Questions for the 312-38 were updated on: Dec 01, 2025
Peter works as a network administrator at an IT company. He wants to avoid exploitation of the
cloud, particularly Azure services. Which of the following is a group of PowerShell scripts designed to
help the network administrator understand how attacks happen and help them protect the cloud?
A
Explanation:
MicroBurst is a collection of PowerShell scripts designed to help network administrators understand
how attacks occur and to protect cloud environments, particularly Azure services. These scripts aid in
detecting vulnerabilities, simulating attacks, and implementing defensive measures to secure the
cloud infrastructure.
POSH-Sysmon: A set of PowerShell scripts for managing Sysmon configurations.
SecurityPolicyDsc: A module for managing security policies through Desired State Configuration
(DSC).
Sysmon: A Windows system service and device driver that logs system activity to the Windows event
log, not specifically focused on cloud protection.
Reference:
EC-Council Certified Network Defender (CND) Study Guide
Azure security documentation and MicroBurst resources
Which of the following refers to the clues, artifacts, or evidence that indicate a potential intrusion or
malicious activity in an organization's infrastructure?
B
Explanation:
Indicators of Compromise (IoCs) are clues, artifacts, or evidence that suggest a potential intrusion or
malicious activity within an organization's infrastructure. IoCs are used to identify and respond to
security breaches and can include log entries, file hashes, unusual network traffic, or specific
patterns that match known threats.
Indicators of Attack (IoA): Focus on detecting the methods and techniques used by attackers.
Key Risk Indicators: Metrics that indicate increased risk levels.
Indicators of Exposure: Signs that reveal vulnerabilities or weaknesses in the system.
Reference:
EC-Council Certified Network Defender (CND) Study Guide
Threat detection and incident response documentation
Which of the following refers to the data that is stored or processed by RAM, CPUs, or databases?
A
Explanation:
Data in Use refers to data that is actively being processed by the system, including data stored in
RAM, CPUs, or databases during computation. This data is currently in memory and being accessed
or manipulated by applications, making it vulnerable to attacks that target active processes, such as
memory scraping or CPU-based attacks.
Data at Rest: Data stored on disk or other persistent storage media.
Data in Transit: Data being transferred over a network.
Data in Backup: Data stored in backup storage for recovery purposes.
Reference:
EC-Council Certified Network Defender (CND) Study Guide
Data lifecycle and security documentation
Identify the attack signature analysis technique carried out when attack signatures are contained in
packet headers.
A
Explanation:
Atomic signature-based analysis is a technique that examines individual packets for attack signatures
contained in packet headers. This method focuses on specific, identifiable patterns or anomalies
within single packets that may indicate malicious activity. Since the attack signatures are within the
packet headers, the analysis does not need to consider the broader context of multiple packets or
sessions, making it an atomic-level inspection.
Reference:
EC-Council Certified Network Defender (CND) Study Guide
Intrusion Detection System (IDS) and attack signature analysis documentation
Which of the following indicators are discovered through an attacker's intent, their end goal or
purpose, and a series of actions that they must take before being able to successfully launch an
attack?
C
Explanation:
Indicators of attack (IoA) provide information about the attacker's intent, end goals, and the actions
they take to execute an attack. IoAs help identify the methods and behaviors an attacker uses during
the attack lifecycle. Unlike Indicators of Compromise (IoCs), which are used to detect evidence of a
breach, IoAs are proactive and help in identifying and preventing potential attacks before they occur
by analyzing the patterns and tactics used by attackers.
Key risk indicators: Metrics used to signal increased risk exposure.
Indicators of compromise: Artifacts observed on a network or in an operating system that with high
confidence indicate a computer intrusion.
Indicators of exposure: Data points or signals that reveal vulnerabilities or weaknesses that could be
exploited.
Reference:
EC-Council Certified Network Defender (CND) Study Guide
Cybersecurity frameworks and documentation on threat detection
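The two explanations above (IoCs as static artifacts, IoAs as attacker intent and behaviour) can be contrasted in code. The following is an added example, not material from the CND study guide: the indicator values, host names and event records are all constructed placeholders. `match_iocs` compares each event's artifacts against a known-bad list, while `detect_ioa` looks for a behaviour chain (account created, added to Administrators, then an outbound connection from the same host within a time window) that fires regardless of which hash, address or user name is involved.

```python
from collections import defaultdict

# Constructed indicators: placeholder values for illustration, not real threat intel.
IOC_HASHES = {"0" * 64}                      # placeholder SHA-256
IOC_IPS = {"203.0.113.45"}                   # RFC 5737 documentation address
IOC_DOMAINS = {"updates.example.invalid"}

# Constructed host telemetry: (timestamp_seconds, host, event_type, details)
EVENTS = [
    (100, "ws-01", "process", {"image": "svchost.exe", "sha256": "0" * 64}),
    (105, "ws-01", "netconn", {"dst_ip": "203.0.113.45", "dst_port": 443}),
    (200, "srv-02", "user_created", {"user": "svc_tmp"}),
    (203, "srv-02", "group_added", {"user": "svc_tmp", "group": "Administrators"}),
    (250, "srv-02", "netconn", {"dst_ip": "198.51.100.9", "dst_port": 445}),
    (900, "ws-03", "user_created", {"user": "intern"}),
    (950, "ws-03", "dns", {"query": "intranet.example.invalid"}),
]

IOA_WINDOW = 300  # seconds: the whole chain must complete within this window


def match_iocs(events):
    """IoC matching: compare static artifacts in each event against known-bad
    values. Returns (host, indicator_type, value) per hit. This is evidence of
    a compromise that already happened; a new hash or address evades it."""
    hits = []
    for _ts, host, etype, d in events:
        if etype == "process" and d.get("sha256") in IOC_HASHES:
            hits.append((host, "hash", d["sha256"]))
        elif etype == "netconn" and d.get("dst_ip") in IOC_IPS:
            hits.append((host, "ip", d["dst_ip"]))
        elif etype == "dns" and d.get("query") in IOC_DOMAINS:
            hits.append((host, "domain", d["query"]))
    return hits


def detect_ioa(events):
    """IoA detection: look for 'account created -> added to Administrators ->
    outbound connection' on one host within IOA_WINDOW seconds. The pattern
    expresses intent (persistence, elevation, movement) rather than any
    specific artifact, so it also catches tooling with no known IoC."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        by_host[ev[1]].append(ev)
    findings = []
    for host, evs in by_host.items():
        created, elevated = {}, {}          # user -> timestamp of that step
        for ts, _h, etype, d in evs:
            if etype == "user_created":
                created[d["user"]] = ts
            elif etype == "group_added" and d.get("group") == "Administrators":
                u = d["user"]
                if u in created and ts - created[u] <= IOA_WINDOW:
                    elevated[u] = ts
            elif etype == "netconn":
                for u, t_el in list(elevated.items()):
                    if ts - t_el <= IOA_WINDOW:
                        findings.append((host, u))
                        del elevated[u]    # report each chain once
    return findings


if __name__ == "__main__":
    print("IoC hits:", match_iocs(EVENTS))      # ws-01: known hash and IP
    print("IoA findings:", detect_ioa(EVENTS))  # srv-02: behaviour chain
```

Note that `ws-03` creates a user but never completes the chain, so it produces no IoA finding, and `srv-02` produces an IoA finding although none of its artifacts appear in any IoC list.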
How can one identify the baseline for normal traffic?
B
Explanation:
In TCP/IP networking, establishing a connection typically starts with a SYN (synchronize) flag and
ends with a FIN (finish) flag. This is part of the normal TCP three-way handshake and connection
termination process:
SYN (Synchronize): Initiates a connection.
SYN-ACK (Synchronize-Acknowledge): Acknowledges the SYN and responds with a SYN.
ACK (Acknowledge): Acknowledges the SYN-ACK, establishing the connection.
FIN (Finish): Terminates the connection.
Observing a SYN flag at the beginning and a FIN flag at the end of the connection indicates a normal,
properly terminated TCP session, establishing a baseline for normal traffic patterns.
Reference:
EC-Council Certified Network Defender (CND) Study Guide
TCP/IP protocol suite documentation
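The SYN-to-FIN baseline described above can be checked mechanically. The block below is an added example, not from the CND study guide; the packet records are constructed. It groups packets into sessions by their endpoint pair, verifies that each session opens with a three-way handshake and closes with a FIN from both sides, and reports the share of sessions that fit the baseline. Sessions that are half-open, reset, or seen without a SYN are the deviations a defender would investigate.

```python
from collections import defaultdict

# Constructed packet records: (src_ip, src_port, dst_ip, dst_port, tcp_flags)
PACKETS = [
    # normal session: handshake, data, orderly teardown from both sides
    ("10.0.0.5", 51000, "10.0.0.9", 80, "S"),
    ("10.0.0.9", 80, "10.0.0.5", 51000, "SA"),
    ("10.0.0.5", 51000, "10.0.0.9", 80, "A"),
    ("10.0.0.5", 51000, "10.0.0.9", 80, "PA"),
    ("10.0.0.9", 80, "10.0.0.5", 51000, "PA"),
    ("10.0.0.5", 51000, "10.0.0.9", 80, "FA"),
    ("10.0.0.9", 80, "10.0.0.5", 51000, "FA"),
    ("10.0.0.5", 51000, "10.0.0.9", 80, "A"),
    # half-open: a SYN that is never completed
    ("10.0.0.7", 40001, "10.0.0.9", 443, "S"),
    # session aborted with RST after the handshake
    ("10.0.0.8", 40002, "10.0.0.9", 22, "S"),
    ("10.0.0.9", 22, "10.0.0.8", 40002, "SA"),
    ("10.0.0.8", 40002, "10.0.0.9", 22, "A"),
    ("10.0.0.8", 40002, "10.0.0.9", 22, "R"),
    # mid-stream traffic whose SYN the sensor never saw
    ("10.0.0.6", 40003, "10.0.0.9", 80, "PA"),
    ("10.0.0.6", 40003, "10.0.0.9", 80, "FA"),
]


def session_key(src, sport, dst, dport):
    """Direction-independent key for a TCP session: the sorted endpoint pair."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def classify_sessions(packets):
    """Return {session_key: verdict} where verdict is one of
    'normal', 'half-open', 'reset', 'open' or 'no-handshake'."""
    flows = defaultdict(list)
    for src, sport, dst, dport, flags in packets:
        flows[session_key(src, sport, dst, dport)].append(((src, sport), flags))
    verdicts = {}
    for key, pkts in flows.items():
        flags = [f for _, f in pkts]
        if any("R" in f for f in flags):
            verdicts[key] = "reset"
            continue
        if flags[0] != "S":
            verdicts[key] = "no-handshake"      # first packet is not a pure SYN
            continue
        handshake_done = (len(flags) >= 3 and "S" in flags[1]
                          and "A" in flags[1] and "A" in flags[2])
        if not handshake_done:
            verdicts[key] = "half-open"
            continue
        fin_senders = {ep for ep, f in pkts if "F" in f}
        verdicts[key] = "normal" if len(fin_senders) == 2 else "open"
    return verdicts


def baseline_ratio(packets):
    """Fraction of observed sessions that match the SYN-start / FIN-end baseline."""
    verdicts = classify_sessions(packets)
    return sum(1 for v in verdicts.values() if v == "normal") / len(verdicts)


if __name__ == "__main__":
    for key, verdict in classify_sessions(PACKETS).items():
        print(key, "->", verdict)
    print("baseline ratio:", baseline_ratio(PACKETS))
```

On a healthy network the `normal` share dominates; a sudden rise in `half-open` or `no-handshake` sessions is the kind of deviation from baseline that warrants a closer look.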
Ryan works as a network security engineer at an organization that recently suffered an attack. As a
countermeasure, Ryan would like to obtain more information about the attacker and chooses to
deploy a honeypot called Kojoney into the organization's production environment. Using this
honeypot, he would like to emulate the network vulnerability that was attacked previously. Which
type of honeypot is he trying to implement?
D
Explanation:
A low-interaction honeypot, like Kojoney, is designed to emulate specific network vulnerabilities and
gather information about attackers without providing a full-fledged operating environment. These
honeypots are typically easier to deploy and maintain compared to high-interaction honeypots. They
simulate certain services and responses to attract attackers, allowing the network security team to
gather data on attack patterns, tools, and methodologies used by the attackers. This information is
crucial for understanding the attack and improving defenses.
High-interaction honeypots: Provide a complete environment that can fully engage with attackers,
offering more detailed insights but also posing higher risks.
Pure honeypots: Essentially full-scale, unmodified systems that an attacker interacts with.
Research honeypots: Used primarily for gathering information for research purposes, often involving
high-interaction setups.
Reference:
EC-Council Certified Network Defender (CND) Study Guide
Honeypot deployment and management documentation
Leslie, the network administrator of Livewire Technologies, has been recommending multilayer
inspection firewalls to deploy in the company’s infrastructure. What layers of the TCP/IP model can
they protect?
B
Explanation:
Multilayer inspection firewalls, also known as Next-Generation Firewalls (NGFWs), are designed to
provide comprehensive security by inspecting traffic across multiple layers of the TCP/IP model.
These firewalls offer protection at the:
Application Layer: They can analyze and filter traffic based on application-level protocols and
payloads, such as HTTP, FTP, and DNS, providing protection against application-specific attacks.
Transport Layer (TCP): They inspect the transport layer to monitor and control TCP/UDP traffic,
preventing threats such as port scans and DoS attacks.
Internet Layer (IP): They filter and monitor IP packets, enforcing security policies based on IP
addresses and ensuring protection against IP-level attacks like IP spoofing.
By operating at these layers, multilayer inspection firewalls provide a robust defense mechanism
against a wide range of network threats.
Reference:
EC-Council Certified Network Defender (CND) Study Guide
Documentation on Next-Generation Firewalls and their functionalities
Which of the following refers to a potential occurrence of an undesired event that can eventually
damage and interrupt the operational and functional activities of an organization?
C
Explanation:
A threat refers to a potential occurrence of an undesired event that can damage and interrupt the
operational and functional activities of an organization. It represents a possible danger that could
exploit vulnerabilities to harm the organization’s assets.
Attack: An attempt to exploit a vulnerability to cause harm.
Risk: The potential for loss or damage when a threat exploits a vulnerability.
Vulnerability: A weakness that can be exploited by a threat to cause harm.
In this context, a threat is the potential occurrence of an event that can cause damage, whereas an
attack is the actual occurrence, risk is the measure of the likelihood and impact of the threat, and a
vulnerability is the weakness that the threat could exploit.
Reference:
EC-Council Certified Network Defender (CND) Study Guide
Information Security Risk Management documentation
Which of the following connects the SDN controller and SDN networking devices and relays
information from network services to network devices such as switches and routers?
C
Explanation:
In Software Defined Networking (SDN), APIs are used to manage the communication between
different components of the network. The Southbound API connects the SDN controller to the
networking devices such as switches and routers, enabling the controller to send instructions to the
network devices and gather data from them. This API is essential for the controller to enforce policies
and ensure the proper functioning of the network infrastructure.
The other APIs are:
Northbound API: Interfaces between the SDN controller and the applications running on the
network.
Eastbound API and Westbound API: Generally used for communication between different SDN
controllers or other similar systems.
Reference:
EC-Council Certified Network Defender (CND) Study Guide
SDN architecture documentation
Which command lists all ports available on a server?
D
Explanation:
The netstat command is used to display network connections, routing tables, interface statistics,
masquerade connections, and multicast memberships. To list all ports available on a server, including
both TCP and UDP, along with the listening state and associated program names, the -tunlp options
are used:
-t shows TCP ports.
-u shows UDP ports.
-n displays addresses and port numbers in numerical form.
-l shows only listening sockets.
-p shows the PID and name of the program to which each socket belongs.
Therefore, the command sudo netstat -tunlp effectively lists all ports available on a server with
detailed information.
Reference:
EC-Council Certified Network Defender (CND) Study Guide
Linux netstat command documentation
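The option breakdown above is easier to act on once the command's output is parsed rather than read by eye. The following is an added example, not from the CND study guide: it parses a constructed sample of `netstat -tunlp` output into structured listeners and separates sockets bound to every interface from those bound only to localhost. The sample deliberately includes a UDP line (which has no State column) and a line whose PID/Program shows `-`, as netstat prints for processes it lacks the privilege to inspect, which is why the command is normally run with `sudo`.

```python
from collections import namedtuple

# Constructed sample of `netstat -tunlp` output (not captured from a real host).
SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1043/mysqld
tcp6       0      0 :::80                   :::*                    LISTEN      1201/apache2
udp        0      0 0.0.0.0:68              0.0.0.0:*                           655/dhclient
udp6       0      0 :::5353                 :::*                                410/avahi-daemon
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      -
"""

Listener = namedtuple("Listener", "proto addr port pid program")


def parse_netstat(output):
    """Parse netstat -tunlp lines into Listener records.

    Splitting on whitespace is safe here because the Local Address column
    never contains spaces; the PID/Program column is always last, so the
    missing State column on UDP lines does not shift it."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith(("tcp", "udp")):
            continue                         # header or banner line
        proto, local, pidprog = fields[0], fields[3], fields[-1]
        addr, port = local.rsplit(":", 1)    # rsplit keeps IPv6 '::' intact
        if pidprog == "-":
            pid, program = None, None        # not visible without privilege
        else:
            pid_text, program = pidprog.split("/", 1)
            pid = int(pid_text)
        listeners.append(Listener(proto, addr, int(port), pid, program))
    return listeners


def exposed_listeners(listeners):
    """Listeners bound to all interfaces (0.0.0.0 or ::), i.e. reachable from
    the network, as opposed to loopback-only services."""
    return [l for l in listeners if l.addr in ("0.0.0.0", "::")]


if __name__ == "__main__":
    for l in parse_netstat(SAMPLE):
        print(l)
    print("network-reachable ports:",
          sorted(l.port for l in exposed_listeners(parse_netstat(SAMPLE))))
```

Comparing the `exposed_listeners` result against the list of services a server is supposed to offer is a quick way to spot an unexpected listener; entries with `pid is None` are a reminder to re-run the command with `sudo` before drawing conclusions.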
Clement is the CEO of an IT firm. He wants to implement a policy allowing employees with a
preapproved set of devices from which the employees choose devices (laptops, smartphones, and
tablets) to access company data as per the organization's access privileges. Which among the
following policies does Clement want to enforce?
C
Explanation:
Choose Your Own Device (CYOD) policy allows employees to select from a preapproved list of devices
to access company data. This approach provides the organization with control over which devices are
used, ensuring compatibility and security while giving employees some flexibility in their choice of
devices. The CYOD policy:
Balances security and employee satisfaction.
Ensures devices meet company standards and security requirements.
Reduces the risk associated with a wide variety of personal devices.
In contrast:
BYOD (Bring Your Own Device) policy allows employees to use their personal devices, which can be
harder to secure.
COPE (Corporate-Owned Personally Enabled) policy provides employees with company-owned
devices that they can use for personal tasks.
COBO (Corporate-Owned Business Only) policy restricts device use to business purposes only,
providing the highest level of control but limiting employee flexibility.
Reference:
EC-Council Certified Network Defender (CND) Study Guide
Mobile Device Management (MDM) and CYOD Policies
Assume that you are working as a network defender at the head office of a bank. One day a bank
employee informed you that she is unable to log in to her system. At the same time, you get a call
from another network administrator informing you that there is a problem connecting to the main
server. How will you prioritize these two incidents?
B
Explanation:
Prioritizing incidents based on their potential technical effect ensures that the most critical issues are
addressed first, minimizing the impact on the organization's operations. In this scenario:
An inability to connect to the main server could indicate a network-wide issue that affects many
users and services, potentially disrupting key operations.
A single employee unable to log in, while important, is typically less critical compared to a
network-wide server issue.
By assessing the potential technical effect, Byron can determine that resolving the main server
connectivity issue should take precedence over the individual login problem. This approach helps
maintain the overall health and functionality of the network.
Reference:
EC-Council Certified Network Defender (CND) Study Guide
Incident Management Best Practices
Byron, a new network administrator at the FBI, would like to ensure that the Windows PCs there are
up-to-date and have fewer internal security flaws. What can he do?
C
Explanation:
To ensure that Windows PCs are up-to-date and have fewer internal security flaws, Byron should
focus on regularly applying the latest security patches and updates. This can be achieved by:
Downloading and installing the latest patches: Ensures that any vulnerabilities identified in the
operating system and applications are fixed promptly.
Enabling Windows Automatic Updates: Automates the process of checking for and installing updates,
ensuring that PCs are always protected with the most current security measures.
Regularly updating the system helps in closing security loopholes that could be exploited by
attackers. Antivirus software and turning off unnecessary services (Option A) are also important, but
they do not address the critical need for regular patching. Centrally assigning group policies (Option
B) is useful for managing security settings but does not directly address updating and patching.
Dedicating a partition and formatting with NTFS (Option D) is unrelated to keeping systems
up-to-date.
Reference:
EC-Council Certified Network Defender (CND) Study Guide
Microsoft Windows Update Documentation
The mechanism works on the basis of a client-server model.
B
Explanation:
In a pull-based mechanism, the client initiates the request to the server to fetch data or services. This
model contrasts with the push-based mechanism, where the server initiates the data transfer to the
client without a specific request.
In the context of network security and data transfer:
Pull-based mechanisms allow clients to request updates or data as needed, giving them control over
the timing and frequency of the requests.
This model is commonly used in content delivery networks (CDNs), software updates, and various
client-server applications where clients need to periodically check for new information or updates.
Reference:
EC-Council Certified Network Defender (CND) Study Guide
Client-Server Model Documentation and Examples