"data exfiltration" points directly to the need for a data type that allows detailed inspection of transferred content, which is why full packet capture is the best answer.
Correct answer should be session data. While session data is very simple, it can be used to answer many important questions that arise regularly in the SOC. Threat intelligence reports may provide a list of suspicious external IP addresses. Session data
can be consulted to see if any internal systems have communicated with any of the suspicious external IP addresses. Similarly, if a particular TCP port is associated with an active malware campaign command and control, session data can be consulted to see if any internal systems are communicating by using that TCP port. If an internal host has been identified as being compromised, session data can identify other internal systems that it has communicated with (potential lateral movement) and any external systems that it has communicated with (potential data exfiltration). This is from the Cisco U CyberOps Course
The answer is B. full packet capture.
Full packet capture is the most comprehensive type of data that can be used to investigate an event. It captures all of the data that is transmitted over a network, including the header and payload of each packet. This allows investigators to see exactly what data was sent and received, and by whom.
Firewall logs, session data, and NetFlow data are all less comprehensive than full packet capture.
B.
Full packet capture is the most comprehensive type of data that can be used to investigate a data exfiltration event. It captures all of the data that is transmitted over a network, including the headers, payload, and metadata. This data can be used to identify the source and destination of the traffic, the type of data that is being transferred, and the time and date of the transfer.
Firewall logs, session data, and NetFlow data can also be used to investigate data exfiltration events, but they provide less information than full packet capture.
In the context of data exfiltration, full packet capture can be used to identify the source and destination of any data that is being transferred out of the network. It can also provide insight into the type of data that is being exfiltrated, the frequency and duration of the transfers, and any other characteristics that may be relevant to the investigation.
"determine if data exfiltration has occurred": basically you don't want to look into the packets, you just want to determine high bandwidth use and the size of these packets; the best thing is to look at the metadata.
C & D is the same data. The question says to see if data exfiltrate, so you don't need to see the actual data with full packet capture but only if it happened. So you need only session data to get the answer. NetFlow "sees" session data so both answers might be correct.
I agree with this, although Full Packet Capture provides a more comprehensive output, the question just asks if Data Exfiltration has occurred and Session Data is enough. No need to complicate things.
On a certification exam, sometimes the simplest answer, or the one that provides the bare minimum, is the correct one.
Official Cert Guide - "Another product family that integrates with other DLP solutions is the Cisco WSA, which redirects all outbound traffic to a third-party DLP appliance, allowing deep content inspection for regulatory compliance and data exfiltration protection. It enables an administrator to inspect web content by title, metadata, and size and even to prevent users from storing files to cloud services such as Dropbox and Google Drive." ... I think the keyword here should be "all outbound traffic", hence B.
Then again, on the other hand, D is also a possibility (NetFlow data could also provide the investigative capability). According to https://www.plixer.com/blog/netflow-and-internet-data-loss-prevention-alarms/ "The effort to prevent data loss is a top priority for many organizations. Identifying odd traffic patterns and suspicious data transfers has become a concern for many data security professionals. Flow Analytics, an add on to our NetFlow collector, allows administrators to detect odd traffic patterns, such as servers communicating to unauthorized hosts on the Internet." This suggests the solution does not actually implement DLP (outgoing traffic doesn't get inspected for social security numbers, credit cards, resumes etc.), it just helps detect it, by alerting when certain network baseline breaches occur (e.g. a larger amount of exiting traffic than usual, external connections initiated outside working hours etc.)
NetFlow is used for network performance analysis and behavioral analytics for security. The flows do not contain actual packet data, but rather the metadata for communications. It is a standard form of session data that details the who, what, when, and where of network traffic. It is similar to the call records in a phone bill, but in real time. Every network transaction typically gets two flows, one in each direction. Doing full capture on each interface is extraordinarily expensive. The best practice is to look at session data in the flows. Cisco Stealthwatch is such a tool, and Plixer Scrutinizer! After you see the behavior, then you know where to put the full capture filter!
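As an added example (not from the course, the posters, or any product named above), this script runs the session-data checks described in the comments over a small set of constructed flow records: which internal hosts talked to threat-intel IPs, which used a flagged TCP port, what a compromised host's internal and external peers were, and which hosts pushed an unusual amount of data out. The 10/8 range being "internal", the record layout, the indicator values and the byte threshold are all assumptions made for the example.

```python
"""Triage of session (flow) records, one record per direction of a conversation."""
from collections import defaultdict

INTERNAL_PREFIX = ("10.",)          # assumption: 10/8 is the internal address space

# Constructed sample flows: (src, sport, dst, dport, proto, bytes). Not real traffic.
FLOWS = [
    ("10.0.1.5",     51000, "203.0.113.7",  443,   "tcp", 1200),
    ("203.0.113.7",  443,   "10.0.1.5",     51000, "tcp", 8000),
    ("10.0.1.5",     51001, "198.51.100.9", 4444,  "tcp", 950_000),  # large outbound
    ("10.0.1.5",     52000, "10.0.1.20",    445,   "tcp", 3000),     # internal SMB
    ("10.0.1.20",    445,   "10.0.1.5",     52000, "tcp", 1000),
    ("10.0.2.8",     53000, "203.0.113.7",  443,   "tcp", 500),
]
SUSPICIOUS_IPS = {"198.51.100.9"}    # constructed threat-intel indicator
SUSPICIOUS_PORTS = {4444}            # constructed port tied to a campaign

def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)

def hosts_talking_to(flows, ips):
    """Internal sources that initiated a flow to any listed external IP."""
    return {src for src, _, dst, _, _, _ in flows if is_internal(src) and dst in ips}

def hosts_using_port(flows, ports):
    """Internal sources that connected outward on a flagged destination port."""
    return {src for src, _, dst, dport, _, _ in flows
            if is_internal(src) and not is_internal(dst) and dport in ports}

def peers_of(flows, host):
    """Split a compromised host's peers into internal (lateral movement) and external."""
    internal, external = set(), set()
    for src, _, dst, _, _, _ in flows:
        if host not in (src, dst):
            continue
        peer = dst if src == host else src
        (internal if is_internal(peer) else external).add(peer)
    return internal, external

def outbound_bytes(flows):
    """Bytes each internal host sent to external destinations (payload never inspected)."""
    totals = defaultdict(int)
    for src, _, dst, _, _, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
    return dict(totals)

def exfil_candidates(flows, threshold):
    """Hosts whose outbound volume exceeds a baseline; these get the full-capture filter."""
    return sorted(h for h, b in outbound_bytes(flows).items() if b > threshold)
```

Candidates returned by `exfil_candidates` are where a targeted full packet capture would then be pointed to confirm what actually left.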