A discovery scan is a type of reconnaissance activity performed to map the structure and components of a target system or application. Its primary goal is to identify assets, enumerate directories, and understand the overall layout—precisely what the analyst is tasked with. This initial mapping allows the analyst to define the scope for a more focused vulnerability scan and to explicitly exclude sensitive URIs or directories from further, potentially disruptive, testing. This activity is a prerequisite to in-depth scanning, not the in-depth scan itself.

A. Uncredentialed scan: This describes the authentication context (scanning without login credentials), not the specific objective of mapping the application's structure.

C. Vulnerability scan: This is a more intensive scan that actively probes for known weaknesses, which the scenario states will occur after this initial mapping phase.

D. Credentialed scan: This describes scanning with authenticated user privileges to assess the internal attack surface, which is not the stated goal of the initial reconnaissance.

1. National Institute of Standards and Technology (NIST). (2008). Technical Guide to Information Security Testing and Assessment (Special Publication 800-115).

Section 3.2

"Discovery

" describes this phase as the start of testing

used to "identify systems and the information on them" and to "develop a map of the network." This directly supports the concept of scanning to understand where the scan will go.

2. CompTIA. (2022). CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives CS0-003.

Exam Objective 2.1

"Explain the importance of vulnerability management

" lists "Discovery" as a specific type of scan. This confirms its relevance and distinction from other scan types within the official exam curriculum.

3. Kruegel

C.

& Vigna

G. (2003). Anomalous Payload-Based Network Intrusion Detection. In Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID '02).

The paper

in its discussion of web application analysis

implicitly supports the concept of a discovery/crawling phase. Section 3

"Web Application Analysis

" describes the initial step as crawling the web application to "build a model of the application

" which is synonymous with a discovery scan's purpose of mapping URIs before deeper analysis. (Available via Springer or university libraries).

A formal incident declaration process is a critical component of an Incident Response Plan (IRP). Its most important function is to establish a clear, unambiguous line of authority. This ensures that only designated and qualified personnel can officially classify a security event as an incident, thereby triggering the allocation of significant organizational resources and initiating the formal response protocol. Without this documented authority, organizations risk delayed responses, confusion, premature or unnecessary escalations, and a general lack of control over the incident management lifecycle. This formal designation of authority is the cornerstone of an orderly and effective response.

A. To require that an incident be reported through the proper channels

This is incorrect because reporting channels are part of the initial detection and analysis phase, which precedes the formal declaration. The declaration process is what happens after an event has been reported.

C. To allow for public disclosure of a security event impacting the organization

This is incorrect because public disclosure is a communication task that occurs much later in the incident response process, if at all. The initial declaration is an internal trigger for the response team.

D. To establish the department that is responsible for responding to an incident

This is incorrect because the responsible department (e.g., CSIRT) and its roles are defined in the overarching Incident Response Plan, not within the specific procedure for declaration.

---

1. NIST Special Publication 800-61 Rev. 2

Computer Security Incident Handling Guide.

Section 2.3.2

"Policy

Plan

and Procedure Creation": This section emphasizes the need for a formal incident response policy that defines roles

responsibilities

and levels of authority. It states

"The incident response policy should also state which individuals have the authority to... declare an incident." This directly supports that identifying authority is a primary goal of formalizing the process.

2. Carnegie Mellon University

Software Engineering Institute (SEI)

Defining Incident Management Processes

CERT/CC

October 2018.

Section 3.2

"Declare an Incident": This document outlines the incident management process and states

"The goal of this step is to make a decision about whether the event should be declared an incident... This decision is usually made by an incident response team leader or manager." This highlights that the declaration is a formal decision point made by an authorized individual.

3. ISO/IEC 27035-1:2023

Information technology — Information security incident management — Part 1: Principles and process.

Section 7.3

"Decision and declaration": This international standard specifies that the incident management process must include a formal decision step. It states that criteria for declaring an incident should be established and that "the decision to declare an information security incident should be taken by a competent and authorized person or team." This reinforces the centrality of designated authority in the declaration process.

:

The primary differentiator for prioritization among the given options is the Attack Vector (AV) metric within the CVSSv3 string. The AV:N (Network) vector indicates that the vulnerability is exploitable remotely from the internet. This represents the broadest attack surface and the highest immediate risk, as an attacker requires no prior access to the local or adjacent network. When other metrics like Attack Complexity (AC:L), Privileges Required (PR:L), and Impact (C:H/I:H/A:H) are identical, the vulnerability that can be exploited from anywhere on the network should always be remediated first.

A. AV:P (Physical) requires physical access to the target system, representing the lowest level of risk and therefore the lowest priority for remediation.

