering an alert.

Why this answer

Option A is correct because adding a targeted exception for the known backup account, host, or signed process allows the SIEM to suppress alerts for legitimate backup activity while still monitoring for anomalies. This reduces noise without disabling detection for potential abuse, such as an attacker using a compromised backup account or executing unauthorized backup processes.

Exam trap

The trap here is that candidates may think disabling the rule or ignoring alerts is acceptable for known-good activity, but the exam emphasizes tuning to reduce noise while preserving detection of anomalous behavior, not eliminating visibility entirely.
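As an added example (not part of the original question bank), the following Python puts the two correct tuning choices side by side with the rule they replace: the untuned rule fires on every execution of the backup agent, while the tuned rule keeps a targeted exception for the known account, host and signed binary (Option A) and still alerts when the job runs outside its window or from an unexpected system (Option B). The account, host and process names, the 02:00 to 03:30 window, and the sample events are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class ProcessEvent:
    ts: datetime
    user: str
    host: str
    process: str
    signed: bool  # whether the binary carries a valid, trusted code signature


# Assumed facts about the legitimate scheduled job (placeholders, not from the page).
KNOWN_BACKUP = {"user": "svc_backup", "host": "bkp01", "process": "backupagent.exe"}
EXPECTED_WINDOW = (time(2, 0), time(3, 30))  # nightly job runs 02:00 to 03:30


def untuned_rule(e: ProcessEvent) -> bool:
    """The noisy original: fires on every execution of the backup agent."""
    return e.process == KNOWN_BACKUP["process"]


def tuned_rule(e: ProcessEvent) -> list:
    """Same trigger, but the known-good job is excepted. Returns the list of
    reasons an event still deserves an alert; an empty list means no alert."""
    if not untuned_rule(e):
        return []
    reasons = []
    if e.user != KNOWN_BACKUP["user"]:
        reasons.append("unexpected account")
    if e.host != KNOWN_BACKUP["host"]:
        reasons.append("unexpected system")
    if not e.signed:
        reasons.append("unsigned binary")
    start, end = EXPECTED_WINDOW
    if not (start <= e.ts.time() <= end):
        reasons.append("outside expected window")
    return reasons


def evaluate(events) -> dict:
    """Count alerts from both rules so the noise reduction is measurable."""
    untuned = sum(1 for e in events if untuned_rule(e))
    tuned = []
    for e in events:
        reasons = tuned_rule(e)
        if reasons:
            tuned.append((e, reasons))
    return {"untuned_alerts": untuned, "tuned_alerts": tuned}


def make_sample_events():
    """Constructed events: five legitimate nightly runs plus three deviations
    and one unrelated process."""
    events = []
    for day in range(1, 6):
        events.append(ProcessEvent(datetime(2024, 5, day, 2, 5), "svc_backup",
                                   "bkp01", "backupagent.exe", True))
    # Same account and host, but mid-afternoon: not the scheduled job.
    events.append(ProcessEvent(datetime(2024, 5, 6, 14, 35), "svc_backup",
                               "bkp01", "backupagent.exe", True))
    # Backup agent launched from a user workstation during the window.
    events.append(ProcessEvent(datetime(2024, 5, 6, 2, 10), "svc_backup",
                               "ws-17", "backupagent.exe", True))
    # Right account, host and time, but the binary is not signed.
    events.append(ProcessEvent(datetime(2024, 5, 7, 2, 5), "svc_backup",
                               "bkp01", "backupagent.exe", False))
    # Unrelated process: neither rule fires.
    events.append(ProcessEvent(datetime(2024, 5, 7, 9, 0), "alice",
                               "ws-03", "excel.exe", True))
    return events


if __name__ == "__main__":
    result = evaluate(make_sample_events())
    print("untuned alerts:", result["untuned_alerts"])
    for event, reasons in result["tuned_alerts"]:
        print(event.ts, event.user, event.host, reasons)
```

The exception is narrow on purpose: every condition (account, host, signature, time window) must hold for an event to be suppressed, so a compromised service account used from a workstation, or a renamed unsigned binary, still surfaces while the five routine runs go quiet.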

287
MCQmedium

A Linux web server was compromised through an outdated package. The team isolated the host, captured evidence, removed a malicious cron job, patched the vulnerable package, and confirmed no persistence remains. Which incident response phase are they primarily in now?

A.Identification, because the team is still confirming that the event happened.
B.Containment, because the host was isolated from the network.
C.Eradication, because malicious artifacts and the underlying weakness are being removed.
D.Lessons learned, because the server has already been secured.
AnswerC

Eradication focuses on removing malware, persistence, and the cause of compromise so the attacker cannot easily return.

Why this answer

The team has already identified the compromise, isolated the host, and removed the malicious cron job. Patching the vulnerable package addresses the root cause, which is the core of the Eradication phase. Confirming no persistence remains verifies that the eradication was successful, making this the current phase.

Exam trap

The trap here is that candidates confuse the isolation step (Containment) with the overall phase, but the question emphasizes the removal of the malicious cron job and patching, which are definitive Eradication actions.

How to eliminate wrong answers

Option A is wrong because Identification is the initial phase where the incident is discovered and confirmed; here, the team has already moved past that to active remediation. Option B is wrong because Containment focuses on limiting damage (e.g., network isolation), which was already performed; the team is now addressing the root cause and removing artifacts. Option D is wrong because Lessons Learned occurs after recovery is complete and involves post-incident review and documentation, not active patching and artifact removal.

288
MCQeasy

After a phishing incident, the security team wants to preserve evidence for later review. Which action is most appropriate?

A.Have the user delete the phishing email to avoid further exposure
B.Capture and save the email headers and message content
C.Forward the email to every employee as a warning
D.Change the user's office seat assignment immediately
AnswerB

Headers and message content help investigators trace delivery paths and identify indicators of compromise.

Why this answer

Option B is correct because preserving the email headers and message content is essential for forensic analysis. Email headers contain routing information, including the originating IP address, authentication results (SPF, DKIM, DMARC), and timestamps, which are critical for tracing the source of the phishing attack and understanding the attack vector. Deleting or forwarding the email would destroy this evidence, compromising the investigation.

Exam trap

The trap here is that candidates may think deleting or forwarding the email is a quick fix to prevent further harm, but the exam emphasizes that evidence preservation (via capture of headers and content) is the first priority in incident response, not containment or notification.

How to eliminate wrong answers

Option A is wrong because deleting the phishing email destroys the evidence needed for forensic analysis, including headers and metadata that could identify the attacker's infrastructure. Option C is wrong because forwarding the email to all employees increases the risk of further compromise, may violate data protection policies, and alters the original message headers, potentially invalidating the evidence. Option D is wrong because changing the user's office seat assignment has no relevance to preserving digital evidence; it is a physical security measure unrelated to incident response or evidence handling.

289
MCQ · easy

A SIEM alert shows a payroll administrator account signed in at 02:10 from a country the employee has never visited. The employee says they are on vacation at home and did not travel. What should the analyst do first?

A. Immediately disable the account and wait for the employee to return.
B. Verify the login context with the user or manager and review recent authentication history.
C. Close the alert as a false positive because the user is on vacation.
D. Reimage the user’s workstation before checking any logs.
Answer: B

This is the best first step because alert triage should confirm whether the activity is truly suspicious before disruptive action is taken. Reviewing the user’s normal login patterns, recent sign-in history, and whether a VPN or travel exception exists helps distinguish a real compromise from an unusual but legitimate event. Good triage reduces unnecessary outages and focuses response effort appropriately.

Why this answer

Option B is correct because the first step in incident response is to verify the alert's validity and gather context before taking action. The analyst should review the SIEM logs for authentication details (e.g., source IP, geolocation, timestamp) and confirm with the user or manager whether the login was expected. This aligns with the NIST SP 800-61 incident response process, which emphasizes triage and validation before containment.

Exam trap

The trap here is that candidates may jump to containment (disabling the account) or dismissal (false positive) without performing the critical triage step of verifying the login context, which the exam emphasizes as the first action in the incident response process.

How to eliminate wrong answers

Option A is wrong because immediately disabling the account without verification could lock out a legitimate user and disrupt operations, violating the principle of least disruption during initial triage. Option C is wrong because closing the alert as a false positive without investigation ignores the possibility of credential theft or a compromised session, which is a common attack vector. Option D is wrong because reimaging the workstation is a drastic containment step that should only occur after confirming a compromise; it bypasses necessary log analysis and could destroy forensic evidence.

290
Multi-Select · medium

Management wants to ensure a file server backed up every night can actually be restored within a 4-hour recovery time objective after an incident. Which two actions best improve recovery confidence? Select two.

Select 2 answers
A. Perform scheduled restore tests to an isolated environment.
B. Keep at least one backup copy offline or immutable.
C. Increase retention to keep backups for two years without changing restore testing.
D. Move the backup repository onto the same always-mounted file share as production data.
E. Reduce the number of user permissions on the file server without changing backup design.
Answers: A, B

Correct because restore testing proves the backups are usable and helps measure actual recovery time. A backup that has never been restored cannot be assumed to meet the recovery objective.

Why this answer

Option A is correct because performing scheduled restore tests to an isolated environment validates that the backup data is both readable and usable without risking corruption of the production environment. This directly confirms the ability to meet the 4-hour RTO by measuring actual restore times and identifying any issues with the backup process or media before a real incident occurs.

Exam trap

The trap here is that candidates often confuse backup retention (how long backups are kept) with backup recoverability, assuming that longer retention inherently improves recovery confidence, when in fact only periodic restore testing proves that backups are viable and can meet the RTO.

291
MCQ · medium

A SIEM reviews VPN authentication logs and sees 36 different usernames each receive one failed login attempt from the same source IP over 20 minutes, followed by one successful login to an unrelated account. Which attack is most likely?

A. Password spraying against many accounts with a low number of attempts per account.
B. A brute-force attack focused on a single locked account.
C. A replay attack using captured authentication data.
D. A port scan that accidentally triggered authentication failures.
Answer: A

This pattern matches low-and-slow password spraying, where one or a few common passwords are tried against many accounts to avoid lockouts.

Why this answer

The SIEM observed 36 different usernames each receiving one failed login attempt from the same source IP over 20 minutes, followed by one successful login to an unrelated account. This pattern is characteristic of a password spraying attack, where an attacker tries a small number of common passwords against many accounts to avoid account lockout thresholds, and then uses a successful credential to pivot to another account. The low number of attempts per account (one each) and the wide spread of usernames distinguish it from brute-force or targeted attacks.

Exam trap

The trap here is that candidates often confuse password spraying with brute-force attacks, but the key differentiator is the distribution of attempts across many accounts versus many attempts on a single account.

How to eliminate wrong answers

Option B is wrong because a brute-force attack focused on a single locked account would show many failed attempts against that one username, not one attempt each across 36 different usernames. Option C is wrong because a replay attack would involve capturing and reusing valid authentication data (e.g., a Kerberos ticket or NTLM hash), not generating new failed login attempts from a source IP. Option D is wrong because a port scan does not generate authentication failures; it probes for open ports using TCP SYN or UDP packets, and any authentication failures would be coincidental and not follow a pattern of one attempt per username.
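The spraying signature this question describes (many usernames, one failure each, same source IP, inside a short window, then a success on an unrelated account) written as SIEM-style detection logic, alongside the brute-force pattern the exam trap contrasts it with. This is an added example, not part of the original question bank; the log line format, field names and thresholds are assumptions, and the log records are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed VPN authentication records (not real logs): one FAIL per account
# from 203.0.113.7 then an OK on another account; repeated FAILs on one account
# from 198.51.100.9; a lone legitimate OK from 192.0.2.44.
SAMPLE_LOG = """\
2024-03-01T02:00:05 vpn auth FAIL user=alice src=203.0.113.7
2024-03-01T02:01:40 vpn auth FAIL user=bob src=203.0.113.7
2024-03-01T02:03:12 vpn auth FAIL user=carol src=203.0.113.7
2024-03-01T02:04:01 vpn auth FAIL user=dave src=203.0.113.7
2024-03-01T02:05:30 vpn auth FAIL user=erin src=203.0.113.7
2024-03-01T02:07:00 vpn auth OK user=frank src=203.0.113.7
2024-03-01T02:06:00 vpn auth FAIL user=admin src=198.51.100.9
2024-03-01T02:06:05 vpn auth FAIL user=admin src=198.51.100.9
2024-03-01T02:06:10 vpn auth FAIL user=admin src=198.51.100.9
2024-03-01T02:06:15 vpn auth FAIL user=admin src=198.51.100.9
2024-03-01T02:06:20 vpn auth FAIL user=admin src=198.51.100.9
2024-03-01T02:09:00 vpn auth OK user=grace src=192.0.2.44
"""

def parse(log):
    """Yield (timestamp, result, user, src) tuples from the assumed syslog-like lines."""
    for line in log.splitlines():
        ts, _, _, result, user, src = line.split()
        yield datetime.fromisoformat(ts), result, user.split("=", 1)[1], src.split("=", 1)[1]

def classify_sources(events, window=timedelta(minutes=20), min_accounts=5, max_per_account=2):
    """Return {src: (verdict, followed_by_success)} for sources matching a pattern.
    'spray': many distinct accounts, few failures each, within the window.
    'brute_force': many failures concentrated on a single account."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)
    verdicts = {}
    for src, evs in by_src.items():
        evs.sort()                                   # chronological per source
        fails = [e for e in evs if e[1] == "FAIL"]
        for i, first in enumerate(fails):            # slide the window over failures
            burst = [e for e in fails[i:] if e[0] - first[0] <= window]
            per_user = Counter(e[2] for e in burst)
            followed_by_ok = any(e[1] == "OK" and e[0] >= first[0] for e in evs)
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                verdicts[src] = ("spray", followed_by_ok)
                break
            if len(per_user) == 1 and max(per_user.values()) >= min_accounts:
                verdicts[src] = ("brute_force", followed_by_ok)
                break
    return verdicts
```

A spray verdict with `followed_by_success` set is the highest-priority case to triage, since it matches the question's "one successful login to an unrelated account" tail.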
