When an investigation uncovers increased outbound network traffic on non-standard ports and failed logins, the next critical step is to examine logs for repeated file requests that could indicate an exploit attempt. Learn the best practices for effectively containing an intrusion in this scenario according to ECCouncil’s Computer Hacking Forensic Investigator (CHFI) certification exam.
Question
During an investigation, a forensics analyst discovers an unusual increase in outbound network traffic, network traffic traversing on non-standard ports, and multiple failed login attempts on a host system. The analyst also found that certain programs were using these unusual ports, appearing to be legitimate. If these are the primary Indicators of Compromise, what should be the next immediate step in the investigation to contain the intrusion effectively?
A. Enforcing stringent password policies and re-authenticating all users to prevent further login anomalies
B. Examining the logs for repeated requests for the same file, indicating a possible exploit attempt
C. Analyzing Uniform Resource Locators for any signs of phishing or spamming activities
D. Conducting a deep dive into user-agent strings to determine if there is any spoofing of device OS and browser information
Answer
The next immediate step in the investigation should be:
B. Examining the logs for repeated requests for the same file, indicating a possible exploit attempt
Explanation
When faced with the unusual network activity and failed login attempts described, the top priority is to identify and stop any active intrusion or exploit. Repeated requests for the same file in the logs are a strong indicator that an attacker may be attempting to exploit a vulnerability to gain unauthorized access.
By quickly examining the logs for this exploit pattern, the analyst can pinpoint the targeted system and specific exploit being used. This allows them to take swift action to block the intrusion, such as shutting down the compromised service, patching the vulnerability, or isolating the impacted system.
The other options, while relevant for the broader investigation and security posture, do not directly address the urgent need to contain the active intrusion:
A. Enforcing password policies and re-authenticating users helps prevent further compromise but doesn’t stop the current attack.
C. Analyzing URLs for phishing/spam relates more to the initial vector of compromise rather than stopping the exploit in progress.
D. Examining user-agent strings for spoofing provides useful information but is not as critical as identifying and blocking the active intrusion.
In summary, when presented with signs of an ongoing intrusion like unusual network/port activity and failed logins, examining the logs for exploit patterns should be the next immediate focus to identify and contain the threat. A prompt, targeted response is crucial to minimize damage and prevent further compromise of the system and network.
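As an added illustration of the log check in option B (example code, not part of the original Q&A), the following Python script scans constructed web-server access-log lines for one client repeatedly requesting the same file inside a short window, which is the probing pattern the explanation describes. The combined log format, the threshold, the window size and the sample entries are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Pattern for the common/combined access-log format; the sample below is constructed.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (src, timestamp, path, status), or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("src"), datetime.strptime(m.group("ts"), TS_FMT), m.group("path"), int(m.group("status"))

def find_repeated_file_requests(lines, threshold=5, window_seconds=60):
    """Flag (src, path) pairs hit at least `threshold` times inside any `window_seconds` span.
    Returns {(src, path): (max_hits_in_window, sorted distinct status codes)}; a run of
    4xx/5xx on one script suggests probing, a run of 200s on a static asset a crawler."""
    by_key = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            src, ts, path, status = rec
            by_key[(src, path)].append((ts, status))
    hits = {}
    for key, events in by_key.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):  # sliding window over ordered timestamps
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[key] = (best, sorted({s for _, s in events}))
    return hits

# Constructed sample: one source hammering a single script, plus ordinary browsing.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Mar/2024:14:02:{s:02d} +0000] "POST /cgi-bin/upload.php HTTP/1.1" 500 212'
    for s in (1, 3, 4, 6, 9, 11)
] + [
    '198.51.100.4 - - [10/Mar/2024:14:02:10 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '198.51.100.4 - - [10/Mar/2024:14:02:12 +0000] "GET /index.html HTTP/1.1" 200 1043',
    'garbage line that should be ignored',
]

if __name__ == "__main__":
    for (src, path), (count, statuses) in find_repeated_file_requests(SAMPLE_LOG).items():
        print(f"{src} requested {path} {count} times within 60s; status codes seen: {statuses}")
```

The flagged (source, path) pair is the starting point for the containment steps the explanation lists: identify the targeted service and the file being hit, then block, patch or isolate.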
ECCouncil 312-49v10 certification exam practice question and answer (Q&A) dump with a detailed explanation and reference, available free, helpful to pass the ECCouncil 312-49v10 exam and earn ECCouncil 312-49v10 certification.