210-255 · Question #23
You see confidential data being exfiltrated to an IP address that is attributed to a known Advanced Persistent Threat group. Assume that this is part of a real attach and not a network misconfiguratio
The correct answer is D. action on objectives. Data exfiltration to a known threat actor's IP address represents the 'Actions on Objectives' phase, where the attacker fulfills their ultimate mission goal.
Question
You see confidential data being exfiltrated to an IP address that is attributed to a known Advanced Persistent Threat group. Assume that this is part of a real attach and not a network misconfiguration. Which category does this event fall under as defined in the Diamond Model of Intrusion?
Options
- Areconnaissance
- Bweaponization
- Cdelivery
- Daction on objectives
How the community answered
(35 responses)- A3% (1)
- B6% (2)
- C14% (5)
- D77% (27)
Why each option
Data exfiltration to a known threat actor's IP address represents the 'Actions on Objectives' phase, where the attacker fulfills their ultimate mission goal.
Reconnaissance is an early-stage activity focused on passive or active information gathering about the target, not the live transmission of stolen data to an external IP.
Weaponization involves crafting or modifying a payload or exploit tool, which occurs well before any active intrusion against the target environment.
Delivery refers to the mechanism used to transmit the weapon to the victim - such as a phishing email or malicious link - not the final exfiltration stage.
In the Cyber Kill Chain framework, 'Actions on Objectives' is the final phase where the attacker completes their intended mission, which commonly includes exfiltrating confidential data to an external system. Seeing data leave the network toward an APT-attributed IP confirms the attacker has successfully traversed all prior kill chain stages and is now executing their end goal. Note that while the question references the Diamond Model, the listed choices correspond to Cyber Kill Chain phases - 'Actions on Objectives' correctly categorizes active exfiltration regardless of this labeling discrepancy.
Concept tested: Cyber Kill Chain actions on objectives phase classification
Source: https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
Topics
Community Discussion
No community discussion yet for this question.