The objective is to gather the actual log entries ("supporting evidence") related to login failures for a specific date. The command grep 20151124 securitylog | grep "login" correctly performs this task in two stages. First, grep 20151124 securitylog filters the securitylog file for all lines containing the string for the correct date (November 24, 2015). Second, the output is piped (|) to grep "login", which further filters the results to show only the lines containing the term "login". This provides the analyst with all login-related events from that day, including the failures, which can then be reviewed as evidence.

A. The -c flag provides only a count of matching lines, not the actual log data needed for evidence.

B. This command searches for the incorrect date (20150124 is January 24) instead of the required November 24, 2015.

D. Similar to option A, the -c flag returns a numerical count instead of the log entries themselves.

1. GNU Grep 3.11 Manual

Section 2.1

"Command-line Options": The official documentation for grep specifies the function of the -c or --count option: "Suppress normal output; instead print a count of matching lines for each input file." This confirms that options A and D would not provide the evidentiary data required by the analyst.

2. MIT OpenCourseWare

6.005 Software Construction

Spring 2016

"Reading 1: Static Checking": In the section on "Pipes and filters

" the courseware explains the use of the pipe (|) operator to connect the output of one command to the input of another. It provides an example: ls | grep .java

which is analogous to the structure used in the question for filtering log data in stages. This validates the command's structure.

3. University of California

Berkeley

EECS Department

"CS 161: Computer Security

Fall 2020

Lab 0": This lab exercise instructs students on using command-line tools for security tasks. It demonstrates using grep to search for specific patterns in files and using pipes to combine commands for more complex filtering

which is the exact technique required to solve the problem posed in the question.

The scenario describes a classic indicator of a data exfiltration event. The key elements are an "excessive amount of traffic" (a large volume of data) originating from an "external-facing host" (a potentially compromised asset) and being sent to an "unknown location on the Internet" (an unauthorized, non-business-related destination). This pattern strongly suggests that a malicious actor has compromised the host and is actively stealing and transferring sensitive data. The "intermittent network communication problems" are a secondary symptom caused by the exfiltration traffic consuming available network bandwidth.

A. The network is experiencing a denial of service (DoS) attack.

A DoS attack typically involves a flood of inbound traffic to overwhelm a service, not a large volume of outbound traffic from a single host.

C. Rogue hardware has been installed.

While rogue hardware can cause network issues, it does not directly explain the specific pattern of high-volume, directed outbound traffic originating from a specific host.

D. An administrator has misconfigured a web proxy.

A misconfiguration is more likely to cause connection failures or routing errors rather than a sustained, excessive flow of data to a single unknown, malicious destination.

1. NIST Special Publication 800-61 Rev. 2

Computer Security Incident Handling Guide. Section 3.2.2

"Signs of an Incident

" lists common indicators. Indicator #5 states

"Unusual outbound network traffic... Large amounts of outbound traffic from a particular host may indicate that sensitive data is being exfiltrated." (Page 24).

2. Purdue University

CERIAS (The Center for Education and Research in Information Assurance and Security). In technical reports on intrusion detection

such as "A Survey of Anomaly Detection Techniques in Network Intrusion Detection

" it is established that significant deviations from baseline network behavior

such as unusually large outbound data flows to new or suspicious IP addresses

are primary indicators of compromise and potential data exfiltration. (e.g.

Garcia-Teodoro

P.

et al.

2009. Anomaly-based network intrusion detection: Techniques

systems and challenges. Computers & Security

28(1-2)

pp.18-28. https://doi.org/10.1016/j.cose.2008.08.003).

3. MIT OpenCourseWare

6.858 Computer Systems Security

Fall 2014. Lecture notes on Network Security discuss traffic analysis as a method for detecting compromises. Monitoring for anomalous traffic patterns

including large

unexpected outbound connections

is a fundamental technique for identifying systems that have been compromised for purposes such as data exfiltration. (See Lecture 15: Network Security).

The described activities—installing unapproved remote access software and updates—are classic examples of an attacker establishing persistence. Persistence techniques are used by malicious actors to maintain access to a compromised system across interruptions such as system reboots, credential changes, or other defensive measures. The remote access software creates a backdoor for the attacker to reconnect at will, while unapproved updates could be used to modify system configurations or install malicious code that ensures their continued foothold on the server.

