CompTIA CySA+ Practice Test (CS0-003)

The most appropriate initial strategy is to implement compensating controls. This allows the organization to reduce the immediate risk of the critical vulnerability while a plan is made to apply the permanent fix (the patch) in a way that minimizes business disruption, such as during a scheduled maintenance window. Immediately applying the patch ignores the stated business requirement of no interruption. Postponing remediation or simply accepting the risk without any mitigation leaves the organization unacceptably exposed to a critical threat.

A fishbone diagram is a visual tool that helps in identifying the cause and effect relationships that contribute to a particular event or incident. It is beneficial for pinpointing why control failures occurred during a security incident, as it forces the analysis team to explore multiple dimensions of potential failure points. Event tree analysis is used for probabilistic risk assessment but does not focus specifically on control failures. Pareto charts are useful for prioritizing issues based on their severity but don't establish cause-and-effect relationships. A Gantt chart is a project management tool for scheduling and doesn't apply to the analysis of control failures.

Re-imaging nodes one at a time, while ensuring the rest of the cluster continues to function, is the correct remediation technique in this scenario. This approach allows for maintaining high-availability and business continuity while each node is being addressed sequentially. Re-imaging all nodes simultaneously would reduce the redundancy and could lead to downtime, violating the high-availability requirement. Patching without re-imaging may not remove the threat completely if the system is deeply compromised, and restoring from backup is an option only after confirming the backups are clean and doing so one at a time to maintain uptime.

Regulatory reporting typically involves notifying a government agency or regulatory body about a data breach or other security incident. This is often required by law to ensure that the agency is aware of potential risks and can take appropriate actions. The other options are not specific to regulatory compliance.

Law enforcement should be engaged when the facts suggest criminal activity (for example, data theft, extortion, or network intrusion that crosses jurisdictions) or when statutes or regulations mandate external reporting. This ensures that any potential crime is investigated, preserves admissible evidence, and keeps the organization in regulatory compliance. Routine security events or purely internal matters do not automatically require police involvement, and premature disclosure can hamper containment or create jurisdictional conflicts. Options B, C, and D each describe situations that either lack evidence of criminality or defer unnecessarily and therefore are not appropriate triggers for contacting law enforcement.

Wireshark is the most appropriate tool for this task as it is a network protocol analyzer that captures packets and allows for in-depth inspection of their contents. This enables an analyst to reconstruct the communication between the compromised host and the external IP. Nmap is a network scanner used for discovering hosts and open ports, not for deep packet analysis. Nessus is a vulnerability scanner used to identify security weaknesses, which is not its function here. Metasploit is an exploitation framework used for penetration testing, not for analyzing captured network traffic.

SOAR platforms are designed to help organizations efficiently and effectively respond to security events by automating workflows and orchestrating various security tasks. They are not just about automation, but also about integrating different security tools and providing a coordinated response to incidents. This results in a faster response time, reduced manual effort, and a more streamlined security operation. While all the other options mentioned can be components of a SOAR solution, it is the SOAR platform itself that provides the necessary infrastructure for orchestration and automation.

The correct answer is Burp Suite, as it is a popular suite of tools designed specifically for web application security testing, with functionality that includes automated scanning for common web vulnerabilities as well as manual testing tools. Nmap is mostly used for network discovery and security auditing rather than in-depth web application testing. Prowler is focused on AWS security best practices and does not specialize in general web application scanning. GNU debugger (GDB) is used for debugging programs, not for scanning web applications for vulnerabilities.

An effective executive summary presents a high-level overview of the incident that concentrates on business impact-such as operational disruption, financial loss, or reputational damage-plus any immediate next steps. Executives generally do not need detailed technical artifacts like full log files or attacker TTPs; they need to understand how the incident affects the organization so they can authorize resources and set priorities. Therefore, highlighting the incident's impact is the most useful content for this audience.

Securing the original evidence while making a forensic copy is essential to maintain the integrity of the evidence for legal purposes and analysis. By using write blockers, analysts ensure that no additional data is written to the original evidence, which helps in preserving the state of the storage media at the time of the incident. The other options, while important in the forensic process, do not represent the initial action that should be taken to protect the integrity of the investigation.

An after-action report (also called a lessons-learned or post-incident review) systematically documents what happened, compares expected versus actual outcomes, and identifies strengths and gaps in the response process. This retrospective analysis is specifically intended to measure incident-handling effectiveness and drive process improvements. Vulnerability scans and penetration tests are proactive security assessments performed before an incident; continuous monitoring tracks the environment in real time rather than evaluating a past event.

After securing the environment by patching the vulnerability, it is essential to validate that the threat has been fully eradicated. This typically involves performing a thorough re-evaluation of the affected systems to ensure no residual malicious activity is present. Simply monitoring for new incidents or moving to recovery without this step could result in overlooking remaining threats.

Creating a hash of the storage media ensures that any data retrieved remains unchanged from its original state. By comparing the initial hash value with a subsequent one, any changes to the data can be identified, thereby confirming the data's integrity throughout the analysis. Images and copies of the system, while useful for analysis, do not directly maintain the integrity of the original evidence. While timestamps can provide information about when data was created or modified, they do not protect or verify the integrity of the evidence.

The display filter feature in Wireshark enables users to filter displayed packets based on specific criteria, such as protocols. In this scenario, using the display filter 'http' will show only HTTP traffic.

Container escape occurs when a malicious actor manages to break out of the container and gain access to the host system. Enforcing namespace isolation ensures that containers do not have system-level access, thereby minimizing the risk of container escape. This segregation of resources and environments helps maintain the unique security boundaries of each container. While other measures like data encryption, centralized logging, and API security are also important, they do not specifically address the risk of container escape.