Symptom-vs-cause

Trap answers mitigate the most visible symptom while leaving the underlying technique active. The correct answer addresses the cause, even if it's less obvious from the stem.

Most common in
CySA+, CISSP, GCIH, Security+

The Trap in One Sentence

You mitigated the most visible symptom rather than the underlying technique. Blocking the destination addresses the symptom; stopping the agent addresses the cause.

Pairs Candidates Confuse

Block the C2 IP vs Remove the implant

Symptom (callout) vs cause (the malware)

Add rate limiting vs Fix the vulnerable endpoint

Symptom (abuse volume) vs cause (the flaw)

Disable the user account vs Revoke the compromised credential

Symptom (one identity) vs cause (the leaked secret)

How to Avoid It

  • Ask: 'If I do this, does the underlying attack technique still work elsewhere?' If yes, it's a symptom.
  • Permanent fixes target the root; temporary fixes target visible behavior.
  • When the stem mentions 'eradication' or 'remediation', the answer is the cause-level action.

Frequently Asked Questions

How do I recognize a symptom-vs-cause trap in an exam question?

When one choice addresses the most-visible effect of an attack and another addresses the underlying mechanism, the question is testing whether you can find the root cause. The trap rewards the obvious-but-superficial answer and punishes you for not asking "does the underlying technique still work elsewhere if I do this?"

What's the tell-tale stem phrasing that signals this trap?

Stems mentioning "eradication," "remediation," "permanent fix," "prevent recurrence," or "root cause" are explicitly asking for the cause-level answer. Stems mentioning "mitigate," "contain," or "stop the immediate impact" are asking for symptom-level. Match the depth.

If a symptom and a cause both seem to fit, how do I decide?

Apply the persistence test: "if I do this, will the underlying attack technique still work?" If yes, it's symptom-level. Blocking a C2 IP stops THIS callout but the implant still works against the next IP. Removing the implant addresses the cause. The exam usually rewards the persistent fix.

What's a real example of a symptom-vs-cause trap?

Stem: "A compromised host is making outbound connections to a known C2 domain. What is the BEST PERMANENT remediation?" Choices: (a) block the C2 domain at the firewall, (b) remove the malware from the host, (c) add the domain to the EDR blocklist, (d) reset the host's DNS resolver. (a), (c), (d) all address symptoms — the malware will find another C2 channel. (b) is the cause-level fix.

How is symptom-vs-cause different from temporal-confusion?

Symptom-vs-cause is about depth of fix (surface vs root). Temporal-confusion is about timing (before/during/after the event). They co-occur: "PERMANENT remediation" implies post-event AND cause-level. But the dimensions are distinct.

Why do item writers love this distractor mechanism?

It tests whether candidates understand attack chains, not just signature-based defense. SOC analysts who default to "block the IOC" without asking "what enabled this" will miss these questions. The trap discriminates threat-mindset candidates from indicator-mindset ones.

Where does this trap show up most often?

CySA+ Domain 3 (Incident Response) features it on most IR questions. GCIH is built around it. CISSP Domain 7 uses it for both IR and threat modeling. Sec+ Domain 4 (Operations) uses it on remediation-prioritization stems.

How do I deliberately drill against this archetype?

Use the trap drill linked from the section above to focus reps on this pattern. Practice the verbal pattern: "the attack technique is [X]; blocking [Y] addresses the symptom; the cause-level fix is [Z]." Apply this to every IR or remediation stem before answering.

Practice Against This Trap

4 cert-prep questions currently use this archetype as a distractor. Run a trap drill to face them in a row.

Run a Symptom-vs-cause trap drill →
