cysa+ practice test Advanced Practice Exam: Hard Questions 2025

A SOC is receiving intermittent alerts that a critical Linux jump host is performing DNS queries for high-entropy subdomains (e.g., 35+ random characters) across many second-level domains. PCAP shows the queries are mostly TXT lookups with unusually large responses. The jump host is used by administrators and has legitimate access to internal DNS resolvers only (no direct internet). The organization wants to confirm or refute DNS tunneling while minimizing operational disruption and avoiding false positives from legitimate security tools. Which approach is MOST appropriate to validate the suspected tunneling and contain it if confirmed?

A SIEM correlation rule flags possible lateral movement: a workstation authenticates to 25 servers via Kerberos within 10 minutes, then an administrative share (C$) is accessed on several targets. EDR shows no malware, and the user claims they were running an inventory script. You need to distinguish legitimate automation from credential abuse (e.g., pass-the-ticket) using the strongest available evidence with minimal assumptions. Which additional data source and indicator combination is BEST to confirm credential theft versus legitimate use?

Your organization uses a cloud email security gateway and has a strict requirement to prevent data exfiltration via outbound email while keeping false positives low for legal and HR workflows. A recent incident involved a user sending sensitive customer records in encrypted password-protected ZIP files. The gateway cannot inspect encrypted attachments. Which control design BEST addresses this gap while balancing privacy and operational constraints?

During threat hunting, you observe periodic outbound HTTPS connections from an internal application server to a domain with newly registered WHOIS data. The TLS handshake uses a valid public certificate issued to a different, unrelated organization. JA3/JA4 fingerprints match common browser profiles, but the destination ASN is a small VPS provider. The SOC wants to decide whether to block immediately or investigate further. Which action provides the BEST balance of rapid risk reduction and preserving evidence for a potential incident response?

A vulnerability scanner reports a critical remote code execution finding on an internet-facing service. The service runs behind a reverse proxy and is only reachable via mutual TLS (mTLS) from a small set of partner IPs. The scanner did not authenticate and tested from an internal network segment. Leadership wants a remediation plan within 24 hours. What is the MOST defensible next step to determine true risk and prioritize actions?

A monthly vulnerability report shows a sharp increase in critical findings after enabling authenticated scanning. Many findings are configuration issues on Windows endpoints (e.g., weak local policy settings). Patch teams argue these should not be tracked as vulnerabilities, and the SOC is concerned remediation will stall due to ownership disputes. What is the BEST approach to drive measurable risk reduction while maintaining accurate metrics?

A development team uses containers orchestrated in a cluster. A scan identifies a critical CVE in a base image layer, but the vulnerable package is not used at runtime (no binaries executed; package present only due to the parent image). The team proposes ignoring it to avoid rebuilding images frequently. As the security analyst, you must recommend a decision that accounts for exploit chains, supply-chain risk, and operational impact. What is the BEST recommendation?

After containment of a ransomware incident, the IR team discovers evidence that the attacker had domain admin access for at least two weeks. Backups appear intact, but there are signs of potential firmware-level persistence on a subset of endpoints and possible golden ticket usage. The business wants to restore quickly while ensuring the attacker cannot re-enter. Which recovery strategy is MOST appropriate?

An organization uses a SOAR platform to auto-contain hosts when high-confidence phishing is detected. Recently, multiple executives were auto-contained during a board meeting due to a campaign that spoofed an internal system and triggered the playbook. Post-incident review shows the detection was correct, but the containment action caused unacceptable business impact. Which change to the automation design BEST reduces future business disruption without weakening security outcomes?

A security manager must brief both executives and a technical IR team after detecting suspected data exfiltration to a third-party SaaS from a compromised user account. The manager needs to communicate impact and actions without overstating certainty, while also enabling technical teams to continue investigation. Which reporting approach is MOST effective?