Which telemetry data captures variations seen within the flow, such as the packet's TTL, IP/TCP flags, and payload length?
Answer(s): A
The telemetry information consists of three types of data:
+ Flow information: This information contains details about endpoints, protocols, ports, when the flow started, how long the flow was active, etc.
+ Interpacket variation: This information captures any interpacket variations within the flow. Examples include variation in Time To Live (TTL), IP and TCP flags, payload length, etc.
+ Context details: Context information is derived outside the packet header. It includes details about variation in buffer utilization, packet drops within a flow, association with tunnel endpoints, etc.
https://www.cisco.com/c/dam/global/en_uk/products/switches/cisco_nexus_9300_ex_platform_switches_white_paper_uki.pdf
How is ICMP used as an exfiltration technique?
Answer(s): C
Which exfiltration method does an attacker use to hide and encode data inside DNS requests and queries?
DNS Tunneling is a method of cyber attack that encodes the data of other programs or protocols in DNS queries and responses. DNS tunneling often includes data payloads that can be added to an attacked DNS server and used to control a remote server and applications.
How is DNS tunneling used to exfiltrate data out of a corporate network?
Answer(s): B
Domain name system (DNS) is the protocol that translates human-friendly URLs, such as securitytut.com, into IP addresses, such as 183.33.24.13. Because DNS messages are only used as the beginning of each communication and they are not intended for data transfer, many organizations do not monitor their DNS traffic for malicious activity. As a result, DNS-based attacks can be effective if launched against their networks. DNS tunneling is one such attack.
An example of DNS Tunneling is shown below:
1. The attacker incorporates one of many open-source DNS tunneling kits into an authoritative DNS nameserver (NS) and malicious payload.
2. An IP address (e.g. 1.2.3.4) is allocated from the attacker's infrastructure and a domain name (e.g. attackerdomain.com) is registered or reused. The registrar informs the top-level domain (.com) nameservers to refer requests for attackerdomain.com to ns.attackerdomain.com, which has a DNS record mapped to 1.2.3.4.
3. The attacker compromises a system with the malicious payload. Once the desired data is obtained, the payload encodes the data as a series of 32 characters (0-9, A-Z) broken into short strings (3KJ242AIE9, P028X977W,...).
4. The payload initiates thousands of unique DNS record requests to the attacker's domain with each string as a part of the domain name (e.g. 3KJ242AIE9.attackerdomain.com). Depending on the attacker's patience and stealth, requests can be spaced out over days or months to avoid suspicious network activity.
5. The requests are forwarded to a recursive DNS resolver. During resolution, the requests are sent to the attacker's authoritative DNS nameserver.
6. The tunneling kit parses the encoded strings and rebuilds the exfiltrated data.
https://learn-umbrella.cisco.com/i/775902-dns-tunneling/0
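The pattern in steps 3 and 4 above (many unique, random-looking subdomains under one parent domain) is what DNS monitoring can look for. The following detection sketch is an added example, not part of the original page or the Cisco material; the log format, the thresholds, the last-two-labels parent heuristic, and all sample lines other than the two strings quoted in step 3 are assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log: "<client-ip> <qname>" (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.7 3KJ242AIE9.attackerdomain.com
10.0.0.7 P028X977W.attackerdomain.com
10.0.0.7 Q7ZL01MX4T.attackerdomain.com
10.0.0.7 8HV5R2K9DA.attackerdomain.com
10.0.0.7 W4N6B1YC3E.attackerdomain.com
10.0.0.9 cdn.example.org
"""

def shannon_entropy(s):
    """Bits per character of the string's own character distribution."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def parse(log):
    """Yield (client, subdomain, parent) per query. The parent is naively the
    last two labels (assumption; production code needs a public-suffix list)."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines
        client, qname = parts
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue  # no subdomain available to carry encoded data
        yield client, ".".join(labels[:-2]), ".".join(labels[-2:])

def suspicious_domains(log, min_unique=5, min_entropy=2.8):
    """Return {parent: (clients, unique_subdomains)} for parents that receive
    many unique, high-entropy subdomains. Thresholds are illustrative only."""
    subs, clients = defaultdict(set), defaultdict(set)
    for client, sub, parent in parse(log):
        subs[parent].add(sub)
        clients[parent].add(client)
    flagged = {}
    for parent, names in subs.items():
        mean_h = sum(shannon_entropy(n) for n in names) / len(names)
        if len(names) >= min_unique and mean_h >= min_entropy:
            flagged[parent] = (sorted(clients[parent]), len(names))
    return flagged

if __name__ == "__main__":
    print(suspicious_domains(SAMPLE_LOG))
```

Because step 4 notes that requests can be spread over days or months, the unique-subdomain count has to be accumulated over a long window rather than per minute or per hour.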