CompTIA Security+ (SY0-601) — Question 53
While reviewing an alert that shows a malicious request on one web application, a cybersecurity analyst is alerted to a subsequent token reuse moments later on a different service using the same single sign-on method. Which of the following would BEST detect a malicious actor?
Answer options
- A. Utilizing SIEM correlation engines
- B. Deploying Netflow at the network border
- C. Disabling session tokens for all sites
- D. Deploying a WAF for the web server
Correct answer: A
Explanation
Using SIEM correlation engines is the best choice because they aggregate and analyze logs from many sources and can link related events across them, which is exactly what is needed here: the malicious request on the first application and the reuse of the same token on a different service moments later are only recognizable as one attack when the two services' logs are correlated. In contrast, deploying Netflow provides visibility into traffic flows but does not inspect application-layer details such as which token was presented, so it won't specifically identify token misuse. Disabling session tokens altogether would break legitimate user access and is not a practical solution. A WAF can help protect the individual web server against attacks but sees only that one server's traffic and may not directly detect token reuse across services.
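The correlation rule the explanation describes, written out as an added example (it is not part of the exam material and not any particular SIEM product's rule language): two services that share one SSO method emit constructed, pipe-delimited log lines, and the rule flags a token that appears in a request blocked as malicious on one service and is then presented to a different service, from a different source address, within a short window. The log format, field names, the `waf_block_sqli` event label and the five-minute window are all assumptions made for the example.

```python
"""Cross-service SSO token-reuse correlation (added example, not from the exam page)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from two services behind the same SSO.
# Field layout (an assumption for this example): timestamp|service|source_ip|token_id|event
SAMPLE_LOGS = """\
2024-05-01T10:00:02Z|webapp|203.0.113.10|tok-A1|login_ok
2024-05-01T10:00:05Z|webapp|203.0.113.10|tok-A1|waf_block_sqli
2024-05-01T10:00:41Z|reports|198.51.100.7|tok-A1|request_ok
2024-05-01T10:01:00Z|webapp|192.0.2.55|tok-B2|login_ok
2024-05-01T10:02:30Z|reports|192.0.2.55|tok-B2|request_ok
"""

# Event labels that mark the first request as malicious (assumed naming).
SUSPICIOUS_EVENTS = {"waf_block_sqli"}
# How long after the malicious request a reuse on another service still counts.
WINDOW = timedelta(minutes=5)


def parse_events(text):
    """Parse the pipe-delimited lines into dicts, sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, service, ip, token, event = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "service": service,
            "ip": ip,
            "token": token,
            "event": event,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def correlate_token_reuse(events, window=WINDOW):
    """Return one finding per malicious request whose token is later reused
    on a different service from a different source IP within `window`.

    Requiring a different service AND a different IP keeps normal SSO
    behaviour (one user browsing several services) from firing the rule.
    """
    by_token = defaultdict(list)
    for e in events:
        by_token[e["token"]].append(e)  # events are already time-ordered

    findings = []
    for token, evs in by_token.items():
        for i, first in enumerate(evs):
            if first["event"] not in SUSPICIOUS_EVENTS:
                continue
            for later in evs[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break  # beyond the correlation window
                if later["service"] != first["service"] and later["ip"] != first["ip"]:
                    findings.append({
                        "token": token,
                        "first_service": first["service"],
                        "first_ip": first["ip"],
                        "reuse_service": later["service"],
                        "reuse_ip": later["ip"],
                        "seconds_between": int((later["ts"] - first["ts"]).total_seconds()),
                    })
                    break  # one finding per malicious request is enough to alert
    return findings


def run_on_sample():
    return correlate_token_reuse(parse_events(SAMPLE_LOGS))


if __name__ == "__main__":
    for f in run_on_sample():
        print(f"ALERT token {f['token']}: blocked on {f['first_service']} from {f['first_ip']}, "
              f"reused on {f['reuse_service']} from {f['reuse_ip']} after {f['seconds_between']}s")
```

On the sample input the rule produces a single alert for `tok-A1` (blocked on `webapp`, reused on `reports` from another address 36 seconds later) and stays silent for `tok-B2`, whose cross-service use comes from the same address and follows no malicious request. Neither service alone could raise this alert, which is the point the question makes about correlation.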