B. AV:A (Adjacent) requires the attacker to be on the same local network, which is a more limited attack surface than a network-exploitable vulnerability.

D. AV:L (Local) requires the attacker to have existing access to the system, making it a lower priority than a remotely exploitable vulnerability.

1. FIRST.org

Inc. (2019). Common Vulnerability Scoring System v3.1: Specification Document. Section 2.1.1

Attack Vector (AV). The document states

"The Base Score is highest for a vulnerability that can be exploited remotely (AV:N)... This is because the attacker does not require any local or physical access to the vulnerable component." This directly supports prioritizing AV:N.

2. Mell

P.

& Scarfone

K. (2005). The Common Vulnerability Scoring System (CVSS) and Its Applicability to Federal Agency Systems (NISTIR 7435). National Institute of Standards and Technology. Section 3.1

"Base Metrics

" discusses how the Attack Vector metric captures the context by which vulnerability exploitation is possible

with Network being the most critical.

3. Purdue University. CS 42600: Computer Security

Lecture 18 - Vulnerabilities. Course materials discuss vulnerability analysis and CVSS. The lectures emphasize that the Attack Vector is a critical component for prioritization

with network-based vectors (AV:N) posing a significantly higher risk than local

adjacent

or physical vectors due to the vast number of potential remote attackers.

The primary objective is to implement compensating controls to contain an active adversary on a live system while maintaining critical functionality. Deploying an Endpoint Detection and Response (EDR) solution provides deep visibility into system activities and allows responders to actively block or disrupt malicious processes, thereby reducing the adversary's capabilities without taking the server offline. Concurrently, using microsegmentation allows for the creation of granular, stateful firewall policies that restrict network connectivity to only what is explicitly required—in this case, the connection from the web server to the database server on a specific port. This network-level control effectively contains the adversary, preventing lateral movement to other parts of the network while preserving the necessary service connections.

A. Dropping the tables on the database server is a destructive action that violates the requirement to keep the service functional and results in data loss.

C. Stopping the httpd service would make the web application inaccessible, directly contradicting the requirement to keep the web service running and accessible.

E. Commenting out the HTTP account in /etc/passwd would disable the service account, causing the web server process to fail and violating the accessibility requirement.

F. Moving the database to the already compromised web server would be a major architectural change that increases risk by consolidating assets on a compromised host.

1. National Institute of Standards and Technology (NIST). (2012). Special Publication 800-61 Rev. 2

Computer Security Incident Handling Guide.

Section 3.3.3

Containment

p. 27: This section outlines containment strategies

which include isolating affected hosts or network segments. Microsegmentation is a modern implementation of network segmentation that creates "secure zones in data centers and cloud deployments that allow companies to isolate workloads from one another and secure them individually." This directly supports option D as a containment strategy.

2. Souppaya

M.

& Scarfone

K. (2013). NIST Special Publication 800-128

Guide for Security-Focused Configuration Management of Information Systems.

Section 4.3

Isolate

p. 21: Discusses isolation as a security technique. "Isolation may be implemented through physical or logical separation... Logical separation can be accomplished through a variety of mechanisms

such as access control lists (ACLs) on routers and firewalls..." Microsegmentation is an advanced form of logical separation

aligning with this principle for containment (Option D).

3. Al-Shaer

E.

& Wei

J. (2021). Modeling and Verification of Micro-segmentation for Zero-Trust Security. In Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security (pp. 3215–3217).

Abstract & Section 1: The paper describes microsegmentation as a key enabler for a Zero-Trust security model

which "enforces strict access control and network segmentation to prevent lateral movement." This directly supports the use of microsegmentation (Option D) to contain an adversary.

DOI: https://doi.org/10.1145/3460120.3485373

4. Boicea

A.

et al. (2018). EDR

EPP

and NGAV: The new triple-threat in endpoint security. 2018 10th International Conference on Electronics

Computers and Artificial Intelligence (ECAI).

Section II.A

Endpoint Detection and Response (EDR): This section describes EDR as a solution that "records system activities and events taking place on endpoints... and provides forensic analysis and remediation capabilities to identify and stop attacks." This capability to actively reduce an adversary's actions supports Option B.

DOI: https://doi.org/10.1109/ECAI.2018.8679018

The most effective method for safeguarding Personally Identifiable Information (PII) during an incident investigation is to combine technical controls with administrative controls. Encrypting the data (a technical control) protects it from unauthorized access if the storage medium is compromised. Simultaneously, limiting permissions within the investigation team (an administrative control) adheres to the principle of least privilege, ensuring that only authorized personnel with a direct need-to-know can access the sensitive data. This dual approach minimizes the risk of accidental exposure or insider threats while still enabling the investigation to proceed.

