Free Splunk SPLK-5001 Practice Exam with Questions & Answers | Set: 2

The primary difference between a Distributed Denial of Service (DDoS) attack and a Denial of Service (DoS) attack is in the source of the attack. ADDoSattack involves multiple compromised systems (often part of a botnet) attacking a single target, overwhelming it with traffic or requests. In contrast, aDoSattack typically involves a single source attacking the target. The goal of both attacks is to make a service unavailable, but DDoS attacks are usually more difficult to defend against because of their distributed nature.

Tacticsare the overarching objectives or strategies attackers use during their operations, whiletechniquesare the specific methods used to achieve these tactics. In this case,gathering information about a target(often referred to as Reconnaissance) is atacticbecause it represents a high-level objective of understanding the target. The other options provided (persistence, phishing, privilege escalation) are specifictechniquesused to achieve the broader goals or tactics.

To investigate which process initiated a network connection, an analyst would use theEndpointdata model in Splunk Enterprise Security. The Endpoint data model contains fields related to processes, file activity, and host-level data, which are essential for tracing back the source of suspicious network activity to the specific process or application that initiated it. This is crucial for understanding the scope of an attack and determining the origin of malicious network traffic.

Top of Form

Bottom of Form

The scenario described is an example ofLeast Frequency of Occurrence Analysis. This threat-hunting technique focuses on identifying events or behaviors that occur infrequently, under the assumption that rare activities could indicate abnormal or suspicious behavior. By filtering out users who log in frequently and focusing on those with rare login attempts, the threat hunter aims to identify potentially suspicious activity that warrants further investigation. This technique is particularly effective in detecting stealthy attacks that might evade more common detection methods.

Top of Form

Bottom of Form

Unusual Traffic Patterns:

The key observation here is that one of the servers is sending out a significantly large amount of data to a single external system, with no corresponding increase in incoming traffic.

Possible Threat Activities:

A. Data Exfiltration:

This scenario typically aligns with data exfiltration, where an attacker has successfully compromised a system and is sending out large volumes of stolen data to an external server.

Data exfiltration often involves consistent or large data transfers over time to an external IP address, which matches the description provided.

B. Network Reconnaissance:

While reconnaissance involves scanning and probing, it generally does not produce large outbound data flows but rather small, frequent connection attempts or queries.

C. Data Infiltration:

Infiltration would involve incoming data to the compromised server, which contradicts the scenario as there is no observed increase in incoming traffic.

D. Lateral Movement:

Lateral movement would involve traffic between internal systems rather than large amounts of data being sent to an external system.

Scenario Analysis:Conclusion:Given the evidence of large data transfers to a single external system without corresponding inbound traffic,data exfiltrationis the most likely scenario. This suggests that an adversary has compromised the server and is extracting valuable or sensitive data from the organization.

Data Exfiltration Techniques:Techniques such as those documented in the MITRE ATT&CK framework (e.g.,T1041 - Exfiltration Over C2 Channel) detail how attackers move data out of a network.

Incident Response Playbooks:Many incident response frameworks emphasize monitoring for unusual outbound traffic as a primary indicator of data exfiltration.

References:

Therexcommand in Splunk can be used to extract or replace data using regular expressions. To dynamically replace values with a specific pattern, such as replacing credit card numbers with "X", the mode needs to be set tosed. Thesedmode allows for string replacement within a field using regular expressions, enabling the substitution of matching patterns with a specified string.

Thestatscommand is used to generate statistics, such as counts, over specific fields. In this case, the commandindex=security_logs eventtype=failed_login | stats count as failed_attempts by src_ip | sort -failed_attemptscreates a temporary table that counts the number of failed login attempts (failed_attempts) for each source IP (src_ip). Thesort -failed_attemptsensures the results are ordered by the number of failed attempts in descending order, making it easier for an analyst to identify problematic IPs.

AnIntrusion Detection System (IDS)typically sits at the network perimeter and is designed to detect suspicious traffic, including command and control (C2) traffic and other potentially malicious activities.

Intrusion Detection Systems:

IDS are deployed at strategic points within the network, often at the perimeter, to monitor incoming and outgoing traffic for signs of malicious activity.

These systems are configured to detect various types of threats, including C2 traffic, which is a key indicator of compromised systems communicating with an attacker-controlled server.

Incorrect Options:

A. Host-based firewall:This is more focused on controlling traffic at the endpoint level, not at the network perimeter.

B. Web proxy:Primarily used for controlling and filtering web traffic, but not specifically designed to detect C2 traffic.

C. Endpoint Detection and Response (EDR):Focuses on endpoint protection rather than monitoring network perimeter traffic.

Network Security Practices:IDS implementation is a standard practice for perimeter security to detect early signs of network intrusion.

In this scenario, the analyst cannot conclude whether the Notable Event is a true positive or a false positive due to the absence of necessary logs and artifacts. The appropriate eventdisposition in this case is "Other," as it indicates that further action is required, such as ingesting the missing logs. The involvement of a security engineer to ensure the necessary data is available for proper investigation is implied, making "Other" the most suitable option.