Analyzing Security Monitoring Data – Practice Questions

Blue Team

Question 1

A system analyst decides to run a packet capture after reading about a security breach in an industry newsletter. The analyst uses tcpdump on a Linux workstation and needs the captured output written to a file. Evaluate the available tcpdump command switches and determine which accomplishes the desired goal.

  1. -w
  2. -r
  3. -n
  4. -e


tcpdump is a command-line packet capture utility for Linux and other Unix-like systems. Its -w option writes the raw captured packets to a file instead of printing decoded output to the terminal. A .pcap extension normally identifies such packet capture files, and the same file can later be opened in Wireshark or read back with tcpdump.

The -r option reads packets from a previously saved capture file rather than from a live interface, which allows the same display filters and switches to be applied offline.

The -n option shows network addresses in numeric form and does not resolve host names. Besides being faster, this avoids sending reverse DNS queries for every captured address, which matters when the capture is part of an investigation.

The -e option prints the link-level (Ethernet) header on each output line, including the source and destination MAC addresses and the EtherType.
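To make the write and read options concrete, the following added example (not part of the question bank) builds a single constructed Ethernet/IPv4/TCP frame, writes it in the classic pcap layout that `tcpdump -w` produces, reads it back the way `tcpdump -r` would, and decodes the fields that `-e` and `-n` print. The frame, addresses and MAC values are sample data chosen for the example; no interface access or root privileges are required.

```python
"""Minimal writer and reader for the classic pcap savefile format.
Added example: one constructed Ethernet/IPv4/TCP SYN frame (sample data, not
a real capture) is written with the 24-byte global header libpcap uses, read
back, and decoded into the link-layer (-e) and numeric address (-n) fields."""
import os
import socket
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4      # microsecond timestamps, writer's native byte order
LINKTYPE_ETHERNET = 1        # DLT_EN10MB: what tcpdump records on an Ethernet interface


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport):
    """Construct an Ethernet II / IPv4 / TCP SYN frame with no payload (checksums left zero)."""
    eth = (bytes.fromhex(dst_mac.replace(":", ""))          # destination MAC comes first on the wire
           + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", 0x0800))                      # EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def write_pcap(path, frames, first_ts=1_700_000_000):
    """Write frames as tcpdump -w does: global header, then a 16-byte record header per frame."""
    with open(path, "wb") as fh:
        # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
        fh.write(struct.pack("=IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for i, frame in enumerate(frames):
            # ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes seen on the wire)
            fh.write(struct.pack("=IIII", first_ts + i, 0, len(frame), len(frame)))
            fh.write(frame)


def read_pcap(path):
    """Read a pcap file back, as tcpdump -r does; returns (linktype, [(ts_sec, ts_usec, frame)])."""
    with open(path, "rb") as fh:
        magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack("=IHHiIII", fh.read(24))
        if magic != PCAP_MAGIC:
            raise ValueError("not a native-order microsecond pcap file (pcapng is a different format)")
        records = []
        while True:
            rec = fh.read(16)
            if len(rec) < 16:
                break
            ts_sec, ts_usec, incl_len, _orig_len = struct.unpack("=IIII", rec)
            records.append((ts_sec, ts_usec, fh.read(incl_len)))
    return linktype, records


def decode(frame):
    """Extract what -e shows (MACs, EtherType) and what -n shows (numeric IPs and ports)."""
    dst_mac = ":".join(f"{b:02x}" for b in frame[0:6])
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    ethertype = struct.unpack("!H", frame[12:14])[0]
    ihl = (frame[14] & 0x0F) * 4                 # IPv4 header length in bytes
    proto = frame[23]                            # IPv4 protocol field (6 = TCP)
    src_ip = socket.inet_ntoa(frame[26:30])
    dst_ip = socket.inet_ntoa(frame[30:34])
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return {"src_mac": src_mac, "dst_mac": dst_mac, "ethertype": ethertype, "proto": proto,
            "src": f"{src_ip}.{sport}", "dst": f"{dst_ip}.{dport}"}


def roundtrip():
    """Write one constructed frame to a temporary .pcap, read it back and decode it."""
    frame = build_frame("02:00:00:00:00:01", "02:00:00:00:00:02",
                        "192.0.2.10", "198.51.100.25", 40000, 22)
    path = os.path.join(tempfile.mkdtemp(), "capture.pcap")
    write_pcap(path, [frame])
    linktype, records = read_pcap(path)
    decoded = decode(records[0][2])
    decoded["linktype"] = linktype
    decoded["length"] = len(records[0][2])
    return decoded


if __name__ == "__main__":
    d = roundtrip()
    print(f"{d['src_mac']} > {d['dst_mac']}, ethertype 0x{d['ethertype']:04x}, "
          f"length {d['length']}: {d['src']} > {d['dst']}")
```

The output line mirrors the shape of a `tcpdump -e -n` line. Real captures also carry checksums and payloads; the reader above deliberately stores the snapshot length separately from the original length, which is how tcpdump's `-s` snaplen truncation shows up in a file.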

Question 2

A security engineer analyzes network flow data that has been collected into a database. The engineer uses the IP Flow Information Export (IPFIX) IETF standard as the collection format and notices a pattern in the traffic for specific IP addresses at night. Evaluate the terminology and conclude what the engineer records.

  1. Flow label
  2. Flow record
  3. Keys
  4. Netflow


NetFlow is a Cisco-developed means of reporting network flow information to a structured database (a flow collector). IPFIX, the IETF standard derived from NetFlow version 9, is its open successor. The traffic matching one flow label, together with its counters (packets, bytes, start and end time), is a flow record; that is what the engineer is recording and querying.

With NetFlow, a chosen selection of key fields is a flow label.

With NetFlow, packets sharing the same values for the key fields (typically source and destination address, protocol, source and destination port, and ingress interface) define a particular traffic flow.

NetFlow is a network flow reporting method that provides useful information about packets traversing enabled devices, such as the interface used, the protocol and IP version, and the source and destination IP addresses. It records metadata only, not packet payloads, which is why it scales to whole networks where full packet capture does not.
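The relationship between keys, flow label and flow record is easiest to see in code. The following added example (not part of the question bank, and not an IPFIX parser) aggregates constructed packet metadata into flow records keyed by the classic 5-tuple and then picks out the kind of night-time pattern the question describes. The packets, addresses and timestamps are sample data; the business-hours window is an assumption of the example.

```python
"""Added example: from packets to NetFlow/IPFIX-style flow records.
The key fields form the flow label; every packet sharing one label is
accumulated into one flow record with packet/byte counters and start/end
times. Packets below are constructed sample data, not exported flows."""
from collections import OrderedDict
from datetime import datetime, timezone

# Key fields that define a flow. Changing this tuple changes what "one flow" means.
KEY_FIELDS = ("src", "dst", "proto", "sport", "dport")

# Constructed packet metadata: (epoch seconds UTC, src, dst, proto, sport, dport, bytes).
SAMPLE_PACKETS = [
    (1700050000, "10.0.0.5", "203.0.113.7", 6, 51000, 443, 517),      # 12:06 UTC, HTTPS
    (1700050001, "10.0.0.5", "203.0.113.7", 6, 51000, 443, 1380),
    (1700050002, "10.0.0.5", "203.0.113.7", 6, 51000, 443, 1380),
    (1700053600, "10.0.0.9", "198.51.100.2", 17, 53412, 53, 74),     # 13:06 UTC, DNS
    # Same internal host to the same external host at 02:00 UTC on consecutive nights.
    (1700100000, "10.0.0.23", "192.0.2.200", 6, 47001, 4444, 2048),
    (1700100005, "10.0.0.23", "192.0.2.200", 6, 47001, 4444, 4096),
    (1700186400, "10.0.0.23", "192.0.2.200", 6, 47002, 4444, 2048),
]


def flow_label(pkt):
    """The selection of key fields from a packet; identical labels mean the same flow."""
    return dict(zip(KEY_FIELDS, pkt[1:6]))


def aggregate(packets):
    """Accumulate packets into flow records, one per distinct label, in first-seen order."""
    flows = OrderedDict()
    for pkt in packets:
        label = tuple(flow_label(pkt).values())
        ts, nbytes = pkt[0], pkt[6]
        rec = flows.get(label)
        if rec is None:
            rec = flows[label] = {**flow_label(pkt), "packets": 0, "bytes": 0, "start": ts, "end": ts}
        rec["packets"] += 1
        rec["bytes"] += nbytes
        rec["start"] = min(rec["start"], ts)
        rec["end"] = max(rec["end"], ts)
    return list(flows.values())


def off_hours(records, start_hour=22, end_hour=6):
    """Flow records whose first packet fell outside the assumed business window (UTC), by source host."""
    hits = {}
    for rec in records:
        hour = datetime.fromtimestamp(rec["start"], tz=timezone.utc).hour
        if hour >= start_hour or hour < end_hour:
            hits.setdefault(rec["src"], []).append(rec)
    return hits


if __name__ == "__main__":
    records = aggregate(SAMPLE_PACKETS)
    for rec in records:
        print(f"{rec['src']}:{rec['sport']} -> {rec['dst']}:{rec['dport']} proto {rec['proto']} "
              f"packets={rec['packets']} bytes={rec['bytes']}")
    for src, recs in off_hours(records).items():
        print(f"night-time flows from {src}: {len(recs)} records, {sum(r['bytes'] for r in recs)} bytes")
```

Note that the two night-time connections land in separate records because the source port differs; whether that is one "conversation" or two depends on which key fields you choose, which is exactly the trade-off the flow label expresses.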

Question 3

A systems administrator is configuring security in an Active Directory domain. Which Microsoft Windows feature does the admin plan to utilize when deploying a group policy to a variety of Windows versions in order to whitelist a file system location?

  1. Active Directory Users and Computers
  2. AppLocker
  3. Windows Defender Application Control (WDAC)
  4. Software Restriction Policies (SRP)


Software Restriction Policies (SRP), available on most versions and editions of Windows, are configured through group policy objects (GPOs) and can whitelist the file system locations from which executables and scripts are allowed to launch.

Active Directory Users and Computers is a tool used to configure user and computer accounts in a domain infrastructure.

AppLocker improves on the configuration options and default behavior of SRP. Notably, the admin can apply AppLocker policies to user and group accounts rather than only computer accounts. AppLocker enforcement is not available on every Windows edition, however, which is why SRP is the fit for a mixed estate of Windows versions.

The admin can use Windows Defender Application Control (WDAC) to create Code Integrity (CI) policies, used on their own or in conjunction with AppLocker.

Question 4

Modern malware with APT-like capabilities completes a typical attack in several stages. Evaluate the possibilities and determine in which stage an attacker modifies target data.

  1. Strengthen access
  2. Concealment
  3. Action on objectives
  4. Maintain access


Once attackers have enough permissions to assets of interest, they will use tools to covertly copy or modify the data or target system, depending on their motive. This is known as action on objectives.

To strengthen access, attackers use malware to identify and infect other systems, possibly of higher value (such as moving from a workstation to a server).

When concealing their presence, attackers may keep their access but put any malicious tools into a dormant mode to avoid detection.

To maintain access, the malware will install some type of remote access trojan (RAT) to give the adversary a command and control mechanism over the victim machine.

Question 5

A network administrator routinely reviews firewall logs for pertinent information. From the logs, the firewall provides a great deal of insight into potential threats. Evaluate the given choices, and determine which area of security intelligence the firewall provides.

  1. Connections permitted or denied
  2. Forward proxy mode
  3. Routing rules
  4. Address object assignments


Firewall logs provide a wide range of useful security intelligence, most directly which connections were permitted or denied. Patterns in that data, such as one source being denied across many ports, or a port that policy should block being permitted from some sources, help identify gaps in access- and port-based security policies.

When a security appliance or host operates in forward proxy mode, it sits near the client network and forwards user traffic to the cloud service when the contents of that traffic comply with policy.

The system uses firewall routing rules to allow traffic between subnets and interfaces.

The system uses firewall address object assignments to map IP addresses to systems and hosts on the network.
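The following added example (not part of the question bank) shows the permitted/denied analysis run over firewall log lines. The lines are constructed in the key=value style that Linux netfilter writes when iptables or nftables LOG rules carry a prefix such as `[FW-ACCEPT]` or `[FW-DROP]`; they are sample data, not logs from any real device, and the prefix names and addresses are assumptions of the example.

```python
"""Added example: security intelligence from firewall log lines.
Summarises permitted/denied connections per source and flags two patterns a
reviewer looks for: a source denied on many distinct ports (scan-like), and a
destination port that is dropped from some sources but accepted from others
(a candidate policy gap). Log lines are constructed sample data."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Nov 15 02:01:11 fw1 kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.50 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21
Nov 15 02:01:12 fw1 kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.50 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22
Nov 15 02:01:12 fw1 kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.50 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23
Nov 15 02:01:13 fw1 kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.50 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=3389
Nov 15 02:01:13 fw1 kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.50 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=445
Nov 15 02:01:14 fw1 kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.50 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=8080
Nov 15 09:12:40 fw1 kernel: [FW-ACCEPT] IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51200 DPT=443
Nov 15 09:13:02 fw1 kernel: [FW-ACCEPT] IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51201 DPT=443
Nov 15 09:15:55 fw1 kernel: [FW-DROP] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51300 DPT=23
Nov 15 10:30:00 fw1 kernel: [FW-ACCEPT] IN=eth0 OUT=eth1 SRC=203.0.113.99 DST=192.0.2.10 PROTO=TCP SPT=60000 DPT=23
Nov 15 10:31:10 fw1 kernel: [FW-ACCEPT] IN=eth2 OUT=eth1 SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=52000 DPT=389
"""

LINE_RE = re.compile(r"\[FW-(?P<action>ACCEPT|DROP)\]\s+(?P<kv>.*)$")


def parse(text):
    """One dict per parseable line: the action plus the key=value fields (empty values kept)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue          # unrelated syslog lines are skipped, not treated as errors
        fields = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
        fields["action"] = m.group("action")
        fields["DPT"] = int(fields["DPT"]) if fields.get("DPT") else None
        events.append(fields)
    return events


def per_source_summary(events):
    """{source: {"ACCEPT": n, "DROP": n}}: the permitted/denied view the question refers to."""
    summary = defaultdict(lambda: {"ACCEPT": 0, "DROP": 0})
    for ev in events:
        summary[ev["SRC"]][ev["action"]] += 1
    return dict(summary)


def scan_suspects(events, min_ports=5):
    """Sources denied on at least min_ports distinct destination ports: a scan-like pattern."""
    ports = defaultdict(set)
    for ev in events:
        if ev["action"] == "DROP" and ev["DPT"] is not None:
            ports[ev["SRC"]].add(ev["DPT"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def inconsistent_ports(events):
    """(DST, DPT) pairs dropped from some sources but accepted from others.
    Each is a candidate policy gap: is the permitting rule still intended?"""
    seen = defaultdict(lambda: {"ACCEPT": set(), "DROP": set()})
    for ev in events:
        if ev["DPT"] is not None:
            seen[(ev["DST"], ev["DPT"])][ev["action"]].add(ev["SRC"])
    return {k: v for k, v in seen.items() if v["ACCEPT"] and v["DROP"]}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print(per_source_summary(evs))
    print("scan-like sources:", scan_suspects(evs))
    for (dst, port), who in inconsistent_ports(evs).items():
        print(f"{dst}:{port} accepted from {sorted(who['ACCEPT'])}, dropped from {sorted(who['DROP'])}")
```

On the sample data the third check surfaces telnet (port 23) to 192.0.2.10 being accepted from one external address while dropped for others, which is the sort of stale permit rule a log review exists to catch.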

Question 6

An engineer learns a new security threat mitigation technique. The technique maps an IP address to a non-existent host, and is useful in stopping denial of service attacks. Traffic heading to these IPs can be captured for analysis or discarded. Considering the available techniques, which might the engineer try to use? (Select all that apply.)

  1. Black hole
  2. Sinkhole
  3. Forward proxying
  4. Reverse proxying


In network architecture, a black hole drops traffic before it reaches its intended destination, and without alerting the source. A simple example is traffic sent to an IP address that an admin mapped to a non-existent host.

A sinkhole is similar to a black hole, and the two terms are often used interchangeably. With sinkholing, however, the admin usually retains the ability to capture, analyze and optionally forward the diverted traffic, which makes it useful for studying scanning or command-and-control activity rather than just discarding it.

With forward proxying, a proxy server forwards user traffic to the cloud service if the contents of that traffic comply with policy.

A reverse proxy provides for protocol-specific inbound traffic. An admin can configure a reverse proxy to listen for client requests from a public network.

Question 7

A systems engineer configures a company's Internet access through a proxy server. The client machines require configuration in order to use the proxy, and the engineer pushes that configuration with a server-based policy. Considering how a proxy may be implemented, evaluate and conclude which type the engineer uses.

  1. Reverse
  2. Transparent
  3. Forced
  4. Non-transparent


A non-transparent proxy requires configuring the client with the server address, in order to use it. In this way, the client uses the proxy, rather than directly accessing the Internet.

A reverse proxy provides for protocol-specific inbound traffic. Configuring a reverse proxy will allow the system to listen for client requests from a public network.

A transparent proxy (also called a "forced" or "intercepting" proxy) intercepts client traffic without any reconfiguration of the client.

A forced proxy is another name for a transparent proxy. It is so called because no configuration is required on the client workstation: the network itself, for example through a router or switch redirect, passes all traffic through the proxy based on network addressing.

Question 8

The latest firewall appliance with advanced threat protection (ATP) technology captures suspicious data and places it in an isolated environment for further analysis. This isolation process can be described as which of the following?

  1. Filtering
  2. Sandboxing
  3. Forwarding
  4. Blocking


Sandboxing is a technique that isolates untrusted data or code in a closed, usually virtual, environment where it can be executed and analyzed for malicious behavior without exposing production systems.

Filtering is a technique used in devices, such as firewalls and routers, to allow access to only certain types of content or websites.

Forwarding is a technique used in devices, such as firewalls or routers, to forward any incoming traffic to a specific host or port on a host.

Blocking is a technique used in devices, such as firewalls and routers, to deny traffic based on rules that may use particular ports, addresses, and services.

Question 9


An executive at an organization receives an email stating that financial data for the organization requires updating. Acting on suspicion, the executive asks IT to investigate. IT staff use which approach in their investigation?

  1. Investigate inbound firewall logs
  2. Review message server trace logs
  3. Analyze the message Internet header
  4. Check email address name resolution

An email message's Internet header contains address information for the recipient and sender, plus the Received trace fields that each server handling the message prepends as it passes through Simple Mail Transfer Protocol (SMTP) hops. Reading the chain from the bottom up reveals the originating host and whether the claimed sender domain actually handled the message.

Inbound firewall logs are useful when investigating the types of traffic and the applied rules on a firewall connection.

Message server trace logs are useful when investigating the valid delivery of an email message to a recipient.

Checking an email address for name resolution can be useful when you need to determine whether the sender's domain name exists.

Question 10

A security specialist configures an internal email system with enhanced spoofing protection. The approach specifies an alignment mechanism that verifies that the domain identified in the header from field, matches the domain in the envelope from field. Which solution does the specialist implement?

  1. Domain-based Message Authentication, Reporting, and Conformance
  2. Sender Policy Framework
  3. Domain Keys Identified Mail
  4. Digital Signatures


The Domain-based Message Authentication, Reporting, and Conformance (DMARC) framework ensures that the system effectively utilizes SPF and DKIM. It specifies an alignment mechanism verifying that the domain in the header From field matches the domain authenticated by SPF (the envelope From, also called MAIL FROM or Return-Path) or by DKIM (the d= tag of the signature). Alignment can be strict (exact domain match) or relaxed (same organizational domain).

Sender Policy Framework (SPF) uses a DNS record published by an organization hosting email services. The SPF record identifies the hosts that are authorized to send email from that domain.

Domain Keys Identified Mail (DKIM) provides a cryptographic authentication mechanism. This can replace or supplement SPF.

With an email system (for example S/MIME or PGP), a digital signature created with the sender's private key lets the recipient verify the sender's identity and the message's integrity using the corresponding public key.
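The following added example (not part of the question bank) ties Questions 9 and 10 together: it reads the Internet header of a constructed suspicious message, lists the Received hops newest first, and applies the DMARC identifier alignment check between the header From domain and both the envelope From (Return-Path) and the DKIM d= domain. The message, hosts and domains are sample data using reserved example names; "relaxed" alignment is approximated by comparing the last two DNS labels, whereas a production implementation uses the Public Suffix List to find the organizational domain.

```python
"""Added example: Internet header triage plus DMARC identifier alignment.
The sample message is constructed (reserved example domains), not a real
phishing email. Relaxed alignment is approximated with a two-label
organizational domain; that is an assumption of this example."""
import email
import email.utils
from email import policy

SAMPLE_MESSAGE = """\
Return-Path: <bounce@mail.example.net>
Received: from mx1.example.com (mx1.example.com [192.0.2.25])
    by inbox.example.com with ESMTPS id 4Hx7y1; Wed, 15 Nov 2023 09:12:40 +0000
Received: from relay.example.net (relay.example.net [198.51.100.9])
    by mx1.example.com with ESMTP id 7KqZ2p; Wed, 15 Nov 2023 09:12:38 +0000
Received: from [203.0.113.77] (unknown [203.0.113.77])
    by relay.example.net with ESMTPA id 9Ab3Cd; Wed, 15 Nov 2023 09:12:31 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=mail.example.net; s=sel1; h=from:subject;
    bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=; b=dGVzdA==
From: "Finance Team" <cfo@example.com>
To: exec@example.com
Subject: Financial data requires updating

Please review the attached spreadsheet and update the figures today.
"""


def received_chain(msg):
    """Each Received header as (from, by, date), newest hop first, the order servers prepend them."""
    hops = []
    for hdr in msg.get_all("Received", []):
        text = " ".join(str(hdr).split())                  # undo header folding
        if " by " not in text:
            continue
        from_part = text.split(" by ", 1)[0].replace("from ", "", 1)
        by_part = text.split(" by ", 1)[1].split(" with ", 1)[0]
        date = text.rsplit(";", 1)[1].strip()
        hops.append((from_part, by_part, date))
    return hops


def org_domain(domain):
    """Approximate organizational domain: last two labels (assumes no multi-label public suffix)."""
    return ".".join(domain.lower().split(".")[-2:])


def address_domain(value):
    """Domain part of an address header such as From or Return-Path."""
    addr = email.utils.parseaddr(value)[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def dkim_domain(msg):
    """The d= tag of the first DKIM-Signature header, if present."""
    for tag in str(msg.get("DKIM-Signature", "")).split(";"):
        key, _, val = tag.strip().partition("=")
        if key == "d":
            return val.strip().lower()
    return ""


def dmarc_alignment(msg, mode="relaxed"):
    """Alignment of header From with SPF (envelope From) and DKIM (d=) identifiers."""
    header_from = address_domain(str(msg["From"]))
    envelope_from = address_domain(str(msg.get("Return-Path", "")))
    dkim_d = dkim_domain(msg)
    norm = org_domain if mode == "relaxed" else (lambda d: d)
    return {
        "header_from": header_from,
        "envelope_from": envelope_from,
        "dkim_d": dkim_d,
        "spf_aligned": bool(envelope_from) and norm(header_from) == norm(envelope_from),
        "dkim_aligned": bool(dkim_d) and norm(header_from) == norm(dkim_d),
    }


def analyze(raw=SAMPLE_MESSAGE, mode="relaxed"):
    """Parse a raw message and return its hop chain plus the alignment verdicts."""
    msg = email.message_from_string(raw, policy=policy.default)
    return {"hops": received_chain(msg), "alignment": dmarc_alignment(msg, mode)}


if __name__ == "__main__":
    result = analyze()
    for sender, receiver, date in result["hops"]:
        print(f"{date}: {sender} -> {receiver}")
    print(result["alignment"])
```

In the sample, the From header claims example.com while both the envelope sender and the DKIM signing domain are example.net, so neither identifier aligns; a DMARC policy of quarantine or reject on example.com would have stopped the message before it reached the executive. The oldest Received hop also shows the message entering from a bare IP address with no reverse name, which is the first thing to check against the claimed sender's mail infrastructure.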

You are a security expert for a technology consulting firm. As part of your core set of duties, you perform vulnerability management activities for businesses that do not have an in-house IT presence.

A medium-sized manufacturing business has recently requested your services to investigate and remedy a possible infrastructure breach. An on-site contact mentions that a virtual private network (VPN) configuration exists for remote access to the internal firewall. Past employees likely have access to the VPN due to a recent, abrupt change in employment for many previous staff members. It may be that a disgruntled ex-employee has done something to cause the issues. Your investigation focuses on the manufacturing business’s internal firewall, its current configuration, and potential changes that must be made.


  • Users report that an internal Windows (SRV1) server is not accessible.
  • Users report that they cannot access the Internet.
  • Server SRV2 is not synchronizing Active Directory properly.
  • The firewall uses access-based rules.
  • Servers SRV1 and SRV2 are both AD Domain Controllers.

Firewall Access Rules:

From | To  | Source | Dest. | Service | Action | Suggested Rule Change | Rule Change Impact
WAN  | LAN | ANY    | SRV1  | ANY     | ALLOW  | REMOVE POLICY         | Remove external access to server

Firewall Port Rules:

From | To  | Source | Dest. | Port | Action | Suggested Rule Change | Rule Change Impact
DMZ  | LAN | ANY    | SRV1  | 23   | ALLOW  | ANY-ANY-23-DENY       | Disable external telnet


Currently, users cannot connect to server SRV1 or to the Internet, and SRV1 is not communicating properly with the other domain controller, so Active Directory replication with SRV2 fails.

Firewall Access Rules:

The DMZ-to-LAN access rule should change to ANY-ANY-ANY DENY to block all incoming traffic from the DMZ to the LAN.

Currently, a LAN rule denies server SRV1 access to any destination on the LAN, which is why users cannot reach it. That rule should be set to ANY-ANY-ANY ALLOW, since the exercise places no restrictions on traffic between internal systems on the LAN.

There is no need for an external-to-internal rule: the current WAN-to-LAN rule allows any external source to reach the internal SRV1, a domain controller, and with former employees likely still holding VPN access that is precisely the exposure the scenario describes. IT Security should therefore remove this policy.

The LAN-to-WAN DENY rule is blocking Internet access. Changing the rule to ALLOW will restore Internet access.

Firewall Port Rules:

A port-based rule allows telnet (TCP port 23) from the DMZ to server SRV1. As there is no need for access from the DMZ into the LAN, and telnet carries credentials in cleartext in any case, the strictest choice is set: DENY for ANY source and ANY destination on port 23.

LDAP, on which Active Directory depends, uses port 389, and that port is currently blocked, which explains why SRV2 cannot synchronize; the solution is to set this rule to ALLOW. Replication between domain controllers also relies on Kerberos, RPC and other ports, so confirm those are not blocked by a similar rule.

Secure Shell (SSH) uses port 22, and the current rule allows SSH connections from the outside to the server. Setting the rule to DENY will prevent that access.
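To check what the two rules that survive in the tables above actually permit before and after the suggested changes, the following added example (not part of the exercise) models them in a small first-match evaluator. Only those two rules are represented, because the rest of the firewall policy is not shown on the page; an implicit default DENY at the end of the list, the zone networks, and SRV1's address (192.0.2.10) are assumptions of the example, and both tables are folded into one ordered list with access rules first.

```python
"""Added example: first-match evaluation of the two firewall rules shown in the
tables, before and after the suggested changes. Zone networks, the address of
SRV1 and the default DENY are assumptions; the page names hosts, not addresses."""
import ipaddress
from dataclasses import dataclass, replace

# Hypothetical address object and zone definitions (RFC 5737 / private ranges).
ADDRESS_OBJECTS = {"SRV1": "192.0.2.10"}
ZONES = {"WAN": ["0.0.0.0/0"], "DMZ": ["10.10.0.0/24"], "LAN": ["192.0.2.0/24"]}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    src: str      # "ANY" or an address object name
    dst: str
    port: str     # "ANY" or a port number as text (the Service / Port column)
    action: str   # "ALLOW" or "DENY"


# The rules exactly as they appear in the tables.
ACCESS_RULES = [Rule("WAN", "LAN", "ANY", "SRV1", "ANY", "ALLOW")]
PORT_RULES = [Rule("DMZ", "LAN", "ANY", "SRV1", "23", "ALLOW")]


def zone_of(ip):
    """Most specific zone whose network contains ip (WAN is the catch-all)."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for zone, nets in ZONES.items():
        for net in map(ipaddress.ip_network, nets):
            if addr in net and net.prefixlen > best_len:
                best, best_len = zone, net.prefixlen
    return best


def matches(rule, src_ip, dst_ip, port):
    """True when the rule's zones, address objects and port all cover this flow."""
    if rule.src_zone != zone_of(src_ip) or rule.dst_zone != zone_of(dst_ip):
        return False
    if rule.src != "ANY" and ADDRESS_OBJECTS.get(rule.src) != src_ip:
        return False
    if rule.dst != "ANY" and ADDRESS_OBJECTS.get(rule.dst) != dst_ip:
        return False
    return rule.port in ("ANY", str(port))


def evaluate(rules, src_ip, dst_ip, port):
    """First matching rule decides; a flow matching nothing falls through to the assumed default DENY."""
    for rule in rules:
        if matches(rule, src_ip, dst_ip, port):
            return rule.action
    return "DENY"


def apply_suggested_changes():
    """Remove the WAN->SRV1 policy; turn the DMZ telnet rule into ANY-ANY-23 DENY."""
    access = [r for r in ACCESS_RULES if r != Rule("WAN", "LAN", "ANY", "SRV1", "ANY", "ALLOW")]
    ports = [replace(r, src="ANY", dst="ANY", action="DENY") if r.port == "23" else r
             for r in PORT_RULES]
    return access, ports


def before_and_after(src_ip, dst_ip, port):
    """(decision under the current rules, decision after the suggested changes) for one flow."""
    new_access, new_ports = apply_suggested_changes()
    return (evaluate(ACCESS_RULES + PORT_RULES, src_ip, dst_ip, port),
            evaluate(new_access + new_ports, src_ip, dst_ip, port))


if __name__ == "__main__":
    for src, port, label in [("203.0.113.5", 3389, "Internet host -> SRV1 RDP"),
                             ("10.10.0.8", 23, "DMZ host -> SRV1 telnet"),
                             ("10.10.0.8", 443, "DMZ host -> SRV1 HTTPS")]:
        before, after = before_and_after(src, ADDRESS_OBJECTS["SRV1"], port)
        print(f"{label}: before={before} after={after}")
```

Run as a script it shows the two flows the exercise cares about flipping from ALLOW to DENY, while a flow no rule ever covered stays denied by the default. Keeping that default explicit in the evaluator is the point: removing a permit rule only closes the exposure if nothing later in the list permits the same traffic, which is why the rest of the policy must be reviewed as well.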
