Security Operations

The correct answer explains that a single pane of glass solution enables correlation of events across disparate systems to identify complex attack patterns that span multiple security domains.

This is the strategic advantage because modern cyberattacks often traverse multiple environments - an attacker might compromise an endpoint, move laterally through on-premises infrastructure, and exfiltrate data through cloud services. Individual tool dashboards only show their specific domain, making it nearly impossible to see the full attack chain. A consolidated view allows security analysts to correlate seemingly unrelated events across cloud, on-premises, and endpoint environments to detect sophisticated multi-stage attacks.

The other options are incorrect for the following reasons:

The option suggesting cost reduction by replacing all existing tools misrepresents single pane of glass solutions. These platforms typically aggregate and correlate data FROM existing tools rather than replacing them. Organizations still maintain their specialized security tools; the consolidated dashboard provides unified visibility.

The option about automated remediation across all systems describes a feature that may exist in some SOAR (Security Orchestration, Automation and Response) platforms, but this is not the primary strategic advantage of consolidated monitoring. The question specifically asks about monitoring capabilities and why consolidated views are valuable.

The option claiming it eliminates the need for specialized analysts is incorrect and potentially dangerous thinking. Consolidated dashboards still require skilled analysts to interpret complex security data, investigate alerts, and make informed decisions. Simplified views do not replace the need for expertise in understanding attack techniques, threat intelligence, and incident response procedures.

Command and control communication using HTTP as a covert channel for malware beaconing is the correct answer.

The traffic characteristics described are classic indicators of Command and Control (C2) activity:

1. Base64 encoded data in User-Agent field: Attackers commonly use encoding schemes like base64 to obfuscate malicious commands or exfiltrated data within HTTP headers. The User-Agent field is a popular location for hiding C2 communications because it normally contains legitimate browser information and is often not scrutinized closely.

2. Regular beacon intervals of approximately 60 seconds: This consistent timing pattern is a hallmark of malware beaconing behavior. Compromised systems typically 'check in' with their C2 servers at regular intervals to receive commands or report status. The predictable 60-second interval is a strong indicator of automated malicious activity rather than organic user traffic.

3. HTTP as a covert channel: Malware authors frequently use HTTP because it blends in with normal web traffic and typically passes through firewalls unimpeded.

The other options are incorrect because:

• Standard browser telemetry does not typically use encoded data in the User-Agent field with such precise timing intervals. Browser telemetry uses proper API endpoints and structured data formats.

• Load balancing health checks would use dedicated health check endpoints and would not embed encoded data in User-Agent headers. They also typically occur between infrastructure components, not from endpoints to external servers.

• Legitimate software update mechanisms use standard authentication methods and APIs, not encoded data hidden in User-Agent strings. Update polling would also typically occur at longer, more variable intervals.

The correct answer involves correlating the timeline of NTLM authentications with process creation artifacts by exporting objects and cross-referencing with endpoint logs.

This approach is the most effective because Mimikatz and similar credential harvesting tools leave artifacts at the endpoint level, not within the network traffic itself. Wireshark can capture the authentication attempts resulting from credential abuse, but it cannot reveal how those credentials were obtained. By exporting relevant objects from the packet capture and correlating timestamps with endpoint logs (such as Windows Security Event logs showing process creation events like Event ID 4688), analysts can identify if Mimikatz.exe or similar tools were executed before the lateral movement activity began.

The option suggesting filtering for Kerberos AS-REQ packets to identify golden ticket usage is problematic because golden tickets are Kerberos-based attacks, and the scenario specifically describes NTLM authentication being used. Additionally, detecting golden tickets requires analyzing ticket granting tickets and service tickets, not AS-REQ patterns alone.

The option proposing SMB2 command filtering with time delta analysis to detect pass-the-hash signatures is flawed because smb2.cmd == 5 represents tree connect operations, and rapid file enumeration timing alone cannot confirm pass-the-hash attacks. This approach would show file access patterns but provides no evidence of how credentials were initially harvested.

The option about using IO Graphs to plot NTLM timing intervals for anomaly detection is a legitimate network analysis technique for identifying unusual patterns, but it cannot determine if credential harvesting tools were used. Timing analysis can show suspicious authentication behavior but cannot attribute the source of credential compromise to specific tools like Mimikatz.