A. Expanding access: This phase involves escalating privileges on the compromised host or moving laterally to other systems on the network, which is not what is described.

B. Covering tracks: This involves removing evidence of the intrusion, such as deleting logs or malware. The actions taken here add tools and make changes, which is the opposite.

C. Scanning: This is a reconnaissance activity performed before an intrusion to identify vulnerabilities. The scenario describes actions taken after the system has already been compromised.

1. MITRE. (2023). ATT&CK Framework

Enterprise Tactic TA0003 - Persistence. The MITRE ATT&CK framework

a globally-accessible knowledge base of adversary tactics and techniques

defines persistence as the set of techniques adversaries use to maintain access to systems. It explicitly lists "External Remote Services" (T1133) and modifying system configurations as methods for achieving this. The installation of remote access software directly aligns with this definition.

Source: MITRE ATT&CK

Tactic TA0003

"Persistence". Available at: https://attack.mitre.org/tactics/TA0003/

2. Purdue University. (n.d.). The Cyber Kill Chain. Course materials from Purdue University's Cyber Forensics program describe the attack lifecycle. The "Installation" phase

which follows initial exploitation

involves installing malware or backdoors on the victim's system to establish a persistent presence. This directly corresponds to the installation of remote access software mentioned in the scenario.

Source: Purdue University Global

"The Cyber Kill Chain

" section on Stage 4: Installation.

3. Conti

G.

& Sobiesk

E. (2010). An Offensive and Defensive Security Curriculum. In this academic paper presented at the 4th USENIX Workshop on Offensive Technologies (WOOT '10)

the authors outline a security curriculum that includes the phases of an attack. They describe the "Maintaining Access" phase

which involves installing rootkits

backdoors

or other mechanisms to ensure the attacker can return to the compromised system. This academic source categorizes the described activity as maintaining access

synonymous with persistence.

Source: USENIX

WOOT '10 Proceedings

Page 4

Section "Maintaining Access".

Incident response (IR) is the systematic approach an organization takes to manage the aftermath of a security breach or cyberattack. The process is fundamentally reactive. It involves handling systems that are victims of a malicious act (C) as well as systems that have been compromised and are being used to perpetrate a crime (A), as both scenarios constitute a security incident. A critical activity within the response process, particularly during the analysis and containment phases, is the forensic collection of data from affected computer media (B). This evidence is essential for understanding the incident's scope, impact, and origin.

D. Analyzing a system: This is too generic. While system analysis is a part of incident response, it is also a routine task for performance tuning, troubleshooting, or vulnerability management, not exclusively an IR example.

E. Threat Modeling: This is a proactive risk assessment activity performed during the preparation or system design phase to identify potential threats before an incident occurs, not a reactive response to an active incident.

1. National Institute of Standards and Technology (NIST). (2012). Computer Security Incident Handling Guide (NIST Special Publication 800-61 Rev. 2).

Page 5

Section 2.1

"What Is an Incident?": Defines an incident as a violation of security policies. Scenarios A and C clearly fall under this definition as they represent policy violations (e.g.

unauthorized use

compromise of integrity).

Page 14

Section 2.4.3

"Evidence Gathering and Handling": This section explicitly details the importance and process of collecting data from various sources

including system images and network traffic

which directly supports option B.

2. Alberts

C.

& Dorofee

A. (2009). A Framework for Categorizing Key Drivers of Risk (CMU/SEI-2009-TN-025). Carnegie Mellon University

Software Engineering Institute.

Page 11

"Threats": This document

in its discussion of risk management

implicitly separates proactive threat analysis from reactive incident response. Threat modeling (E) is part of understanding threats before they are realized

which is distinct from responding to an actualized incident.

3. Kent

K.

Chevalier

S.

Grance

T.

& Dang

H. (2006). Guide to Integrating Forensic Techniques into Incident Response (NIST Special Publication 800-86).

Page 11

Section 3.1

"Data Collection": This guide emphasizes that data collection is a foundational step in the forensic process during an incident response. It states

"The data collection process involves gathering and extracting data from the digital media under examination

" which validates option B as a core IR activity.

