A threat feed notes malicious actors have been infiltrating companies and exfiltration data to a specific set of domains Management at an organization wants to know if it is a victim.
Which of the following should the security analyst recommend to identity this behavior without alerting any potential malicious actors?
A . Create an IPS rule to block these domains and trigger an alert within the SIEM tool when these domains are requested
B . Add the domains to a DNS sinkhole and create an alert m the SIEM toot when the domains are queried
C . Look up the IP addresses for these domains and search firewall logs for any traffic being sent to those IPs over port 443
D . Query DNS logs with a SIEM tool for any hosts requesting the malicious domains and create alerts based on this information
Answer: D
Leave a Reply