Quiz: Network Monitoring and Traffic Analysis

A 25-question self-check on packet capture, Zeek, flow data, and the detection of beaconing, exfiltration, and lateral movement. Questions tagged [Sec+] map to CompTIA Security+ objectives and [CISSP] to (ISC)² CISSP domains. Answers and one-line explanations are at the end; attempt the whole quiz before checking.


Section 1 — Multiple choice (1 pt each)

1. [Sec+] Recording every byte of network traffic, exactly as it crosses an interface, is called: A. flow export B. full packet capture C. log normalization D. port mirroring

2. A tool that watches live traffic and writes one structured connection record per connection (plus protocol logs for DNS, TLS, HTTP) is best described as: A. a packet sniffer B. a network security monitoring platform (Zeek) C. a firewall D. a SIEM

3. [Sec+] NetFlow/IPFIX records contain all of the following EXCEPT: A. source and destination IPs B. source and destination ports C. byte and packet counts D. the payload content

4. The single most reliable network signature of command-and-control beaconing is: A. large packet sizes B. use of port 80 C. regular, repeating connection intervals D. UDP traffic

5. [CISSP] Capturing every byte of all traffic on a busy network and retaining it for a year is impractical primarily because of: A. encryption B. storage volume C. legal restrictions only D. CPU on the firewall

6. "Encryption hides the payload, not the metadata" means a defender can still see, for a TLS connection, all of the following EXCEPT: A. the destination IP and port B. the connection timing and sizes C. the decrypted application data D. the SNI hostname in the Client Hello

7. [Sec+] A host suddenly connecting to forty internal hosts on port 445 within ninety seconds most likely indicates: A. normal web browsing B. lateral movement / internal scanning C. a DNS lookup D. a backup job (always)

8. The flow-data fields that betray a beacon even with no payload are the: A. ports and protocol B. connection start times and byte counts C. TTL and checksum D. MAC addresses

9. [CISSP] A dedicated inline hardware device that passively copies every bit on a link to a monitor port with no packet loss is a: A. SPAN port B. network tap C. proxy D. load balancer

10. Compared to a network tap, a SPAN port (port mirror) primarily risks: A. modifying live traffic B. dropping mirrored packets when the switch is busy C. higher hardware cost D. encrypting the copy

11. [Sec+] Internal-to-internal traffic between two hosts inside the network is called: A. north-south traffic B. east-west traffic C. egress traffic D. broadcast traffic

12. A workstation that normally sends ~150 MB/day outbound sends 8 GB to one external IP overnight. This is the classic shape of: A. beaconing B. data exfiltration C. a DDoS attack D. ARP spoofing

13. [Sec+] Which telemetry is forwarded into the SIEM for continuous, scaled detection? A. raw full packet captures B. Zeek logs and flow records C. nothing; the SIEM captures its own D. only firewall deny logs

14. Building a network baseline from a window in which the attacker's beacon was already running causes: A. faster detection B. the beacon to be learned as "normal" and never flagged C. lower storage use D. better encryption

15. [CISSP] The discipline of continuously monitoring network telemetry to detect, investigate, and respond to threats is abbreviated: A. NDR B. EDR C. DLP D. NAC


Section 2 — True / False with justification (1 pt each)

For each, mark T or F and give a one-sentence reason.

16. [Sec+] "Because the C2 channel is encrypted, network monitoring cannot detect it."

17. "A perimeter firewall, placed at the internet edge, can detect lateral movement between two internal hosts."

18. "Full packet capture should be deployed on every link and retained for a year for total visibility."

19. [CISSP] "Flow data, despite keeping no payload, can be retained far longer and across far more of the network than full packet capture."

20. "A once-per-day beacon argues for short packet-capture retention, since you only need a few hours."


Section 3 — Short answer (2 pts each)

21. [Sec+] State the central tradeoff between full packet capture and flow data, and give one question that each is uniquely suited to answer.

22. A host's connection gaps to one destination are nearly constant at 3,600 seconds, around the clock, including overnight. Explain why this is suspicious even though every individual connection looks like normal HTTPS, and name the statistic that quantifies the suspicion.

23. [CISSP] Explain why "sensor placement determines what you can detect." Give one concrete example of a detection that fails purely because no sensor sees the relevant traffic.

24. Describe two ways an attacker evades simple volume-based exfiltration detection, and one detection strategy that counters each.


Section 4 — Applied scenario (5 pts)

25. Theo's beacon_score flags internal host 10.20.4.55 at 0.98, with ~24 daily check-ins to 198.51.100.7:443 for the past three weeks, each flow ~2 KB, including at 3 a.m. on weekends. (a) Identify the attacker behavior and the two flow fields that produced the signal. (b) Explain precisely why the endpoint agent and the firewall both allowed this. (c) Name three telemetry sources, in order, that Theo should pivot to next, and what each would add. (d) State the one gap network monitoring does not close here, and the compensating strategy.


Answer Key

1. **B** — full packet capture records every byte.
2. **B** — that is exactly Zeek's role (NSM).
3. **D** — flow keeps the 5-tuple plus counts, never payload.
4. **C** — regular repeating intervals are the beacon signature.
5. **B** — storage volume makes network-wide, long-retention full capture infeasible.
6. **C** — the decrypted application data is the one thing encryption hides.
7. **B** — fan-out to many internal hosts on an admin port is lateral movement/scanning.
8. **B** — start times (timing regularity) and byte counts (constant size) carry the beacon signal.
9. **B** — a network tap.
10. **B** — SPAN can drop mirrored packets under switch load.
11. **B** — east-west is internal-to-internal.
12. **B** — large outbound to one destination vs a small baseline is exfiltration.
13. **B** — structured Zeek/flow telemetry (and alerts) feed the SIEM; raw PCAP stays local.
14. **B** — baselining during compromise enshrines the attacker's traffic as normal.
15. **A** — Network Detection and Response.
16. **F** — encryption hides payload but not metadata (timing, size, destination, SNI); beaconing and exfiltration are detectable on metadata alone.
17. **F** — internal-to-internal (east-west) traffic never crosses a perimeter firewall, so it cannot see lateral movement.
18. **F** — full capture everywhere for a year is infeasible on storage and unnecessary; use targeted short-retention PCAP plus flow/Zeek.
19. **T** — tiny per-record flow data is cheap enough to retain network-wide for months to years.
20. **F** — a once-daily beacon argues for *long* retention, because only a long window shows the daily check-in repeating enough times to reveal the pattern.
21. Full capture keeps everything about some traffic briefly; flow keeps almost nothing about all traffic for a long time. Full capture uniquely answers "exactly what content was in this one conversation?"; flow uniquely answers "who talked to whom, how much, across the whole network, over months?"
22. The regularity itself is the tell: humans browse irregularly, while automated malware checks in on a fixed schedule regardless of whether anyone is using the machine; the low *coefficient of variation* of the inter-arrival times (the basis of `beacon_score`) quantifies it.
23. A detection can only run on data a sensor actually delivers; e.g., lateral-movement detection fails if the only sensor is on the internet uplink, because east-west traffic never reaches it — the tool is irrelevant without coverage.
24. (i) "Low-and-slow" trickle under volume thresholds → countered by *cumulative* per-destination baselines over days; (ii) covert channels such as DNS tunneling → countered by inspecting DNS query volume/entropy in Zeek's `dns.log`. (Also: blending with legitimate cloud services → countered by *per-host* baselines.)
25. (a) C2 beaconing; the signal came from the regular connection *start times* and the constant *byte counts*. (b) The endpoint saw an ordinary browser process making an ordinary TLS connection; the firewall saw allowed outbound port 443 to a clean-reputation destination — no single event was anomalous, only the weeks-long pattern. (c) Pivot order, e.g.: Zeek `conn.log` (confirm the cadence and volumes across all connections), then `ssl.log` (the destination's certificate/SNI), then `dns.log` (what name resolved to that IP and how it was obtained); optionally a short full PCAP to capture the live channel — then hand to incident response (Chapter 24). (d) Network monitoring cannot read the *encrypted payload*, so it cannot prove what commands or data flowed; the compensating strategy is metadata/behavioral analysis plus correlation with endpoint and identity telemetry in the SIEM.
**Topics to review by question (missed question → section):** 1, 5–6 → §10.2; 2, 14 → §10.3; 3, 8 → §10.4; 4, 22, 25 → §10.5 (beaconing); 7, 11, 17, 23 → §10.5–10.6 (lateral movement / sensor placement); 9–10, 13 → §10.6 (taps/SPAN/SIEM); 12, 24 → §10.5 (exfiltration); 15 → §10.6 (NDR); 18–21 → §10.4 (capture-vs-flow tradeoff).
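Questions 22 and 25 rest on the coefficient of variation of inter-arrival times. The following is an added, stand-alone Python illustration of that statistic over constructed flow records; it is not Theo's `beacon_score` from the chapter, and the 0.7/0.3 weighting of timing regularity against size regularity is an assumption of this example.

```python
import random
import statistics
from collections import defaultdict


def beacon_score(times, sizes, min_flows=8):
    """Score one (src, dst) pair from 0 to 1. A low coefficient of variation
    (CV = stdev / mean) of the gaps between connection start times, and of the
    byte counts, means machine-like regularity; 1.0 is a perfectly regular beacon."""
    if len(times) < min_flows:
        return 0.0                                  # too few flows to judge regularity
    times = sorted(times)
    gaps = [b - a for a, b in zip(times, times[1:])]
    if statistics.mean(gaps) <= 0 or statistics.mean(sizes) <= 0:
        return 0.0                                  # degenerate input (identical timestamps)
    cv_gap = statistics.pstdev(gaps) / statistics.mean(gaps)
    cv_size = statistics.pstdev(sizes) / statistics.mean(sizes)
    # Weights are an assumption of this example: timing regularity dominates.
    return max(0.0, 1.0 - 0.7 * cv_gap - 0.3 * cv_size)


def score_flows(flows):
    """Group (src, dst, start_ts, orig_bytes) records per pair and score each pair."""
    per_pair = defaultdict(lambda: ([], []))
    for src, dst, ts, nbytes in flows:
        per_pair[(src, dst)][0].append(ts)
        per_pair[(src, dst)][1].append(nbytes)
    return {pair: round(beacon_score(t, s), 3) for pair, (t, s) in per_pair.items()}


def build_sample_flows(days=3):
    """Constructed flow records (not real data): an hourly ~2 KB beacon from
    10.20.4.55 to 198.51.100.7, and irregular browsing from 10.20.4.21."""
    rng = random.Random(7)
    flows, t_beacon, t_browse = [], 0.0, 0.0
    for _ in range(24 * days):
        t_beacon += 3600 + rng.uniform(-30, 30)                    # hourly, small jitter
        flows.append(("10.20.4.55", "198.51.100.7", t_beacon, 2048 + rng.randint(-64, 64)))
        t_browse += rng.expovariate(1 / 1800)                       # bursty human gaps
        flows.append(("10.20.4.21", "203.0.113.9", t_browse, int(rng.expovariate(1 / 50000)) + 500))
    return flows


FLOW_SCORES = score_flows(build_sample_flows())

if __name__ == "__main__":
    for (src, dst), score in sorted(FLOW_SCORES.items(), key=lambda kv: -kv[1]):
        print(f"{src} -> {dst}: beacon_score={score:.3f}")
```

The hourly host scores near 1.0 because its gap CV is about 0.005, while the browsing host's near-exponential gaps push its CV toward 1 and its score toward 0.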