During a routine investigation, a security team discovers that an employee is running a series of scanners against various hosts. Which method discovers these unauthorized probes most effectively?
Subscribing to a threat intelligence platform to track external hazards
Collecting and reviewing logs from external web servers for unusual connections
Deploying a decoy server that appears to host valuable services
Observing external domain name records for unusual requests
A decoy server that appears to be a critical resource attracts scans or exploitation attempts from an insider, providing clear evidence of unauthorized probes against that environment. Reviewing internal logs can be valuable but might not reveal an insider's advanced tactics if their commands blend with legitimate traffic. Monitoring external domain records concentrates on outside activity. Subscribing to a threat intelligence feed is useful for external threats but does not specifically detect unusual internal host probing.