CompTIA CySA+ (CS0-003) — Question 390
During a routine review of DNS logs, a security analyst observes that Host X has been making frequent DNS requests to domains with random alphanumeric strings (e.g., atd8ekthj.xyz). IPS anomaly rules are blocking these domains. This behavior started shortly after a new software installation on the host. Which of the following should the analyst do first to determine whether Host X has been compromised?
Answer options
- A. Allow the domains because the DNS requests are part of a misconfigured software update.
- B. Check the software installation logs for errors and reinstall the software.
- C. Block all outbound connections from the host to prevent further DNS queries.
- D. Use threat intelligence to check if the queried domains are associated with legitimate sites.
Correct answer: D
Explanation
The correct answer is D because using threat intelligence to verify the legitimacy of the queried domains helps determine whether they are malicious, which is the first step in establishing whether the host is compromised. Options A and C do not address the potential compromise, and B may not provide immediate clarity on whether the host is compromised.