A. "Close the data so only the company has access" is overly broad and insecure, as it does not implement the principle of least privilege within the organization.

C. Creating a data deletion procedure is a crucial part of data lifecycle management but is not the most immediate or primary action for safeguarding data during an active incident.

D. "Permissions are open only to the company" is not a security control; it implies a lack of internal access controls and violates the principle of least privilege.

---

1. National Institute of Standards and Technology (NIST) Special Publication 800-122

Guide to Protecting the Confidentiality of Personally Identifiable Information (PII).

Section 4.4

"Restrict PII Access

" states

"Organizations should restrict access to PII to only those individuals who have a need to know... This is often referred to as the principle of least privilege." (Page 29).

Section 4.5

"Protect PII at Rest and in Transit

" recommends

"Organizations should consider using encryption to protect the confidentiality of PII... PII should be encrypted when it is stored (at rest)..." (Page 30). This directly supports combining limited permissions and encryption.

2. National Institute of Standards and Technology (NIST) Special Publication 800-61 Rev. 2

Computer Security Incident Handling Guide.

Section 3.2.5

"Handling

" discusses the importance of protecting evidence and sensitive data during an investigation. It states

"Handling of data should be performed according to the policies and procedures that were established in the preparation phase... This includes... protecting sensitive information." (Page 31). This implies that pre-defined controls like access limitation and encryption should be applied.

3. MIT OpenCourseWare

6.858 Computer Systems Security

Fall 2014.

Lecture 1

"Introduction; Threat models

" introduces the core security principles of confidentiality

integrity

and availability. The lecture materials emphasize that confidentiality is often enforced through a combination of access control mechanisms and encryption

which aligns directly with the correct answer. (Available at ocw.mit.edu).

The threat actor's actions of compiling, testing, and modifying a malicious downloader to evade specific security controls fall directly into the Weaponization stage of the Cyber Kill Chain. This stage is defined by the creation or modification of a malicious payload (the "weapon") that is tailored to the target environment. The actor is using intelligence gathered during reconnaissance to build an effective tool for the subsequent stages of the attack. The primary activity described is the creation of the malicious artifact, not its delivery or execution.

A. Delivery: This stage involves transmitting the weapon to the target (e.g., via a phishing email or a malicious website), which has not yet occurred in the scenario.

B. Reconnaissance: This stage focuses on gathering information about the target. While the actor used intelligence, the core action described is building the tool, not gathering the data.

C. Exploitation: This stage involves triggering the malicious code on the victim's system to gain access. The actor is still in the preparation phase on their own systems.

1. Hutchins

E. M.

Cloppert

M. J.

& Amin

R. M. (2011). Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains. Lockheed Martin Corporation. In Section 3

"Stage 2: Weaponization

" the authors state

"Weaponization...couples a remote access trojan with an exploit into a deliverable payload." This directly aligns with creating a malicious downloader.

2. NIST. (2016). NIST Special Publication 800-150: Guide to Cyber Threat Information Sharing. National Institute of Standards and Technology. Section 2.3.1 describes the Cyber Kill Chain

where Weaponization is the stage for creating the malicious payload before the Delivery stage.

3. SANS Institute. (2015). The Sliding Scale of Cyber Security. SANS Technology Institute. Page 5 describes the kill chain stages

defining Weaponization as the point where an attacker "chooses a weapon...and packages it for delivery." The act of compiling and testing fits this definition.

Risk transfer is a risk management strategy that involves shifting the financial consequences of a potential loss to a third party. Purchasing cyber insurance is a classic example of this principle. The organization pays a premium to an insurance company, which in turn agrees to cover the financial damages resulting from a specified cyber incident (e.g., data breach, ransomware attack). This action does not eliminate or reduce the likelihood of the risk itself but transfers the associated financial burden from the organization to the insurer.

A. Accept: Risk acceptance involves acknowledging a risk and making a deliberate decision to take no action, bearing any potential losses. Purchasing insurance is an active response, not acceptance.

B. Avoid: Risk avoidance means eliminating the risk by ceasing the activity that creates it (e.g., disconnecting a system from the internet). Insurance manages the consequences, it does not avoid the activity.

C. Mitigate: Mitigation involves implementing controls (e.g., firewalls, encryption, training) to reduce the likelihood or impact of a risk. Insurance is a financial tool, not a technical or procedural control.

1. National Institute of Standards and Technology (NIST). (2011). Special Publication (SP) 800-39

Managing Information Security Risk: Organization

Mission

and Information System View.

