CompTIA SecurityX (CAS-005) — Question 23
A systems administrator is working with the SOC to identify potential intrusions associated with ransomware. The SOC wants the systems administrator to perform network-level analysis to identify outbound traffic from any infected machines. Which of the following is the most appropriate action for the systems administrator to take?
Answer options
- A. Monitor for IoCs associated with C&C communications.
- B. Tune alerts to identify changes to administrative groups.
- C. Review NetFlow logs for unexpected increases in egress traffic.
- D. Perform binary hash comparisons to identify infected devices.
Correct answer: C
Explanation
The correct action is to review NetFlow logs for unexpected increases in egress traffic, as this can indicate data exfiltration from infected machines. Monitoring IoCs and tuning alerts are useful but do not directly analyze outbound traffic. Performing binary hash comparisons is more focused on identifying infected devices rather than analyzing network traffic.
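As an added example (not part of the question or its explanation), the following Python sketch shows the kind of check the correct answer describes: summing egress bytes per internal host per time window from constructed NetFlow-style records and flagging hosts whose volume jumps well above their own baseline. The internal address ranges, the constructed flow records and the spike factor are assumptions, not values from the page.

```python
"""Flag internal hosts whose egress byte volume spikes against their own baseline.

Added example: constructed NetFlow-style records (window, src_ip, dst_ip, bytes);
RFC 1918 ranges define "internal"; the spike factor is a hypothetical tuning value.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: (window, src_ip, dst_ip, bytes). Windows 0-2 are baseline
# hours; window 3 is the hour under review.
FLOWS = [
    (0, "10.1.1.5", "203.0.113.10", 120_000), (1, "10.1.1.5", "203.0.113.10", 110_000),
    (2, "10.1.1.5", "203.0.113.10", 130_000), (3, "10.1.1.5", "198.51.100.7", 9_500_000),
    (0, "10.1.1.6", "203.0.113.10", 500_000), (1, "10.1.1.6", "203.0.113.10", 480_000),
    (2, "10.1.1.6", "203.0.113.10", 520_000), (3, "10.1.1.6", "203.0.113.10", 510_000),
    (3, "198.51.100.7", "10.1.1.5", 40_000),  # inbound flow; must not count as egress
]

def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)

def egress_by_host_window(flows):
    """Sum bytes leaving the internal network, keyed by (src_ip, window)."""
    totals = defaultdict(int)
    for window, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[(src, window)] += nbytes
    return totals

def flag_egress_spikes(flows, review_window, factor=5.0):
    """Return {host: (baseline_mean, review_bytes)} for hosts whose egress in
    review_window exceeds factor x their mean egress over earlier windows."""
    totals = egress_by_host_window(flows)
    hosts = {src for src, _ in totals}
    flagged = {}
    for host in hosts:
        baseline = [b for (h, w), b in totals.items() if h == host and w < review_window]
        current = totals.get((host, review_window), 0)
        if not baseline:
            continue  # no history to compare against; such hosts need a separate review
        mean = sum(baseline) / len(baseline)
        if current > factor * mean:
            flagged[host] = (mean, current)
    return flagged
```

Calling `flag_egress_spikes(FLOWS, review_window=3)` on the constructed data flags only 10.1.1.5, whose egress rises from roughly 120 kB per window to 9.5 MB.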