312-50V11 · Question #141
You are working as a Security Analyst in a company XYZ that owns the whole subnet range of 23.0.0.0/8 and 192.168.0.0/8. While monitoring the data, you find a high number of outbound connections. You
The correct answer is A. Botnet Attack. Multiple internal compromised hosts communicating with a single blacklisted public IP describes a botnet, where infected machines are coordinated by a command-and-control server.
Question
You are working as a Security Analyst in a company XYZ that owns the whole subnet range of 23.0.0.0/8 and 192.168.0.0/8. While monitoring the data, you find a high number of outbound connections. You see that IP's owned by XYZ (Internal) and private IP's are communicating to a Single Public IP. Therefore, the Internal IP's are sending data to the Public IP. After further analysis, you find out that this Public IP is a blacklisted IP, and the internal communicating devices are compromised. What kind of attack does the above scenario depict?
Exhibit
Options
- ABotnet Attack
- BSpear Phishing Attack
- CAdvanced Persistent Threats
- DRootkit Attack
How the community answered
(42 responses)- A79% (33)
- B14% (6)
- C2% (1)
- D5% (2)
Why each option
Multiple internal compromised hosts communicating with a single blacklisted public IP describes a botnet, where infected machines are coordinated by a command-and-control server.
A botnet consists of multiple compromised devices (bots) that communicate with a centralized command-and-control (C2) server. The scenario describes exactly this: numerous internal IPs sending data to one blacklisted public IP, which is the hallmark C2 communication pattern used to exfiltrate data or receive instructions from an attacker.
Spear phishing is a targeted social-engineering email attack used to gain initial access, not a pattern of multiple hosts communicating outbound to a single C2 IP.
Advanced Persistent Threats describe a prolonged, stealthy intrusion campaign by sophisticated actors; while botnets can be used in APTs, the scenario specifically identifies a C2 communication pattern that is definitional to botnets.
A rootkit is a type of malware designed to hide its presence on a compromised host; it is not defined by multiple machines communicating to a single external IP.
Concept tested: Botnet command-and-control traffic identification
Source: https://www.cisa.gov/news-events/news/understanding-botnets
Topics
Community Discussion
No community discussion yet for this question.
