Exam CS0-003 topic 1 question 151 discussion

I would say D. Data Exfiltration because it is unexpected outbound communication. Especially because it's been happening daily and the analyst is just now discovering it. You can find rogue devices with scans or sweeps according to Certmaster but I think they would've gave us more information if they wanted us to choose rogue devices.

The question says " Which of the following is potentially occurring?" the keyword there " POTENTIALLY".....that device can exfiltrate data through that email...

Obviously D.

Thank you for this question. It gives familiarization to tricks so test takers may be more aware. It says the team discovered a device that sends outbound email to a non-corporate address - but just not enough information to conclude that it's a rogue device. It might as well be a compromised workstation. There is definitely some outbound communication happening but not enough information to conclude that there's data being taken. A lot is left to the imagination.

It is not a point of debate whether it is an unauthorized device. The reliable fact is that information is flowing outside.

After revision, I agree D is the best answer. Beaconing (answer A and maby C) would be done through HTTP/HTTPS typically. If I want to send a mass amount of PII, I could easily do so through an email (which is the attack vector used in the question).

Terribly worded question. The device is not communicating to a peer, as in another device on same network. A rogue device most likely wouldn't show up on a scan. I don't know what abnormal OS process that would do this. Data Exfil seems like the most correct out of all of these.

B) rogue device on the network A) the word irregular throws me off. The question states it happens daily, at 10:00 PM. This is an established, determinable, regular attack. B) Seems like something CompTIA would ask for TBH C) nothing about the OS can be deduced from this. It's via email, not a system process D) No data is being exfilled. The emails could be investigated as part of DLP efforts.

Data Exfiltration (D): The most suspicious part of the activity is the daily sending of an email to a non-company address, which is a common method for data exfiltration. The timing (10:00 p.m.) also suggests an attempt to avoid detection.

If CompTIA were looking for answer B, it would not indicate in the question that the device sends data through the mail. It asks what is happening, or what action is taking place. Therefore, the answer to this question is D. It is true that it does not indicate what it is sending but it is transparent. The fact of discovering a device and that it is sending mail should be significant of a data exfiltration.

Let's break this down. It helps to take it one word at a time sometimes in CompTIA questions. After completing a review of network activity, the threat hunting team DISCOVERED a device on the network. This means this device wasn't known about to be on the network at all. From there, this device is regularly sending outbound emails. We have nothing to support any irregular peer-to-peer communication, and there is nothing showing the OS of this device is behaving abnormally. It is sending email through a mail client. That is normal. This leaves us with B and D. We cannot say data is being exfiltrated because there is nothing in the question which states what the email regularly being sent contains. For that matter, this behavior could be an advanced form of beaconing somehow. This only leaves us with deducing a rogue device has gotten onto the network.