A company suffered a critical incident where 30GB of data was exfiltrated from the corporate network. Which of the following actions is the most efficient way to identify where the system data was exfiltrated from and where it was sent?
A. Analyze firewall and network logs for large amounts of outbound traffic to external IP addresses or domains.
B. Analyze IPS and IDS logs to find the IP addresses used by the attacker for reconnaissance scans.
C. Analyze endpoint and application logs to see whether file-sharing programs were running.
D. Analyze external vulnerability scans to identify exploitable systems.
To identify which system the data left from and where it was sent, the most efficient action is to analyze firewall and network flow logs for unusually large volumes of outbound traffic. Security+ SY0-701 emphasizes that network-level telemetry provides the most direct evidence of data exfiltration: source IP, destination IP or domain, port, protocol, timestamps, and byte counts are all recorded at the egress point.
Firewall and flow logs can quickly show which internal hosts sent large quantities of data externally and which external infrastructure received it. Aggregating bytes per source/destination pair over the incident window matters, because an attacker moving 30GB will usually split it across many sessions that individually look unremarkable. This approach is efficient because it focuses directly on the movement of the data rather than on preliminary or secondary indicators.
IPS/IDS logs (B) are more useful for detecting reconnaissance or intrusion attempts; they do not confirm the exfiltration path. Endpoint and application logs (C) may identify the tool that was used but are a slower way to map data movement. External vulnerability scans (D) identify weaknesses, not exfiltration activity.
Therefore, the most efficient action is A: analyze firewall and network logs for large outbound traffic.
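The following Python script is added here as an illustration of the log analysis described in the explanation; it is not part of the original question or answer. It runs over a constructed flow-log excerpt (the records, addresses, and the 1 GiB threshold are invented for the example) and sums outbound bytes per internal-source/external-destination pair, so that a transfer chunked across many sessions adds up to the total that stands out.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow-log excerpt for illustration only (not data from a real incident).
# Columns: timestamp, src_ip, dst_ip, dst_port, proto, bytes (bytes sent by src_ip).
SAMPLE_FLOWS = """\
timestamp,src_ip,dst_ip,dst_port,proto,bytes
2024-05-01T01:02:11Z,10.20.5.17,203.0.113.45,443,tcp,8589934592
2024-05-01T01:19:40Z,10.20.5.17,203.0.113.45,443,tcp,7516192768
2024-05-01T01:37:05Z,10.20.5.17,203.0.113.45,443,tcp,9126805504
2024-05-01T01:55:22Z,10.20.5.17,203.0.113.45,443,tcp,6979321856
2024-05-01T01:05:00Z,10.20.5.40,198.51.100.10,443,tcp,1843200
2024-05-01T01:06:30Z,10.20.5.17,10.20.9.3,445,tcp,524288000
2024-05-01T01:07:10Z,203.0.113.45,10.20.5.17,443,tcp,120000
2024-05-01T01:08:00Z,10.20.7.8,192.0.2.77,53,udp,4096
"""

# Internal address space is listed explicitly (RFC 1918) rather than via
# ipaddress.is_private, which also treats the 192.0.2.0/24, 198.51.100.0/24
# and 203.0.113.0/24 documentation ranges used in the sample as "private".
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """True if ip falls inside the assumed corporate (RFC 1918) ranges."""
    return any(ip in net for net in INTERNAL_NETS)


def find_large_outbound(log_text, threshold_bytes=1 << 30):
    """Aggregate outbound bytes per (src, dst, port, proto) and return the
    pairs at or above threshold_bytes, largest first.

    Summing per pair is the important step: a 30GB theft is normally spread
    over many sessions, none of which stands out on its own.
    """
    totals = defaultdict(int)
    sessions = defaultdict(int)
    for row in csv.DictReader(io.StringIO(log_text)):
        src, dst = ip_address(row["src_ip"]), ip_address(row["dst_ip"])
        if not is_internal(src) or is_internal(dst):
            continue  # keep only internal -> external flows
        key = (row["src_ip"], row["dst_ip"], int(row["dst_port"]), row["proto"])
        totals[key] += int(row["bytes"])
        sessions[key] += 1

    hits = [
        {"src_ip": s, "dst_ip": d, "dst_port": p, "proto": pr,
         "bytes": totals[(s, d, p, pr)], "sessions": sessions[(s, d, p, pr)]}
        for (s, d, p, pr) in totals
        if totals[(s, d, p, pr)] >= threshold_bytes
    ]
    hits.sort(key=lambda h: h["bytes"], reverse=True)
    return hits


if __name__ == "__main__":
    for h in find_large_outbound(SAMPLE_FLOWS):
        gib = h["bytes"] / (1 << 30)
        print(f'{h["src_ip"]} -> {h["dst_ip"]}:{h["dst_port"]}/{h["proto"]} '
              f'{gib:.1f} GiB over {h["sessions"]} sessions')
```

On the sample data the four 443/tcp sessions from 10.20.5.17 to 203.0.113.45 sum to 30 GiB and are the only pair above the threshold; the internal file-share copy and the inbound flow are excluded by the direction filter. In a real investigation the same aggregation is run over the NetFlow/IPFIX export, firewall connection logs, or cloud VPC flow logs, with the threshold set relative to each host's normal outbound baseline rather than a fixed number, and if egress goes through a proxy the proxy logs are what carry the true external destination.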