Exam CS0-002 topic 1 question 132 discussion

Actual exam question from CompTIA's CS0-002
Question #: 132
Topic #: 1

A team of security analysts has been alerted to potential malware activity. The initial examination indicates one of the affected workstations is beaconing on TCP port 80 to five IP addresses and attempting to spread across the network over port 445. Which of the following should be the team's NEXT step during the detection phase of this response process?

  • A. Escalate the incident to management, who will then engage the network infrastructure team to keep them informed.
  • B. Depending on system criticality, remove each affected device from the network by disabling wired and wireless connections.
  • C. Engage the engineering team to block SMB traffic internally and outbound HTTP traffic to the five IP addresses.
  • D. Identify potentially affected systems by creating a correlation search in the SIEM based on the network traffic.
Suggested Answer: D
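The SIEM correlation search that answer D describes, as an added example (not from the exam or this discussion page): it runs over constructed flow records and flags hosts that contact any of the five suspect IPs on TCP/80 or fan out on TCP/445 to many internal hosts, so the team can scope affected systems before escalating or blocking. All IP addresses, the fan-out threshold and the log lines are constructed placeholders.

```python
# Added example (not from the exam page): a minimal SIEM-style correlation
# search over constructed flow records, mirroring answer D. It flags hosts that
# beacon on TCP/80 to any of the five suspect IPs or fan out on TCP/445.
from collections import defaultdict

# Constructed placeholders for the five beacon destinations (not real IoCs)
SUSPECT_C2 = {"203.0.113.10", "203.0.113.11", "203.0.113.12",
              "203.0.113.13", "203.0.113.14"}
SMB_FANOUT_THRESHOLD = 5  # distinct /445 targets before we call it spreading

# Constructed flow records: "timestamp src_ip dst_ip dst_port proto"
SAMPLE_FLOWS = """\
2024-01-01T10:00:00 10.0.0.21 203.0.113.10 80 tcp
2024-01-01T10:00:05 10.0.0.21 10.0.0.22 445 tcp
2024-01-01T10:00:06 10.0.0.21 10.0.0.23 445 tcp
2024-01-01T10:00:07 10.0.0.21 10.0.0.24 445 tcp
2024-01-01T10:00:08 10.0.0.21 10.0.0.25 445 tcp
2024-01-01T10:00:09 10.0.0.21 10.0.0.26 445 tcp
2024-01-01T10:01:00 10.0.0.22 203.0.113.12 80 tcp
2024-01-01T10:01:30 10.0.0.40 198.51.100.5 80 tcp
2024-01-01T10:02:00 10.0.0.41 10.0.0.50 445 tcp
"""

def parse_flows(text):
    """Yield (src, dst, dport) from whitespace-separated records."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records rather than abort the search
        _ts, src, dst, dport, _proto = parts
        yield src, dst, int(dport)

def correlate(text, c2=SUSPECT_C2, threshold=SMB_FANOUT_THRESHOLD):
    """Return {src_ip: sorted list of matched indicators}."""
    beaconers, smb_targets = set(), defaultdict(set)
    for src, dst, dport in parse_flows(text):
        if dport == 80 and dst in c2:
            beaconers.add(src)
        elif dport == 445:
            smb_targets[src].add(dst)
    findings = defaultdict(list)
    for src in beaconers:
        findings[src].append("beacon_to_suspect_ip")
    for src, targets in smb_targets.items():
        if len(targets) >= threshold:
            findings[src].append("smb_fanout")
    return {src: sorted(r) for src, r in findings.items()}
if __name__ == "__main__":
    for host, reasons in sorted(correlate(SAMPLE_FLOWS).items()):
        print(host, ", ".join(reasons))
```

On the sample data the search surfaces the original workstation (10.0.0.21) on both indicators and a second host (10.0.0.22) that has started beaconing but not yet spreading, which is the scoping information answer D is after.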

Comments

I_heart_shuffle_girls
Highly Voted 4 years, 3 months ago
D looks correct.
upvoted 17 times
RokzyBalboa
4 years, 3 months ago
Yes D looks the best since the question references what to do next in the detection phase.
upvoted 11 times
DrChats
Highly Voted 3 years, 11 months ago
Detect is to identify... D
upvoted 9 times
heinzelrumpel
Most Recent 1 year, 9 months ago
Selected Answer: D
D because they are still in the Identification Phase
upvoted 2 times
SimonR2
1 year, 9 months ago
A little tip I've found with questions like this is to look for a keyword in each of the answers and then match that with the IR life cycle: Escalate, Remove, Block, Identify. In the Detection & Analysis phase we are looking into "potential" malware activity; we are going to want to "Identify" before we Escalate, Block or Remove.
upvoted 4 times
NIKTES
1 year, 8 months ago
Great logic
upvoted 1 times
kill_chain
1 year, 10 months ago
Selected Answer: D
I don't think C is a detection phase, as the question states.
upvoted 1 times
Dutch012
1 year, 10 months ago
NEXT step during the "detection phase"
upvoted 2 times
kiduuu
2 years ago
Selected Answer: D
Creating a correlation search in the Security Information and Event Management (SIEM) system based on the network traffic can help the team identify potentially affected systems and gather more information on the behavior of the malware. This step will also help the team to determine the scope of the incident and prioritize their response efforts accordingly. Engage the engineering team to block SMB traffic internally and outbound HTTP traffic to the five IP addresses, is not the immediate next step as the team needs to gather more information before engaging other teams and blocking traffic.
upvoted 1 times
ksr933
2 years, 1 month ago
I'm going for D. The question mentioned "potential malware". We don't know yet if it's really malware. The next step is finding out the behavior, if it's malicious. If the question stated that malware is detected, then we would immediately do C.
upvoted 1 times
Snkrsnaker1
2 years, 1 month ago
Selected Answer: C
Answer is C: Based on this by CompTIA: "Detection and Analysis—Determine whether an incident has taken place and assess how severe it might be (triage), followed by notification of the incident to stakeholders." We already did an initial assessment and based on the findings, it needs to be "triaged", which is still in the detection phase. Which is why C is the best answer. This thing is actively beaconing out, you need to take action on this first, then go to D. So that is my reasoning for choosing C.
upvoted 2 times
2Fish
2 years, 1 month ago
Selected Answer: D
D. It specifically mentions "detection" phase.
upvoted 1 times
shivas
2 years, 5 months ago
Selected Answer: D
Going with D. "NEXT step during the detection phase"
upvoted 2 times
Maniact165
2 years, 6 months ago
Selected Answer: D
D due to the wording of the question
upvoted 1 times
SolventCourseisSCAM
2 years, 6 months ago
Selected Answer: D
"during the detection phase of this response process", so it needs to take action D. After that option C can be taken with the process completed through SIEM.
upvoted 1 times
Abyad
2 years, 7 months ago
Selected Answer: D
What is asked here is the detection phase, not the solution, so D is the best choice according to me.
upvoted 3 times
Laudy
2 years, 8 months ago
"during the detection phase"... Definitely D.
upvoted 1 times
miabe
2 years, 9 months ago
Selected Answer: D
looks good to me
upvoted 2 times
cysa_1127
3 years, 2 months ago
Selected Answer: D
going with D
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other