200-201 Network Intrusion Analysis • Set 2
200-201 Network Intrusion Analysis Practice Test 2 — 15 questions with explanations. Free, no signup.
You are a security analyst for a financial institution. Over the past hour, the intrusion detection system has generated multiple alerts for outbound traffic from a single internal host (10.0.0.50) to various external IP addresses on port 443. The alerts indicate that the host is making HTTPS connections to IPs that are associated with known command and control servers. Additionally, the host has been observed making DNS queries for domains that are algorithmically generated (e.g., rgj3k2.example.com, fh7d8s.example.net). The host is a Windows 10 workstation used by an employee in the accounting department. The employee reports that they have not noticed any unusual behavior, but they did click on a link in a phishing email yesterday. The network administrator confirms that the host's firewall rules allow outbound HTTPS traffic. You have access to endpoint logs, network flow data, and packet captures. Which course of action should you take FIRST?