During a routine threat-hunting exercise, a security analyst reviews several data points that could signal insider-driven data theft. The analyst can examine workstation performance metrics, login records, internal east-west traffic statistics, and outbound flow logs collected at the internet gateway. Which single data set would give the analyst the most reliable early warning that an employee is exfiltrating proprietary files to an external destination?
Logging and reviewing login times
Monitoring processor and memory usage on workstations
Monitoring outbound traffic for large data transfers to external IP addresses
Outbound flow logs (or any other monitoring of egress traffic at the gateway) record the volume, destination IP address, port and protocol of every connection that leaves the network. A sudden large transfer from one workstation to an unrecognized external host is therefore a direct indicator of data exfiltration, and the analyst can act on it while the transfer is still in progress. The other data sets are only indirect: internal east-west bandwidth, CPU/memory usage and login timestamps may all look anomalous during an exfiltration, but none of them shows that data has actually crossed the boundary, so each needs further correlation before it can be trusted. Two caveats apply even to flow logs: the check should be tuned against a per-host baseline and an allowlist of known bulk destinations (backup targets, sanctioned cloud storage), or legitimate transfers will generate the same alert, and the volume of an encrypted session is still visible even when its payload is not, so the indicator survives TLS.
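The detection described above, as an added example that is not part of the original question or of any vendor tool. It assumes a simplified NetFlow/IPFIX-style CSV export with the columns timestamp, src_ip, dst_ip, dst_port, proto and bytes; the internal address ranges, the allowlist of known external destinations, the 100 MB threshold and the sample flow records are all constructed for illustration.

```python
"""Flag large outbound transfers to unfamiliar external hosts in flow logs.

Added example for this page, not code from the original question or from
any product. Assumes a simplified NetFlow/IPFIX-style export as CSV:
  timestamp,src_ip,dst_ip,dst_port,proto,bytes
The internal address space, the known-destination allowlist, the threshold
and the sample flow records below are all constructed for illustration.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed: what "internal" means for this network (RFC 1918 here).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed: destinations the organization knowingly sends bulk data to
# (e.g. an off-site backup target). Any other external host is "unrecognized".
KNOWN_EXTERNAL = {"203.0.113.10"}

# Constructed sample export (documentation address ranges only).
# 198.51.100.77 is the suspicious destination; the first row is east-west SMB.
SAMPLE_FLOWS = """\
timestamp,src_ip,dst_ip,dst_port,proto,bytes
2024-05-01T09:00:00Z,10.1.4.23,10.1.4.5,445,tcp,52000000
2024-05-01T09:01:00Z,10.1.4.23,203.0.113.10,443,tcp,900000000
2024-05-01T09:02:00Z,10.1.4.23,198.51.100.77,443,tcp,400000000
2024-05-01T09:03:00Z,10.1.4.23,198.51.100.77,443,tcp,350000000
2024-05-01T09:04:00Z,10.1.4.40,203.0.113.55,443,tcp,120000
2024-05-01T09:05:00Z,10.1.4.40,198.51.100.77,22,tcp,3000
"""


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def egress_by_pair(flow_csv: str) -> dict:
    """Sum bytes per (src, dst) for flows that actually leave the network.

    East-west traffic (internal to internal) is dropped here on purpose: it
    may look anomalous but does not show data leaving the organization.
    """
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if is_internal(row["src_ip"]) and not is_internal(row["dst_ip"]):
            totals[(row["src_ip"], row["dst_ip"])] += int(row["bytes"])
    return dict(totals)


def find_exfil_candidates(flow_csv: str, threshold_bytes: int = 100_000_000) -> list:
    """Return (src, dst, bytes) for large transfers to unrecognized hosts.

    Both conditions must hold: the destination is external and not on the
    allowlist, and the summed volume exceeds the threshold (a constructed
    100 MB here; in practice derive it from a per-host baseline).
    """
    hits = []
    for (src, dst), total in egress_by_pair(flow_csv).items():
        if dst not in KNOWN_EXTERNAL and total >= threshold_bytes:
            hits.append((src, dst, total))
    return sorted(hits, key=lambda h: h[2], reverse=True)


if __name__ == "__main__":
    for src, dst, total in find_exfil_candidates(SAMPLE_FLOWS):
        print(f"ALERT {src} -> {dst}: {total / 1e6:.0f} MB to unrecognized external host")
```

Run against the sample, only the 750 MB sent by 10.1.4.23 to 198.51.100.77 over port 443 is flagged: the 900 MB to the allowlisted backup host is expected, the internal SMB copy never crosses the gateway, and the small SSH and HTTPS sessions stay under the threshold. Summing per source/destination pair rather than per flow is what catches an exfiltration split across several connections.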