Exam SY0-601
Question 484

Security analysts have noticed the network becomes flooded with malicious packets at specific times of the day. Which of the following should the analysts use to investigate this issue?

    Correct Answer: B

    Security analysts should use bandwidth monitors to investigate the issue of the network becoming flooded with malicious packets at specific times of the day. Bandwidth monitors can help identify unusual spikes in network traffic and can be used to monitor bandwidth usage by specific hosts or applications. By analyzing the data collected by the bandwidth monitors, analysts can identify the source and nature of the malicious traffic, enabling them to take appropriate actions to mitigate the attack.

Discussion
ApplebeesWaiter1122 - Option: B

Bandwidth monitors can be used to capture network traffic and identify any unusual traffic patterns, such as a spike in traffic during specific times of the day. This can help security analysts investigate and identify any potential malicious activity. Web metadata is not likely to be useful in investigating network traffic, system files are typically used to troubleshoot and diagnose system issues, and correlation dashboards are used to analyze and present data from multiple sources in a single view.

mouettespaghetti - Option: B

B is correct, Bandwidth monitors. Security analysts should use bandwidth monitors to investigate the issue of the network becoming flooded with malicious packets at specific times of the day. Bandwidth monitors can help identify unusual spikes in network traffic and can be used to monitor bandwidth usage by specific hosts or applications. By analyzing the data collected by the bandwidth monitors, analysts can identify the source and nature of the malicious traffic.

LeonardSnart - Option: B

Bandwidth Monitors. "Chapter 8, “Using Risk Management Tools,” discusses several tools used to capture network traffic, and these can be used as bandwidth monitors in forensic investigations. It’s common for administrators to keep these packet captures. By comparing captures taken at different times, investigators can determine changes in network traffic. If an organization recently suffered a data breach, investigators may be able to identify when there was an increase in outgoing traffic. This may help them determine when the network was first attacked, and maybe even the first computer that was infected with malware." - Security+ Get Certified Get Ahead SY0-601 by Darril Gibson

LeonardSnart

In more detail for those interested... A bandwidth monitor tracks bandwidth use over all areas of the network, including devices, applications, servers, WAN, and Internet links, and that information will assist you in keeping an eye on inbound and outbound bandwidth within your network and help you identify which hosts are using the most bandwidth. One benefit of deploying bandwidth monitors is that they map out historical trends for capacity planning. With bandwidth monitors, you can quickly identify abnormal bandwidth usage, top talkers, and unique communications, all useful in finding infected systems that may be exfiltrating data or scanning the network looking to spread to other hosts....

LeonardSnart

...Bandwidth monitors provide critical information before, during, and after investigations. Incident responders can use this baseline information to determine when the attacked host started to overcommunicate outbound or to spread internally. The historical information is key to determining “normal” for the attacked network and host, what is normal communication for that specific host, and what is normal for the network in general. There are several developers of bandwidth monitors, and some devices have built-in bandwidth logging and monitoring. - Pearson IT Security+ SY0-601 Cert Guide by Santos, Taylor & Mlodzianowski
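
The baseline-versus-spike approach the quoted guides describe, as an added example that is not part of the exam, the books or any poster's comment: it takes per-host byte counts of the kind a bandwidth monitor exports (the rows, hosts and byte values below are constructed), builds a time-of-day baseline from known-clean days, flags the hours that exceed it, and names the top talkers for each flagged hour.

```python
from collections import defaultdict
from statistics import mean, pstdev

HOSTS = ["10.0.0.5", "10.0.0.7", "10.0.0.9"]  # constructed addresses


def constructed_samples():
    """Constructed monitor export, rows of (day, hour, src_host, bytes): a
    business-hours pattern with slight daily drift, plus a flood from 10.0.0.9
    at 14:00 on day 3."""
    rows = []
    for day in (1, 2, 3):
        for hour in range(24):
            for i, host in enumerate(HOSTS):
                base = 5_000_000 if 8 <= hour < 18 else 800_000
                rows.append((day, hour, host, base + i * 100_000 + hour * 10_000 + day * 50_000))
            if day == 3 and hour == 14:
                rows.append((day, hour, "10.0.0.9", 60_000_000))  # the flood
    return rows


def find_spikes(rows, baseline_days, threshold=3.0, top_n=2):
    """Baseline each hour-of-day from the known-clean baseline_days, then flag
    hours on other days whose total exceeds mean + threshold*stdev (and at
    least 1.5x the mean, so a flat baseline does not flag small drift)."""
    per_hour = defaultdict(int)
    per_host = defaultdict(lambda: defaultdict(int))
    for day, hour, host, nbytes in rows:
        per_hour[(day, hour)] += nbytes
        per_host[(day, hour)][host] += nbytes
    history = defaultdict(list)  # hour-of-day -> totals seen on baseline days
    for (day, hour), total in per_hour.items():
        if day in baseline_days:
            history[hour].append(total)
    findings = []
    for (day, hour), total in sorted(per_hour.items()):
        if day in baseline_days or hour not in history:
            continue
        mu, sigma = mean(history[hour]), pstdev(history[hour])
        if total > max(mu + threshold * sigma, 1.5 * mu):
            talkers = sorted(per_host[(day, hour)].items(),
                             key=lambda kv: kv[1], reverse=True)[:top_n]
            findings.append({"day": day, "hour": hour, "total": total,
                             "baseline": round(mu), "top_talkers": talkers})
    return findings


if __name__ == "__main__":
    for f in find_spikes(constructed_samples(), baseline_days={1, 2}):
        print(f"day {f['day']} {f['hour']:02d}:00 total={f['total']:,} top={f['top_talkers']}")
```

Only the 14:00 hour on day 3 is reported, with 10.0.0.9 as the top talker; the same per-hour history is what lets an analyst tell a recurring daily spike from a one-off burst.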

swiggharo - Option: B

It's got to be B

Dapsie - Option: D

The packets are already identified as malicious. The spike is in traffic and the pattern is already noticed. That is information that a bandwidth monitor will provide. The investigation here is to determine the possible sources and causes of the spike, and that will be provided by correlation logs. I choose option D.

TONADO - Option: D

I go with D: correlation dashboards are tools that allow security analysts to monitor and analyze multiple sources of data and events in real time. They can help identify patterns, trends, anomalies and threats by correlating different types of data and events such as network traffic, logs, alerts, and incidents. They can also help investigate network flooding by showing source, destination, volume and type of malicious packets and their impact on the network performance and availability. Reference: https://www.comptia.org/blog/what-is-a-correlation dashboard.

Atlstorageguy - Option: D

The best way for analysts to investigate this issue is through D. Correlation dashboards. Correlation dashboards allow analysts to visualize and correlate different data points in real-time, making it easier to identify patterns and anomalies such as the flooding of malicious packets at specific times. These dashboards can integrate data from various sources, including network traffic, system logs, and security alerts, providing a comprehensive view of the network’s security posture. While options A, B, and C can provide useful information, they may not offer the holistic view or real-time analysis capabilities that a correlation dashboard can. Therefore, a correlation dashboard would be the most effective tool for investigating this issue.

tonnage800 - Option: D

Correlation dashboards are part of comprehensive security systems that can integrate various data sources, including bandwidth monitors, to provide a detailed analysis of security events. These dashboards not only help in identifying the spikes in traffic but also assist in pinpointing the nature of the traffic, the potential sources, and any patterns associated with the malicious packets. This makes them highly valuable for investigating complex network issues like the one described.

tinylifter - Option: D

Bandwidth monitors are just providing information that they already have, guys.

david124 - Option: D

I think D is the perfect option for investigating

if10w - Option: B

The security analysts should use "Bandwidth Monitors" to investigate the issue of the network becoming flooded with malicious packets at specific times of the day. Bandwidth monitors can help identify the source and volume of traffic on the network, which can be used to determine if the malicious packets are causing the network congestion. This information can then be used to identify the source of the malicious packets and take appropriate action to mitigate the attack.