A cybersecurity analyst is reviewing SIEM logs and observes consistent requests originating from an internal host to a blocklisted external server. Which of the following best describes the activity that is taking place?
Correct Answer: D. Beaconing
Analysis: Beaconing refers to the activity where malware or compromised systems regularly check in with a command and control (C2) server for instructions or to report status. This is characterized by consistent and repeated network traffic from an internal host to an external server, especially one that is blocklisted.
Explanation of Other Options:
A. Data exfiltration: This involves transferring sensitive data out of the organization, but it would typically show large amounts of data being sent, not just consistent requests.
B. Rogue device: This refers to unauthorized devices connected to the network, which may not necessarily show consistent traffic to a specific external server.
C. Scanning: Scanning involves probing other devices or networks for vulnerabilities and would show different traffic patterns, usually a variety of destination IP addresses rather than consistent connections to a single blocklisted server.
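As an added illustration (not part of the original question or its discussion), the following Python script applies the reasoning above to constructed SIEM connection log lines: it flags regularly spaced, small check-ins to a blocklisted destination as beaconing and separates them from the scanning and exfiltration patterns described under the other options. The blocklist address, hosts, log lines and thresholds are all constructed assumptions.

```python
"""Classify constructed SIEM connection logs into the question's choices:
beaconing (regular small check-ins to a blocklisted host), scanning (one
source touching many destinations), exfiltration (large outbound volume)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

BLOCKLIST = {"203.0.113.45"}  # constructed blocklisted server (TEST-NET-3 range)

# Constructed log lines: timestamp src_ip dst_ip bytes_out
LOG = """\
2024-05-01T10:00:00 10.0.0.7 203.0.113.45 312
2024-05-01T10:05:02 10.0.0.7 203.0.113.45 308
2024-05-01T10:10:01 10.0.0.7 203.0.113.45 315
2024-05-01T10:15:03 10.0.0.7 203.0.113.45 310
2024-05-01T10:20:00 10.0.0.7 203.0.113.45 309
2024-05-01T10:00:10 10.0.0.9 198.51.100.20 41000000
2024-05-01T10:00:11 10.0.0.9 198.51.100.20 52000000
2024-05-01T10:00:12 10.0.0.9 198.51.100.20 47000000
2024-05-01T10:00:20 10.0.0.12 203.0.113.1 60
2024-05-01T10:00:21 10.0.0.12 203.0.113.2 60
2024-05-01T10:00:22 10.0.0.12 203.0.113.3 60
"""

def parse(log):
    by_pair = defaultdict(list)  # (src, dst) -> [(timestamp, bytes), ...]
    for line in log.splitlines():
        ts, src, dst, nbytes = line.split()
        by_pair[(src, dst)].append((datetime.fromisoformat(ts), int(nbytes)))
    return by_pair

def classify(log, blocklist, min_hits=4, max_jitter=0.2,
             exfil_bytes=10_000_000, scan_dsts=3):
    """Return {src_ip: verdict} for hosts whose traffic matches a choice."""
    by_pair = parse(log)
    dsts = defaultdict(set)
    for src, dst in by_pair:
        dsts[src].add(dst)
    verdicts = {s: "scanning" for s, d in dsts.items() if len(d) >= scan_dsts}
    for (src, dst), evs in by_pair.items():
        if src in verdicts:
            continue
        evs.sort()
        if sum(b for _, b in evs) >= exfil_bytes:  # volume, not cadence, is the tell
            verdicts[src] = "possible exfiltration"
        elif dst in blocklist and len(evs) >= min_hits:
            gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(evs, evs[1:])]
            if pstdev(gaps) / mean(gaps) <= max_jitter:  # tight spacing = regular check-ins
                verdicts[src] = "beaconing"
    return verdicts
```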
D. Beaconing
No indication of data exfil. Bandwidth usage isn't reported to be at high levels. Consistent requests, not data. Could be a simple ping. Also not C, since it's going from internal to external, so wouldn't be a probing scan from the outside. B doesn't make sense in this context.
C. Scanning
In this scenario, the consistent requests originating from an internal host to a blocklisted external server indicate scanning activity. Scanning typically involves sending multiple requests or probes to various hosts or services to identify vulnerabilities or discover open ports. When an internal host is repeatedly attempting to connect to a blocklisted external server, it suggests that it may be attempting to scan or probe the server for vulnerabilities or open ports. This behavior should be investigated further to determine the intent and potential risks associated with the scanning activity.
There are constant requests from an internal server to an external server. Since no data is clearly visible in the log, this is the definition of beaconing. A scan would be the other way around, from an external server (or computer) to an internal one, and no constant requests would be made.
Since the SIEM log does not show any data but simply requests to establish communication, it seems to indicate beaconing.