CompTIA CySA+ (CS0-001) — Question 243

While reviewing proxy logs, the security analyst noticed a suspicious traffic pattern. Several internal hosts were observed communicating with an external IP address over port 80 constantly. An incident was declared, and an investigation was launched. After interviewing the affected users, the analyst determined the activity started right after deploying a new graphic design suite. Based on this information, which of the following actions would be the appropriate NEXT step in the investigation?

Answer options

• A. Update all antivirus and anti-malware products, as well as all other host-based security software on the servers the affected users authenticate to.
• B. Perform a network scan and identify rogue devices that may be generating the observed traffic. Remove those devices from the network.
• C. Identify what the destination IP address is and who owns it, and look at running processes on the affected hosts to determine if the activity is malicious or not.
• D. Ask desktop support personnel to reimage all affected workstations and reinstall the graphic design suite. Run a virus scan to identify if any viruses are present.

Correct answer: C

Explanation

The correct answer is C because identifying the destination IP and examining running processes will help determine if the communication is malicious, allowing for a more informed response. Option A does not address the immediate issue of the suspicious traffic; option B focuses on rogue devices without confirming the nature of the traffic; and option D, while thorough, may not be necessary if the activity can be confirmed as benign or malicious through investigation.