State-sponsored hackers, also known as Advanced Persistent Threats (APTs), are entities supported by a nation-state. They possess significant financial, technical, and human resources, enabling them to develop or acquire sophisticated tools, including multiple zero-day exploits. Their primary objectives are aligned with national interests, such as espionage for intelligence gathering and sabotage to disrupt the capabilities of rival nations or organizations. These groups specifically target high-value, well-defended entities like government agencies, defense contractors, and critical infrastructure, making them the most fitting profile for the described activities. The combination of high sophistication, specific motivation, and target selection is the hallmark of a state-sponsored operation.

A. Cybercriminals: Primarily motivated by direct financial profit, they are less likely to expend the immense resources required for espionage or sabotage without a clear monetization path.

B. Hacktivists: Motivated by political or social causes, they typically lack the funding and advanced capabilities needed to develop or purchase multiple zero-day exploits.

D. Cyberterrorist: While their goals can include sabotage to incite fear, they generally do not possess the sustained resources and deep technical sophistication characteristic of a nation-state actor.

1. European Union Agency for Cybersecurity (ENISA). (2022). ENISA Threat Landscape 2022. Section 4.1.1

"State-sponsored actors

" p. 38. The report states

"State-sponsored actors are a type of threat actor that acts on behalf of a state or a government... They have significant resources (financial

human

technical) and their level of sophistication is very high... Their main motivations are espionage

sabotage

and disruption of critical infrastructure."

2. National Institute of Standards and Technology (NIST). Glossary: Advanced Persistent Threat (APT). NIST defines an APT as "An adversary with sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g.

cyber

physical

and deception)." This definition directly aligns with the capabilities described in the question.

3. Kshetri

N. (2013). Cybercrime and Cybersecurity in the Global South. Palgrave Macmillan. In Chapter 2

"Actors in the Underworld

" state-sponsored attackers are characterized by their access to "enormous resources" and their focus on "espionage or to damage another country's critical infrastructure

" distinguishing them from other actors with different motivations and capabilities. (DOI: https://doi.org/10.1057/9781137021949)

4. MITRE. Groups. The MITRE ATT&CK® framework provides detailed profiles of threat groups

many of which are designated as state-sponsored (e.g.

APT28

APT29). The descriptions consistently detail their use of sophisticated techniques

including zero-day exploits

for espionage and destructive attacks against high-value government and commercial targets.

Proxy logs provide the most effective and centralized data for this analysis. A proxy server acts as an intermediary for all outbound web requests from a network. Its logs capture detailed records for each transaction, including the source IP address (identifying the system), the authenticated username (identifying the user), the destination URL, and the volume of data transferred. By aggregating and analyzing this single source of data, an administrator can quickly identify which specific system or user is responsible for generating an anomalous or excessive amount of web traffic.

A. Browser logs: These logs are stored on individual client machines and only record the activity of that specific browser, making network-wide traffic analysis impractical.

B. HTTP logs: These are located on the destination web server and only show traffic requests made to that server, not the total outbound traffic generated by a user to all destinations.

C. System logs: These logs (e.g., Windows Event Logs, syslog) primarily record operating system and application events, and they lack the specific web traffic details needed for this type of analysis.

1. Du

W. (2019). Computer & Internet Security: A Hands-on Approach (2nd ed.). Syracuse University. In Chapter 22: Web Security

the text discusses the role of web proxies as intermediaries that can log all user web activities. Section 22.1.2 describes how proxies see all HTTP requests

making their logs a comprehensive source for monitoring user traffic.

2. Al-Qerem

A.

& Alauthman

M. (2019). Detecting anomalous user behavior using proxy server logs. International Journal of Advanced Computer Science and Applications

10(11). This paper explicitly details the use of proxy server logs for security analysis

stating

"The proxy server log files contain a huge amount of information about the users’ behavior and their interests... such as client IP address

timestamp

requested URL..." (Section II

Paragraph 2). This supports their utility in identifying unusual traffic patterns. DOI: https://doi.org/10.14569/IJACSA.2019.0101101

3. Saltzer

J. H.

& Kaashoek

M. F. (2009). Principles of Computer System Design: An Introduction. MIT OCW

Course 6.033

Spring 2009. Chapter 9

"Security

" discusses the use of firewalls and proxies as "choke points" for monitoring and controlling network traffic. The principle establishes that a centralized logging point like a proxy is the most effective place to analyze traffic from many internal clients to the external network (Section 9.5.2).

