An organization experiences a cybersecurity incident involving a command-and-control server. Which of the following logs should be analyzed to identify the impacted host? (Choose two.)
In the context of a command-and-control (C2C) server, analyzing network and firewall logs is more effective for identifying the impacted host. These logs provide detailed information about network traffic, including connections to and from the C2C server, which can help pinpoint the affected devices.
The two most relevant logs to analyze in this scenario would be:
D. Network
Network logs can provide insights into the traffic patterns and connections related to the C2C server.
E. Firewall
Firewall logs can help identify any unusual or unauthorized connections to the C2C server, aiding in the identification of the impacted host.
Bing copilot is saying C and D.
The best two logs to analyze for identifying the impacted host in a command-and-control incident would be:
Network logs: These provide detailed information about network traffic, including connections to and from the command-and-control server.
DHCP logs: These help map IP addresses to specific devices at given times, which is crucial for identifying the impacted host.
While firewall logs are valuable for security information, network and DHCP logs together provide the most comprehensive data needed to pinpoint the specific host involved.
Network Logs (D):
Network logs are crucial for identifying communication between the compromised host and the command-and-control server. These logs will typically include details of network traffic, including IP addresses, ports, protocols, and patterns of communication. By analyzing network logs, you can track outbound connections that may have been initiated by the infected host to communicate with the command-and-control server.
Firewall Logs (E):
Firewall logs are useful for identifying inbound and outbound traffic that is blocked or allowed by the firewall. They can help pinpoint suspicious traffic patterns, such as attempts to connect to known malicious IP addresses (such as the command-and-control server). Firewall logs will also show if the infected host tried to bypass any restrictions to communicate with external servers.
Since this is specifically asking about identifying the impacted host, I chose B and E.
B. Authentication - This log helps identify any unauthorized access or unusual login attempts related to compromised hosts.
E. Firewall - provide insights into incoming and outgoing traffic patterns, detecting comms with the C2 server to help identify the affected host.
C. DHCP and E. Firewall logs are the correct answers because they provide essential information to trace network communications and identify the specific host(s) impacted by the command-and-control server connection. Firewall logs help pinpoint unusual outbound connections, such as those from internal hosts to a suspicious external server, thus identifying potential breaches. DHCP logs map IP addresses to devices, while firewall logs reveal the network traffic patterns, making them both crucial for this analysis. DHCP logs are crucial for linking IP addresses seen in network activity to actual devices, especially in dynamic environments where IP addresses frequently change.
"command-and-control server" is the problem: the attacker has accessed the network and taken control of a machine. We should check the inbound and outbound traffic logs. These will be on the router (Network) and the network firewall.
To identify the impacted host in a cybersecurity incident involving a command-and-control server, the most relevant logs to analyze would be:
C. DHCP and E. Firewall
Firewall logs capture network traffic and can show which internal hosts communicated with external IP addresses, including the command-and-control server.
By analyzing firewall logs, you can identify the internal IP addresses that initiated or received communication with the command-and-control server, helping to pinpoint the impacted host.
If you have already identified suspicious network traffic (e.g., connections to a C2 server) in firewall or network logs, the next step is often to determine which device was responsible for that traffic.
DHCP logs are necessary for this step because they map IP addresses to specific devices. Without this mapping, knowing the IP address alone is insufficient, especially in environments where IP addresses are dynamically assigned.
By consulting DHCP logs, you can quickly identify the physical or virtual device behind the suspicious activity.
Answer:
C. DHCP
E. Firewall
C: Impacted host. To trace back any suspicious network activity to a specific device
E: Firewall logs contain records of all incoming and outgoing traffic
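The two-step procedure described in the answers above (find internal addresses talking to the C2 server in the firewall log, then use DHCP lease records to turn each address into a device) is shown below as an added worked example; it is not code from the original page or from any of the commenters. The firewall and DHCP line formats, the sample log lines, the hostnames and the C2 address 203.0.113.77 (a documentation address) are all constructed for the example.

```python
import re
from datetime import datetime

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample firewall log (assumed key=value format, not from the page).
# 10.0.5.23 beacons to the C2 address three times; one attempt is DENIED.
# 10.0.5.99 also reaches the C2 address but has no DHCP lease on record.
FIREWALL_LOG = """\
2024-05-14T09:58:02Z action=ALLOW src=10.0.5.23 dst=203.0.113.77 dport=443 proto=tcp
2024-05-14T10:03:41Z action=ALLOW src=10.0.5.23 dst=203.0.113.77 dport=443 proto=tcp
2024-05-14T10:05:12Z action=ALLOW src=10.0.5.40 dst=198.51.100.9 dport=443 proto=tcp
2024-05-14T10:10:09Z action=DENY src=10.0.5.23 dst=203.0.113.77 dport=8443 proto=tcp
2024-05-14T10:12:30Z action=ALLOW src=10.0.5.99 dst=203.0.113.77 dport=443 proto=tcp
"""

# Constructed DHCP lease log (dhcpd-style DHCPACK lines, assumed format).
# 10.0.5.23 was held by LAPTOP-ACCT01 early in the day and re-issued to
# WS-FIN-07 at 09:30, so the lease active at connection time must be used.
DHCP_LOG = """\
2024-05-14T08:00:00Z DHCPACK on 10.0.5.23 to 00:11:22:33:44:55 (LAPTOP-ACCT01) via eth0
2024-05-14T09:30:00Z DHCPACK on 10.0.5.23 to aa:bb:cc:dd:ee:ff (WS-FIN-07) via eth0
2024-05-14T09:45:00Z DHCPACK on 10.0.5.40 to 66:77:88:99:aa:bb (WS-HR-02) via eth0
"""

FW_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)
DHCP_RE = re.compile(
    r"^(?P<ts>\S+) DHCPACK on (?P<ip>\S+) to (?P<mac>\S+) \((?P<host>[^)]+)\)"
)


def parse_ts(s):
    return datetime.strptime(s, TS_FMT)


def parse_firewall(text):
    """Parse firewall lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            events.append({"ts": parse_ts(m["ts"]), "action": m["action"],
                           "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])})
    return events


def parse_dhcp(text):
    """Parse DHCPACK lines into lease records sorted by issue time."""
    leases = []
    for line in text.splitlines():
        m = DHCP_RE.match(line)
        if m:
            leases.append({"ts": parse_ts(m["ts"]), "ip": m["ip"],
                           "mac": m["mac"], "host": m["host"]})
    return sorted(leases, key=lambda lease: lease["ts"])


def lease_at(leases, ip, when):
    """Most recent DHCPACK for `ip` issued at or before `when`, or None."""
    best = None
    for lease in leases:  # ascending order, so the last qualifying lease wins
        if lease["ip"] == ip and lease["ts"] <= when:
            best = lease
    return best


def c2_connections(events, c2_ip):
    """Keep ALLOW and DENY alike: a blocked beacon still names the infected host."""
    return [e for e in events if e["dst"] == c2_ip]


def identify_impacted_hosts(fw_text, dhcp_text, c2_ip):
    """Map each C2 contact to the device holding the source IP at that moment."""
    leases = parse_dhcp(dhcp_text)
    hosts = {}
    for e in c2_connections(parse_firewall(fw_text), c2_ip):
        lease = lease_at(leases, e["src"], e["ts"])
        # No lease at that time: static address or a gap in DHCP logging; keep the IP.
        key = (lease["host"], lease["mac"]) if lease else ("UNRESOLVED", e["src"])
        hosts.setdefault(key, []).append(e["ts"].strftime(TS_FMT))
    return hosts


if __name__ == "__main__":
    for host, times in identify_impacted_hosts(FIREWALL_LOG, DHCP_LOG, "203.0.113.77").items():
        print(host, times)
```

The lease lookup deliberately takes the latest DHCPACK at or before the connection timestamp rather than any lease for the address: in the sample data the naive join would blame LAPTOP-ACCT01, which had given up 10.0.5.23 half an hour before the first beacon. Hosts with no matching lease are reported by IP so they are not silently dropped.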
SY0-701 Exam Questions
Community vote distribution
A (35%)
C (25%)
B (20%)
Other