Fortinet FCSS_NST_SE-7.4 Exam Dumps and Practice Test Questions Set10 Q136-150

Question 136:

How does FortiNDR’s detection of fileless malware through network behavior analysis enhance endpoint security?

A) Fileless malware leaves no network traces

B) It identifies network patterns from memory-resident malware including command execution, script downloads, and C2 communications despite lack of malware files

C) Only endpoint tools can detect fileless malware

D) Fileless attacks are undetectable by any security tool

Answer: B

Explanation:

FortiNDR identifies network patterns from memory-resident malware, including command execution, script downloads, and C2 communications, despite the lack of malware files: it detects the network activity generated by fileless malware even though the malware itself resides only in memory, without the persistent files that traditional antivirus would detect.

Fileless malware network detection identifies multiple behavioral patterns, including detecting PowerShell or other scripting tools downloading and executing code directly in memory, identifying unusual script downloads from external sources suggesting fileless malware delivery, recognizing command and control communications from legitimate processes exploited by fileless malware, detecting Windows Management Instrumentation usage for remote code execution characteristic of fileless attacks, identifying credential theft network patterns associated with fileless tools like Mimikatz running in memory, recognizing lateral movement using fileless techniques observable through remote execution protocols, and detecting unusual network behaviors from system processes indicating in-memory malware presence. For example, detecting PowerShell downloading an encoded script from a suspicious external source and then immediately establishing persistent C2 communications, despite no malware files being written to disk, indicates a fileless attack where malicious code executes entirely in memory but still creates detectable network signatures.

A is incorrect because fileless malware generates network traffic for downloading scripts, command and control, lateral movement, and data exfiltration making network-based detection effective despite lack of malware files. C is incorrect because network monitoring provides valuable fileless malware detection capabilities complementing endpoint tools through detection of network behaviors. D is incorrect because fileless attacks create detectable network patterns and behaviors enabling security tools including network detection systems to identify these sophisticated threats.

Organizations should implement network behavioral monitoring to detect fileless malware through network signatures, configure enhanced monitoring for scripting tool network activities particularly unexpected downloads or C2 patterns, combine network detection with endpoint memory analysis for comprehensive fileless threat visibility, establish baselines for normal scripting tool usage enabling detection of malicious abuse, and investigate detected fileless indicators promptly as these sophisticated attacks often indicate targeted campaigns.

Question 137:

What is the significance of detecting VoIP and unified communications exploitation in FortiNDR?

A) VoIP systems are never targeted by attackers

B) VoIP exploitation enables eavesdropping, toll fraud, denial of service, and pivot points for network attacks

C) Voice traffic cannot be monitored for security purposes

D) Unified communications pose no security risks

Answer: B

Explanation:

FortiNDR monitors VoIP and unified communications traffic for exploitation attempts and anomalous behaviors, revealing attacks that target voice infrastructure for malicious purposes including financial fraud and intelligence gathering; VoIP exploitation enables eavesdropping, toll fraud, denial of service, and pivot points for network attacks.

VoIP security monitoring detects multiple threat patterns, including identifying SIP scanning and enumeration suggesting reconnaissance of phone systems, detecting unauthorized registration attempts indicating toll fraud preparation, recognizing unusual call patterns suggesting compromised accounts or fraud, identifying VoIP denial of service attacks through call flooding or protocol abuse, detecting eavesdropping attempts through unusual RTP stream captures, recognizing exploitation attempts targeting VoIP server vulnerabilities, and identifying compromised VoIP devices used as network pivot points. For example, detecting thousands of SIP REGISTER attempts from external sources trying different extension numbers indicates VoIP system reconnaissance and brute force attack preparation for toll fraud, where attackers compromise phone accounts to make fraudulent international calls at the organization's expense.

A is incorrect because VoIP systems are frequently targeted by attackers for toll fraud, eavesdropping, and as pivot points into enterprise networks. C is incorrect because voice traffic and VoIP signaling protocols can be monitored for security purposes revealing exploitation attempts and fraudulent usage. D is incorrect because unified communications systems pose significant security risks including toll fraud, privacy violations through eavesdropping, and use as attack vectors requiring security monitoring.

Organizations should implement monitoring for VoIP and unified communications security threats, establish baselines for normal call patterns and system access, configure alerts for VoIP scanning, unauthorized registrations, or unusual call patterns, implement VoIP security controls including strong authentication and encryption alongside monitoring, and investigate detected VoIP anomalies particularly unauthorized access or fraud indicators requiring immediate response to prevent financial losses.

Question 138:

How does FortiNDR detect adversary-in-the-middle attacks through traffic analysis?

A) Man-in-the-middle attacks are undetectable during execution

B) It identifies suspicious certificate changes, ARP poisoning, DNS spoofing, and traffic redirection patterns indicating interception attempts

C) Traffic interception creates no observable network anomalies

D) Only encrypted traffic can be intercepted

Answer: B

Explanation:

FortiNDR identifies suspicious certificate changes, ARP poisoning, DNS spoofing, and traffic redirection patterns indicating interception attempts by monitoring network traffic for anomalies characteristic of adversary-in-the-middle attacks where attackers position themselves between communicating parties to intercept, monitor, or modify communications.

Adversary-in-the-middle detection identifies multiple attack patterns, including detecting ARP spoofing where attackers announce themselves as the gateway to intercept traffic, identifying suspicious TLS certificate changes suggesting SSL stripping or certificate substitution, recognizing DNS response spoofing redirecting traffic to attacker-controlled systems, detecting unusual traffic routing where communications pass through unexpected intermediate systems, identifying DHCP spoofing providing malicious network configurations, recognizing ICMP redirect attacks manipulating routing, and detecting proxy behaviors suggesting traffic interception. For example, detecting sudden TLS certificate changes for banking websites combined with ARP announcements claiming to be the default gateway indicates an adversary-in-the-middle attack where the attacker intercepts and potentially modifies traffic between users and financial services.

A is incorrect because adversary-in-the-middle attacks create detectable network anomalies including protocol spoofing, certificate inconsistencies, and routing manipulation observable during attack execution. C is incorrect because traffic interception specifically creates observable network anomalies through the techniques required to position attackers between communicating parties. D is incorrect because both encrypted and unencrypted traffic can be intercepted, with encrypted traffic potentially subject to certificate substitution or SSL stripping attacks.

Organizations should implement detection for adversary-in-the-middle attack techniques including ARP and DNS monitoring, certificate change detection, and routing anomaly identification, configure alerts for indicators of traffic interception attempts, implement technical controls like DHCP snooping and dynamic ARP inspection alongside detection, educate users to recognize certificate warnings and suspicious site behaviors, and investigate detected interception attempts as high-priority security incidents requiring immediate response.

Question 139:

What role does detection of IoT botnet command patterns play in FortiNDR security monitoring?

A) IoT devices never participate in botnets

B) It identifies communication patterns characteristic of IoT botnets including Mirai variants, enabling detection and isolation of infected devices

C) Botnet traffic is indistinguishable from legitimate IoT communications

D) IoT botnets only affect internet infrastructure, not enterprises

Answer: B

Explanation:

FortiNDR identifies communication patterns characteristic of IoT botnets including Mirai variants, enabling detection and isolation of infected devices by monitoring IoT device network behaviors and recognizing command and control patterns, scanning activities, and attack participation characteristic of IoT botnet malware.

IoT botnet detection identifies multiple threat patterns, including detecting communications with known botnet command and control infrastructure, identifying scanning behaviors where infected IoT devices probe for additional victims, recognizing DDoS attack participation through unusual traffic volumes directed at external targets, detecting botnet-specific protocols and communication patterns, identifying firmware infection or modification attempts, recognizing cryptocurrency mining activities on compromised IoT devices, and detecting lateral movement from infected IoT devices to other network systems. For example, detecting IP cameras making IRC connections to external servers, combined with network scanning behaviors and participation in DDoS attacks, indicates a Mirai botnet infection where IoT devices are compromised and controlled for launching attacks against internet targets.

A is incorrect because IoT devices are frequently compromised into botnets due to weak security, default credentials, and lack of security updates. C is incorrect because botnet traffic exhibits distinctive patterns including specific C2 protocols, scanning behaviors, and attack participation distinguishable from legitimate IoT device communications. D is incorrect because IoT botnets affect enterprises through compromised internal devices, bandwidth consumption, potential liability, and use of compromised devices for internal attacks.

Organizations should monitor IoT devices for botnet infection indicators, segment IoT devices from critical networks to limit botnet impact, implement strong authentication and change default credentials on IoT devices, configure alerts for scanning or unusual external communications from IoT devices, and investigate detected botnet behaviors requiring device isolation, cleanup, or replacement to prevent continued malicious activity.

Question 140:

How does FortiNDR’s detection of supply chain software implant behaviors contribute to advanced threat defense?

A) Supply chain attacks only affect software vendors, not customers

B) It identifies suspicious behaviors from legitimate software including unexpected communications, data access, or command execution indicating malicious implants

C) Legitimate software never exhibits malicious behaviors

D) Supply chain compromises are undetectable after deployment

Answer: B

Explanation:

FortiNDR identifies suspicious behaviors from legitimate software including unexpected communications, data access, or command execution indicating malicious implants by monitoring network activities from trusted applications and detecting behaviors inconsistent with normal software operations, revealing supply chain attacks where legitimate software is compromised to include malicious functionality.

Supply chain implant detection identifies multiple suspicious patterns including detecting trusted software communicating with unexpected external destinations not associated with vendor infrastructure, identifying unusual data access from applications exceeding their normal scope, recognizing command execution or privilege escalation from software that shouldn’t perform these operations, detecting software update mechanisms delivering malicious payloads, identifying legitimate applications establishing unexpected persistence mechanisms, recognizing network behaviors from trusted software inconsistent with documented functionality, and detecting code signing anomalies or certificate irregularities. For example, detecting enterprise management software that normally only communicates with vendor update servers suddenly establishing connections to newly registered suspicious domains and accessing sensitive databases indicates supply chain compromise where trusted software is modified to include data theft or backdoor capabilities.

A is incorrect because supply chain attacks specifically target customers through compromised software delivered by vendors, affecting all organizations using the compromised products. C is incorrect because legitimate software when compromised through supply chain attacks exhibits malicious behaviors requiring detection despite the software itself being from trusted sources. D is incorrect because supply chain compromises create detectable behavioral anomalies through unexpected network communications and activities observable after deployment.

Organizations should monitor trusted software for behavioral anomalies suggesting supply chain compromise, maintain awareness of supply chain attack campaigns targeting specific software products, establish baselines for normal software network behaviors enabling anomaly detection, implement application whitelisting and monitoring even for trusted applications, and investigate unexpected behaviors from legitimate software as potential supply chain attacks requiring vendor coordination and potential software isolation.

Question 141:

What is the significance of detecting unusual Windows Event Log access patterns in FortiNDR network monitoring?

A) Event log access is purely local and creates no network traffic

B) Remote event log queries, unusual log clearing activities, or suspicious log collection patterns can indicate attack cleanup, reconnaissance, or credential theft

C) Event logs contain no information valuable to attackers

D) Log access monitoring is only relevant on endpoints

Answer: B

Explanation:

By monitoring network traffic associated with Windows Event Log access, FortiNDR detects patterns revealing attackers attempting to gather information from logs, clear evidence of their activities, or steal credentials captured in authentication events; remote event log queries, unusual log clearing activities, or suspicious log collection patterns can therefore indicate attack cleanup, reconnaissance, or credential theft.

Event log access monitoring detects multiple threat patterns including identifying remote event log queries from unusual sources suggesting reconnaissance or credential harvesting, detecting event log clearing operations potentially indicating attack cleanup to remove evidence, recognizing unusual volumes of log queries suggesting automated credential theft from authentication logs, identifying selective log deletion where specific event IDs are targeted for removal, detecting log forwarding to unauthorized destinations, recognizing remote registry access for log configuration changes, and identifying tools commonly used for credential theft from event logs like PowerShell scripts querying authentication events. For example, detecting a compromised workstation remotely querying Security event logs on domain controllers specifically retrieving authentication events indicates credential theft activity where attackers harvest user credentials from successful logon events recorded in event logs.

A is incorrect because remote event log access occurs over network protocols including RPC and WMI creating observable network traffic revealing log access patterns. C is incorrect because event logs contain valuable information including credentials in authentication events, evidence of attacks, and system activity details useful for reconnaissance. D is incorrect because network monitoring detects remote log access patterns providing visibility into distributed log access activities beyond individual endpoint monitoring.

Organizations should monitor for unusual event log access patterns particularly remote queries or log clearing operations, establish baselines for legitimate log collection and management activities, configure alerts for suspicious log access including selective deletion or unusual query patterns, implement log forwarding to secure SIEM systems preventing local log tampering, and investigate detected log access anomalies as potential attack cleanup or credential theft requiring immediate response.

Question 142:

How does FortiNDR detect malicious use of legitimate API keys and tokens through behavioral analysis?

A) API credentials are always used by authorized applications

B) It identifies unusual API usage patterns including unexpected sources, excessive requests, or access to resources inconsistent with normal credential usage

C) API authentication cannot be monitored through network analysis

D) Stolen credentials exhibit identical behavior to legitimate usage

Answer: B

Explanation:

FortiNDR identifies unusual API usage patterns including unexpected sources, excessive requests, or access to resources inconsistent with normal credential usage by monitoring API authentication and usage behaviors to detect stolen or compromised credentials being abused for unauthorized access despite using valid authentication tokens.

Compromised API credential detection identifies multiple abuse patterns including detecting API usage from unexpected geographic locations or IP addresses, identifying unusual API call volumes exceeding normal application patterns, recognizing API access to resources outside the normal scope for specific credentials, detecting API usage during unusual hours inconsistent with application schedules, identifying simultaneous API usage from multiple locations suggesting credential sharing or theft, recognizing unusual API call sequences or patterns inconsistent with known applications, and detecting data exfiltration through excessive API queries and responses. For example, detecting an application API key normally used from organization data centers suddenly making thousands of API calls from a foreign country accessing and downloading customer databases indicates stolen credentials being used for data theft despite valid authentication.

A is incorrect because API credentials can be stolen, leaked, or compromised enabling unauthorized usage requiring behavioral monitoring beyond simple authentication validation. C is incorrect because API authentication and usage create network traffic including authentication tokens, request patterns, and accessed resources observable through traffic analysis. D is incorrect because stolen credentials typically exhibit behavioral differences from legitimate usage including unusual sources, timing patterns, and accessed resources enabling detection through behavioral analysis.

Organizations should implement behavioral monitoring for API credential usage to detect theft and abuse, establish baselines for normal API usage patterns including sources, volumes, and accessed resources, configure alerts for unusual API activities suggesting compromised credentials, implement API rate limiting and access controls alongside monitoring, and investigate detected API usage anomalies requiring potential credential rotation and access review.

Question 143:

What role does monitoring for unusual packet fragmentation patterns play in detecting evasion attempts in FortiNDR?

A) All packet fragmentation is normal network behavior

B) Deliberately crafted fragmentation including tiny fragments, overlapping fragments, or unusual reassembly patterns can indicate evasion attempts or exploitation

C) Fragmentation patterns provide no security indicators

D) Modern networks never use packet fragmentation

Answer: B

Explanation:

By analyzing packet fragmentation for characteristics revealing attackers deliberately fragmenting traffic to evade security inspection, exploit reassembly vulnerabilities, or hide malicious content across fragment boundaries, FortiNDR recognizes that deliberately crafted fragmentation, including tiny fragments, overlapping fragments, or unusual reassembly patterns, can indicate evasion attempts or exploitation.

Fragmentation evasion detection identifies multiple attack patterns, including detecting tiny fragments designed to split malicious content across multiple packets to evade inspection, identifying overlapping fragments exploiting differences in reassembly implementations, recognizing out-of-order fragment delivery potentially evading stateful inspection, detecting fragmentation of protocols or packet types rarely fragmented legitimately, identifying fragment timeout manipulation exploiting reassembly timer differences, recognizing teardrop attacks using overlapping fragments to crash systems, and detecting fragmentation patterns characteristic of specific evasion tools. For example, detecting HTTP traffic fragmented into eight-byte fragments with some overlapping boundaries indicates a deliberate evasion attempt, as legitimate fragmentation maintains reasonable fragment sizes based on MTU and does not create overlapping fragments designed to confuse security systems.

A is incorrect because while some fragmentation is normal due to MTU constraints, deliberately crafted fragmentation patterns indicate evasion attempts rather than normal network behavior. C is incorrect because fragmentation patterns provide valuable security indicators revealing evasion techniques and exploitation attempts through abnormal fragmentation characteristics. D is incorrect because modern networks do use fragmentation when packet sizes exceed path MTU, though unusual fragmentation patterns suggest attacks rather than normal MTU-based fragmentation.

Organizations should monitor packet fragmentation patterns to detect evasion and exploitation attempts, configure proper fragment reassembly in security systems to prevent evasion, implement alerts for suspicious fragmentation including tiny fragments or overlapping patterns, consider blocking certain fragmentation types that are rarely legitimate, and investigate detected fragmentation anomalies as potential attacks requiring response.

Question 144:

How does FortiNDR’s detection of unauthorized database replication or backup activities contribute to data protection?

A) All database replication is authorized by database administrators

B) It identifies unusual database replication patterns, unauthorized backup operations, or suspicious database synchronization suggesting data theft preparation

C) Database replication cannot be observed through network monitoring

D) Backup activities never indicate security threats

Answer: B

Explanation:

FortiNDR identifies unusual database replication patterns, unauthorized backup operations, or suspicious database synchronization suggesting data theft preparation by monitoring database protocol traffic for replication and backup activities inconsistent with normal database operations, revealing attackers using legitimate database features for data exfiltration.

Unauthorized database activity detection identifies multiple threat patterns, including detecting database replication initiated from unexpected sources or to unusual destinations, identifying backup operations occurring outside normal backup schedules or from unauthorized systems, recognizing unusual database synchronization patterns suggesting data staging, detecting database dump or export operations from non-administrative accounts, identifying database snapshot creation by unusual users or at suspicious times, recognizing bulk data extraction through database APIs inconsistent with normal application access, and detecting database mirroring to unauthorized systems. For example, detecting database replication from a production database server to an external IP address, initiated by a compromised service account, indicates data theft where attackers abuse legitimate replication features to copy entire databases to attacker-controlled infrastructure.

A is incorrect because database replication can be initiated by attackers with stolen credentials or compromised systems requiring monitoring beyond assuming all replication is authorized. C is incorrect because database replication generates network traffic with distinctive patterns observable through protocol analysis revealing replication activities and destinations. D is incorrect because backup activities initiated by unauthorized users, to unusual destinations, or at suspicious times can indicate data theft preparation requiring security investigation.

Organizations should monitor database replication and backup activities to detect unauthorized data extraction, establish baselines for authorized replication patterns and backup schedules, configure alerts for database operations from unusual sources or to unexpected destinations, implement database activity monitoring and access controls alongside network monitoring, and investigate detected unauthorized database operations as high-priority data theft incidents requiring immediate response.

Question 145:

What is the importance of detecting session hijacking attempts through TCP sequence analysis in FortiNDR?

A) TCP sequence numbers are random and provide no security value

B) Unusual sequence number patterns, duplicate ACKs, or injected packets can indicate session hijacking or man-in-the-middle attacks

C) Session hijacking cannot be detected through network traffic analysis

D) TCP sequence analysis only monitors connection performance

Answer: B

Explanation:

By analyzing TCP sequence numbers and acknowledgments for anomalies revealing attempts to inject malicious packets into established sessions or hijack connections between legitimate parties, FortiNDR recognizes that unusual sequence number patterns, duplicate ACKs, or injected packets can indicate session hijacking or man-in-the-middle attacks.

Session hijacking detection through sequence analysis identifies multiple attack patterns, including detecting sequence number desynchronization where attacker packets create sequence gaps, identifying duplicate acknowledgments suggesting packet injection attempts, recognizing unusual retransmission patterns inconsistent with normal network behavior, detecting packets with sequence numbers outside expected windows, identifying RST injection attempts to terminate connections, recognizing sequence prediction patterns used in blind hijacking attacks, and detecting acknowledgment manipulation indicating connection hijacking. For example, detecting sudden sequence number jumps in an established SSH session combined with duplicate data acknowledgments indicates a hijacking attempt where the attacker injects malicious commands into the authenticated session by exploiting sequence number prediction or packet injection.

A is incorrect because TCP sequence numbers follow predictable patterns within connections and deviations from expected sequence progressions provide valuable security indicators revealing hijacking attempts. C is incorrect because session hijacking creates observable network anomalies through sequence number irregularities, duplicate packets, and injection attempts detectable through traffic analysis. D is incorrect because TCP sequence analysis provides critical security capabilities beyond performance monitoring through detection of hijacking and injection attacks.

Organizations should implement TCP sequence analysis to detect session hijacking attempts, configure alerts for sequence number anomalies or duplicate acknowledgment patterns, recognize that session hijacking enables attackers to inject commands into authenticated sessions, implement encryption and session authentication to prevent hijacking, and investigate detected sequence anomalies as potential hijacking requiring session termination and security response.

Question 146:

How does FortiNDR detect malicious use of legitimate management protocols like IPMI or iLO?

A) Out-of-band management is always secure and authorized

B) It identifies unusual IPMI/iLO access patterns, default credential usage, or suspicious management commands indicating infrastructure compromise

C) Management protocols cannot be monitored for security purposes

D) Only physical server access poses security risks

Answer: B

Explanation:

FortiNDR identifies unusual IPMI/iLO access patterns, default credential usage, or suspicious management commands indicating infrastructure compromise by monitoring out-of-band management protocols for access patterns and commands inconsistent with normal infrastructure administration, revealing attacks targeting server management interfaces for persistent access or system control.

Management protocol monitoring detects multiple threat patterns, including detecting IPMI or iLO access from unexpected sources or geographic locations, identifying authentication attempts using default credentials common in unpatched management interfaces, recognizing unusual management commands such as virtual media mounting or remote console activation, detecting firmware manipulation through management interfaces, identifying power control commands from unauthorized sources, recognizing mass management protocol scanning suggesting reconnaissance for vulnerable interfaces, and detecting lateral movement through management networks. For example, detecting IPMI authentication from an external internet source using default credentials, followed by virtual media mounting and remote console activation, indicates infrastructure compromise where attackers access server management to install malware or steal data through out-of-band channels that bypass operating system security.

A is incorrect because out-of-band management interfaces are frequently exploited due to weak default credentials, unpatched vulnerabilities, and lack of monitoring requiring security oversight. C is incorrect because management protocols create network traffic with observable access patterns, commands, and behaviors enabling security monitoring. D is incorrect because remote management interfaces provide powerful system access without physical presence making remote attacks through these interfaces significant security risks.

Organizations should monitor management protocol usage to detect unauthorized infrastructure access, change default credentials on all management interfaces and detect default credential usage attempts, segment management networks from production networks, configure alerts for unusual management access or commands, and investigate detected management protocol anomalies as potential infrastructure compromise requiring immediate response.

Question 147:

What role does detection of unusual NFS or SMB mount operations play in FortiNDR security monitoring?

A) All network file system mounts are legitimate file sharing

B) Unusual mount patterns, unauthorized share access, or suspicious file system operations can indicate data theft, ransomware preparation, or lateral movement

C) File system mount operations cannot be detected through network monitoring

D) Network file shares pose no security risks

Answer: B

Explanation:

FortiNDR detects unusual mount patterns, unauthorized share access, or suspicious file system operations that can indicate data theft, ransomware preparation, or lateral movement by monitoring NFS and SMB mount operations and file system access for patterns inconsistent with normal file sharing usage, revealing various attack activities targeting network file systems.

File system mount monitoring detects multiple threat patterns including detecting unusual systems mounting file shares they don’t normally access, identifying mount operations from unexpected user accounts suggesting compromised credentials, recognizing mass file system mounting across many shares suggesting reconnaissance or ransomware preparation, detecting administrative share mounting from non-administrative systems indicating lateral movement, identifying unusual file operations following mount events such as mass deletion or encryption, recognizing mount attempts to hidden or administrative shares, and detecting mount operations during unusual hours when normal file sharing wouldn’t occur. For example, detecting a marketing workstation mounting administrative shares on domain controllers and file servers throughout the network indicates lateral movement where attackers use compromised credentials to access privileged shares for further reconnaissance or data theft.

A is incorrect because network file system mounts can indicate attacks including data theft, ransomware deployment, and lateral movement requiring security monitoring beyond assuming all mounts are legitimate. C is incorrect because file system mount operations use network protocols including SMB and NFS creating observable traffic patterns revealing mount activities and accessed resources. D is incorrect because network file shares frequently contain sensitive data and provide lateral movement vectors making them significant security concerns requiring monitoring.

Organizations should monitor file system mount operations to detect unauthorized access and attack preparation, establish baselines for normal share access patterns including which systems mount which shares, configure alerts for unusual mount operations particularly administrative shares from unexpected sources, implement share access controls and monitoring, and investigate detected mount anomalies as potential data theft or attack preparation requiring immediate response.

Question 148:

How does FortiNDR’s detection of data encoding in DNS queries enhance exfiltration detection?

A) DNS queries never contain encoded data

B) It identifies suspicious patterns in DNS query strings including Base64 encoding, hexadecimal data, or unusual query lengths suggesting DNS tunneling or data exfiltration

C) DNS query content is irrelevant to security monitoring

D) Data exfiltration only occurs through HTTP/HTTPS protocols

Answer: B

Explanation:

FortiNDR identifies suspicious patterns in DNS query strings including Base64 encoding, hexadecimal data, or unusual query lengths suggesting DNS tunneling or data exfiltration by analyzing DNS query characteristics for patterns indicating abuse of DNS protocol for covert data transmission rather than legitimate name resolution.

DNS exfiltration detection identifies multiple suspicious patterns including detecting unusually long subdomain strings suggesting encoded data in queries, identifying Base64 or hexadecimal encoding patterns in DNS queries inconsistent with normal domain names, recognizing high volumes of DNS queries to single domains suggesting data transmission, detecting queries with high entropy suggesting encrypted or compressed data, identifying systematic query patterns indicating automated data exfiltration, recognizing unusual TXT record queries and responses potentially carrying data, and detecting DNS query timing patterns suggesting data streaming. For example, detecting hundreds of DNS queries to an attacker-controlled domain with 200-character random-appearing subdomains indicates DNS tunneling exfiltration, where stolen data is encoded into DNS query subdomains to bypass security controls focused on web and email protocols.

A is incorrect because DNS queries can contain encoded data when abused for tunneling or exfiltration, requiring detection of these abnormal query patterns. C is incorrect because DNS query content provides valuable security indicators revealing data exfiltration, command and control, and covert channel usage. D is incorrect because data exfiltration occurs through multiple protocols including DNS tunneling which is specifically used to bypass security controls monitoring web traffic.

Organizations should implement DNS query analysis to detect exfiltration and tunneling, configure alerts for unusual DNS query characteristics including excessive lengths or encoding patterns, establish baselines for normal DNS query patterns, consider implementing DNS filtering blocking suspicious query patterns, and investigate detected DNS anomalies as potential exfiltration requiring immediate containment.
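The indicators listed in the explanation above (subdomain length, encoding alphabet, entropy, TXT record use, and query volume per domain) combined into a small scoring routine over a DNS query log. This is an added illustration, not FortiNDR code; the thresholds, the "last two labels" notion of a registered domain, and the sample log are assumptions constructed for the example.

```python
import hashlib
import math
import re
from collections import Counter, defaultdict
MAX_SUBDOMAIN_LEN = 100   # assumed threshold: characters left of the registered domain
ENTROPY_THRESHOLD = 3.5   # assumed threshold in bits/char; hostnames usually score well below
VOLUME_THRESHOLD = 50     # assumed threshold: queries per (client, domain) in the window
ENCODED_RE = re.compile(r"^(?:[0-9a-f]+|[A-Za-z0-9+/=_-]+)$")  # hex or base64-like alphabet

def shannon_entropy(s: str) -> float:
    """Bits per character of the string's symbol distribution (s must be non-empty)."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def split_qname(qname: str):
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])  # last two labels = registered domain (simplification)

def score_query(qname: str, qtype: str) -> set:
    """Per-query indicators from the explanation: label length, entropy, encoding alphabet, TXT use."""
    flat = split_qname(qname)[0].replace(".", "")
    reasons = set()
    if len(flat) > MAX_SUBDOMAIN_LEN:
        reasons.add("long_subdomain")
    if flat and shannon_entropy(flat) > ENTROPY_THRESHOLD:
        reasons.add("high_entropy")
    if len(flat) >= 32 and ENCODED_RE.match(flat):
        reasons.add("encoded_labels")
    if qtype == "TXT":
        reasons.add("txt_query")
    return reasons

def analyze(queries, min_reasons=3):
    """Aggregate per (client, registered domain); report pairs with >= min_reasons distinct indicators."""
    reasons, volume = defaultdict(set), Counter()
    for client, qname, qtype in queries:
        key = (client, split_qname(qname)[1])
        volume[key] += 1
        reasons[key] |= score_query(qname, qtype)
    for key, n in volume.items():
        if n > VOLUME_THRESHOLD:          # many queries to one domain: data streaming over DNS
            reasons[key].add("high_volume")
    return {k: v for k, v in reasons.items() if len(v) >= min_reasons}

def constructed_sample():
    """Constructed log: ordinary lookups plus 120 TXT queries carrying hex chunks in 60-char labels."""
    normal = [("10.0.0.5", "www.example.com", "A"), ("10.0.0.7", "cdn.example.com", "AAAA")]
    chunks = (hashlib.sha256(f"chunk{i}".encode()).hexdigest() * 3 for i in range(120))
    tunnel = [("10.0.0.9", ".".join(p[j:j + 60] for j in range(0, 192, 60)) + ".exfil-example.test", "TXT")
              for p in chunks]
    return normal + tunnel
```

Run `analyze(constructed_sample())` to see only the tunnel client and domain reported, with the set of indicators that triggered; in production the thresholds should be fitted to a baseline of the organization's own resolver logs.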

Question 149:

What is the significance of detecting privilege escalation through Kerberos ticket manipulation in FortiNDR?

A) Kerberos tickets are unforgeable and cannot be manipulated

B) It identifies Golden Ticket, Silver Ticket, or Pass-the-Ticket attacks through unusual Kerberos authentication patterns and ticket usage

C) Kerberos authentication cannot be monitored at the network level

D) Privilege escalation only occurs on individual endpoints

Answer: B

Explanation:

FortiNDR identifies Golden Ticket, Silver Ticket, or Pass-the-Ticket attacks through unusual Kerberos authentication patterns and ticket usage by monitoring Kerberos protocol traffic for anomalies indicating forged or stolen tickets being used for unauthorized privileged access and lateral movement.

Kerberos attack detection identifies multiple threat patterns including detecting tickets with unusual lifetimes suggesting Golden Ticket forgery, identifying tickets for non-existent or disabled accounts indicating forged tickets, recognizing unusual encryption types in tickets potentially indicating manipulation, detecting tickets used from unexpected sources or geographic locations, identifying ticket usage patterns inconsistent with normal authentication flows, recognizing excessive ticket requests suggesting ticket harvesting, and detecting Pass-the-Ticket activities where stolen tickets authenticate from unusual systems. For example, detecting Kerberos authentication using tickets with ten-year validity periods for a domain administrator account from a workstation that never previously accessed domain controllers indicates a Golden Ticket attack, where attackers forge Kerberos tickets using stolen domain controller credentials to gain unlimited domain access.

A is incorrect because Kerberos tickets can be forged with stolen domain controller keys or stolen and reused in Pass-the-Ticket attacks requiring detection of these abuse patterns. C is incorrect because Kerberos authentication occurs over network protocols creating observable traffic patterns revealing ticket characteristics and usage behaviors. D is incorrect because privilege escalation through Kerberos attacks affects entire domains and enables network-wide lateral movement observable through network authentication monitoring.

Organizations should monitor Kerberos authentication for attack patterns indicating ticket manipulation, establish baselines for normal Kerberos ticket characteristics and usage, configure alerts for unusual tickets or authentication patterns, implement Kerberos security hardening including AES encryption and PAC validation, and investigate detected Kerberos anomalies as potential domain compromise requiring immediate response including potential domain controller credential rotation.
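The ticket checks described in the explanation above (lifetime beyond policy, unknown or disabled principal, unexpected encryption type, and a source host that has never talked to a domain controller) as a small classifier over fields parsed from an observed Kerberos exchange. This is an added illustration, not FortiNDR code; the policy values, the account list, the host baseline and the two sample observations are constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumed domain policy and known-good state (constructed; in practice these come from the KDC and AD).
MAX_TICKET_LIFETIME = timedelta(hours=10)   # Windows default "Maximum lifetime for user ticket"
EXPECTED_ETYPES = {17, 18}                  # AES128/AES256-CTS-HMAC-SHA1-96; RC4-HMAC is etype 23
ENABLED_ACCOUNTS = {"alice", "bob", "administrator"}
DC_BASELINE = {("ws-finance-12", "dc01"), ("ws-it-03", "dc01")}  # (source host, DC) pairs seen before

def check_ticket(obs: dict) -> set:
    """obs: fields parsed from one observed ticket use (cname, etype, src_host, dst_host, start/end)."""
    findings = set()
    if obs["endtime"] - obs["starttime"] > MAX_TICKET_LIFETIME:
        findings.add("excessive_lifetime")           # forged tickets often carry multi-year validity
    if obs["cname"].lower() not in ENABLED_ACCOUNTS:
        findings.add("unknown_or_disabled_account")  # the KDC would not issue a ticket for this principal
    if obs["etype"] not in EXPECTED_ETYPES:
        findings.add("unexpected_etype")             # RC4 on an AES-enforced domain suggests a crafted ticket
    if obs["dst_host"].startswith("dc") and (obs["src_host"], obs["dst_host"]) not in DC_BASELINE:
        findings.add("new_source_to_dc")             # workstation never previously seen authenticating to a DC
    return findings

def classify(findings: set) -> str:
    """Map findings to the attack families named on the page; anything else needs analyst review."""
    if "unknown_or_disabled_account" in findings or {"excessive_lifetime", "new_source_to_dc"} <= findings:
        return "possible_golden_ticket"
    if findings == {"new_source_to_dc"}:
        return "possible_pass_the_ticket"            # well-formed ticket, but replayed from an unusual host
    return "benign" if not findings else "review"

# Constructed observations: a ten-year RC4 administrator ticket from a marketing workstation, and a normal one.
GOLDEN = {"cname": "Administrator", "etype": 23, "src_host": "ws-marketing-07", "dst_host": "dc01",
          "starttime": datetime(2024, 5, 1, 9, 0), "endtime": datetime(2034, 5, 1, 9, 0)}
NORMAL = {"cname": "alice", "etype": 18, "src_host": "ws-finance-12", "dst_host": "dc01",
          "starttime": datetime(2024, 5, 1, 9, 0), "endtime": datetime(2024, 5, 1, 19, 0)}
```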

Question 150:

How does FortiNDR detect malicious insider data hoarding before exfiltration?

A) Data hoarding occurs entirely on local storage without network activity

B) It identifies unusual patterns of data aggregation, systematic file access, or data staging to intermediate locations indicating preparation for theft

C) Insider threats cannot be detected through network monitoring

D) All data access by authorized users is legitimate

Answer: B

Explanation:

FortiNDR identifies unusual patterns of data aggregation, systematic file access, or data staging to intermediate locations indicating preparation for theft by monitoring insider data access behaviors and detecting patterns where authorized users systematically gather sensitive information beyond normal job requirements suggesting malicious intent or preparation for data exfiltration.

Insider data hoarding detection identifies multiple suspicious patterns including detecting systematic access to sensitive data repositories where users methodically retrieve documents beyond immediate work needs, identifying data aggregation where users collect information from multiple disparate sources to single locations, recognizing unusual volumes of data access exceeding normal job-related patterns, detecting access to data outside the user’s typical scope or department, identifying data staging operations where large volumes are moved to intermediate locations, recognizing searches or queries designed to identify and collect specific sensitive information types, and detecting temporal patterns where data hoarding accelerates before planned departures or terminations. For example, detecting a finance employee systematically downloading all customer contracts, product pricing documents, and strategic planning files to a personal workstation over several weeks, despite job responsibilities requiring access to only specific customer accounts, indicates insider data hoarding in preparation for theft when departing for a competitor.

A is incorrect because data hoarding involves accessing and aggregating data from network file shares and databases creating observable network traffic patterns revealing systematic data collection. C is incorrect because insider threats create detectable network patterns through unusual data access, aggregation, and staging activities observable through traffic monitoring. D is incorrect because authorized users can have malicious intent with data access patterns revealing suspicious hoarding distinguishable from legitimate work-related access.

Organizations should monitor for insider data hoarding patterns particularly from users with broad data access, establish baselines for normal data access volumes and patterns enabling anomaly detection, configure enhanced monitoring for sensitive data repositories, implement user behavior analytics combining network and endpoint monitoring for comprehensive insider threat detection, and investigate detected hoarding patterns discreetly, recognizing both security concerns and privacy considerations.