An organization experiences a cybersecurity incident involving a command-and-control server. Which of the following logs should be analyzed to identify the impacted host? (Choose two.)
Changing my answer
Network logs (Option D): These logs can help identify network connections to the command-and-control server and provide information about source IP addresses (the impacted host) and destination IP addresses (the command-and-control server).
Firewall logs (Option E): Firewall logs also track network traffic and can provide valuable information about source and destination IP addresses, helping identify the impacted host and its communication with the command-and-control server.
B. Authentication logs: These logs record user authentication events, including successful and failed login attempts. By analyzing authentication logs, you can determine if unauthorized users accessed the system or if legitimate users' credentials were compromised.
D. Network logs: Network logs record information about network traffic, such as source and destination IP addresses, ports, protocols, and connection attempts. Analyzing network logs can help identify communication with the command-and-control server, revealing which hosts were communicating with it.
I disagree. Command and Control is common in RATs, which do not need authentication to take control of the system. D and E make more sense, since Command and Control is all about establishing a connection back to the attacker from the victim machine.
Option A, "Application logs," may be useful for identifying specific application-related issues, but they might not directly point to the command-and-control server.
Option C, "Error logs," typically record application or system errors, and while they may be helpful in troubleshooting, they might not directly indicate a command-and-control server's presence.
Option E, "Firewall logs," are useful for monitoring and controlling traffic between networks, but they might not directly identify the impacted host without additional context.
Option F, "System logs," provide information about system activities and events, but they may not be the most specific logs for identifying the host communicating with a command-and-control server.
D. Network Logs: Network logs record information about network traffic, including communication between hosts and external entities. By analyzing network logs, you can identify connections to and from the command-and-control server, helping to trace the affected hosts.
E. Firewall Logs: Firewall logs provide details about the traffic that passes through the organization's firewall. They can reveal attempts by hosts to communicate with external servers, including command-and-control servers. Analyzing firewall logs can help identify the hosts involved in the incident and the nature of their communication with the command-and-control server.
By analyzing both network and firewall logs, organizations can gain insight into which hosts within their network may have been compromised or are attempting to establish unauthorized connections with external entities like command-and-control servers.
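The D/E reasoning above is what a SOC analyst actually does against the firewall export: pull every line whose destination matches the C2 indicator, group by internal source address, and look for the regular beacon cadence that distinguishes an implant from a one-off hit. The following is an added example written for this page, not code from the thread or from any vendor; the key=value log format, the firewall name fw01, and the addresses (203.0.113.10 as the C2 server, 10.0.0.0/8 as the LAN) are constructed for illustration.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log lines (not from any real device). The layout is
# a generic "timestamp host key=value ..." syslog style; real appliances differ in
# field names, so adjust LINE_RE and the keys below to your own export.
# 203.0.113.10 (TEST-NET-3) stands in for the C2 server.
SAMPLE_FIREWALL_LOG = """\
2024-03-01T09:00:00Z fw01 action=allow src=10.0.0.21 dst=203.0.113.10 dport=443 proto=tcp
2024-03-01T09:00:05Z fw01 action=allow src=10.0.0.33 dst=198.51.100.7 dport=443 proto=tcp
2024-03-01T09:01:00Z fw01 action=allow src=10.0.0.21 dst=203.0.113.10 dport=443 proto=tcp
2024-03-01T09:02:00Z fw01 action=allow src=10.0.0.21 dst=203.0.113.10 dport=443 proto=tcp
2024-03-01T09:02:30Z fw01 action=allow src=10.0.0.42 dst=203.0.113.10 dport=443 proto=tcp
2024-03-01T09:03:00Z fw01 action=allow src=10.0.0.21 dst=203.0.113.10 dport=443 proto=tcp
2024-03-01T09:04:00Z fw01 action=deny src=10.0.0.21 dst=203.0.113.10 dport=4444 proto=tcp
"""

# Indicator set you would normally load from threat intel or the IR ticket.
C2_INDICATORS = {"203.0.113.10"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kv>.*)$")


def parse_line(line):
    """Turn one log line into a dict of fields, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(pair.split("=", 1) for pair in m["kv"].split())
    fields["ts"] = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    fields["fw"] = m["host"]
    return fields


def c2_contacts(log_text, indicators):
    """Group every record whose destination is a C2 indicator by internal source IP."""
    contacts = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and rec.get("dst") in indicators:
            contacts[rec["src"]].append(rec)
    return dict(contacts)


def beacon_interval(records):
    """Mean and population stdev (seconds) of gaps between connections.

    A low stdev relative to the mean is the classic sign of a timed beacon.
    Returns None when there are too few connections to judge cadence.
    """
    ts = sorted(r["ts"] for r in records)
    if len(ts) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return statistics.mean(gaps), statistics.pstdev(gaps)


def summarize(log_text, indicators):
    """Per-source summary: counts, denied attempts, first/last seen, beacon cadence."""
    summary = {}
    for src, recs in c2_contacts(log_text, indicators).items():
        summary[src] = {
            "connections": len(recs),
            "denied": sum(1 for r in recs if r["action"] == "deny"),
            "first_seen": min(r["ts"] for r in recs),
            "last_seen": max(r["ts"] for r in recs),
            "beacon": beacon_interval(recs),
        }
    return summary


if __name__ == "__main__":
    for src, info in summarize(SAMPLE_FIREWALL_LOG, C2_INDICATORS).items():
        print(src, info)
```

On the constructed data, 10.0.0.21 shows five contacts spaced exactly 60 seconds apart (mean 60.0, stdev 0.0) plus one denied attempt on port 4444, which is the host to image first; 10.0.0.42 made a single allowed connection and needs a look but not the same urgency. One caveat worth remembering when reading this back onto the D/E answer: if the firewall logs post-NAT addresses, the "src" field is the NAT pool, not the workstation, and you need the pre-NAT source (or the NAT table, DHCP lease, or internal flow logs) to land on the actual impacted host.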
DE - See the following descriptions per Dion Training 701 Guide. Key word: "analyze impact". The fastest way to check the impact is the network, to see if there is a spread and whether the firewall was bypassed.
Firewall Logs monitor network traffic & detect unauthorized access
Network Logs - Records activity and connections
If you're trying to identify the impacted host(s), then answers A, E & F are out completely (you would need to already know the host). B is out because a C&C server doesn't need nor use your network's authentication mechanisms.
This one is straightforward.
To find a specific host the network and system logs would be most helpful. Firewall logs would only tell about outside threats and wouldn't point to a specific host on the network.
While the other logs (A. Application, B. Authentication, C. Error, and E. Firewall) can be valuable for investigating various aspects of a cybersecurity incident, they may not provide as direct information about the specific host impacted by the C2 server. Network and system logs are more likely to reveal details about the communication and activities related to the C2 server, which is crucial for identifying the affected host.
When an organization experiences a cybersecurity incident involving a command-and-control (C2) server, the logs that should be analyzed to identify the impacted host are as follows:
D. Network: Network logs can provide information about the connections made to and from the C2 server. Analyzing network logs can help identify the source and destination IP addresses, ports, and communication patterns related to the C2 server. This information can help pinpoint the impacted host.
F. System: System logs on the impacted host can provide information about unusual or suspicious activities, such as system processes, services, or applications that may have been compromised or interacted with the C2 server. Analyzing system logs can help identify the affected system and understand the extent of the compromise.
While the other logs (A. Application, B. Authentication, C. Error, and E. Firewall) can be valuable for investigating various aspects of a cybersecurity incident, they may not provide as direct information about the specific host impacted by the C2 server. Network and system logs are more likely to reveal details about the communication and activities related to the C2 server, which is crucial for identifying the affected host.
Network logs (Option D) can help identify the network connections between the compromised host and the command-and-control server, but they may not directly reveal the identity of the impacted host itself.
System logs (Option F) can provide information about system-level events and activities on the host, which may include logs related to processes or services involved in the incident. While they may not always directly identify the impacted host, they can provide context and details about the host's behavior during the incident.
D. Network logs: Analyzing network logs can help identify communication with the command-and-control server and trace the affected host.
E. Firewall logs: Firewall logs can provide insight into potential unauthorized access and identify the source and destination of network traffic, which can help trace the affected host.
As usual, I think people are overthinking this. I'm going Network and Firewall. I could see Authentication being correct as well, but the MOST correct are Network and Firewall (IMHO)
To identify the impacted host in a cybersecurity incident involving a command-and-control server, you should focus on analyzing network logs (Option D) and firewall logs (Option E). Both of these logs can provide insights into network traffic, connections, and communication with external servers, which is crucial for identifying the affected host.
Network logs can show you connections to and from the command-and-control server, while firewall logs can reveal attempts to communicate with external servers, including the malicious command-and-control server.
So, the correct options are:
D. Network
E. Firewall
chatgpt:
D. Network Logs: Network logs can provide information about network traffic, connections, and communication patterns. Analyzing network logs can help identify communication with the command-and-control server and trace the affected host.
E. Firewall Logs: Firewall logs can provide details about incoming and outgoing traffic, including attempts to connect to external servers. These logs can help identify communication between the impacted host and the command-and-control server.
While other logs such as authentication logs (option B) and system logs (option F) might also provide relevant information, the network and firewall logs are particularly important in identifying the impacted host in a command-and-control server incident.
B vs. E (Authentication vs. Firewall) - It's a bit trickier. If the question focuses solely on the initial identification of the C2 communication, then the firewall log may have a slight edge because it would log any attempts of an internal machine trying to reach out to an external one, regardless of the nature of that communication. Authentication logs are valuable for understanding lateral movement and potential privilege escalation but may not be the first place to identify a host impacted by C2 communication unless that communication mimics authentication traffic.
That said, the choice between B and E can depend on the specific architecture and logging capabilities of the organization. In many real-world scenarios, both would be scrutinized. For the purpose of this specific question, given the details provided, D and E might be more directly relevant, but an argument for B and D can be made depending on the assumed nature of the C2 communication.