A security analyst is reviewing network flow data from a critical web server. The analyst observes a consistent, low-volume, hourly outbound connection over TCP port 443 to an IP address with no associated domain name and a poor reputation score. The server also shows a 15% increase in CPU usage and a large volume of successful authentication logs from the corporate IP range. Which finding is the strongest indicator of a potential command-and-control (C2) channel?
The use of TCP port 443 for the outbound connection
The large volume of successful authentications
The 15% increase in CPU usage
The consistent, low-volume connection to the low-reputation IP
The strongest indicator of a command-and-control (C2) channel is the consistent, low-volume, hourly outbound connection to a low-reputation IP address. This pattern is characteristic of C2 'heartbeat' traffic, where malware periodically checks in with its control server. While increased CPU usage and high authentication volumes can be IoCs, they are less specific and could be caused by legitimate activity. The use of TCP port 443 is a common evasion tactic but is not the primary indicator itself; the communication pattern is the key.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is an Indicator of Compromise (IoC)?
Open an interactive chat with Bash
How can outbound connections to unknown network locations indicate a compromise?
Open an interactive chat with Bash
How are suspicious outbound connections investigated further?