Exam CAS-005 topic 1 question 25 discussion

Explanation: Ransomware often communicates with Command and Control (C&C) servers or exfiltrates data, resulting in unusual outbound (egress) network traffic. NetFlow logs capture metadata about traffic flows (such as source/destination IPs, ports, bytes transferred), allowing the systems administrator to: Detect unusual or high-volume outbound traffic from machines that might be infected. Spot patterns consistent with data exfiltration or C&C communication. 🔍 Why the Others Are Less Suitable: A. Monitor for IoCs associated with C&C communications: This is a SOC-level activity, more about signature-based or behavioral monitoring — not direct network-level analysis by a systems admin. B. Tune alerts to identify changes to administrative groups: Useful for detecting privilege escalation, but not directly related to identifying ransomware's outbound traffic. D. Perform binary hash comparisons to identify infected devices: This is host-level analysis, not network-level. Also requires known malicious file hashes.