Question 22 (practice exam 8) (additional)

Here are some flashcard questions based on the provided information:

Q: What type of data does Netflow capture about network traffic?

A: Netflow captures metadata and statistics about network traffic, rather than the full packet capture.

Q: What is the primary purpose of using Netflow in a security context?

A: Netflow can be used to analyze and identify trends, patterns, and anomalies in network traffic, which can help detect potential security incidents or threats.

Q: Which types of data would not be directly available in Netflow metadata?

A: File contents and email messages would not be directly available in Netflow metadata, as Netflow does not capture the full packet payload.

Q: What kind of information can Netflow metadata provide that could indicate potential data exfiltration?

A: Netflow metadata can provide information about the volume of data sent and received, which could indicate data exfiltration if a large amount of data is sent in a short period of time.

Q: How does the data captured by Netflow differ from a full packet capture?

A: Netflow captures metadata and statistics about network traffic, while a full packet capture captures the complete contents of the network packets, including payload data.

Q: In addition to detecting potential data exfiltration, what other security use cases can Netflow metadata be useful for?

A: Netflow metadata can be useful for identifying network traffic patterns, detecting anomalies, tracking communication with known malicious hosts, and analyzing network usage and performance.

Q: Which sources would be more appropriate than Netflow for retrieving application logs or email messages in a security investigation?

A: Application logs are typically stored locally on hosts or centralized log servers, while email messages would be available from email servers or archives, rather than Netflow metadata.