An analyst notices there is an internal device sending HTTPS traffic with additional characters in the header to a known-malicious IP in another country. Which of the following describes what the analyst has noticed?
The analyst has noticed a behavior known as "beaconing."
A. Beaconing is a term used in cybersecurity to describe a pattern where an internal device, often compromised or part of a botnet, sends periodic and regular communications to a command and control server or a known-malicious IP address. These communications are often designed to be stealthy and can carry additional information, such as commands or data, within the headers or payloads of seemingly innocuous traffic like HTTPS.
The other options, B, C, and D, describe different security-related concepts.
The analyst observed an internal device sending HTTPS traffic with unusual characters in the header to a known-malicious IP in another country.
This behavior is indicative of beaconing, which occurs when malware or a compromised system periodically contacts a command and control (C2) server for instructions.
The extra characters in the header suggest data exfiltration, encoding, or evasion techniques used by malware to avoid detection.
Beaconing Explained:
Beaconing is a technique used by malware or compromised systems to communicate with a command and control (C&C) server. Here's how it works:
Compromised Device: A device on the internal network becomes infected with malware or compromised by an attacker.
Communication Channel: The malware establishes a connection, typically HTTPS for encryption, to a known malicious IP address (the C&C server) located anywhere in the world.
Hidden Communication: The communication might use seemingly normal protocols (HTTPS) but often includes additional characters in the header that act as a signal to the C&C server. These extra characters might be difficult to detect without proper inspection.
C&C Server Purpose: The C&C server can then send instructions to the compromised device, download additional malware, or exfiltrate stolen data.
A) Beaconing
CompTIA Certmaster Topic 11A: Exploring Network Attack Indicators
A bot may beacon its C&C server by sending simple transmissions at regular intervals to unrecognized or malicious domains. Likewise, irregular peer-to-peer (P2P) traffic in the network could indicate that a bot is communicating with a centralized C&C server. Hosts in the C&C network are difficult to pin down because they frequently change DNS names and IP addresses, using techniques such as domain generation algorithms (DGAs) and fast flux DNS. Beacon activity is detected by capturing metadata about all the sessions established or attempted and analyzing it for patterns that constitute suspicious activity.
Also, the Sybex CySA+ Study Guide (Chapple and Seidl) says this about Beaconing:
Beaconing activity (sometimes a heartbeat) is activity sent to a C&C system as part of a botnet or malware remote control system and is typically sent as either HTTP or HTTPS traffic.
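A concrete form of the session-metadata analysis the Certmaster excerpt describes, as an added example (not code from the page or from either study guide): group connection records by source, destination and port, then flag pairs whose inter-session gaps are nearly constant, which is the regular-interval signature of a beacon. The log records, the hosts (documentation IP ranges) and the thresholds are constructed for illustration and are assumptions, not values from the page.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample connection metadata: (epoch seconds, src, dst, dst_port).
# The 10.0.0.5 -> 203.0.113.7 sessions are near-periodic (~60 s, small jitter);
# the 10.0.0.9 -> 198.51.100.2 sessions are irregular, browsing-like traffic.
SESSIONS = [
    (1000, "10.0.0.5", "203.0.113.7", 443),
    (1061, "10.0.0.5", "203.0.113.7", 443),
    (1119, "10.0.0.5", "203.0.113.7", 443),
    (1180, "10.0.0.5", "203.0.113.7", 443),
    (1241, "10.0.0.5", "203.0.113.7", 443),
    (1299, "10.0.0.5", "203.0.113.7", 443),
    (1005, "10.0.0.9", "198.51.100.2", 443),
    (1012, "10.0.0.9", "198.51.100.2", 443),
    (1090, "10.0.0.9", "198.51.100.2", 443),
    (1093, "10.0.0.9", "198.51.100.2", 443),
    (1400, "10.0.0.9", "198.51.100.2", 443),
    (1402, "10.0.0.9", "198.51.100.2", 443),
]


def interval_stats(timestamps):
    """Return (mean gap, coefficient of variation) for a set of session times."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mu = mean(gaps)
    return mu, (pstdev(gaps) / mu if mu else float("inf"))


def find_beacons(sessions, min_sessions=5, max_cv=0.1):
    """Flag (src, dst, port) pairs whose inter-session gaps are nearly constant.

    A low coefficient of variation means the gaps barely vary, i.e. the host is
    contacting the same destination on a fixed interval. Thresholds are assumed
    starting points; tune them against your own baseline traffic.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in sessions:
        by_pair[(src, dst, port)].append(ts)
    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_sessions:
            continue  # too few sessions to judge periodicity
        mu, cv = interval_stats(stamps)
        if cv <= max_cv:
            flagged[pair] = {"sessions": len(stamps), "period_s": round(mu, 1), "cv": round(cv, 3)}
    return flagged


if __name__ == "__main__":
    for pair, info in find_beacons(SESSIONS).items():
        print(pair, info)
```

Matching flagged destinations against threat-intelligence feeds (the "known-malicious IP" in the question) turns a periodicity hit into a confirmed indicator; jittered beacons need a looser `max_cv` or a frequency-domain approach.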
Community vote distribution: A (35%), C (25%), B (20%), Other