CompTIA
CAS-005 Question #208: Real Exam Question with Answer & Explanation
The correct answer is C: Review host 192.168.12.56 for malicious software. Given log entries indicating suspicious activity, the security analyst's most immediate first step should be to investigate the suspected internal host for malicious software.
Submitted by ricky.ec · Mar 6, 2026 · Security Operations
Question
A security operations analyst is reviewing the following log entries for suspicious activity: Which of the following should the analyst do first?
Options
- A. Perform a vulnerability scan on server 192.168.12.4.
- B. Search OSINT on the external IP 104.18.16.29.
- C. Review host 192.168.12.56 for malicious software.
- D. Disable the guest account on the host 192.168.12.4.
Explanation
Given log entries indicating suspicious activity, the security analyst's most immediate first step should be to investigate the suspected internal host for malicious software.
Common mistakes.
- A. Performing a vulnerability scan on server 192.168.12.4 addresses potential weaknesses but is not the immediate first response to active suspicious activity potentially originating from a different compromised host.
- B. Searching OSINT on the external IP 104.18.16.29 is a valuable step for threat intelligence, but the immediate priority is to address and contain the internal threat indicated by suspicious activity on an internal host.
- D. Disabling the guest account on host 192.168.12.4 is a good security hardening practice but is not the primary first step for responding to active suspicious activity from another internal host, which demands immediate investigation for compromise.
Concept tested. Incident response first steps and triage.
Community Discussion
No community discussion yet for this question.