| Explanation & Hint:
Among the provided options, the two actions that could indicate suspicious behavior deviating from the baseline and worth investigating further are:
- A spike in the amount of outbound traffic: This can be a sign of data exfiltration, where large amounts of data are being sent out of the network without authorization. Such spikes, especially if they are unusual for the normal network behavior, can indicate that sensitive data is being transferred to external entities, possibly by malware or an intruder.
- Regular crashing of host devices which was not seen earlier: Frequent and unexpected crashing of host devices can be a sign of malicious activity, such as the presence of malware or the exploitation of vulnerabilities in the system. This deviation from normal stability could indicate that the systems are under attack or compromised.
The other options might not necessarily indicate suspicious behavior:
- A lot of downloaded data such as software or web browsing: While this could be worth monitoring, it’s not inherently suspicious unless it deviates significantly from the normal pattern of network usage.
- Small uploads of any kind that are leaving the network: Small uploads are typical in many network environments, especially if they correspond to regular business activities like sending emails or using cloud services.
- A lot of inbound traffic to the web server in the network: High inbound traffic to a web server could be normal, especially if the server hosts popular services or websites. It would only be suspicious if it represents an abnormal increase or is associated with other indicators of an attack, such as a denial-of-service attack.
|