CompTIA CySA+ (CS0-002) — Question 329

A security analyst responds to a series of events surrounding sporadic bandwidth consumption from an endpoint device. The security analyst then identifies the following additional details:

• Bursts of network utilization occur approximately every seven days.
• The content being transferred appears to be encrypted or obfuscated.
• A separate but persistent outbound TCP connection from the host to infrastructure in a third-party cloud is in place.
• The HDD utilization on the device grows by 10GB to 12GB over the course of every seven days.
• Single file sizes are 10GB.

Which of the following describes the most likely cause of the issue?

Answer options

Correct answer: C

Explanation

The correct answer is C, data exfiltration. The observed pattern (high-bandwidth bursts on a roughly seven-day cycle, encrypted or obfuscated content, a persistent outbound TCP connection to third-party cloud infrastructure, and HDD growth of 10GB to 12GB per seven-day period in 10GB files) is consistent with data being staged locally and then sent to an external destination on a schedule. The other options do not align with these observations; for example, memory consumption and system updates do not typically produce such a consistent increase in outbound data transfer or in HDD usage.