An organization experiences a cybersecurity incident involving a command-and-control server. Which of the following logs should be analyzed to identify the impacted host? (Choose two.)
DHCP logs: Identify which device was assigned the IP address communicating with the C2 server.
Firewall logs: Show network traffic between the impacted host and the C2 server.
Since this is specifically asking about identifying the impacted host, I chose B and E.
B. Authentication - This log helps identify any unauthorized access or unusual login attempts related to compromised hosts.
E. Firewall - provides insights into incoming and outgoing traffic patterns, detecting communications with the C2 server to help identify the affected host.
C. DHCP and E. Firewall logs are the correct answers because they provide essential information to trace network communications and identify the specific host(s) impacted by the command-and-control server connection. Firewall logs help pinpoint unusual outbound connections, such as those from internal hosts to a suspicious external server, thus identifying potential breaches. DHCP logs map IP addresses to devices, while firewall logs reveal the network traffic patterns, making them both crucial for this analysis. DHCP logs are crucial for linking IP addresses seen in network activity to actual devices, especially in dynamic environments where IP addresses frequently change.
The "command-and-control server" is the problem: the attacker has accessed the network and taken control of a machine. We should check the inbound and outbound traffic logs. These will be on the router (network) and the network firewall.
To identify the impacted host in a cybersecurity incident involving a command-and-control server, the most relevant logs to analyze would be:
C. DHCP and E. Firewall
Firewall logs: These capture network traffic and can show which internal hosts communicated with external IP addresses, including the command-and-control server.
By analyzing firewall logs, you can identify the internal IP addresses that initiated or received communication with the command-and-control server, helping to pinpoint the impacted host.
If you have already identified suspicious network traffic (e.g., connections to a C2 server) in firewall or network logs, the next step is often to determine which device was responsible for that traffic.
DHCP logs are necessary for this step because they map IP addresses to specific devices. Without this mapping, knowing the IP address alone is insufficient, especially in environments where IP addresses are dynamically assigned.
By consulting DHCP logs, you can quickly identify the physical or virtual device behind the suspicious activity.
Answer:
C. DHCP
E. Firewall
C: Impacted host. To trace back any suspicious network activity to a specific device.
E: Firewall logs contain records of all incoming and outgoing traffic.
upvoted 2 times
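The two-step procedure described in the answers above (firewall log entries to the C2 address give the internal source IP and time; DHCP lease records then give the device that held that IP at that moment) as an added example, not code from the original thread. The log lines, addresses (RFC 5737/1918 placeholder ranges) and field names are constructed assumptions; the DHCP sample deliberately reassigns 10.0.0.25 so a lookup that ignores time would blame the wrong device.

```python
from datetime import datetime
from collections import defaultdict

# Constructed sample logs; 203.0.113.50 is a placeholder for the incident's C2 address.
C2_IP = "203.0.113.50"

FIREWALL_LOG = """\
2024-05-01T09:58:00Z action=allow src=10.0.0.25 dst=203.0.113.50 dport=443 proto=tcp
2024-05-01T10:02:13Z action=allow src=10.0.0.25 dst=203.0.113.50 dport=443 proto=tcp
2024-05-01T10:05:00Z action=allow src=10.0.0.31 dst=198.51.100.7 dport=443 proto=tcp
2024-05-01T14:30:45Z action=deny src=10.0.0.25 dst=203.0.113.50 dport=8443 proto=tcp
"""

DHCP_LOG = """\
2024-05-01T08:00:00Z DHCPACK ip=10.0.0.25 mac=aa:bb:cc:00:00:01 host=laptop-alice
2024-05-01T09:00:00Z DHCPACK ip=10.0.0.31 mac=aa:bb:cc:00:00:03 host=desktop-carol
2024-05-01T12:00:00Z DHCPACK ip=10.0.0.25 mac=aa:bb:cc:00:00:02 host=laptop-bob
"""

def parse_line(line):
    """Split 'TIMESTAMP key=value ...' into (datetime, {key: value}); bare tokens are ignored."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields if "=" in f)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kv

def c2_connections(fw_log, c2_ip):
    """Firewall entries (allowed or denied) whose destination is the C2 address."""
    hits = []
    for line in fw_log.splitlines():
        ts, kv = parse_line(line)
        if kv.get("dst") == c2_ip:
            hits.append((ts, kv["src"]))
    return hits

def lease_holder(dhcp_log, ip, at):
    """Device holding `ip` at time `at`: the latest DHCPACK for that IP issued no later than `at`."""
    holder = None
    for line in dhcp_log.splitlines():
        ts, kv = parse_line(line)
        if kv.get("ip") == ip and ts <= at and (holder is None or ts > holder[0]):
            holder = (ts, kv["mac"], kv["host"])
    return holder

def identify_impacted_hosts(fw_log, dhcp_log, c2_ip):
    """Map each C2 contact to the (hostname, MAC) that held the source IP at that moment."""
    impacted = defaultdict(list)
    for ts, src in c2_connections(fw_log, c2_ip):
        lease = lease_holder(dhcp_log, src, ts)
        key = (lease[2], lease[1]) if lease else ("unknown", src)  # no lease on record
        impacted[key].append(ts.isoformat())
    return dict(impacted)
```

With the sample data the 09:58 and 10:02 contacts resolve to laptop-alice while the 14:30 contact resolves to laptop-bob, because the lease for 10.0.0.25 changed hands at 12:00.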
Community vote distribution: A (35%), C (25%), B (20%), Other
Commenters:
Shaman73 (Highly Voted, 6 months, 1 week ago)
Exam_Prep221 (Most Recent, 23 hours, 10 minutes ago)
c7b3ff0 (1 month, 3 weeks ago)
dbrowndiver (4 months, 1 week ago)
101e7ca (4 months, 3 weeks ago)
Bimbo_12 (4 months, 3 weeks ago)
cdsu (5 months, 3 weeks ago)