Which of the following is an important aspect that should be included in the lessons-learned step after an incident?
Answer(s): A
Option A is correct because the lessons-learned phase focuses on identifying improvements to the incident response plan and procedures to prevent recurrence. A) Correct — emphasizes updating IR playbooks, runbooks, and communication workflows based on findings. B) Incorrect — assigning blame is counterproductive; CS practice emphasizes blameless post-incident reviews focusing on process improvements, not individuals. C) Incorrect — legal evidence handling is an investigative activity; lessons learned should reflect process enhancements, not ongoing legal procedures. D) Incorrect — financial impact analysis may be part of business continuity or risk assessment but is not the primary focus of lessons learned in IR lifecycle.
The security operations team is required to consolidate several threat intelligence feeds due to redundant tools and portals. Which of the following will best achieve the goal and maximize results?
Option A is correct because a single pane of glass consolidates multiple threat intel feeds into one unified interface, reducing tool fragmentation and improving correlation, visibility, and response efficiency.A) Correct — aligns threat intelligence into a centralized dashboard, enabling streamlined ingestion, correlation, and faster decision-making across feeds.B) Incorrect — single sign-on focuses on authentication across tools, not consolidation of threat intelligence content or feeds.C) Incorrect — data enrichment adds context to indicators but does not merge or deduplicate feeds from multiple sources.D) Incorrect — deduplication removes duplicate items within a dataset; it does not consolidate multiple feeds into one view.
Which of the following would a security analyst most likely use to compare TTPs between different known adversaries of an organization?
Option A is correct because MITRE ATT&CK provides a publicly available knowledge base of adversary TTPs (techniques, tactics, and procedures) used to compare and map behaviors across different actors. Incorrect — B: Cyber Kill Chain is a threat modeling framework describing attacker progression, not a direct TTP comparison across adversaries. Incorrect — C: OWASP focuses on application security vulnerabilities, not adversary TTPs. Incorrect — D: STIX/TAXII are data models/transport for threat intelligence sharing, not a structured framework for comparing TTPs between known adversaries.
An analyst is remediating items associated with a recent incident. The analyst has isolated the vulnerability and is actively removing it from the system. Which of the following steps of the process does this describe?
Option A is correct because eradication involves removing threat components from the environment after containment, completing the cleanup phase of remediation. Incorrect —B) Recovery is restoring systems to normal operations after eradication, not the active removal itself.C) Containment is isolating affected systems to prevent spread, which occurs earlier; it’s not the removal phase.D) Preparation is the proactive planning phase before an incident, not the remediation actions taken during or after containment.
Joe, a leading sales person at an organization, has announced on social media that he is leaving his current role to start a new company that will compete with his current employer. Joe is soliciting his current employer's customers. However, Joe has not resigned or discussed this with his current supervisor yet. Which of the following would be the best action for the incident response team to recommend?
Answer(s): D
Option D is correct because incident response should involve lawful, organizationally approved processes and coordination with HR/legal before taking any user-level actions, to avoid policy violations or data loss. A, B, and C are premature technical actions that could impact user data, violate privacy, or contravene corporate policy without proper authorization and evidence of risk escalation. Isolating a PC (A) or wiping/reimaging (B/C) could disrupt legitimate work or violate employment/records laws. Without documented policy and authorization, the IR team should escalate to HR/legal and follow formal incident handling procedures, including evidence collection and containment planning.
The Chief Information Security Officer is directing a new program to reduce attack surface risks and threats as part of a zero trust approach. The IT security team is required to come up with priorities for the program. Which of the following is the best priority based on common attack frameworks?
Option A is correct because reducing administrator and privileged access aligns with zero trust and common attack frameworks (principle of least privilege, PAM controls) to minimize attack surface and limit insider/external abuse. It directly reduces harmful blast radius and credential abuse opportunities.B) Incorrect — network-based IDS detects threats but does not reduce attack surface; it is a detection/control tool, not a preventive privilege reduction prioritized in zero trust.C) Incorrect — thorough incident response is important but not the top preventive priority to shrink attack surface; frameworks prioritize access controls and segmentation first.D) Incorrect — enabling SSO improves usability but can expand trust boundaries if not paired with strong access controls; not the primary practical reduction of attack surface.
