Exam CS0-001 topic 1 question 406 discussion

Actual exam question from CompTIA's CS0-001
Question #: 406
Topic #: 1

An analyst identifies multiple instances of node-to-node communication between several endpoints within the 10.200.2.0/24 network and a user machine at the IP address 10.200.2.5. This user machine at the IP address 10.200.2.5 is also identified as initiating outbound communication during atypical business hours with several IP addresses that have recently appeared on threat feeds.
Which of the following can be inferred from this activity?

  • A. 10.200.2.0/24 is infected with ransomware.
  • B. 10.200.2.0/24 is not routable address space.
  • C. 10.200.2.5 is a rogue endpoint.
  • D. 10.200.2.5 is exfiltrating data.
Suggested Answer: D

Comments

BigBo01010
Highly Voted 4 years, 9 months ago
This question is on the exam.
upvoted 5 times
kyky
4 years, 7 months ago
I agree
upvoted 5 times
xyz47
Most Recent 2 years, 1 month ago
so... you have information of subnet and a host and about outbound communication and based on that you're able to infer this is data exfiltration. I don't think you can infer more than probability of endpoint being rogue.
upvoted 1 times
s3curity1
4 years, 10 months ago
There's very little information for this question to say that this is data exfil. Initiating outbound connections to suspicious IP addresses can mean different sorts of things, but I think it is safe to say that this is a rogue endpoint.
upvoted 2 times
TheThreatGuy
4 years, 10 months ago
Rogue endpoint would suggest that the device is not supposed to be there.... There is less info to confirm that than there is to confirm data exfil... So I'd go with Data Exfil
upvoted 6 times
Blind_Hatred
4 years, 10 months ago
From the Cybersecurity Analyst Certification Bundle: "A common approach to exfiltrating data is to first consolidate it in a staging location within the target network. Adversaries don’t want to duplicate efforts or exfiltration streams because such duplication would also make them easier to detect. Instead, they will typically coordinate activities within a compromised network. This means that even if multiple agents are searching for sensitive files in different subnets, they will tend to copy those files at the coordination hub at which they are staged, prepared, and relayed to an external repository. Unfortunately, these internal flows will usually be difficult to detect because they may resemble legitimate functions of the organization."
upvoted 5 times
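The pattern in the question (many internal hosts feeding one machine, which then talks to threat-feed IPs out of hours) and the "staging hub" behaviour described in the quoted bundle text are the two signals a detection rule would combine. The following is an added example, not part of the exam item or any commenter's post: it runs a simple staging-host detection over a constructed flow log. The flow records, the business-hours window, the fan-in threshold and the threat-feed addresses (placeholders from the TEST-NET ranges) are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Subnet taken from the question; everything else below is constructed.
INTERNAL = ip_network("10.200.2.0/24")
# Placeholder threat-feed indicators (TEST-NET addresses, not real IOCs).
THREAT_FEED = {"203.0.113.44", "198.51.100.9"}
# Assumed business hours (08:00-17:59) and minimum number of distinct
# internal peers before a host is considered a possible staging hub.
BUSINESS_HOURS = range(8, 18)
FAN_IN_THRESHOLD = 3

# Constructed flow records: timestamp src dst dport bytes (not real telemetry).
SAMPLE_FLOWS = """\
2024-03-04T01:12:05 10.200.2.17 10.200.2.5 445 734000
2024-03-04T01:15:40 10.200.2.23 10.200.2.5 445 512000
2024-03-04T01:20:11 10.200.2.31 10.200.2.5 445 889000
2024-03-04T10:15:00 10.200.2.12 10.200.2.5 445 64000
2024-03-04T02:40:13 10.200.2.5 203.0.113.44 443 1900000
2024-03-04T03:05:52 10.200.2.5 198.51.100.9 443 250000
2024-03-04T14:00:00 10.200.2.5 203.0.113.44 443 12000
2024-03-04T11:00:00 10.200.2.40 192.0.2.10 443 4000
2024-03-04T11:30:00 10.200.2.40 203.0.113.44 443 3000
2024-03-04T23:10:00 10.200.2.40 10.200.2.12 445 2000
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "dport": int(dport),
            "bytes": int(nbytes),
        })
    return flows


def is_internal(ip):
    return ip_address(ip) in INTERNAL


def find_staging_hosts(flows, threat_feed=THREAT_FEED,
                       fan_in_threshold=FAN_IN_THRESHOLD):
    """Return hosts that both collect data from many internal peers and
    send to threat-feed addresses outside business hours.

    Either signal on its own is weak (a file server has high fan-in; a
    single daytime hit on a feed IP may be a false positive); the rule
    only fires when both are present on the same host.
    """
    fan_in = defaultdict(set)        # dst host -> set of internal sources
    inbound_bytes = defaultdict(int)  # dst host -> bytes received internally
    outbound = defaultdict(list)     # src host -> flows leaving the subnet

    for f in flows:
        src_int, dst_int = is_internal(f["src"]), is_internal(f["dst"])
        if src_int and dst_int and f["src"] != f["dst"]:
            fan_in[f["dst"]].add(f["src"])
            inbound_bytes[f["dst"]] += f["bytes"]
        elif src_int and not dst_int:
            outbound[f["src"]].append(f)

    findings = {}
    for host, peers in fan_in.items():
        if len(peers) < fan_in_threshold:
            continue
        suspicious = [
            f for f in outbound.get(host, [])
            if f["dst"] in threat_feed and f["ts"].hour not in BUSINESS_HOURS
        ]
        if suspicious:
            findings[host] = {
                "internal_peers": len(peers),
                "bytes_staged": inbound_bytes[host],
                "off_hours_ioc_flows": len(suspicious),
                "bytes_out_to_iocs": sum(f["bytes"] for f in suspicious),
            }
    return findings


if __name__ == "__main__":
    for host, detail in find_staging_hosts(parse_flows(SAMPLE_FLOWS)).items():
        print(host, detail)
```

On the constructed data only 10.200.2.5 is reported: it has four internal peers and two off-hours flows to feed addresses. Its 14:00 flow to a feed IP is counted as outbound but not as an off-hours hit, and 10.200.2.40 is ignored because its daytime contact with a feed IP is not paired with any fan-in. Comparing `bytes_staged` with `bytes_out_to_iocs` is what lets an analyst argue for exfiltration rather than merely a suspicious endpoint.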
Community vote distribution
A (35%)
C (25%)
B (20%)
Other