Module 2: Network Monitoring and Analysis

Q: What type of attack involves the unauthorized transmission of data from a system?

• Packet classification
• Packet crafting
• Data leak
• Data exfiltration 

Explanation: A system's data exfiltration is the right phrase to use when referring to the unlawful transport of data from the system. The term "data transfer" refers to the unsanctioned movement of information from inside the network of an organization to a remote location or system that is under the control of an adversary. It often includes sensitive or secret information and may take place via a variety of channels, including file transfers, uploads to cloud services, or communication channels that are not within the organization's authorization.

Q: What tactic do malicious actors use to maintain and expand unauthorized access into a network?

• Exfiltration
• Data size reduction
• Lateral movement 
• Phishing

Explanation: Lateral migration is a technique that malicious actors use to sustain and spread their illegal access into a network. Afterward, movement refers to the strategies and procedures that people use to go further into a network after they have first gained access to it. The compromise of new systems, the elevation of rights, and the accessing of sensitive data or resources that are not originally accessible from their point of entry are all examples of this kind of activity. It is an essential stage in many cyber assaults that are being carried out to accomplish their goals inside a certain environment.

Q: Which packet component contains protocol information?

• Route
• Header 
• Payload
• Footer

Explanation: The header of a packet contains critical information that is required for routing and delivering the packet over a network. This information includes the source and destination addresses, the protocol type (for example, TCP or UDP), the length of the packet, and any other control information vital for the process.

Q: The practice of capturing and inspecting network data packets that are transmitted across a network is known as _____.

• port sniffing
• packet sniffing
• packet capture
• protocol capture

Explanation: Packet sniffing is the process of collecting and examining network data packets that are distributed over a network. This activity is also known as network traffic analysis.

Q: Network protocol analyzer tools are available to be used with which of the following? Select two answers.

• Internet protocol
• Graphical user interface 
• Command-line interface
• Network interface card

Explanation: Utilizing the network interface card of a computer or other device, these technologies are often able to collect network traffic. Users can see and study recorded network packets with the use of a graphical user interface of several network protocol analyzer programs.

Q: Which layer of the TCP/IP model is responsible for accepting and delivering packets in a network?

• Network Access
• Application
• Internet 
• Transport

Explanation: Within the TCP/IP paradigm, the Internet layer is responsible for the routing and forwarding of packets across various networks. Upon receiving data from the Transport layer, it wraps the information into packets, also known as datagrams, and then finds the most efficient route for the packets to take to reach their destination across linked networks. Because of this, the right solution is the Internet layer.

Q: What is used to determine whether errors have occurred in the IPv4 header?

• Protocol
• Flags
• Checksum 
• Header

Explanation: Mistakes can arise during the process of sending packets over a network; the checksum is a number that is computed over the IPv4 header to identify these issues. It does this by ensuring that the checksum value produced by the sender is the same as the header that was received. This helps to guarantee that the header information is accurate. Should problems be found in the header, the packet may be deleted, or an error-handling mechanism may be activated. Both of these options are possible.

Q: Which tcpdump option applies verbosity?

• -i
• -c
• -n
• -v 

Explanation: If you use the -v option with tcpdump, the output will have a higher degree of verbosity, which will provide you with more specific information on the packets that you have captured. This option may be useful in acquiring extra context and obtaining a better understanding of the network data that is being analyzed.

Q: Examine the following tcpdump output:

22:00:19.538395 IP (tos 0x10, ttl 64, id 33842, offset 0, flags [P], proto TCP (6), length 196) 198.168.105.1.41012 > 198.111.123.1.61012: Flags [P.], cksum 0x50af (correct), seq 169, ack 187, win 501, length 42

What is the source IP address?

• 41012
• 198.168.105.1 
• 22:00:19.538395
• 198.111.123.1

Explanation: This information is presented in the format sourceIP.sourcePort, which is placed before port number 41012. Therefore, the source IP address of the packet is 198.168.105.1. This is the address from which the packet originated.

Q: Fill in the blank: _____ describes the amount of data that moves across a network.

• Network data
• Data exfiltration
• Network traffic 
• Traffic flow

Explanation: Within the context of a network architecture, the term "network traffic" refers to the data packets that are sent and received across the network. This includes both local area networks (LANs) and wide area networks (WANs). There are many other kinds of data that it incorporates, including, but not limited to, emails, online pages, file transfers, and multimedia streams.

Q: Which of the following behaviors may suggest an ongoing data exfiltration attack? Select two answers.