A procedure provides detailed, step-by-step instructions on how to perform a specific, routine task. The scenario describes the creation of "highly detailed instructions" for a recurring operational activity—patching assets using a specific tool. This directly aligns with the definition of a procedure, which operationalizes policies and standards by outlining the exact actions an individual must take to complete a task correctly and consistently. Procedures are the most granular form of documentation in the governance hierarchy, focusing on the "how-to" for a specific function.

A. Process: A process describes a series of related activities to achieve a result but is less detailed than a procedure, focusing on what is done, not the specific how.

C. Standard: A standard is a mandatory rule or baseline that defines specific requirements (e.g., "all patches must be applied within 30 days"), not a set of instructions.

D. Policy: A policy is a high-level document that states management's intent and organizational rules, lacking the operational, step-by-step detail of a procedure.

1. National Institute of Standards and Technology (NIST) Glossary:

Procedure: "A set of steps that can be followed to accomplish a task." This definition directly matches the "highly detailed instructions" described in the question.

Policy: "A set of rules that governs all aspects of how an organization conducts business..."

Standard: "A document

established by consensus and approved by a recognized body

that provides for common and repeated use

rules

guidelines or characteristics for activities or their results..."

Source: NIST Computer Security Resource Center (CSRC) Glossary

"Procedure

" "Policy

" "Standard" entries. (https://csrc.nist.gov/glossary)

2. Carnegie Mellon University (CMU) Information Security Office:

"A procedure is an established or official way of doing something. A procedure is a series of steps followed in a regular

definite order... Procedures provide the step-by-step instructions for how to implement policies and meet standards."

Source: Carnegie Mellon University

Information Security Office

"Policies

Standards

and Procedures." (https://www.cmu.edu/iso/governance/procedures.html)

3. NIST Special Publication 800-12 Rev. 1

An Introduction to Information Security:

This foundational document discusses the hierarchy of security documentation. It explains that procedures are "detailed

step-by-step instructions that are created to ensure that personnel can perform a given task."

Source: NIST SP 800-12 Rev. 1

Section 4.2.2 "Procedures

" Page 33.

The scenario describes a classic logic bomb: malicious code designed to execute a destructive payload when a specific condition or event occurs. In this case, the trigger is the removal of an administrator's name from an employee list. A time bomb is a specific type of logic bomb where the trigger is a date or time. Although the trigger in the scenario is event-based, "Time bomb" is the most appropriate answer among the choices, as it belongs to the same category of malware (logic bombs) characterized by a dormant payload activated by a predefined trigger.

A. Backdoor: A backdoor is a mechanism for bypassing normal authentication to gain unauthorized access to a system, which is not the function described.

B. Rootkit: A rootkit is a set of tools designed to conceal its presence and maintain privileged access on a system, not to execute a one-time destructive action.

D. Login bomb: A login bomb is a type of logic bomb specifically triggered by a user login event, which is not the trigger in this scenario.

1. National Institute of Standards and Technology (NIST) Special Publication 800-83 Rev. 1

Guide to Malware Incident Prevention and Handling for Desktops and Laptops. Section 2.3.1.4 states

"Logic bombs are a type of malicious code that is intentionally installed

often by an insider. A logic bomb remains dormant until a specific condition is met... A common type of logic bomb is a time bomb

which is set to activate on a particular date and time." This reference distinguishes a logic bomb (the scenario) from a time bomb (the closest option) and shows they are related concepts.

2. Stallings

W.

& Brown

L. (2018). Computer Security: Principles and Practice (4th ed.). Pearson. In Chapter 6

"Malicious Software

" a backdoor is defined as "a secret entry point into a program that allows someone that is aware of the backdoor to gain access without going through the usual security access procedures." This clearly differentiates it from the destructive payload in the question.

3. National Institute of Standards and Technology (NIST) Special Publication 800-12 Rev. 1

An Introduction to Information Security. In Appendix D

"Glossary

" a logic bomb is defined as "A piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met." This confirms the scenario describes a logic bomb.

