
350-201(NEW-127Q) Question #61: Real Exam Question with Answer & Explanation

Threat Analysis and Incident Response

Question

A security analyst is investigating an attack on an organization's database server and must determine the sequence of events based on the analysis of traffic patterns. The following observations have been made:
  1. Multiple rapid connections to the database server from an external IP address were detected.
  2. The database server started to communicate with a known command-and-control server.
  3. Many database records were accessed and modified within a short period.
  4. A sudden increase in inbound traffic to the database server from various IP addresses was observed.

Based on this information, what is the correct sequence of events during the attack?

Options

  • A. network scanning, unauthorized access, data tampering, and botnet activity
  • B. unauthorized access, data tampering, network scanning, and botnet activity
  • C. data tampering, network scanning, botnet activity, and unauthorized access
  • D. botnet activity, unauthorized access, data tampering, and network scanning

Explanation

The correct answer is A. Option A maps each observation to its logical phase in the attack lifecycle: observation 1 (rapid connections from a single external IP) is network scanning (reconnaissance); observation 2 (outbound communication to a known C&C server) shows that the server has already been compromised, so unauthorized access must have occurred between the scan and the beacon even though the intrusion itself was not observed directly in the traffic; observation 3 (mass record access and modification) is data tampering; and observation 4 (a surge of inbound traffic from many IPs) is botnet activity directed at, or involving, the now-compromised server.

  • B is wrong because it places unauthorized access before scanning - attackers must probe first to find an entry point.
  • C is wrong because data tampering cannot precede access - you cannot modify what you have not reached yet.
  • D is wrong because it places botnet activity first and network scanning last, when scanning is the initial reconnaissance phase and the botnet traffic only appears once the server is compromised.

Memory tip: Use the acronym SUTD - Scan, Unlock (unauthorized access), Tamper, Deploy (botnet) - to remember that an attacker must first see the target, then enter it, then exploit it, and finally weaponize it.
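The same ordering can be derived mechanically rather than by reasoning about the narrative. The script below is an added example, not part of the exam item or of any vendor tool: it runs one detector per observation over constructed NetFlow-style and database-audit records (the IP addresses, the threat-intel C2 indicator, the thresholds and the timestamps are all assumptions for the illustration) and orders the phases by the time each detector first fires.

```python
"""Order attack phases from constructed flow and DB-audit records.

Added example for the explanation above (not from the exam page): each
detector fires on the traffic pattern one observation describes and
records the first time it fires; sorting those times yields the sequence.
"""
from collections import defaultdict
from datetime import datetime, timedelta

DB_SERVER = "10.0.5.20"              # assumed address of the database server
KNOWN_C2 = {"203.0.113.77"}          # assumed threat-intel C2 indicator
T0 = datetime(2024, 3, 1, 2, 0, 0)   # arbitrary base time for the sample


def t(seconds):
    """Timestamp `seconds` after the sample's base time."""
    return T0 + timedelta(seconds=seconds)


# Constructed NetFlow-style records: (time, src_ip, dst_ip, dst_port).
FLOWS = (
    # observation 1: one external host touches 25 ports within 5 seconds
    [(t(i * 0.2), "198.51.100.9", DB_SERVER, 1000 + i) for i in range(25)]
    # observation 2: the DB server beacons to a known C2 host every minute
    + [(t(120 + i * 60), DB_SERVER, "203.0.113.77", 443) for i in range(3)]
    # observation 4: 40 distinct sources hit the DB listener within 40 seconds
    + [(t(600 + i), f"192.0.2.{i + 1}", DB_SERVER, 1433) for i in range(40)]
)

# Constructed DB audit records: (time, db_user, statement, rows_affected).
# observation 3: 50,000 rows rewritten in 20 seconds
AUDIT = [(t(300 + i * 2), "app_svc", "UPDATE", 5000) for i in range(10)]


def first_window_hit(events, window, threshold, measure):
    """Slide a time window over (time, value) events; return the start time of
    the first window in which measure(values) >= threshold, else None."""
    events = sorted(events)
    start = 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        if measure(v for _, v in events[start:end + 1]) >= threshold:
            return events[start][0]
    return None


def detect_scan(flows, window=timedelta(seconds=10), min_ports=20):
    """Phase 1: a single source probing many distinct ports on the DB server."""
    by_src = defaultdict(list)
    for when, src, dst, port in flows:
        if dst == DB_SERVER:
            by_src[src].append((when, port))
    hits = [first_window_hit(ev, window, min_ports, lambda ports: len(set(ports)))
            for ev in by_src.values()]
    hits = [h for h in hits if h is not None]
    return min(hits) if hits else None


def detect_c2(flows):
    """Phase 2: the DB server itself connecting to a known C2 host. A beacon
    proves the host is already compromised, so access is inferred before it."""
    times = [when for when, src, dst, _ in flows
             if src == DB_SERVER and dst in KNOWN_C2]
    return min(times) if times else None


def detect_tampering(audit, window=timedelta(seconds=60), min_rows=10_000):
    """Phase 3: many rows changed by write statements in a short window."""
    ev = [(when, rows) for when, _, stmt, rows in audit
          if stmt in ("INSERT", "UPDATE", "DELETE")]
    return first_window_hit(ev, window, min_rows, sum)


def detect_inbound_surge(flows, window=timedelta(seconds=60), min_sources=30):
    """Phase 4: many distinct sources hitting the DB server in a short window.
    The earlier single-source scan never reaches the distinct-source threshold."""
    ev = [(when, src) for when, src, dst, _ in flows if dst == DB_SERVER]
    return first_window_hit(ev, window, min_sources, lambda srcs: len(set(srcs)))


def attack_sequence(flows, audit):
    """Return the phase names that fired, ordered by first occurrence."""
    hits = {
        "network scanning": detect_scan(flows),
        "unauthorized access": detect_c2(flows),
        "data tampering": detect_tampering(audit),
        "botnet activity": detect_inbound_surge(flows),
    }
    fired = [(when, phase) for phase, when in hits.items() if when is not None]
    return [phase for _, phase in sorted(fired)]


if __name__ == "__main__":
    for step, phase in enumerate(attack_sequence(FLOWS, AUDIT), 1):
        print(step, phase)
```

The two points an analyst should take from the detectors: the C2 beacon is the evidence for unauthorized access, not the access itself, so the "unauthorized access" phase is dated by the first outbound beacon; and the inbound-surge detector keys on distinct sources inside a window, which is what separates the single-source scan in observation 1 from the many-source traffic in observation 4.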

Topics

  • Attack Sequencing
  • Incident Investigation
  • Network Forensics
  • Cybersecurity Kill Chain
