Exam CAS-003 topic 1 question 48 discussion

Actual exam question from CompTIA's CAS-003
Question #: 48
Topic #: 1

An advanced threat emulation engineer is conducting testing against a client's network. The engineer conducts the testing in as realistic a manner as possible.
Consequently, the engineer has been gradually ramping up the volume of attacks over a long period of time. Which of the following combinations of techniques would the engineer MOST likely use in this testing? (Choose three.)

  • A. Black box testing
  • B. Gray box testing
  • C. Code review
  • D. Social engineering
  • E. Vulnerability assessment
  • F. Pivoting
  • G. Self-assessment
  • H. White teaming
  • I. External auditing
Suggested Answer: AEF

Comments

tek
Highly Voted 5 years, 4 months ago
The emulation part means this one is correct A. Black box testing E. Vulnerability assessment F. Pivoting
upvoted 8 times
D1960
4 years ago
Not so sure. I think by "emulation" they mean it has to seem like a real attack. Social engineering is widely used, that would certainly seem like a real attack. Black box testing is not really a "technique" used to break into a network. The threat emulation engineer not using a black box method would not make the attacks seem any less real.
upvoted 1 times
Jslap
Most Recent 3 years, 5 months ago
Everyone keeps saying AEF. Are we confusing Vulnerability Scans with Vulnerability Assessments here? If the engineer is black box testing and pivoting, then he was able to exploit a vulnerability to gain access. I've never heard of pivoting as part of a vulnerability assessment. Also, the argument against social engineering as a technique to gain access into a network just because it's a NETWORK test is stupidly weak. Also also, black box testing IS a technique per All-In-One CASP+ Exam Guide pg. 365. Going with ADF. Source: All-In-One CASP+ Exam Guide CAS-003 pg. 366, pg. 357, pg. 352-357
upvoted 1 times
TheThreatGuy
4 years, 4 months ago
I can't see vulnerability assessment as correct just because that is not part of a "real world" scenario. If we want these realistic then we would use the same tools as an attacker. Black box, social engineering, and pivoting.
upvoted 2 times
D1960
4 years ago
Attackers use vulnerability assessments. That is completely "real world."
upvoted 2 times
justaguy90
4 years, 6 months ago
The first sentence says "conducting testing", but the answer wants "combination of techniques". It also asks about going against a "client's network". So I would say social engineering is out since this person is an "advanced threat emulation engineer". A. Black box testing E. Vulnerability Assessment F. Pivoting
upvoted 1 times
Trap_D0_r
4 years, 5 months ago
AEF I agree that testing against the NETWORK, is different than vulnerability testing against an ORGANIZATION or Information System. This rules out Social Engineering (You don't socially engineer network vulnerability, typically).
upvoted 1 times
D1960
4 years, 4 months ago
"testing against the NETWORK, is different than vulnerability testing against an ORGANIZATION" I don't think so. If I am trying to break into your organization's network, then a social engineering attack against your organization is a social engineering attack against your network. Also, Black Box testing is *not* a testing technique. There are only three *techniques* listed: vulnerability assessment, pivoting, and social engineering.
upvoted 1 times
D1960
4 years, 7 months ago
Maybe: DFF ? Why not: E. Vulnerability assessment ? Seems as likely as F. Pivoting. Maybe A. Black box testing is wrong? The question asks: "Which of the following combinations of *techniques* . . ." Black box testing is a type of testing, not a technique.
upvoted 1 times
D1960
4 years, 7 months ago
Excuse me. I meant DEF not DFF. Again: Black box testing is a type of testing, not a technique.
upvoted 1 times
Rankin
4 years, 8 months ago
ADF are correct
upvoted 2 times
boblee
4 years, 8 months ago
I'M GOING WITH ADF.
upvoted 2 times
boblee
4 years, 5 months ago
Revision - I'm going with AEF
upvoted 2 times
tek
5 years, 4 months ago
A. Black box testing D. Social engineering F. Pivoting
upvoted 2 times