GIAC Foundational Cybersecurity Technologies Practice Test


Prepare for the GIAC Foundational Cybersecurity Technologies Test. Utilize flashcards and multiple-choice questions, each with detailed hints and explanations to excel. Boost your readiness for the exam!

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!



Which packet header field is a strong indicator of data exfiltration?

  1. TCP packets in a session with varying message data sizes

  2. ICMP echo requests with varying data field sizes

  3. UDP packets with invalid checksums

  4. All packets are equal

The correct answer is: ICMP echo requests with varying data field sizes

ICMP echo requests with varying data field sizes are a strong indicator of data exfiltration because they deviate from how the protocol is normally used, and abnormalities in protocol usage can signal malicious activity. ICMP (Internet Control Message Protocol) is used mainly for network diagnostics and management, most commonly through ping (echo requests). In a standard environment the data sizes of ICMP echo requests are uniform, since they are sent for specific testing or information-gathering purposes. Echo requests whose data field sizes vary can therefore indicate information being stealthily sent out of the network. Attackers leverage ICMP for exfiltration because it can evade traditional security measures such as firewalls, where ICMP traffic may not be scrutinized as tightly as TCP or UDP traffic. The variation in data size suggests the packets carry tailored payloads meant to transfer information covertly.

The other options may highlight irregularities but do not point to data exfiltration as specifically. TCP sessions show varying message sizes by design, because segment sizes rise and fall with the data being transferred. UDP packets with invalid checksums usually indicate corruption, which points to problems in transmission rather than