URL redirection, or an "open redirect," is a web application vulnerability. It occurs when an application's code accepts user-supplied input to determine the destination for a redirect without proper validation. An attacker can craft a URL using a trusted domain that redirects the user to a malicious site. The fundamental flaw lies within the application's logic for handling redirects. Therefore, the most effective mitigation strategy is to address the vulnerability at its source by modifying the application code to validate all redirect targets, typically by using a strict whitelist of approved URLs or by preventing redirects to external domains.

B. Users: Users are the targets of the attack via phishing, not the source of the technical vulnerability itself. User training is a secondary control.

C. Network infrastructure: Network devices like firewalls can offer layered defense but do not fix the root cause, which is the flawed logic within the application.

D. Configuration files: A configuration file might hold a whitelist for a secure implementation, but the vulnerability is the application's failure to use that configuration, not the file itself.

1. OWASP Foundation. (n.d.). Unvalidated Redirects and Forwards Cheat Sheet. OWASP Cheat Sheet Series. Retrieved from https://cheatsheetseries.owasp.org/cheatsheets/UnvalidatedRedirectsandForwardsCheatSheet.html. The document states

"Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to an untrusted URL." This identifies the web application as the source.

2. MITRE Corporation. (2023). CWE-601: URL Redirection to Untrusted Site ('Open Redirect'). Common Weakness Enumeration. Retrieved from https://cwe.mitre.org/data/definitions/601.html. The description explicitly states

"The web application accepts a user-controlled input that specifies a link to an external site

and uses that link in a Redirect." This pinpoints the vulnerability's origin to the application's handling of input.

3. Boneh

D.

& Mazières

D. (2018). CS 155: Computer and Network Security

Lecture 10: Web Security Model. Stanford University. Slide 32 discusses "Open redirect" as a vulnerability where a site example.com/redirect?url=evil.com redirects to a malicious site

demonstrating it as an application-level flaw.

Brute force, dictionary, and hybrid attacks are established techniques specifically designed to discover or crack passwords. A brute-force attack systematically attempts every possible combination of characters. A dictionary attack uses a predefined list of common words, phrases, and known passwords. A hybrid attack is a more sophisticated method that combines a dictionary attack with brute-force techniques, such as by adding numbers or symbols to dictionary words (e.g., "password123"). These methods are used to either guess a password against a live authentication system or to crack stored password hashes offline.

A. Cross-Site Scripting attack: This is a web application vulnerability that injects malicious client-side scripts into a trusted website, not a direct password guessing or cracking technique.

C. Man-in-the-middle attack: This is a network eavesdropping attack that intercepts communication. While it can be used to capture credentials, it is not a method of attacking the password's composition itself.

1. National Institute of Standards and Technology (NIST) Computer Security Resource Center (CSRC) Glossary.

Brute Force Attack: Defines it as "A method of guessing a password or other sensitive data by systematically trying all possible combinations of legal characters in sequence."

Dictionary Attack: Defines it as a technique that tries "millions of likely possibilities

such as words in a dictionary" to determine a passphrase.

These definitions clearly categorize options B and E as password attack methods. The glossary can be accessed at: https://csrc.nist.gov/glossary

2. Weir

C. S.

& Douglas

G. (2012). Password cracking and counter-measures: A comparative study of the art. School of Computing

University of Abertay Dundee.

Section 2.2

"Password Cracking Techniques": This section details various password cracking methods

explicitly describing Dictionary Attacks

Brute-Force Attacks

and Hybrid Attacks. It states

"A hybrid attack is a combination of a dictionary attack and a brute-force attack... This type of attack is useful for cracking passwords that are based on a dictionary word but have been modified slightly." This directly supports B

D

and E as password attack techniques.

3. MIT OpenCourseWare

6.858 Computer Systems Security

Fall 2014.

Lecture 4: Authentication: The lecture notes discuss password security and threats

explicitly mentioning "Dictionary attack" and "Brute-force attack" as methods for cracking password hashes.

Lecture 10: Web Security: This lecture defines Cross-Site Scripting (XSS) as an attack where an attacker "injects script into an application's output

" distinguishing it from password-cracking methods. This supports the exclusion of option A.