CompTIA CySA+ Exam: First Step to Evaluate Potential Indicator of Compromise

Analyzing Outbound DNS Requests on Web Server

Question

A security analyst is responding to an incident on a web server on the company network that is making a large number of outbound requests over DNS.

Which of the following is the FIRST step the analyst should take to evaluate this potential indicator of compromise?

Answers

Explanations



E.

When responding to a potential security incident on a web server that is making a large number of outbound requests over DNS, the FIRST step the analyst should take to evaluate this potential indicator of compromise is to start a network capture on the system to look into the DNS requests to validate command and control traffic (answer B).

Starting a network capture on the system will allow the analyst to view the DNS requests being sent out by the system and investigate if any of these requests are being made to malicious domains associated with command and control traffic. This will help the analyst to determine if the system has been compromised and is communicating with an attacker-controlled domain, which would indicate a potential security incident.
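The kind of triage the capture enables, as an added example that is not part of the original question or its explanation: once the DNS queries from the web server have been captured and exported, the analyst groups them per destination domain and looks for the shape of command-and-control or tunneling traffic (many queries, each with a distinct random-looking leftmost label, often TXT records). The log format, the sample lines, the thresholds and the two-label approximation of the registrable domain are all constructed assumptions for illustration, not the output of any real tool.

```python
"""Triage DNS queries from a capture for command-and-control / tunneling indicators.

Added example: the log format, thresholds and sample data below are constructed
for illustration and are not from any vendor tool or from the original page.
"""
import math
from collections import defaultdict

# Constructed sample export: "<epoch> <client_ip> <query_name> <qtype>" per line.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com A
1700000001 10.0.0.5 cdn.example.com A
1700000002 10.0.0.5 3kq9z1x8vbn2m7c4.data.badc2.test TXT
1700000003 10.0.0.5 www.example.com A
1700000004 10.0.0.5 9f2kd7l0pqz3m1vx.data.badc2.test TXT
1700000005 10.0.0.5 mail.example.com A
1700000006 10.0.0.5 a8r5t2y7u1i4o6p3.data.badc2.test TXT
1700000007 10.0.0.5 w4e9r2t6y1u8i3o5.data.badc2.test TXT
1700000008 10.0.0.5 api.example.com A
1700000009 10.0.0.5 q1w3e5r7t9y2u4i6.data.badc2.test TXT
1700000010 10.0.0.5 z0x9c8v7b6n5m4l3.data.badc2.test TXT
1700000011 10.0.0.5 www.example.com A
1700000012 10.0.0.5 h6j2k8l4m0n7b3v9.data.badc2.test TXT
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random-looking labels score near log2(alphabet size)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Assumption: no public-suffix list is consulted, so names under 'co.uk'-style
    suffixes collapse incorrectly; acceptable for triage of one host's traffic.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def parse_line(line: str):
    """Return (client_ip, qname, qtype) or None for blank/malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _ts, client, qname, qtype = parts
    return client, qname.lower(), qtype.upper()


def analyze(log_text: str, min_queries: int = 5, min_unique: int = 5,
            entropy_threshold: float = 3.0):
    """Group queries per (client, domain) and score tunneling/C2 indicators.

    A domain is flagged when it receives many queries, most carrying a distinct
    leftmost label, and those labels look random (high mean entropy).
    """
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, qname, qtype = rec
        groups[(client, registered_domain(qname))].append((qname, qtype))

    findings = {}
    for (client, domain), queries in groups.items():
        leftmost = [q.split(".")[0] for q, _ in queries]
        subdomains = set(leftmost)
        mean_entropy = sum(shannon_entropy(lbl) for lbl in leftmost) / len(leftmost)
        txt_ratio = sum(1 for _, t in queries if t == "TXT") / len(queries)
        flagged = (len(queries) >= min_queries
                   and len(subdomains) >= min_unique
                   and mean_entropy >= entropy_threshold)
        findings[(client, domain)] = {
            "queries": len(queries),
            "unique_subdomains": len(subdomains),
            "mean_entropy": round(mean_entropy, 2),
            "txt_ratio": round(txt_ratio, 2),
            "flagged": flagged,
        }
    return findings


if __name__ == "__main__":
    for (client, domain), f in sorted(analyze(SAMPLE_LOG).items()):
        marker = "SUSPECT" if f["flagged"] else "ok     "
        print(f"{marker} {client} {domain} {f}")
```

Note the combination logic: `www.example.com` is queried repeatedly, so volume alone would be a poor signal; it is the pairing of volume with many unique, high-entropy labels under one domain that distinguishes likely tunneling from a busy but legitimate name. The flagged domains are what the analyst then checks against threat intelligence before deciding on containment.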

The other answer options are not appropriate as the first step in responding to this incident:

  • Running an anti-malware scan on the system (answer A) may be useful, but it should not be the first step taken as it does not address the immediate concern of the suspicious DNS requests. Additionally, running an anti-malware scan may alert the attacker to the fact that their activities have been discovered, potentially allowing them to cover their tracks and evade detection.
  • Shutting down the system (answer C) may prevent further degradation of the company network, but it will also stop the suspicious DNS requests and may prevent the analyst from gathering valuable information about the incident. It is generally best to keep the system running so that the analyst can continue to observe its behavior and gather more information.
  • Reimaging the machine (answer D) is a drastic step that should only be taken if all other avenues have been exhausted and the system cannot be trusted. It should not be the first step taken as it does not address the immediate concern of the suspicious DNS requests, and it will also destroy any evidence that could be used to further investigate the incident.
  • Isolating the system on the network (answer E) may prevent the system from accessing other systems while evaluation is underway, but it does not address the immediate concern of the suspicious DNS requests. It is generally best to keep the system running so that the analyst can continue to observe its behavior and gather more information. Additionally, isolating the system may prevent the analyst from gathering network-level information about the incident.