CompTIA CS0-003 Exam Practice Test Instant Access

Question 1

In the last hour, a high volume of failed RDP authentication attempts has been logged on a critical server. All of the authentication attempts originated from the same remote IP address and made use of a single valid domain user account. Which of the following mitigating controls would be most effective to reduce the rate of success of this brute-force attack? (Select two).

AIncrease the granularity of log-on event auditing on all devices.

BEnable host firewall rules to block all outbound traffic to TCP port 3389.

CConfigure user account lockout after a limited number of failed attempts.

DImplement a firewall block for the IP address of the remote system.

EInstall a third-party remote access tool and disable RDP on all devices.

FBlock inbound to TCP port 3389 from untrusted remote IP addresses at the perimeter firewall.

Answer : C, F

To mitigate brute-force attacks, implementing an account lockout policy (C) prevents continuous attempts by locking the account after a set number of failed logins. Blocking inbound connections on TCP port 3389 (RDP) from untrusted IP addresses (F) limits access, reducing the attack surface. According to CompTIA Security+, these controls effectively prevent unauthorized access. While blocking specific IPs (D) or disabling RDP (E) can also help, the lockout and firewall rules provide broader, proactive protection against this attack type.

Question 2

Which of the following is the best framework for assessing how attackers use techniques over an infrastructure to exploit a target's information assets?

AStructured Threat Information Expression

BOWASP Testing Guide

COpen Source Security Testing Methodology Manual

DDiamond Model of Intrusion Analysis

Answer : D

The Diamond Model of Intrusion Analysis focuses on understanding the relationships between the adversary, their capabilities, infrastructure, and victim. It provides a structured approach to examining how attackers exploit information assets. According to CompTIA CySA+, this model is valuable for detailing attack patterns and understanding the infrastructure attackers use. The other options, like Structured Threat Information Expression (A) and OWASP Testing Guide (B), address threat data sharing and web application testing, respectively, while the Open Source Security Testing Methodology Manual (OSSTMM) (C) covers general security testing procedures.

Question 3

A SOC analyst observes reconnaissance activity from an IP address. The activity follows a pattern of short bursts toward a low number of targets. An open-source review shows that the IP has a bad reputation. The perimeter firewall logs indicate the inbound traffic was allowed. The destination hosts are high-value assets with EDR agents installed. Which of the following is the best action for the SOC to take to protect against any further activity from the source IP?

AAdd the IP address to the EDR deny list.

BCreate a SIEM signature to trigger on any activity from the source IP subnet detected by the web proxy or firewalls for immediate notification.

CImplement a prevention policy for the IP on the WAF.

DActivate the scan signatures for the IP on the NGFWs.

Answer : A

Blocking the IP address at the EDR (Endpoint Detection and Response) level provides an immediate, targeted response to the detected reconnaissance activity, preventing further interaction with the high-value assets. EDR tools are designed to detect and block malicious IPs across endpoints. According to CompTIA CySA+, this proactive step is effective for isolating and mitigating threats on specific endpoints. While creating SIEM signatures (B) is useful for monitoring, and policies on WAF (C) and NGFWs (D) can provide additional layers of defense, the most immediate protective action is to block at the endpoint level.

Question 4

An analyst is reviewing a dashboard from the company's SIEM and finds that an IP address known to be malicious can be tracked to numerous high-priority events in the last two hours. The dashboard indicates that these events relate to TTPs. Which of the following is the analyst most likely using?

AMITRE ATT&CK

BOSSTMM

CDiamond Model of Intrusion Analysis

DOWASP

Answer : A

The MITRE ATT&CK framework is specifically designed for tracking Tactics, Techniques, and Procedures (TTPs) associated with cyber threats. It provides a detailed matrix of known adversarial behaviors, which is useful for correlating SIEM data to known attack patterns. According to CompTIA CySA+, MITRE ATT&CK is an industry-standard framework for threat intelligence and behavior analysis, making it the ideal tool for tracking malicious IP addresses and understanding their tactics. Other options like OSSTMM, the Diamond Model, and OWASP do not focus on TTPs as directly as MITRE ATT&CK does.

Question 5

A systems administrator needs to gather security events with repeatable patterns from Linux log files. Which of the following would the administrator most likely use for this task?

AA regular expression in Bash

BFilters in the vi editor

CVariables in a PowerShell script

DA playbook in a SOAR tool

Answer : A

Regular expressions are powerful tools for searching text based on specific patterns, making them ideal for parsing Linux log files to detect security events with repeatable patterns. In Bash, regular expressions can be used in commands like grep or awk to efficiently filter log data. CompTIA CySA+ emphasizes the use of regular expressions in log analysis for pattern matching, a common requirement for identifying suspicious activities in log files. Options B, C, and D are less suited for this specific task due to their limited pattern-matching capabilities or platform constraints.

Question 6

AMITRE ATT&CK

BOSSTMM

CDiamond Model of Intrusion Analysis

DOWASP

Answer : A

The MITRE ATT&CK framework is widely used for tracking and categorizing Tactics, Techniques, and Procedures (TTPs) of adversaries. TTPs help analysts understand the behaviors and methods attackers employ during incidents, making this framework particularly useful in SIEM dashboards for correlating and identifying threats. While the other options (OSSTMM, Diamond Model, OWASP) offer various security methodologies, MITRE ATT&CK is specifically focused on documenting adversary behaviors, making it the best fit here. CompTIA CySA+ often emphasizes MITRE ATT&CK for mapping and understanding threat behaviors in incident response.

Question 7

Which of the following best explains the importance of network microsegmentation as part of a Zero Trust architecture?

ATo allow policies that are easy to manage and less granular

BTo increase the costs associated with regulatory compliance

CTo limit how far an attack can spread

DTo reduce hardware costs with the use of virtual appliances

Answer : C

Microsegmentation involves dividing a network into smaller, isolated segments to restrict lateral movement within the network. This is crucial within a Zero Trust architecture, which assumes that no entity (internal or external) is inherently trustworthy. By limiting access to only necessary network segments, microsegmentation reduces the impact of a potential breach by containing it within a limited area. CompTIA emphasizes microsegmentation as an effective strategy to minimize risk and improve security posture by isolating resources based on the principle of least privilege.

CompTIA CS0-003 CompTIA Cybersecurity Analyst (CySA+) Exam Practice Test