In this simulation, you will analyze internal network traffic that violates corporate policy. Understanding the difference between malicious external attacks and internal policy violations is crucial for proper incident classification and response workflows.

CND (312-38) Network Defense Simulation

Network Scenario

During a routine monitoring shift, the SIEM dashboard highlights a sudden spike in outbound bandwidth originating from a workstation in the Marketing department (10.0.15.22). The user logged into this machine is an authorized employee.

You pivot to the network monitoring tools and discover the endpoint is generating thousands of UDP connections to randomized high ports, characteristic of Peer-to-Peer (P2P) file-sharing applications. The company's Acceptable Use Policy (AUP) explicitly forbids the use of P2P software on corporate assets.

Traffic & Logs

[IDS ALERT] SURICATA INFO ET P2P BitTorrent Announce
[TIMESTAMP] 2023-10-24T14:22:15Z
[SRC] 10.0.15.22:51433 -> [DST] 185.14.X.X:6881

[NETFLOW STATS - 1 HOUR WINDOW]
Top Talker: 10.0.15.22
Protocol: UDP
Bytes Transferred: 4.2 GB (Outbound)
Connections: 12,450 unique destination IPs

[FW LOG] ACTION: ALLOW | RULE: Default_Outbound | APP_ID: bittorrent

[DEFENSE NOTE] User authentication logs confirm 'j.doe' is logged in locally. No signs of remote compromise (RDP/SSH) detected.

Question

Individuals in the organization using system resources in a way that violates acceptable usage policies indicates which of the following security incident(s):

The user is an employee who is allowed on the network, but their specific actions (running P2P software) break the rules established by HR and IT.

Expert Analysis

1. What is happening in the network: An authorized internal user is running a BitTorrent client. This is generating excessive outbound UDP traffic, consuming bandwidth, and exposing the corporate network to potential legal liability and malware risks associated with P2P networks.

2. Identify attack or behavior: This is not an external attack. It is an insider threat scenario characterized by a policy violation. The user has legitimate access to the endpoint but is using it in an unapproved manner.

3. Why the correct answer (B) is correct: Improper Usage incidents occur when authorized users violate the organization's Acceptable Use Policy (AUP). Examples include unauthorized file sharing, crypto-mining, accessing restricted content, and unauthorized software installation.

4. Why others are wrong:

5. Defensive action: Immediately isolate the host (10.0.15.22) from the network to stop the unauthorized data transfer. Configure the Next-Generation Firewall (NGFW) with Application Control (Layer 7) to block 'bittorrent' and other P2P application signatures, rather than relying purely on port blocking. Escalate the incident to HR/Management per the standard incident response plan.
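The correlation that steps 1 to 3 walk through (internal source, locally authenticated user, no sign of remote compromise, P2P application allowed by a catch-all rule, hence Improper Usage rather than an external attack or a compromise) can be expressed as triage logic. The following is an added example, not part of the simulation or any vendor tooling; it parses constructed copies of the four log records above and assumes a 10.0.0.0/8 corporate range, NGFW-style application-id names and a 1 GB/hour per-workstation baseline.

```python
import ipaddress
import re

# Constructed sample events, modelled on the simulation's log excerpt.
SAMPLE_EVENTS = {
    "ids": "[IDS ALERT] SURICATA INFO ET P2P BitTorrent Announce [TIMESTAMP] "
           "2023-10-24T14:22:15Z [SRC] 10.0.15.22:51433 -> [DST] 185.14.X.X:6881",
    "netflow": "[NETFLOW STATS - 1 HOUR WINDOW] Top Talker: 10.0.15.22 Protocol: UDP "
               "Bytes Transferred: 4.2 GB (Outbound) Connections: 12,450 unique destination IPs",
    "fw": "[FW LOG] ACTION: ALLOW | RULE: Default_Outbound | APP_ID: bittorrent",
    "auth": "[DEFENSE NOTE] User authentication logs confirm 'j.doe' is logged in locally. "
            "No signs of remote compromise (RDP/SSH) detected.",
}

# Assumptions: corporate address space, NGFW app-id names, hourly per-host baseline.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
P2P_APP_IDS = {"bittorrent", "edonkey", "gnutella"}
HOURLY_GB_THRESHOLD = 1.0


def parse_ids(line):
    sig = re.search(r"\[IDS ALERT\] (.*?) \[TIMESTAMP\]", line).group(1)
    m = re.search(r"\[SRC\] (\S+):(\d+) -> \[DST\] (\S+):(\d+)", line)
    return {"signature": sig, "src_ip": m.group(1), "src_port": int(m.group(2)),
            "dst_ip": m.group(3), "dst_port": int(m.group(4))}


def parse_netflow(line):
    return {
        "src_ip": re.search(r"Top Talker: (\S+)", line).group(1),
        "proto": re.search(r"Protocol: (\S+)", line).group(1),
        "gb_out": float(re.search(r"Bytes Transferred: ([\d.]+) GB", line).group(1)),
        "unique_dsts": int(re.search(r"Connections: ([\d,]+)", line).group(1).replace(",", "")),
    }


def parse_fw(line):
    # "ACTION: ALLOW | RULE: Default_Outbound | APP_ID: bittorrent" -> dict of the pairs
    return dict(re.findall(r"(\w+): (\w+)", line))


def parse_auth(line):
    user = re.search(r"'([^']+)' is logged in locally", line)
    return {"user": user.group(1) if user else None,
            "local_login": user is not None,
            "remote_compromise": "No signs of remote compromise" not in line}


def classify(ids, flow, fw, auth):
    """Decide the incident category from the correlated evidence."""
    src_internal = any(ipaddress.ip_address(ids["src_ip"]) in net for net in INTERNAL_NETS)
    p2p_seen = fw.get("APP_ID", "").lower() in P2P_APP_IDS or "P2P" in ids["signature"]
    if not src_internal:
        return "External attack"        # outside source: a different response workflow
    if auth["remote_compromise"] or not auth["local_login"]:
        return "Possible compromise"    # the authorised user may not be the actor
    if p2p_seen and fw.get("ACTION") == "ALLOW":
        return "Improper Usage"         # authorised user, AUP-violating activity
    return "Unclassified"


def triage(events):
    ids, flow = parse_ids(events["ids"]), parse_netflow(events["netflow"])
    fw, auth = parse_fw(events["fw"]), parse_auth(events["auth"])
    findings = []
    if flow["gb_out"] > HOURLY_GB_THRESHOLD:
        findings.append(f"{flow['gb_out']} GB outbound in 1 h exceeds {HOURLY_GB_THRESHOLD} GB baseline")
    if fw.get("RULE") == "Default_Outbound":
        findings.append("traffic permitted by a catch-all outbound rule; egress filtering absent")
    return {"category": classify(ids, flow, fw, auth), "host": flow["src_ip"],
            "user": auth["user"], "gb_out": flow["gb_out"],
            "unique_dsts": flow["unique_dsts"], "findings": findings}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The ordering of the checks matters: a remote-access indicator in the authentication record flips the category to "Possible compromise" even though the same P2P traffic is present, which is why the defense note about RDP/SSH is part of the evidence and not an afterthought.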

CND Defense Insight: Detection vs Prevention
Relying on "Default_Outbound" allow rules is a critical weakness. Networks should employ an egress filtering strategy where only explicitly approved outbound traffic (e.g., HTTP/S, DNS) is permitted. Implementing Layer 7 Application Control on firewalls prevents users from bypassing port-based blocks by simply changing the port their unauthorized application uses.
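To make the difference between the three firewall postures concrete (catch-all allow, port-based blocking, and an egress allow-list with Layer 7 application control), here is an added example that is not part of the simulation or of any firewall vendor's configuration language. It models rules as first-match entries and evaluates the observed BitTorrent announce, the same client after moving to port 443, and two legitimate flows against each posture. The application-id names and the rule names other than Default_Outbound are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    dst_port: int
    app_id: str     # Layer 7 classification reported by the NGFW (assumed names)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "ALLOW" or "DENY"
    protos: frozenset = frozenset()      # empty set = match any
    ports: frozenset = frozenset()
    apps: frozenset = frozenset()

    def matches(self, flow):
        return ((not self.protos or flow.proto in self.protos)
                and (not self.ports or flow.dst_port in self.ports)
                and (not self.apps or flow.app_id in self.apps))


def evaluate(policy, flow):
    """First-match evaluation; the last rule in each policy is its explicit default."""
    for rule in policy:
        if rule.matches(flow):
            return rule
    raise ValueError("policy has no default rule")


P2P_APPS = frozenset({"bittorrent", "edonkey", "gnutella"})

# Weak: the simulation's catch-all, every outbound flow is permitted.
WEAK = [Rule("Default_Outbound", "ALLOW")]

# Port-based only: blocks the classic BitTorrent port range, still ends in a catch-all allow.
PORT_ONLY = [
    Rule("Block_BT_Ports", "DENY", ports=frozenset(range(6881, 6890))),
    Rule("Default_Outbound", "ALLOW"),
]

# Hardened: Layer 7 deny for P2P, explicit allow-list of approved services, default deny.
HARDENED = [
    Rule("Deny_P2P", "DENY", apps=P2P_APPS),
    Rule("Allow_Web", "ALLOW", protos=frozenset({"tcp"}), ports=frozenset({80, 443}),
         apps=frozenset({"web-browsing", "ssl"})),
    Rule("Allow_DNS", "ALLOW", protos=frozenset({"udp", "tcp"}), ports=frozenset({53}),
         apps=frozenset({"dns"})),
    Rule("Default_Deny", "DENY"),
]

# Constructed test flows: the observed announce, the same client after switching to 443,
# and two legitimate flows that must keep working.
BT_ANNOUNCE = Flow("udp", 6881, "bittorrent")
BT_ON_443 = Flow("tcp", 443, "bittorrent")
HTTPS = Flow("tcp", 443, "ssl")
DNS = Flow("udp", 53, "dns")


def decisions(policy):
    """Map each constructed flow to the action the policy takes on it."""
    return {name: evaluate(policy, f).action
            for name, f in [("bt_announce", BT_ANNOUNCE), ("bt_on_443", BT_ON_443),
                            ("https", HTTPS), ("dns", DNS)]}


if __name__ == "__main__":
    for label, policy in [("weak", WEAK), ("port_only", PORT_ONLY), ("hardened", HARDENED)]:
        print(label, decisions(policy))
```

The port-only policy shows the gap the insight describes: the client on port 443 lands on Default_Outbound and is allowed. The hardened policy denies it on the application id regardless of port, and its default-deny means any service not on the allow-list (for example web traffic on an unusual port) is dropped until it is explicitly approved. The model assumes the NGFW can classify the flow; P2P clients that encrypt or obfuscate their protocol may be reported as unknown traffic, which a default-deny posture still blocks but a permissive one would not.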
