312-50V11 · Question #281
A company has hired a security administrator to maintain and administer Linux and Windows- based systems. Written in the nightly report file is the following: - Firewall log files are at the expected
The correct answer is D. Log the event as suspicious activity, continue to investigate, and act according to the site's. Firewall log files shrinking repeatedly after midnight is a strong indicator of log tampering or deletion, which warrants investigation before escalation.
Question
A company has hired a security administrator to maintain and administer Linux and Windows- based systems. Written in the nightly report file is the following:
- Firewall log files are at the expected value of 4 MB.
- The current time is 12am. Exactly two hours later the size has
decreased considerably.
- Another hour goes by and the log files have shrunk in size again.
Which of the following actions should the security administrator take?
Options
- ALog the event as suspicious activity and report this behavior to the incident response team
- BLog the event as suspicious activity, call a manager, and report this as soon as possible.
- CRun an anti-virus scan because it is likely the system is infected by malware.
- DLog the event as suspicious activity, continue to investigate, and act according to the site's
How the community answered
(35 responses)- A3% (1)
- B9% (3)
- C3% (1)
- D86% (30)
Why each option
Firewall log files shrinking repeatedly after midnight is a strong indicator of log tampering or deletion, which warrants investigation before escalation.
Reporting immediately to the incident response team without further investigation may bypass the site's established policy and skip necessary evidence-gathering steps.
Calling a manager immediately is premature - the site's incident response policy should dictate escalation paths, and acting outside that process can compromise the investigation.
Running an antivirus scan is not the appropriate first response to log file size anomalies, which more specifically suggest log tampering or deletion rather than malware infection.
Log files should only grow unless they are being cleared or rotated, and unexpected shrinkage at irregular intervals suggests an attacker may be covering their tracks by deleting log entries. The correct procedure is to document the anomaly, continue gathering evidence, and follow the site's incident response policy rather than escalating prematurely or taking unilateral action. Acting according to established site policy ensures proper chain of custody and appropriate escalation steps.
Concept tested: Incident response procedures for log file anomalies
Source: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Topics
Community Discussion
No community discussion yet for this question.