CompTIA CySA+ (CS0-001) — Question 145
An analyst identifies multiple instances of node-to-node communication between several endpoints within the 10.200.2.0/24 network and a user machine at the IP address 10.200.2.5. The same machine is also identified as initiating outbound communication during atypical business hours with several IP addresses that have recently appeared on threat feeds.
Which of the following can be inferred from this activity?
Answer options
- A. 10.200.2.0/24 is infected with ransomware.
- B. 10.200.2.0/24 is not routable address space.
- C. 10.200.2.5 is a rogue endpoint.
- D. 10.200.2.5 is exfiltrating data.
Correct answer: D
Explanation
The correct answer is D. The machine at 10.200.2.5 is both communicating with many internal endpoints and initiating off-hours outbound connections to IP addresses recently listed on threat feeds; taken together, this pattern is most consistent with data exfiltration. Options A and B do not address the observed behaviour at all. Option C is plausible on its own, but it does not account for the specific evidence of traffic being sent to recently flagged external addresses.