Free CompTIA CS0-003 Practice Exam with Questions & Answers | Set: 13

The correct answer is D. MITRE ATT&CK.

MITRE ATT&CK is a framework that maps the tactics, techniques, and procedures (TTPs) of various threat actors and groups, based on real-world observations and data. MITRE ATT&CK can help a Chief Information Security Officer (CISO) to map all the attack vectors that the company faces each day, as well as to align their security controls around the most relevant and prevalent threats. MITRE ATT&CK can also help the CISO to assess the effectiveness and maturity of their security posture, as well as to identify and prioritize the gaps and improvements .

The other options are not the best recommendations for mapping all the attack vectors that the company faces each day. OSSTMM (Open Source Security Testing Methodology Manual) (A) is a methodology that provides guidelines and best practices for conducting security testing and auditing, but it does not map the TTPs of threat actors or groups. Diamond Model of Intrusion Analysis (B) is a model that analyzes the relationships and interactions between four elements of an intrusion: adversary, capability, infrastructure, and victim. The Diamond Model can help understand the characteristics and context of an intrusion, but it does not map the TTPs of threat actors or groups. OWASP (Open Web Application Security Project) © is a project that provides resources and tools for improving the security of web applications, but it does not map the TTPs of threat actors or groups.

The correct answer is B. Replace the current MD5 with SHA-256.

The vulnerability that the security analyst is able to exploit is a hash collision, which is a situation where two different files produce the same hash value. Hash collisions can allow an attacker to bypass the integrity or authentication checks that rely on hash values, and submit malicious files to the system. The web application uses MD5, which is a hashing algorithm that is known to be vulnerable to hash collisions. Therefore, the analyst should suggest replacing the current MD5 with SHA-256, which is a more secure and collision-resistant hashing algorithm.

The other options are not the best suggestions to mitigate the vulnerability with the fewest changes to the current script and infrastructure. Deploying a WAF (web application firewall) to the front of the application (A) may help protect the web application from some common attacks, but it may not prevent hash collisions or detect malicious files. Deploying an antivirus application on the hosting system © may help scan and remove malicious files from the system, but it may not prevent hash collisions or block malicious files from being submitted. Replacing the MD5 with digital signatures (D)may help verify the authenticity and integrity of the files, but it may require significant changes to the current script and infrastructure, as digital signatures involve public-key cryptography and certificate authorities.

Group Policy Objects (GPO) are a feature in Windows environments that allow administrators to control settings and permissions across user accounts and computers within an organization. GPOs can restrict user permissions to prevent unauthorized installation or modification of applications, making them the best choice for centrally managing user capabilities on Windows systems. While HIPS (Host Intrusion Prevention Systems), Registry, and DLP (Data Loss Prevention) have their own uses, GPOs provide a scalable and enterprise-level solution for application control as per CompTIA Security+ guidelines.

Registry artifacts and EDR data are two data sources that can provide valuable information about the root cause of a malware outbreak. Registry artifacts can reveal changes made by the malware to the system configuration, such as disabling security services, modifying startup items, or creating persistence mechanisms1. EDR data can capture the behavior and network activity of the malware, such as the initial infection vector, the command and control communication, or the lateral movement2. These data sources can help the analyst identify the malware family, the attack technique, and the threat actor behind the outbreak.

Vulnerability B is the vulnerability that the analyst should be most concerned about, knowing that end users frequently click on malicious links sent via email. Vulnerability B is a remote code execution vulnerability in Microsoft Outlook that allows an attacker to run arbitrary code on the target system by sending a specially crafted email message. This vulnerability is very dangerous, as it does not require any user interaction or attachment opening to trigger the exploit. The attacker only needs to send an email to the victim’s Outlook account, and the code will execute automatically when Outlook connectsto the Exchange server. This vulnerability has a high severity rating of 9.8 out of 10, and it affects all supported versions of Outlook. Therefore, the analyst should prioritize patching this vulnerability as soon as possible to prevent potential compromise of the workstations.

