nerdexam
GIAC

GCIH · Question #488

Your organization has suffered several leaks of internally distributed documents. They have asked you to track down the culprit. You are embedding a four-letter string of characters in documents conta

The correct answer is B. Add a signature to your network-based IDS containing the four-letter string. The four-letter code embedded in the documents will serve to both identity when the document leaves your network, and identify who leaked it. You can catch the culprit by setting your IDS to search for those strings. Notifying the users would alert the culprit to your attempt, an

Incident Response & Cyber Kill Chain

Question

Your organization has suffered several leaks of internally distributed documents. They have asked you to track down the culprit. You are embedding a four-letter string of characters in documents containing proprietary information. Which step should you take before sending the document?

Options

  • AStore one of the documents on a honeypot with an easy-to-guess password
  • BAdd a signature to your network-based IDS containing the four-letter string
  • CAsk the users to contact the security team if they see any suspicious activity
  • DStart a full anti-virus scan of all suspect computers

How the community answered

(47 responses)
  • A
    2% (1)
  • B
    81% (38)
  • C
    13% (6)
  • D
    4% (2)

Explanation

The four-letter code embedded in the documents will serve to both identity when the document leaves your network, and identify who leaked it. You can catch the culprit by setting your IDS to search for those strings. Notifying the users would alert the culprit to your attempt, and although starting an anti-virus scan or storing the document on a honeypot may help shed light on the problem, they would not necessarily identify the document as it leaves your network.

Topics

#document watermarking#IDS signature#data leakage detection#canary tokens

Community Discussion

No community discussion yet for this question.

Full GCIH Practice