During an extended holiday break, a company suffered a security incident. This information was properly relayed to appropriate personnel in a timely manner, and the server was up to date and configured with appropriate auditing and logging. The Chief Information Security Officer wants to find out precisely what happened. Which of the following actions should the analyst take first?
Option A is correct because cloning the affected virtual server preserves the original state for forensically sound analysis, preventing contamination or alteration of evidence during examination. This aligns with standard incident response and digital forensics practice to create a working copy for analysis.B is incorrect because analyzing logs directly on the live system risks altering evidence and may be hindered by ongoing activity; evidence should be preserved via a forensic copy first.C is incorrect because restoring to a last known-good backup alters the system state, erasing potential evidence and hindering incident reconstruction.D is incorrect because immediate shutdown should be avoided if containment and preservation steps are not yet completed; it can destroy volatile data and hinder investigation.
A systems administrator is reviewing after-hours traffic flows from data center servers and sees regular, outgoing HTTPS connections from one of the servers to a public IP address. The server should not be making outgoing connections after hours. Looking closer, the administrator sees this traffic pattern around the clock during work hours as well. Which of the following is the most likely explanation?
Option A is correct because persistent, regular HTTPS connections to a public IP from a server indicate C2 beaconing behavior, where a compromised host communicates with an adversary’s infrastructure to receive commands or exfiltrate data. The after-hours and around-the-clock pattern aligns with automated beaconing rather than legitimate maintenance traffic.B is incorrect because data exfiltration would show large or unusual data transfer, not just regular, small HTTPS connections to a single external endpoint. C is incorrect since anomalous activity on unexpected ports would involve nonstandard ports; HTTPS over port 443 is expected. D is incorrect because port scanning generates rapid, short-lived connection attempts, not steady outbound HTTPS to one host. E is incorrect as a rogue device implies a new device on the network, not ongoing outbound beaconing from an existing server.
Share your comments for CompTIA CS0-003 exam with other users:
90% of questions was there but i failed the exam, i marked the answers as per the guide but looks like they are not accurate , if not i would have passed the exam given that i saw about 45 of 50 questions from dump
answer to this question "what administrative safeguards should be implemented to protect the collected data while in use by manasa and her product management team? " it should be (c) for the following reasons: this administrative safeguard involves controlling access to collected data by ensuring that only individuals who need the data for their job responsibilities have access to it. this helps minimize the risk of unauthorized access and potential misuse of sensitive information. while other options such as (a) documenting data flows and (b) conducting a privacy impact assessment (pia) are important steps in data protection, implementing a "need to know" access policy directly addresses the issue of protecting data while in use by limiting access to those who require it for legitimate purposes. (d) is not directly related to safeguarding data during use; it focuses on data transfers and location.
password lockout being the correct answer for question 37 does not make sense. it should be geofencing.
for question 4, the righr answer is :recover automatically from failures
question number 4s answer is 3, option c. i
very good questions
i am confused about the answers to the questions. are the answers correct?
very usefull
need certification.
great exam prep
i require dump
good morning, could you please upload this exam again,
hi can you please upload the dumps for sap contingent module. thanks
good questions
looking forward to the real exam
good ones for exam preparation
this is a good experience
hi everyone
waiting for the dump. please upload.
upload cks exam questions
awesome training material
where is dump
q. 289 - the correct answer should be b not d, since the question asks for the most secure way to provide access to a s3 bucket (a single one), and by principle of the least privilege you should not be giving access to all buckets.
please i need if possible h12-831,
good collection of questions and solution for pl500 certification
i would like to appear the exam.
i am very happy as i cleared my comptia a+ 220-1101 exam. i studied from as it has all exam dumps and mock tests available. i got 91% on the test.
need this dump
its really good to eventuate knowledge before appearing for the actual exam.
this is great
please i want the questions to pass the exam
i need to pass exam
great, i appreciate it.
please could you upload (isc)2 certified in cybersecurity (cc) exam questions