Complete CS0-003 CompTIA Materials

To identify the initial compromise, the analyst should start with the earliest suspicious activity in the timeline and pivot into the audit logs for the principal (identity) associated with that first alert.

Here, the first notable event is 02:00 excessive API failures tied to jdoe12@myorg.com. That commonly indicates password guessing, token misuse, or other authentication abuse attempts. The next events (02:15 metadata service access, 05:10 mass VM creation by a service account, 05:40 malware) look like follow-on activity after an initial foothold. Therefore, the best first step is to check whether those API failures were followed by any successful API calls by that user and then correlate those successful actions to the later stages in project staging-01.

This approach aligns with CySA+ guidance that analysts should use logs + timestamps to build a timeline and correlate events across identities/systems to understand scope and progression:

Sybex emphasizes correlating events from multiple sources and using that correlation to determine scope and impact:Exact extract (Sybex Study Guide): “Security analysts are often asked to help analyze that data… Knowing if other events are correlated with the initial event… [and] understanding what systems, users, services, or other assets were involved…”

Secbay underscores that logs and timestamps are key to forming an accurate incident timeline (which is exactly what we’re doing by starting from the earliest alert):Exact extract (Secbay Press): “System and application logs with timestamps help create a timeline of events, aiding in understanding when specific actions occurred during the incident.”

Why Option B is best vs. the others

B starts with the earliest suspicious identity and seeks successful API activity that would confirm compromise and explain subsequent actions (metadata access → service account actions → malware).

A is too broad initially (“all activity under project staging-01”) and anchors on a VM that only appears later; it’s not the best first pivot when you already have an earlier suspect identity.

C starts at the compute-instance phase (05:10) rather than the earliest authentication/API anomaly (02:00), so it’s more likely to find post-compromise actions rather than the initial entry.

D anchors on a specific later VM (fd031f) and compute APIs, again likely after the initial compromise.

References (CompTIA CySA+ CS0-003 documents / study guides used):

Mike Chapple & David Seidl, CompTIA CySA+ Study Guide (CS0-003): correlate other events with the initial event; identify involved users/systems/services

Secbay Press, CompTIA CySA+ Exam Prep Guide (CS0-003): logs + timestamps build a timeline of events and support analysis of incident progression

Step 1: Analyzing the SFTP Log

The SFTP log provides a record of file transfer and login activities:

User “sjames” logged in from several IP addresses:

192.168.10.32 and 192.168.10.37 (internal network IPs)

32.111.16.37 and 41.21.18.102 (external IPs)

We see file alterations in the /var/www directory, which is commonly the web directory.

Modified files: about_us.html, index.html

Suspicious activity:

192.168.11.102 and 41.21.18.102 modified the files.

32.111.16.37 had failed login attempts, indicating possible unauthorized access attempts.

The most suspicious IP here is 41.21.18.102, as it’s associated with direct file modifications, possibly indicating unauthorized access.

Step 2: Reviewing Netstat

The netstat output shows active connections and their states:

IP 41.21.18.102 has an ESTABLISHED connection with port 22, commonly used for SFTP.

IP 32.111.16.37 is also attempting connections, and 32.111.16.37 connections are in a TIME_WAIT state, showing prior connections were recently closed.

The netstat output reaffirms 41.21.18.102 is actively connected and potentially involved in malicious activities.

Step 3: Checking the HTTP Access Log

The HTTP Access log shows access to about_us.html:

32.111.16.37 repeatedly accessed /about_us.html with 404 errors, indicating attempts to reach non-existing pages.

41.21.18.102 accessed the 200 status code, showing successful page requests, but since this IP was modifying files directly on the server, it might be testing or verifying changes.

Again, 41.21.18.102 stands out as it matches both successful file modification and page request patterns, while 32.111.16.37 shows unsuccessful attempts.

Step 4: Selecting the IP of Concern

Based on the above analysis:

Answer: 41.21.18.102 should be the IP of concern due to its direct file modifications on critical web files (about_us.html, index.html).

Step 5: Identifying the Indicator of Compromise

Potential indicators include unauthorized file modifications:

Modified index.html file is the correct answer, as it indicates direct changes to website content and is often a clear sign of compromise.

Step 6: Selecting Corrective Actions

To mitigate and prevent further compromise:

Change the password on the “sjames” account: The account was used across various IPs, indicating potential account compromise.

Block external SFTP access: Restricting SFTP to internal IPs only would prevent unauthorized external modifications. Since 41.21.18.102 was external, this would stop similar threats.

Summary

IP of Concern: 41.21.18.102

Indicator of Compromise: Modified index.html file

Corrective Actions:

Change the password on the sjames account

Block external SFTP access

These selections address both the immediate security breach and implement a preventative measure against future unauthorized access.

The error messages point to two core issues common in cloud assessments:

Authentication error → credentials/API access not correctly configured (keys/tokens/CLI auth).

Instance not found on preset location → the tool is looking in the wrong region/location (cloud resources are region-scoped).

Cloud infrastructure assessment tools typically require API-based access and allow configuration to include/exclude regions. The All-in-One guide explains that cloud tools like Scout Suite and Prowler work via cloud APIs and require configuration to enable programmatic access, and Prowler specifically can include/exclude regions:

Exact extract (All-in-One Exam Guide): Scout Suite “works by managing the interactions with cloud assets via the platform API…”

Exact extract (All-in-One Exam Guide): “Prowler offers a fair amount of configuration to allow the tool programmatic access via the Amazon API…”

Exact extract (All-in-One Exam Guide): Prowler “provides the option to… include or exclude certain AWS services or regions…”

These extracts support why the fix is to set the correct region and ensure valid authentication/keys, which maps directly to Option C (set_regions … and set_key).

Why the other options don’t match the errors:

A / B look like generic module/session execution flags (more like exploitation frameworks), not “fix authentication + wrong region.”

D (--whoami, --data) is identity/data querying; it doesn’t correct credential setup or region selection.

References (CompTIA CySA+ CS0-003 documents / study guides used):

All-in-One CS0-003: Scout Suite uses cloud provider APIs; Prowler requires API access configuration and supports region selection/exclusion

ABusiness Impact Analysis (BIA)is the correct document thatidentifies critical servicesand definesRecovery Point Objectives (RPOs)andRecovery Time Objectives (RTOs). It helps organizations determine the impact of downtime and the maximum tolerable outages for business functions.

Disaster recovery plan (A)uses the information from the BIA.

Playbooks (C)are tactical and focus on specific incidents.

Backup plans (D)support BIA but don ' t define RPO/RTO themselves.