CCNA Security Operations Questions

75 of 291 questions · Page 3/4 · Security Operations topic

151 (MCQ, medium)

A vulnerability scan identifies a critical patch for a fleet of internet-facing servers. The operations lead wants to apply it immediately during peak business hours because the exploit is public. What is the BEST next step?

A. Install the patch on all servers immediately without testing
B. Use the emergency change process with testing, approval, and a rollback plan
C. Wait until the next quarterly maintenance window to avoid any risk
D. Patch only one production server and assume the rest will be fine

Answer: B

An emergency change still needs controlled validation so the organization reduces risk without creating avoidable outages.

Why this answer

The correct answer is B because an emergency change process allows the critical patch to be applied quickly while still incorporating essential steps like testing, approval, and a rollback plan. This balances the urgency of a public exploit with the need to avoid unintended service disruptions during peak business hours, aligning with change management best practices in Security Operations.

Exam trap

The trap here is that candidates may choose option A, thinking speed is the only priority, but the exam tests the balance between urgency and risk management through formal change control processes.

How to eliminate wrong answers

Option A is wrong because installing the patch on all servers immediately without testing risks introducing compatibility issues or system instability, which could cause widespread outages during peak hours. Option C is wrong because waiting until the next quarterly maintenance window ignores the critical nature of a public exploit, leaving systems vulnerable to active attacks in the interim. Option D is wrong because patching only one production server and assuming the rest will be fine does not address the fleet-wide vulnerability and provides a false sense of security, as the unpatched servers remain exposed.

152 (MCQ, medium)

A SIEM alert shows a successful VPN login for an executive account from an unusual country, followed 3 minutes later by large downloads from a file share the user rarely accesses. Which log source should the analyst review next to determine whether the session came from the user's assigned laptop or an unmanaged device?

A. VPN concentrator logs
B. Endpoint detection and response telemetry from the user's laptop
C. DNS query logs from the internal resolver
D. Email gateway logs for the executive mailbox

Answer: B

EDR telemetry can confirm the device identity, user activity, and whether the endpoint was trusted and healthy.

Why this answer

B is correct because endpoint detection and response (EDR) telemetry from the user's laptop provides granular process-level and network-level data, including the source IP of the VPN session, the device's hostname, and whether the VPN client software was initiated from the managed laptop's operating system. This allows the analyst to confirm if the VPN session originated from the assigned corporate device or from an unmanaged device using stolen credentials.

Exam trap

Cisco often tests the misconception that VPN concentrator logs alone can identify the device type, but they only show authentication and external IP, not whether the session originated from the assigned managed laptop.

How to eliminate wrong answers

Option A is wrong because VPN concentrator logs only show the external IP address and authentication details, not whether the session came from the user's assigned laptop or an unmanaged device—they lack device-level identifiers like hostname or EDR agent presence. Option C is wrong because DNS query logs from the internal resolver only show domain name resolution requests, not the source device identity or VPN client origin, so they cannot differentiate between a managed and unmanaged device.

153 (MCQ, medium)

An NDR tool shows a production web server sending small, periodic DNS queries to random-looking subdomains under a domain the company does not use. The pattern repeats every 60 seconds, even when normal web traffic is idle. What is the best interpretation and next step?

A. This is normal DNS behavior, so no action is needed unless users report an outage.
B. Suspect DNS-based command-and-control, then isolate the server and collect logs and packet data for analysis.
C. Rotate the DNS server's administrator password and leave the web server online.
D. Assume the web server is performing routine certificate renewal checks and ignore the alert.

Answer: B

Regular outbound DNS queries to random subdomains can indicate tunneling or command-and-control traffic. The fact that it repeats at a fixed interval strengthens that suspicion. The best next step is to contain the host so the activity cannot continue, while preserving logs and packet captures for investigation. This lets the team determine whether malware, a rogue process, or a misconfiguration is responsible without losing evidence.

Why this answer

The small, periodic DNS queries to random-looking subdomains under an unused domain are a classic indicator of DNS-based command-and-control (C2) communication. Attackers often use DNS tunneling to exfiltrate data or send commands, as DNS traffic is typically allowed through firewalls. The fact that the pattern persists even during idle web traffic confirms it is not related to normal server operations, making isolation and forensic collection the appropriate next step.

Exam trap

The trap here is that candidates may mistake periodic DNS queries for legitimate maintenance traffic (like certificate renewal or NTP sync) and overlook the key indicator of random-looking subdomains under an unused domain, which is a hallmark of DNS tunneling for C2.

How to eliminate wrong answers

Option A is wrong because periodic DNS queries to random subdomains under an unused domain are not normal DNS behavior; legitimate DNS queries are typically for known, resolvable domains and do not exhibit a consistent 60-second pattern during idle periods. Option C is wrong because rotating the DNS server's administrator password does not address the compromised web server's outbound C2 traffic; the server itself must be isolated and investigated. Option D is wrong because certificate renewal checks use well-known domains (e.g., from a Certificate Authority) and do not involve random-looking subdomains under an unused domain; ignoring the alert could allow persistent C2 activity to continue.

154 (MCQ, medium)

EDR detects encoded PowerShell launched from a word processor, a process attempt to read LSASS memory, and an outbound HTTPS connection to a rare domain. What should the analyst do first?

A. Isolate the endpoint from the network while keeping it powered on for investigation.
B. Delete the user's profile to stop the malicious process immediately.
C. Patch the word processor before reviewing any alerts or logs.
D. Reboot the system immediately to clear anything running in memory.

Answer: A

This is the correct first action because the host shows clear signs of active compromise and possible credential theft. Network isolation limits further spread and command-and-control activity, while leaving the system powered on preserves volatile evidence for later analysis. That balance supports both containment and investigation, which is the right sequence when EDR indicates live malicious behavior.

Why this answer

The EDR alerts indicate a likely credential theft attempt (LSASS read) and C2 communication (rare domain). Isolating the endpoint preserves forensic evidence in memory and disk while preventing further data exfiltration or lateral movement, which is the immediate containment priority per incident response best practices.

Exam trap

The trap here is that candidates may choose reboot (D) thinking it clears malware, but CompTIA emphasizes preserving evidence and containing the threat first, as rebooting destroys volatile data needed for forensic analysis.

How to eliminate wrong answers

Option B is wrong because deleting the user profile destroys volatile evidence (e.g., process memory, registry artifacts) and may not stop a process running in system context. Option C is wrong because patching the word processor is a long-term remediation step, not an immediate response to an active compromise. Option D is wrong because rebooting clears memory-resident malware and forensic artifacts, potentially losing critical evidence of the attack chain.

155 (MCQ, hard)

Based on the exhibit, which issue should be remediated first by the operations team? A small company has limited maintenance windows and can address only one of several findings this week.

A. db-lab02, because high-severity findings always outrank medium and critical findings.
B. printsrv03, because it is internet-facing and has no vendor patch available.
C. vpn-gw01, because it is internet-facing, exploitable now, and a fix is available.
D. None of these, because the team should wait for the next quarterly review before changing anything.

Answer: C

The VPN gateway is the most urgent issue because it is externally reachable, has a critical remote code execution flaw, and a vendor patch already exists. That combination creates high likelihood and high impact. The reboot requirement is inconvenient, but it is still the most actionable and dangerous finding. The other issues are either isolated from production or partially mitigated by compensating controls.

Why this answer

Option C is correct because vpn-gw01 is internet-facing, has an active exploit (CVSS score indicating current exploitation), and a vendor patch is available. In risk management, the highest priority is given to assets that are exposed to the internet, currently exploitable, and have a known fix, as this combination presents the most urgent threat to the organization's security posture.

Exam trap

The trap here is that candidates often assume severity (e.g., critical vs. high) is the sole determinant of remediation priority, ignoring the critical factors of internet exposure, exploitability, and patch availability that CompTIA emphasizes in risk management scenarios.

How to eliminate wrong answers

Option A is wrong because it incorrectly states that high-severity findings always outrank medium and critical findings; severity is only one factor in prioritization, and internet exposure, exploitability, and patch availability are equally important. Option B is wrong because printsrv03, while internet-facing with no vendor patch, does not have an active exploit, making it less urgent than an asset that is currently exploitable. Option D is wrong because waiting for the next quarterly review would leave a known, exploitable vulnerability unpatched, violating the principle of timely remediation for critical risks.

156 (MCQ, medium)

A security analyst is reviewing web server logs after a user reports that the company website displayed an error message containing raw database queries. The log shows repeated requests to the product search page with the following parameter: `?id=1 OR 1=1`. Which of the following should the analyst do FIRST to confirm the nature of the suspected attack?

A. Run a vulnerability scan against the web server.
B. Block the source IP address in the firewall.
C. Verify the request details against the web application firewall logs.
D. Isolate the web server from the network immediately.

Answer: C

This is the correct first step. The WAF logs will show if the request was identified as malicious and blocked, or if it passed through. This confirmation is crucial before any further action.

Why this answer

Option C is correct because the analyst should first verify the request details against the web application firewall (WAF) logs to confirm whether the WAF detected and blocked the SQL injection attempt. The parameter `?id=1 OR 1=1` is a classic SQL injection payload, and WAF logs provide immediate evidence of whether the request was flagged, allowed, or blocked, enabling the analyst to correlate the user's report with actual security controls before taking further action.

Exam trap

The trap here is that candidates may jump to containment (blocking or isolating) or scanning without first using existing logs to confirm the attack, failing to follow the incident response principle of 'verify before act'.

How to eliminate wrong answers

Option A is wrong because running a vulnerability scan is a proactive assessment step that should occur after confirming the attack; it does not help confirm the nature of a specific reported incident. Option B is wrong because blocking the source IP address in the firewall is a reactive containment measure that should be taken only after confirming the attack and understanding its scope, not as the first step. Option D is wrong because isolating the web server from the network immediately is an extreme containment action that could disrupt business operations and is premature without first confirming the attack via logs.

157 (Multi-Select, medium)

A security operations center (SOC) analyst is investigating a potential malware outbreak. Which three of the following indicators of compromise (IOCs) would provide the strongest evidence of malicious activity? (Choose three.)

Select 3 answers
- An outbound connection from an internal workstation to a known command-and-control (C2) IP address
- A hash of a file that matches a known malware signature in a threat intelligence feed
- A registry key modification that creates a run key for persistence on a system
- An increase in legitimate web traffic to a corporate website from a new geographic region
- A user reporting a slow computer that started after installing a software update
- A single failed login attempt on a user account from an internal IP address

Why this answer

An outbound connection to a known C2 IP address is a strong indicator of compromise because it suggests the infected host is communicating with an attacker-controlled server to receive commands or exfiltrate data. This is a direct network-level IOC that is rarely seen in legitimate traffic, especially when the IP is listed in threat intelligence feeds as malicious.

Exam trap

Cisco often tests the distinction between anecdotal user reports and objective technical IOCs, where candidates mistakenly treat a user complaint or a single benign event as strong evidence of compromise.

158 (Multi-Select, hard)

EDR on a finance workstation shows Outlook launching mshta.exe, followed by a scheduled task named UpdateSvc_91 and repeated HTTPS beacons to a newly registered domain. The user is still working and has not rebooted. Which two telemetry sources would best help the analyst confirm the initial execution path and determine whether the host has communicated with other suspicious infrastructure? Select two.

Select 2 answers
A. EDR process tree and parent-child execution telemetry, because it reveals the original application that launched the script host.
B. Proxy or secure web gateway logs, because they show outbound destinations, categories, and repeated beacons to external sites.
C. Spooler service logs, because mshta.exe commonly prints documents before starting network activity.
D. RAID controller logs, because they show whether the workstation's storage hardware is failing.
E. NTP synchronization logs, because time drift is the most likely cause of the alert.

Answers: A, B

The process tree shows the execution chain from Outlook to mshta.exe and any child processes that followed. That is the best way to confirm whether the attachment or message initiated the suspicious activity. It also helps distinguish user-driven execution from unrelated background activity.

Why this answer

Option A is correct because EDR process tree and parent-child execution telemetry directly reveal the initial execution path, showing that Outlook launched mshta.exe. This allows the analyst to trace the attack back to the original vector (e.g., a malicious email attachment or link) and understand how the script host was invoked, which is critical for identifying the root cause of the compromise.

Exam trap

The trap here is that candidates may overlook the importance of parent-child process telemetry and instead focus on irrelevant logs like Spooler or RAID, failing to recognize that the initial execution path is the key to understanding the attack vector.

159 (MCQ, medium)

EDR flags a workstation after a word processor launches encoded PowerShell and the host begins contacting a rare domain over HTTPS. The user is still active. What is the best containment action from the EDR console?

A. Isolate the endpoint from the network while keeping it powered on.
B. Delete the suspicious PowerShell process from the console and close the alert.
C. Reimage the workstation immediately to return it to a clean state.
D. Power the workstation off and disconnect the SSD to preserve data.

Answer: A

This is the best containment step because it stops the suspected malware from communicating outward or moving laterally, while preserving the live system for follow-up investigation. Keeping the machine powered on protects volatile evidence such as memory, processes, and active connections. EDR isolation is especially useful when the user is still logged in and the host may still contain useful artifacts that would be lost by immediate shutdown.

Why this answer

Isolating the endpoint from the network while keeping it powered on is the best containment action because it immediately cuts off the command-and-control (C2) communication over HTTPS to the rare domain, preventing further data exfiltration or lateral movement, while preserving volatile memory and running processes for forensic analysis. This aligns with incident response best practices where containment must prioritize stopping the threat without destroying evidence.

Exam trap

The trap here is that candidates often choose to kill the process or power off the system, mistakenly believing that stopping the immediate malicious activity is sufficient, without understanding that containment must preserve forensic evidence and prevent re-infection or lateral movement.

How to eliminate wrong answers

Option B is wrong because deleting the suspicious PowerShell process from the console does not remove the underlying malware or persistence mechanism, and the endpoint remains connected to the network, allowing the attacker to re-establish C2 or execute additional payloads. Option C is wrong because reimaging the workstation destroys all forensic evidence, including volatile memory, logs, and artifacts that could reveal the attack vector, scope, and indicators of compromise, which is premature before a proper investigation. Option D is wrong because powering the workstation off and disconnecting the SSD destroys volatile memory (e.g., running processes, network connections, encryption keys) that are critical for understanding the attack, and it prevents live response actions such as memory acquisition or process analysis.

160 (Multi-Select, medium)

An EDR alert shows suspicious PowerShell activity on a remote employee laptop, and the user is still logged in to cloud applications. Which two response actions are best if the device is believed to be actively compromised? Select two.

Select 2 answers
A. Isolate the endpoint through the EDR tool or quarantine its network access.
B. Collect a live response package or volatile data before cleanup begins.
C. Power off the laptop immediately to stop the activity as fast as possible.
D. Wait until the user returns the laptop to the office for physical inspection.
E. Remove the EDR agent so the attacker cannot detect the investigation.

Answers: A, B

Network isolation is the fastest way to stop additional attacker communication, lateral movement, and command execution from the compromised laptop. It contains the incident while preserving the system state for investigation. EDR quarantine is particularly useful for remote devices because it can be applied without physical access to the endpoint.

Why this answer

Option A is correct because isolating the endpoint via the EDR tool or quarantining its network access immediately stops the attacker's ability to communicate with command-and-control servers, preventing lateral movement and further data exfiltration. This containment action is a critical first step in incident response for an actively compromised device, as it preserves the integrity of the investigation while halting malicious activity.

Exam trap

The trap here is that candidates confuse 'stopping the activity' with 'powering off the device,' failing to recognize that volatile data collection must precede any shutdown to preserve forensic evidence.

161 (MCQ, medium)

A security analyst is reviewing the perimeter firewall logs. The analyst observes repeated TCP SYN packets from a single external IP address (203.0.113.50) to multiple internal IP addresses on TCP port 3389. The packets are sent with a consistent 50-millisecond interval. There are no subsequent SYN-ACK or RST packets from the internal hosts in the logs. The analyst suspects this is a reconnaissance scan. Which of the following additional log sources would provide the most definitive evidence to confirm this suspicion?

A. DNS query logs from the internal DNS server
B. Web proxy logs from the corporate proxy server
C. Intrusion detection system (IDS) logs from a network-based IDS placed behind the firewall
D. VPN gateway authentication logs

Answer: C

A network-based IDS monitors all traffic and uses signatures to detect reconnaissance activities such as port scans. The IDS logs would provide an alert with the signature name (e.g., 'TCP Port Scan') and details about the source IP and targeted hosts, confirming the scan.

Why this answer

Option C is correct because a network-based IDS placed behind the firewall can inspect the full packet payload and detect the specific pattern of TCP SYN packets without corresponding SYN-ACK or RST responses, which is characteristic of a SYN scan (a type of reconnaissance scan). The IDS can correlate the consistent 50-millisecond interval and the targeting of TCP port 3389 (RDP) across multiple internal IPs, providing definitive evidence of scanning behavior that firewall logs alone cannot confirm due to lack of session completion.

Exam trap

The trap here is that candidates may think firewall logs alone are sufficient to confirm a scan, but they miss that an IDS provides deeper packet inspection and pattern correlation that definitively identifies reconnaissance behavior, especially when the firewall drops the packets before they reach internal hosts.

How to eliminate wrong answers

Option A is wrong because DNS query logs would only show domain name resolution requests, not TCP SYN packets or port scanning activity; the attacker is using raw IP addresses (203.0.113.50) and targeting TCP port 3389, which does not involve DNS lookups. Option B is wrong because web proxy logs capture HTTP/HTTPS traffic (typically TCP ports 80/443) and would not record direct TCP SYN packets to port 3389 (RDP), as RDP traffic bypasses the proxy unless explicitly routed through it, which is uncommon.

162 (MCQ, medium)

A Linux operations team needs to run a nightly script that restarts one service and archives its logs on 60 servers. Security does not want an administrator to log in interactively, and the script should have only the permissions needed for that job. What is the best approach?

A. Use the root account so the job never fails.
B. Create a dedicated service account with only the delegated rights needed, and run the script as a scheduled job.
C. Store an administrator's SSH key inside the script.
D. Have an operator log in and run the commands manually each night.

Answer: B

A dedicated noninteractive account supports automation while keeping permissions tightly scoped to the task. The account can be granted only the ability to restart the specific service and write the required log archive location, rather than full administrator access. Scheduling the job also makes the activity repeatable and auditable. This approach supports least privilege, reduces human error, and avoids interactive logons on every server.

Why this answer

Option B is correct because it follows the principle of least privilege by creating a dedicated service account with only the specific rights needed to restart the service and archive logs. Running the script as a scheduled job (e.g., via cron) eliminates the need for interactive login, satisfying the security requirement. This approach minimizes the attack surface and ensures the job runs automatically without exposing administrative credentials.

Exam trap

The trap here is that candidates often assume root is necessary for system service management, but SY0-701 tests the principle of least privilege and the ability to delegate specific rights via service accounts and sudoers policies.

How to eliminate wrong answers

Option A is wrong because using the root account grants unrestricted superuser privileges, violating the principle of least privilege and increasing the risk of catastrophic errors or compromise. Option C is wrong because storing an administrator's SSH key inside the script exposes the private key to anyone who can read the script, creating a credential theft vulnerability and violating secure key management practices. Option D is wrong because requiring an operator to log in manually each night introduces human error, inconsistency, and violates the security policy that prohibits interactive login.

163 (MCQ, medium)

A vulnerability dashboard shows four new findings. Which one should be remediated first by the operations team?

- A low-severity issue on an offline lab VM
- A medium-severity issue on a payroll server with no known exploit
- A critical issue on an internet-facing web server with an available exploit
- A high-severity issue on a test workstation that is not domain joined

A. The low-severity issue on the offline lab VM.
B. The medium-severity issue on the payroll server with no known exploit.
C. The critical issue on the internet-facing web server with an available exploit.
D. The high-severity issue on the test workstation that is not domain joined.

Answer: C

This combines high severity, public exposure, and active exploitability, making it the highest-priority risk.

Why this answer

The critical issue on the internet-facing web server with an available exploit should be remediated first because it combines the highest severity (critical) with an active, exploitable vulnerability on an asset exposed to the public internet. In vulnerability management, remediation priority is determined by risk, which is a function of severity, exploitability, and asset exposure. An internet-facing web server with a known exploit represents an immediate threat that can be remotely compromised, unlike the other findings which are on isolated or less critical systems.

Exam trap

CompTIA often tests the principle that severity alone does not determine priority; candidates must consider exploitability and asset exposure, and the trap here is assuming a high-severity issue on any asset (like a test workstation) should be fixed before a critical issue on an internet-facing server, ignoring that the test workstation is isolated and not domain-joined, reducing its risk profile.

How to eliminate wrong answers

Option A is wrong because a low-severity issue on an offline lab VM poses minimal risk; the VM is not connected to the network, so exploitation is virtually impossible and remediation can be deferred. Option B is wrong because a medium-severity issue on a payroll server with no known exploit is less urgent; without an available exploit, the likelihood of successful attack is low, and the server, while sensitive, is not directly exposed to the internet. Option D is wrong because a high-severity issue on a test workstation that is not domain joined is isolated from the production domain and likely not accessible from the internet, reducing the attack surface and urgency compared to a critical, exploitable internet-facing server.

164 (MCQ, hard)

Based on the exhibit, what is the best eradication decision after containment? A quarantined endpoint was found to have a malicious startup item and a scheduled task. The team has already isolated it from the network and preserved memory for analysis.

A. Delete only the update.exe file and reconnect the host once the user confirms it is working.
B. Remove persistence artifacts and rebuild the endpoint from a known-good image before returning it to service.
C. Restore network connectivity now because no encryption was observed.
D. Change the DNS servers for the entire enterprise to block the malware domain.

Answer: B

The host contains a malicious executable plus two persistence mechanisms, so cleanup must remove more than the payload file. Reimaging from trusted media provides the most reliable eradication path, especially when the malware family is already identified and the machine has been quarantined. This reduces the chance of hidden remnants, registry persistence, or tampered system components surviving the response effort.

Why this answer

Option B is correct because after containment (network isolation and memory preservation), the best eradication step is to remove all persistence mechanisms (startup item and scheduled task) and rebuild the endpoint from a known-good image. This ensures that any undetected malware remnants, rootkits, or hidden artifacts are eliminated, preventing reinfection. Simply deleting files or changing DNS does not guarantee the system is clean, and reconnecting without a full rebuild risks lateral movement or data exfiltration.

Exam trap

The trap here is that candidates may choose Option A, thinking that deleting the malicious file is sufficient, but CompTIA emphasizes that persistence artifacts must be removed and a system should be rebuilt from a trusted image to ensure complete eradication.

How to eliminate wrong answers

Option A is wrong because deleting only the update.exe file leaves the scheduled task and startup item intact, and the user's confirmation of functionality does not verify security; the host could still have hidden persistence or other malware. Option C is wrong because restoring network connectivity without eradication ignores the possibility of dormant malware or backdoors, and the absence of encryption does not indicate the system is safe. Option D is wrong because changing enterprise DNS servers is a containment or mitigation step, not an eradication decision; it does not clean the compromised endpoint and may disrupt legitimate traffic.

165 (MCQ, easy)

A user reports a ransomware note on one department file share, but other departments are still working normally. What is the best first containment action?

A. Shut down the entire company network immediately.
B. Disconnect the affected file share or server from the network.
C. Delete the ransom note and wait to see whether the problem returns.
D. Restore the share immediately before checking what caused the incident.

Answer: B

Isolating the affected system is the best first containment step because it helps stop the malware from spreading while preserving the rest of the environment. The goal in early incident response is to reduce impact quickly without causing unnecessary downtime. Once contained, responders can investigate scope, preserve evidence, and begin eradication and recovery.

Why this answer

Option B is correct because the immediate priority in a ransomware incident is to contain the threat by isolating the affected system to prevent lateral movement. Disconnecting the file share or server from the network stops the ransomware from encrypting additional files or spreading to other departments via SMB or other protocols. This aligns with the NIST SP 800-61 containment strategy, which emphasizes rapid isolation without disrupting unaffected systems.

Exam trap

The trap here is that candidates may choose Option A (full network shutdown) because they think it is the safest action, but the exam emphasizes precise, least-disruptive containment that preserves evidence and limits business impact.

How to eliminate wrong answers

Option A is wrong because shutting down the entire company network is overly disruptive, may destroy volatile evidence (e.g., memory-resident malware), and is unnecessary when only one department is affected. Option C is wrong because deleting the ransom note does not remove the ransomware executable or prevent further encryption; it ignores the active threat and wastes critical response time. Option D is wrong because restoring the share without first containing the incident risks immediate re-infection, as the ransomware may still be active on the network or the restored files could be re-encrypted.

166
MCQmedium

A SIEM correlates three failed MFA prompts for a payroll admin account from one IP, a successful login two minutes later from the same IP, and a new mailbox forwarding rule to an external address. What is the best immediate action?

A.Reset the password and leave the account enabled so the user can keep working.
B.Disable the account and revoke active sessions and tokens.
C.Delete the forwarding rule and monitor the account for a few hours.
D.Wait for the user to confirm the login before taking any action.
AnswerB

This is the best immediate containment step because the signs strongly indicate account compromise. Disabling the account stops new authentication, while revoking sessions and tokens cuts off any already-established access that could continue to act as the user. That combination contains the incident quickly and limits further mailbox manipulation, data theft, or privilege misuse while the team investigates logs and confirms scope.

Why this answer

Option B is correct because the combination of failed MFA prompts followed by a successful login and immediate creation of an external mailbox forwarding rule is a classic indicator of account compromise (e.g., adversary-in-the-middle or token theft). Disabling the account and revoking active sessions and tokens stops the attacker from maintaining access and prevents further data exfiltration via the forwarding rule, which is the most urgent containment step in incident response.

Exam trap

CompTIA often tests the misconception that deleting the malicious artifact (forwarding rule) is sufficient, when in reality the priority is to contain the compromised account by disabling it and revoking all sessions.

How to eliminate wrong answers

Option A is wrong because resetting the password alone does not invalidate active sessions or tokens, allowing the attacker to continue using existing authenticated sessions. Option C is wrong because deleting only the forwarding rule without disabling the account leaves the attacker with continued access to the mailbox and the ability to recreate the rule or perform other malicious actions. Option D is wrong because waiting for user confirmation delays containment, giving the attacker more time to exfiltrate data or establish persistence, and the user may not be aware of the compromise.

167
MCQmedium

A SOC analyst confirms that a critical Linux virtual machine is making outbound connections to a known malicious IP address. The application owner says the VM hosts a revenue system that cannot be powered off without causing a major outage. What is the best containment action?

A.Shut down the VM immediately to stop all malicious activity.
B.Isolate the VM at the network layer while keeping it powered on.
C.Wait for the next maintenance window before taking action.
D.Reimage the VM from a known-good template immediately.
AnswerB

This reduces further attacker communication and spread while preserving the system state for investigation and minimizing business disruption.

Why this answer

Option B is correct because network isolation (e.g., applying a firewall ACL or moving the VM to a quarantine VLAN) stops outbound malicious traffic while keeping the revenue-critical system powered on and available for forensic analysis. This balances security containment with business continuity, as shutting down the VM (Option A) would cause a major outage, and waiting (Option C) would allow continued data exfiltration or lateral movement.

Exam trap

The trap here is that candidates may assume immediate shutdown is always the best containment action, but the exam tests the ability to prioritize business continuity while still containing the threat through network-layer isolation.

How to eliminate wrong answers

Option A is wrong because immediately shutting down the VM would cause a major outage for the revenue system, violating the requirement to avoid disruption, and it would destroy volatile forensic evidence (e.g., memory, active connections). Option C is wrong because waiting for the next maintenance window allows the malicious outbound connections to continue, risking data exfiltration, further compromise, or lateral movement to other systems.

168
MCQmedium

Based on the exhibit, which finding is the best candidate for immediate remediation or emergency mitigation?

A.VPN-EDGE01, because a critical internet-facing RCE with public exploit code has the highest risk.
B.FILE-02, because file servers often affect many users and should always come before perimeter systems.
C.TEST-VM-17, because any high-severity issue deserves the fastest response regardless of exposure.
D.PRINTER-3F, because default credentials are the easiest issue to exploit and therefore the most dangerous.
AnswerA

VPN-EDGE01 combines severity, exposure, and exploit availability. A critical remote code execution flaw on an internet-facing device is the most urgent because attackers can reach it directly from outside the organization. Public proof-of-concept code further lowers the effort needed to exploit it. When prioritizing vulnerabilities, this combination usually receives immediate remediation or emergency mitigation.

Why this answer

Option A is correct because VPN-EDGE01 is an internet-facing device with a critical remote code execution (RCE) vulnerability that has public exploit code available. This combination of high severity, network exposure, and weaponized exploit makes it the highest risk and most urgent for immediate remediation or emergency mitigation.

Exam trap

The trap here is that candidates may prioritize by severity alone (high vs. critical) or by ease of exploitation (default credentials), ignoring the critical factor of network exposure and the presence of public exploit code, which together create the highest immediate risk.

How to eliminate wrong answers

Option B is wrong because file servers, while affecting many users, do not inherently present a higher risk than an internet-facing device with a critical RCE; prioritizing by user count over exposure and exploitability is a common prioritization error. Option C is wrong because a high-severity issue on a non-internet-facing test VM (TEST-VM-17) is less urgent than a critical RCE on an internet-facing edge device, as the test VM has limited exposure and lower likelihood of exploitation. Option D is wrong because default credentials on a printer (PRINTER-3F), while easily exploitable, typically have limited impact compared to a critical RCE on a perimeter VPN gateway that could lead to full network compromise.

169
MCQeasy

An administrator wants to add a new vendor IP range to a firewall rule in production. What is the best change-management step to reduce risk?

A.Apply the change immediately during peak business hours.
B.Test and approve the change before implementing it in production.
C.Allow the entire vendor subnet permanently without review.
D.Skip documentation to speed up the rollout.
AnswerB

Change management should include review, approval, and testing before production deployment. This reduces the chance of outages, misconfigurations, and unintended access. A controlled change window and validation steps are especially important for firewall rules because small mistakes can break connectivity or create security gaps.

Why this answer

Option B is correct because change management requires testing and approval before applying changes to production systems. Adding a new vendor IP range to a firewall rule without validation could inadvertently allow malicious traffic or block legitimate traffic, leading to a security breach or service disruption. Testing in a non-production environment or using a change window ensures the rule behaves as intended and aligns with the organization's security policy.

Exam trap

The trap here is that candidates may think immediate implementation (Option A) is acceptable for urgent security fixes, but the question specifies adding a new vendor IP range, which is a planned change that must follow proper change management procedures to avoid unintended access or downtime.

How to eliminate wrong answers

Option A is wrong because applying the change immediately during peak business hours violates change management best practices and risks causing outages or security gaps when the network is under heavy load, making rollback difficult. Option C is wrong because allowing the entire vendor subnet permanently without review bypasses the principle of least privilege and could expose the network to unnecessary risk if the vendor's IP range changes or includes untrusted addresses. Option D is wrong because skipping documentation undermines audit trails and incident response; without records, administrators cannot verify what changes were made or revert them if needed.

170
MCQeasy

Based on the exhibit, which control would best reduce unauthorized follow-on entry into the records room?

A.Install a mantrap so only one person can pass through at a time.
B.Add more network firewall rules around the records room door.
C.Increase the screen lock timeout on nearby workstations.
D.Replace the UPS batteries to stop unauthorized people from entering.
AnswerA

A mantrap is designed to prevent tailgating and piggybacking by controlling one person through an entry point at a time. The exhibit shows someone followed an authorized employee into a sensitive room after the badge granted access. A mantrap directly addresses that weakness and is a common physical-security control for restricted areas.

Why this answer

A mantrap is a physical security control consisting of a small space with two interlocking doors, designed to allow only one person to pass at a time. This prevents tailgating and piggybacking, which are common methods of unauthorized follow-on entry into a restricted area like a records room.

Exam trap

The trap here is that candidates may confuse logical access controls (firewall rules, screen lock timeouts) or power-related controls (UPS) with physical access controls, failing to recognize that the question specifically targets unauthorized follow-on entry through a physical door.

How to eliminate wrong answers

Option B is wrong because network firewall rules control logical access to network resources, not physical entry through a door. Option C is wrong because increasing the screen lock timeout on workstations reduces the risk of unauthorized logical access to a computer, but does nothing to prevent a person from physically following an authorized user into the records room. Option D is wrong because replacing UPS batteries ensures backup power for equipment, but has no effect on preventing unauthorized physical entry.

171
MCQeasy

A file server begins encrypting documents, and the SOC confirms the activity is malicious. Which incident response step should happen first to limit further damage?

A.Lessons learned
B.Containment
C.Recovery
D.Post-incident reporting
AnswerB

Containment is the first response step that limits spread and stops the incident from getting worse.

Why this answer

Containment is the correct first step because it isolates the compromised file server from the network, preventing the ransomware from encrypting additional shares or spreading laterally. The SMB protocol (port 445) used for file sharing would be blocked at the switch or firewall, halting further encryption of documents. This aligns with the NIST SP 800-61 incident response lifecycle, where containment precedes eradication and recovery.

Exam trap

CompTIA often tests the misconception that recovery (e.g., restoring from backup) is the first priority, but containment must come first to stop the active damage and prevent reinfection.

How to eliminate wrong answers

Option A is wrong because lessons learned occurs after the incident is fully resolved, not during active encryption. Option C is wrong because recovery (e.g., restoring from backups) cannot happen until the threat is contained and eradicated; attempting recovery first could re-encrypt data. Option D is wrong because post-incident reporting is a final step for documentation and compliance, not an immediate action to limit damage.

172
MCQmedium

During malware containment, an analyst needs to preserve transient information from a compromised Windows workstation that is still running. Which action is MOST appropriate before shutdown or imaging?

A.Capture memory and live process information with approved response tools
B.Immediately unplug the workstation and carry it to the evidence room
C.Run a full antivirus scan to clean the machine before analysis
D.Clear the event logs so the malicious activity is easier to isolate
AnswerA

Live memory and process data can disappear on shutdown, so capturing them preserves valuable forensic evidence.

Why this answer

Option A is correct because transient information such as running processes, network connections, and memory-resident malware is lost when the system is powered off. Capturing memory and live process data with approved forensic tools (e.g., FTK Imager, DumpIt, or WinPmem) preserves volatile evidence critical for incident analysis and attribution, in accordance with the order of volatility (RFC 3227).

Exam trap

The trap here is that candidates may think immediate power-off preserves evidence, but it actually destroys volatile data, which is the most time-sensitive and valuable for incident response.

How to eliminate wrong answers

Option B is wrong because immediately unplugging the workstation causes a loss of volatile data (memory, network connections, running processes) and may corrupt the file system, destroying transient evidence. Option C is wrong because running a full antivirus scan modifies the system state, potentially deleting or altering malware artifacts and violating forensic integrity principles. Option D is wrong because clearing event logs destroys historical evidence of malicious activity, making it harder to reconstruct the attack timeline and violating the preservation of evidence.

173
Multi-Selectmedium

A SIEM alert shows a successful sign-in to a cloud admin portal from an unusual country, followed by mailbox forwarding-rule changes four minutes later. Which two log sources should the analyst review first to confirm whether the account was abused? Select two.

Select 2 answers
A.Identity provider and MFA authentication logs for the account session
B.Cloud application audit logs for mailbox and rule changes
C.Printer spooler logs from the user’s workstation
D.DHCP lease logs for the office network
E.USB device connection logs from the user’s laptop
AnswersA, B

These logs show whether the sign-in was legitimate, challenged, or bypassed by a compromised session.

Why this answer

Option A is correct because the identity provider (IdP) logs will show the authentication method used (e.g., SAML, OIDC) and the MFA logs will confirm whether a valid second factor was presented. If the sign-in succeeded without MFA or with a compromised token, it indicates account takeover. These logs are the first place to verify the legitimacy of the session.

Exam trap

The trap here is that candidates may focus on network-level logs (DHCP, printer) because they associate 'unusual country' with network location, but the question specifically requires logs that directly capture authentication events and mailbox rule changes in the cloud.
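The correlation that questions 166 and 173 describe (failed MFA prompts or an unusual sign-in country, a successful login, then a mailbox forwarding rule to an external address) can be expressed as a small detection over normalised events from the identity provider and the cloud mailbox audit log. The following is an added example written for this page, not code from the question bank or any vendor product; the event field names, the per-account baseline country table, the internal mail domain and the ten-minute window are all assumptions chosen for illustration.

```python
"""Correlate identity-provider and cloud-audit events into an account-takeover finding.

Added example, not part of the question bank. Event field names, the baseline
country table, the internal domain list and the time window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"example.com"}                                   # constructed: domains the org owns
USUAL_COUNTRY = {"payroll-admin": "US", "dave": "US", "erin": "US"}  # constructed baseline per account
WINDOW = timedelta(minutes=10)      # failures before / rule changes after the sign-in count within this span
MIN_MFA_FAILURES = 3


def ev(ts, source, event, account, **fields):
    """Build one normalised event dict from either log source."""
    return {"ts": datetime.fromisoformat(ts), "source": source, "event": event, "account": account, **fields}


# Constructed events. payroll-admin mirrors the SIEM alert in the question;
# dave and erin are ordinary activity that must not be flagged.
SAMPLE_EVENTS = [
    ev("2024-03-01T09:00:00", "idp", "mfa_failure", "payroll-admin", ip="203.0.113.7", country="RO"),
    ev("2024-03-01T09:00:40", "idp", "mfa_failure", "payroll-admin", ip="203.0.113.7", country="RO"),
    ev("2024-03-01T09:01:20", "idp", "mfa_failure", "payroll-admin", ip="203.0.113.7", country="RO"),
    ev("2024-03-01T09:03:00", "idp", "login_success", "payroll-admin", ip="203.0.113.7", country="RO"),
    ev("2024-03-01T09:05:00", "mail_audit", "forwarding_rule_created", "payroll-admin",
       target="drop@attacker-mail.example.net"),
    ev("2024-03-01T09:10:00", "idp", "login_success", "dave", ip="198.51.100.20", country="US"),
    ev("2024-03-01T09:12:00", "mail_audit", "forwarding_rule_created", "dave", target="dave.archive@example.com"),
    ev("2024-03-01T09:20:00", "idp", "mfa_failure", "erin", ip="198.51.100.21", country="US"),
    ev("2024-03-01T09:20:30", "idp", "login_success", "erin", ip="198.51.100.21", country="US"),
]


def is_external(address):
    """True when the recipient domain is not one the organisation owns."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def correlate_account_takeover(events):
    """Return one finding per successful login that carries at least two takeover indicators."""
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_account[e["account"]].append(e)

    findings = []
    for account, evs in by_account.items():
        for i, login in enumerate(evs):
            if login["event"] != "login_success":
                continue
            indicators = {}
            # 1. Burst of MFA failures from the same IP just before the success.
            prior = [p for p in evs[:i] if p["event"] == "mfa_failure" and p["ip"] == login["ip"]
                     and login["ts"] - p["ts"] <= WINDOW]
            if len(prior) >= MIN_MFA_FAILURES:
                indicators["mfa_failures_before_success"] = len(prior)
            # 2. Sign-in country differs from the account's baseline.
            if login["country"] != USUAL_COUNTRY.get(account, login["country"]):
                indicators["unusual_country"] = login["country"]
            # 3. Forwarding rule to an address outside the organisation shortly after the sign-in.
            rules = [r["target"] for r in evs[i + 1:] if r["event"] == "forwarding_rule_created"
                     and r["ts"] - login["ts"] <= WINDOW and is_external(r["target"])]
            if rules:
                indicators["external_forwarding_rule"] = rules
            if len(indicators) >= 2:
                findings.append({
                    "account": account,
                    "ip": login["ip"],
                    "login_ts": login["ts"].isoformat(),
                    "indicators": indicators,
                    "recommended_action": "disable account; revoke sessions and tokens; escalate",
                })
    return findings


if __name__ == "__main__":
    for finding in correlate_account_takeover(SAMPLE_EVENTS):
        print(finding)
```

Only payroll-admin is reported: it has three MFA failures from the same IP inside the window, a sign-in country that differs from its baseline, and an external forwarding rule four minutes later. dave creates a rule to an internal address after a normal sign-in and erin mistypes once, so neither reaches the two-indicator threshold. The recommended action in the finding is the one both questions settle on: disable the account and revoke sessions and tokens before touching the rule itself.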

174
MCQmedium

A SIEM correlates VPN logs and sees the same public IP make one failed login attempt against 56 different user accounts over 25 minutes. The usernames vary, but the password value appears to be the same in each attempt. Ten minutes later, one of those accounts authenticates successfully from the same IP, and no password-reset events are recorded. Which attack pattern is most likely?

A.Password spraying against multiple accounts with a shared password guess.
B.A brute-force attack focused on a single account with repeated rapid guesses.
C.A replay attack using captured authentication traffic from a previous session.
D.Credential stuffing using known breached username and password pairs.
AnswerA

This pattern matches password spraying because the attacker tries one common password across many usernames to avoid lockouts and reduce noisy failures. The same source IP, low failure count per account, and eventual success on one account are classic clues. Analysts should treat the successful login as potentially compromised and review related authentication, MFA, and session activity immediately.

Why this answer

The SIEM logs show the same public IP attempting to authenticate with 56 different usernames using the same password. This is the hallmark of a password spraying attack, where an attacker tries a single common password against many accounts to avoid account lockout policies. The subsequent successful authentication from the same IP, without a password reset, confirms the guessed password was valid for one account.

Exam trap

The trap here is that candidates confuse password spraying with brute-force attacks, failing to recognize that the key differentiator is the single password used against multiple accounts versus multiple passwords against a single account.

How to eliminate wrong answers

Option B is wrong because a brute-force attack focuses on a single account with many rapid password guesses, not a single password against many accounts. Option C is wrong because a replay attack would reuse captured authentication tokens or hashes from a previous session, not attempt login with a plaintext password across multiple usernames.
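The shape that distinguishes password spraying from a single-account brute force (one source IP, many distinct accounts, at most one or two failures each, then a success) can be checked mechanically over VPN authentication logs. The following is an added example written for this page, not code from the question bank or from any SIEM vendor; the log line format, the thresholds and the IP addresses are assumptions chosen to mirror the question's numbers (56 accounts over about 25 minutes, one success 10 minutes later).

```python
"""Password-spray detector over constructed VPN authentication log lines.

Added example, not part of the question bank. The log format, field names and
thresholds below are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(FAIL|SUCCESS)$")

WINDOW = timedelta(minutes=30)          # failures from one IP are grouped if they fall within this span
MIN_ACCOUNTS = 10                       # distinct accounts needed before calling it a spray
MAX_FAILS_PER_ACCOUNT = 2               # sprays stay under lockout thresholds on every account
FOLLOW_WINDOW = timedelta(minutes=30)   # a success from the same IP this soon after the spray is suspect


def build_sample_log():
    """Constructed VPN log: one IP fails once against 56 accounts in ~25 minutes,
    then succeeds on one of them 10 minutes later. A second IP shows a user
    mistyping twice before logging in, which must not be reported as a spray."""
    base = datetime(2024, 3, 1, 9, 0, 0)
    spray_ip, legit_ip = "203.0.113.7", "198.51.100.20"   # constructed, documentation ranges
    lines = []
    for i in range(56):
        ts = base + timedelta(seconds=i * 27)              # 55 * 27 s is just under 25 minutes
        lines.append(f"{ts.isoformat()} src={spray_ip} user=user{i + 1:02d} result=FAIL")
    hit = base + timedelta(minutes=35)
    lines.append(f"{hit.isoformat()} src={spray_ip} user=user23 result=SUCCESS")
    for j, result in enumerate(["FAIL", "FAIL", "SUCCESS"]):
        ts = base + timedelta(minutes=5, seconds=j * 20)
        lines.append(f"{ts.isoformat()} src={legit_ip} user=carol result={result}")
    return "\n".join(sorted(lines))                        # ISO timestamps sort chronologically as text


def parse(log_text):
    """Turn raw lines into (timestamp, ip, user, result) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                                        # ignore lines in another format
        ts, ip, user, result = m.groups()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    events.sort()
    return events


def detect_password_spray(events):
    """Return {ip: finding} for source IPs whose failures have the spray shape:
    many distinct accounts, few failures per account, all inside WINDOW.
    A single-account brute force fails the MAX_FAILS_PER_ACCOUNT test instead."""
    fails = defaultdict(list)       # ip -> [(ts, user)] in time order
    successes = defaultdict(list)   # ip -> [(ts, user)]
    for ts, ip, user, result in events:
        (fails if result == "FAIL" else successes)[ip].append((ts, user))

    findings = {}
    for ip, attempts in fails.items():
        per_user = defaultdict(int)
        for _, user in attempts:
            per_user[user] += 1
        span = attempts[-1][0] - attempts[0][0]
        if len(per_user) < MIN_ACCOUNTS or span > WINDOW:
            continue
        if max(per_user.values()) > MAX_FAILS_PER_ACCOUNT:
            continue
        spray_start, spray_end = attempts[0][0], attempts[-1][0]
        # A success from the same IP during or shortly after the spray names the account to contain.
        hits = [(ts, user) for ts, user in successes.get(ip, [])
                if spray_start <= ts <= spray_end + FOLLOW_WINDOW]
        findings[ip] = {
            "accounts_targeted": len(per_user),
            "max_failures_per_account": max(per_user.values()),
            "spray_minutes": round(span.total_seconds() / 60, 1),
            "likely_compromised": sorted(user for _, user in hits),
        }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_password_spray(parse(build_sample_log())).items():
        print(ip, finding)
```

On the constructed log the detector reports 203.0.113.7 with 56 accounts targeted, one failure per account, and user23 as the account to treat as compromised; 198.51.100.20 is ignored because only one account is involved. The per-account cap is what separates this from option B's brute force: the same IP hammering one user would exceed MAX_FAILS_PER_ACCOUNT and fall through.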

175
Multi-Selecthard

EDR reports that a workstation launched PowerShell from a word processor, created a scheduled task named WinUpdateSvc, and began making repeated HTTPS connections to a rare external domain. The user is still logged in to several cloud apps. Which two response actions are best to initiate from the EDR console? Select two.

Select 2 answers
A.Isolate the endpoint from the network to stop further communication and lateral movement.
B.Collect an EDR triage package or memory-focused artifact before powering the device off.
C.Delete the scheduled task immediately so the host returns to normal operation.
D.Reimage the workstation from the golden image as the first response.
E.Ignore the alert because the PowerShell binary is built into Windows and therefore safe.
AnswersA, B

Isolation is the fastest way to contain a compromised endpoint when the device is still active. It prevents additional command-and-control traffic, reduces the chance of lateral movement, and can be done without immediately shutting down the machine. This is the primary EDR containment action in a live incident.

Why this answer

Option A is correct because isolating the endpoint from the network immediately stops the active HTTPS command-and-control (C2) communication and prevents lateral movement to other systems. Given the suspicious chain (word processor spawning PowerShell, creating a scheduled task, and connecting to a rare external domain), this is a strong indicator of a malware infection or unauthorized remote access. Isolation preserves the forensic state while cutting off the attacker's access.

Exam trap

The trap here is that candidates may think deleting the scheduled task (Option C) is sufficient to remediate, but the exam emphasizes that removing artifacts without addressing the root cause is ineffective, and that isolation and forensic collection are the correct first steps in incident response.

176
MCQmedium

Help desk staff must restart one Windows service and read its event logs on 150 servers, but they should not have local administrator rights or interactive logon to the systems. Which approach best supports this requirement?

A.Create one shared local administrator account for the entire help desk team.
B.Add the staff to the local Administrators group on every server.
C.Use a Just Enough Administration constrained endpoint for the allowed tasks.
D.Run the maintenance job under each technician's personal account on a schedule.
AnswerC

JEA lets administrators define narrowly scoped remote management rights, which is ideal for limited service control and log access.

Why this answer

Just Enough Administration (JEA) allows you to create constrained PowerShell endpoints that delegate specific administrative tasks—such as restarting a service and reading event logs—without granting full local administrator rights or interactive logon. By defining role capabilities that limit cmdlets and parameters, help desk staff can perform only the required operations on all 150 servers via a constrained endpoint, meeting the security requirement precisely.

Exam trap

The trap here is that candidates often assume that adding users to the local Administrators group or using a shared admin account is the simplest way to delegate tasks, overlooking that JEA provides a secure, auditable, and least-privilege alternative that specifically prevents interactive logon and limits command scope.

How to eliminate wrong answers

Option A is wrong because a shared local administrator account violates the principle of least privilege and non-repudiation, as it cannot audit individual actions and provides full administrative access. Option B is wrong because adding staff to the local Administrators group grants them interactive logon rights and unrestricted control over each server, which directly contradicts the requirement to avoid local admin rights and interactive logon. Option D is wrong because running the maintenance job under each technician's personal account on a schedule does not address the requirement to avoid interactive logon and administrative rights, fails to provide the on-demand, constrained access needed for ad-hoc restarts and log reading, and introduces scheduling complexity without addressing the delegation requirement.

177
MCQmedium

After seizing a suspected insider's laptop, a responder makes a bit-for-bit image of the drive. The legal team asks what step most directly proves the image was not altered after acquisition. What should be done?

A.Record the laptop's hostname and the user who last logged in.
B.Compute and document cryptographic hashes of the source media and the forensic image.
C.Copy the most recent files to a USB drive for quick review.
D.Return the laptop to the user once the image is saved.
AnswerB

Matching hashes provide strong integrity verification and are a standard way to show the acquired evidence has not changed.

Why this answer

Option B is correct because computing and documenting cryptographic hashes (e.g., SHA-256 or MD5) of both the source media and the forensic image immediately after acquisition creates a verifiable digital fingerprint. If the hash values match, it proves that the image is an exact, unaltered copy of the original drive. This step is foundational to maintaining the chain of custody and ensuring data integrity in forensic investigations.

Exam trap

The trap here is that candidates may confuse documentation steps (like recording hostnames) with integrity verification, or think that copying files to a USB drive is a valid forensic preservation method, when only cryptographic hashing provides mathematical proof of non-alteration.

How to eliminate wrong answers

Option A is wrong because recording the hostname and last logged-in user is part of documentation but does not provide any cryptographic verification that the image was not altered after acquisition. Option C is wrong because copying the most recent files to a USB drive for quick review introduces a separate copy that is not a bit-for-bit duplicate and does not prove the integrity of the original forensic image. Option D is wrong because returning the laptop to the user after imaging violates chain of custody and could allow tampering with the original evidence, but it does not directly prove the image was unaltered.
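The hashing step the explanation describes is two computations and a record: hash the source media, hash the image, document both, and keep the record so the image can be hashed again later and compared. The following is an added example written for this page, not code from the question bank or from any forensic tool; the in-memory "media", the case identifier and the examiner name are constructed, and on a real acquisition the source stream would be a block device read through a hardware write blocker.

```python
"""Hash-based integrity verification of a forensic image against its source media.

Added example, not part of the question bank. The in-memory media and the case
details are constructed; a real source would be read through a write blocker.
"""
import hashlib
import io
import json
import random
from datetime import datetime, timezone

CHUNK_SIZE = 1 << 20              # 1 MiB reads, so a multi-terabyte image never has to fit in memory
ALGORITHMS = ("sha256", "md5")    # the two the explanation names; sha256 is the one to rely on


def hash_stream(stream):
    """Hash a readable binary stream with every algorithm in ALGORITHMS in one pass."""
    hashers = {name: hashlib.new(name, usedforsecurity=False) for name in ALGORITHMS}
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_acquisition(source, image, case_id, examiner):
    """Hash source media and image, compare them, and return a chain-of-custody record."""
    source_hashes = hash_stream(source)
    image_hashes = hash_stream(image)
    return {
        "case_id": case_id,
        "examiner": examiner,
        "verified_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "source_hashes": source_hashes,
        "image_hashes": image_hashes,
        "verified": source_hashes == image_hashes,
    }


def reverify_image(image, record):
    """Later, before analysis or in court: does the image still match the documented hashes?"""
    return hash_stream(image) == record["image_hashes"]


def verify_bytes(source_bytes, image_bytes, case_id, examiner):
    """Convenience wrapper for in-memory samples."""
    return verify_acquisition(io.BytesIO(source_bytes), io.BytesIO(image_bytes), case_id, examiner)


def reverify_bytes(image_bytes, record):
    """Convenience wrapper for in-memory samples."""
    return reverify_image(io.BytesIO(image_bytes), record)


def make_sample_media(size=2 * CHUNK_SIZE + 12345):
    """Constructed stand-in for a disk: deterministic pseudo-random bytes, not a real image."""
    return random.Random(2024).randbytes(size)


def tamper(data, offset=4096):
    """Flip one bit at the given offset to simulate an image altered after acquisition."""
    buf = bytearray(data)
    buf[offset] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    disk = make_sample_media()
    record = verify_bytes(disk, disk, "CASE-2024-017", "J. Doe")     # constructed case details
    print(json.dumps(record, indent=2))
    print("image still intact:", reverify_bytes(disk, record))
    print("tampered image intact:", reverify_bytes(tamper(disk), record))
```

The record is the artifact the legal team is asking for: matching source and image hashes at acquisition time, and a stored image hash that anyone can recompute later. A single flipped bit anywhere in the image changes every digest, so reverify_image returns False for the tampered copy while the untouched copy still verifies.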

178
MCQmedium

A SOC analyst receives an alert from the VPN appliance and identity platform. In the last 10 minutes, a user account had 14 failed VPN logons from one country, then one successful login from a different country. The user calls the help desk and says they have not used their account today. What should the analyst do first?

A.Block the foreign IP address at the firewall and wait for more alerts before acting.
B.Disable the user account and revoke active sessions or tokens while escalating the event as a suspected account compromise.
C.Reset the user password and close the alert because the new password will stop the attack.
D.Reimage the user’s laptop immediately to remove any possible malware before taking other steps.
AnswerB

The successful login after repeated failures, combined with the user’s confirmation that they were not active, strongly suggests compromise. The fastest effective containment is to disable the account and invalidate existing sessions or tokens so the attacker cannot continue using stolen credentials. This preserves the ability to investigate while stopping ongoing access. It is a stronger first action than a password reset alone, which may leave active tokens usable.

Why this answer

Option B is correct because the combination of multiple failed logins from one country followed by a successful login from a different country, combined with the user's denial of activity, is a classic indicator of account compromise (e.g., credential stuffing or token theft). Disabling the account and revoking active sessions/tokens immediately stops the attacker's access, preventing further lateral movement or data exfiltration, while escalation ensures proper incident response. This aligns with the CompTIA incident response process: identification, containment, eradication, and recovery.

Exam trap

The trap here is that candidates may think resetting the password (Option C) is sufficient, but they overlook that active sessions and tokens must be explicitly revoked to fully contain the compromise, as per CompTIA's emphasis on session management in incident response.

How to eliminate wrong answers

Option A is wrong because blocking the foreign IP address alone is insufficient—the attacker may use multiple IPs or proxies, and waiting for more alerts delays containment, allowing the attacker to continue malicious activity. Option C is wrong because resetting the password without revoking active sessions or tokens leaves existing authenticated sessions intact; the attacker could still use a stolen session token or OAuth refresh token to maintain access. Option D is wrong because reimaging the laptop is premature and unnecessary—the compromise is likely credential-based, not malware-based, and the user's laptop may not be involved; this wastes time and resources before proper investigation.

179
MCQmedium

A user reports that a shared department drive is rapidly renaming files and creating ransom notes on a Windows file server. The SOC confirms suspicious activity is still occurring on that server. What should the incident responder do first?

A.Shut down the server immediately to stop all malicious activity.
B.Isolate the server from the network while keeping it powered on if possible.
C.Restore the drive from backup before collecting any evidence.
D.Inform users to continue working until the forensic team arrives.
AnswerB

Network isolation contains the spread while preserving memory and other volatile evidence for analysis.

Why this answer

Option B is correct because the immediate priority is to contain the ransomware outbreak by isolating the server from the network, which stops the malicious activity from spreading to other systems while preserving volatile evidence (e.g., running processes, memory contents) for forensic analysis. Powering off the server (Option A) would destroy this critical evidence and may not stop the encryption process if it is already in memory. Isolation via network disconnection (e.g., disabling the NIC or unplugging the cable) is the standard first step in incident response for active ransomware.

Exam trap

The trap here is that candidates assume immediate shutdown (Option A) is the safest action, but CompTIA emphasizes containment without destroying evidence, making network isolation the correct first step in active ransomware incidents.

How to eliminate wrong answers

Option A is wrong because shutting down the server immediately destroys volatile evidence (e.g., memory-resident malware, active network connections) and may allow the ransomware to complete encryption on disk before the OS halts. Option C is wrong because restoring from backup before collecting evidence can overwrite forensic artifacts and may reintroduce the vulnerability if the root cause is not identified. Option D is wrong because informing users to continue working risks further data loss and lateral movement of the ransomware across the network.

180
Matchingmedium

Match each security monitoring artifact from the SOC alert queue to the best investigation focus.


Concepts
Matches

Investigate possible script-based malware execution launched through a document

Check for suspicious domain lookups that may indicate command-and-control activity

Look for beaconing behavior from a potentially compromised endpoint

Assess for stolen credentials or credential-stuffing activity

Why these pairings

Each alert type suggests a specific investigation focus: phishing requires email analysis; malware needs file/behavior analysis; brute force focuses on auth logs; data exfiltration looks at outbound traffic; privileged misuse examines user activity; ransomware involves encryption events.

181
MCQmedium

A digital forensics analyst is investigating a suspected insider threat. The analyst has acquired a laptop used by the suspect. The analyst needs to obtain a forensic image of the hard drive without altering any data. The laptop is running and logged into the suspect's user account. Which of the following is the most appropriate first step for the analyst to take?

A.Pull the power cord from the laptop to immediately shut down the system and prevent any further system writes.
B.Boot the laptop from a forensic boot CD that loads a write-blocker driver and then create a forensic image.
C.Perform a live acquisition of the hard drive using a network forensic tool while the system is still running.
D.Ask the suspect to log off and shut down the laptop normally, then remove the hard drive and image it using a write-blocker.
AnswerA

This is correct because powering off by unplugging immediately stops the operating system from writing any additional data to the hard drive, preserving the current state. After the system is off, the analyst can safely remove the drive and image it using a hardware write-blocker.

Why this answer

Option A is correct because immediately removing power (hard shutdown) stops all system writes and preserves the current state of the hard drive without any further changes. This is critical in forensic acquisition to maintain data integrity and avoid altering evidence, especially when the system is logged in and actively writing to the disk.

Exam trap

The trap here is that candidates often choose live acquisition (Option C) thinking it preserves volatile data, but the question specifically asks for a forensic image of the hard drive without altering data, and a hard shutdown is the only method that guarantees no further writes to the disk.

How to eliminate wrong answers

Option B is wrong because booting from a forensic CD would require a reboot, which alters the system state (e.g., writes to memory, changes page files, and may trigger TRIM on SSDs), potentially destroying volatile evidence and violating forensic best practices. Option C is wrong because performing a live acquisition while the system is running risks modifying the disk (e.g., file system metadata updates, journal writes, and background processes) and may not capture a bit-for-bit accurate image due to active writes during the acquisition process.

182
Multi-Select · easy

A SOC analyst reviews one user account and sees several failed logins from a single IP, then a successful login from the same IP, followed by a new inbox forwarding rule to an external address. Which two findings most strongly suggest account compromise? Select two.

Select 2 answers
A. Repeated failed logins followed by a successful login from the same source IP.
B. The user authenticated during normal business hours.
C. A new inbox forwarding rule sends mail to an external address.
D. The user accessed email from a corporate laptop.
E. The password age is 89 days.
Answers: A, C

This pattern matches credential guessing or spraying followed by a successful sign-in.

Why this answer

Option A is correct because a brute-force attack pattern—multiple failed logins followed by a successful authentication from the same external IP—strongly indicates credential compromise. This sequence suggests the attacker guessed or obtained the password and then successfully logged in. The single source IP ties the failed attempts to the eventual successful session, making it a classic indicator of account takeover.

Exam trap

Cisco often tests the concept that a single successful login after failures is not enough—candidates must recognize that the forwarding rule is the second critical indicator, not the timing of the login.
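The two indicators from this question, correlated over constructed sign-in and mailbox-audit records (an added detection example, not part of the question bank; the account names, IPs, thresholds and the corporate domain are assumptions):

```python
"""Added example: flag an account that shows a failed-then-successful login
burst from one source IP followed by a new inbox rule forwarding mail to an
external domain. All events below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example.com"  # assumed corporate mail domain

# Constructed sign-in log: (timestamp, user, source_ip, result)
SIGNIN_EVENTS = [
    ("2024-05-01T08:01:10", "j.doe", "203.0.113.7", "FAIL"),
    ("2024-05-01T08:01:14", "j.doe", "203.0.113.7", "FAIL"),
    ("2024-05-01T08:01:19", "j.doe", "203.0.113.7", "FAIL"),
    ("2024-05-01T08:01:25", "j.doe", "203.0.113.7", "FAIL"),
    ("2024-05-01T08:02:02", "j.doe", "203.0.113.7", "SUCCESS"),
    ("2024-05-01T09:15:00", "a.lee", "198.51.100.4", "SUCCESS"),
]

# Constructed mailbox audit log: (timestamp, user, action, forward_to)
MAILBOX_EVENTS = [
    ("2024-05-01T08:04:40", "j.doe", "New-InboxRule", "collector@mail.example.net"),
    ("2024-05-01T09:20:00", "a.lee", "New-InboxRule", "a.lee@example.com"),
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def find_guess_then_success(events, min_failures=3, window=timedelta(minutes=15)):
    """Return {user: [(ip, failure_count, success_ts), ...]} for every
    (user, ip) pair with >= min_failures failures followed by a success
    from the same IP inside `window` (the pattern in option A)."""
    hits = defaultdict(list)
    failures = defaultdict(list)  # (user, ip) -> timestamps of recent failures
    for ts_s, user, ip, result in sorted(events):  # ISO timestamps sort correctly
        ts = parse_ts(ts_s)
        key = (user, ip)
        if result == "FAIL":
            failures[key].append(ts)
        elif result == "SUCCESS":
            recent = [t for t in failures[key] if ts - t <= window]
            if len(recent) >= min_failures:
                hits[user].append((ip, len(recent), ts))
            failures[key] = []  # a success ends the streak either way
    return hits


def find_external_forwarding(events, internal_domain=INTERNAL_DOMAIN):
    """Return {user: [(rule_ts, destination), ...]} for inbox rules that
    forward to an address outside the corporate domain (option C)."""
    hits = defaultdict(list)
    for ts_s, user, action, target in events:
        if action != "New-InboxRule" or not target:
            continue
        domain = target.rsplit("@", 1)[-1].lower()
        if domain != internal_domain:
            hits[user].append((parse_ts(ts_s), target))
    return hits


def correlate(signins, mailbox, max_gap=timedelta(hours=24)):
    """Pair the two indicators: an external forwarding rule created within
    max_gap after a guess-then-success login by the same account."""
    findings = []
    logins = find_guess_then_success(signins)
    rules = find_external_forwarding(mailbox)
    for user in logins.keys() & rules.keys():
        for ip, n_fail, success_ts in logins[user]:
            for rule_ts, dest in rules[user]:
                if timedelta(0) <= rule_ts - success_ts <= max_gap:
                    findings.append({
                        "user": user,
                        "source_ip": ip,
                        "failures": n_fail,
                        "login_at": success_ts.isoformat(),
                        "rule_at": rule_ts.isoformat(),
                        "forward_to": dest,
                    })
    return findings


if __name__ == "__main__":
    for f in correlate(SIGNIN_EVENTS, MAILBOX_EVENTS):
        print("possible account takeover:", f)
```

Either indicator alone is weaker evidence than the pair, which is why the correlation requires both for the same account within a short window.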

183
MCQ · hard

Based on the exhibit, what is the most important next IR action?

A. Change the password again and monitor the mailbox for a few days.
B. Revoke active sessions and OAuth consent grants for the account.
C. Restore the deleted inbox rule from backup to preserve evidence.
D. Close the incident because the forwarding rule was removed.
Answer: B

The password has already been changed and the inbox rule removed, but the audit trail shows an OAuth consent grant and a refresh token issued from an unfamiliar IP. Those tokens can continue to authorize access even after a password reset. Revoking active sessions and removing the malicious consent closes the persistent access path.

Why this answer

The exhibit shows a compromised account with a suspicious inbox rule forwarding emails externally. The most critical next step is to revoke active sessions and OAuth consent grants to immediately terminate the attacker's access and prevent further data exfiltration, as changing the password alone does not invalidate existing OAuth tokens or active sessions.

Exam trap

The trap here is that candidates assume changing the password is sufficient to stop an attacker, but they overlook that OAuth tokens and active sessions persist independently of password changes, allowing continued unauthorized access.

How to eliminate wrong answers

Option A is wrong because changing the password again does not revoke existing OAuth tokens or active sessions, so the attacker could maintain access via cached credentials or token-based authentication. Option C is wrong because restoring the deleted inbox rule from backup is not the most important next action; preserving evidence is secondary to stopping active compromise, and the rule may have already been removed by the attacker. Option D is wrong because closing the incident after removing the forwarding rule ignores the fact that the attacker still has active sessions and OAuth grants, leaving the account vulnerable to further abuse.

184
MCQ · medium

A security analyst notices a sudden increase in outbound traffic from a database server that normally only communicates with internal application servers. The server is running a standard OS with no recent changes. Which of the following actions should the analyst take FIRST to determine if the server is compromised?

A. Run a full antivirus scan on the server.
B. Check the server's running processes for unknown executables.
C. Block all outbound traffic from the server at the firewall.
D. Review the server's event logs for failed login attempts.
Answer: B

Reviewing running processes is a fast, direct way to identify suspicious programs that might be generating the unusual traffic. Unfamiliar processes are a classic indicator of compromise.

Why this answer

Checking the server's running processes for unknown executables is the first and most direct step to identify if an attacker has established a foothold. A sudden outbound traffic spike without recent configuration changes strongly suggests a malicious process (e.g., a reverse shell or data exfiltration tool) is running. Examining running processes allows the analyst to spot suspicious executables or command-line arguments before taking more disruptive actions like blocking traffic or running a scan.

Exam trap

The trap here is that candidates often jump to blocking traffic (Option C) as a quick fix, but the FIRST action must be to gather evidence by inspecting running processes, as blocking prematurely destroys forensic data and violates the principle of 'do no harm' during incident response.

How to eliminate wrong answers

Option A is wrong because running a full antivirus scan is a reactive, signature-based step that may miss custom or fileless malware, and it can take significant time, delaying the immediate investigation of the anomalous traffic. Option C is wrong because blocking all outbound traffic at the firewall is a containment action that should be taken after confirming compromise, not first, as it could disrupt legitimate business operations and alert the attacker prematurely. Option D is wrong because reviewing event logs for failed login attempts focuses on authentication anomalies, which is less relevant when the traffic spike is already occurring and the server has no recent changes; the priority is to identify currently running malicious processes.

185
Multi-Select · medium

An investigator needs to make a forensic image of a suspect laptop without changing the original drive contents. Which two practices should be used? Select two.

Select 2 answers
A. Use a hardware or software write blocker during acquisition
B. Record SHA-256 hashes of the source and the image to verify integrity
C. Mount the drive read/write so hidden files are easier to access
D. Defragment the drive first to improve imaging speed
E. Install triage tools directly on the suspect laptop
Answers: A, B

A write blocker prevents the acquisition tool from modifying the source drive.

Why this answer

A hardware or software write blocker is essential because it intercepts and blocks any write commands from the operating system to the suspect drive, ensuring that no data is altered during acquisition. This preserves the original drive's contents in a forensically sound state, which is a fundamental requirement for evidence admissibility.

Exam trap

The trap here is that candidates often confuse 'verifying integrity after acquisition' (option B) with 'preventing alteration during acquisition' (option A), or they mistakenly think that mounting a drive read/write is acceptable if done carefully, not realizing that even read-only mounting by the OS can write metadata.

186
MCQ · medium

A security analyst is reviewing network flow logs and notices a series of outbound connections from a single internal workstation to an external IP address on TCP port 443. The connections occur every 5 minutes, each lasting about 2 seconds, and the amount of data transferred per connection is consistently around 1 KB. The workstation's user reports no unusual activity. The analyst checks the host's EDR logs and sees no malicious processes or known indicators. Which type of activity is this pattern most consistent with?

A. Beaconing to a command-and-control server
B. Normal software update check
C. DNS tunneling
D. Data exfiltration via HTTPS
Answer: A

Correct. Beaconing is characterized by regular, periodic connections with small data transfers, used by malware to maintain a persistent command-and-control channel. The fixed 5-minute interval and ~1 KB payload strongly match this pattern.

Why this answer

This pattern is most consistent with beaconing to a command-and-control (C2) server because the connections are periodic (every 5 minutes), short-lived (2 seconds), and consistently transfer a small amount of data (~1 KB) over HTTPS (TCP 443). These characteristics—regular intervals, low data volume, and stealthy use of encrypted channels—are hallmarks of C2 beaconing used by malware to maintain persistence and receive instructions without raising immediate suspicion.

Exam trap

The trap here is that candidates confuse periodic HTTPS connections with normal software updates, but the key differentiator is the extremely consistent timing and tiny data size—updates are rarely this regular or this small, while C2 beaconing is designed to be minimal and predictable to evade detection.

How to eliminate wrong answers

Option B is wrong because normal software update checks typically occur at irregular intervals (e.g., daily or weekly) or on system startup, not every 5 minutes, and they often transfer larger payloads (e.g., several MB) or involve multiple connections to CDNs, not a consistent ~1 KB transfer every 5 minutes. Option C is wrong because DNS tunneling uses UDP port 53 (or TCP 53 for large queries) to encapsulate data in DNS requests/responses, not TCP port 443, and would show unusual DNS query patterns (e.g., long subdomains, high query rates) rather than consistent HTTPS connections. Option D is wrong because data exfiltration via HTTPS typically involves larger data transfers (e.g., multiple MB or GB) or sustained throughput, not a tiny 1 KB every 5 minutes, and would likely show anomalous outbound data volumes or unusual destination IPs, not a fixed, low-bandwidth pattern.
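The differentiator this question relies on, turned into detection logic over constructed flow records (an added example, not part of the question bank; the IPs, thresholds and the shape of the flow log are assumptions). It scores one source-to-destination series on interval regularity and size uniformity, so the 5-minute / 2-second / ~1 KB series is flagged while an irregular update-check series with mixed sizes is not:

```python
"""Added example: score src->dst:port flow series for beaconing.
Low variance in inter-connection interval plus small, uniform byte counts
is the pattern described in the question. All flows are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def _make_flows():
    """Constructed flow log: (start_ts, src_ip, dst_ip, dst_port, duration_s, bytes)."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    jitter = [0, 2, -1, 3, 0, -2, 1, 0, 2, -1, 1, 0]  # seconds of timing noise
    # Twelve connections roughly every 300 s, ~2 s long, ~1 KB each (assumed C2 beacon shape).
    beacon = [
        ((base + timedelta(seconds=300 * i + jitter[i])).isoformat(),
         "10.1.4.22", "203.0.113.50", 443, 2, 1000 + 40 * (i % 3))
        for i in range(12)
    ]
    # Six update checks at irregular hours with a mix of tiny polls and large downloads.
    updates = [
        ((base + timedelta(hours=h)).isoformat(), "10.1.4.22", "198.51.100.9", 443, dur, nbytes)
        for h, dur, nbytes in [(0, 1, 1200), (1, 45, 3_500_000), (5, 1, 900),
                               (26, 60, 12_000_000), (27, 2, 1100), (50, 1, 950)]
    ]
    return beacon + updates


FLOWS = _make_flows()


def _cv(values):
    """Coefficient of variation: spread relative to the mean (0 = perfectly regular)."""
    m = mean(values)
    return pstdev(values) / m if m else 0.0


def score_series(starts, durations, sizes, min_connections=6,
                 max_interval_cv=0.10, max_size_cv=0.25, max_bytes=4096):
    """Return metrics and a verdict for one src->dst:port series.
    Thresholds are illustrative; tune them against your own baseline."""
    if len(starts) < min_connections:
        return {"n": len(starts), "verdict": "too few connections"}
    starts = sorted(starts)
    intervals = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    metrics = {
        "n": len(starts),
        "mean_interval_s": round(mean(intervals), 1),
        "interval_cv": round(_cv(intervals), 3),
        "mean_bytes": round(mean(sizes)),
        "size_cv": round(_cv(sizes), 3),
        "mean_duration_s": round(mean(durations), 1),
    }
    periodic = metrics["interval_cv"] <= max_interval_cv
    tiny_and_uniform = metrics["mean_bytes"] <= max_bytes and metrics["size_cv"] <= max_size_cv
    metrics["verdict"] = "beaconing candidate" if periodic and tiny_and_uniform else "not beacon-like"
    return metrics


def analyze(flows):
    """Group flows by (src, dst, port) and score each series."""
    series = defaultdict(lambda: ([], [], []))
    for ts, src, dst, port, dur, nbytes in flows:
        s, d, b = series[(src, dst, port)]
        s.append(datetime.fromisoformat(ts))
        d.append(dur)
        b.append(nbytes)
    return {key: score_series(*vals) for key, vals in series.items()}


if __name__ == "__main__":
    for key, m in analyze(FLOWS).items():
        print(key, m)
```

A flagged series is a lead, not a verdict: the next step is to check the destination against threat intelligence and the host's process and connection history, as the question's EDR review illustrates.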

187
MCQ · easy

Based on the exhibit, what should the team do next to confirm the backups can actually be used during an outage?

A. Increase the retention period before making any restore attempts.
B. Perform a test restore to a nonproduction location and verify the recovered files.
C. Delete older backup sets so the backup window is shorter.
D. Convert the backups to full backups only so the status report is simpler.
Answer: B

A test restore is the best way to validate that backups are usable during recovery. Successful backup jobs alone do not guarantee that data can be restored quickly, completely, or without corruption. Restoring to a nonproduction location confirms the files open correctly and helps the team measure recovery readiness before an actual incident.

Why this answer

Option B is correct because the only way to confirm that backups are usable during an outage is to perform a test restore to a nonproduction location and verify the recovered files. This validates the integrity of the backup data, the restore process, and that the files are complete and functional, which is a core principle of backup validation (often called a 'restore test' or 'disaster recovery drill'). Simply reviewing backup status reports or increasing retention does not prove that the data can be successfully restored.

Exam trap

The trap here is that candidates often assume a successful backup job (green status) guarantees recoverability, but the exam tests the distinction between backup completion and restore validation—CompTIA often tests this by making 'increase retention' or 'simplify backup type' seem like proactive steps, when only a test restore confirms usability.

How to eliminate wrong answers

Option A is wrong because increasing the retention period only keeps more historical copies of backups; it does not test whether those backups are actually restorable or contain valid data. Option C is wrong because deleting older backup sets to shorten the backup window does not validate the usability of the remaining backups and may actually reduce recovery point objectives (RPO) unnecessarily. Option D is wrong because converting to full backups only simplifies the status report but does not test the restore process; full backups can still be corrupt or incomplete without a restore verification.

188
MCQ · medium

A SOC analyst receives an alert that a domain admin account authenticated to a file server at 02:14 from a jump host that is normally used only by the infrastructure team. The Windows logs also show a scheduled task launching a backup script at the same time, and the backup team says the task was created during yesterday's change window. What is the best next step to determine whether this is a false positive?

A. Disable the domain admin account immediately and wait for the backup team to respond.
B. Correlate the authentication event with the change ticket and the scheduled task details.
C. Escalate the alert as confirmed compromise because the login occurred after hours.
D. Delete the scheduled task so it cannot be used again.
Answer: B

This directly verifies whether the login and task were expected parts of an approved maintenance activity.

Why this answer

Option B is correct because the alert involves a domain admin authentication from a jump host at an unusual time, but the scheduled task was created during a change window. Correlating the authentication event with the change ticket and the scheduled task details allows the SOC analyst to verify if the activity was authorized, preventing unnecessary incident response. This step aligns with the incident response process of validating alerts before taking action.

Exam trap

The trap here is that candidates assume any after-hours admin login is malicious, but the scheduled task created during a change window provides a legitimate explanation that must be verified through correlation.

How to eliminate wrong answers

Option A is wrong because disabling the domain admin account immediately without investigation could disrupt legitimate operations and is premature; the activity may be authorized. Option C is wrong because escalating as a confirmed compromise based solely on after-hours login ignores the possibility of scheduled maintenance or authorized changes, leading to false positives. Option D is wrong because deleting the scheduled task destroys evidence and could break legitimate business processes; the task should be analyzed, not removed.

189
MCQ · easy

After a workstation hardening baseline is updated, the security team wants to confirm that finance laptops actually match the new settings. Which control is the best way to verify this?

A. Run a configuration compliance scan against the updated baseline
B. Ask users whether they think their laptops are secure
C. Assume the baseline was applied because the change ticket was approved
D. Delete the old baseline so there is only one policy to reference
Answer: A

A compliance scan directly compares the endpoint settings to the approved baseline and identifies gaps quickly.

Why this answer

A configuration compliance scan compares the current settings of the finance laptops against the updated hardening baseline. This automated process checks specific registry keys, file permissions, service states, and security policy settings (e.g., via SCAP or CIS benchmarks) to verify alignment. It provides objective, measurable evidence of compliance, unlike subjective user feedback or assumptions.

Exam trap

The trap here is that candidates may confuse change management approval (Option C) with actual technical verification, overlooking the need for a direct compliance check to confirm implementation.

How to eliminate wrong answers

Option B is wrong because asking users whether they think their laptops are secure relies on subjective opinion and lacks technical verification; users cannot accurately assess registry settings, service configurations, or Group Policy objects. Option C is wrong because assuming the baseline was applied based solely on an approved change ticket ignores the possibility of failed deployments, manual overrides, or configuration drift; change management does not guarantee technical enforcement. Option D is wrong because deleting the old baseline does not verify that the new settings are actually applied; it only removes a reference point, leaving no way to measure compliance or detect deviations.

190
MCQ · medium

A company is placing a customer-facing web application behind a new security control. The team wants to block malicious HTTP requests such as injection attempts before they reach the application server, with minimal code changes to the app itself. Which control is the best fit?

A. Network access control (NAC) at the switch port.
B. Web application firewall (WAF) in front of the application.
C. Data loss prevention (DLP) on the email gateway.
D. Endpoint detection and response (EDR) on the web server only.
Answer: B

A WAF inspects HTTP traffic and can block common web exploits without requiring changes to the application code.

Why this answer

A web application firewall (WAF) is specifically designed to inspect and filter HTTP/HTTPS traffic at the application layer (Layer 7), blocking malicious payloads such as SQL injection and cross-site scripting (XSS) before they reach the web server. It operates without requiring changes to the application code, making it the ideal choice for this scenario.

Exam trap

The trap here is that candidates may confuse a WAF with a network firewall or NAC, thinking any 'security control' placed in front of a server can block application-layer attacks, but only a WAF operates at Layer 7 with HTTP-specific inspection capabilities.

How to eliminate wrong answers

Option A is wrong because Network Access Control (NAC) operates at Layer 2/3 to enforce access policies based on device posture or authentication at the switch port, and it cannot inspect or block application-layer HTTP attacks like injection attempts. Option C is wrong because Data Loss Prevention (DLP) on the email gateway is designed to monitor and prevent exfiltration of sensitive data in email traffic, not to filter malicious HTTP requests targeting a web application. Option D is wrong because Endpoint Detection and Response (EDR) on the web server only detects and responds to threats at the host level after they have reached the server, whereas the requirement is to block attacks before they reach the application server with minimal code changes.

191
MCQ · medium

An employee reports a ransomware note on a file server. The server is still powered on, shares are still being accessed, and management wants service restored as quickly as possible. What should the incident response team do first?

A. Power off the server immediately to stop all attacker activity
B. Isolate the server from the network while keeping it powered on
C. Start restoring from backup before collecting any logs or memory data
D. Delete the ransomware note and suspicious files to reduce business disruption
Answer: B

Isolation contains spread and preserves volatile data, which supports both recovery decisions and investigation.

Why this answer

The correct first step is to isolate the server from the network while keeping it powered on. This preserves volatile evidence (e.g., memory, running processes, network connections) that is critical for forensic analysis and understanding the ransomware's entry vector. Powering off would destroy this data, and restoring from backup prematurely could reintroduce the infection or miss evidence needed to prevent recurrence.

Exam trap

The trap here is that candidates often assume immediate power-off is the safest containment action, but CompTIA emphasizes preserving volatile evidence first, as powering off destroys critical forensic data that may be needed for decryption or attribution.

How to eliminate wrong answers

Option A is wrong because powering off the server immediately destroys volatile data in RAM (e.g., encryption keys, active network connections, process artifacts) that are essential for forensic analysis and may be needed to decrypt files or identify the ransomware variant. Option C is wrong because restoring from backup before collecting logs or memory data risks restoring an infected state or missing evidence that could reveal how the ransomware entered, allowing it to strike again.

192
MCQ · medium

A security analyst receives an alert from the intrusion detection system (IDS) indicating a high volume of outbound traffic from a single internal workstation to an external IP address known to be associated with a command-and-control (C2) server. The workstation's user reports no unusual activity. Which of the following should the analyst do FIRST?

A. Disconnect the workstation from the network.
B. Run a full antivirus scan on the workstation.
C. Review firewall logs to see if the traffic is being blocked.
D. Inform the user to shut down the workstation.
Answer: A

This is correct because immediate containment is critical. Isolating the workstation stops potential data exfiltration and prevents the attacker from using the system to move laterally or execute further commands.

Why this answer

The IDS alert indicates a high volume of outbound traffic to a known C2 server, which strongly suggests the workstation is compromised and communicating with an attacker. Disconnecting the workstation from the network (Option A) is the immediate containment step to prevent data exfiltration and further C2 communication, following the NIST incident response framework's containment phase. This action stops the threat at the network layer without waiting for additional analysis.

Exam trap

CompTIA often tests the principle that containment (disconnecting the network) must precede eradication (antivirus scan) or analysis (log review), and the trap here is that candidates choose a less disruptive step like running a scan or checking logs, thinking they need more data before acting.

How to eliminate wrong answers

Option B is wrong because running a full antivirus scan takes time and may not detect advanced or custom malware, and it does not stop ongoing C2 traffic; containment must occur first. Option C is wrong because reviewing firewall logs to see if traffic is blocked is a passive analysis step that delays containment; the IDS already detected the traffic, so the priority is to stop it, not verify blocking. Option D is wrong because informing the user to shut down the workstation relies on the user's action, which introduces delay and potential error, and shutdown may destroy volatile evidence (e.g., memory artifacts) needed for forensic analysis.

193
MCQ · medium

A SOC analyst receives an EDR alert showing a finance laptop creating encrypted archives and then attempting SMB connections to several internal file shares. The user is still logged in, and the business wants to stop possible spread without destroying volatile evidence. What should the analyst do first?

A. Power off the laptop immediately to stop all activity.
B. Isolate the endpoint from the network using the EDR containment feature.
C. Reimage the laptop from a gold image as soon as possible.
D. Disable the user account in Active Directory and wait for the malware to stop.
Answer: B

This cuts off the host from reaching other systems while preserving the powered-on state, which helps protect volatile evidence.

Why this answer

Option B is correct because the EDR containment feature isolates the endpoint from the network while preserving all running processes, memory, and disk state. This stops the encrypted archives from being exfiltrated via SMB and prevents lateral movement, but keeps volatile evidence (e.g., active malware processes, network connections) intact for forensic analysis.

Exam trap

The trap here is that candidates confuse 'stopping the spread' with 'destroying evidence,' and choose power-off or reimage, failing to recognize that containment in EDR is designed specifically to halt network propagation while preserving forensic data.

How to eliminate wrong answers

Option A is wrong because powering off the laptop destroys volatile evidence (e.g., memory-resident malware, active network connections, encryption keys in RAM) and may trigger anti-forensic mechanisms. Option C is wrong because reimaging wipes all data, including critical forensic artifacts like the encrypted archives, malware binaries, and registry changes, making incident response impossible. Option D is wrong because disabling the user account does not stop the malware already running on the laptop from continuing its SMB connections and encryption activity, as the process operates with the user's cached credentials or tokens.

194
Multi-Select · medium

A company is implementing controls to protect against insider threats. Which three of the following controls are most effective for detecting and preventing data exfiltration by a malicious insider? (Choose three.)

Select 3 answers
A. Deploying Data Loss Prevention (DLP) solutions to monitor and block sensitive data leaving via email or USB
B. Implementing user behavior analytics (UBA) to flag unusual access patterns or large downloads
C. Enforcing strict role-based access controls (RBAC) with the principle of least privilege
D. Requiring all employees to use complex passwords changed every 30 days
E. Installing antivirus software on all endpoints
F. Conducting annual security awareness training for all staff

Why this answer

Data Loss Prevention (DLP) solutions are effective because they can inspect content in real time, blocking sensitive data from being sent via email, copied to USB, or uploaded to cloud services. User Behavior Analytics (UBA) detects anomalies such as a user downloading thousands of records at 3 AM, which is a strong indicator of malicious intent. Role-Based Access Control (RBAC) with least privilege limits the data a user can access, reducing the attack surface and making exfiltration harder even if credentials are compromised.

Exam trap

The trap here is that candidates often confuse general security controls (like password policies or antivirus) with controls specifically designed to detect or prevent data exfiltration, leading them to select options that are good security practices but irrelevant to the scenario.

195
MCQ · medium

An email attachment from an external supplier is not blocked by signature-based AV, but the SOC wants to see whether it drops files, launches child processes, or contacts suspicious domains before delivery to users. Which control best fits?

A. Network IDS, because it passively monitors traffic for known threats.
B. Sandboxing, because it detonates the file in an isolated environment.
C. DLP, because it prevents sensitive data from leaving the organization.
D. NAC, because it controls whether a device can join the network.
Answer: B

A sandbox can safely execute the attachment and reveal malicious actions such as file drops, process spawning, and outbound callbacks.

Why this answer

Sandboxing is the correct control because it detonates the file in an isolated, virtualized environment to observe its runtime behavior, such as dropping files, spawning child processes, or making outbound connections to suspicious domains. This goes beyond signature-based AV by analyzing dynamic behavior rather than static file hashes or patterns. The SOC's goal is to assess the file's actions before delivery, which sandboxing directly addresses.

Exam trap

The trap here is that candidates confuse passive monitoring (IDS) with active behavioral analysis (sandboxing), assuming IDS can detect unknown threats by watching traffic, but IDS lacks the ability to execute and observe the file's runtime actions in an isolated environment.

How to eliminate wrong answers

Option A is wrong because Network IDS passively monitors traffic for known threat signatures but cannot detonate or analyze the behavior of an email attachment in isolation; it would only alert on network-level indicators after the file is executed. Option C is wrong because DLP (Data Loss Prevention) focuses on preventing sensitive data from leaving the organization via monitoring content in transit or at rest, not on analyzing file behavior or detecting malicious actions like dropping files or contacting domains. Option D is wrong because NAC (Network Access Control) enforces policies on device compliance and network admission, such as checking for up-to-date antivirus or patch levels, and has no capability to execute or analyze email attachments for behavioral threats.

196
MCQ · easy

Based on the exhibit, what should the analyst do before opening the forensic image for examination?

A. Mount the image read-write so the analyst can begin searching immediately.
B. Calculate and compare the image hash to the source hash before analysis.
C. Defragment the original SSD so the files will be easier to search later.
D. Compress the image into a ZIP file to reduce storage usage before verifying it.
Answer: B

Hash verification confirms that the forensic image matches the original drive and has not changed during transfer or storage. This is a key evidence-handling step because it supports integrity and admissibility. The analyst should document the result in the case notes and chain of custody before examining the contents.

Why this answer

Before examining a forensic image, the analyst must verify its integrity by calculating its hash (e.g., MD5, SHA-1, SHA-256) and comparing it to the known hash of the original source. This ensures the image is an exact, unaltered copy, which is critical for maintaining the chain of custody and admissibility of evidence. Option B is correct because hash verification is the foundational step in forensic analysis.

Exam trap

The trap here is that candidates may think mounting the image immediately is efficient, but they overlook the critical integrity check required before any analysis to ensure the evidence is unaltered.

How to eliminate wrong answers

Option A is wrong because mounting the image read-write would allow writes to the image, altering its data and breaking the chain of custody; forensic images must always be mounted read-only. Option C is wrong because defragmenting the original SSD would modify the source data, destroying evidence and violating forensic best practices; analysis is performed on the image, not the original drive. Option D is wrong because compressing the image into a ZIP file before verifying its hash would change the file's hash, making it impossible to verify integrity against the source; verification must occur on the uncompressed image.

197
Multi-Select · hard

A Windows laptop is believed to be involved in a credential-theft incident. It is still powered on, connected to Wi-Fi, and the user reports that the screen recently locked by itself. The SOC can reach the device remotely through EDR. Which two actions should be taken before the laptop is shut down? Select two.

Select 2 answers
A.Capture volatile data such as running processes and active network connections while the system is still live.
B.Place the endpoint into network isolation through the EDR console to stop further attacker communication.
C.Run a full antivirus scan immediately, because the scan report will serve as the primary evidence.
D.Reboot the laptop into Safe Mode so the attacker’s code will not load.
E.Power off the laptop immediately to prevent the incident from spreading further.
Answers: A, B

Volatile data disappears on shutdown, so collecting it first protects the most transient evidence. Running processes and live connections can reveal malware, remote-control tools, or current attacker activity. This is especially important when the device is still powered on and reachable through EDR.

Why this answer

Option A is correct because capturing volatile data (running processes, active network connections, logged-on sessions, memory contents) is the first forensic step on a live system: it lives in RAM and is lost at power-off, so it must be collected while the laptop is up to preserve evidence of current attacker activity such as credential-dumping tools or command-and-control connections. Option B is correct because EDR network isolation cuts the attacker's channel and stops further lateral movement or exfiltration while the laptop stays powered on; the EDR agent keeps its own management channel, so the collection in Option A can still be driven remotely after isolation. The order between the two is a judgment call: isolate first when the attacker is clearly active (the EDR telemetry already holds the connection history), collect first when the live connections themselves are the evidence that matters.

Exam trap

The trap here is that candidates often choose to power off, reboot into Safe Mode, or run an antivirus scan, believing these actions contain the incident, when in fact they destroy or alter volatile evidence (a reboot clears RAM just as a shutdown does, and a scan quarantines the very artifacts that need to be preserved) and violate forensic best practices.

198
MCQ · medium

A security analyst observes a critical server generating unusually high outbound traffic to an external IP address that is listed on a threat intelligence feed as a known command-and-control server. The analyst suspects the server is compromised. According to standard incident response procedures, what should the analyst do NEXT?

A.Reboot the server to clear any malicious processes from memory
B.Isolate the server from the network to stop the communication
C.Apply the latest security patches to the server
D.Ignore the alert because the external IP might be a false positive
Answer: B

Isolation (e.g., disconnecting the network cable or blocking traffic at the switch) immediately stops the exfiltration and prevents the attacker from issuing further commands, while preserving evidence for later forensic analysis.

Why this answer

Option B is correct because isolating the server from the network immediately stops the outbound command-and-control (C2) communication, preventing data exfiltration and further compromise. In NIST SP 800-61 terms, detection and analysis have already happened (a threat-intelligence match plus anomalous outbound volume), so the next phase is containment, eradication and recovery, and containment comes first within it. Rebooting or patching before isolation could destroy volatile evidence (e.g., memory-resident malware) and leaves the attacker free to keep issuing commands or escalate in the meantime.

Exam trap

The trap here is that candidates confuse the containment phase with eradication or recovery, choosing to reboot or patch immediately instead of isolating the system to stop the active threat and preserve evidence.

How to eliminate wrong answers

Option A is wrong because rebooting the server destroys volatile memory evidence (running processes, network connections, injected code) that is critical for forensic analysis, and the malware will usually survive the reboot through persistence mechanisms such as scheduled tasks, services or registry run keys. Option C is wrong because patching is a remediation step that belongs after containment and evidence preservation; it does not stop active C2 traffic, usually requires a reboot that destroys the same volatile evidence, and may tip off the attacker. Option D is wrong because ignoring the alert skips verification: a known C2 IP from the threat intelligence feed combined with unusually high outbound traffic is a strong indicator of compromise that must be investigated.

199
MCQ · medium

A security analyst is monitoring logs from the cloud access security broker (CASB) and observes that a user account downloaded 500 GB of data from a highly sensitive SharePoint document library within a single hour. The user's historical baseline shows an average daily download of less than 10 MB. Additionally, the log shows the session originated from an IP address in a country where the company has no employees or business operations. Which of the following actions is the most appropriate for the analyst to take?

A.Immediately block the user account and the source IP address at the CASB.
B.Contact the user directly by phone to verify whether they initiated the download.
C.Initiate the organization's incident response process for a potential data exfiltration event.
D.Disable the SharePoint document library and remove all user permissions to prevent further data loss.
Answer: C

The combination of anomalous data volume and unusual geolocation strongly suggests a security incident. The analyst should follow the incident response plan, which typically includes preserving the CASB logs and session details, engaging the incident response team, and escalating per policy.

Why this answer

Option C is correct because the combination of a massive data download (500 GB vs. a 10 MB baseline) and a session originating from a country with no business presence strongly indicates a potential data exfiltration event. Initiating the incident response process ensures that the organization follows a structured, documented procedure to contain, analyze, and remediate the threat, preserving forensic evidence and coordinating response actions. The CASB log provides the initial indicators, but the incident response plan is the appropriate framework for handling such high-risk anomalies.

Exam trap

The trap here is that candidates may choose to block the account or phone the user first, failing to recognize that invoking the incident response process is the systematic first action for potential data exfiltration: it balances containment against forensic preservation and legal and HR considerations, and account blocking or user contact then happen as coordinated steps inside that process rather than as an analyst's ad hoc decision.

How to eliminate wrong answers

Option A is wrong because an ad hoc block by the analyst, before the incident is declared, is uncoordinated containment: it can cut off an active session before its details are captured, alerts the actor that they have been noticed, and may be the wrong scope (the IP may be a proxy and the account may be one of several in use). Containment is still appropriate, but as a controlled step inside the incident response process. Option B is wrong because contacting the user directly by phone risks tipping off a malicious insider or an attacker who has compromised the account, and the user may not be the actual actor behind the anomalous activity. Option D is wrong because disabling the SharePoint document library and removing all user permissions is a drastic, premature action that disrupts legitimate business operations and may not be necessary if the threat is isolated to a single account; containment should be coordinated through incident response procedures.
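The two indicators the scenario combines, as detection logic over constructed CASB records. This is an added example for this page, not code from any CASB product: the per-user history, the events, the country list and the field names are all constructed for the demonstration. The design point it shows is that one indicator alone goes to analyst review, while two independent indicators converging is what justifies invoking the incident response process.

```python
"""Score CASB download events against a per-user baseline and the countries
the company actually operates in. Added example for this page; not code from
any CASB product. The history, events, country list and field names are all
constructed for the demonstration."""
from dataclasses import dataclass

MB = 1024 ** 2
GB = 1024 ** 3

# Constructed: ISO country codes where the company has staff or operations.
ALLOWED_COUNTRIES = {"US", "GB", "DE"}


@dataclass(frozen=True)
class Event:
    user: str
    bytes_downloaded: int   # total for the one-hour session
    country: str            # geolocation of the session's source IP
    library: str


# Constructed per-user history: bytes downloaded on each of the last 5 days.
HISTORY = {
    "jsmith": [4 * MB, 6 * MB, 9 * MB, 5 * MB, 3 * MB],
    "aperez": [300 * MB, 250 * MB, 420 * MB, 380 * MB, 310 * MB],
}

# Constructed CASB events. "ZZ" stands in for a country with no business presence.
EVENTS = [
    Event("jsmith", 500 * GB, "ZZ", "Finance-Confidential"),  # the scenario
    Event("aperez", 900 * MB, "US", "Engineering-Docs"),     # busy but in character
    Event("jsmith", 2 * MB, "US", "Finance-Confidential"),   # normal
]


def baseline(history: dict) -> dict:
    """Mean daily download volume per user."""
    return {u: sum(v) / len(v) for u, v in history.items()}


def score(event: Event, daily_avg: float, ratio_threshold: float = 50.0) -> dict:
    """Indicators that fire for one event. The hourly total is compared with the
    *daily* mean, which is deliberately lenient: one hour exceeding fifty days of
    normal activity is not explained by a busy afternoon."""
    ratio = event.bytes_downloaded / max(daily_avg, 1.0)
    indicators = []
    if ratio >= ratio_threshold:
        indicators.append(f"volume {ratio:.0f}x daily baseline")
    if event.country not in ALLOWED_COUNTRIES:
        indicators.append(f"session from {event.country}, no business presence")
    # Two independent indicators converging is what justifies invoking IR;
    # a single one goes to analyst review so one noisy rule does not page the team.
    return {"user": event.user, "library": event.library,
            "indicators": indicators, "escalate_to_ir": len(indicators) >= 2}


def triage(events=EVENTS, history=HISTORY) -> list:
    b = baseline(history)
    # A user with no history gets a 1-byte baseline so any volume looks anomalous,
    # which is the conservative choice for a first-seen identity.
    return [score(e, b.get(e.user, 1.0)) for e in events]


if __name__ == "__main__":
    for result in triage():
        print(result)
```

Note that the script only decides whether to escalate; it does not block the account or the IP, for the same reasons Option A is wrong: those actions belong to the incident response process once it has been invoked.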

200
MCQ · medium

After hours, EDR alerts show a finance laptop encrypting local files and trying SMB connections to nearby workstations. The user is still logged in, and management wants the fastest step that limits spread while preserving evidence. What should the SOC do first?

A.Shut down the laptop immediately to stop any further activity.
B.Use EDR to isolate the laptop from the network.
C.Run a full antivirus scan before making any network changes.
D.Reimage the laptop right away from a standard corporate image.
Answer: B

This quickly contains the incident by cutting off network access while leaving the system powered on for investigation and evidence preservation.

Why this answer

Option B is correct because EDR isolation immediately blocks all network communication except the agent's own management channel, so the SMB connections to other workstations stop while the endpoint stays powered on and reachable for triage. Lateral movement and encryption of network shares end at once, and volatile data such as memory contents, running processes and in-memory encryption keys survives, which a shutdown would destroy. Isolation does not stop encryption of local files already under way, so the follow-on step is to suspend or kill the process through EDR and capture memory before anything is rebooted.

Exam trap

The trap here is that candidates confuse 'stopping the activity' with 'shutting down,' not realizing that isolation halts network propagation without destroying the evidence needed for root-cause analysis.

How to eliminate wrong answers

Option A is wrong because shutting down the laptop destroys volatile evidence (e.g., memory-resident malware, encryption keys, active network connections) and may trigger anti-forensic routines. Option C is wrong because running a full antivirus scan while the system is still on the network allows the ransomware to continue encrypting files and spreading via SMB, and scans can be evaded by modern malware. Option D is wrong because reimaging wipes all evidence of the attack, including the ransomware binary, logs, and artifacts needed for incident response and attribution.

201
MCQ · medium

Following a ransomware incident, management wants to verify that backups are usable and that a restored file server will meet recovery expectations before declaring the system trusted again. Which action is best?

A.Review the backup job logs and mark the backups as valid.
B.Perform a documented restore test in an isolated environment and validate the recovered data.
C.Increase the retention period so more restore points are available later.
D.Create a new full backup immediately after the incident and trust that one instead.
Answer: B

A restore test proves the backup can be recovered and helps confirm the data and services meet continuity requirements.

Why this answer

Option B is correct because performing a documented restore test in an isolated environment is the only action that directly validates the integrity and usability of backups, ensuring the restored file server meets recovery point objective (RPO) and recovery time objective (RTO) expectations. This process verifies that the backup data is not corrupted, encrypted, or incomplete, which is critical after a ransomware incident where backups may have been targeted. Without such a test, management cannot confidently declare the system trusted, as logs or retention changes do not prove data recoverability.

Exam trap

The trap here is that candidates assume backup logs or a longer retention period are sufficient to prove recoverability, but the exam expects the answer that produces evidence: only a documented restore test in an isolated environment shows the backup can be brought back and validated before the system is declared trusted.

How to eliminate wrong answers

Option A is wrong because reviewing backup job logs only confirms that the backup process completed without errors, but it does not verify that the actual data is usable, free from ransomware encryption, or restorable to a functional state. Option C is wrong because increasing the retention period merely preserves more restore points for future use, but it does not validate the current backups' integrity or usability, and it may retain compromised backups. Option D is wrong because creating a new full backup immediately after the incident does not guarantee that the backup is free from malware or that the restored system will meet recovery expectations; it only provides a fresh copy without validation.

202
MCQ · medium

A SOC analyst detects that a user's workstation is sending large volumes of data to an unusual external IP address during non-business hours. The analyst has already isolated the workstation by disconnecting it from the network. What is the NEXT step in the incident response process?

A.Reimage the workstation to remove any malware
B.Perform a forensic analysis of the workstation to collect evidence
C.Reset the user's password to prevent further unauthorized access
D.Notify law enforcement immediately
Answer: B

After containment, forensic analysis is necessary to determine the cause and scope of the incident, preserve evidence, and inform further actions. This aligns with industry-standard incident response frameworks.

Why this answer

After isolating the workstation, the next step in the incident response process is to perform forensic analysis to collect evidence. This aligns with the NIST SP 800-61 framework, where containment (isolation) is followed by eradication and recovery, but evidence collection must occur before any destructive actions like reimaging. The forensic analysis preserves volatile data (e.g., memory, network connections) and non-volatile data (e.g., disk artifacts) to determine the scope and cause of the data exfiltration.

Exam trap

The trap here is that candidates often confuse containment with eradication, selecting reimaging (Option A) prematurely without recognizing that evidence preservation is a mandatory step before any destructive remediation in the incident response process.

How to eliminate wrong answers

Option A is wrong because reimaging the workstation destroys potential evidence (e.g., malware binaries, registry keys, log files) before forensic analysis can be performed, violating the order of the incident response process. Option C is wrong because resetting the user's password addresses authentication but does not remediate the underlying compromise (e.g., a backdoor or data exfiltration tool) and is not the immediate next step after isolation. Option D is wrong because notifying law enforcement is a strategic decision that typically occurs after evidence is collected and the incident is fully characterized, not as the immediate next step after isolation.

203
MCQ · medium

Several Windows servers were built from the same image, and all of them use the same local Administrator password. What is the best operational hardening change?

A.Keep the shared password but store it in a spreadsheet with restricted access.
B.Implement a tool that automatically sets unique local admin passwords on each server.
C.Remove all administrator accounts from the servers.
D.Change the password manually once a year on one server only.
Answer: B

This is the best hardening change because shared local administrator passwords create an easy lateral-movement path if one server or credential is exposed. A password management solution that generates unique local admin passwords reduces blast radius while preserving administrative access. It also supports safer operational management because the passwords can still be retrieved or rotated through controlled processes instead of being duplicated across systems.

Why this answer

Option B is correct because a tool such as Windows LAPS (Local Administrator Password Solution) sets a unique, random password on each server's local administrator account, rotates it on a schedule and after use, and stores it in Active Directory (or Entra ID) where only an ACL-restricted set of principals can read it. A stolen local admin hash or password from one server then works on that server only, which removes the shared-credential pass-the-hash path that otherwise turns one compromised host into the whole fleet.

Exam trap

The trap here is that candidates may think storing the password securely (Option A) is sufficient, but the core issue is the shared password itself, not just its storage; the exam emphasizes eliminating shared credentials across systems to prevent lateral movement.

How to eliminate wrong answers

Option A is wrong because storing the shared password in a spreadsheet, even with restricted access, still leaves a single point of failure; if the spreadsheet is breached, all servers are compromised. Option C is wrong because removing all administrator accounts would break essential administrative functions and is not a recommended hardening practice; instead, you should rename or disable the built-in Administrator account. Option D is wrong because manually changing the password once a year on only one server does not address the shared password issue across all servers and leaves the others vulnerable indefinitely.

204
MCQ · medium

A branch office stores nightly backups on a NAS that is joined to the same Active Directory domain as the production servers. After a ransomware incident, management wants a backup design that is much harder for attackers to encrypt or delete. Which approach is the best improvement?

A.Increase the backup frequency to every hour while keeping the same NAS design.
B.Store all backups on the same network segment for faster restore access.
C.Maintain an offline or immutable backup copy in a separate administrative boundary.
D.Use only snapshots on the production storage array because they are instant to restore.
Answer: C

Offline or immutable backups resist tampering and remain available even if the production domain is compromised.

Why this answer

Option C is correct because maintaining an offline or immutable backup copy in a separate administrative boundary ensures that attackers cannot encrypt or delete the backups, even if they compromise the Active Directory domain. An offline backup (e.g., tape or disconnected disk) is physically isolated, while immutable backups (e.g., using S3 Object Lock or a NAS with WORM capabilities) prevent modification or deletion for a defined retention period. This design breaks the attacker's ability to propagate ransomware to the backup repository, addressing the core requirement of making backups much harder to encrypt or delete.

Exam trap

The trap here is that candidates often assume increasing backup frequency or keeping backups on the same network segment improves recovery speed, but they overlook the fundamental need for isolation and immutability to protect against ransomware encryption and deletion.

How to eliminate wrong answers

Option A is wrong because increasing backup frequency to every hour on the same NAS joined to Active Directory does not prevent attackers from encrypting or deleting the backups; if the NAS is compromised via the domain, all copies remain vulnerable. Option B is wrong because storing all backups on the same network segment as production servers increases the attack surface and allows ransomware to spread laterally to the backup storage, defeating the goal of isolation. Option D is wrong because snapshots on the production storage array live in the same administrative boundary as the data they protect: an attacker holding array or domain credentials can delete or expire them, and an array failure takes the snapshots with it. They are a fast first restore point, not a ransomware-resistant copy.

205
MCQ · easy

A critical patch must be applied to a retail point-of-sale server. What is the best way to reduce business disruption?

A.Apply the patch during the busiest business hours to make the change sooner.
B.Schedule the patch during an approved maintenance window.
C.Skip the patch and rely on hope that the issue will not be exploited.
D.Turn off all backups so the patch process runs faster.
Answer: B

A maintenance window is the best choice because it lets the organization perform the update when user impact is expected to be lowest. This is a core change-control practice for systems that support business operations. It gives the team time to test, monitor, and recover if something goes wrong without affecting customers during peak use.

Why this answer

Scheduling the patch during an approved maintenance window is the best practice to minimize business disruption because it allows the organization to plan for downtime during low-activity periods, coordinate with stakeholders, and ensure rollback procedures are in place. For a retail point-of-sale (POS) server, applying a critical patch outside of business hours prevents transaction interruptions and potential revenue loss, aligning with change management policies that prioritize availability and security.

Exam trap

The trap here is that candidates may choose Option A, thinking that applying a patch sooner reduces risk, but they overlook the immediate business disruption and the importance of change management processes that prioritize availability over speed.

How to eliminate wrong answers

Option A is wrong because applying a patch during busiest business hours would directly disrupt customer transactions, causing immediate revenue loss and potential data integrity issues, which contradicts the goal of reducing business disruption. Option C is wrong because skipping a critical patch leaves the POS server vulnerable to known exploits, such as remote code execution or data breaches, which can lead to greater long-term disruption and regulatory non-compliance. Option D is wrong because turning off backups eliminates the ability to restore the system to a known good state if the patch causes a failure, increasing the risk of extended downtime and data loss.

206
MCQ · medium

A security analyst detects a high volume of failed authentication attempts from IP address 203.0.113.1 against a web application. The attempts use different usernames, such as 'admin', 'root', 'test', and several common names. Account lockout policies are configured to lock an account after five failed attempts. Despite this, the analyst sees the attempts continuing over several hours. Which of the following security controls is most likely missing or improperly configured?

A.Increase the account lockout threshold to a lower number
B.Implement geofencing to block traffic from the attacker's region
C.Configure rate limiting per source IP address
D.Enable detailed failed login attempt logging
Answer: C

Rate limiting on the application or firewall level restricts the number of authentication attempts from a single IP address over a given time period, regardless of the username being tried. This directly counters the attacker's strategy of rotating usernames to bypass account lockout.

Why this answer

Rate limiting per source IP address is the correct control because it restricts the number of authentication requests from a single IP (203.0.113.1) within a given time window, regardless of the usernames used. Account lockout policies are ineffective here because the attacker is rotating through different usernames (e.g., 'admin', 'root', 'test'), so no single account reaches the five-failed-attempt threshold. By limiting the request rate from the source IP, the analyst can throttle the attacker's brute-force attempts without affecting legitimate users.

Exam trap

The trap here is that candidates assume account lockout stops every brute-force attack, but an attacker who rotates usernames (the password-spraying pattern: a few likely passwords tried across many accounts) never accumulates five failures on any one account, so per-source-IP rate limiting is the control that actually throttles the activity.

How to eliminate wrong answers

Option A is wrong because decreasing the lockout threshold (e.g., to 3 attempts) would not stop the attack—the attacker is using different usernames, so no single account ever hits even a lower threshold. Option B is wrong because geofencing blocks traffic based on geographic location, but the attacker could be using a VPN or proxy to appear from a different region, and the question does not indicate the IP is from a specific region that should be blocked. Option D is wrong because enabling detailed failed login attempt logging would only improve visibility into the attack, not prevent or mitigate it; logging is a detective control, not a preventive or throttling control.
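The difference between the two controls, replayed over a constructed authentication log. This is an added example for this page, not code from any firewall or application: the log lines, the thresholds and the class names are constructed, and the attacker address is the documentation range from the question. The replay shows that the per-account lockout never fires because no username is tried twice, while a per-source-IP sliding window refuses every attempt after the fifth.

```python
"""Replay constructed failed-login records through the scenario's two controls:
a per-account lockout (five failures) and a per-source-IP sliding-window limiter.
Added example for this page, not code from any firewall or application; the log
lines, thresholds and class names are constructed for the demonstration."""
from collections import defaultdict, deque

# Constructed auth log as (epoch seconds, source IP, username, outcome).
# 203.0.113.1 rotates usernames two seconds apart; 198.51.100.7 is a
# legitimate user who mistypes once and then signs in.
ATTACKER_USERS = ["admin", "root", "test", "guest", "alice", "bob",
                  "oracle", "postgres", "ftp", "www", "backup", "support"]
LOG = [(1000 + i * 2, "203.0.113.1", user, "FAIL")
       for i, user in enumerate(ATTACKER_USERS)]
LOG += [(1005, "198.51.100.7", "carol", "FAIL"), (1009, "198.51.100.7", "carol", "OK")]


class AccountLockout:
    """Lock an account after `threshold` failed attempts. No reset is modelled
    because the scenario's observation window (hours) is longer than the replay."""

    def __init__(self, threshold: int = 5):
        self.threshold = threshold
        self.failures = defaultdict(int)
        self.locked = set()

    def observe(self, user: str, outcome: str) -> bool:
        """Return True if this attempt was refused by the lockout."""
        if user in self.locked:
            return True
        if outcome == "FAIL":
            self.failures[user] += 1
            if self.failures[user] >= self.threshold:
                self.locked.add(user)
        return False


class SourceIpRateLimit:
    """Allow at most `limit` authentication attempts per source IP in any
    `window` seconds, whatever username each attempt carries."""

    def __init__(self, limit: int = 5, window: int = 60):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def observe(self, ts: int, ip: str) -> bool:
        """Return True if this attempt was refused by the limiter."""
        q = self.hits[ip]
        while q and ts - q[0] >= self.window:
            q.popleft()                 # expire attempts that fell out of the window
        if len(q) >= self.limit:
            return True                 # refused; not recorded, so the window is not extended
        q.append(ts)
        return False


def replay(log=LOG) -> dict:
    lockout, limiter = AccountLockout(), SourceIpRateLimit()
    by_lockout = by_limiter = 0
    for ts, ip, user, outcome in sorted(log):
        if lockout.observe(user, outcome):
            by_lockout += 1
        if limiter.observe(ts, ip):
            by_limiter += 1
    return {
        "locked_accounts": sorted(lockout.locked),
        "refused_by_lockout": by_lockout,
        "refused_by_limiter": by_limiter,
        "rate_limited_ips": sorted(ip for ip, q in limiter.hits.items()
                                   if len(q) >= limiter.limit),
    }


if __name__ == "__main__":
    print(replay())
```

Per-source-IP limiting is the right answer to the scenario as written, with two caveats a practitioner would add: a source behind a large NAT will hit the limit with legitimate traffic, and an attacker with many source addresses spreads the attempts below the threshold, so the limiter is paired with per-account throttling and MFA rather than relied on alone.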

207
MCQ · medium

An IDS generates an alert for possible SQL injection against an internal reporting portal at 02:00. The web logs show the source IP belongs to the company's approved vulnerability scanner, the request path matches the scheduled test window, and the WAF blocked the request. What is the most appropriate analyst conclusion?

A.Treat it as a confirmed intrusion and immediately take the portal offline.
B.Close it as expected activity after validating the scanner schedule and source IP.
C.Classify it as malware because the blocked payload proves the scanner is infected.
D.Disable the WAF rule so the scanner can complete without generating more alerts.
Answer: B

The logs align with an authorized scanner operating during a planned maintenance window, and the WAF successfully blocked the payload. After confirming the scan authorization, the alert can be documented and closed as expected activity rather than escalated as a live attack.

Why this answer

Option B is correct because the alert matches expected, authorized activity: the source IP belongs to the approved vulnerability scanner, the request fell inside the scheduled test window, and the WAF blocked the payload. The IDS signature fired correctly on injection-like traffic, so this is a benign true positive (many teams still log it as a false positive) rather than an intrusion. The analyst should confirm the scanner schedule and source IP against the scan calendar, record that confirmation, and close the alert as expected activity.

Exam trap

The trap here is that candidates see a blocked SQL injection payload and assume it is a real attack, forgetting to verify whether the source is an authorized vulnerability scanner operating during a scheduled test window.

How to eliminate wrong answers

Option A is wrong because taking the portal offline is an overreaction to a false positive; the request was from an authorized scanner and blocked by the WAF, so there is no confirmed intrusion. Option C is wrong because classifying the scanner as infected based solely on a blocked SQL injection payload is a logical leap; scanners intentionally send malicious payloads to test defenses, and the WAF block proves the control worked, not that the scanner is compromised. Option D is wrong because disabling the WAF rule would remove protection against real attacks, and the scanner can still complete its tests with the WAF blocking its payloads—the alerts can be tuned or suppressed instead.
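The three checks the analyst performed by hand, as alert-enrichment logic that a SOC would run before a human sees the ticket. This is an added example for this page, not code from any SIEM or IDS: the scanner address ranges, the scan schedule, the alert and the WAF records are constructed, and the field names are assumptions. It closes only when all three facts line up, and it escalates a scanner address seen outside its schedule, which is the case a naive "scanner allowlist" would silently swallow.

```python
"""Enrich an IDS alert with the three facts the analyst checked by hand:
approved scanner source, inside the scheduled window, blocked by the WAF.
Added example for this page and not from any SIEM; scanner ranges, schedule,
alert and WAF records are constructed, and the field names are assumptions."""
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed: sources the vulnerability scanner is allowed to scan from.
SCANNER_SOURCES = [ip_network("10.20.30.5/32"), ip_network("10.20.31.0/24")]
# Constructed: approved scan windows per asset, local time.
SCAN_WINDOWS = {"reporting-portal": (time(1, 0), time(3, 0))}
WAF_MATCH_SECONDS = 5   # how close a WAF event must be to the IDS alert to count


def is_approved_scanner(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in SCANNER_SOURCES)


def in_scan_window(asset: str, ts: datetime) -> bool:
    window = SCAN_WINDOWS.get(asset)
    return window is not None and window[0] <= ts.time() <= window[1]


def waf_blocked(alert: dict, waf_events: list) -> bool:
    return any(e["src_ip"] == alert["src_ip"] and e["action"] == "block"
               and abs((e["ts"] - alert["ts"]).total_seconds()) <= WAF_MATCH_SECONDS
               for e in waf_events)


def triage(alert: dict, waf_events: list) -> dict:
    """Return a disposition with the evidence behind it. The script only
    enriches; anything short of all three checks stays with the analyst."""
    checks = {
        "approved_scanner_source": is_approved_scanner(alert["src_ip"]),
        "inside_scan_window": in_scan_window(alert["asset"], alert["ts"]),
        "waf_blocked": waf_blocked(alert, waf_events),
    }
    if all(checks.values()):
        disposition = "close: expected scanner activity"
    elif checks["approved_scanner_source"] and not checks["inside_scan_window"]:
        # A scanner address outside its schedule deserves a look: spoofing, or an unplanned scan.
        disposition = "escalate: scanner source outside schedule"
    elif checks["waf_blocked"]:
        disposition = "escalate: blocked attempt from unverified source"
    else:
        disposition = "escalate: unblocked attempt, treat as possible intrusion"
    return {"disposition": disposition, "checks": checks}


# Constructed records: the scenario plus two variations.
WAF_EVENTS = [
    {"ts": datetime(2024, 5, 1, 2, 0, 14), "src_ip": "10.20.30.5", "action": "block"},
    {"ts": datetime(2024, 5, 1, 2, 7, 3), "src_ip": "203.0.113.9", "action": "block"},
]
ALERTS = [
    {"ts": datetime(2024, 5, 1, 2, 0, 14), "src_ip": "10.20.30.5", "asset": "reporting-portal"},   # the scenario
    {"ts": datetime(2024, 5, 1, 14, 0, 0), "src_ip": "10.20.30.5", "asset": "reporting-portal"},   # same source, midday
    {"ts": datetime(2024, 5, 1, 2, 7, 3), "src_ip": "203.0.113.9", "asset": "reporting-portal"},   # unknown source
]


def dispositions(alerts=ALERTS, waf_events=WAF_EVENTS) -> list:
    return [triage(a, waf_events)["disposition"] for a in alerts]


if __name__ == "__main__":
    for a in ALERTS:
        print(triage(a, WAF_EVENTS))
```

Note what the enrichment does with Option D's temptation: the WAF block is evidence the control worked and is part of the close condition, so the rule is never disabled; an alert that is expected and blocked is suppressed at the ticket level instead.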

208
MCQ · medium

A nightly backup job shows "Completed successfully" in the backup console, but a test restore fails with an authentication error after the backup service account password was rotated last week. What is the best next step?

A.Increase the retention period so the backup console will keep more copies.
B.Update the backup application with the current service account credentials and rerun a restore validation test.
C.Disable the backup software firewall rule and try the restore again later.
D.Delete and recreate all protected files because the backup repository is probably corrupt.
Answer: B

This action resolves the likely credential mismatch and confirms the backup process is actually usable during recovery. Backup success alone is not enough if restore fails.

Why this answer

The backup job can still report success because the agent that writes backups authenticates with a different identity, or with a session it established before the rotation, while the restore path authenticates to the repository with the stored service account credential, which is now stale. Whatever the exact split, the symptom points at credentials rather than data: updating the backup application with the current service account password (Option B) and rerunning the restore validation test both fixes the error and proves the fix, which is the only evidence that the backups are usable.

Exam trap

The trap here is that candidates assume a 'Completed successfully' backup job means all related processes are healthy, but the exam tests the distinction between backup success and restore success, highlighting that credential rotation can break restore without affecting backup.

How to eliminate wrong answers

Option A is wrong because increasing the retention period only keeps more backup copies; it does not fix the underlying authentication issue caused by stale credentials. Option C is wrong because disabling a firewall rule is unrelated to an authentication error; the error indicates a credentials mismatch, not a network connectivity or firewall block. Option D is wrong because deleting and recreating files is a destructive action that assumes corruption, but the backup repository is likely intact; the problem is purely an authentication failure during restore, not data corruption.

209
MCQ · medium

An engineering firm backs up its file server every night to a NAS that is always mounted to the production domain. After a ransomware event, management asks for the most effective improvement to reduce the chance that backups are encrypted along with production data. What should be recommended?

A.Increase the backup frequency but leave the NAS always online
B.Keep an offline or immutable backup copy that is not continuously reachable from production
C.Store backups in the same server room for faster restore times
D.Use only local snapshots on the file server because they are simpler to manage
Answer: B

Offline or immutable backups resist encryption by ransomware because the attacker cannot easily modify or destroy them from the compromised environment.

Why this answer

Option B is correct because an offline or immutable backup copy that is not continuously reachable from the production domain prevents ransomware from encrypting it. Since the NAS is always mounted to the production domain, it is vulnerable to lateral movement and encryption by ransomware. An offline backup (e.g., tape or disconnected disk) or an immutable backup (e.g., using S3 Object Lock or a write-once file system) ensures that even if production data is compromised, the backup remains intact and recoverable.

Exam trap

The trap here is that candidates may think increasing backup frequency or keeping backups local improves security, but the core issue is that the backup must be isolated from the production domain to survive a ransomware attack that encrypts all reachable data.

How to eliminate wrong answers

Option A is wrong because increasing backup frequency while leaving the NAS always online does not protect against encryption; ransomware can encrypt both the live data and the mounted backup during the same attack window. Option C is wrong because storing backups in the same server room does not address the security issue; it only improves restore speed but still leaves the backup accessible to ransomware that has compromised the production network. Option D is wrong because local snapshots on the file server are stored on the same volume or system that is being attacked, so they can be encrypted or deleted by ransomware just like the original data.

210
MCQ · medium

A monthly vulnerability scan identifies a critical vulnerability on a public-facing VPN appliance, but the vendor says no patch is available yet. The service must remain online for remote workers. What is the best compensating control to reduce risk right away?

A.Ignore the finding until the next quarterly review because there is no patch available.
B.Move the appliance to a less critical VLAN and leave all access rules unchanged.
C.Apply virtual patching or traffic filtering to block exploit attempts until remediation is possible.
D.Disable logging so that attackers cannot learn the appliance version from log data.
Answer: C

Filtering malicious traffic is a practical compensating control when a permanent fix is not yet available.

Why this answer

Option C is correct because virtual patching or traffic filtering (e.g., via an IPS or WAF) provides immediate, compensating protection by inspecting and blocking exploit traffic targeting the vulnerability, without requiring the vendor to release a patch. This allows the VPN appliance to remain online for remote workers while reducing the risk of exploitation until a permanent fix is available.

Exam trap

The trap here is that candidates may assume a missing patch means no action is possible, or that VLAN segmentation alone is sufficient, when in fact compensating controls like virtual patching are the correct immediate response for unpatched critical vulnerabilities on internet-facing systems.

How to eliminate wrong answers

Option A is wrong because ignoring a critical vulnerability until the next quarterly review leaves the organization exposed to active exploitation, especially on a public-facing appliance; risk does not disappear just because no patch exists. Option B is wrong because moving the appliance to a less critical VLAN without changing access rules does not prevent an attacker from reaching the vulnerability: VLANs provide logical separation but do not filter application-layer exploit attempts, and the same access rules would still allow malicious traffic to the device. Option D is wrong because disabling logging does not hide the appliance version (attackers fingerprint it from the exposed service, not from the victim's logs) and removes the visibility needed to detect exploitation attempts against a device known to be vulnerable; monitoring of the appliance should be increased while it is unpatched, not reduced.

211
MCQ · easy

After a phishing account compromise has been contained and the attacker’s mailbox forwarding rule was removed, what should the team do next?

A.Stop the investigation because the forwarding rule was deleted.
B.Reset credentials and verify there are no other persistence methods before recovery.
C.Close the ticket and tell the user to be more careful next time.
D.Wait one week before taking any action so the attacker does not notice.
Answer: B

Eradication requires removing attacker access and checking for additional changes before returning to normal operations.

Why this answer

After removing a mailbox forwarding rule, the team must reset the compromised account's credentials, revoke its active sessions and tokens rather than assuming the password change did it (access tokens already issued stay valid until they expire), and verify that no other persistence mechanisms remain, for example additional inbox rules, OAuth application grants, mailbox delegation, or MFA methods and devices the attacker registered. Only then can the account be returned to production without the attacker walking straight back in.

Exam trap

The trap here is that candidates assume removing the visible persistence mechanism (the forwarding rule) is sufficient, but the exam tests the understanding that attackers often deploy multiple backdoors, and credential reset plus full verification is mandatory before recovery.

How to eliminate wrong answers

Option A is wrong because stopping the investigation after deleting a single forwarding rule ignores other potential persistence methods like hidden inbox rules, OAuth tokens, or SMTP auth compromises. Option C is wrong because closing the ticket without remediation leaves the account vulnerable and fails to address the root cause of the compromise. Option D is wrong because waiting a week allows the attacker to re-establish persistence or exfiltrate more data, violating the principle of timely incident response.

212
Matching · medium

Match each change-management practice to the best description for reducing patching risk in production.

Use a phased rollout to catch compatibility issues early

Provide a rollback or backout plan if the patch fails

Place the work inside a maintenance window

Create a baseline that supports recovery and comparison

Apply change control and obtain approval

Why these pairings

These change-management practices reduce patching risk by ensuring proper review, scheduling, rollback capability, pre-testing, documentation, and automation to minimize errors.

213
MCQ · easy

EDR flags a workstation because a word processor launched an unusual script and then contacted a rare external domain. What is the best immediate action?

A. Isolate the workstation from the network using the EDR tool.
B. Wait for another alert before taking any action.
C. Delete the word processor immediately.
D. Reboot the workstation to see if the behavior happens again.
Answer: A

This is the best immediate containment step because it stops the workstation from communicating with a possible attacker while preserving the system for further analysis. EDR isolation is designed for exactly this type of suspicious endpoint behavior. It limits lateral movement, reduces data exfiltration risk, and gives responders time to investigate before deciding on cleanup or reboot actions.

Why this answer

Isolating the workstation with the EDR tool is the best immediate action because it contains the potential compromise by cutting off network communication, preventing lateral movement or data exfiltration while preserving forensic evidence. The combination of an unusual script execution from a word processor and a connection to a rare external domain strongly suggests a possible malware infection or remote access trojan (RAT) that requires immediate containment.

Exam trap

The trap here is that candidates may think rebooting (Option D) is a safe first step, but it can destroy volatile evidence and does not contain the threat, whereas isolation via EDR is the correct containment action per incident response best practices.

How to eliminate wrong answers

Option B is wrong because waiting for another alert could allow the threat to spread or exfiltrate data, violating the principle of timely containment in incident response. Option C is wrong because deleting the word processor does not address the underlying malicious script or process that may still be running, and it destroys potential forensic evidence. Option D is wrong because rebooting the workstation may terminate the suspicious process but does not prevent the system from being re-infected or the attacker from re-establishing access, and it could also clear volatile memory evidence.

214
MCQ · medium

A SOC analyst receives a SIEM alert for a possible brute-force attack against a remote access portal. The alert shows 240 failed logins from the same source IP over 4 minutes, followed by one successful login. Before escalating as an incident, what is the BEST evidence to check to determine whether the alert is a false positive caused by approved activity?

A. Whether the source IP belongs to the company help desk
B. Whether there is a change ticket or test plan for the access portal and the activity matches the approved maintenance window
C. Whether the user account has MFA enabled
D. Whether the firewall is in inline mode
Answer: B

A documented change, test plan, and matching maintenance window provide the strongest evidence that the alert reflects approved work rather than malicious activity.

Why this answer

A change ticket or test plan that matches the observed activity (240 failed logins followed by a successful login during an approved maintenance window) would indicate that the alert is a false positive caused by authorized testing or maintenance, not a malicious brute-force attack. This is the best evidence because it directly ties the SIEM alert to approved, scheduled activity, which is a standard operational control for change management.

Exam trap

The trap here is that candidates may assume a help desk IP or MFA automatically validates the activity, but only a documented change ticket or test plan provides the necessary evidence to classify the alert as a false positive under standard incident response procedures.

How to eliminate wrong answers

Option A is wrong because the source IP belonging to the company help desk does not automatically make the activity approved; help desk staff could still be performing unauthorized or malicious actions, and the IP alone does not provide evidence of a change ticket or test plan. Option C is wrong because MFA being enabled on the user account does not explain the 240 failed logins from a single source IP; MFA is a security control that would mitigate the impact of a successful login but does not prove the activity was approved or that the alert is a false positive.

215
MCQ · hard

Based on the exhibit, which change best improves both recovery time and recovery point for the ERP database? A mid-sized company has a two-hour RTO and a 30-minute RPO, but its current backup design cannot meet either objective during restore testing.

A. Add a second nightly full backup at 23:30 to the same NAS device.
B. Move the NAS to a different VLAN but keep the backup schedule unchanged.
C. Implement frequent transaction log backups and a pre-staged standby or automated recovery image.
D. Increase backup retention from one month to one year.
Answer: C

Transaction log backups reduce the amount of data lost between full backups, improving the RPO. A pre-staged standby or automated recovery image shortens rebuild time, improving the RTO. Together, these changes directly address both recovery objectives instead of simply storing the same backups more safely or for longer. The test results show that the current restore approach is far too slow and too coarse.

Why this answer

Option C is correct because implementing frequent transaction log backups (e.g., every 5–10 minutes) allows point-in-time recovery, reducing the recovery point objective (RPO) to minutes. A pre-staged standby or automated recovery image reduces recovery time objective (RTO) by eliminating the need to restore from scratch, enabling near-instant failover. This directly addresses the company's inability to meet its 30-minute RPO and 2-hour RTO during restore testing.

Exam trap

The trap here is that candidates confuse backup frequency (e.g., more full backups) with recovery point improvement, failing to recognize that only transaction log backups or incremental changes can reduce RPO below the full backup interval, and that pre-staging is required to meet aggressive RTOs.

How to eliminate wrong answers

Option A is wrong because adding a second nightly full backup to the same NAS device does not reduce the recovery point window (still up to 24 hours of data loss) and does not improve recovery time (restore still takes hours from a full backup). Option B is wrong because moving the NAS to a different VLAN addresses network segmentation or security, not backup performance or recovery objectives; it has no impact on RTO or RPO. Option D is wrong because increasing retention from one month to one year only extends how far back data can be restored, not how quickly or with how little data loss; it does not improve RTO or RPO.

216
MCQ · easy

A vulnerability scan finds a critical flaw on a public-facing server and a medium flaw on a lab system that is not connected to the production network. Which issue should be fixed first?

A. The medium flaw on the isolated lab system, because all vulnerabilities should be fixed in alphabetical order.
B. The critical flaw on the public-facing server, because it has higher business risk.
C. Both systems can wait until the next quarterly patch cycle.
D. The lab system, because internal systems always outrank external systems.
Answer: B

Public exposure and critical severity make this issue more likely to be exploited and more impactful.

Why this answer

The critical flaw on the public-facing server should be fixed first because it presents a higher business risk. A public-facing server is directly accessible from the internet, making it a prime target for attackers. Exploiting a critical vulnerability could lead to data breaches, service disruption, or unauthorized access, with immediate and severe business impact.

In contrast, the medium flaw on an isolated lab system poses no direct threat to production operations or sensitive data.

Exam trap

The trap here is that candidates may assume all vulnerabilities must be fixed in order of severity alone, ignoring the crucial factor of asset exposure and business context, or they may mistakenly believe that internal systems are always more critical than external ones.

How to eliminate wrong answers

Option A is wrong because fixing vulnerabilities in alphabetical order is not a valid prioritization method; risk-based prioritization based on severity and exposure is the industry standard. Option C is wrong because delaying remediation of a critical flaw on a public-facing server until the next quarterly patch cycle could leave the organization exposed to exploitation for an unacceptable period; critical vulnerabilities often require immediate patching or compensating controls. Option D is wrong because internal systems do not always outrank external systems; in fact, public-facing systems typically have higher risk due to internet exposure, and isolated lab systems have minimal business risk.

217
MCQ · easy

During a disaster recovery test, what is the most important thing to confirm about the backup?

A. That the backup files exist in storage.
B. That the data can be restored and is usable after recovery.
C. That the backup system uses encryption.
D. That the backup is stored on tape instead of disk.
Answer: B

The real purpose of a backup is successful recovery. During testing, the team should verify that the data restores correctly and that applications or users can actually use it afterward. This confirms the backup supports business continuity and is not merely sitting in storage as an unreadable copy.

Why this answer

The most important thing to confirm about a backup during a disaster recovery test is that the data can be restored and is usable after recovery. This validates the integrity and completeness of the backup, ensuring that the recovery point objective (RPO) and recovery time objective (RTO) can be met. Simply verifying that backup files exist does not guarantee they are not corrupted or that the restoration process will succeed, which is why a full restore test is critical.

Exam trap

The trap here is that candidates often confuse backup existence with backup usability, assuming that if the backup file is present and encrypted, it must be restorable, but CompTIA emphasizes that only a successful restore test confirms recoverability.

How to eliminate wrong answers

Option A is wrong because merely confirming that backup files exist in storage does not validate their integrity, consistency, or ability to be restored; a backup file could be present but corrupted or incomplete. Option C is wrong because encryption protects data at rest or in transit but has no bearing on whether the backup can be successfully restored and used; encryption is a security control, not a recovery validation. Option D is wrong because the storage medium (tape vs. disk) is irrelevant to the core requirement of recoverability; both media can hold valid or invalid backups, and the choice depends on factors like speed, cost, and retention, not on the ability to restore.

218
MCQ · medium

An EDR console reports possible beaconing from a workstation because it makes outbound HTTPS connections to the same cloud IP every 15 minutes. The workstation belongs to the patch-management team, and the destination resolves to a vendor update service. Which evidence best supports closing the alert as a false positive?

A. The workstation user says the activity looks normal and no files were encrypted.
B. The source IP appears on a blocklist, so the alert must be malicious.
C. Process lineage and signed agent logs show the patch client initiated the traffic on schedule.
D. The workstation has antivirus installed, which means outbound beaconing is impossible.
Answer: C

Process lineage and agent logs provide strong proof that the traffic came from the approved patch client. When the destination is a known vendor service and the timing matches the expected update schedule, the repeated connections are likely normal behavior. This is exactly the kind of evidence analysts should use to validate a detection instead of escalating a benign operational pattern.

Why this answer

Option C is correct because it provides verifiable evidence that the outbound HTTPS connections are legitimate: the process lineage and signed agent logs confirm the patch-management client initiated the traffic on its scheduled update cycle. This aligns with the expected behavior of a patch-management tool, which often uses HTTPS to a vendor update service at regular intervals. The EDR's beaconing detection is a false positive because the traffic is not malicious but rather a routine, authorized activity.

Exam trap

The trap here is that candidates may assume any periodic outbound connection is malicious beaconing, ignoring that legitimate software update services often use scheduled HTTPS connections to the same IP, and that process lineage and signed logs are the definitive evidence to validate the traffic's legitimacy.

How to eliminate wrong answers

Option A is wrong because user testimony and the absence of file encryption are subjective and do not provide technical proof that the network traffic is legitimate; beaconing can occur without immediate encryption events. Option B is wrong because the source IP appearing on a blocklist does not automatically make the alert malicious—blocklists often include legitimate services, and the destination is a known vendor update service. Option D is wrong because having antivirus installed does not prevent outbound beaconing; antivirus software does not block legitimate HTTPS connections initiated by authorized processes, and beaconing can still occur even with AV present.

219
MCQ · easy

A technician restores a file server from backup, but the business wants confidence that the recovery process will work during an outage. What should the team do most often to validate the backups?

A. Review the backup vendor brochure for proof that recovery will work.
B. Perform regular restore tests using sample files or systems.
C. Increase the backup retention period without testing restores.
D. Change the backup password every day and skip verification.
Answer: B

Restore testing proves backups are readable, complete, and usable when recovery is needed.

Why this answer

Option B is correct because the only way to gain confidence that backups can be successfully restored during an actual outage is to perform regular, documented restore tests. This validates the integrity of the backup media, the correctness of the restoration procedure, and the recoverability of data within the required recovery time objective (RTO). Without testing, assumptions about backup reliability remain unverified, which can lead to catastrophic data loss when a real disaster occurs.

Exam trap

The trap here is that candidates assume that simply having backups or extending retention is sufficient, but CompTIA emphasizes that only actual restore testing provides verifiable proof of recoverability, not the presence of backup files or vendor claims.

How to eliminate wrong answers

Option A is wrong because a vendor brochure only describes theoretical capabilities under ideal conditions, not the actual performance or compatibility of the backup solution with the specific server hardware, software, and data sets in use. Option C is wrong because increasing retention without testing does nothing to validate that the stored backup files are not corrupt, incomplete, or incompatible with the current restore environment. Option D is wrong because changing the backup password daily adds unnecessary administrative overhead and skipping verification removes the only automated check for backup integrity, making it impossible to detect silent data corruption or failed backup jobs.

220
MCQ · medium

A SIEM reports a successful sign-in to a SaaS admin portal from a new country, followed three minutes later by multiple configuration changes to mailbox forwarding rules. The account owner says they were in the office and did not approve any changes. What should the analyst check next?

A. The identity provider and MFA logs to confirm whether the session was legitimately authenticated or hijacked.
B. The office printer logs to see whether the user printed the mailbox rules.
C. The antivirus signature version on the user’s laptop only.
D. The DNS cache on the user’s laptop to find the forwarding rule target.
Answer: A

Because the sign-in succeeded and configuration changes followed quickly, the key question is whether the session was legitimately established or taken over. Identity provider logs, MFA approvals, token issuance, and session details can confirm whether the login came from the owner or from a stolen credential/session. This is the most direct way to validate the alert before taking disruptive action.

Why this answer

Option A is correct because the SIEM alert shows a successful sign-in from a new country followed by suspicious configuration changes, which is a classic indicator of session hijacking or credential theft. Checking the identity provider (IdP) and MFA logs allows the analyst to verify if the authentication was legitimate (e.g., from a known device/IP) or if the session token was stolen and reused, as MFA can be bypassed via token replay or consent phishing. This step directly addresses the core question of whether the session was authorized or compromised.

Exam trap

The trap here is that candidates may focus on endpoint indicators (antivirus, DNS) or unrelated logs (printer) instead of recognizing that the core issue is authentication integrity, which must be verified through identity provider and MFA logs.

How to eliminate wrong answers

Option B is wrong because office printer logs are irrelevant to mailbox forwarding rule changes; they record print jobs, not authentication or email configuration events. Option C is wrong because antivirus signature versions on the user's laptop only indicate whether malware definitions are up to date, but they do not provide evidence of session hijacking or unauthorized configuration changes in a cloud SaaS portal. Option D is wrong because the DNS cache on the user's laptop stores domain-to-IP mappings, not the target address of mailbox forwarding rules; forwarding rule targets are stored in the email server's transport rules or mailbox settings, not in local DNS.

221
Multi-Select · easy

A workstation is suspected of running malware and contacting an unknown host. Which two actions belong in the containment phase? Select two.

Select 2 answers
A. Isolate the workstation from the network.
B. Block the malicious IP or domain at the firewall or proxy.
C. Reimage the workstation immediately before collecting evidence.
D. Tell the user to keep working until tomorrow.
E. Delete recent logs to reduce noise.
Answers: A, B

Isolating the workstation stops spread while keeping the system available for analysis.

Why this answer

Isolating the workstation from the network (A) immediately stops the malware's ability to communicate with the command-and-control (C2) server, preventing data exfiltration and further propagation. Blocking the malicious IP or domain at the firewall or proxy (B) is a containment action that prevents any system on the network from reaching the known malicious host, even if other hosts are already compromised. Both actions align with the NIST SP 800-61 containment strategy of stopping the spread and impact of an incident.

Exam trap

The trap here is that candidates confuse the containment phase with the eradication phase, mistakenly thinking that reimaging (Option C) is a containment action when it is actually an eradication step that should only occur after evidence collection and analysis.

222
MCQ · medium

A security operations analyst is tuning a SIEM correlation rule designed to detect brute-force password attacks against domain user accounts. The current rule generates an alert when a single user account has more than 10 failed logon attempts within a 5-minute window. The SOC team is overwhelmed by thousands of alerts each day, the vast majority of which are triggered by legitimate users who accidentally mistype their passwords. Which of the following modifications to the rule would most effectively reduce false positives while still detecting actual brute-force attacks?

A. Increase the failed attempt threshold to 20 attempts within the same 5-minute window.
B. Modify the rule to trigger only when the failed attempts originate from multiple distinct source IP addresses.
C. Modify the rule to trigger only when the failed attempts are against multiple distinct user accounts.
D. Add an exception to suppress alerts for any user account that has a valid password reset request within the same time period.
Answer: B

This is correct because a genuine brute-force attack often uses a distributed set of source IPs to evade rate limiting, whereas a legitimate user mistyping typically connects from a single IP. This change filters out most false positives while still detecting distributed attacks.

Why this answer

Option B is correct because brute-force attacks often distribute failed attempts across multiple source IP addresses to evade detection, while legitimate users typically mistype from a single IP. By requiring failed attempts from multiple distinct source IPs, the rule filters out accidental mistypes (single IP) and still catches distributed brute-force attacks, which is a common evasion technique.

Exam trap

The trap here is that candidates may focus on adjusting numeric thresholds (Option A) as a quick fix, overlooking the behavioral pattern of source IP diversity that distinguishes accidental mistypes from coordinated brute-force attacks.

How to eliminate wrong answers

Option A is wrong because simply increasing the threshold to 20 attempts may reduce false positives but also allows a brute-force attacker to make more attempts before detection, increasing the risk of a successful compromise. Option C is wrong because requiring failed attempts against multiple distinct user accounts would detect a password spraying attack, not a single-user brute-force attack, and would miss targeted brute-force attempts against one account. Option D is wrong because a valid password reset request does not guarantee that subsequent failed attempts are benign; an attacker could still be brute-forcing the same account after a reset, and suppressing alerts based on this would create a dangerous blind spot.
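To make the rule change in question 222 concrete, here is an added example (written for this page, not code from the exam vendor or any SIEM product) that implements the original correlation rule and the answer-B modification over a constructed set of authentication events. The event tuples, account names, addresses and the three scenarios (a mistyping user, a distributed attack, a single-source attack) are all constructed; the threshold and window values are the ones the question states.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not from any real system):
# (timestamp, account, source_ip, outcome). Three scenarios are built in:
#   jdoe          - a user mistyping a password 12 times from one office address
#   svc-backup    - 30 failures spread over six external addresses in three minutes
#   finance-admin - 40 failures from a single external address (shows the trade-off)
_BASE = datetime(2024, 3, 1, 9, 0, 0)

def _at(seconds):
    return _BASE + timedelta(seconds=seconds)

SAMPLE_EVENTS = (
    [(_at(i), "jdoe", "10.0.0.5", "fail") for i in range(12)]
    + [(_at(15), "jdoe", "10.0.0.5", "success")]
    + [(_at(600 + 6 * i), "svc-backup", f"203.0.113.{i % 6 + 1}", "fail") for i in range(30)]
    + [(_at(1200 + 2 * i), "finance-admin", "198.51.100.9", "fail") for i in range(40)]
)

def evaluate_rule(events, threshold=10, window_seconds=300, min_distinct_sources=1):
    """Return the set of accounts that trip the correlation rule.

    threshold=10 and window_seconds=300 reproduce the rule in the question
    (more than 10 failed logons for one account in 5 minutes).
    min_distinct_sources=1 is that original rule; min_distinct_sources=2 is
    the answer-B modification: the failures inside the window must come from
    at least two different source addresses before an alert fires.
    """
    failures = defaultdict(list)
    for ts, account, src, outcome in events:
        if outcome == "fail":
            failures[account].append((ts, src))

    window = timedelta(seconds=window_seconds)
    tripped = set()
    for account, attempts in failures.items():
        attempts.sort()
        # Slide a window anchored on each failure; stop at the first window that fires.
        for i, (start, _) in enumerate(attempts):
            sources = [src for ts, src in attempts[i:] if ts - start <= window]
            if len(sources) > threshold and len(set(sources)) >= min_distinct_sources:
                tripped.add(account)
                break
    return tripped

def original_rule(events):
    """The rule as the question describes it: per-account count only."""
    return evaluate_rule(events)

def modified_rule(events):
    """Answer B: the same count, but the failures must span several source IPs."""
    return evaluate_rule(events, min_distinct_sources=2)

if __name__ == "__main__":
    print("original rule :", sorted(original_rule(SAMPLE_EVENTS)))
    print("modified rule :", sorted(modified_rule(SAMPLE_EVENTS)))
```

Run stand-alone, the original rule flags all three accounts while the modified rule flags only svc-backup, which is the false-positive reduction the answer describes. The constructed finance-admin scenario shows the trade-off a practitioner should keep in mind: a single-source attacker no longer trips this rule, so per-source rate limiting at the logon service or a separate per-source-IP rule still has a place alongside it.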

223
MCQ · hard

Based on the exhibit, what is the best-supported conclusion for the SOC analyst?

A. The traffic is normal web browsing to a content delivery network.
B. The host is likely using DNS tunneling or DNS-based command and control.
C. The issue is most likely ARP spoofing on the local switch port.
D. The evidence most strongly indicates a password spraying campaign.
Answer: B

The repeated TXT queries, predictable timing, small UDP payloads, and absence of proxy traffic strongly suggest data or commands are being carried over DNS. The unique subdomains and steady beacon interval are classic indicators of DNS tunneling or DNS-based command-and-control. The signed PDF reader only shows how the activity may have started, not that it is benign.

Why this answer

The exhibit shows a high volume of DNS queries to multiple unusual domains with long subdomain strings, which is a classic indicator of DNS tunneling or DNS-based command and control (C2). DNS tunneling encodes data in DNS queries and responses, allowing attackers to exfiltrate data or communicate with a C2 server while bypassing traditional network controls. The SOC analyst should recognize this pattern as anomalous DNS activity rather than normal web browsing.

Exam trap

The trap here is that candidates may confuse DNS tunneling with normal DNS resolution for CDN services, but the key differentiator is the abnormal volume and structure of the DNS queries, not the destination IP addresses.

How to eliminate wrong answers

Option A is wrong because normal web browsing to a content delivery network (CDN) would generate HTTP/HTTPS traffic to known CDN domains, not an excessive number of DNS queries to obscure, randomly generated subdomains. Option C is wrong because ARP spoofing operates at Layer 2 and would manifest as duplicate IP addresses or unusual ARP traffic, not as a high volume of DNS queries. Option D is wrong because a password spraying campaign involves repeated login attempts across multiple accounts, which would appear as authentication logs (e.g., Windows Event ID 4625) rather than DNS query patterns.
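The indicators named in question 223 (repeated TXT queries, never-repeated long subdomains under one parent domain, and a steady query interval) can be measured rather than eyeballed, and the steady-interval check is the same regularity test an EDR applies when it raises the beaconing alert in question 218. The following is an added example written for this page, not code from the exam vendor or any DNS or EDR product. The log line layout, the two client addresses, the query names, and the four indicator thresholds are all constructed assumptions; a real deployment would tune the thresholds and use the public suffix list instead of the two-label parent-domain shortcut.

```python
import hashlib
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed DNS query log (not from any real resolver), one record per line:
#   "<ISO timestamp> <client-ip> <qtype> <qname>"
# 10.0.0.8 browses a few ordinary names at irregular times.
# 10.0.0.7 sends a TXT query every 60 s to a never-repeated 40-character label
# under one parent domain, the pattern the question's explanation describes.
_BASE = datetime(2024, 3, 1, 10, 0, 0)

def _line(offset_s, client, qtype, qname):
    return f"{(_BASE + timedelta(seconds=offset_s)).isoformat()} {client} {qtype} {qname}"

SAMPLE_LOG = (
    [_line(off, "10.0.0.8", "A", name) for off, name in zip(
        [0, 3, 40, 41, 95, 200, 202, 260, 400, 401, 520, 700],
        ["www.example.com", "cdn.example.com", "static.example.org"] * 4)]
    + [_line(60 * i, "10.0.0.7", "TXT",
             hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:40] + ".updates.example.net")
       for i in range(20)]
)

# Assumed thresholds for the four indicators; tune them to the environment.
TXT_RATIO_MIN = 0.5           # share of the client's queries that are TXT
UNIQUE_LABEL_RATIO_MIN = 0.9  # share of never-repeated leftmost labels under the top parent
LABEL_LEN_MIN = 30            # average leftmost-label length in characters
INTERVAL_CV_MAX = 0.1         # std-dev / mean of inter-query gaps (0 = perfectly regular)
INDICATORS_TO_FLAG = 3        # how many of the four must hit before flagging

def parse_log(lines):
    """Group records per client as (timestamp, qtype, qname)."""
    by_client = defaultdict(list)
    for line in lines:
        ts, client, qtype, qname = line.split()
        by_client[client].append((datetime.fromisoformat(ts), qtype, qname.rstrip(".")))
    return by_client

def _parent(qname):
    # Assumption: the last two labels are the registrable domain.
    return ".".join(qname.split(".")[-2:])

def profile_client(queries):
    """Compute the indicators the question's explanation relies on."""
    queries = sorted(queries)
    txt_ratio = sum(q[1] == "TXT" for q in queries) / len(queries)
    top_parent, _ = Counter(_parent(q[2]) for q in queries).most_common(1)[0]
    labels = [q[2].split(".")[0] for q in queries if _parent(q[2]) == top_parent]
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(queries, queries[1:])]
    interval_cv = pstdev(gaps) / mean(gaps) if len(gaps) > 1 and mean(gaps) > 0 else float("inf")
    return {
        "queries": len(queries),
        "txt_ratio": txt_ratio,
        "top_parent": top_parent,
        "unique_label_ratio": len(set(labels)) / len(labels),
        "avg_label_len": mean(len(label) for label in labels),
        "interval_cv": interval_cv,
    }

def is_tunneling_candidate(p):
    hits = [
        p["txt_ratio"] >= TXT_RATIO_MIN,
        p["unique_label_ratio"] >= UNIQUE_LABEL_RATIO_MIN,
        p["avg_label_len"] >= LABEL_LEN_MIN,
        p["interval_cv"] <= INTERVAL_CV_MAX,
    ]
    return sum(hits) >= INDICATORS_TO_FLAG

def analyse(lines):
    """Map each client to its indicator profile plus a verdict."""
    result = {}
    for client, queries in parse_log(lines).items():
        p = profile_client(queries)
        p["tunneling_candidate"] = is_tunneling_candidate(p)
        result[client] = p
    return result

if __name__ == "__main__":
    for client, p in analyse(SAMPLE_LOG).items():
        print(client, p)
```

On the constructed log, 10.0.0.7 hits all four indicators and is flagged, while 10.0.0.8 hits none. Requiring several indicators together, rather than any one of them, is what keeps ordinary CDN lookups (short, repeated labels, A records, irregular timing) out of the queue; the regularity measure alone would also flag a legitimate scheduled updater like the patch client in question 218, which is why that alert is resolved by process lineage rather than by timing.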

224
Multi-Select · easy

After a ransomware event, management wants proof that backups can actually be used before trusting them. Which two activities best validate recoverability? Select two.

Select 2 answers
A. Restore a sample file or folder into an isolated test environment.
B. Compare restored data with hashes or known-good source copies.
C. Trust a backup because the job status shows completed successfully.
D. Increase backup retention without testing restore ability.
E. Keep backups on production servers for quicker access during incidents.
Answers: A, B

A test restore shows whether the backup can actually bring data back.

Why this answer

Restoring a sample file or folder into an isolated test environment (Option A) directly validates that the backup data is readable, the restore process works, and the data can be accessed in a clean environment. This is the most practical way to prove recoverability without risking production systems, as it tests the actual restore workflow end-to-end.

Exam trap

The trap here is that candidates often assume a successful backup job status (Option C) guarantees recoverability, but the exam emphasizes that only actual restore testing and integrity verification (Options A and B) provide true validation.

225
Multi-Select · hard

A server room sits below a chilled-water line, and occasional condensation is forming on the pipe during humid afternoons. Facilities wants the earliest warning before water reaches equipment and a way to get an alert even if no one is onsite. Which two controls should be implemented? Select two.

Select 2 answers
A. Install a networked water-leak detection cable beneath the raised floor near the chilled-water line.
B. Add monitored environmental alerts that notify the NOC or building management system when the sensor trips.
C. Replace standard doors with mantraps to prevent tailgating at the room entrance.
D. Increase firewall logging on the server VLAN to spot moisture-related outages.
E. Use temperature-only sensors because condensation always raises heat first.
Answers: A, B

A leak-detection cable gives direct, early warning when moisture appears near the highest-risk area.

Why this answer

A networked water-leak detection cable is the correct choice because it provides continuous, real-time monitoring for moisture along the length of the cable. When condensation drips onto the cable, it completes a circuit between two conductors, triggering an immediate alert. This gives the earliest possible warning before water reaches server equipment, even in an unattended facility.

Exam trap

The trap here is that candidates may confuse environmental monitoring with network or access controls, selecting options like mantraps or firewall logging that address different security domains but do not solve the specific water-detection and alerting requirement.
