Computer Hacking Forensic Investigator (CHFI v10) — Question 114
You are an information security analyst at a large pharmaceutical company. While performing a routine review of audit logs, you have noticed a significant amount of egress traffic to various IP addresses on destination port 22 during off-peak hours. You researched some of the IP addresses and found that many of them are in Eastern Europe. What is the most likely cause of this traffic?
Answer options
- A. The organization's primary internal DNS server has been compromised and is performing DNS zone transfers to malicious external entities
- B. Data is being exfiltrated by an advanced persistent threat (APT)
- C. Malicious software on an internal system is downloading research data from partner SFTP servers in Eastern Europe
- D. Internal systems are downloading automatic Windows updates
Correct answer: B
Explanation
The correct answer is B. Large volumes of outbound traffic on TCP port 22 (SSH, and therefore SCP or SFTP) to many external addresses during off-peak hours is the classic pattern of staged data exfiltration: the channel is encrypted, so content inspection will not show what is leaving, and the timing is chosen so that the volume does not stand out against daytime activity. Sustained, low-profile theft of research data from a pharmaceutical company is characteristic of an advanced persistent threat (APT). Option A is wrong because DNS zone transfers use TCP port 53, not port 22, and a compromised DNS server would not by itself explain bulk egress to many unrelated destinations. Option C has the data flowing in the wrong direction: downloading from partner SFTP servers would bring data inbound, and the scenario mentions no partners in Eastern Europe. Option D is wrong because Windows Update retrieves updates over HTTP/HTTPS from Microsoft's infrastructure, not over SSH to assorted foreign hosts, and it would not be confined to off-peak hours. In practice, confirm the finding before declaring an incident: total the bytes sent per source and destination, check the source hosts for scheduled SSH or backup jobs, and compare the destinations against known partner and vendor addresses.
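The triage the explanation describes, as an added example that is not part of the CHFI material: it parses a constructed, simplified flow log (timestamp, source, destination, destination port, bytes sent), flags outbound TCP/22 sessions from internal hosts to external addresses during off-peak hours, and totals bytes per source/destination pair so the analyst can see which hosts are sending the most. The log format, the internal address ranges, the off-peak window and the byte threshold are all assumptions for this example; the external addresses are documentation-range placeholders.

```python
"""
Flag off-peak outbound SSH/SFTP (TCP/22) to external hosts in a flow log.

Log format (constructed for this example, adjust parse_line for your
firewall or NetFlow export):
    <ISO timestamp> <src_ip> <dst_ip> <dst_port> <bytes_out>
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample log. External addresses are IANA documentation ranges
# (198.51.100.0/24, 203.0.113.0/24) standing in for real foreign hosts.
SAMPLE_LOG = """\
2024-03-11T02:13:05 10.20.5.17 198.51.100.23 22 734003200
2024-03-11T02:41:52 10.20.5.17 203.0.113.77 22 512000000
2024-03-11T03:07:19 10.20.5.17 198.51.100.23 22 921000000
2024-03-11T10:15:00 10.20.7.4 10.20.1.9 22 2048
2024-03-11T11:02:33 10.20.7.4 198.51.100.23 443 15360
2024-03-11T23:58:41 10.20.5.17 203.0.113.77 22 388000000
"""

# Assumed: the organisation's internal space is the RFC 1918 ranges. Checking
# membership explicitly avoids ipaddress.is_private, which also treats the
# documentation ranges used above as non-global.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]
OFF_PEAK_HOURS = set(range(0, 6)) | {22, 23}   # assumed business hours 06:00-22:00
SSH_PORT = 22
BYTES_THRESHOLD = 100 * 1024 * 1024            # 100 MiB per pair, assumed tuning value


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Split one log line into typed fields."""
    ts, src, dst, port, nbytes = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "src": ip_address(src),
        "dst": ip_address(dst),
        "dport": int(port),
        "bytes": int(nbytes),
    }


def is_suspicious(rec):
    """Internal host -> external host on TCP/22 during the off-peak window."""
    return (
        rec["dport"] == SSH_PORT
        and is_internal(rec["src"])
        and not is_internal(rec["dst"])
        and rec["ts"].hour in OFF_PEAK_HOURS
    )


def summarize(log_text):
    """Return {(src, dst): total_bytes} for suspicious pairs over the threshold."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_suspicious(rec):
            totals[(str(rec["src"]), str(rec["dst"]))] += rec["bytes"]
    return {pair: total for pair, total in totals.items() if total >= BYTES_THRESHOLD}


if __name__ == "__main__":
    for (src, dst), total in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{src} -> {dst}:22  {total / 2**20:.0f} MiB sent off-peak")
```

The two internal-to-internal and port-443 lines are dropped, and the remaining lines collapse to two source/destination pairs, both from the same workstation. The next step in practice is to pivot on that source host: what process owns the SSH sessions, whether a scheduled job explains them, and whether the destinations are known to anyone in the business.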