Section 29: Indicators of Compromise Flashcards

1
Q

Switched Port Analyzer (SPAN)

A

Allows for the copying of ingress and/or egress communications from one or more switch ports to another

2
Q

NetFlow

A

▪ A Cisco-developed means of reporting network flow info to a structured database

● Protocol interface
● IP version/type
● Source/destination IP
● Source/destination port
● IP service type

3
Q

Flow Analysis vs Full Packet Capture

A

o Full Packet Capture (FPC)
▪ Captures the entire packet, including the header and the payload for all traffic entering and leaving a network

o Flow Analysis
▪ Relies on a flow collector, which records metadata and statistics rather than recording each frame that passes through the network

Flow analysis does not provide the actual content of the traffic

4
Q

Zeek

A

Passively monitors a network like a sniffer, but only logs full packet capture data of potential interest

▪ Performs normalization of the data and stores it as tab-delimited or JSON-formatted text files

5
Q

Multi Router Traffic Grapher (MRTG)

A

▪ Creates graphs showing traffic flows through the network interfaces of routers and switches by polling the appliances using SNMP

6
Q

File Integrity Monitoring (FIM)

A

▪ A host-based IDS that creates a hash digest for every file being monitored on the given system
