Fortinet FCSS_NST_SE-7.4 Exam Dumps and Practice Test Questions Set13 Q181-195
Question 181:
What is the significance of detecting unusual network file locking patterns in FortiNDR?
A) File locking is purely an application feature unrelated to security
B) It identifies suspicious lock acquisition patterns, unusual lock durations, or lock exhaustion suggesting ransomware preparation or denial of service attacks
C) File locking cannot be observed through network monitoring
D) All file locks are legitimate concurrent access control
Answer: B
Explanation:
FortiNDR identifies suspicious lock acquisition patterns, unusual lock durations, or lock exhaustion suggesting ransomware preparation or denial of service attacks by monitoring network file system locking behaviors and detecting patterns revealing attacks preparing for encryption, causing resource exhaustion, or indicating application compromise.
File locking monitoring detects multiple threat patterns including detecting mass file lock acquisition across many files suggesting ransomware preparation, identifying unusual lock durations indicating resource holding attacks, recognizing systematic locking patterns characteristic of encryption preparation, detecting lock exhaustion preventing legitimate file access, identifying unusual accounts or systems acquiring excessive locks, recognizing lock conflicts indicating concurrent malicious activities, and detecting locking patterns immediately preceding file modifications. For example, a system that rapidly acquires exclusive locks on thousands of files across network shares and then begins modifying them indicates a ransomware attack, where the malware locks files before encryption to block recovery attempts and keep exclusive access during the encryption process.
A is incorrect because file locking patterns have security implications revealing ransomware preparation, denial of service, and malicious file activities. C is incorrect because network file locking uses protocols like SMB creating observable traffic patterns revealing lock operations, durations, and targets. D is incorrect because file locks can indicate attacks including ransomware preparation and denial of service requiring security monitoring.
Organizations should monitor network file locking patterns for unusual activities, establish baselines for normal file locking behaviors, configure alerts for mass lock acquisition or unusual locking patterns, implement file server monitoring detecting suspicious locking combined with file modifications, and investigate detected locking anomalies as potential ransomware requiring immediate isolation and response.
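The "mass exclusive locks, then writes" pattern from the explanation above can be expressed as a small sliding-window heuristic. The following is an added example, not code from the page or from Fortinet: it runs over constructed SMB file-operation events, and the `FileEvent` fields, the thresholds (60 s window, 50 distinct files, 10 writes to locked files) and the sample events are all assumptions chosen for illustration.

```python
"""
Added example (not from the page or from Fortinet): a sliding-window
heuristic for the "mass exclusive locks, then writes" pattern described in
Question 181, run over constructed SMB file-operation events.
The FileEvent fields, the thresholds and the sample events are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: float      # seconds since epoch (assumed normalised from the sensor)
    host: str      # client host that performed the operation
    share: str     # network share name
    path: str      # file path on that share
    op: str        # "lock_exclusive", "unlock" or "write"


def detect_lock_storm(events, window_s=60, min_files=50, min_writes=10):
    """Flag hosts that take exclusive locks on >= min_files distinct files within
    window_s seconds and have written to >= min_writes of the files they locked.
    Returns {host: (peak_distinct_locked_files, writes_to_locked_files)}."""
    recent_locks = defaultdict(deque)   # host -> deque of (ts, share:path) inside the window
    write_hits = defaultdict(int)       # host -> writes to a file that host locked in-window
    flagged = {}
    for ev in sorted(events, key=lambda e: e.ts):
        dq = recent_locks[ev.host]
        while dq and ev.ts - dq[0][0] > window_s:   # drop locks older than the window
            dq.popleft()
        key = f"{ev.share}:{ev.path}"
        if ev.op == "lock_exclusive":
            dq.append((ev.ts, key))
        elif ev.op == "write" and any(k == key for _, k in dq):
            write_hits[ev.host] += 1
        distinct = len({k for _, k in dq})
        if distinct >= min_files and write_hits[ev.host] >= min_writes:
            peak, _ = flagged.get(ev.host, (0, 0))
            flagged[ev.host] = (max(peak, distinct), write_hits[ev.host])
    return flagged


def build_sample_events():
    """Constructed sample: a normal user editing a few files over ten minutes,
    and a host that locks 200 files in 30 s and then starts writing to them."""
    t0 = 1_700_000_000.0
    events = []
    for i in range(5):                                   # benign editing
        f = f"/q3/report{i}.xlsx"
        events.append(FileEvent(t0 + i * 120, "ws-042", "finance", f, "lock_exclusive"))
        events.append(FileEvent(t0 + i * 120 + 5, "ws-042", "finance", f, "write"))
        events.append(FileEvent(t0 + i * 120 + 9, "ws-042", "finance", f, "unlock"))
    for i in range(200):                                 # lock storm on the share
        events.append(FileEvent(t0 + i * 0.15, "ws-117", "finance", f"/archive/doc{i}.docx", "lock_exclusive"))
    for i in range(40):                                  # writes to files it just locked
        events.append(FileEvent(t0 + 31 + i * 0.1, "ws-117", "finance", f"/archive/doc{i}.docx", "write"))
    return events


if __name__ == "__main__":
    for host, (files, writes) in detect_lock_storm(build_sample_events()).items():
        print(f"ALERT host={host} locked_files={files} writes_to_locked={writes}")
```

The benign host never holds more than one lock inside the window, so it is never scored; the second host is flagged as soon as its tenth write lands on a file it locked in the last minute, which is the point at which an analyst would want isolation to start. The thresholds are deliberately parameters so they can be tuned against a baseline of normal locking on each share.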
Question 182:
How does FortiNDR detect malicious use of legitimate infrastructure-as-code tools like Terraform or Ansible?
A) Infrastructure-as-code tools are only used by authorized operations teams
B) It identifies suspicious IaC tool usage including unauthorized infrastructure changes, unusual API patterns, or credential abuse suggesting infrastructure compromise
C) IaC tool traffic cannot reveal security threats
D) All infrastructure automation is legitimate operations
Answer: B
Explanation:
FortiNDR identifies suspicious IaC tool usage including unauthorized infrastructure changes, unusual API patterns, or credential abuse suggesting infrastructure compromise by monitoring infrastructure automation tool communications and detecting patterns revealing attackers using IaC tools for malicious infrastructure manipulation, privilege escalation, or resource hijacking.
IaC tool monitoring detects multiple threat patterns including detecting unauthorized Terraform or Ansible executions modifying production infrastructure, identifying unusual cloud provider API patterns from IaC tools suggesting malicious automation, recognizing infrastructure destruction or resource manipulation through compromised automation, detecting IaC credential abuse enabling unauthorized infrastructure access, identifying unusual infrastructure provisioning patterns, recognizing reconnaissance through infrastructure enumeration, and detecting malicious infrastructure deployment. For example, compromised DevOps credentials using Terraform to deploy cryptocurrency mining infrastructure across cloud accounts, or to modify security groups so that internal resources are exposed, indicate IaC tool abuse, where attackers leverage powerful automation capabilities for resource theft or infrastructure compromise.
A is incorrect because IaC tools can be used by attackers with compromised credentials or systems requiring monitoring beyond assuming all usage is authorized operations. C is incorrect because IaC tool traffic includes cloud API patterns, infrastructure changes, and automation activities observable through network monitoring. D is incorrect because infrastructure automation can indicate malicious infrastructure manipulation, resource hijacking, and privilege escalation requiring security monitoring.
Organizations should monitor IaC tool usage for unusual patterns, implement strong authentication and authorization for infrastructure automation tools, configure alerts for unexpected infrastructure changes or unusual IaC tool executions, establish baselines for legitimate infrastructure automation activities, and investigate detected IaC anomalies as potential infrastructure compromise requiring immediate credential rotation and infrastructure review.
Question 183:
What role does monitoring for unusual real-time communication protocol patterns play in FortiNDR?
A) WebRTC and SIP traffic is always legitimate communication
B) It identifies suspicious WebRTC, SIP, or RTP behaviors including unauthorized calls, media stream exfiltration, or VoIP exploitation
C) Real-time protocols cannot indicate security threats
D) Communication protocol monitoring only tracks call quality
Answer: B
Explanation:
FortiNDR identifies suspicious WebRTC, SIP, or RTP behaviors including unauthorized calls, media stream exfiltration, or VoIP exploitation by monitoring real-time communication protocols for patterns revealing attacks targeting communication systems for eavesdropping, toll fraud, or network access.
Real-time communication monitoring detects multiple threat patterns including detecting unauthorized WebRTC sessions potentially exfiltrating audio or video, identifying SIP scanning and enumeration reconnaissance, recognizing toll fraud through unusual call patterns or destinations, detecting media stream interception or recording, identifying VoIP exploitation attempts, recognizing unusual codec selections or media formats, and detecting communication protocol abuse for covert channels. For example, workstations establishing unauthorized WebRTC peer connections that stream audio to external destinations without user initiation indicate surveillance malware or communication system compromise exfiltrating ambient audio for espionage purposes.
A is incorrect because real-time communication traffic can indicate eavesdropping, toll fraud, and unauthorized surveillance requiring security monitoring. C is incorrect because real-time protocols exhibit patterns revealing unauthorized communications, exploitation attempts, and surveillance activities. D is incorrect because communication protocol monitoring provides security capabilities beyond quality tracking through detection of fraud, eavesdropping, and exploitation.
Organizations should monitor real-time communication protocols for unusual patterns, implement authentication and encryption for communication systems, configure alerts for unauthorized media streams or suspicious call patterns, establish baselines for legitimate communication usage, and investigate detected communication anomalies as potential surveillance or toll fraud requiring immediate response.
Question 184:
How does FortiNDR’s detection of unusual network time protocol amplification patterns contribute to DDoS defense?
A) NTP amplification is a theoretical attack not seen in practice
B) It identifies systems participating in NTP amplification attacks, vulnerable NTP servers, or reconnaissance for amplification infrastructure
C) Amplification attacks cannot be detected before they impact targets
D) NTP servers cannot be abused for DDoS attacks
Answer: B
Explanation:
FortiNDR identifies systems participating in NTP amplification attacks, vulnerable NTP servers, or reconnaissance for amplification infrastructure by monitoring NTP traffic for patterns characteristic of amplification attack preparation, participation, or vulnerability to abuse as attack amplifiers.
NTP amplification monitoring detects multiple threat patterns including detecting NTP monlist commands used for reconnaissance of amplification infrastructure, identifying systems sending spoofed NTP requests for amplification attacks, recognizing vulnerable NTP servers responding to monlist queries enabling amplification, detecting unusual NTP response volumes indicating amplification attack participation, identifying reflection patterns where responses target victim addresses, recognizing compromised systems used as amplification attack sources, and detecting NTP configurations vulnerable to abuse. For example, internal NTP servers that receive numerous external monlist queries and then generate massive response traffic indicate either vulnerable servers being abused as amplification infrastructure or compromised systems participating in distributed denial of service attacks against external targets.
A is incorrect because NTP amplification is a well-documented and actively used DDoS attack technique requiring detection and mitigation. C is incorrect because amplification attack preparation including reconnaissance and vulnerable server identification can be detected before attacks impact victims. D is incorrect because NTP servers specifically can be abused for DDoS amplification attacks making monitoring and hardening essential.
Organizations should monitor for NTP amplification indicators including monlist reconnaissance and amplification traffic, disable the NTP monlist command on all NTP servers to prevent amplification abuse, configure alerts for unusual NTP traffic patterns suggesting amplification attacks, implement rate limiting on NTP services, and investigate detected NTP amplification activity, which requires immediate server hardening and potentially incident response.
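The three signals the explanation above lists for NTP amplification (monlist probes as reconnaissance, servers that answer them with large responses, and responses concentrated on one spoofed victim address) can be computed from per-flow records. The following is an added example, not code from the page or from Fortinet: the `NtpFlow` record layout, the thresholds and the sample flows are assumptions; the one protocol fact it relies on is that monlist is the ntpd private-mode (mode 7) request with request code 42.

```python
"""
Added example (not from the page or from Fortinet): NTP monlist amplification
indicators computed from constructed per-flow records, covering the
reconnaissance side (which servers are being probed) and the participation
side (which servers answer, with what byte amplification, and to whom).
The NtpFlow fields, thresholds and sample flows are assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

NTP_PORT = 123
NTP_MODE_PRIVATE = 7     # ntpd private/control mode used by monlist
MONLIST_REQ_CODE = 42    # MON_GETLIST_1 request code


@dataclass(frozen=True)
class NtpFlow:
    src: str         # source address of the request (spoofed in a reflection attack)
    dst: str         # NTP server that received it
    dst_port: int
    mode: int        # NTP packet mode field
    req_code: int    # mode-7 request code, 0 when not a mode-7 packet
    req_bytes: int   # bytes sent to the server
    resp_bytes: int  # bytes the server sent back (0 = no reply)


def is_monlist(f):
    return f.dst_port == NTP_PORT and f.mode == NTP_MODE_PRIVATE and f.req_code == MONLIST_REQ_CODE


def probed_servers(flows):
    """Servers that received any monlist query, answered or not: reconnaissance evidence."""
    return sorted({f.dst for f in flows if is_monlist(f)})


def find_amplifiers(flows, min_ratio=20.0, min_queries=10):
    """Servers that answered >= min_queries monlist queries with a byte ratio
    (response/request) >= min_ratio. Also reports how concentrated the claimed
    sources are: a share near 1.0 means every response went to one address,
    i.e. reflection onto a single victim rather than many distinct clients."""
    stats = defaultdict(lambda: {"n": 0, "req": 0, "resp": 0, "src": Counter()})
    for f in flows:
        if is_monlist(f) and f.resp_bytes > 0:
            s = stats[f.dst]
            s["n"] += 1
            s["req"] += f.req_bytes
            s["resp"] += f.resp_bytes
            s["src"][f.src] += 1
    findings = {}
    for server, s in stats.items():
        ratio = s["resp"] / s["req"] if s["req"] else 0.0
        if s["n"] >= min_queries and ratio >= min_ratio:
            top_src, top_n = s["src"].most_common(1)[0]
            findings[server] = {
                "answered_monlist": s["n"],
                "amplification": round(ratio, 1),
                "top_source": top_src,
                "top_source_share": round(top_n / s["n"], 2),
            }
    return findings


def build_sample_flows():
    """Constructed sample: one abusable server, one hardened server that is
    probed but stays silent, and one server doing only ordinary client sync."""
    victim = "198.51.100.9"   # the spoofed source every monlist query claims to be
    flows = []
    for _ in range(50):
        flows.append(NtpFlow(victim, "10.0.0.5", NTP_PORT, 7, 42, 8, 4400))   # answers monlist
        flows.append(NtpFlow(victim, "10.0.0.6", NTP_PORT, 7, 42, 8, 0))      # monlist disabled
    for i in range(20):
        flows.append(NtpFlow(f"10.1.0.{i}", "10.0.0.7", NTP_PORT, 3, 0, 48, 48))  # normal sync
    return flows


if __name__ == "__main__":
    flows = build_sample_flows()
    print("probed with monlist:", probed_servers(flows))
    for server, info in find_amplifiers(flows).items():
        print(f"ALERT amplifier {server}: {info}")
```

On the sample, both `10.0.0.5` and `10.0.0.6` show up as probed (worth a hardening check), but only `10.0.0.5` is an amplifier: it answered every query with a 550x byte ratio, and all of those responses went to a single external address, which is the reflection signature rather than a monitoring client.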
Question 185:
What is the importance of detecting unusual serverless function invocation patterns in FortiNDR cloud monitoring?
A) Serverless functions are stateless and pose no security risks
B) It identifies suspicious Lambda, Azure Functions, or Cloud Functions invocations suggesting credential abuse, resource hijacking, or unauthorized automation
C) Serverless invocations cannot be monitored through network analysis
D) All function invocations are legitimate application operations
Answer: B
Explanation:
FortiNDR identifies suspicious Lambda, Azure Functions, or Cloud Functions invocations suggesting credential abuse, resource hijacking, or unauthorized automation by monitoring serverless function invocation patterns and detecting behaviors revealing attacks exploiting serverless infrastructure for cryptomining, data exfiltration, or resource consumption attacks.
Serverless monitoring detects multiple threat patterns including detecting unusual function invocation volumes suggesting resource hijacking or cryptocurrency mining, identifying unauthorized function invocations from compromised credentials, recognizing excessive invocations consuming budget through resource exhaustion attacks, detecting function invocations accessing unexpected resources suggesting privilege abuse, identifying unusual invocation timing patterns, recognizing data exfiltration through serverless functions, and detecting malicious function deployment or modification. For example, thousands of AWS Lambda invocations from compromised credentials that execute cryptocurrency mining workloads or exfiltrate S3 bucket data indicate serverless abuse, where attackers leverage scalable cloud compute for resource theft or data exfiltration with the costs borne by the victim organization.
A is incorrect because serverless functions, despite being stateless, can be exploited for resource hijacking, data access, and credential abuse, making security monitoring essential. C is incorrect because serverless invocations create API traffic including invocation patterns, accessed resources, and function behaviors observable through cloud API monitoring. D is incorrect because function invocations can indicate credential abuse, resource hijacking, and unauthorized automation requiring security monitoring.
Organizations should monitor serverless function invocations for unusual patterns, implement strong authentication and least-privilege permissions for functions, configure alerts for excessive invocations or unusual function behaviors, establish baselines for legitimate function usage including typical invocation volumes, and investigate detected serverless anomalies as potential credential abuse requiring immediate function suspension and credential rotation.
Question 186:
How does FortiNDR detect abuse of legitimate screen sharing and remote collaboration tools?
A) Screen sharing is always authorized collaboration
B) It identifies suspicious remote viewing sessions, unauthorized screen sharing, or data exfiltration through collaboration tools
C) Collaboration tool traffic cannot reveal security threats
D) Remote viewing tools pose no security risks
Answer: B
Explanation:
FortiNDR identifies suspicious remote viewing sessions, unauthorized screen sharing, or data exfiltration through collaboration tools by monitoring screen sharing and remote collaboration protocols for patterns revealing unauthorized surveillance, data theft, or policy violations through collaboration platforms.
Screen sharing monitoring detects multiple threat patterns including detecting unauthorized remote viewing sessions potentially enabling surveillance, identifying screen sharing from unexpected systems or accounts, recognizing unusual durations for screen sharing sessions, detecting screen sharing to external participants without authorization, identifying suspicious collaboration tool usage from sensitive systems, recognizing data exfiltration through screen capture and sharing, and detecting malware using screen sharing protocols for surveillance. For example, an executive workstation with an unauthorized screen sharing session to an external participant that captures board meeting discussions or financial planning presentations indicates surveillance or industrial espionage through collaboration tool abuse.
A is incorrect because screen sharing can enable unauthorized surveillance, data theft, and policy violations requiring monitoring beyond assuming all sharing is authorized collaboration. C is incorrect because collaboration tool traffic exhibits patterns including session participants, durations, and shared systems observable through network monitoring. D is incorrect because remote viewing tools enable surveillance and data exfiltration making them security-relevant for monitoring.
Organizations should monitor screen sharing and collaboration tool usage for unauthorized sessions, implement policies requiring approval for external screen sharing and detect violations, configure alerts for unusual collaboration patterns particularly from sensitive systems, establish baselines for legitimate collaboration tool usage, and investigate detected screen sharing anomalies as potential surveillance or data theft requiring immediate session termination and access review.
Question 187:
What role does detection of unusual IPAM (IP Address Management) system access play in FortiNDR?
A) IPAM systems contain only network addressing information
B) It identifies suspicious IPAM access suggesting network reconnaissance, infrastructure mapping, or preparation for targeted attacks
C) IPAM access cannot indicate security threats
D) IP address management is purely operational
Answer: B
Explanation:
FortiNDR identifies suspicious IPAM access suggesting network reconnaissance, infrastructure mapping, or preparation for targeted attacks by monitoring IPAM system access and detecting patterns revealing attackers using IP address management systems to gather detailed network infrastructure information for attack planning.
IPAM monitoring detects multiple threat patterns including detecting unauthorized IPAM system access revealing network architecture details, identifying unusual IPAM queries enumerating IP address assignments, recognizing systematic IPAM data extraction suggesting reconnaissance, detecting IPAM access from compromised accounts, identifying unusual timing for IPAM queries particularly during off-hours, recognizing correlation between IPAM access and subsequent network attacks, and detecting IPAM modifications potentially disrupting network addressing. For example, a compromised IT account accessing the IPAM system and downloading complete network address assignments, subnet configurations, and system naming conventions indicates reconnaissance, where attackers gather detailed infrastructure maps to identify high-value targets and plan lateral movement paths.
A is incorrect because IPAM systems contain valuable network infrastructure information including system locations, naming conventions, and network architecture details useful for attack planning. C is incorrect because IPAM access patterns can indicate reconnaissance activities and infrastructure mapping attempts by attackers. D is incorrect because IP address management has security implications with IPAM data revealing network structure and systems enabling targeted attacks.
Organizations should monitor IPAM system access for unusual patterns, implement strong authentication and access controls for IPAM systems, configure alerts for unexpected IPAM queries or data extraction, establish baselines for legitimate IPAM usage, and investigate detected IPAM anomalies as potential reconnaissance requiring enhanced monitoring and incident response preparation.
Question 188:
How does FortiNDR’s detection of unusual API gateway traffic patterns enhance application security?
A) API gateways only route traffic and provide no security insights
B) It identifies suspicious API usage including rate limit violations, unusual endpoints accessed, or attack patterns against microservices architectures
C) API gateway traffic is identical to direct API traffic
D) All API gateway traffic is legitimate application communication
Answer: B
Explanation:
FortiNDR identifies suspicious API usage including rate limit violations, unusual endpoints accessed, or attack patterns against microservices architectures by monitoring API gateway traffic for behaviors revealing attacks targeting APIs through the gateway for reconnaissance, exploitation, or abuse.
API gateway monitoring detects multiple threat patterns including detecting unusual API endpoint enumeration suggesting reconnaissance, identifying rate limit violations indicating brute force or denial of service attempts, recognizing unusual API method usage or parameter patterns suggesting exploitation, detecting authentication bypass attempts, identifying data exfiltration through excessive API queries, recognizing API abuse from compromised credentials, and detecting gateway configuration vulnerabilities being probed. For example, an external source systematically probing API gateway endpoints with varying parameters to test for injection vulnerabilities while exceeding rate limits indicates API reconnaissance and exploitation attempts requiring blocking and security hardening.
A is incorrect because API gateways provide security insights through traffic patterns, access controls, and attack detection beyond simple routing functions. C is incorrect because API gateway traffic includes gateway-specific patterns including rate limiting, authentication enforcement, and routing decisions observable through traffic analysis. D is incorrect because API gateway traffic can indicate reconnaissance, exploitation attempts, and abuse requiring security monitoring.
Organizations should monitor API gateway traffic for unusual patterns, implement and enforce rate limiting and authentication at gateways, configure alerts for API abuse patterns or unusual endpoint access, establish baselines for legitimate API usage through gateways, and investigate detected API anomalies as potential attacks requiring immediate blocking and application security review.
Question 189:
What is the significance of detecting unusual network device configuration backup patterns in FortiNDR?
A) Configuration backups are routine maintenance operations
B) It identifies suspicious backup activities, unauthorized configuration exports, or network device reconnaissance suggesting infrastructure intelligence gathering
C) Configuration backup traffic provides no security value
D) All backup operations are legitimate network management
Answer: B
Explanation:
FortiNDR identifies suspicious backup activities, unauthorized configuration exports, or network device reconnaissance suggesting infrastructure intelligence gathering by monitoring network device configuration backup traffic and detecting patterns revealing attackers or insiders exfiltrating network configurations for intelligence gathering or preparation for attacks.
Configuration backup monitoring detects multiple threat patterns including detecting unauthorized configuration exports from network devices revealing network architecture, identifying unusual backup timing or frequency suggesting malicious configuration harvesting, recognizing configuration backups to unexpected destinations, detecting backup operations from compromised accounts, identifying selective configuration extraction targeting security settings, recognizing correlation between configuration access and subsequent attacks, and detecting unusual backup protocols or methods. For example, a compromised network administrator account systematically backing up all router and switch configurations to an external FTP server indicates infrastructure intelligence theft, where the attacker exfiltrates complete network architecture details, security configurations, and access control lists for attack planning or competitive intelligence.
A is incorrect because while configuration backups are routine operations, unusual backup patterns can indicate malicious configuration theft requiring security monitoring. C is incorrect because configuration backup traffic reveals infrastructure access patterns and potential intelligence gathering activities. D is incorrect because backup operations can indicate unauthorized configuration export and intelligence gathering requiring investigation.
Organizations should monitor network device configuration backup activities for unusual patterns, implement secure backup destinations and processes, configure alerts for configuration exports to unexpected locations or during unusual timeframes, establish baselines for legitimate backup operations, and investigate detected backup anomalies as potential infrastructure intelligence gathering requiring credential rotation and access review.
Question 190:
How does FortiNDR detect malicious use of legitimate network monitoring and packet capture tools?
A) Network monitoring tools are only used by network administrators
B) It identifies suspicious use of Wireshark, tcpdump, or similar tools suggesting credential theft, traffic interception, or reconnaissance
C) Packet capture cannot be detected through network analysis
D) All network monitoring is legitimate troubleshooting
Answer: B
Explanation:
FortiNDR identifies suspicious use of Wireshark, tcpdump, or similar tools suggesting credential theft, traffic interception, or reconnaissance by detecting network behaviors characteristic of packet capture tools running on systems and identifying usage patterns revealing attackers using monitoring tools for credential harvesting, traffic analysis, or network reconnaissance.
Network monitoring tool detection identifies multiple threat patterns including detecting packet capture tools running on unexpected systems like user workstations, identifying promiscuous mode network interfaces suggesting traffic interception, recognizing unusual network traffic patterns characteristic of packet capture activities, detecting capture file transfers suggesting exfiltration of captured traffic, identifying credential theft through captured authentication traffic, recognizing reconnaissance through systematic traffic capture, and detecting monitoring tool deployment on compromised systems. For example, a workstation entering promiscuous mode and capturing all network traffic, followed by the transfer of large capture files to external storage, indicates traffic interception and credential theft, where the attacker uses packet capture to harvest credentials and sensitive data from network traffic.
A is incorrect because network monitoring tools can be used by attackers for reconnaissance, credential theft, and traffic interception requiring detection beyond assuming all usage is administrative. C is incorrect because packet capture activities create detectable network behaviors including promiscuous mode, unusual traffic patterns, and capture file transfers. D is incorrect because network monitoring can indicate malicious reconnaissance, credential theft, and traffic interception requiring security investigation.
Organizations should monitor for unauthorized network monitoring tool usage, restrict packet capture capabilities to authorized administrative systems, configure alerts for promiscuous mode activation or unusual traffic capture patterns, implement network segmentation limiting traffic visibility, and investigate detected monitoring tool usage as potential credential theft requiring immediate credential rotation and investigation.
Question 191:
What role does monitoring for unusual NetFlow or sFlow export patterns play in FortiNDR?
A) Flow exports are purely operational telemetry
B) It identifies suspicious flow export modifications, unauthorized collectors, or flow data exfiltration suggesting reconnaissance or monitoring infrastructure compromise
C) Flow export traffic cannot reveal security threats
D) All flow exports are legitimate network monitoring
Answer: B
Explanation:
FortiNDR identifies suspicious flow export modifications, unauthorized collectors, or flow data exfiltration suggesting reconnaissance or monitoring infrastructure compromise by monitoring NetFlow and sFlow export traffic for patterns revealing attackers manipulating flow exports for reconnaissance evasion or exfiltrating flow data for network intelligence gathering.
Flow export monitoring detects multiple threat patterns including detecting unauthorized flow collectors receiving network telemetry, identifying flow export configuration changes potentially hiding malicious traffic, recognizing unusual flow export volumes suggesting data exfiltration, detecting flow exports to unexpected external destinations, identifying flow sampling modifications potentially evading detection, recognizing flow collector compromise enabling traffic analysis, and detecting flow export manipulation for attack concealment. For example, a network device whose flow export configuration has been modified to exclude specific IP addresses or protocols, followed by attack traffic from those excluded sources, indicates flow manipulation, where attackers configure devices to stop exporting telemetry about their malicious activities and so evade flow-based detection systems.
A is incorrect because flow exports have security implications with unauthorized collectors or export manipulation enabling reconnaissance evasion and intelligence gathering. C is incorrect because flow export traffic patterns reveal configuration changes, unauthorized collectors, and potential security compromises. D is incorrect because flow exports can be manipulated or exfiltrated for malicious purposes requiring security monitoring.
Organizations should monitor flow export configurations and destinations for unauthorized changes, implement authentication for flow collectors preventing unauthorized collection, configure alerts for flow export modifications or unexpected collectors, establish baselines for legitimate flow export patterns, and investigate detected flow export anomalies as potential monitoring infrastructure compromise or reconnaissance evasion requiring immediate configuration restoration.
Question 192:
How does FortiNDR’s detection of unusual serial-over-IP or console server traffic contribute to infrastructure security?
A) Console server access is always authorized infrastructure management
B) It identifies suspicious serial console access, unauthorized out-of-band management, or console server exploitation suggesting critical infrastructure compromise
C) Serial protocol traffic cannot be monitored
D) Console access poses no security risks
Answer: B
Explanation:
FortiNDR identifies suspicious serial console access, unauthorized out-of-band management, or console server exploitation suggesting critical infrastructure compromise by monitoring serial-over-IP and console server traffic for patterns revealing attacks targeting out-of-band management infrastructure for privileged access to network and server equipment.
Console server monitoring detects multiple threat patterns including detecting unauthorized access to serial console servers, identifying unusual console session patterns or durations, recognizing console access from unexpected sources or geographic locations, detecting console server exploitation attempts, identifying unusual command execution through console interfaces, recognizing console access during unusual hours suggesting unauthorized activity, and detecting correlation between console access and infrastructure compromise. For example, unauthorized external access to a console server followed by serial console sessions to core routers and switches that execute configuration changes indicates infrastructure compromise, where attackers gain out-of-band access that bypasses network security controls to directly manipulate critical infrastructure.
A is incorrect because console server access can indicate unauthorized infrastructure compromise requiring monitoring beyond assuming all access is legitimate management. C is incorrect because serial-over-IP protocols create network traffic with observable access patterns, sessions, and command characteristics. D is incorrect because console access provides privileged infrastructure control, making it a critical security concern requiring monitoring.
Organizations should monitor console server access for unauthorized sessions, implement strong authentication and access controls for out-of-band management, configure alerts for unusual console access particularly from unexpected sources, establish baselines for legitimate console usage patterns, and investigate detected console access anomalies as potential critical infrastructure compromise requiring immediate session termination and credential rotation.
Question 193:
What is the importance of detecting unusual memory scraping or process injection indicators in FortiNDR network traffic?
A) Memory operations are purely local and create no network traffic
B) It identifies network patterns following memory access including credential usage, data exfiltration, or lateral movement suggesting successful credential theft or code injection
C) Process injection cannot be detected through network monitoring
D) Memory-based attacks have no network indicators
Answer: B
Explanation:
FortiNDR identifies network patterns that follow memory access, including credential usage, data exfiltration, or lateral movement suggesting successful credential theft or code injection, by detecting network behaviors that correlate with memory scraping or process injection attacks. The memory operation itself never touches the wire; what the sensor sees is the aftermath of exploitation, such as authentication with stolen credentials or connections generated by injected code.
Memory attack correlation detects multiple network indicators, including unusual authentication patterns immediately following potential credential harvesting, lateral movement using freshly stolen credentials from memory, data exfiltration following successful code injection, network connections originating from injected processes, unusual protocol usage characteristic of post-exploitation tools, command and control establishment following process injection, and behavioral changes indicating successful memory manipulation. For example, a system authenticating to multiple domain resources using several different accounts within minutes of suspicious process activity indicates credential theft from memory, where the attacker scraped credentials and immediately replayed them for lateral movement before they expire or are changed.
A is incorrect because, while memory operations are local, the subsequent malicious activities using stolen credentials or injected code create observable network traffic patterns. C is incorrect because process injection results in network behaviors from the injected code that are detectable through behavioral analysis and correlation with injection timeframes. D is incorrect because memory-based attacks create network indicators through subsequent credential usage, command execution, and data exfiltration activities.
Organizations should monitor for network behavioral changes that correlate with potential memory attacks, implement enhanced monitoring following suspicious process activities, configure alerts for rapid authentication sequences or unusual credential usage patterns, correlate endpoint and network detection for comprehensive memory attack visibility (the process-level evidence comes from the endpoint, the credential-use evidence from the network), and investigate detected post-exploitation network patterns as potential successful memory attacks requiring immediate credential rotation and system isolation.
Question 194:
How does FortiNDR detect abuse of legitimate content delivery network (CDN) services for command and control?
A) CDN traffic is always legitimate content delivery
B) It identifies suspicious CDN usage patterns including unusual request frequencies, encoded payloads, or domain fronting techniques suggesting C2 communications
C) CDN services cannot be abused for malicious purposes
D) Content delivery traffic provides no security indicators
Answer: B
Explanation:
FortiNDR identifies suspicious CDN usage patterns, including unusual request frequencies, encoded payloads, or domain fronting techniques suggesting C2 communications, by monitoring CDN traffic for behaviors revealing attackers who leverage legitimate content delivery services to hide command and control inside trusted CDN traffic.
CDN abuse detection identifies multiple threat patterns, including unusual request patterns to CDN endpoints suggesting automated C2 communications, encoded data in CDN requests or responses potentially carrying commands or exfiltrated data, domain fronting, where the TLS SNI names an innocuous CDN-hosted domain but the inner HTTP Host header steers the request to attacker-controlled infrastructure behind the same CDN, unusual CDN resource access patterns inconsistent with normal content delivery, beaconing behaviors through CDN services, suspicious user agents or request headers in CDN traffic, and correlation between CDN requests and malicious activities. For example, a workstation making precisely regular requests every five minutes to one specific CDN endpoint with encoded parameters and receiving encoded responses indicates C2 communication where malware uses CDN infrastructure to hide its command and control traffic among legitimate CDN usage.
A is incorrect because CDN services can be abused for command and control, data exfiltration, and domain fronting, which requires security monitoring. C is incorrect because CDN services are specifically leveraged by sophisticated attackers to hide malicious communications within trusted traffic. D is incorrect because content delivery traffic exhibits patterns revealing abuse, including unusual frequencies, encoded payloads, and domain fronting techniques.
Organizations should monitor CDN traffic for unusual patterns suggesting abuse, establish baselines for legitimate CDN usage in their environments, configure alerts for suspicious CDN request patterns or encoded payloads, implement SSL inspection for CDN traffic where feasible (the Host/SNI mismatch that characterizes domain fronting and the encoded request parameters are only visible after decryption; without it, detection must rely on timing, volume, and destination metadata), and investigate detected CDN anomalies as potential command and control requiring immediate malware investigation and remediation.
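The timing and encoding heuristics behind the five-minute beacon example above, as an added worked example that is not part of the original page and not FortiNDR code. It parses a constructed proxy-style log (timestamp, client, method, URL), groups requests by client and CDN endpoint, and flags a group when the inter-request intervals are nearly constant (low coefficient of variation) and every request carries a long, high-entropy, base64-shaped parameter. The log format, the thresholds (four requests, CV of 0.2, entropy of 3.5 bits per character) and the host names are assumptions chosen for illustration.

```python
"""Beaconing and encoded-parameter heuristics for CDN-hosted C2 (added example)."""
import math
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

# Constructed proxy-style log lines (not captured traffic, not FortiNDR output):
# timestamp, client IP, method, URL. Host 10.20.30.55 polls one endpoint every
# ~5 minutes with a different base64-looking parameter each time; 10.20.30.41 is
# ordinary page-load traffic re-fetching a script at irregular times.
SAMPLE_LOG = """\
2024-03-01T09:00:00Z 10.20.30.55 GET https://cdn.example-static.net/api/v1/sync?q=c2xlZXAgMzAwOyBjaGVjay1pbg
2024-03-01T09:00:02Z 10.20.30.41 GET https://cdn.example-static.net/assets/app.js?v=1.2.3
2024-03-01T09:00:45Z 10.20.30.41 GET https://cdn.example-static.net/assets/app.js?v=1.2.3
2024-03-01T09:05:00Z 10.20.30.55 GET https://cdn.example-static.net/api/v1/sync?q=d2hvYW1pOyBpcGNvbmZpZyAvYWxs
2024-03-01T09:10:02Z 10.20.30.55 GET https://cdn.example-static.net/api/v1/sync?q=bmV0IHVzZXIgL2RvbWFpbiA
2024-03-01T09:10:50Z 10.20.30.41 GET https://cdn.example-static.net/assets/app.js?v=1.2.3
2024-03-01T09:11:03Z 10.20.30.41 GET https://cdn.example-static.net/assets/app.js?v=1.2.3
2024-03-01T09:14:59Z 10.20.30.55 GET https://cdn.example-static.net/api/v1/sync?q=dGFza2xpc3QgL3YgL2ZvIGNzdg
2024-03-01T09:20:00Z 10.20.30.55 GET https://cdn.example-static.net/api/v1/sync?q=cXVpdDsgZXhpdCAwOyBieWUgbm93
2024-03-01T09:25:01Z 10.20.30.55 GET https://cdn.example-static.net/api/v1/sync?q=cGluZyAtbiAxIDEwLjAuMC4x
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
# Base64 / base64url alphabet, at least 16 characters, optional padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]{16,}={0,2}$")


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random-looking encoded data scores high."""
    if not value:
        return 0.0
    n = len(value)
    counts = defaultdict(int)
    for ch in value:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encoded(value: str, min_entropy: float = 3.5) -> bool:
    """Assumed heuristic: base64-shaped and high-entropy, unlike a version tag or slug."""
    return bool(B64_RE.match(value)) and shannon_entropy(value) >= min_entropy


def parse_log(text: str):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, _method, url = m.groups()
        u = urlsplit(url)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "host": u.netloc, "path": u.path,
            "params": dict(parse_qsl(u.query)),
        })
    return events


def find_beacons(events, min_requests: int = 4, max_cv: float = 0.2):
    """Group by (client, host, path); flag regular intervals plus encoded parameters.

    max_cv is the assumed ceiling on stdev/mean of the inter-request gaps: human
    browsing is bursty (CV well above 1), a timer-driven implant with little
    jitter sits close to 0.
    """
    groups = defaultdict(list)
    for e in events:
        groups[(e["src"], e["host"], e["path"])].append(e)

    findings = []
    for (src, host, path), reqs in groups.items():
        if len(reqs) < min_requests:
            continue
        reqs.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        mean_gap = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
        encoded = sum(1 for e in reqs if any(looks_encoded(v) for v in e["params"].values()))
        regular = cv <= max_cv
        carries_payload = encoded >= min_requests
        if regular and carries_payload:
            verdict = "beacon"
        elif regular:
            verdict = "regular-polling"   # may be a legitimate heartbeat; needs review
        elif carries_payload:
            verdict = "encoded-irregular"
        else:
            verdict = "benign"
        findings.append({
            "src": src, "host": host, "path": path, "requests": len(reqs),
            "mean_interval": mean_gap, "cv": cv,
            "encoded_requests": encoded, "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{f['verdict']:17} {f['src']} {f['host']}{f['path']} n={f['requests']} "
              f"mean={f['mean_interval']:.0f}s cv={f['cv']:.3f} encoded={f['encoded_requests']}")
```

On the sample, 10.20.30.55 is reported as a beacon (six requests, mean gap about 300 s, CV near zero, every request encoded) and 10.20.30.41 as benign. The "regular-polling" verdict is kept separate on purpose: software updaters and telemetry agents also poll on fixed timers, so regularity alone is a lead to review against a baseline rather than a verdict.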
Question 195:
What role does detection of unusual RADIUS or TACACS+ authentication patterns play in FortiNDR?
A) AAA protocols are secure and require no monitoring
B) It identifies suspicious authentication patterns, credential attacks, or compromised AAA infrastructure suggesting unauthorized network access or infrastructure compromise
C) Authentication protocols cannot reveal security threats
D) All AAA traffic is legitimate authentication
Answer: B
Explanation:
FortiNDR identifies suspicious authentication patterns, credential attacks, or compromised AAA infrastructure suggesting unauthorized network access or infrastructure compromise by monitoring RADIUS and TACACS+ traffic for patterns revealing attacks against the authentication infrastructure for credential theft, unauthorized access, or AAA server compromise.
AAA protocol monitoring detects multiple threat patterns, including authentication attempts from unusual sources suggesting credential attacks, unusual authentication patterns or volumes indicating brute force attempts, authentication success from unexpected locations suggesting compromised credentials, AAA server exploitation attempts, unauthorized changes to authentication policies, credential stuffing patterns against AAA infrastructure, and AAA server compromise revealed by unusual authentication grants. For example, thousands of RADIUS authentication attempts from an external source testing many different usernames and passwords against VPN infrastructure indicate a credential attack where the attacker systematically tries to identify valid credentials for network access. Note that the RADIUS packets themselves are sent by the VPN gateway acting as NAS, so the external client is identified from attributes such as Calling-Station-Id rather than the packet's source address; the packet codes (Access-Request, Access-Accept, Access-Reject) are not encrypted, so rejects can be counted on the wire without knowledge of the shared secret.
A is incorrect because AAA protocols can be targeted by credential attacks and infrastructure compromise, which requires security monitoring. C is incorrect because authentication protocols exhibit patterns revealing credential attacks, unauthorized access, and infrastructure compromise. D is incorrect because AAA traffic can indicate attacks including credential brute force, authentication bypass attempts, and server compromise.
Organizations should monitor RADIUS and TACACS+ traffic for unusual authentication patterns, implement rate limiting on authentication systems to slow brute force attacks, configure alerts for authentication anomalies, particularly from unexpected sources or in unusual patterns, establish baselines for legitimate authentication patterns, and investigate detected AAA anomalies as potential credential attacks requiring immediate response, including temporary account lockouts (applied with care, since lockouts triggered by an attacker's guesses can themselves become a denial of service against legitimate users) and enhanced monitoring.
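The two authentication patterns from Question 193 (one host replaying freshly scraped credentials as several accounts against several targets within minutes) and Question 195 (one source spraying many usernames against a RADIUS-backed VPN login) reduce to the same per-source sliding-window count, so a single added example covers both. This is illustration code, not FortiNDR's detection logic and not from the original page: the log format is a constructed normalisation of authentication events (timestamp, protocol, client source, account, target, result), and the window of five minutes and the thresholds (five rejects over five accounts; three accounts over three targets) are assumed values to be tuned against a real baseline.

```python
"""Windowed per-source rules for AAA credential attacks and post-theft lateral movement (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events (not real logs, not FortiNDR output), one per
# authentication attempt, normalised to: timestamp, protocol, client source, account,
# target (NAS or server), result. 203.0.113.9 sprays the VPN gateway's RADIUS-backed
# login and lands one guess; 10.20.30.55 logs on as four accounts to five hosts within
# two minutes; 10.20.30.41 is an operator's normal day (two accounts, two targets).
SAMPLE_AUTH_LOG = """\
2024-03-01T10:00:01Z radius src=203.0.113.9 user=jsmith target=vpn-gw1 result=reject
2024-03-01T10:00:03Z radius src=203.0.113.9 user=mjones target=vpn-gw1 result=reject
2024-03-01T10:00:06Z radius src=203.0.113.9 user=admin target=vpn-gw1 result=reject
2024-03-01T10:00:08Z radius src=203.0.113.9 user=administrator target=vpn-gw1 result=reject
2024-03-01T10:00:11Z radius src=203.0.113.9 user=helpdesk target=vpn-gw1 result=reject
2024-03-01T10:00:14Z radius src=203.0.113.9 user=svc-backup target=vpn-gw1 result=reject
2024-03-01T10:00:17Z radius src=203.0.113.9 user=rlee target=vpn-gw1 result=reject
2024-03-01T10:00:20Z radius src=203.0.113.9 user=svc-backup target=vpn-gw1 result=accept
2024-03-01T10:02:00Z tacacs src=10.20.30.41 user=ops-eng target=core-rtr1 result=accept
2024-03-01T10:05:10Z kerberos src=10.20.30.41 user=alice target=fileserver1 result=accept
2024-03-01T10:30:00Z smb src=10.20.30.55 user=alice target=fileserver1 result=accept
2024-03-01T10:30:25Z smb src=10.20.30.55 user=bob target=hr-app01 result=accept
2024-03-01T10:30:50Z kerberos src=10.20.30.55 user=svc-sql target=sql01 result=accept
2024-03-01T10:31:30Z smb src=10.20.30.55 user=da-admin target=dc01 result=accept
2024-03-01T10:32:05Z smb src=10.20.30.55 user=da-admin target=fileserver2 result=accept
2024-03-01T10:40:00Z kerberos src=10.20.30.41 user=alice target=fileserver1 result=accept
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>\S+)\s+src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+"
    r"target=(?P<target>\S+)\s+result=(?P<result>\S+)$"
)


def parse_auth_log(text: str):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_auth_anomalies(events, window=timedelta(minutes=5),
                          min_failures=5, min_sprayed_users=5,
                          min_lateral_users=3, min_lateral_targets=3):
    """Slide a window over each source's events and apply two assumed rules.

    credential-attack: at least min_failures rejects spread over at least
        min_sprayed_users accounts from one source (brute force / spraying / stuffing).
    lateral-movement: accepts as at least min_lateral_users distinct accounts to at
        least min_lateral_targets distinct targets from one source (scraped credentials
        being replayed before they are rotated).
    One finding per (source, rule), reported on the first window that triggers it.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        fired = set()
        for i, first in enumerate(evs):
            deadline = first["ts"] + window
            win = [e for e in evs[i:] if e["ts"] <= deadline]
            fails = [e for e in win if e["result"] != "accept"]
            succ = [e for e in win if e["result"] == "accept"]
            failed_users = {e["user"] for e in fails}
            succ_users = {e["user"] for e in succ}
            succ_targets = {e["target"] for e in succ}

            if ("credential-attack" not in fired and len(fails) >= min_failures
                    and len(failed_users) >= min_sprayed_users):
                fired.add("credential-attack")
                findings.append({
                    "src": src, "rule": "credential-attack",
                    "window_start": first["ts"].isoformat(),
                    "protocols": sorted({e["proto"] for e in win}),
                    "failures": len(fails), "distinct_users": len(failed_users),
                    # an accept inside a spray window means one of the guesses landed
                    "followed_by_success": bool(succ),
                    "success_users": sorted(succ_users),
                })
            if ("lateral-movement" not in fired and len(succ_users) >= min_lateral_users
                    and len(succ_targets) >= min_lateral_targets):
                fired.add("lateral-movement")
                findings.append({
                    "src": src, "rule": "lateral-movement",
                    "window_start": first["ts"].isoformat(),
                    "protocols": sorted({e["proto"] for e in succ}),
                    "successes": len(succ), "distinct_users": len(succ_users),
                    "distinct_targets": len(succ_targets),
                    "users": sorted(succ_users), "targets": sorted(succ_targets),
                })
    return findings


if __name__ == "__main__":
    for f in detect_auth_anomalies(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(f)
```

The spray finding carries followed_by_success and the account that was accepted, because that is what turns a noisy brute-force alert into a credential that must be rotated now. The operator host 10.20.30.41 uses two accounts against two targets in one window and stays below the lateral-movement thresholds, which is the kind of near miss the baseline is there to calibrate.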