Certified Threat Intelligence Analyst (CTIA) — Question 8
Jim works as a security analyst in a large multinational company. Recently, a group of hackers penetrated the organization's network and used a data staging technique to collect sensitive data. They gathered all sorts of sensitive data: information about employees and customers, the organization's business tactics, financial information, network infrastructure details, and so on.
What should Jim do to detect the data staging before the hackers exfiltrate the data from the network?
Answer options
- A. Jim should identify the attack at an initial stage by checking the content of the user agent field.
- B. Jim should analyze malicious DNS requests, DNS payload, unspecified domains, and destination of DNS requests.
- C. Jim should monitor network traffic for malicious file transfers, file integrity monitoring, and event logs.
- D. Jim should identify the web shell running in the network by analyzing server access, error logs, suspicious strings indicating encoding, user agent strings, and so on.
Correct answer: C
Explanation
The correct answer is C. Data staging is the step in which attackers gather the files they have collected onto one or a few internal hosts, usually compressing or encrypting them into archives, before moving them out of the network; it therefore happens before exfiltration. Monitoring internal network traffic for unusual file transfers (for example, a single workstation pulling large volumes from several file servers), file integrity monitoring that flags large archives appearing in unusual locations, and reviewing host event logs for archiving-tool execution can reveal this activity while the data is still inside the network. Options A and B focus on user agent fields and DNS requests, which help spot command-and-control traffic or DNS-based exfiltration rather than the staging process itself, while option D pertains to identifying web shells, which is not directly related to detecting data staging.
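As an added illustration of option C (this is example code written for this page, not part of the CTIA material), the following Python sketch runs three staging heuristics over constructed Sysmon/Zeek-style records: archiving tools run from or into staging directories, large archives appearing in those directories, and one host pulling large volumes from several internal peers over SMB within a short window. The record fields, directory list, and thresholds are assumptions for the illustration and would be tuned to a real environment.

```python
"""Toy data-staging detector over constructed log records (added example).

The event layout loosely mimics Sysmon process/file events and Zeek-style
flow records; field names, thresholds and directories are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ARCHIVE_TOOLS = {"7z.exe", "rar.exe", "winrar.exe", "makecab.exe", "tar.exe"}
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".cab", ".tar", ".gz")
# Locations commonly abused for staging; an assumed list, extend per environment.
STAGING_DIRS = ("\\programdata\\", "\\windows\\temp\\", "\\$recycle.bin\\", "\\users\\public\\")
LARGE_ARCHIVE_BYTES = 100 * 2**20      # assumed thresholds, tune to your baseline
SMB_COLLECTION_BYTES = 500 * 2**20
SMB_MIN_SOURCES = 3
SMB_WINDOW = timedelta(hours=1)
SMB_PORT = 445


def in_staging_dir(path):
    return any(d in path.lower() for d in STAGING_DIRS)


def is_archive(path):
    return path.lower().endswith(ARCHIVE_EXT)


def detect_staging(events):
    """Return {host: [reason, ...]} for hosts that show staging behaviour."""
    alerts = defaultdict(list)
    smb_in = defaultdict(list)          # dst host -> [(ts, src, bytes)]
    for ev in events:
        if ev["type"] == "process":
            exe = ev["image"].rsplit("\\", 1)[-1].lower()
            # Archiver launched from, or writing into, a staging directory.
            if exe in ARCHIVE_TOOLS and (in_staging_dir(ev["image"]) or in_staging_dir(ev["cmdline"])):
                alerts[ev["host"]].append(f"archive tool {exe} run from/into staging directory")
        elif ev["type"] == "file":
            # File integrity monitoring: a large archive appears in a staging directory.
            if is_archive(ev["path"]) and in_staging_dir(ev["path"]) and ev["size"] >= LARGE_ARCHIVE_BYTES:
                alerts[ev["host"]].append(f"large archive created: {ev['path']} ({ev['size'] // 2**20} MiB)")
        elif ev["type"] == "flow" and ev["dport"] == SMB_PORT:
            smb_in[ev["dst"]].append((datetime.fromisoformat(ev["ts"]), ev["src"], ev["bytes"]))
    # Internal collection: many distinct sources feeding one host within SMB_WINDOW.
    for dst, flows in smb_in.items():
        flows.sort()
        for i, (t0, _, _) in enumerate(flows):
            window = [f for f in flows[i:] if f[0] - t0 <= SMB_WINDOW]
            srcs = {f[1] for f in window}
            total = sum(f[2] for f in window)
            if len(srcs) >= SMB_MIN_SOURCES and total >= SMB_COLLECTION_BYTES:
                alerts[dst].append(f"pulled {total // 2**20} MiB over SMB from {len(srcs)} hosts within 1h")
                break
    return dict(alerts)


# Constructed sample records: WS-041 stages data, WS-007 is a benign user backup.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T01:05:00", "type": "flow", "src": "FS-01", "dst": "WS-041", "dport": 445, "bytes": 300 * 2**20},
    {"ts": "2024-05-01T01:20:00", "type": "flow", "src": "HR-DB", "dst": "WS-041", "dport": 445, "bytes": 250 * 2**20},
    {"ts": "2024-05-01T01:40:00", "type": "flow", "src": "FIN-SRV", "dst": "WS-041", "dport": 445, "bytes": 120 * 2**20},
    {"ts": "2024-05-01T02:10:00", "type": "process", "host": "WS-041",
     "image": "C:\\Windows\\Temp\\7z.exe",
     "cmdline": "7z.exe a -p -mhe C:\\ProgramData\\q.7z C:\\Users\\Public\\loot\\*"},
    {"ts": "2024-05-01T02:25:00", "type": "file", "host": "WS-041",
     "path": "C:\\ProgramData\\q.7z", "size": 640 * 2**20},
    {"ts": "2024-05-01T09:00:00", "type": "flow", "src": "FS-01", "dst": "WS-007", "dport": 445, "bytes": 40 * 2**20},
    {"ts": "2024-05-01T09:30:00", "type": "process", "host": "WS-007",
     "image": "C:\\Program Files\\7-Zip\\7z.exe",
     "cmdline": "7z.exe a C:\\Users\\alice\\Documents\\backup.zip C:\\Users\\alice\\Documents\\notes\\*"},
    {"ts": "2024-05-01T09:31:00", "type": "file", "host": "WS-007",
     "path": "C:\\Users\\alice\\Documents\\backup.zip", "size": 12 * 2**20},
]


if __name__ == "__main__":
    for host, reasons in detect_staging(SAMPLE_EVENTS).items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```

On the constructed input only WS-041 is reported, with all three indicators firing; the point of correlating them is that any one alone (an archiver run, a big zip, a busy SMB client) is common in normal operations, while the combination on one host in a short span is the staging pattern option C is meant to catch.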