Exam CS0-002 topic 1 question 271 discussion

C is not the correct answer. 83hht23.org-int.org reaches out to 8.8.8.8 (Google DNS) on the correct port 53. Google DNS give name resolution and 83hht23.org-int.org connects to Yandex.ru via HTTPS on correct port 443. (Yandex.ru was ok, its just google in Russia. Test makers are just trying to be inclusive) webserver.org-dmz.org reaches out to whatever 131.52.88.45 is… maybe it’s a DNS server….. on port 53 weird but so far ok… webserver.org-dmz.org then reaches out to 131.52.88.45 with HTTPS protocol on port 10999. Now the red flag is thrown out. 10999 is not the standard port for HTTPS. It does it twice. webserver.org-dmz.org = bad

The focus of the investigation should be on the traffic to "ftps.bluemed.net" because this domain stands out as it's not part of the organization's typical internal or external domains. The fact that the organization's proprietary data was found for sale on the internet suggests that an unauthorized transfer of data may have occurred. Therefore, analyzing traffic to external domains that are not recognized or part of normal operations is crucial in this scenario.

Cyka Blyat! Ivan is up to no good.

https://www.examtopics.com/discussions/comptia/view/42706-exam-cs0-002-topic-1-question-117-discussion/

Going with A here. Ports are too suspicious.

Key phrase in the question: "possible compromise after its proprietary data was found for sale on the internet" Out of all the options, ftps.bluemed.net should be investigated since this is an external host that interacted with the organization's FTP server. 83hht23.org-int.org is an internal host browsing the internet, making DNS queries to Google DNS and visiting the Yandex website. Unsuspicious. webserver.org-dmz.org is the web server in the DMZ. Traffic looks unsuspicious

Going with A here, there is a big red flag for an https connection using a non-standard port.

Based on the information provided, the focus of the investigation should be option C, 83hht23.org-int.org. This domain appears to be communicating with external systems over DNS and HTTPS ports. It is possible that this communication is related to the possible data breach and the data being sold on the internet. Further investigation is needed to determine whether this communication is legitimate or malicious.

C is correct

C. 83hht23.org-int.org should be the focus of the investigation. The logs show that this IP is sending DNS queries to 8.8.8.8 (Google's DNS) and making HTTPS connections to 77.88.55.66 (yandex.ru). This could indicate that the IP is attempting to exfiltrate data or carry out other malicious activities. Further investigation is necessary to determine the nature and extent of the compromise.