An analyst reviews a SIEM and generates the following report:
Only HOST002 is authorized for internet traffic. Which of the following statements is accurate?
Understanding the Security Event:
HOST002 is the only device authorized for internet traffic. However, the SIEM logs show that VM002 is making network connections to web.corp.local.
This indicates unauthorized access and may be a sign of lateral movement or a network infection.
It is a red flag for potential malware, unauthorized software, or a compromised host.
Why Option D is Correct:
Unusual network traffic patterns are often an indicator of a compromised system.
VM002 should not be communicating externally, but it is.
This suggests a possible breach or malware infection attempting to communicate with a command-and-control (C2) server.
Why Other Options Are Incorrect:
A (Misconfiguration): While a misconfiguration could explain the unauthorized connections, the pattern of activity suggests something more malicious.
B (Security incident on HOST002): The issue is not with HOST002. The suspicious activity is from VM002.
C (False positives): The repeated pattern of unauthorized connections makes false positives unlikely.
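The reasoning above (an allowlist of hosts authorized for internet traffic, any other host generating web connections is suspicious, and a repeated pattern is less likely to be a false positive) can be expressed as a simple SIEM post-processing check. The following is an added example, not part of the original question or the study guide; the CSV export format, the field names, the port-based notion of "web traffic" and the sample events are all constructed assumptions for illustration.

```python
"""Flag hosts that generate web traffic without being on the authorized list.

Added example; the log format, field names and events below are constructed
for illustration and are not real SIEM output.
"""
import csv
import io
from collections import defaultdict

# From the scenario: only HOST002 is authorized for internet traffic.
AUTHORIZED_HOSTS = {"HOST002"}

# Assumption: connections to these destination ports count as web traffic.
WEB_PORTS = {80, 443}

# Constructed sample SIEM export (CSV), modelled on the scenario.
SAMPLE_LOG = """\
timestamp,src_host,dst_host,dst_port,action
2024-01-01T09:00:01Z,HOST002,web.corp.local,443,allow
2024-01-01T09:00:05Z,VM002,web.corp.local,443,allow
2024-01-01T09:01:10Z,VM002,web.corp.local,443,allow
2024-01-01T09:02:30Z,VM002,web.corp.local,80,allow
2024-01-01T09:03:00Z,HOST001,fileserver.corp.local,445,allow
"""


def parse_events(text):
    """Parse the CSV export into a list of dicts, one per connection event."""
    return list(csv.DictReader(io.StringIO(text)))


def find_unauthorized_web_traffic(events, authorized=AUTHORIZED_HOSTS):
    """Return {src_host: connection_count} for hosts that made web connections
    without being on the authorized list. Authorized hosts and non-web
    traffic (e.g. SMB to a file server) are ignored."""
    counts = defaultdict(int)
    for event in events:
        if int(event["dst_port"]) not in WEB_PORTS:
            continue
        if event["src_host"] in authorized:
            continue
        counts[event["src_host"]] += 1
    return dict(counts)


def triage(counts, repeat_threshold=2):
    """Map each flagged host to a triage label. A repeated pattern from the
    same host (as with VM002 in the scenario) argues against a one-off false
    positive and warrants investigation of that host; a single event should
    be verified before escalating."""
    labels = {}
    for host, count in counts.items():
        if count >= repeat_threshold:
            labels[host] = "repeated - investigate host for compromise"
        else:
            labels[host] = "single event - verify before escalating"
    return labels


if __name__ == "__main__":
    flagged = find_unauthorized_web_traffic(parse_events(SAMPLE_LOG))
    for host, label in triage(flagged).items():
        print(f"{host}: {flagged[host]} unauthorized web connection(s) -> {label}")
```

On the constructed data the check flags VM002 with three connections and ignores both HOST002 (authorized) and HOST001 (SMB, not web traffic). In practice the allowlist would come from the asset inventory or egress policy rather than a hard-coded set, and the threshold would be tuned to the environment.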
CompTIA SecurityX CAS-005 Official Study Guide: Chapter on SIEM & Incident Analysis
MITRE ATT&CK Tactics: Lateral Movement & Network-based Attacks