GCIH Question #407: Real Exam Question with Answer & Explanation
The correct answer is D: Install only older versions of software, remove the 'Block All' setting on the firewall, and falsify the
Question
If virtual machines are relatively easy for an attacker to detect, the next best thing might be to put so much honey in your honeypot that attackers won't be able to resist. Which actions would result in the most meaningful traffic on your honeypot?
Options
- A. Install the latest OS and patches, use interesting usernames and easy-to-guess passwords, don't
- B. Set file and folder permissions so everyone has full access, allow full directory browsing on the
- C. Give the server a tempting name, create directories and files with appealing names, and create
- D. Install only older versions of software, remove the 'Block All' setting on the firewall, and falsify the
Explanation
A honeypot generates the most meaningful attacker traffic when it appears genuinely vulnerable, using outdated software and permissive firewall rules to attract real exploitation attempts.
Common mistakes.
- A. Using the latest OS and patches eliminates the exploitable vulnerabilities that attract sophisticated attackers, making the honeypot appear too hardened to be a worthwhile target.
- B. Open file permissions may generate some post-compromise activity but do not address the network-level attractiveness required to draw initial attacker connections to the system.
- C. Appealing directory and file names can entice an attacker who is already inside, but do not create the vulnerable network-facing surface needed to attract attackers in the first place.
Concept tested. Honeypot configuration to maximize attacker engagement.
Reference. https://www.sans.org/white-papers/1397/