Exam GCIH All Questions
Question 52

You are the leader of an incident handling team for a mid-size manufacturer in the United States. Several of your company's products are patented and several processes used in the manufacturing process are considered trade secrets. A member of your company's firewall team sent you a tcpdump of a firewall log that they thought looked suspicious. The packets in question had the same external source IP address, the same internal destination IP address, and the same source and destination ports were used in each packet. The only difference between the packets was that the TTLs had been incremented. How can you best determine if this is a sign of something malicious or not?

    Correct Answer: B

    To best determine if the suspicious activity is a sign of something malicious, it is necessary to gather more data from your firewall logs and other system logs inside your network. This comprehensive approach allows you to understand the broader context and nature of the activity, correlate events across different systems, and potentially identify patterns or anomalies indicative of an attack. Single-point solutions like setting up a host intrusion detection system or checking an IP reputation list do not provide the depth of insight required to make an informed determination.
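As an added example, not part of the exam page or its published answer, the following Python script shows what "gather more data and correlate it" looks like in practice for this exact pattern. It reads tcpdump -v style lines, groups packets by (source IP, source port, destination IP, destination port), flags any flow whose TTL steps up by exactly one from packet to packet (the traceroute/firewalking signature described in the question), and then checks the flagged flow against host-side connection records to see whether the probe source ever completed a connection to the target. The log lines, the host connection list and its (src_ip, dst_port, state) format are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample lines in "tcpdump -v" style (not from the original page).
# Flow 1: four SYNs from 203.0.113.5:40000 to 10.0.0.7:80 with TTL 1, 2, 3, 4.
# Flow 2: an ordinary TLS handshake from 198.51.100.9 with a constant TTL of 64.
SAMPLE_LOG = """\
12:00:01.000101 IP (tos 0x0, ttl 1, id 1001, offset 0, flags [none], proto TCP (6), length 40) 203.0.113.5.40000 > 10.0.0.7.80: Flags [S], seq 1, win 512, length 0
12:00:01.500220 IP (tos 0x0, ttl 2, id 1002, offset 0, flags [none], proto TCP (6), length 40) 203.0.113.5.40000 > 10.0.0.7.80: Flags [S], seq 1, win 512, length 0
12:00:02.000318 IP (tos 0x0, ttl 3, id 1003, offset 0, flags [none], proto TCP (6), length 40) 203.0.113.5.40000 > 10.0.0.7.80: Flags [S], seq 1, win 512, length 0
12:00:02.500401 IP (tos 0x0, ttl 4, id 1004, offset 0, flags [none], proto TCP (6), length 40) 203.0.113.5.40000 > 10.0.0.7.80: Flags [S], seq 1, win 512, length 0
12:00:03.112233 IP (tos 0x0, ttl 64, id 2001, offset 0, flags [DF], proto TCP (6), length 60) 198.51.100.9.51234 > 10.0.0.7.443: Flags [S], seq 7, win 64240, length 0
12:00:03.113000 IP (tos 0x0, ttl 64, id 2002, offset 0, flags [DF], proto TCP (6), length 52) 198.51.100.9.51234 > 10.0.0.7.443: Flags [.], ack 1, win 502, length 0
12:00:03.113500 IP (tos 0x0, ttl 64, id 2003, offset 0, flags [DF], proto TCP (6), length 300) 198.51.100.9.51234 > 10.0.0.7.443: Flags [P.], seq 1:249, ack 1, win 502, length 248
"""

# Pulls the TTL and the 4-tuple out of a "tcpdump -v" line. The lazy ".*?\)\s+"
# skips to the closing parenthesis of the IP header summary before the addresses.
LINE_RE = re.compile(
    r"ttl (?P<ttl>\d+),.*?\)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def parse(lines):
    """Yield ((src, sport, dst, dport), ttl) for every line the regex understands."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield (m["src"], m["sport"], m["dst"], m["dport"]), int(m["ttl"])


def find_ttl_walks(lines, min_packets=3):
    """Return flows whose TTL increases by exactly one on every successive packet.

    A normal client keeps a fixed initial TTL (64, 128, 255); a traceroute- or
    firewalking-style probe walks it upward one hop at a time.
    """
    ttls_by_flow = defaultdict(list)
    for flow, ttl in parse(lines):
        ttls_by_flow[flow].append(ttl)

    hits = []
    for flow, ttls in ttls_by_flow.items():
        if len(ttls) < min_packets:
            continue
        steps = [later - earlier for earlier, later in zip(ttls, ttls[1:])]
        if all(step == 1 for step in steps):
            hits.append({
                "flow": flow,
                "ttl_start": ttls[0],
                "ttl_end": ttls[-1],
                "packets": len(ttls),
            })
    return hits


# Constructed host-side records for 10.0.0.7 in an assumed (src_ip, dst_port, state)
# format, standing in for the "other system logs inside your network".
HOST_CONNECTIONS = [
    ("198.51.100.9", 443, "ESTABLISHED"),
]


def correlate(hits, host_connections):
    """Mark each flagged flow with whether the target host saw a completed connection from it."""
    correlated = []
    for hit in hits:
        src, _sport, _dst, dport = hit["flow"]
        reached_host = any(
            s == src and p == int(dport) and state == "ESTABLISHED"
            for s, p, state in host_connections
        )
        correlated.append({**hit, "reached_host": reached_host})
    return correlated


if __name__ == "__main__":
    for result in correlate(find_ttl_walks(SAMPLE_LOG.splitlines()), HOST_CONNECTIONS):
        print(result)
```

Running the block flags only the 203.0.113.5 flow (TTL 1 through 4 over four packets) and reports that the host never saw an established connection from it, which is what you would expect from a probe mapping the hop count to the firewall rather than a client actually using the service. Against real data the same logic runs over the exported firewall log and the target host's own connection or netflow records; a flow with a TTL walk plus a completed connection deserves more attention than the probe alone.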

Discussion
strale: Option B

In my opinion, the described scenario looks like a firewalking attack (since only the TTL is changing and incrementing).

1. Option A - a HIDS will give us information only on the affected host (which is a valid point), but it won't necessarily help in understanding the broader context of the suspicious activity observed in the firewall logs.
2. Option C - the Internet Storm Center's Top 10 Source IPs Report will provide us information on whether the external IP address has a bad reputation (which is a valid point), but will not provide us the sign of something malicious in the organisation's network.
3. Option D - with a protocol analyzer and the stated filters, we would be able to see only the protocols in use, which is a valid point, but not related to the attack in question. It won't provide insights into the nature or intent of the observed activity.

Option B gives the most comprehensive overview, because a network team could get logs from all network devices and determine the nature of the current activity.