nerdexam

GCIH Question #405: Real Exam Question with Answer & Explanation

Incident Response & Cyber Kill Chain

Question

An incident handler investigating abnormal system behavior has captured traffic from two client workstations. Both clients sent dozens of SYN packets to an external host WW3.ACME.NET on port 80. In response, WW3.ACME.NET returned RST packets. When the incident handler browses to WW3.ACME.NET on port 80 from a workstation reserved for incident investigations, the traffic patterns do not match what is seen on the other two clients. Based on this information, what should the incident handler look for next?

Options

  • A. Whether an IPS is identifying the outbound client traffic as malicious and blocking it.
  • B. Whether the external server is controlling infected hosts to map the internal network.
  • C. Whether the clients are infected and using crafted packets to transmit information.
  • D. Whether a firewall between the clients and external host is dropping packets.
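The comparison the question describes, the two suspect clients' captures set against a capture taken from the handler's own investigation workstation, as an added Python example that is not part of the nerdexam page or the GIAC exam. The packet records are constructed for illustration (the client addresses 10.0.0.11, 10.0.0.12 and 10.0.0.50, the port numbers, and the record layout are this example's assumptions, not data from the page). It summarises each client's handshake behaviour toward WW3.ACME.NET:80 and lists the fields in which a suspect client differs from the baseline, which is the evidence a handler weighs before choosing which of the four hypotheses to pursue.

```python
"""Compare suspect clients' TCP handshake behaviour against a baseline capture.

Added example, not from the nerdexam page. All packet records are constructed
to resemble the scenario in the question; they are not real captured traffic.
"""
from collections import defaultdict

SERVER = "WW3.ACME.NET"
HTTP_PORT = 80
NORMAL_OPTS = ("mss", "sackOK", "wscale")   # option set a normal OS stack sends in a SYN


def pkt(src, dst, sport, dport, flags, seq, win=65535, payload_len=0, options=NORMAL_OPTS):
    """Build one packet record (tcpdump-style flag letters: S, S., ., P., R.)."""
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "flags": flags,
            "seq": seq, "win": win, "payload_len": payload_len, "options": tuple(options)}


# Constructed capture from the two suspect clients: repeated SYNs, each answered by a RST.
# The SYNs are given attributes a handler would flag (no options, tiny window, payload).
SUSPECT_CAPTURE = []
for client, base_port in (("10.0.0.11", 41000), ("10.0.0.12", 52000)):
    for i in range(6):
        SUSPECT_CAPTURE.append(pkt(client, SERVER, base_port + i, HTTP_PORT, "S",
                                   seq=0x1000_0000 * (i + 1) + 0x41, win=512,
                                   payload_len=4, options=()))
        SUSPECT_CAPTURE.append(pkt(SERVER, client, HTTP_PORT, base_port + i, "R.", seq=0))

# Constructed capture from the investigation workstation browsing the same host:
# one ordinary three-way handshake followed by an HTTP request.
BASELINE_CAPTURE = [
    pkt("10.0.0.50", SERVER, 60123, HTTP_PORT, "S", seq=0x2A3B4C5D),
    pkt(SERVER, "10.0.0.50", HTTP_PORT, 60123, "S.", seq=0x7F00AA11),
    pkt("10.0.0.50", SERVER, 60123, HTTP_PORT, ".", seq=0x2A3B4C5E),
    pkt("10.0.0.50", SERVER, 60123, HTTP_PORT, "P.", seq=0x2A3B4C5E, payload_len=310),
]


def summarize(capture, server=SERVER, port=HTTP_PORT):
    """Per-client handshake statistics for traffic to and from server:port."""
    stats = defaultdict(lambda: {"syn_sent": 0, "synack_rcvd": 0, "rst_rcvd": 0,
                                 "syn_payload_bytes": 0, "syn_isns": set(),
                                 "syn_sports": set(), "syn_options": set(), "syn_windows": set()})
    for p in capture:
        if p["dst"] == server and p["dport"] == port and p["flags"] == "S":
            s = stats[p["src"]]
            s["syn_sent"] += 1
            s["syn_payload_bytes"] += p["payload_len"]
            s["syn_isns"].add(p["seq"])
            s["syn_sports"].add(p["sport"])
            s["syn_options"].add(p["options"])
            s["syn_windows"].add(p["win"])
        elif p["src"] == server and p["sport"] == port:
            s = stats[p["dst"]]
            if p["flags"] == "S.":
                s["synack_rcvd"] += 1
            elif "R" in p["flags"]:
                s["rst_rcvd"] += 1
    return dict(stats)


def compare(client, baseline):
    """Human-readable differences between one client's SYN behaviour and the baseline."""
    findings = []
    if client["syn_sent"] and client["synack_rcvd"] == 0:
        findings.append(f"{client['syn_sent']} SYNs, 0 SYN-ACKs, {client['rst_rcvd']} RSTs "
                        f"from the server: no handshake ever completes")
    if client["syn_payload_bytes"] and not baseline["syn_payload_bytes"]:
        findings.append(f"SYN segments carry {client['syn_payload_bytes']} bytes of payload; "
                        f"baseline SYNs carry none")
    if client["syn_options"] != baseline["syn_options"]:
        findings.append(f"TCP option set {sorted(client['syn_options'])} differs from "
                        f"baseline {sorted(baseline['syn_options'])}")
    if client["syn_windows"] != baseline["syn_windows"]:
        findings.append(f"SYN window sizes {sorted(client['syn_windows'])} differ from "
                        f"baseline {sorted(baseline['syn_windows'])}")
    if client["syn_sent"] > 1 and len(client["syn_isns"]) == client["syn_sent"]:
        findings.append(f"{client['syn_sent']} SYNs used {len(client['syn_sports'])} source ports "
                        f"and {len(client['syn_isns'])} distinct ISNs: separate connection "
                        f"attempts, not retransmissions of one attempt")
    return findings


def analyze(suspect_capture, baseline_capture):
    """Map each suspect client to the list of ways it deviates from the baseline client."""
    baseline = summarize(baseline_capture)
    if len(baseline) != 1:
        raise ValueError("baseline capture should contain exactly one client")
    (base_stats,) = baseline.values()
    return {client: compare(stats, base_stats)
            for client, stats in summarize(suspect_capture).items()}


if __name__ == "__main__":
    for client, findings in analyze(SUSPECT_CAPTURE, BASELINE_CAPTURE).items():
        print(client)
        for f in findings:
            print("  -", f)
```

On a real capture the same fields come out of `tcpdump -nn -S -v` or a Scapy `rdpcap()` loop; the point of the script is the side-by-side structure, since a baseline taken from a known-clean host is what turns "the pattern looks odd" into a list of specific differences to investigate.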

Topics

  • network traffic analysis
  • covert channel
  • C2 communication
  • packet crafting