According to the CompTIA CySA+ Study Guide: Exam CS0-003, 3rd Edition1, the best technique to provide the necessary assurance for embedded software that drives centrifugal pumps at a power plant is formal methods. Formal methods are a rigorous and mathematical approach to software development and verification, which can ensure the correctness and reliability of critical software systems. Formal methods can be used to specify, design, implement, and verify embedded software using formal languages, logics, and tools1.

Containerization, manual code reviews, and static and dynamic analysis are also useful techniques for software assurance, but they are not as rigorous or comprehensive as formal methods. Containerizationis a method of isolating and packaging software applications with their dependencies, which can improve security, portability, and scalability. Manual code reviews are a process of examining the source code of a software program by human reviewers, which can help identify errors, vulnerabilities, and compliance issues. Static and dynamic analysis are techniques of testing and evaluating software without executing it (static) or while executing it (dynamic), which can help detect bugs, defects, and performance issues1.

When prioritizing vulnerabilities, analysts consider theCVSS score, whether the system isinternet-facing, and ifsensitive datais involved. The primary goal is to mitigate the mostexploitableandimpactfulrisks first.

Let's break down the key components:

Attack Vector (AV): Whether the attack can be launched remotely (N = Network) or locally (L = Local).

Attack Complexity (AC): The difficulty of executing the attack (L = Low, H = High).

Privileges Required (PR): The level of access needed for exploitation (N = None, L = Low, H = High).

User Interaction (UI): Whether user interaction is required for the attack (N = No, R = Required).

Scope (S): Whether the attack affects other systems (C = Changed, U = Unchanged).

Confidentiality (C), Integrity (I), Availability (A): The impact level (H = High, L = Low, N = None).

Evaluating Each System:

System 1 (CVSS: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H)

Internet-facing✅

No sensitive data❌

High confidentiality and availability impact✅

Moderate risk due to requiring low privileges

System 2 (CVSS: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H)

Not internet-facing❌

No sensitive data❌

Lower priority since it’s local-only

System 3 (CVSS: AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L)

Internet-facing✅

Contains sensitive data✅

But very low likelihood of exploit (requires physical access, high privileges, user interaction)

Lower priority due to high attack complexity

System 4 (CVSS: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:H)

Internet-facing✅

No sensitive data❌

No privileges required for exploitation✅

High impact on confidentiality and availability✅

Most critical due to remote exploitability and system-wide scope

System 5 (CVSS: AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N)

Internet-facing✅

Contains sensitive data✅

But requires high privileges, high attack complexity, and user interaction

Lower priority than System 4

System 6 (CVSS: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H)

Not internet-facing❌

No sensitive data❌

Same as System 2 (low priority due to being local-only)

Final Decision: Patch System 4 First

System 4 is themost criticalbecause:

It isinternet-facing(higher exposure).

It has ahigh CVSS score.

Itrequires no privileges(easy to exploit).

It hassystem-wide scope impact(can affect other systems).

Thus, it should bepatched firstto minimize security risks.

The MITRE ATT&CK framework is specifically designed for tracking Tactics, Techniques, and Procedures (TTPs) associated with cyber threats. It provides a detailed matrix of known adversarial behaviors, which is useful for correlating SIEM data to known attack patterns. According to CompTIA CySA+, MITRE ATT&CK is an industry-standard framework for threat intelligence and behavior analysis, making it the ideal tool for tracking malicious IP addresses and understanding their tactics. Other options like OSSTMM, the Diamond Model, and OWASP do not focus on TTPs as directly as MITRE ATT&CK does.

The suspicious entry on the host-based IDS logs indicates that a reverse shell was executed on the host, which connects to the remote IP address 10.1.2.3 on port 8080. The shell script option D uses the netstat command to check if there is any active connection to that IP address and port, and prints “Malicious activity” if there is, or “OK” otherwise. This is the most accurate way to confirm if the reverse shell is still active, as the other options may not detect the connection or may produce false positives.

ReferencesCompTIA CySA+ Study Guide: Exam CS0-003, 3rd Edition, Chapter 8: Incident Response, page 339.Reverse Shell Cheat Sheet, Bash section.