Question 13 - CompTIA (CYSA+) Analyst+ CS0-003 Real Exam Questions [Jan 2026 Update]

Q: 13

A systems administrator is reviewing after-hours traffic flows from data-center servers and sees regular outgoing HTTPS connections from one of the servers to a public IP address. The server should not be making outgoing connections after hours. Looking closer, the administrator sees this traffic pattern around the clock during work hours as well. Which of the following is the most likely explanation?

Options

Correct Answer:

Explanation

The observed pattern of regular, periodic, outgoing HTTPS connections from a server to a single public IP address is a classic indicator of Command and Control (C2) beaconing. Malware on the compromised server establishes these connections to "call home" to its controller, receive instructions, or signal its operational status. Using a common protocol like HTTPS on port 443 is a technique used by adversaries to blend malicious traffic with legitimate network activity, making it harder to detect. The "around the clock" nature of the connections reinforces the automated, persistent nature of a C2 beacon.

Why Incorrect

B. Data exfiltration: This typically involves large or sustained data transfers, not the regular, repeating "heartbeat" pattern described in the scenario.

C. Anomalous activity on unexpected ports: The activity uses HTTPS (port 443), which is a very common and expected port for network traffic, not an unexpected one.

D. Network host IP address scanning: Scanning involves sending probes to many different IP addresses, whereas this activity is directed toward a single, specific public IP.

E. A rogue network device: The traffic originates from a known data-center server, which is a managed asset, not an unauthorized or unknown device on the network.

References

1. MITRE ATT&CK® Framework. (2023). Technique T1071: Application Layer Protocol. MITRE. Retrieved from https://attack.mitre.org/techniques/T1071/

Reference Detail: Sub-technique T1071.001 (Web Protocols) states

"Adversaries may communicate using HTTP and HTTPS to command and control victim systems... C2 traffic is often camouflaged as normal web traffic to avoid detection." This directly supports the use of HTTPS for C2 communications.

2. NIST Special Publication 800-61 Rev. 2. (2012). Computer Security Incident Handling Guide. National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-61r2

Reference Detail: Section 2.3.3

"Sources of Precursors and Indicators

" discusses how network traffic analysis can reveal indicators of compromise. An unexpected outbound connection from a server

especially one with a regular pattern

is a strong indicator of a compromised host

consistent with C2 activity.

3. SANS Institute Reading Room. (2016). Beats on the Wire: A Security Analysis of Command and Control. SANS Technology Institute.

Reference Detail: Page 6 discusses C2 beaconing

stating

"A beacon is a periodic outbound connection attempt from a compromised host to a command and control server... The beaconing interval can be configured to be anything from seconds to days." This describes the exact behavior observed.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE