CompTIA CASP+ (CAS-004) — Question 173

A network administrator for a completely air-gapped and closed system has noticed that anomalous external files have been uploaded to one of the critical servers. The administrator has reviewed logs in the SIEM that were collected from security appliances, network infrastructure devices, and endpoints. Which of the following processes, if executed, would be MOST likely to expose an attacker?

Answer options

• A. Reviewing video from IP cameras within the facility
• B. Reconfiguring the SIEM connectors to collect data from the perimeter network hosts
• C. Implementing integrity checks on endpoint computing devices
• D. Looking for privileged credential reuse on the network

Correct answer: A

Explanation

Reviewing video from IP cameras can provide visual evidence of unauthorized access or suspicious behavior, directly linking an attacker to the anomaly. The other options, while useful for different security purposes, do not offer immediate visual proof of an intruder's actions in a closed system.