• Network performance issues
• Multiple successful multi-factor authentication logins
• Unexpected modifications to files containing sensitive data 
• Outbound network traffic to an unauthorized file hosting service 

Explanation: In light of this, it seems that files that hold sensitive information are being subjected to illegal modifications, which may be part of an effort to steal data. This implies that data is being transported from the network of the company to an external destination that is not allowed, which is a strategy that is often used in operations that include the exfiltration of data.

Q: Do packet capture files provide detailed snapshots of network communications?

• Yes. Packet capture files provide information about network data packets that were intercepted from a network interface. 
• No. Packet capture files do not contain detailed information about network data packets. 
• Maybe. The amount of detailed information packet captures contain depends on the type of network interface that is used.

Explanation: It is common practice to store packet capture files in formats such as pcap. These files include a wealth of information on network communications, such as the contents of data packets, source and destination addresses, protocols used, timestamps, and more. Since they capture an accurate record of the activity that is taking place on a network at a certain moment in time, these files are vital for network analysis, troubleshooting, and forensic investigations.

Q: Fill in the blank: tcpdump is a network protocol analyzer that uses a(n) _____ interface.

• Linux
• graphical user
• command-line 
• internet

Explanation: In most cases, users interact with tcpdump using a command-line interface (CLI), which allows them to set parameters and filters to collect and analyze network traffic in real-time. When it comes to network monitoring and analytic duties, this command line interface enables flexibility and automation.

Q: Which IPv4 field determines how long a packet can travel before it gets dropped?

• Time to Live 
• Header Checksum
• Options
• Type of Service

Explanation: The Time to Live field of the IPv4 header is responsible for determining the maximum number of hops (routers) that a packet may go through before it is rejected by a router. The primary purpose of this feature is to stop packets from circulating endlessly if there are routing loops or other problems with the network. When a packet is forwarded from one router to another, the TTL value is decreased by at least one. If the TTL value hits zero, the packet is destroyed, and an ICMP Time Exceeded message may be issued back to the sender.

Q: What is the process of breaking down packets known as?

• Checksum
• Fragment Offset
• Fragmentation 
• Flags

Explanation: If a packet is unable to traverse network connections with lesser Maximum Transmission Unit (MTU) sizes or when it exceeds the MTU size of a network segment, fragmentation will occur. Fragments are created by dividing the original packet into smaller pieces, and each of these fragments has its own header. This header contains a Fragment Offset and Flags that describe the fragment's location and how it is related to the original packet. Over networks that do not support the entire size of the original packet, this procedure makes it possible to send huge packets over such networks.

Q: Which tcpdump option is used to specify the capture of 5 packets?

• -n 5
• -i 5
• -c 5 
• -v 5

Explanation: tcpdump may be configured to capture a certain number of packets before it departs by using the -c option, which is followed by a number. In this particular scenario, the -c 5 option instructs tcpdump to collect five packets before coming to a halt. It is typical practice to choose this option in situations when you want just a small number of packets for the purposes of analysis or troubleshooting.

Q: Examine the following tcpdump output:

22:00:19.538395 IP (tos 0x10, ttl 64, id 33842, offset 0, flags [P], proto TCP (6), length 196) 198.168.105.1.41012 > 198.111.123.1.61012: Flags [P.], cksum 0x50af (correct), seq 169, ack 187, win 501, length 42

Which protocols are being used? Select two answers.

• IP 
• UDP
• TCP 
• TOS

Explanation: This result does not make any reference to the User Datagram Protocol (UDP), and the Type of Service (TOS) field is a reference to a field in the IPv4 header, but it is not a protocol in and of itself.

Q: Fill in the blank: Network protocol analyzers can save network communications into files known as a _____.

• packet capture 
• payload
• protocol
• network packet

Explanation: Network protocol analyzers can preserve network conversations in a file format known as packet capture.

Q: Which layer of the TCP/IP model does the Internet Protocol (IP) operate on?

• Application
• Internet 
• Transport
• Network Access

Explanation: One of the layers of the TCP/IP paradigm that the Internet Protocol (IP) works on is the Internet layer.

Q: What are some defensive measures that can be used to protect against data exfiltration? Select two answers.

• Utilize lateral movement
• Deploy multi-factor authentication 
• Monitor network activity 
• Reduce file sizes

Explanation: The use of these measures contributes to the enhancement of security by including several levels of authentication and continually monitoring network traffic for any suspicious behaviors connected to the release of data.

Q: Fill in the blank: The transmission of data between devices on a network is governed by a set of standards known as _____.

• headers
• payloads
• ports
• protocols 

Explanation: The protocols that control the transfer of data between devices on a network are a collection of standards that govern the transport of data.