Last Attempt CS0-003 Questions

The correct answer is B because the packet capture shows ICMP echo request traffic carrying data in the packet payload. ICMP echo requests are normally used for ping-style connectivity checks, not for transferring business data. The presence of millions of ICMP packets with payload data, combined with the fact that proprietary information is already appearing on the dark web, strongly indicates data exfiltration over an alternative protocol, often described as ICMP tunneling or protocol misuse.

The official CompTIA CySA+ CS0-003 objectives place this directly under Security Operations, specifically analyzing indicators of potentially malicious activity and using packet capture tools. The objectives explicitly include data exfiltration, unexpected outbound communication, packet capture, Wireshark, and tcpdump as relevant skills and tools for determining malicious activity.

Supporting extract from the CySA+ Study Guide: ICMP echo requests are produced by ping, and “Ping communications take place using the Internet Control Message Protocol (ICMP).” This confirms that the observed Type 8 echo request traffic is ICMP ping-style traffic, not a normal file-transfer or application protocol.

Supporting extract from the Secbay CySA+ guide: “Data Exfiltration: Unauthorized transfer of sensitive data from a system, potentially indicating a data breach or insider threat activity.” The same section also states that “Unexpected Outbound Communication” can indicate communication with malicious or unauthorized entities.

Why the other options are incorrect:

A is not the best answer because the evidence does not prove an insider or a command-and-control channel. The packet capture shows ICMP echo requests with data payloads, which points more directly to exfiltration.

C is incorrect because there is no evidence of malware propagation, scans, sweeps, or attempts to infect other systems.

D is incorrect because an ICMP DDoS would normally involve traffic intended to overwhelm a target. Here, the key indicator is data being carried inside ICMP echo request packets, and the business context is stolen proprietary information on the dark web.

Therefore, the most likely malicious activity is exfiltration over an alternative protocol.

Command and control (C2) is a phase of the Cyber Kill Chain that involves the adversary attempting to establish communication with a successfully exploited target. C2 enables the adversary to remotely control or manipulate the target system or network using various methods, such as malware callbacks, backdoors, botnets, or covert channels. C2 allows the adversary to maintain persistence, exfiltrate data, execute commands, deliver payloads, or spread to other systems or networks.

In this scenario, adding the IP address to the EDR (Endpoint Detection and Response) deny list is an immediate and effective way to block further reconnaissance activities from the malicious source. EDR solutions are designed to provide advanced endpoint security, including blocking specific IP addresses and preventing potentially harmful traffic. This proactive step aligns with CompTIA Cybersecurity Analyst (CySA+) best practices for threat prevention and response. While other options, such as using SIEM for monitoring (option B) or WAF policies (option C), provide additional layers of security, they do not directly block the threat in the same immediate way that adding the IP to the EDR deny list does.

A prioritized list of critical systems defined by executive leadership is the best option to use to develop a business continuity plan. A business continuity plan (BCP) is a system of prevention and recovery from potential threats to a company. The plan ensures that personnel and assets are protected and are able to function quickly in the event of a disaster1. A BCP should include a business impact analysis, which identifies the critical systems and processes that are essential for the continuity of the business operations, and the potential impacts of their disruption2. The executive leadership should be involved in defining the critical systems and their priorities, as they have the strategic vision and authority to make decisions that affect the whole organization3. A diagram of all systems and interdependent applications, a repository for all the software used by the organization, and a configuration management database in print at an off-site location are all useful tools for documenting and managing the IT infrastructure, but they are not sufficient to develop a comprehensive BCP that covers all aspects of the business continuity4. References: What Is a Business Continuity Plan (BCP), and How Does It Work?, Business continuity plan (BCP) in 8 steps, with templates, Business continuity planning | Business Queensland, Understanding the Essentials of a Business Continuity Plan