Which THREE of the following are indicators that a network may be compromised by a botnet?
C&C communication is a hallmark of botnet activity.
Why this answer
Option A is correct because botnet-infected systems typically communicate with command-and-control (C2) servers to receive instructions or exfiltrate data. Unusual outbound traffic to known C2 IPs or domains is a strong indicator of botnet activity, as legitimate traffic rarely targets these addresses. Security monitoring tools often use threat intelligence feeds to flag such connections.
Exam trap
Cisco often tests the distinction between generic attack symptoms (like high ICMP volume) and specific botnet indicators (like C2 communication and beaconing). Candidates mistakenly select Option C because they associate any unusual traffic with botnets without considering the precise behavioral patterns.