
CAS-005 · Question #136

CAS-005 Question #136: Real Exam Question with Answer & Explanation


Submitted by hans_de · Mar 6, 2026 · Security Operations

Question

SIMULATION

During the course of normal SOC operations, three anomalous events occurred and were flagged as potential IoCs. Evidence for each of these potential IoCs is provided.

INSTRUCTIONS

Review each of the events and select the appropriate analysis and action options for each IoC. If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Answer:

IoC 1

Indicators:
  • DNS queries for a suspicious subdomain (update.s.domain, *.s.domain)
  • Responses include odd CNAME and A records
  • Activity resembles contacting a malicious domain

Correct Selections:
  • Analysis: The service is attempting to resolve a malicious domain
  • Action: Implement a blocklist for known malicious ports

IoC 2

Indicators:
  • ICMP Echo (ping) requests from 10.0.5.5 to multiple hosts
  • All packets are dropped
  • Suggests a device is probing the network

Correct Selections:
  • Analysis: Someone is footprinting a network subnet
  • Action: Block ping requests across the WAN interface

IoC 3

Indicators:
  • BitTorrent traffic (/announce?info_hash, peer_id, application/x-bittorrent)
  • Indicates P2P protocol activity

Correct Selections:
  • Analysis: An employee is using P2P services to download files
  • Action: Enforce endpoint controls on third-party software installations


Explanation

SOC IoC Analysis & Response — Exam Explanation

Overall Goal

A SOC analyst must do two things for each IoC: correctly identify what is happening (analysis) and select the most targeted remediation (action). The skill being tested is matching the type of threat to the appropriate control layer — DNS/domain threats get blocklists, network scanning gets interface rules, and endpoint software abuse gets endpoint controls.


IoC 1 — Suspicious DNS Queries

Indicators: DNS queries to update.s.domain, *.s.domain with unusual CNAME/A record responses.

Step 1 — Analysis: "The service is attempting to resolve a malicious domain"

DNS is the first observable sign of C2 (command-and-control) communication. Wildcard subdomains (*.s.domain) and odd CNAME chains are classic DNS-based C2 or malware staging techniques (domain generation algorithms, DNS tunneling). The host is reaching out, meaning something on the network is already compromised or attempting to beacon home.

Step 2 — Action: "Implement a blocklist for known malicious ports/domains"

The correct layer of control is at the DNS/domain level — block resolution of the malicious domain so the beacon cannot phone home. This is more surgical than firewall port blocking.

What goes wrong if skipped: Without blocking the domain, the malware continues to resolve it and can receive instructions or exfiltrate data even if you patch the host.


IoC 2 — ICMP Sweep from 10.0.5.5

Indicators: ICMP Echo requests from one internal IP to many hosts; all packets dropped.

Step 3 — Analysis: "Someone is footprinting a network subnet"

A single host sending ICMP pings to a broad range of IPs is a ping sweep — the reconnaissance phase of an attack. The attacker (or compromised host) is mapping which hosts are alive before targeting them. The fact that packets are dropped means defenses are partially working, but the activity itself is still a threat signal.

Step 4 — Action: "Block ping requests across the WAN interface"

Since the sweep is probing the network perimeter/subnet, blocking ICMP at the WAN interface prevents external footprinting and limits what an external attacker can learn. Blocking at the WAN (not just internally) addresses the attack surface.

What goes wrong if skipped: Even dropped pings can yield timing/response information. Leaving ICMP open at WAN allows ongoing reconnaissance of your external topology.


IoC 3 — BitTorrent Traffic

Indicators: HTTP requests containing /announce?info_hash, peer_id, application/x-bittorrent MIME type.

Step 5 — Analysis: "An employee is using P2P services to download files"

These are unambiguous BitTorrent protocol signatures. This is a policy violation (not necessarily malware), but P2P on a corporate network introduces serious risks: inadvertent data exfiltration, malware-laced torrents, and bandwidth abuse.

Step 6 — Action: "Enforce endpoint controls on third-party software installations"

The root cause is that a user installed a BitTorrent client on a corporate endpoint. The correct long-term control is endpoint management (application whitelisting, MDM/EDR policy) to prevent unauthorized software installation — not just blocking the port (which users can circumvent by tunneling).

What goes wrong if skipped: Blocking the port alone is a cat-and-mouse game. Without endpoint controls, users install new P2P clients or use alternative ports.
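As an added example that is not part of the nerdexam page or of CompTIA's material, the script below applies the three detections described in IoC 1, IoC 2 and IoC 3 to constructed sample events and pairs each hit with the analysis/action wording from the answer key. The event schema, the eight-target sweep threshold and the treatment of s.domain as an already-classified malicious zone are assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Assumed: the zone the IoC 1 evidence points at, already classified as malicious by the analyst.
MALICIOUS_ZONES = ("s.domain",)

# Constructed sample events, normalised the way a SIEM might emit them (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "dns", "src": "10.0.5.7", "qname": "update.s.domain", "rtype": "CNAME", "rdata": "a1b2c3.s.domain"},
    {"type": "dns", "src": "10.0.5.7", "qname": "x9k2.s.domain", "rtype": "A", "rdata": "203.0.113.77"},
    {"type": "dns", "src": "10.0.5.8", "qname": "www.example.com", "rtype": "A", "rdata": "93.184.216.34"},
    {"type": "http", "src": "10.0.5.9", "host": "tracker.example",
     "uri": "/announce?info_hash=%AB%CD&peer_id=-qB4500-abcdef", "content_type": "application/x-bittorrent"},
    {"type": "http", "src": "10.0.5.8", "host": "www.example.com", "uri": "/index.html", "content_type": "text/html"},
]
# IoC 2: one host pinging twelve neighbours (all dropped) beside a benign host that pings two.
SAMPLE_EVENTS += [{"type": "icmp", "src": "10.0.5.5", "dst": f"10.0.6.{i}", "action": "drop"} for i in range(1, 13)]
SAMPLE_EVENTS += [{"type": "icmp", "src": "10.0.5.8", "dst": f"10.0.6.{i}", "action": "allow"} for i in (1, 2)]


def in_blocked_zone(qname, zones=MALICIOUS_ZONES):
    """True if qname is a blocked zone itself or any subdomain of it (the *.s.domain wildcard)."""
    q = qname.lower().rstrip(".")
    return any(q == z or q.endswith("." + z) for z in zones)


def detect_malicious_dns(events, zones=MALICIOUS_ZONES):
    """IoC 1: map each source host to the sorted names it tried to resolve inside a blocked zone."""
    hits = defaultdict(set)
    for e in events:
        if e["type"] == "dns" and in_blocked_zone(e["qname"], zones):
            hits[e["src"]].add(e["qname"])
    return {src: sorted(names) for src, names in hits.items()}


def detect_ping_sweep(events, min_targets=8):
    """IoC 2: sources whose echo requests touched at least min_targets distinct hosts (assumed threshold)."""
    targets = defaultdict(set)
    for e in events:
        if e["type"] == "icmp":
            targets[e["src"]].add(e["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def looks_like_announce(uri):
    """True for a tracker announce: path ends in /announce and carries both info_hash and peer_id."""
    parts = urlsplit(uri)
    query = parse_qs(parts.query)
    return parts.path.endswith("/announce") and "info_hash" in query and "peer_id" in query


def detect_bittorrent(events):
    """IoC 3: sources emitting tracker announces or application/x-bittorrent content."""
    hits = set()
    for e in events:
        if e["type"] != "http":
            continue
        if looks_like_announce(e["uri"]) or e.get("content_type") == "application/x-bittorrent":
            hits.add(e["src"])
    return sorted(hits)


def triage(events):
    """Pair each detection that fires with the analysis/action wording from the answer key."""
    findings = []
    dns_hits = detect_malicious_dns(events)
    if dns_hits:
        findings.append(("IoC 1", sorted(dns_hits),
                         "The service is attempting to resolve a malicious domain",
                         "Implement a blocklist for known malicious ports"))
    sweeps = detect_ping_sweep(events)
    if sweeps:
        findings.append(("IoC 2", sorted(sweeps),
                         "Someone is footprinting a network subnet",
                         "Block ping requests across the WAN interface"))
    p2p = detect_bittorrent(events)
    if p2p:
        findings.append(("IoC 3", p2p,
                         "An employee is using P2P services to download files",
                         "Enforce endpoint controls on third-party software installations"))
    return findings


if __name__ == "__main__":
    for ioc, hosts, analysis, action in triage(SAMPLE_EVENTS):
        print(f"{ioc}: hosts={hosts}\n  analysis: {analysis}\n  action:   {action}")
```

The sweep detector counts distinct destinations rather than raw packet volume, so a host that repeatedly pings one gateway does not trip it, while the benign two-target host in the sample stays below the threshold; the BitTorrent check parses the query string instead of substring-matching so that an unrelated URL containing the word "announce" is not flagged.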


Memory Tips

IoC                Threat Type                   Control Layer
DNS C2 beacon      Domain resolution abuse       Blocklist (DNS/domain layer)
ICMP ping sweep    Network reconnaissance        Interface rule (WAN/perimeter)
BitTorrent P2P     Policy/endpoint violation     Endpoint control (software policy)

Mnemonic: "D-N-E" — Domain threats → DNS blocklist, Network recon → Network interface, Endpoint software → Endpoint policy.

The key principle: match the remediation to the attack surface. Don't use a sledgehammer (full port block) when a scalpel (domain blocklist or endpoint policy) is more appropriate and harder to evade.

Topics

#Incident Response · #Threat Detection · #Network Security · #Security Controls
