A security analyst is reviewing application logs and notices a spike in outbound communication from an internal application server that usually communicates only within its subnet. What is the MOST appropriate initial action the analyst should take?
Investigate the source and destination details of the outbound communication.
Ignore the spike as it is a normal fluctuation.
Block outbound traffic from the server.
Disable the server to prevent further communication.
The most appropriate initial action is to investigate the source and destination details of this unexpected outbound communication. This can help identify whether the spike is due to a legitimate change in behavior (such as a new feature or update) or potentially malicious activity (like data exfiltration). Blocking traffic or disabling the server might be too disruptive without concrete evidence that the activity is malicious. Ignoring the spike might overlook a potential threat.