
GCIH Question #348: Real Exam Question with Answer & Explanation


Incident Response & Cyber Kill Chain

Question

You are the leader of an incident handling team for a mid-size manufacturer in the United States. Several of your company's products are patented, and several of the processes used in manufacturing are considered trade secrets. A member of your company's firewall team sent you a tcpdump capture from a firewall log that they thought looked suspicious. The packets in question had the same external source IP address, the same internal destination IP address, and the same source and destination ports in each packet. The only difference between the packets was that the TTLs had been incremented. How can you best determine whether this is a sign of something malicious or not?

Options

  • A. Set up a host intrusion detection system on the host with the internal IP address
  • B. Gather more data from your firewall logs and from other system logs inside your network
  • C. Check the Internet Storm Center's Top 10 Source IPs Report to see if the external IP address is
  • D. Run a protocol analyzer on your computer with a filter that will only show the internal or external


Topics

TTL analysis, incident triage, HIDS, firewall log analysis