CompTIA CySA+ (CS0-003) — Question 149
The SOC received a threat intelligence notification indicating that an employee’s credentials were found on the dark web. The user’s web and log-in activities were reviewed for malicious or anomalous connections, data uploads/downloads, and exploits. A review of the controls confirmed multifactor authentication was enabled. Which of the following should be done first to mitigate impact to the business networks and assets?
Answer options
- A. Perform a forced password reset.
- B. Communicate the compromised credentials to the user.
- C. Perform an ad hoc AV scan on the user’s laptop.
- D. Review and ensure privileges assigned to the user’s account reflect least privilege.
- E. Lower the thresholds for SOC alerting of suspected malicious activity.
Correct answer: A
Explanation
The correct answer is A: performing a forced password reset immediately secures the account against further unauthorized access using the exposed credentials. Communicating with the user (B) and reviewing privileges (D) are both important, but they should happen after the account has been secured. An antivirus scan (C) and adjusting alert thresholds (E) are less urgent in this context.