Back to CompTIA Cybersecurity Analyst+ (CySA+)

Security Operations

Enhance security operations processes, differentiate threat intelligence and threat hunting, and identify malicious activity using appropriate tools.

Covers system and network architecture concepts including log ingestion, operating system concepts, infrastructure, network architecture, identity and access management (IAM), encryption, and sensitive data protection. Includes analyzing malicious activity indicators such as network anomalies, host issues, application irregularities, and social engineering threats. Also covers tools and techniques for detecting malicious activity, threat intelligence and hunting, and process improvement strategies.
5 minutes 5 Questions

In the context of the CompTIA Cybersecurity Analyst+ (CySA+) certification, Security Operations constitutes the tactical, day-to-day defense of an organization's digital assets. It centers on the functionalities typically performed within a Security Operations Center (SOC), where analysts monitor, …

Concepts covered: Email header analysis, Log ingestion and SIEM integration, Operating system (OS) concepts for security, Infrastructure security concepts, Network architecture and security, Identity and access management (IAM), Unexpected communication patterns, Network anomaly detection, Bandwidth spikes and unusual traffic, Rogue device detection, Host-based indicators of compromise, Unauthorized software detection, Data exfiltration indicators, Application irregularities, Encryption and cryptographic concepts, Sensitive data protection, Service interruption analysis, Social engineering attack indicators, Wireshark for network analysis, Security Information and Event Management (SIEM), VirusTotal and malware analysis tools, Pattern recognition techniques, Python scripting for security, PowerShell for security operations, Threat actors and adversary profiles, Tactics, techniques, and procedures (TTPs), Confidence levels in threat intelligence, Threat intelligence collection methods, Intelligence sharing and ISACs, Threat hunting techniques, Hypothesis-driven threat hunting, Standardizing security operations processes, Streamlining security operations, Tool integration and automation, Single pane of glass monitoring

Test mode:
Start practice test
CySA+ - Security Operations Example Questions

Test your knowledge of Security Operations

Question 1

During a security architecture review, a team is discussing how to improve their monitoring capabilities across cloud, on-premises, and endpoint environments. A junior analyst asks why organizations invest in single pane of glass solutions when individual tools already provide their own dashboards. Which response BEST explains the strategic advantage of this consolidated approach?

Correct Answer: It enables correlation of events across disparate systems to identify complex attack patterns that span multiple security domains

The correct answer explains that a single pane of glass solution enables correlation of events across disparate systems to identify complex attack patterns that span multiple security domains.

This is the strategic advantage because modern cyberattacks often traverse multiple environments - an attacker might compromise an endpoint, move laterally through on-premises infrastructure, and exfiltrate data through cloud services. Individual tool dashboards only show their specific domain, making it nearly impossible to see the full attack chain. A consolidated view allows security analysts to correlate seemingly unrelated events across cloud, on-premises, and endpoint environments to detect sophisticated multi-stage attacks.

The other options are incorrect for the following reasons:

The option suggesting cost reduction by replacing all existing tools misrepresents single pane of glass solutions. These platforms typically aggregate and correlate data FROM existing tools rather than replacing them. Organizations still maintain their specialized security tools; the consolidated dashboard provides unified visibility.

The option about automated remediation across all systems describes a feature that may exist in some SOAR (Security Orchestration, Automation and Response) platforms, but this is not the primary strategic advantage of consolidated monitoring. The question specifically asks about monitoring capabilities and why consolidated views are valuable.

The option claiming it eliminates the need for specialized analysts is incorrect and potentially dangerous thinking. Consolidated dashboards still require skilled analysts to interpret complex security data, investigate alerts, and make informed decisions. Simplified views do not replace the need for expertise in understanding attack techniques, threat intelligence, and incident response procedures.

Question 2

A security analyst is reviewing a Wireshark capture and notices HTTP traffic containing encoded data in the User-Agent field that appears to follow a base64 pattern with regular beacon intervals of approximately 60 seconds. Which threat activity does this traffic characteristic most strongly suggest?

Correct Answer: Command and control communication using HTTP as a covert channel for malware beaconing

Command and control communication using HTTP as a covert channel for malware beaconing is the correct answer.

The traffic characteristics described are classic indicators of Command and Control (C2) activity:

  1. Base64 encoded data in User-Agent field: Attackers commonly use encoding schemes like base64 to obfuscate malicious commands or exfiltrated data within HTTP headers. The User-Agent field is a popular location for hiding C2 communications because it normally contains legitimate browser information and is often not scrutinized closely.

  2. Regular beacon intervals of approximately 60 seconds: This consistent timing pattern is a hallmark of malware beaconing behavior. Compromised systems typically 'check in' with their C2 servers at regular intervals to receive commands or report status. The predictable 60-second interval is a strong indicator of automated malicious activity rather than organic user traffic.

  3. HTTP as a covert channel: Malware authors frequently use HTTP because it blends in with normal web traffic and typically passes through firewalls unimpeded.

The other options are incorrect because:

  • Standard browser telemetry does not typically use encoded data in the User-Agent field with such precise timing intervals. Browser telemetry uses proper API endpoints and structured data formats.

  • Load balancing health checks would use dedicated health check endpoints and would not embed encoded data in User-Agent headers. They also typically occur between infrastructure components, not from endpoints to external servers.

  • Legitimate software update mechanisms use standard authentication methods and APIs, not encoded data hidden in User-Agent strings. Update polling would also typically occur at longer, more variable intervals.

Question 3

A security analyst examining a Wireshark capture of suspected lateral movement activity observes multiple SMB connections from a single workstation to various internal servers. The analyst notices that each SMB session negotiation includes NTLM authentication with the same username but different challenge-response pairs. When applying the display filter 'ntlmssp.auth.username' to correlate these events, which additional Wireshark analysis technique would best help determine if credential harvesting tools like Mimikatz were used prior to this activity?

Correct Answer: Correlating the timeline of NTLM authentications with process creation artifacts by exporting objects and cross-referencing with endpoint logs

The correct answer involves correlating the timeline of NTLM authentications with process creation artifacts by exporting objects and cross-referencing with endpoint logs.

This approach is the most effective because Mimikatz and similar credential harvesting tools leave artifacts at the endpoint level, not within the network traffic itself. Wireshark can capture the authentication attempts resulting from credential abuse, but it cannot reveal how those credentials were obtained. By exporting relevant objects from the packet capture and correlating timestamps with endpoint logs (such as Windows Security Event logs showing process creation events like Event ID 4688), analysts can identify if Mimikatz.exe or similar tools were executed before the lateral movement activity began.

The option suggesting filtering for Kerberos AS-REQ packets to identify golden ticket usage is problematic because golden tickets are Kerberos-based attacks, and the scenario specifically describes NTLM authentication being used. Additionally, detecting golden tickets requires analyzing ticket granting tickets and service tickets, not AS-REQ patterns alone.

The option proposing SMB2 command filtering with time delta analysis to detect pass-the-hash signatures is flawed because smb2.cmd == 5 represents tree connect operations, and rapid file enumeration timing alone cannot confirm pass-the-hash attacks. This approach would show file access patterns but provides no evidence of how credentials were initially harvested.

The option about using IO Graphs to plot NTLM timing intervals for anomaly detection is a legitimate network analysis technique for identifying unusual patterns, but it cannot determine if credential harvesting tools were used. Timing analysis can show suspicious authentication behavior but cannot attribute the source of credential compromise to specific tools like Mimikatz.

More Security Operations questions
702 questions (total)
Start 100 question test