88.4k views
1 vote
A security analyst who is concerned about sensitive data exfiltration reviews the following:

10:01:32.384853 IP (tos 0x0, ttl 64, id 40587, offset 0, flags [DF], proto ICMP (1), length 1500) -> : ICMP echo reply, id 1592, seq 8, length 1500

Which of the following tools would allow the analyst to confirm if data exfiltration is occurring?

A. Port scanner
B. SCAP tool
C. File integrity monitor
D. Protocol analyzer

1 Answer

2 votes

Final answer:

A Protocol analyzer is the best tool to use when confirming if data exfiltration is occurring because it allows for the inspection of data packets to detect unauthorized transmission of sensitive information.

Step-by-step explanation:

The question relates to identifying the appropriate tool to confirm if data exfiltration is occurring by analyzing network traffic. Among the tools listed, a Protocol analyzer is the correct choice. Protocol analyzers, also known as network analyzers or packet sniffers, can inspect the data packets in real-time or from log files, enabling a security analyst to look deep into the packet payloads to detect if there is any sensitive data being transmitted in an unauthorized manner. A Protocol analyzer will help discern the nature of the traffic and verify if sensitive information is being compromised.

A Port scanner is useful for detecting open ports and services but does not analyze the content of network traffic. An SCAP tool (Security Content Automation Protocol) helps in automating the monitoring of system security but is not designed for analyzing network traffic content. A File integrity monitor checks for unauthorized changes to files but does not monitor live network traffic for potential data exfiltration.

by User Jollege, 9.0k points
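The detail that makes the capture line suspicious is the size: a stock ping is 84 bytes on Linux (20-byte IP header, 8-byte ICMP header, 56-byte payload) and 60 bytes on Windows, while the echo reply above is an MTU-sized 1500 bytes, which is what ICMP tunnelling tools produce. What a protocol analyzer lets the analyst do is exactly the two checks below: compare echo sizes against the norm and look at the ICMP data field to see whether it carries the default ping fill pattern or something else. This is an added example, not code from the question or from Jollege's answer. It assumes the tcpdump -v line layout shown in the question plus the source and destination addresses that the question's line omits (10.0.0.5 and 10.0.0.9 are assumptions), and the sample capture and payloads are constructed for illustration.

```python
"""Triage ICMP echo traffic for possible exfiltration.

Added example; not code from the original question or answer. It assumes
the tcpdump -v line layout shown in the question, with source and
destination addresses the question's line omits, and treats a default
Linux ping (20-byte IP header + 8-byte ICMP header + 56-byte payload =
84 bytes) as the normal size. Sample lines and payloads are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed capture modelled on the question's line; 10.0.0.5 and
# 10.0.0.9 are assumed addresses, not from the page.
SAMPLE_CAPTURE = """\
10:01:30.100000 IP (tos 0x0, ttl 64, id 40580, offset 0, flags [DF], proto ICMP (1), length 84) 10.0.0.5 > 10.0.0.9: ICMP echo request, id 1592, seq 1, length 64
10:01:30.100500 IP (tos 0x0, ttl 64, id 40581, offset 0, flags [DF], proto ICMP (1), length 84) 10.0.0.9 > 10.0.0.5: ICMP echo reply, id 1592, seq 1, length 64
10:01:32.384853 IP (tos 0x0, ttl 64, id 40587, offset 0, flags [DF], proto ICMP (1), length 1500) 10.0.0.9 > 10.0.0.5: ICMP echo reply, id 1592, seq 8, length 1480
10:01:32.390000 IP (tos 0x0, ttl 64, id 40588, offset 0, flags [DF], proto ICMP (1), length 1500) 10.0.0.9 > 10.0.0.5: ICMP echo reply, id 1592, seq 9, length 1480
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \(.*?proto ICMP \(1\), length (?P<ip_len>\d+)\) "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+), length (?P<icmp_len>\d+)$"
)

NORMAL_ECHO_IP_LENGTH = 84  # default Linux ping; a Windows ping is 60 bytes
ICMP_HEADER_LEN = 8


@dataclass(frozen=True)
class IcmpEcho:
    ts: str
    src: str
    dst: str
    kind: str
    ident: int
    seq: int
    ip_len: int
    icmp_len: int

    @property
    def payload_bytes(self) -> int:
        """Bytes available to a tunnel in this packet (the ICMP data field)."""
        return max(self.icmp_len - ICMP_HEADER_LEN, 0)


def parse_capture(text: str) -> list[IcmpEcho]:
    """Parse tcpdump -v ICMP echo lines; lines in any other layout are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append(IcmpEcho(
                ts=m["ts"], src=m["src"], dst=m["dst"], kind=m["kind"],
                ident=int(m["id"]), seq=int(m["seq"]),
                ip_len=int(m["ip_len"]), icmp_len=int(m["icmp_len"]),
            ))
    return packets


def flag_oversized(packets, max_ip_len=NORMAL_ECHO_IP_LENGTH):
    """Echo packets larger than a stock ping: the first sign of ICMP tunnelling."""
    return [p for p in packets if p.ip_len > max_ip_len]


def bytes_per_flow(packets):
    """Total ICMP data bytes per (src, dst, id), to size what may have left."""
    totals = defaultdict(int)
    for p in packets:
        totals[(p.src, p.dst, p.ident)] += p.payload_bytes
    return dict(totals)


# Default fill patterns a genuine ping carries (assumption based on iputils
# ping, whose data bytes after the 16-byte timestamp equal their offset,
# and on Windows ping, which sends a fixed 32-byte alphabet).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
LINUX_PING_PAYLOAD = bytes(16) + bytes(range(16, 56))

# Constructed payload of the kind a tunnel would carry; not from the page.
EXFIL_PAYLOAD = b"record=42;name=Alice;ssn=123-45-6789;" + bytes(19)


def payload_looks_like_ping(payload: bytes) -> bool:
    """True only if the data field matches a stock ping fill pattern."""
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    if len(payload) >= 16:
        return all(payload[i] == (i & 0xFF) for i in range(16, len(payload)))
    return False


def payload_verdict(payload: bytes) -> str:
    """Explain why a payload does or does not look like ordinary ping data."""
    if payload_looks_like_ping(payload):
        return "default ping fill pattern"
    printable = sum(32 <= b < 127 for b in payload)
    if printable / max(len(payload), 1) > 0.6:
        return "non-ping data, mostly printable text"
    return "non-ping data, binary or encoded"


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    for p in flag_oversized(pkts):
        print(f"{p.ts} {p.src} > {p.dst} echo {p.kind} seq {p.seq}: "
              f"{p.ip_len}-byte packet, {p.payload_bytes} data bytes")
    for flow, total in bytes_per_flow(pkts).items():
        print(flow, total, "data bytes")
    print(payload_verdict(LINUX_PING_PAYLOAD))
    print(payload_verdict(EXFIL_PAYLOAD))
```

In practice the size check runs over the whole capture (the ICMP id 1592 ties the replies to one session, so the per-flow byte count shows how much could have been carried), and the payload check needs the raw data field from the analyzer's packet bytes, which tcpdump shows with -X; a single 1500-byte reply is a lead, while the payload contents are what confirm exfiltration rather than, say, a path MTU probe.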