CompTIA CySA+ (CS0-001) — Question 232

Alerts have been received from the SIEM, indicating infections on multiple computers. Based on threat characteristics, these files were quarantined by the host- based antivirus program. At the same time, additional alerts in the SIEM show multiple blocked URLs from the address of the infected computers; the URLs were classified as uncategorized. The domain location of the IP address of the URLs that were blocked is checked, and it is registered to an ISP in Russia. Which of the following steps should be taken NEXT?

Answer options

• A. Remove those computers from the network and replace the hard drives. Send the infected hard drives out for investigation.
• B. Run a full antivirus scan on all computers and use Splunk to search for any suspicious activity that happened just before the alerts were received in the SIEM.
• C. Run a vulnerability scan and patch discovered vulnerabilities on the next pathing cycle. Have the users restart their computers. Create a use case in the SIEM to monitor failed logins on the infected computers.
• D. Install a computer with the same settings as the infected computers in the DMZ to use as a honeypot. Permit the URLs classified as uncategorized to and from that host.

Correct answer: B

Explanation

The correct answer is B because running a full antivirus scan and using Splunk helps to identify the extent of the infection and any suspicious activities leading to the alerts, which is crucial for effective remediation. Option A is too drastic and may not be necessary; C focuses on vulnerabilities rather than immediate threat assessment, and D risks further exposure by allowing potentially harmful URLs to interact with a new system.