Fortinet FCSS_NST_SE-7.4 Exam Dumps and Practice Test Questions Set 8 Q106-120
Question 106:
How does FortiNDR’s monitoring of administrative protocol usage detect unauthorized privileged access?
A) Administrative protocols are only used legitimately
B) It identifies unusual usage of protocols like WMI, RDP, or PowerShell remoting from unexpected sources or to unexpected targets
C) Administrative tools cannot be monitored at the network level
D) Privileged access is always authorized and secure
Answer: B
Explanation:
FortiNDR identifies unusual usage of protocols like WMI, RDP, or PowerShell remoting from unexpected sources or to unexpected targets by monitoring administrative protocols for usage patterns inconsistent with normal IT operations, revealing attackers using these powerful tools for lateral movement, remote execution, and privilege escalation.
Administrative protocol monitoring detects multiple threat patterns including identifying administrative protocols used by non-administrative systems such as workstations using WMI or PowerShell remoting to connect to servers, detecting administrative tool usage from user accounts that shouldn’t have administrative privileges, recognizing unusual timing of administrative activity particularly during off-hours when IT staff aren’t normally working, identifying administrative protocol usage in rapid succession across many systems suggesting automated lateral movement, detecting unusual target patterns where administrative tools access systems outside normal IT management scope, recognizing failed administrative authentication attempts suggesting privilege escalation attempts, and identifying administrative protocol abuse by non-IT personnel. For example, detecting a standard user account from a marketing workstation using PowerShell remoting to execute commands on database servers exhibits clear unauthorized privileged access, as neither the user account nor source system should have administrative capabilities to database servers.
A is incorrect because administrative protocols are frequently abused by attackers who have gained initial access and use these legitimate tools for malicious lateral movement and command execution. C is incorrect because administrative tools operate over network protocols that can be monitored through traffic analysis revealing usage patterns and source/destination relationships. D is incorrect because privileged access can be unauthorized through compromised credentials or privilege escalation making monitoring essential rather than assuming all privileged access is authorized.
Organizations should implement monitoring for administrative protocol usage to detect unauthorized privileged access and lateral movement, establish baselines for which systems and accounts legitimately use administrative protocols, configure alerts for administrative protocol usage from unexpected sources or to unexpected targets, and implement technical controls like privileged access management alongside monitoring to restrict and audit administrative tool usage.
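The baseline checks described above, as an added example that is not FortiNDR's own code: it scores constructed flow records for administrative protocols (RDP, WinRM, WMI) coming from hosts or accounts outside a hypothetical admin baseline, outside business hours, or fanning out to many targets in a short window. All host, account and threshold values are constructed assumptions.

```python
"""Administrative-protocol baseline check over constructed flow records.

Hypothetical example (not FortiNDR code): flags RDP / WinRM / WMI sessions
whose source host or account lies outside the admin baseline, sessions outside
business hours, and rapid fan-out from one source to many targets.
"""
from collections import defaultdict
from datetime import datetime

# Well-known ports for the administrative protocols discussed above.
ADMIN_PORTS = {3389: "RDP", 5985: "WinRM", 5986: "WinRM-TLS", 135: "MS-RPC/WMI"}

# Constructed baseline: hypothetical jump hosts and admin accounts.
ADMIN_HOSTS = {"jump01", "jump02"}
ADMIN_USERS = {"svc-backup", "it.admin"}
WORK_HOURS = range(7, 20)      # 07:00-19:59 counts as business hours
FANOUT_THRESHOLD = 5           # distinct targets from one source ...
FANOUT_WINDOW_S = 300          # ... within this many seconds

# Constructed flow records: (timestamp, src host, account, dst host, dst port).
FLOWS = [
    ("2024-03-04T09:12:00", "jump01", "it.admin", "db01", 3389),
    ("2024-03-04T09:13:00", "mkt-ws17", "j.doe", "db01", 5985),    # marketing workstation -> DB via WinRM
    ("2024-03-04T02:40:00", "jump02", "it.admin", "file02", 3389),  # admin host, but at 02:40
    ("2024-03-04T10:00:00", "mkt-ws17", "j.doe", "app01", 443),     # ordinary HTTPS, ignored
    ("2024-03-04T11:00:00", "jump01", "it.admin", "srv01", 5985),
    ("2024-03-04T11:01:00", "jump01", "it.admin", "srv02", 5985),
    ("2024-03-04T11:02:00", "jump01", "it.admin", "srv03", 5985),
    ("2024-03-04T11:03:00", "jump01", "it.admin", "srv04", 5985),
    ("2024-03-04T11:04:00", "jump01", "it.admin", "srv05", 5985),
]


def check_flow(ts, src, user, dst, port):
    """Return the baseline violations for one flow (empty list if none)."""
    proto = ADMIN_PORTS.get(port)
    if proto is None:
        return []                       # not an administrative protocol
    reasons = []
    if src not in ADMIN_HOSTS:
        reasons.append(f"{proto} to {dst} from non-admin source {src}")
    if user not in ADMIN_USERS:
        reasons.append(f"{proto} to {dst} by non-admin account {user}")
    if datetime.fromisoformat(ts).hour not in WORK_HOURS:
        reasons.append(f"{proto} to {dst} outside business hours")
    return reasons


def detect_fanout(flows):
    """Map source host -> number of distinct admin targets reached within the window."""
    by_src = defaultdict(list)
    for ts, src, _user, dst, port in flows:
        if port in ADMIN_PORTS:
            by_src[src].append((datetime.fromisoformat(ts).timestamp(), dst))
    findings = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - t0 <= FANOUT_WINDOW_S}
            if len(targets) >= FANOUT_THRESHOLD:
                findings[src] = len(targets)
                break
    return findings


def analyze(flows):
    """Per-flow baseline violations plus fan-out findings, as (ts, src, reason) tuples."""
    alerts = [(ts, src, r) for ts, src, user, dst, port in flows
              for r in check_flow(ts, src, user, dst, port)]
    for src, n in detect_fanout(flows).items():
        alerts.append(("", src, f"admin-protocol fan-out to {n} targets within {FANOUT_WINDOW_S}s"))
    return alerts


if __name__ == "__main__":
    for ts, src, reason in analyze(FLOWS):
        print(ts, src, reason)
```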
Question 107:
What is the significance of monitoring for data exfiltration to personal devices and removable media in FortiNDR?
A) Personal device usage on corporate networks poses no security risk
B) Network traffic to personal devices or unusual USB-related network behaviors can indicate data theft via portable storage
C) Removable media cannot be detected through network monitoring
D) Only endpoint tools can detect data movement to removable devices
Answer: B
Explanation:
FortiNDR monitors communications with personal devices and watches for network indicators associated with removable media usage; network traffic to personal devices or unusual USB-related network behaviors can indicate data being staged for theft through portable storage channels.
Personal device and removable media monitoring detects multiple exfiltration patterns including identifying network traffic to personal smartphone or tablet devices on corporate networks, detecting unusual file transfer protocols associated with syncing to personal devices, recognizing communications with personal cloud backup services used by connected personal devices, identifying network behaviors associated with USB device connections such as file sharing protocols becoming active, detecting workstations beginning to advertise file shares following device connections, recognizing unusual data access patterns preceding device connections suggesting staging data for transfer, and identifying devices connecting then disconnecting repeatedly consistent with data transfer operations. For example, detecting a workstation accessing sensitive databases then immediately establishing network connections to an iPhone on the corporate WiFi network followed by large data transfers suggests data exfiltration where sensitive information is being transferred to personal devices for theft.
A is incorrect because personal devices on corporate networks can be used for data exfiltration and introduce security risks through unauthorized data transfers. C is incorrect because removable media usage creates observable network behaviors through file sharing activations and data access patterns that precede transfers enabling network-based detection. D is incorrect because while endpoint tools provide visibility into direct USB transfers, network monitoring detects related behaviors including staging activities and network transfers to personal devices complementing endpoint detection.
Organizations should implement monitoring for data transfers to personal devices to detect exfiltration attempts, establish policies governing personal device usage on corporate networks and monitor for policy violations, configure enhanced monitoring for sensitive systems to detect any data staging or transfer activities, and combine network monitoring with endpoint data loss prevention for comprehensive protection against removable media exfiltration.
Question 108:
How does FortiNDR detect malware propagation across the network?
A) Malware propagation only affects individual systems
B) It identifies spreading patterns including sequential exploitation attempts, worm-like behaviors, and rapid replication across multiple systems
C) Network monitoring cannot observe malware spreading
D) Malware never spreads through network connections
Answer: B
Explanation:
FortiNDR identifies spreading patterns including sequential exploitation attempts, worm-like behaviors, and rapid replication across multiple systems by detecting the network signatures of malware as it attempts to propagate from infected systems to additional targets throughout the network environment.
Malware propagation detection identifies multiple spreading patterns including detecting sequential connection attempts where infected systems systematically try to infect other systems, recognizing worm-like behaviors where malware automatically replicates without user intervention, identifying exploitation traffic targeting vulnerabilities as malware attempts to spread, detecting unusual SMB or RDP activity suggesting ransomware or worm propagation, recognizing rapid replication where multiple systems become infected in short timeframes, identifying common exploit patterns across multiple systems indicating coordinated infection, and detecting lateral spreading where malware moves systematically through network segments. For example, detecting one infected system making sequential connections attempting to exploit SMB vulnerabilities on every system in its subnet, followed by newly infected systems exhibiting identical behavior, reveals worm propagation requiring immediate containment before widespread network infection occurs.
A is incorrect because malware frequently propagates across networks infecting multiple systems through various spreading mechanisms that generate detectable network traffic. C is incorrect because network monitoring specifically observes malware spreading through detection of exploitation attempts, unusual connections, and propagation patterns in network traffic. D is incorrect because much malware spreads specifically through network connections using exploitation, credential abuse, or other network-based propagation mechanisms.
Organizations should implement detection for malware propagation patterns to enable rapid containment before widespread infection, configure alerts for spreading behaviors like sequential exploitation attempts or unusual lateral movement, develop incident response procedures that can quickly isolate infected network segments when propagation is detected, and implement network segmentation that limits malware spreading scope even if initial infections occur.
Question 109:
What role does HTTP header analysis play in FortiNDR’s web threat detection?
A) HTTP headers contain no security-relevant information
B) Analyzing headers including user agents, referers, and custom headers helps identify malicious tools, C2 communications, and web attacks
C) Header analysis only tracks website compatibility
D) Only web servers need to analyze HTTP headers
Answer: B
Explanation:
FortiNDR analyzes headers including user agents, referers, and custom headers to identify malicious tools, C2 communications, and web attacks, examining header characteristics that reveal suspicious software, attack techniques, or communications with malicious infrastructure that differ from normal web browsing patterns.
HTTP header analysis detects multiple threat indicators including identifying user agents associated with attack tools, penetration testing frameworks, or malware families, detecting missing or unusual header combinations suggesting non-browser clients or attack scripts, recognizing custom headers used by malware for C2 communications, identifying referer anomalies that reveal attack patterns or suspicious browsing paths, detecting header injection attempts where attackers insert malicious content into headers, recognizing encoding anomalies in headers suggesting evasion techniques, and identifying headers consistent with specific exploit techniques or web attacks. For example, detecting HTTP requests with user agent strings identifying Cobalt Strike or Metasploit combined with custom headers not used by legitimate browsers strongly indicates post-exploitation C2 communications requiring immediate investigation and response.
A is incorrect because HTTP headers contain extensive security-relevant information including software identification, request characteristics, and patterns that distinguish legitimate from malicious traffic. C is incorrect because header analysis provides critical security capabilities beyond compatibility tracking through detection of malicious patterns and attack indicators. D is incorrect because network security tools analyzing HTTP traffic use header analysis for threat detection beyond web server operations.
Organizations should implement HTTP header analysis as part of web traffic monitoring, integrate threat intelligence about malicious user agents and header patterns, configure detection for unusual header combinations or characteristics suggesting attacks or malware, and recognize that header analysis provides valuable detection capabilities for web-based threats that payload analysis alone might miss.
Question 110:
How does FortiNDR detect supply chain compromises through software update traffic analysis?
A) Software updates are always safe and require no monitoring
B) It identifies unusual update mechanisms, suspicious update sources, or unexpected software downloading components indicating compromised supply chain
C) Update traffic cannot be monitored for security purposes
D) Supply chain attacks are undetectable through network analysis
Answer: B
Explanation:
FortiNDR identifies unusual update mechanisms, suspicious update sources, or unexpected software downloading components indicating a compromised supply chain by monitoring software update behaviors and detecting anomalies that reveal compromised update infrastructure or malicious modifications to legitimate software update processes.
Supply chain compromise detection through update monitoring identifies multiple threat patterns including detecting software updates from unexpected or suspicious sources different from known vendor infrastructure, identifying unusual update frequencies or sizes suggesting malicious modifications, recognizing certificate anomalies in software updates indicating compromised signing infrastructure, detecting unexpected software components being downloaded by update mechanisms, identifying update traffic to newly registered or suspicious domains, recognizing unusual protocols or ports used for updates suggesting compromised update channels, and detecting behavioral changes in software following updates indicating malicious modifications. For example, detecting enterprise software that normally updates from a specific vendor domain suddenly downloading updates from a suspicious IP address in an unexpected country strongly suggests supply chain compromise where attackers have intercepted or modified the update mechanism to distribute malware.
A is incorrect because software updates can be compromised through supply chain attacks making monitoring essential rather than assuming all updates are safe. C is incorrect because update traffic occurs over network connections and exhibits patterns that can be monitored to detect compromised update mechanisms or malicious update sources. D is incorrect because supply chain attacks manifest through observable network behaviors including unusual update sources, suspicious certificate characteristics, and anomalous update patterns enabling network-based detection.
Organizations should monitor software update traffic for anomalies suggesting supply chain compromise, maintain awareness of legitimate update sources for critical software enabling detection of update source changes, integrate threat intelligence about supply chain compromises affecting specific vendors or products, and implement update verification mechanisms alongside monitoring to validate update authenticity.
Question 111:
What is the importance of detecting anomalous DNS response patterns in FortiNDR?
A) DNS responses are always accurate and trustworthy
B) Unusual DNS response characteristics can indicate DNS hijacking, cache poisoning, or malicious DNS infrastructure
C) DNS response analysis provides no security value
D) Only DNS servers need to monitor DNS responses
Answer: B
Explanation:
FortiNDR analyzes DNS responses for unusual characteristics that can indicate DNS hijacking, cache poisoning, or malicious DNS infrastructure, revealing attacks targeting DNS infrastructure or compromised DNS services that return malicious results to redirect users or systems to attacker-controlled destinations.
DNS response analysis detects multiple threat patterns including identifying responses returning IP addresses inconsistent with known legitimate destinations suggesting DNS hijacking, detecting responses with unusual TTL values possibly indicating cache poisoning attempts, recognizing responses from unexpected DNS servers suggesting DNS hijacking or unauthorized DNS server usage, identifying responses to internal queries coming from external servers indicating DNS exfiltration or compromise, detecting response patterns characteristic of fast-flux networks used by malware, recognizing DNS responses containing suspicious IP addresses known to host malicious infrastructure, and identifying response sizes or patterns consistent with DNS tunneling responses. For example, detecting DNS responses for "google.com" returning IP addresses that don't belong to Google indicates DNS hijacking where attackers have compromised DNS infrastructure to redirect users to malicious sites for phishing or malware distribution.
A is incorrect because DNS responses can be malicious through hijacking, poisoning, or compromised DNS infrastructure making response monitoring essential for security. C is incorrect because DNS response analysis provides critical security capabilities through detection of hijacking, poisoning, and malicious DNS infrastructure. D is incorrect because network security monitoring of DNS responses provides organization-wide protection by detecting DNS-based attacks affecting all systems using DNS services.
Organizations should implement DNS response monitoring to detect hijacking and malicious DNS infrastructure, configure alerts for responses that deviate from expected patterns or known legitimate IP addresses for common destinations, consider implementing DNS security extensions like DNSSEC to prevent some DNS attacks alongside monitoring, and investigate DNS anomalies promptly given their potential to affect all systems relying on DNS services.
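The response checks described above, as an added example that is not FortiNDR's own code: it validates constructed DNS responses against expected address prefixes for monitored names, an authorized-resolver list and a minimum TTL, and flags names that rotate through many short-TTL addresses as a fast-flux indicator. The names, resolver addresses and prefixes (RFC 5737 documentation ranges) are constructed placeholders.

```python
"""DNS response validation over constructed resolver records.

Hypothetical example (not FortiNDR code): checks each response against
expected address prefixes for monitored names, an authorized-resolver list
and a minimum TTL, and flags names that rotate through many addresses with
short TTLs (a fast-flux indicator).
"""
import ipaddress
from collections import defaultdict

# Constructed baseline.  Prefixes are RFC 5737 documentation ranges standing in
# for the addresses an operator would take from their own inventory.
EXPECTED_PREFIXES = {
    "mail.example.com": [ipaddress.ip_network("192.0.2.0/24")],
    "portal.example.com": [ipaddress.ip_network("198.51.100.0/24")],
}
AUTHORIZED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
MIN_TTL = 60                 # legitimate records for these names never go this low
FAST_FLUX_DISTINCT_IPS = 4   # distinct short-TTL answers before a name is flagged

# Constructed responses: (query name, responding server, ttl, [answer addresses]).
RESPONSES = [
    ("mail.example.com", "10.0.0.53", 300, ["192.0.2.25"]),         # normal
    ("mail.example.com", "10.0.0.53", 300, ["203.0.113.77"]),       # answer outside known prefix
    ("portal.example.com", "203.0.113.9", 300, ["198.51.100.10"]),  # unauthorized resolver
    ("cdn.example.net", "10.0.0.53", 5, ["203.0.113.1"]),           # short TTL, rotating answers
    ("cdn.example.net", "10.0.0.53", 5, ["203.0.113.2"]),
    ("cdn.example.net", "10.0.0.53", 5, ["203.0.113.3"]),
    ("cdn.example.net", "10.0.0.53", 5, ["203.0.113.4"]),
]


def check_response(qname, server, ttl, answers):
    """Return the anomalies found in one DNS response (empty list if none)."""
    reasons = []
    if server not in AUTHORIZED_RESOLVERS:
        reasons.append(f"response from unauthorized resolver {server}")
    if ttl < MIN_TTL:
        reasons.append(f"TTL {ttl}s below minimum {MIN_TTL}s")
    expected = EXPECTED_PREFIXES.get(qname)
    if expected:
        for addr in answers:
            ip = ipaddress.ip_address(addr)
            if not any(ip in net for net in expected):
                reasons.append(f"{qname} resolved to {addr} outside expected prefixes")
    return reasons


def detect_fast_flux(responses):
    """Map query name -> count of distinct addresses seen with short TTLs."""
    seen = defaultdict(set)
    for qname, _server, ttl, answers in responses:
        if ttl < MIN_TTL:
            seen[qname].update(answers)
    return {q: len(ips) for q, ips in seen.items() if len(ips) >= FAST_FLUX_DISTINCT_IPS}


def analyze(responses):
    """Per-response anomalies plus fast-flux findings, as (name, reason) tuples."""
    alerts = [(q, r) for q, s, ttl, a in responses for r in check_response(q, s, ttl, a)]
    for q, n in detect_fast_flux(responses).items():
        alerts.append((q, f"{n} distinct short-TTL answers (fast-flux indicator)"))
    return alerts


if __name__ == "__main__":
    for name, reason in analyze(RESPONSES):
        print(name, reason)
```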
Question 112:
How does FortiNDR’s detection of IoT device compromise contribute to network security?
A) IoT devices are too simple to be compromised
B) It identifies unusual behaviors from IoT devices including unexpected communications, scanning activities, or participation in botnets
C) IoT traffic is indistinguishable from other network traffic
D) IoT devices require no security monitoring
Answer: B
Explanation:
FortiNDR identifies unusual behaviors from IoT devices including unexpected communications, scanning activities, or participation in botnets by monitoring IoT device network activity and detecting deviations from expected behaviors, revealing compromised devices that attackers use for various malicious purposes including botnet participation and network pivoting.
IoT compromise detection identifies multiple threat patterns including detecting IoT devices making unexpected outbound connections suggesting botnet command and control, identifying scanning activities from IoT devices indicating compromise for attack purposes, recognizing unusual protocols or ports used by IoT devices inconsistent with their functions, detecting firmware update patterns inconsistent with vendor practices suggesting malicious updates, identifying IoT devices participating in DDoS attacks through unusual traffic volumes, recognizing lateral movement attempts from compromised IoT devices to other systems, and detecting data exfiltration through IoT devices. For example, detecting a smart thermostat scanning internal networks and making connections to external IRC servers exhibits clear botnet compromise behavior, as thermostats should only communicate with their management services and HVAC control systems rather than scanning networks or joining IRC channels.
A is incorrect because IoT devices are frequently compromised due to weak security implementations, default credentials, and unpatched vulnerabilities making them common targets. C is incorrect because IoT devices have characteristic traffic patterns based on their specific functions enabling behavioral analysis to distinguish compromised behavior from normal operations. D is incorrect because IoT devices specifically require security monitoring due to their often weak security postures and increasing use as attack vectors.
Organizations should implement monitoring for IoT device behaviors to detect compromise, segment IoT devices from critical networks to limit attack impact, establish baselines for expected IoT device communications enabling anomaly detection, and implement IoT security policies restricting device capabilities and monitoring for violations.
Question 113:
What role does geofencing and geographic anomaly detection play in FortiNDR?
A) Geographic location is irrelevant to security monitoring
B) Detecting connections to or from unexpected geographic locations helps identify compromised accounts, data exfiltration, and attacks from foreign threat actors
C) Geolocation analysis only supports marketing purposes
D) Geographic patterns cannot indicate security threats
Answer: B
Explanation:
FortiNDR detects connections to or from unexpected geographic locations, which helps identify compromised accounts, data exfiltration, and attacks from foreign threat actors, by establishing geographic baselines for normal operations and alerting when communications involve locations inconsistent with business activities or user patterns.
Geographic anomaly detection identifies multiple threat patterns including detecting authentication from locations where users have never previously appeared, identifying impossible travel where accounts authenticate from distant locations within impossible timeframes, recognizing connections to countries where the organization has no business presence, detecting data uploads to geographic locations inconsistent with approved storage locations, identifying attacks originating from countries known for hosting cybercrime infrastructure, recognizing VPN or proxy usage attempting to hide actual geographic locations, and detecting geographic patterns inconsistent with legitimate business operations. For example, detecting a financial analyst account that normally authenticates only from New York suddenly authenticating from Eastern Europe indicates likely account compromise, as the user could not be in both locations and the organization has no operations in Eastern Europe, making this access highly suspicious.
A is incorrect because geographic location provides valuable context for security analysis enabling detection of compromised accounts, unauthorized access, and threats from specific geographic regions. C is incorrect because while geolocation serves marketing purposes, it provides critical security detection capabilities through identification of geographic anomalies indicating threats. D is incorrect because geographic patterns specifically indicate various security threats including account compromise, insider threats, and attacks from foreign adversaries.
Organizations should implement geographic monitoring and anomaly detection to identify compromised accounts and unauthorized access, establish baseline geographic patterns for normal operations, configure alerts for connections to or from unexpected locations particularly high-risk countries, and combine geographic analysis with other detection methods for comprehensive threat identification.
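The impossible-travel and new-country checks described above, as an added example that is not FortiNDR's own code: it compares each account's successive logins in constructed events, computes great-circle distance and the implied speed, and also flags a login from a country outside the account's baseline. The accounts, coordinates, timestamps and speed threshold are constructed assumptions.

```python
"""Impossible-travel and new-country check over constructed login events.

Hypothetical example (not FortiNDR code): compares each account's successive
logins, computes great-circle distance and implied speed, and also flags a
login from a country outside the account's baseline.
"""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900.0   # faster than an airliner: one person cannot be in both places
EARTH_RADIUS_KM = 6371.0

# Constructed baseline and events: (account, timestamp, city, country, lat, lon).
BASELINE_COUNTRIES = {"analyst1": {"US"}, "analyst2": {"US"}}
LOGINS = [
    ("analyst1", "2024-05-06T09:00:00", "New York", "US", 40.71, -74.01),
    ("analyst1", "2024-05-06T10:00:00", "Bucharest", "RO", 44.43, 26.10),  # one hour later
    ("analyst2", "2024-05-06T09:00:00", "New York", "US", 40.71, -74.01),
    ("analyst2", "2024-05-06T13:00:00", "Boston", "US", 42.36, -71.06),    # plausible trip
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def geo_alerts(logins):
    """Return (account, from_city, to_city, km, km/h, reasons) for suspicious login pairs."""
    by_user = defaultdict(list)
    for user, ts, city, country, lat, lon in logins:
        by_user[user].append((datetime.fromisoformat(ts), city, country, lat, lon))
    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e[0])
        for prev, cur in zip(events, events[1:]):
            hours = (cur[0] - prev[0]).total_seconds() / 3600.0
            dist = haversine_km(prev[3], prev[4], cur[3], cur[4])
            # Simultaneous logins from two places are treated as infinitely fast.
            speed = dist / hours if hours > 0 else float("inf")
            reasons = []
            if speed > MAX_SPEED_KMH:
                reasons.append("impossible travel")
            if cur[2] not in BASELINE_COUNTRIES.get(user, set()):
                reasons.append(f"login from non-baseline country {cur[2]}")
            if reasons:
                alerts.append((user, prev[1], cur[1], round(dist), round(speed), reasons))
    return alerts


if __name__ == "__main__":
    for alert in geo_alerts(LOGINS):
        print(alert)
```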
Question 114:
How does FortiNDR detect shadow IT through unauthorized cloud service usage?
A) All cloud service usage is authorized and monitored by IT
B) It identifies connections to cloud services not approved by IT, including unauthorized SaaS applications, storage services, and collaboration platforms
C) Cloud services cannot be detected through network monitoring
D) Shadow IT poses no security risks
Answer: B
Explanation:
FortiNDR identifies connections to cloud services not approved by IT, including unauthorized SaaS applications, storage services, and collaboration platforms by monitoring all cloud service communications and comparing them against lists of approved services, revealing shadow IT where users adopt unapproved cloud services that may introduce security and compliance risks.
Shadow IT detection identifies multiple risk patterns including detecting uploads to unauthorized cloud storage services potentially causing data leakage, identifying usage of unapproved SaaS applications that may lack appropriate security controls, recognizing personal cloud service usage for business purposes creating data governance issues, detecting collaboration tool usage outside approved platforms potentially exposing sensitive communications, identifying unauthorized remote access services that bypass security controls, recognizing cryptocurrency or blockchain services violating usage policies, and detecting any cloud service communications to services not in approved application inventory. For example, detecting employees uploading documents to personal Dropbox accounts from corporate systems indicates shadow IT data leakage risk, as sensitive business information may be stored in unauthorized locations without encryption, access controls, or data retention policies that approved services provide.
A is incorrect because shadow IT specifically refers to services used without IT approval or knowledge, making monitoring essential to discover these unauthorized services. C is incorrect because cloud services communicate over network connections to specific domains and IP addresses enabling detection through network traffic analysis. D is incorrect because shadow IT introduces security risks including data leakage, lack of access controls, compliance violations, and gaps in security monitoring.
Organizations should implement detection for unauthorized cloud service usage to identify shadow IT, maintain lists of approved cloud services and monitor for communications to unapproved services, investigate shadow IT discoveries to understand business needs driving adoption while addressing security risks, and establish processes for evaluating and approving cloud services to reduce shadow IT through legitimate alternatives.
Question 115:
What is the significance of monitoring SSL/TLS handshake anomalies in FortiNDR?
A) TLS handshakes are standardized and never exhibit anomalies
B) Unusual handshake patterns, cipher selections, or negotiation behaviors can indicate malware, exploitation attempts, or man-in-the-middle attacks
C) Handshake analysis provides no security value
D) Only encrypted payload content matters for security
Answer: B
Explanation:
FortiNDR analyzes SSL/TLS negotiation processes for unusual handshake patterns, cipher selections, or negotiation behaviors, which can indicate malware, exploitation attempts, or man-in-the-middle attacks and reveal malicious connections despite payload encryption.
TLS handshake analysis detects multiple threat indicators including identifying unusual cipher suite selections suggesting malware or attack tools, detecting TLS version downgrade attempts indicating manipulation for exploitation, recognizing handshake patterns characteristic of specific malware families, identifying certificate validation errors or anomalies suggesting malicious infrastructure, detecting unusual TLS extensions or options not commonly used by legitimate applications, recognizing handshake timing anomalies potentially indicating automated tools or attacks, and identifying man-in-the-middle attempts observable through certificate inconsistencies. For example, detecting a connection attempting to negotiate weak obsolete cipher suites no longer supported by legitimate browsers combined with unusual TLS extension combinations suggests either malware using custom TLS implementations or attacks attempting protocol exploitation.
A is incorrect because TLS handshakes exhibit variations in cipher selection, extensions, and negotiation behaviors that distinguish legitimate applications from malware and attacks. C is incorrect because handshake analysis provides valuable security detection capabilities particularly for encrypted traffic where payload inspection is impossible. D is incorrect because handshake metadata provides critical detection capabilities for encrypted traffic where payload content is inaccessible making handshake analysis essential not secondary.
Organizations should implement TLS handshake analysis to detect threats in encrypted traffic, configure detection for unusual cipher selections and handshake patterns indicating malware or attacks, integrate TLS handshake fingerprinting to identify specific applications and malware families, and recognize that handshake analysis enables security visibility into encrypted communications without requiring decryption.
Question 116:
How does FortiNDR detect data exfiltration through steganography in network traffic?
A) Steganographic data hiding is undetectable
B) It identifies suspicious patterns in image transfers, unusual file characteristics, or covert channels hidden within legitimate-appearing content
C) Network monitoring cannot detect hidden data
D) Steganography only affects image files on endpoints
Answer: B
Explanation:
FortiNDR identifies suspicious patterns in image transfers, unusual file characteristics, or covert channels hidden within legitimate-appearing content by analyzing traffic for anomalies that suggest steganographic data hiding where attackers conceal information within innocuous-appearing files or protocols to evade detection.
Steganographic detection identifies multiple suspicious patterns including detecting unusual image file transfers particularly from sensitive data repositories, identifying files with statistical anomalies suggesting embedded data, recognizing unusual volumes of multimedia file transfers inconsistent with normal operations, detecting repeated transfers of similar files with slight variations suggesting iterative data hiding, identifying timing patterns in file transfers suggesting coordinated covert communications, recognizing entropy anomalies in files that should have specific characteristics, and detecting usage of known steganography tools observable through specific file format artifacts. For example, detecting a database administrator account downloading customer data then uploading hundreds of similar-sized image files to external storage exhibits potential steganographic exfiltration, as the pattern suggests stolen data being hidden within image files for covert extraction.
A is incorrect because steganographic data hiding exhibits detectable patterns through file transfer behaviors, statistical anomalies, and contextual indicators that reveal covert data concealment attempts. C is incorrect because network monitoring detects steganography through analysis of transfer patterns, file characteristics observable in network traffic, and behavioral contexts suggesting data hiding. D is incorrect because steganography can affect various file types and network protocols, and network monitoring detects the transfer activities and patterns associated with steganographic exfiltration.
Organizations should implement monitoring for unusual file transfer patterns that may indicate steganographic exfiltration, configure enhanced monitoring for sensitive data repositories to detect any unusual export activities, investigate scenarios where sensitive data access is followed by multimedia file transfers, and recognize that sophisticated adversaries may use steganography requiring detection capabilities beyond simple file type blocking.
Question 117:
What role does application fingerprinting play in FortiNDR’s threat detection?
A) All applications identify themselves accurately
B) Identifying applications through traffic characteristics helps detect misidentified protocols, unauthorized applications, and evasion attempts
C) Application identification is impossible through network traffic
D) Only port numbers are needed to identify applications
Answer: B
Explanation:
FortiNDR identifies applications through their traffic characteristics, which helps detect misidentified protocols, unauthorized applications, and evasion attempts, by analyzing actual traffic patterns and behaviors to determine what applications are truly running regardless of claimed protocols or port numbers.
Application fingerprinting detects multiple threat patterns including identifying applications running on non-standard ports attempting to evade port-based security controls, detecting protocols misidentified through incorrect port usage, recognizing unauthorized applications installed by users or malware, identifying tunneling where applications are wrapped within other protocols, detecting malware masquerading as legitimate applications through behavioral analysis, recognizing custom attack tools through distinctive communication patterns, and identifying protocol violations where claimed protocols don’t match actual behaviors. For example, detecting traffic on port 443 that claims to be HTTPS but exhibits characteristics of remote desktop protocol reveals protocol misidentification used to evade security policies that block RDP but allow HTTPS.
A is incorrect because applications and malware frequently misidentify themselves to evade detection, making behavioral fingerprinting essential for accurate identification. C is incorrect because applications exhibit distinctive traffic characteristics including packet sizes, timing patterns, and protocol behaviors enabling fingerprinting through traffic analysis. D is incorrect because port numbers alone are insufficient for application identification as applications can use non-standard ports and attackers deliberately use misleading ports to evade detection.
Organizations should implement application fingerprinting to accurately identify what applications are running regardless of port numbers or self-identification, configure security policies based on actual application identification rather than relying only on port numbers, detect unauthorized applications through fingerprinting that reveals actual application usage, and recognize that fingerprinting enables detection of evasion attempts where applications are disguised or tunneled.
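The port-443 case from the explanation above, worked as an added example (this is not FortiNDR code, and the port-to-protocol table and the sample payloads are constructed): the first client bytes of each connection are classified by what they look like on the wire, and that is compared with what a port-based policy would assume. An RDP client's initial X.224 Connection Request is sent in clear text before any TLS upgrade, which is what makes it fingerprintable on a port the policy treats as HTTPS.

```python
"""Payload-based application identification, independent of TCP port.

Added example, not FortiNDR code. It classifies the first bytes a client
sends on a TCP connection and compares them with what the destination
port implies, so RDP carried over port 443 is reported as a mismatch
instead of being accepted as HTTPS. The signatures are simplified but
correct for the common case. Port expectations and sample payloads are
constructed for the example.
"""

# What a port-based policy assumes each port carries (assumption).
PORT_EXPECTATION = {22: "ssh", 80: "http", 443: "tls", 3389: "rdp"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ")


def identify_by_payload(payload: bytes) -> str:
    """Return the protocol the first client-to-server bytes actually look like."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), major version 0x03,
    # two-byte record length, then handshake type 0x01 (ClientHello).
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    # RDP: TPKT header (version 3, reserved 0, two-byte length) wrapping an
    # X.224 Connection Request, whose code byte 0xE0 sits at offset 5.
    if len(payload) >= 6 and payload[0] == 0x03 and payload[1] == 0x00 and payload[5] == 0xE0:
        return "rdp"
    if payload.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def check_flow(dst_port: int, payload: bytes) -> dict:
    """Compare what the bytes show with what the port implies and return a verdict."""
    observed = identify_by_payload(payload)
    expected = PORT_EXPECTATION.get(dst_port)
    if observed == "unknown":
        verdict = "unknown"
    elif expected is None:
        verdict = "non-standard-port"   # recognised protocol on a port the policy ignores
    elif observed == expected:
        verdict = "match"
    else:
        verdict = "mismatch"            # e.g. RDP inside a flow the policy treats as HTTPS
    return {"port": dst_port, "expected": expected, "observed": observed, "verdict": verdict}


# Constructed sample payloads: first client bytes of each connection.
TLS_CLIENT_HELLO = bytes.fromhex("160301002a010000260303") + b"\x00" * 32   # truncated ClientHello
RDP_CONNECTION_REQUEST = bytes.fromhex("030000130ee000000000000100080003000000")  # X.224 CR + RDP_NEG_REQ
SAMPLE_FLOWS = [
    (443, TLS_CLIENT_HELLO),            # genuine HTTPS
    (443, RDP_CONNECTION_REQUEST),      # RDP hidden on the HTTPS port
    (8080, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
    (22, b"SSH-2.0-OpenSSH_9.6\r\n"),
]


def scan_samples() -> list:
    """Run every constructed flow through check_flow and return the verdicts."""
    return [check_flow(port, data) for port, data in SAMPLE_FLOWS]


if __name__ == "__main__":
    for result in scan_samples():
        print(result)
```

The second sample flow is the one the explanation describes: the port says HTTPS, the bytes say RDP, and the verdict is "mismatch". A production fingerprinting engine keys on far more than the first record (packet sizes, timing, both directions of the handshake), but the principle is the same: trust the observed behavior, not the port.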
Question 118:
How does FortiNDR detect attacks exploiting trust relationships between systems?
A) Trust relationships are inherently secure and not exploitable
B) It identifies unusual cross-system access patterns, authentication using service accounts across unexpected systems, and abuse of established trust relationships
C) Trust relationship exploitation is undetectable
D) Only endpoint tools can detect trust relationship abuse
Answer: B
Explanation:
FortiNDR identifies unusual cross-system access patterns, authentication using service accounts across unexpected systems, and abuse of established trust relationships by monitoring how systems and accounts interact and detecting patterns where trusted relationships are exploited for unauthorized access or lateral movement.
Trust relationship exploitation detection identifies multiple attack patterns including detecting abuse of service account trust where automated service credentials are used interactively for unauthorized access, identifying exploitation of domain trust relationships for cross-domain attacks, recognizing unusual federation authentication patterns suggesting trust relationship abuse, detecting Kerberos delegation attacks exploiting service authentication trust, identifying lateral movement leveraging administrative trust relationships across systems, recognizing pass-the-ticket attacks abusing Kerberos trust mechanisms, and detecting unusual access patterns between trusted systems suggesting compromised trust exploitation. For example, detecting a service account that normally authenticates only between specific application and database servers suddenly being used for interactive login to domain controllers and workstations indicates trust relationship abuse where attackers exploit the service account’s elevated privileges beyond its intended scope.
A is incorrect because trust relationships are specifically targeted by attackers for privilege escalation and lateral movement despite being legitimate and necessary for operations. C is incorrect because trust relationship exploitation generates observable network patterns through unusual authentication and access behaviors enabling detection. D is incorrect because network monitoring provides valuable visibility into trust relationship abuse through authentication monitoring and cross-system access pattern analysis complementing endpoint detection.
Organizations should monitor trust relationships between systems and accounts to detect exploitation, establish baselines for normal trust usage patterns, configure enhanced alerting for unusual cross-trust-boundary activities, implement principle of least privilege for trust relationships limiting exploitation opportunities, and investigate any anomalous usage of trusted relationships as potential attacks.
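The service-account example from the explanation above, worked as detection logic (added example, not FortiNDR code): each record stands for one Kerberos service-ticket request (TGS-REQ) seen on the wire, a baseline of which hosts, targets and service classes each account normally uses is learned from a quiet period, and later requests are scored against it. The account names, host names, SPNs, and the convention that accounts prefixed "svc_" are service accounts are all assumptions made for the example.

```python
"""Service-account trust baseline over Kerberos service-ticket requests.

Added example, not FortiNDR code. Each record stands for one TGS-REQ
observed on the wire (client account, client host, requested SPN). A
baseline of which hosts, targets and service classes each account
normally uses is learned from a quiet period; later requests are then
scored against it. Account names, host names, SPNs and the rule that
accounts prefixed "svc_" are service accounts are all assumptions made
for the example.
"""
from collections import defaultdict

# Constructed baseline period: svc_app only ever reaches the database server.
BASELINE_EVENTS = [
    ("svc_app", "app01", "MSSQLSvc/db01.corp.example:1433"),
    ("svc_app", "app01", "MSSQLSvc/db01.corp.example:1433"),
    ("svc_app", "app02", "MSSQLSvc/db01.corp.example:1433"),
    ("jdoe", "ws-mkt-17", "cifs/fs01.corp.example"),
    ("jdoe", "ws-mkt-17", "HTTP/intranet.corp.example"),
]

# Constructed later traffic: svc_app is now used from a marketing workstation
# to request tickets for RDP to a domain controller and for a finance workstation.
LATER_EVENTS = [
    ("svc_app", "app01", "MSSQLSvc/db01.corp.example:1433"),
    ("svc_app", "ws-mkt-17", "TERMSRV/dc01.corp.example"),
    ("svc_app", "ws-mkt-17", "cifs/ws-fin-03.corp.example"),
    ("jdoe", "ws-mkt-17", "cifs/fs01.corp.example"),
]

# SPN service classes that imply interactive or host-level access (assumption).
INTERACTIVE_CLASSES = {"TERMSRV", "HOST"}


def split_spn(spn: str):
    """'MSSQLSvc/db01.corp.example:1433' -> ('MSSQLSVC', 'db01.corp.example')."""
    service_class, _, rest = spn.partition("/")
    return service_class.upper(), rest.split(":")[0].lower()


def build_baseline(events):
    """Learn, per account, the source hosts, target hosts and service classes it uses."""
    baseline = defaultdict(lambda: {"hosts": set(), "targets": set(), "classes": set()})
    for account, src_host, spn in events:
        cls, target = split_spn(spn)
        baseline[account]["hosts"].add(src_host)
        baseline[account]["targets"].add(target)
        baseline[account]["classes"].add(cls)
    return dict(baseline)


def detect_trust_abuse(baseline, events):
    """Return one finding per request that departs from the account's baseline."""
    findings = []
    for account, src_host, spn in events:
        cls, target = split_spn(spn)
        known = baseline.get(account)
        reasons = []
        if known is None:
            reasons.append("account never seen in baseline")
        else:
            if src_host not in known["hosts"]:
                reasons.append(f"new source host {src_host}")
            if target not in known["targets"]:
                reasons.append(f"new target {target}")
            if cls not in known["classes"]:
                reasons.append(f"new service class {cls}")
            # A service account asking for TERMSRV/ or HOST/ tickets is being used
            # interactively, outside the app-to-database trust it was created for.
            if account.startswith("svc_") and cls in INTERACTIVE_CLASSES:
                reasons.append("service account requesting interactive-style service")
        if reasons:
            findings.append({"account": account, "src": src_host, "spn": spn, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in detect_trust_abuse(build_baseline(BASELINE_EVENTS), LATER_EVENTS):
        print(finding)
```

The two flagged requests are exactly the ones the explanation calls out: a service account that normally authenticates only from application servers to the database is suddenly used from a workstation to reach a domain controller and another workstation. Each departure from the baseline is reported separately so an analyst can see whether it is the source, the target, or the kind of service that is unusual.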
Question 119:
What is the importance of detecting reconnaissance through OSINT gathering in FortiNDR?
A) OSINT gathering occurs entirely outside the network
B) Network connections to information gathering tools, WHOIS services, or social media scraping suggest reconnaissance preparation
C) Open source intelligence cannot be detected
D) OSINT is only used for legitimate research
Answer: B
Explanation:
Network connections to information-gathering tools, WHOIS services, or social media scraping endpoints suggest reconnaissance preparation. FortiNDR detects when systems inside the network are conducting intelligence-gathering activity, which may indicate either an insider threat or a compromised system being used to prepare an attack.
OSINT reconnaissance detection identifies multiple suspicious patterns including detecting connections to WHOIS lookup services suggesting domain research, identifying social media API usage consistent with scraping or data harvesting, recognizing connections to search engines with patterns suggesting automated intelligence gathering, detecting usage of reconnaissance frameworks like Recon-ng or theHarvester observable through their network signatures, identifying certificate transparency log queries used to discover infrastructure, recognizing unusual volumes of DNS queries suggesting domain enumeration, and detecting connections to public code repositories when searching for organizational information. For example, detecting an internal workstation, whether operated by a malicious insider or compromised by an external attacker, making thousands of LinkedIn API calls to enumerate company employees followed by WHOIS lookups for company domains exhibits reconnaissance behavior where attackers gather intelligence about the organization and personnel before launching targeted attacks.
A is incorrect because while much OSINT gathering does occur outside networks, reconnaissance activities from compromised internal systems generate network traffic revealing intelligence gathering preparations. C is incorrect because OSINT gathering activities create network connections to specific services and exhibit patterns detectable through traffic analysis despite using publicly available information sources. D is incorrect because while OSINT has legitimate research uses, reconnaissance patterns from unexpected sources or combined with other suspicious indicators suggest attack preparation requiring investigation.
Organizations should monitor for reconnaissance activities including unusual intelligence gathering patterns, investigate OSINT-related network traffic from unexpected sources as potential insider threats or compromised systems, recognize that detecting reconnaissance provides early warning of potential attacks before actual exploitation, and combine OSINT detection with threat intelligence about current attack campaigns targeting similar organizations.
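The LinkedIn-then-WHOIS sequence from the explanation above, worked as a two-stage correlation (added example, not FortiNDR code): stage 1 finds a burst of requests from one internal host to intelligence-gathering endpoints inside a sliding window, and stage 2 checks whether the same host then performs WHOIS lookups (TCP port 43) for the organisation's own domains shortly afterwards. The endpoint list, the organisation's domains, the thresholds and the log records are all constructed for the example.

```python
"""Two-stage reconnaissance correlation over outbound connection logs.

Added example, not FortiNDR code. Stage 1 finds a burst of requests from
one internal host to intelligence-gathering endpoints (social media APIs,
certificate transparency logs) inside a sliding window; stage 2 checks
whether the same host then performs WHOIS lookups (TCP port 43) for the
organisation's own domains shortly afterwards. The endpoint list, the
organisation's domains, the thresholds and the log records are all
constructed for the example.
"""
from collections import defaultdict

RECON_ENDPOINTS = {"api.linkedin.com", "crt.sh", "api.shodan.io"}   # assumption
ORG_DOMAINS = {"corp-example.com", "corp.example"}                 # assumption
BURST_THRESHOLD = 50      # recon requests ...
BURST_WINDOW = 600        # ... inside any 10-minute window
FOLLOWUP_WINDOW = 3600    # a WHOIS lookup within an hour of the burst start qualifies

# Constructed log records: (epoch seconds, src host, dst host, dst port, queried name).
# ws-mkt-17 makes 80 LinkedIn API calls in four minutes, then a WHOIS lookup for
# the company domain; ws-eng-02 makes a handful of calls spread over ten minutes.
LOG = [(1000 + 3 * i, "ws-mkt-17", "api.linkedin.com", 443, "") for i in range(80)]
LOG.append((1500, "ws-mkt-17", "whois.verisign-grs.com", 43, "corp-example.com"))
LOG += [(1000 + 120 * i, "ws-eng-02", "api.linkedin.com", 443, "") for i in range(5)]
LOG.append((1300, "ws-eng-02", "whois.verisign-grs.com", 43, "corp-example.com"))
LOG.sort()


def find_bursts(log):
    """Per source host, the first sliding window holding >= BURST_THRESHOLD recon requests."""
    per_src = defaultdict(list)
    for ts, src, dst, _port, _name in log:
        if dst in RECON_ENDPOINTS:
            per_src[src].append(ts)
    bursts = {}
    for src, times in per_src.items():
        times.sort()
        start = 0
        for end, t_end in enumerate(times):
            while t_end - times[start] > BURST_WINDOW:
                start += 1          # slide the window forward until it spans <= BURST_WINDOW
            if end - start + 1 >= BURST_THRESHOLD:
                bursts[src] = (times[start], t_end)
                break
    return bursts


def correlate_recon(log):
    """Pair each burst with a later WHOIS lookup of an organisation domain by the same host."""
    bursts = find_bursts(log)
    findings = []
    for ts, src, _dst, port, name in log:
        if port != 43 or src not in bursts:
            continue
        burst_start, burst_end = bursts[src]
        if burst_end <= ts <= burst_start + FOLLOWUP_WINDOW and name in ORG_DOMAINS:
            findings.append({"src": src, "burst": (burst_start, burst_end),
                             "whois_at": ts, "domain": name})
    return findings


if __name__ == "__main__":
    for finding in correlate_recon(LOG):
        print(finding)
```

Only ws-mkt-17 is reported: it crosses the burst threshold and then queries WHOIS for a company domain, while ws-eng-02's five calls never form a burst, so its WHOIS lookup is left alone. Requiring the second stage is what keeps a single recruiter's normal LinkedIn use from paging an analyst.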
Question 120:
How does FortiNDR’s detection of persistence mechanisms through network indicators contribute to security?
A) Persistence mechanisms operate entirely locally without network activity
B) It identifies network communications from persistence mechanisms like scheduled tasks, services, or startup items that maintain attacker access
C) Persistence cannot be detected through network monitoring
D) Only endpoint tools detect persistence
Answer: B
Explanation:
FortiNDR identifies network communications from persistence mechanisms like scheduled tasks, services, or startup items that maintain attacker access by detecting the network activities generated when persistence mechanisms execute, revealing ongoing compromises where attackers maintain long-term access to systems.
Persistence mechanism detection through network analysis identifies multiple indicators including detecting network connections from scheduled tasks executing malicious commands at specific times, identifying communications from malicious services or daemons that start automatically, recognizing startup item execution through characteristic network patterns when systems boot, detecting persistence through DLL hijacking observable when hijacked applications make unexpected network connections, identifying registry-based persistence through unusual network activity when registry-launched processes execute, recognizing WMI event subscription persistence through unusual remote execution patterns, and detecting persistence mechanisms through their regular recurring network communications. For example, detecting network connections to a suspicious external IP address that begin fifteen minutes after each boot and then recur precisely every hour indicates a persistence mechanism: malware configured to execute via a scheduled task is maintaining its command and control connection on a recurring schedule.
A is incorrect because persistence mechanisms typically involve malware or backdoors that communicate over the network for command and control making network activity observable. C is incorrect because persistence mechanism execution generates network traffic when malicious payloads communicate with controllers or perform malicious activities enabling network-based detection. D is incorrect because network monitoring provides complementary persistence detection through observation of communications from persistent malware alongside endpoint detection of persistence establishment.
Organizations should implement detection for network indicators of persistence mechanisms to identify ongoing compromises, configure behavioral monitoring for recurring suspicious network patterns suggesting persistent malware, investigate detected persistence indicators to identify and remove persistence mechanisms preventing continued access, and recognize that persistence detection is essential for complete incident remediation ensuring attackers cannot maintain access.
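The hourly-beacon example from the explanation above, worked as a periodicity check (added example, not FortiNDR code): for each (source, destination) pair it computes the inter-arrival times between connections and flags pairs whose intervals are both numerous and highly regular, which is the signature a scheduled task or auto-starting service leaves when it calls home. The thresholds, host names and timestamps are constructed for the example; 203.0.113.45 is a documentation address, not a real indicator.

```python
"""Periodicity (beacon) detection over connection timestamps.

Added example, not FortiNDR code. For each (source, destination) pair it
computes the inter-arrival times between connections and flags pairs whose
intervals are both numerous and highly regular, the signature a scheduled
task or auto-starting service leaves when it calls home. Thresholds,
hosts and timestamps are constructed for the example; 203.0.113.45 is a
documentation address, not a real indicator.
"""
import statistics
from collections import defaultdict

MIN_CONNECTIONS = 6     # too few samples and the statistics mean nothing (assumption)
MAX_CV = 0.15           # coefficient of variation (std / mean) of the gaps (assumption)


def build_sample_log():
    """Constructed connection log: (timestamp, src host, dst)."""
    log = []
    # Persistence: first contact 15 minutes after boot (t = 0), then hourly with
    # small jitter, the pattern of a scheduled task with an hourly trigger.
    jitter = [5, -12, 20, -7, 0, 15, -25, 9, 3, -18, 11]
    t = 900
    log.append((t, "ws-fin-03", "203.0.113.45"))
    for j in jitter:
        t += 3600 + j
        log.append((t, "ws-fin-03", "203.0.113.45"))
    # Ordinary browsing: the same host hits a CDN at irregular intervals.
    gaps = [12, 840, 33, 1900, 7, 450, 2200, 61, 990, 15, 1400]
    t = 100
    log.append((t, "ws-fin-03", "cdn.example.net"))
    for g in gaps:
        t += g
        log.append((t, "ws-fin-03", "cdn.example.net"))
    return sorted(log)


def find_beacons(log, min_connections=MIN_CONNECTIONS, max_cv=MAX_CV):
    """Return the (src, dst) pairs whose connection intervals are regular enough to be a beacon."""
    by_pair = defaultdict(list)
    for ts, src, dst in log:
        by_pair[(src, dst)].append(ts)
    beacons = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        # A low coefficient of variation means the gaps are nearly constant,
        # which human-driven traffic almost never produces over many connections.
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            beacons.append({"src": src, "dst": dst, "period_s": round(mean),
                            "cv": round(cv, 4), "first_seen": times[0], "count": len(times)})
    return beacons


if __name__ == "__main__":
    for b in find_beacons(build_sample_log()):
        print(b)
```

The hourly connections to 203.0.113.45 come out with a period of 3600 s and a coefficient of variation well under a percent, while the CDN traffic from the same workstation, with gaps ranging from seconds to over half an hour, is not flagged. Malware that randomises its sleep interval will raise the CV, which is why the threshold is a tunable and why persistence detection should be combined with destination reputation and the endpoint-side view of what scheduled task or service is producing the traffic.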