CAS-003 Question #543: Real Exam Question with Answer & Explanation
The correct answer is B: An outside command and control system is attempting to reach an infected system.
Question
Options
- A. Attackers are running reconnaissance on company resources.
- B. An outside command and control system is attempting to reach an infected system.
- C. An insider trying to exfiltrate information to a remote network.
- D. Malware is running on a company system.
Explanation
Repeated 'call home' messages at the network boundary are a well-known indicator of command and control (C2) traffic, where external attacker infrastructure attempts to communicate with malware already installed on an internal company system.
Common mistakes.
- A. Reconnaissance involves scanning, probing, or enumeration to gather information about targets, producing different network signatures such as port scans or DNS queries - not the repetitive structured beacon pattern characteristic of 'call home' C2 traffic.
- C. Insider exfiltration involves outbound transfers of sensitive files or data, which would produce large upload flows or unusual data patterns - not the low-bandwidth, repetitive 'call home' beacon messages associated with C2 communication.
- D. While malware running on a company system is implied by the scenario, this answer does not address the specific network behavior being observed; option B more precisely identifies the mechanism of external C2 communication that explains why 'call home' messages appear at the network boundary.
Concept tested. Detection and identification of command and control (C2) 'call home' traffic.
Reference. https://attack.mitre.org/tactics/TA0011/