Refer to the exhibit. During a risk identification exercise for the internal network, the risk manager reviews this firewall log entry. Which of the following risks is MOST directly suggested by this log entry?
SMB is commonly used for lateral movement in attacks.
Why this answer
The firewall log shows an inbound SMB connection (port 445) from a workstation (10.0.0.5) to a server (10.0.0.10). SMB is commonly used for file sharing and remote administration, and if the workstation is compromised, an attacker can leverage SMB to move laterally to the server, potentially gaining access to sensitive data or escalating privileges. This aligns with the risk of lateral movement, which is a primary concern in internal network segmentation.
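The reasoning above (direction of traffic, destination port 445, workstation-to-server) can be turned into a simple detection check over firewall logs. This is an added example, not part of the exam material; the key=value log format, the asset inventory and the sample lines are constructed, and the check also covers NetBIOS session port 139 alongside 445.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed key=value firewall log format (the exam exhibit's real format is not reproduced here).
LOG_RE = re.compile(r"(\w+)=(\S+)")

# Constructed asset inventory: which internal hosts are workstations and which are servers.
INVENTORY = {
    "10.0.0.5": "workstation",
    "10.0.0.10": "server",
    "10.0.0.11": "server",
}
SMB_PORTS = {445, 139}  # SMB direct-hosted and NetBIOS session service

@dataclass
class Finding:
    src: str
    dst: str
    dport: int
    reason: str

def parse_entry(line: str) -> dict:
    """Parse one key=value log line into a dict; port fields become ints."""
    fields = dict(LOG_RE.findall(line))
    for key in ("spt", "dpt"):
        if key in fields:
            fields[key] = int(fields[key])
    return fields

def flag_lateral_smb(lines, inventory=INVENTORY):
    """Return allowed SMB connections from a workstation to an internal server.

    That pattern matches the exam explanation: a workstation opening
    445/139 on a server is the path a compromised workstation would use
    to move laterally, so it is worth surfacing during risk review.
    """
    findings = []
    for line in lines:
        e = parse_entry(line)
        src, dst = e.get("src"), e.get("dst")
        if not src or not dst or e.get("action") != "ALLOW":
            continue
        if e.get("dpt") not in SMB_PORTS or not ipaddress.ip_address(dst).is_private:
            continue  # not SMB, or leaving the internal network (a different risk)
        if inventory.get(src) == "workstation" and inventory.get(dst) == "server":
            findings.append(Finding(src, dst, e["dpt"], "workstation->server SMB (lateral-movement risk)"))
    return findings

# Constructed sample log: one workstation->server SMB session, web traffic, server->server SMB, a denied attempt.
SAMPLE_LOG = [
    "ts=2024-05-01T10:15:02 action=ALLOW proto=TCP src=10.0.0.5 spt=51234 dst=10.0.0.10 dpt=445",
    "ts=2024-05-01T10:15:09 action=ALLOW proto=TCP src=10.0.0.5 spt=51240 dst=93.184.216.34 dpt=443",
    "ts=2024-05-01T10:16:30 action=ALLOW proto=TCP src=10.0.0.11 spt=40112 dst=10.0.0.10 dpt=445",
    "ts=2024-05-01T10:17:01 action=DENY proto=TCP src=10.0.0.5 spt=51300 dst=10.0.0.11 dpt=445",
]
```

Only the first sample line is flagged; the server-to-server and denied entries are excluded because the risk comes from a workstation successfully reaching a server over SMB.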
Exam trap
The trap here is that candidates may focus on the protocol (SMB) and assume data exfiltration (Option A) without considering the direction of traffic (inbound to the server) and the typical use of SMB for lateral movement in internal networks.
How to eliminate wrong answers
Option A is wrong because SMB is a protocol for file sharing and remote administration, not typically used for exfiltration; exfiltration often uses HTTP/S, FTP, or DNS tunneling, and the log shows a single inbound connection, not a sustained outbound data transfer. Option C is wrong because the log shows traffic from the workstation to the server (inbound to the server), not the workstation accessing the internet via the server; internet access would typically involve outbound traffic to external IPs, not internal SMB connections. Option D is wrong because a DDoS attack requires a flood of traffic from multiple sources to overwhelm a target, and this log shows a single connection from one workstation to one server, with no indication of volume or distributed sources.