GIAC Certified Incident Handler (GCIH) — Question 152

You are the leader of an incident handling team for a mid-size manufacturer in the United States. Several of your company's products are patented and several processes used in the manufacturing process are considered trade secrets. A member of your company's firewall team sent you a tcpdump of a firewall log thought looked suspicious. The packets in question had the same external source IP address, the same internal destination IP addresses, and the same source and destination ports were used in each packet. The only difference between the packets was that the TTL's had been incremented. How can you best determine if this is a sign of something malicious or not?

Answer options

• A. Set up a host intrusion detection system on the host with the internal IP address
• B. Gather more data from your firewall logs and from other system logs inside your network
• C. Check the Internet Storm Center's Top 10 Source IPs Report to see if the external IP address is listed
• D. Run a protocol analyzer on your computer with a filter that will only show the internal or external IP address

Correct answer: A

Explanation

Setting up a host intrusion detection system on the affected host allows for real-time monitoring and can help identify any malicious activity directly on that machine, making it the most effective response. While gathering more data (option B) and checking reports (option C) may provide additional context, they do not offer immediate insights into the potential threat. Running a protocol analyzer (option D) may help in analysis, but it won't actively monitor for intrusion attempts like a host intrusion detection system would.