ExamRange

In this simulation, you will explore the limitations of perimeter defenses and the necessity of host-based monitoring. Learn how to detect unauthorized changes when network-level controls fail to identify the intrusion.

CND (312-38) Network Defense Simulation

Network Scenario

Your enterprise DMZ hosts a critical public-facing web server. The perimeter is protected by a Next-Generation Firewall (NGFW) and a dedicated Network IDS (Snort). Despite these controls, attackers successfully compromised the web application and defaced the homepage. Network analysts reviewed the perimeter logs but found no actionable alerts, likely because the attack payload was obfuscated or hidden within an encrypted TLS session. The team urgently needs a mechanism to detect unauthorized modifications to system and web directory files at the host OS level.

Traffic & Logs

[FW-ALLOW] 10:14:22 TCP 203.0.113.45:51922 -> 10.0.50.10:443 (Rule: Allow_Web)
[NIDS] 10:14:23 No matching Snort signatures for Flow ID 8831
[HTTPD] 10:14:25 "POST /api/v1/upload HTTP/2.0" 200 412 "-" "Mozilla/5.0"
--- UNAUTHORIZED HOST ACTIVITY POST-COMPROMISE ---
[OS_AUDIT] stat() change detected: /var/www/html/index.php
[OS_AUDIT] Hash mismatch: Expected SHA256[a1b2c3...] Got SHA256[f9e8d7...]

Note: The network security appliances failed to inspect the payload, allowing the attacker to interact directly with the local file system.

Question

Simon had all his systems administrators implement hardware and software firewalls to ensure network security. They implemented IDS/IPS systems throughout the network to check for and stop any unauthorized traffic that may attempt to enter. Although Simon and his administrators believed they were secure, a hacker group was able to get into the network and modify files hosted on the company's website. After searching through the firewall and server logs, no one could find how the attackers were able to get in. He decides that the entire network needs to be monitored for critical and essential file changes. This monitoring tool alerts administrators when a critical file is altered. What tool could Simon and his administrators implement to accomplish this?

Expert Analysis

1. Network Context

The network relies heavily on perimeter defense (Firewalls, NIDS). However, application-layer attacks (like SQL injection or arbitrary file uploads via a web vulnerability) often pass through firewalls because they occur over legitimate ports (e.g., 443). If the traffic is encrypted, a NIDS without TLS (SSL) inspection will also fail to see the payload, so no signature can match it.

2. Identify the Gap

The attackers bypassed the network layer and modified OS-level files (`index.html`, PHP scripts, or config files). The defense strategy lacks a **Host-based Intrusion Detection System (HIDS)** focusing on **File Integrity Monitoring (FIM)**.

3. Why C is Correct

Tripwire is a classic, industry-standard File Integrity Monitoring (FIM) tool. It creates cryptographic hashes (baselines) of critical system files and directories. If an attacker modifies a monitored file, the hash changes, and Tripwire immediately alerts administrators to the unauthorized alteration.

4. Why others are wrong

  • A. Nessus: This is a vulnerability scanner used proactively to find misconfigurations, not a real-time file monitoring agent.
  • B. Snort: This is a Network IDS (NIDS). The scenario explicitly states NIDS/IPS was already implemented and bypassed. It monitors packets on the wire, not files on a disk.
  • D. Wireshark: A protocol analyzer used for manual packet capture and forensic analysis. It does not monitor host file integrity.

Mini Lesson: Defense-in-Depth & FIM

Network defenses are insufficient on their own because modern web traffic is heavily encrypted and application-layer flaws are specific to each application, so they rarely match generic network signatures.

Defense-in-Depth Principle: When perimeter controls (Firewall/IPS) fail, host-based controls must catch the intrusion. FIM is required by compliance frameworks such as PCI DSS and is one of the few controls that detects stealthy compromises that leave no network-level trace.

How FIM works: Tools like Tripwire, OSSEC, or Wazuh run as agents on the endpoint. They compare current file hashes against known-good baselines stored in a secure database. Any unexpected write action triggers a high-severity alert.
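To make the mechanism described in section 3 of the Expert Analysis and in the paragraph above concrete, here is an added minimal file-integrity monitor in Python. It is example code written for this page, not Tripwire, OSSEC or Wazuh code, and it does not use their database or report formats. It builds a baseline of SHA-256 digests plus size, permission bits and mtime for every regular file under a web root, then compares the live tree against that baseline and reports added, removed and modified paths. The `demo()` scenario is constructed: it creates a throwaway directory with three fake web files, simulates the post-compromise changes from the scenario (homepage rewritten, a file removed, a new file dropped, a permission change) and returns the comparison report.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Hypothetical minimal FIM, written for this page. Real tools (Tripwire, OSSEC,
# Wazuh) do the same baseline-and-compare cycle but store the baseline in a
# signed or otherwise protected database and run on a schedule or on file events.

# Attributes compared against the baseline, in report order.
TRACKED = ("sha256", "size", "mode", "mtime")


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files don't exhaust memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record hash, size, permission bits and mtime for every regular file under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[str(p.relative_to(root))] = {
                "sha256": file_digest(p),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,
                "mtime": st.st_mtime,
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Return added and removed paths, and for modified paths which attributes changed."""
    report = {"added": [], "removed": [], "modified": {}}
    for path, cur in current.items():
        base = baseline.get(path)
        if base is None:
            report["added"].append(path)
            continue
        changed = [k for k in TRACKED if base[k] != cur[k]]
        if changed:
            report["modified"][path] = changed
    for path in baseline:
        if path not in current:
            report["removed"].append(path)
    return report


def demo() -> dict:
    """Constructed scenario: baseline a fake web root, then apply post-compromise changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'welcome'; ?>\n")
        (root / "config.php").write_text("<?php $db = 'prod'; ?>\n")
        (root / "robots.txt").write_text("User-agent: *\n")
        os.chmod(root / "config.php", 0o644)  # fixed starting mode (POSIX assumed)
        baseline = build_baseline(root)

        # Simulated unauthorized host activity (constructed, not real attack data):
        (root / "index.php").write_text("<h1>defaced</h1>\n")  # homepage rewritten
        (root / "robots.txt").unlink()                          # file deleted
        (root / "dropped.txt").write_text("x\n")                # unexpected new file
        os.chmod(root / "config.php", 0o666)                    # permissions loosened

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report for the defaced homepage lists `sha256` and `size` regardless of whether the filesystem's timestamp resolution registers a new mtime, which is the point of hashing rather than trusting `stat()` alone. In production the baseline must live somewhere the web server's own account cannot write (Tripwire signs its database for this reason); a baseline stored in the monitored tree can simply be regenerated by whoever already owns the host.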