CAS-005 Question #345: Real Exam Question with Answer & Explanation
The correct answer is C: Review NetFlow logs for unexpected increases in egress traffic.
Question
A systems administrator is working with the SOC to identify potential intrusions associated with ransomware. The SOC wants the systems administrator to perform network-level analysis to identify outbound traffic from any infected machines. Which of the following is the most appropriate action for the systems administrator to take?
Options
- A. Monitor for IoCs associated with C&C communications.
- B. Tune alerts to identify changes to administrative groups.
- C. Review NetFlow logs for unexpected increases in egress traffic.
- D. Perform binary hash comparisons to identify infected devices.
Explanation
When investigating potential ransomware infections, one of the key indicators of compromise (IoC) is abnormal outbound traffic, especially if the ransomware is attempting to communicate with a command and control (C&C) server to receive further instructions or send exfiltrated data. Reviewing NetFlow logs is an effective way to identify unusual outbound traffic patterns, particularly unexpected increases in egress traffic that might indicate infected machines attempting to connect to external servers. NetFlow logs provide insight into the volume, destination, and origin of traffic, helping to identify anomalous or suspicious communications typically associated with ransomware activity.
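The NetFlow review described above, as an added example (not part of the exam page): each internal host's egress bytes in a review window are compared against its own hourly baseline, and hosts that exceed a multiple of that baseline are reported with their external destinations. The flow records and the internal address ranges (10.0.0.0/8, 192.168.0.0/16) are constructed assumptions.

```python
# Added example: flag internal hosts whose egress volume jumps versus their own baseline.
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed ranges

# Constructed NetFlow-style records: (hour, src_ip, dst_ip, dst_port, bytes).
# Hours 0-2 form the baseline; hour 3 is the window under review.
FLOWS = [
    (0, "10.0.1.5", "93.184.216.34", 443, 120_000),
    (1, "10.0.1.5", "93.184.216.34", 443, 110_000),
    (2, "10.0.1.5", "93.184.216.34", 443, 130_000),
    (3, "10.0.1.5", "93.184.216.34", 443, 125_000),
    (0, "10.0.1.9", "93.184.216.34", 443, 50_000),
    (1, "10.0.1.9", "93.184.216.34", 443, 55_000),
    (2, "10.0.1.9", "93.184.216.34", 443, 45_000),
    (3, "10.0.1.9", "198.51.100.7", 443, 900_000),   # sudden large outbound transfer
    (3, "10.0.1.9", "198.51.100.7", 8443, 600_000),
    (3, "10.0.1.9", "10.0.2.20", 445, 2_000_000),    # internal-to-internal, not egress
]

def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)

def egress_by_host(flows, hours):
    """Sum bytes per internal source over flows that leave the internal ranges."""
    totals = defaultdict(int)
    for hour, src, dst, _port, nbytes in flows:
        if hour in hours and is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
    return totals

def find_egress_spikes(flows, baseline_hours, review_hour, ratio=3.0):
    """Return {host: (baseline_avg, review_total, [external dsts])} for hosts
    whose review-window egress exceeds ratio * their hourly baseline average."""
    base = egress_by_host(flows, set(baseline_hours))
    review = egress_by_host(flows, {review_hour})
    spikes = {}
    for host, total in review.items():
        avg = base.get(host, 0) / len(baseline_hours)
        if total > ratio * max(avg, 1):  # max() keeps hosts with no baseline from dividing by zero
            dsts = sorted({d for h, s, d, _p, _b in flows
                           if h == review_hour and s == host and not is_internal(d)})
            spikes[host] = (avg, total, dsts)
    return spikes

if __name__ == "__main__":
    for host, (avg, total, dsts) in find_egress_spikes(FLOWS, [0, 1, 2], 3).items():
        print(f"{host}: baseline {avg:.0f} B/h, review window {total} B -> {dsts}")
```

Hosts that already baseline high (10.0.1.5) are not flagged; only the relative jump matters, which is what separates a noisy backup server from a newly infected workstation.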