312-50V10 · Question #141
You are working as a Security Analyst in a company XYZ that owns the whole subnet range of 23.0.0.0/8 and 192.168.0.0/8. While monitoring the data, you find a high number of outbound connections. You
The correct answer is A. Botnet Attack. Multiple compromised internal hosts sending data to a single blacklisted external IP is the defining pattern of a botnet, where infected machines communicate with a centralized command-and-control server.
Question
You are working as a Security Analyst in a company XYZ that owns the whole subnet range of 23.0.0.0/8 and 192.168.0.0/8. While monitoring the data, you find a high number of outbound connections. You see that IP's owned by XYZ (Internal) and private IP's are communicating to a Single Public IP. Therefore, the Internal IP's are sending data to the Public IP. After further analysis, you find out that this Public IP is a blacklisted IP, and the internal communicating devices are compromised. What kind of attack does the above scenario depict?
Options
- ABotnet Attack
- BSpear Phishing Attack
- CAdvanced Persistent Threats
- DRootkit Attack
How the community answered
(31 responses)- A77% (24)
- B13% (4)
- C6% (2)
- D3% (1)
Why each option
Multiple compromised internal hosts sending data to a single blacklisted external IP is the defining pattern of a botnet, where infected machines communicate with a centralized command-and-control server.
A botnet is a network of malware-infected devices (bots) controlled by a threat actor through a command-and-control (C&C) server. The scenario - many internal IPs compromised and funneling outbound traffic to one blacklisted public IP - matches the C&C beacon pattern exactly, confirming a botnet attack.
Spear phishing is a targeted social engineering technique delivered via email to trick specific individuals; it describes an initial attack vector, not an ongoing pattern of outbound network connections from multiple hosts.
Advanced Persistent Threats describe a stealthy, long-duration intrusion campaign by sophisticated actors; the term characterizes the attacker's methodology and persistence, not the specific network traffic pattern of many hosts beaconing one IP.
A rootkit is malware that conceals its presence on a single compromised host at the OS level; it does not explain a network-wide pattern of multiple systems communicating outbound to a single external address.
Concept tested: Botnet command-and-control traffic pattern identification
Source: https://www.cisa.gov/news-events/news/understanding-botnets
Topics
Community Discussion
No community discussion yet for this question.