CompTIA Security+ (SY0-701) — Question 369
A company suffered a critical incident where 30GB of data was exfiltrated from the corporate network. Which of the following actions is the most efficient way to identify where the system data was exfiltrated from and what location the attacker sent the data to?
Answer options
- A. Analyze firewall and network logs for large amounts of outbound traffic to external IP addresses or domains.
- B. Analyze IPS and IDS logs to find the IP addresses used by the attacker for reconnaissance scans.
- C. Analyze endpoint and application logs to see whether file-sharing programs were running on the company systems.
- D. Analyze external vulnerability scans and automated reports to identify the systems on which the attacker could have exploited a remote code vulnerability.
Correct answer: A
Explanation
Option A is correct because firewall and network logs record each connection's internal source, external destination and byte count, so filtering for unusually large outbound transfers to external IP addresses or domains reveals both the system the data left from and the location it was sent to. Options B, C, and D concern other phases of the intrusion (reconnaissance scans, file-sharing software on endpoints, and exploitable vulnerabilities) and do not directly show the exfiltration path or the destination of the data.