nerdexam
GIAC

GCIH · Question #586

During routine examination of bandwidth data for your company's DMZ, an anomaly was discovered with the activity to a public-facing, download only FTP server. To begin your investigation, traffic and

The correct answer is D. 06:45 to 7:30. Since the machine described to go with this bandwidth chart is a public download only FTP server, a large spike in upload (inbound) traffic would be worthy of further investigation. Normal FTP download traffic has a small amount of input traffic and large amounts of outbound traf

Incident Response & Cyber Kill Chain

Question

During routine examination of bandwidth data for your company's DMZ, an anomaly was discovered with the activity to a public-facing, download only FTP server. To begin your investigation, traffic and logs files from which time frame should be reviewed?

Exhibit

GCIH question #586 exhibit

Options

  • A14:15 to 15:30
  • B09:00 to 12:45
  • C00:00 to 04:30
  • D06:45 to 7:30

How the community answered

(23 responses)
  • A
    9% (2)
  • B
    13% (3)
  • C
    4% (1)
  • D
    74% (17)

Explanation

Since the machine described to go with this bandwidth chart is a public download only FTP server, a large spike in upload (inbound) traffic would be worthy of further investigation. Normal FTP download traffic has a small amount of input traffic and large amounts of outbound traffic. The three incorrect answers all exhibit this behavior.

Topics

#anomaly detection#FTP server#bandwidth analysis#log review timeframe

Community Discussion

No community discussion yet for this question.

Full GCIH Practice