Palo Alto Networks (PANW) Certified Cybersecurity Entry-level Technician (PCCET) Practice Exam

In which stage of the cyberattack lifecycle would you identify unusual communication between an internal database that should not access the internet and an external server?

• A. Exploitation
• B. Installation
• C. Command and Control
• D. Actions on the Objective

The correct answer is: Command and Control

Identifying unusual communication between an internal database and an external server falls squarely within the Command and Control stage of the cyberattack lifecycle. In this stage, attackers establish a communication channel between compromised systems within the target network and their external servers, which allows them to manage the attack remotely. This is often characterized by abnormal or unauthorized outbound traffic, which may indicate that data is being exfiltrated, commands are being sent to compromise systems, or that attackers are controlling the compromised network environment. Detecting such unusual communication is critical for cybersecurity professionals, as it can signal ongoing malicious activity, such as data breaches or persistent threats. Insights from monitoring systems usually help in recognizing these patterns, prompting investigations to assess whether a compromise has occurred and how to mitigate any potential damage. The other stages, such as exploitation and installation, are focused more on gaining initial access to the system and establishing a foothold, while Actions on the Objective pertains to achieving the attacker's goals, such as data theft or disruption. These stages do not specifically involve the key activity of monitoring external communications, making them less relevant to the scenario presented in the question.