Section 2.3

Page 10: This document outlines the four fundamental risk response strategies. It explicitly defines risk sharing/transfer as a method "to shift risk from one group or individual to another (e.g.

by using insurance)."

2. National Institute of Standards and Technology (NIST). (2020). NISTIR 8286

Integrating Cybersecurity and Enterprise Risk Management (ERM).

Section 2.3.2

Page 13: In the discussion on Risk Response

this publication lists "Transferring (or sharing) risk to another party

such as through insurance" as a primary risk response option.

3. Peyton

E. (2006). Lecture 15: Risk Management. 1.040/1.401 Project Management

Fall 2006. Massachusetts Institute of Technology: MIT OpenCourseWare.

Slide 14

"Risk Response Planning": This university course material identifies four strategies for negative risks. It defines "Transfer" as shifting the risk and its consequences to a third party and lists "Insurance" as the prime example of this strategy.

The foundational step in a risk-based approach to cybersecurity is asset management, which begins with identifying and valuing assets. To categorize and prioritize systems for protection based on the sensitivity of their content (confidentiality, integrity, and availability), a security analyst must first determine the value of each asset. This valuation dictates the level of security controls required and guides all subsequent risk management activities, such as vulnerability scanning and control implementation. Without understanding the asset's value, it is impossible to appropriately prioritize security efforts or justify the cost of protective measures.

A. Interviewing users is a useful data-gathering step, but it does not establish the authoritative business value or impact, which is necessary for formal categorization.

B. Scanning for vulnerabilities is a subsequent step in risk assessment. The criticality of a vulnerability is determined by its potential impact on a valued asset.

C. Configuring alerts is a proactive security control. This action is typically performed after systems have been categorized and appropriate security baselines have been established.

1. National Institute of Standards and Technology (NIST) Special Publication 800-30

Revision 1

Guide for Conducting Risk Assessments. Section 2.2

"Conduct Assessment

" outlines the process which begins with identifying assets and their value to determine the impact of a loss of confidentiality

integrity

or availability. Specifically

Task 2-3

"Determine impact

" relies on the value of the system and data.

2. Federal Information Processing Standards (FIPS) Publication 199

Standards for Security Categorization of Federal Information and Information Systems. Section 3

"Security Categorization

" states

"The first step in the security categorization process is to identify the information types processed

stored

or transmitted by the information system." This process is directly tied to determining the value and sensitivity of the information asset to establish a security category.

3. Purdue University

Information Security Risk Management (CS 52600) Courseware. The risk management lifecycle taught in this program begins with "Asset Identification and Valuation

" establishing it as the prerequisite step before threat analysis or vulnerability assessment. This is a standard model in academic cybersecurity curricula.

Security Orchestration, Automation, and Response (SOAR) platforms are designed to integrate disparate security tools and automate workflows. The primary mechanism for enabling a SOAR platform to communicate with, command, and control tools from different vendors is through Application Programming Interfaces (APIs). APIs provide a standardized programmatic interface that allows the SOAR solution to send instructions (e.g., "block this IP on the firewall," "isolate this endpoint with the EDR") and retrieve data from various security products, thereby orchestrating actions across the entire security stack.

A. STIX/TAXII: These are standards for formatting and transporting threat intelligence data, not for executing commands or actions on security platforms.

C. Data enrichment: This is a process where a SOAR platform augments initial alert data with more context; it is a function, not the technology used for cross-platform control.

D. Threat feed: A threat feed is a source of threat intelligence data that a SOAR platform consumes. It does not provide the mechanism to automate actions on other tools.

1. National Institute of Standards and Technology (NIST). (2022). Security Orchestration

Automation

and Response (SOAR) and the Security Operations Center (SOC) (NISTIR 8362). In Section 2.2

"SOAR Capabilities

" the document states

"SOAR platforms integrate with other security tools and systems through APIs... This integration allows the SOAR platform to collect data from and send commands to the other tools."

2. Carnegie Mellon University Software Engineering Institute (SEI). (2019). A Look at SOAR (Security Orchestration

Automation

and Response). The publication notes that a key feature of SOAR is its ability to "integrate with other security tools through application programming interfaces (APIs)." This integration is what enables the orchestration and automation of security tasks.

3. SANS Institute. (2019). SOAR: A Practitioner's Guide to Security Orchestration

Automation

and Response. This guide explains that the core of SOAR's integration capability relies on APIs

referring to them as the "connective tissue" that allows the SOAR platform to interact with and control a diverse set of security tools for automated response actions. (p. 5).