CompTIA CASP+ Exam: Network Security Incident Response

Detect Similar Attacks: Tools for Network Security Incident Response

Question

A security incident responder discovers an attacker has gained access to a network and has overwritten key system files with backdoor software.

The server was reimaged and patched offline.

Which of the following tools should be implemented to detect similar attacks?

Answers

A. Vulnerability scanner
B. Trusted Platform Module (TPM)
C. Host-based firewall
D. File integrity monitor
E. Network Intrusion Prevention System (NIPS)

Explanations

The correct answer is D. File Integrity Monitor.

Explanation:

A file integrity monitor (FIM) is a tool that tracks changes to files, directories, and other system resources by comparing their current state (typically cryptographic hashes and attributes) against a known-good baseline. When a critical system file or configuration setting is changed without authorization, the FIM detects the deviation and alerts administrators so they can take appropriate action.

In the scenario given, the attacker gained access to the network and overwrote key system files with backdoor software. The server was reimaged and patched offline to remove the malicious software, but the incident shows the need for a control that would detect the same kind of tampering if it happened again.

A vulnerability scanner (A) is a tool that identifies known vulnerabilities in software and hardware systems. It is useful for finding weaknesses before they are exploited, but it does not detect that existing system files have been overwritten, so it would not catch the attack described in the scenario.

A Trusted Platform Module (TPM) (B) is a hardware security component that stores cryptographic keys and other sensitive material. It strengthens the platform's security, but on its own it does not monitor or alert on changes to files on disk, so it is not directly applicable to detecting this type of attack.

A host-based firewall (C) is software that monitors and controls network traffic on a specific host or endpoint. It offers some protection against network-based attacks, but it inspects traffic rather than files, so it would not detect system files being replaced with backdoor software.

A Network Intrusion Prevention System (NIPS) (E) is a network security device that monitors traffic and blocks unauthorized access to a network. It can stop some network-based attacks, but it has no visibility into what is written to a server's file system, so it would not detect the file overwrites described in the scenario.

In conclusion, the most appropriate tool to implement to detect similar attacks is a file integrity monitor (D), because it detects unauthorized changes to critical system files and configuration settings.