
Exam CS0-002 topic 1 question 292 discussion

Actual exam question from CompTIA's CS0-002
Question #: 292
Topic #: 1

A security analyst is reviewing WAF logs and notes requests against the corporate website are increasing and starting to impact the performance of the web server. The security analyst queries the logs for requests that triggered an alert on the WAF but were not blocked. Which of the following possible TTP combinations might warrant further investigation? (Choose two.)

  • A. Requests identified by a threat intelligence service with a bad reputation
  • B. Requests sent from the same IP address using different user agents
  • C. Requests blocked by the web server per the input sanitization
  • D. Failed log-in attempts against the web application
  • E. Requests sent by NICs with outdated firmware
  • F. Existence of HTTP/501 status codes generated to the same IP address
Suggested Answer: AB
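The log triage the question describes, as an added example that is not part of the exam question or the site's content: parse constructed WAF records, keep only requests the WAF alerted on but did not block, and count per source IP the two indicators from options B (distinct user agents) and F (HTTP 501 responses). The JSON-lines format and the field names (`src`, `status`, `action`, `ua`) are assumptions, not any particular WAF's schema.

```python
import json
from collections import defaultdict

# Constructed sample WAF records (JSON lines), not real traffic; field names are assumed.
SAMPLE_LOG = """\
{"src":"203.0.113.7","method":"GET","path":"/","status":200,"action":"alert","ua":"Mozilla/5.0 (Windows NT 10.0)"}
{"src":"203.0.113.7","method":"GET","path":"/login","status":200,"action":"alert","ua":"curl/8.0"}
{"src":"203.0.113.7","method":"PATCH","path":"/api","status":501,"action":"alert","ua":"python-requests/2.31"}
{"src":"203.0.113.7","method":"TRACE","path":"/","status":501,"action":"alert","ua":"python-requests/2.31"}
{"src":"198.51.100.9","method":"GET","path":"/","status":200,"action":"alert","ua":"Mozilla/5.0 (X11; Linux)"}
{"src":"198.51.100.9","method":"POST","path":"/login","status":403,"action":"block","ua":"Mozilla/5.0 (X11; Linux)"}
{"src":"192.0.2.5","method":"GET","path":"/","status":200,"action":"alert","ua":"Mozilla/5.0 (iPhone)"}
"""

def parse_waf_log(text):
    """Parse JSON-lines WAF output, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a bad line should not stop triage
    return events

def per_source_indicators(events, ua_threshold=2, err_threshold=2):
    """Keep only requests the WAF alerted on but did not block (the query in the
    question), group them by source IP and score the two indicators from options
    B (distinct user agents) and F (HTTP 501 responses)."""
    agents = defaultdict(set)
    errors = defaultdict(int)
    for e in events:
        if e.get("action") != "alert":
            continue
        agents[e["src"]].add(e.get("ua", ""))
        if e.get("status") == 501:
            errors[e["src"]] += 1
    report = {}
    for ip, uas in agents.items():
        flags = []
        if len(uas) >= ua_threshold:
            flags.append("B:multiple_user_agents")
        if errors[ip] >= err_threshold:
            flags.append("F:repeated_http_501")
        report[ip] = {"user_agents": len(uas), "http_501": errors[ip], "flags": flags}
    return report
```

Running `per_source_indicators(parse_waf_log(SAMPLE_LOG))` flags only 203.0.113.7, on both indicators; the blocked request from 198.51.100.9 is excluded before counting, matching the analyst's "alerted but not blocked" filter.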

Comments

db97
Highly Voted 2 years, 2 months ago
A. I can easily discard this option as the attempts might not necessarily come from a flagged IP/domain/user-agent. B. This is a good one; a number of requests from the same source IP is always a hint. C. Discarded, because the question says that the WAF didn't block anything and doesn't provide more context on whether the web server is capable of doing that (which I don't think so, that's why they are using a WAF lol). D. This is a good one too, but it doesn't tell me if the failed attempts are coming from the same source IP. These failed attempts might come from different IPs. E. Discarded, WAF can't tell you this information lol. F. This error is triggered when someone attempted to load a function/method on the web server that is not allowed or is not implemented; it always tells you to try later. If this is coming from the same source IP it is a red flag because that means that it's trying to grab information or test potential vulnerabilities. Conclusion: many attempts/errors from the same source IP are red flags. Based on the above, my answer is: BF.
upvoted 5 times
2Fish
2 years, 1 month ago
Agree. High number of 501s could indicate an attacker is testing the server or application and preparing for an advanced attack. And as you mentioned, many requests from the same IP is suspicious.
upvoted 1 times
Bubu3k
Most Recent 1 year, 8 months ago
Selected Answer: AF
A is for sure, but both B and F can be. Keep in mind that in a home all clients (laptops, phones, TVs) go out with the same public IP. So you could have 2 or more people using different browsers or devices to access at the same time, so that, in my opinion, would make B have too much noise to be a valid choice. On the other hand, probing to see which functions are available might indicate somebody looking for possible attack vectors. I'd go with AF, who knows.
upvoted 2 times
Sleezyglizzy
1 year, 9 months ago
BF makes sense
upvoted 3 times
kyky
1 year, 10 months ago
Selected Answer: AB
A. Requests identified by a threat intelligence service with a bad reputation: If requests are being flagged by a threat intelligence service with a bad reputation, it indicates potential malicious activity. Further investigation is necessary to determine the nature and intent of these requests. B. Requests sent from the same IP address using different user agents: This behavior can be indicative of an attacker attempting to obfuscate their identity by using different user agents. It could suggest a potential attempt to bypass security measures or launch targeted attacks. Investigating the source and intent of these requests is important.
upvoted 3 times
kiduuu
2 years ago
Selected Answer: BF
B. Requests sent from the same IP address using different user agents: This could indicate an attacker using a tool or script to send automated requests, trying to evade detection by changing the user agent with each request. F. Existence of HTTP/501 status codes generated to the same IP address: This could indicate an attacker attempting to exploit a vulnerability in the web application, which may be causing the web server to generate errors when processing certain requests.
upvoted 1 times
HereToStudy
2 years, 1 month ago
Selected Answer: BF
B & F Existence of HTTP/501 status codes generated to the same IP address: This could indicate that an attacker is attempting to exploit a vulnerability in the web server or web application. The HTTP/501 status code indicates that the server does not support the functionality required to fulfill the request, which could be an indication of an attempted attack.
upvoted 2 times
Kashim
2 years, 1 month ago
Selected Answer: AB
A. Requests identified by a threat intelligence service with a bad reputation B. Requests sent from the same IP address using different user agents The requests identified by a threat intelligence service with a bad reputation and requests sent from the same IP address using different user agents may indicate malicious behavior and could warrant further investigation. The other options listed are not necessarily indicators of malicious activity.
upvoted 4 times
encxorblood
2 years, 2 months ago
Selected Answer: BF
Based on the scenario provided, the two possible TTP combinations that might warrant further investigation are: B. Requests sent from the same IP address using different user agents - This TTP combination could indicate an attacker is using a technique known as user-agent spoofing to evade detection by the WAF. This technique involves modifying the user-agent header in the HTTP request to mimic legitimate user agents, making it difficult for the WAF to detect and block malicious traffic. F. Existence of HTTP/501 status codes generated to the same IP address - HTTP/501 status codes indicate that the web server does not support the functionality required to fulfill the request. This TTP combination could indicate an attacker is probing the web server for vulnerabilities or misconfigurations. The repeated occurrence of HTTP/501 status codes from the same IP address could suggest that an attacker is using an automated tool to scan the web server.
upvoted 4 times
Cock
2 years, 2 months ago
Selected Answer: BD
B. Requests sent from the same IP address using different user agents may indicate an attacker attempting to evade detection by using different agents. D. Failed log-in attempts against the web application may indicate an attacker attempting to gain unauthorized access. A, C, E, and F do not necessarily indicate an attack, or are less likely to indicate a security incident. Requests identified by a threat intelligence service with a bad reputation may be blocked, requests blocked by the web server per the input sanitization may indicate successful security controls, requests sent by NICs with outdated firmware may indicate system misconfigurations, and existence of HTTP/501 status codes generated to the same IP address may indicate network or web server issues.
upvoted 2 times
CatoFong
2 years, 3 months ago
Selected Answer: BD
I'm thinking it's a combination of either A or B, plus D. A brute-force attack (failed logons) could hinder the web server's performance. Requests from the same IP and different user agents is something nefarious to look into. And A, threat intel with a bad reputation makes sense but also requires a follow-up step to refer to those threat intel feeds... I'm leaning BD as the answer.
upvoted 1 times
gnnggnnggnng
2 years, 3 months ago
Selected Answer: AB
A and B are potential indications of malicious activity. Requests identified by a threat intelligence service with a bad reputation may indicate the presence of a known malicious IP address. Requests sent from the same IP address using different user agents may suggest an attempt to bypass IP-based blocking or to evade detection. D and E are not likely to be related to the performance impact of the WAF, so they may not warrant further investigation. Failed log-in attempts against the web application are not necessarily indicative of malicious activity, although they may contribute to increased load on the web server. Requests sent by NICs with outdated firmware may be a sign of an outdated device but not necessarily indicative of malicious activity. HTTP/501 status codes generated to the same IP address may indicate the presence of a vulnerability in the web application, but they may not necessarily be related to the performance impact of the WAF.
upvoted 4 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other