Questions ON Security - TechRepublic
Question
March 24, 2009 at 06:46 AM
gbolaa

by gbolaa. Updated 17 years, 3 months ago

Information available to you is PIX "informational" logging from a syslog server. Standard internet access with caching DNS service is also available during your investigation.

For each scenario below, describe in detail the technical steps you would take and the conclusion you reach.

1. You notice an unusual spike in TCP and UDP flows from a single internal source to multiple destinations. Describe in detail the steps you would take to determine the type of traffic that this represents.

2. You have observed TCP connections to an IP address. The HTTP connections return a file named a.txt but when you try to retrieve the file with your browser you receive a 404 error code. You do not know the DNS name associated with the IP address (there is no reverse map). Describe the steps you would take to retrieve a.txt. Provide a plausible explanation why another machine on your network is retrieving a.txt but you are not able to do the same.

3. You are presented with a list of known bad DNS names but are not allowed to monitor traffic with network sniffers. You are asked to indicate which names are in use on your network without using a network sniffer. Describe, in detail, the steps you would take.

4. You receive a report that an attacker from the external Internet has connected inbound via port 443 to remotely control a host on your internal network, but you know the firewall blocks inbound connections. Do your best to explain possible reasons for this activity.

5. A user reports that although he was logged into a web application at the time, he did not conduct the transaction that the web application purports. We know conclusively that the login has not been shared. What are some possible causes, and what would you do to investigate them?
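Scenario 1 turns on reading the PIX connection log to characterise a fan-out spike. The following is an added example, not part of the original post: it parses PIX/ASA "Built ... connection" syslog lines (message IDs 302013 for TCP and 302015 for UDP) and summarises, per internal initiator, how many distinct destinations were reached and whether a single destination port dominates, which is the first thing an analyst wants to know before deciding whether the traffic is a sweep, a worm or peer-to-peer. The field order (initiator on the "to" side of an outbound build), the interface names and the sample lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Connection-built lines for PIX/ASA syslog IDs 302013 (TCP) and 302015 (UDP).
# Assumption: for an "outbound" build the "to" side is the internal initiator.
BUILT_RE = re.compile(
    r"%(?:PIX|ASA)-6-3020(?:13|15): Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP)"
    r" connection \d+ for \w+:(?P<ip1>[\d.]+)/(?P<p1>\d+) \S+ to \w+:(?P<ip2>[\d.]+)/(?P<p2>\d+)"
)

def parse_builds(lines):
    """Yield (initiator_ip, proto, dst_ip, dst_port) for each built connection."""
    for line in lines:
        m = BUILT_RE.search(line)
        if m is None:
            continue  # teardowns, denies and other message IDs are ignored here
        if m["dir"] == "outbound":
            yield m["ip2"], m["proto"], m["ip1"], int(m["p1"])
        else:
            yield m["ip1"], m["proto"], m["ip2"], int(m["p2"])

def fan_out(lines, min_hosts=5):
    """Summarise initiators that reached at least min_hosts distinct destinations."""
    hosts, ports, protos = defaultdict(set), defaultdict(lambda: defaultdict(int)), defaultdict(set)
    for src, proto, dip, dport in parse_builds(lines):
        hosts[src].add(dip)
        ports[src][dport] += 1
        protos[src].add(proto)
    report = {}
    for src, dst in hosts.items():
        if len(dst) < min_hosts:
            continue
        top_port, top_n = max(ports[src].items(), key=lambda kv: kv[1])
        # One port dominating many hosts suggests a sweep or worm; many ports
        # spread across many hosts looks more like peer-to-peer traffic.
        report[src] = {"hosts": len(dst), "protocols": sorted(protos[src]),
                       "top_port": top_port, "top_port_share": round(top_n / sum(ports[src].values()), 2)}
    return report

# Constructed sample lines (RFC 5737 documentation addresses), not a real capture.
SAMPLE = [
    f"%PIX-6-302013: Built outbound TCP connection {100 + i} for outside:203.0.113.{i}/445 "
    f"(203.0.113.{i}/445) to inside:10.1.1.20/{40000 + i} (192.0.2.1/{40000 + i})"
    for i in range(1, 9)
] + [
    "%PIX-6-302015: Built outbound UDP connection 200 for outside:198.51.100.7/53 "
    "(198.51.100.7/53) to inside:10.1.1.30/5353 (192.0.2.1/5353)",
]
```

Run `fan_out(SAMPLE)` to see 10.1.1.20 flagged for eight hosts all on port 445, while 10.1.1.30's single DNS lookup stays below the threshold.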
