Attack Symptoms And Solutions Flashcards

1
Q

You receive an alert indicating a sudden and significant increase in outbound network traffic from a critical server. What steps would you take to investigate this incident?

A

Run netstat on the machine.

Review NetFlow information if available.

Gather information from the server owner on whether there have been any changes.

Perform an initial assessment of the logs and data I captured.

Review running tasks and services.

If a compromise is suspected, kill the PID responsible for the data exfiltration and notify security management.

Run a malware scan.

2
Q

You notice an unusually high number of failed login attempts on a critical network device. How would you approach this situation to determine if it’s a brute-force attack?

A

Drop the device connection.

Contact the relevant business contacts.

Based on result either allow traffic, or escalate to security manager.

3
Q

You receive an alert indicating an unauthorized device has connected to your organization’s Wi-Fi network. How would you handle this incident to identify the rogue device and mitigate the potential threat?

A

Examine the network address assigned to the device.

Obtain the hardware address (MAC address) of the rogue device.

Use the hardware address to identify the type of device.

Determine the subnet and DHCP scope the address falls under for more clues.

Use this information to physically locate the device.

4
Q

You detect a suspicious pattern of network traffic consistent with a DDoS (Distributed Denial of Service) attack targeting your organization. What actions would you take to mitigate the impact and restore normal network operations?

A

Confirm the DDoS attack by reviewing IDS alerts.

Check connection logs for traffic patterns and origins.

Contact relevant stakeholders for any legitimate traffic spikes.

If confirmed as an attack, review firewall logs for attacking IP addresses.

Blacklist attacking IPs and domains using automated tools.

Implement protective measures like isolating critical infrastructure and rate limiting connections.

5
Q

An employee reports that their workstation is behaving erratically and displaying strange pop-up messages. How would you investigate this as a potential malware or ransomware incident?

A

Disable Windows restore points.

Capture netstat -anob output for analysis.

Air-gap the affected workstation to prevent further communication.

Investigate the source of strange pop-up messages.

Check for recently installed programs or browser changes.

Review running services and task scheduler.

Eradicate the infection and investigate netstat findings.

Run an antivirus scan and, if necessary, restore from a clean point.

6
Q

You receive an alert about an anomalous login from an employee’s account, accessing sensitive files at an unusual time of day. How would you respond to this potential insider threat?

A

Begin logging all system events if this is not being done already.

Check the GeoIP information for the connection.

Disconnect the network connection and isolate the device.

Contact the department’s business contact from the security escalation guide.

Verify with the business leader if the employee’s actions were authorized.

If legitimate, allow the data transfer.

If unauthorized, escalate to the security manager for further actions.

7
Q

Your SIEM system alerts you to a series of DNS queries to known malicious domains originating from an internal host. How would you investigate and stop this potential malware communication?

A

Assign the host to an isolated subnet without internet access.

Review device and DNS logs using the SIEM.

Move the device to a secure VLAN that has no internet connection to reduce the chances of spread.

Investigate the device for unauthorized software that may be originating the outbound internet traffic.

Perform a virus scan.

Eradicate the threat.

8
Q

A critical server suddenly becomes unresponsive, and you suspect a potential server compromise. What steps would you take to isolate and assess the extent of the compromise?

A

Follow incident triage steps and notify affected parties and stakeholders.

Isolate the server by assigning its interface to an isolated VLAN.

Attempt out-of-band access to the server to assess system integrity.

Investigate the extent of compromise.

Escalate if necessary.

9
Q

You notice a sudden surge in network traffic on a non-standard port that’s typically not in use. How would you investigate this to determine if it’s an unauthorized application or a covert channel used by an attacker?

A

Capture network traffic on the port.

Identify the system previously using the port.

Contact the business leader for confirmation.

If unauthorized, close the network port and escalate following guidelines.

10
Q

An email from a trusted source containing a seemingly legitimate attachment is flagged as suspicious by your email gateway. What actions would you take to analyze the attachment and protect your organization from a potential phishing attack?

A

Inspect the email header for originating server details.

Validate SPF and DKIM records for the sending domain.

Seek end-user verification and explore alternative file-sharing methods.

11
Q

A user reports receiving a suspicious email asking for sensitive information, and they’ve clicked on a link within the email. How would you respond to this potential social engineering attempt?

A

Review the email header for domain legitimacy.

Enforce email server rules based on SPF inspection.

Blacklist spoofed addresses.

Run a virus scan on the employee's machine.

Provide user education on social engineering tactics.

12
Q

You receive an alert indicating a sudden surge in failed SSL handshake attempts on your web server. How would you investigate this as a potential SSL/TLS-based attack?

A

Review the source addresses of failed SSL handshakes.

Blacklist repeated offending IP addresses.

Request a change to ensure the use of TLS 1.1 or higher for web server security.

13
Q

Your intrusion detection system (IDS) alerts you to a potential SQL injection attempt on a critical web application. What steps would you take to assess and mitigate this threat?

A
14
Q

You notice an unusual pattern of network traffic consistent with lateral movement between internal systems. How would you investigate and contain this potential advanced persistent threat (APT)?

A
15
Q

You receive an alert about unauthorized access to a privileged account that’s used for server administration. How would you respond to this incident to prevent further compromise of critical systems?

A