Chapter 94 · Tricks

Monitoring Data — Exam Tricks

Four high-yield patterns and three practice scenarios: the SFC vs. Tripwire platform rule, mapping DLP data states to scenarios in under five seconds, why endpoint DLP is the answer for remote workers, and identifying the correct DLP type from a real-world incident description.

Trick 1 SFC vs. Tripwire — Platform Is the Only Differentiator

The exam will describe a FIM requirement and ask which tool to use. The answer is purely determined by the operating system in the scenario:

  • Windows → SFC (System File Checker). Built-in. Run with sfc /scannow. Scans and auto-restores protected OS files. On-demand.
  • Linux → Tripwire. Creates cryptographic hash baselines. Supports real-time monitoring. Alerts on any file change.

There are no cross-platform gotchas: SFC does not run on Linux, Tripwire is not a Windows system tool. If the question says Windows and asks for FIM, the answer is SFC. If the question says Linux and asks for FIM with real-time alerting or hash baselines, the answer is Tripwire.

Common distractor to reject: “Windows Defender” or “Group Policy” as file integrity tools. Windows Defender is antivirus/EDR, not FIM. Group Policy enforces configuration settings, not file hash baselines.

Also know: Host-based IPS (HIPS) can include FIM as an integrated feature. If the question mentions a host-based IPS performing FIM, that is a valid deployment model — the HIPS runs on the OS and has direct access to all file system activity.

Rule: Windows FIM = SFC (built-in, on-demand, auto-repair). Linux FIM = Tripwire (cryptographic baselines, real-time alerting). Platform determines tool — no overlap.
Trick 2 Three DLP Data States — Map the Scenario in Five Seconds

The exam describes a DLP scenario and asks which data state applies. The mapping is determined by one question: where is the data right now?

  • Being processed, copied, printed, or transferred on a deviceData in use → Endpoint DLP
  • Moving across a network, being uploaded or downloadedData in motion → Network DLP (inline appliance or cloud service)
  • Sitting on a server, database, or storage systemData at rest → Storage DLP (scanning agent on the server)

Exam trigger phrases and their mapping:

  • “A user copies a file to a USB drive” → data in use (being copied) → endpoint DLP
  • “An employee uploads a file to Dropbox” → data in motion (traversing the network) → network or cloud DLP
  • “SSNs found in a public file share on the file server” → data at rest (stored, not moving) → storage DLP
  • “An email attachment contains sensitive data” → data in motion (email traverses the network) → email DLP (a network DLP variant)
Rule: In use = on the device being processed. In motion = traversing a network. At rest = stored on a disk/server. Ask “where is it right now?” and the state maps immediately.
Trick 3 Remote Workers & Offline Devices — The Answer Is Always Endpoint DLP

The exam’s most common DLP trap: a scenario involving a remote worker, a traveling employee, or a laptop that is not connected to the corporate network. Candidates incorrectly choose network DLP or cloud DLP because those seem like broader solutions.

Why network DLP fails for offline/remote scenarios:

  • Network DLP sits on the network. If the device is not generating network traffic (USB copy, printing, local clipboard), there is nothing for the network DLP to inspect.
  • A device on home Wi-Fi or a coffee shop network is not routing through the corporate DLP appliance.

Why cloud DLP fails for offline scenarios:

  • Cloud DLP is positioned between the user and the internet. If the activity is local (USB copy, local printing, local file access), no internet traffic is generated and cloud DLP sees nothing.

Why endpoint DLP succeeds:

  • The agent runs directly on the operating system. Every file operation, USB transfer, print job, and clipboard event passes through the OS kernel — the agent monitors all of it regardless of network state.
  • Policies are stored locally on the device. An offline device still enforces whatever policy was last pushed to it.

Exam scenario: “An employee works from home without VPN and copies a sensitive file to a USB drive.” The only DLP type that catches this is endpoint DLP.

Rule: Remote worker + offline device + local data operation = endpoint DLP. Network DLP and cloud DLP require network traffic to function. No network traffic = no inspection for them.
Trick 4 Identify the Incident — DLP Type from the Real-World Story

The exam uses two specific real-world incidents to test DLP knowledge. Knowing the story maps directly to the DLP concept being tested:

2008 US DoD agent.btz incident:

  • Worm spread via infected USB drive
  • Spread to classified and unclassified networks
  • Response: banned all USB storage; deployed endpoint DLP agents with USB blocking
  • Ban lifted February 2010
  • Tests: USB blocking, endpoint DLP, data in use, removable media risk

2016 Boeing spreadsheet incident:

  • Employee emailed spreadsheet template to spouse
  • Hidden columns contained SSNs and PII of 36,000 employees
  • Boeing sold its own DLP software but did not use it internally for this data
  • Tests: outbound email DLP, data in motion, attachment scanning, accidental data leakage

The exam question patterns:

  • USB + DoD + worm + 2008 → agent.btz; endpoint DLP USB blocking
  • Email + spreadsheet + hidden data + 36,000 employees → Boeing; outbound email DLP
  • “What would have prevented the Boeing incident?” → outbound email DLP scanning attachments for SSN patterns
Rule: DoD 2008 = USB blocking via endpoint DLP (agent.btz worm). Boeing 2016 = outbound email DLP scanning attachments (hidden spreadsheet columns with SSNs). Match incident to control instantly.
Practice Scenarios
Scenario A: A security operations team receives an alert that a critical web server may have been compromised. The investigation reveals that the Apache binary at /usr/sbin/apache2 and the /etc/sudoers file have both been modified since the last known-good baseline. The team also notices the server is running Linux. What technology generated this alert, what tool is likely responsible, and what should the team investigate next based on the specific files that changed?
Answer: The alert was generated by File Integrity Monitoring (FIM). On Linux, the most likely tool is Tripwire, which maintains cryptographic hash baselines of monitored files and alerts when any deviation is detected. Tripwire hashed both files at the last known-good baseline and recomputed hashes at the next monitoring interval; the hashes no longer matched, triggering the alert. The two specific file changes indicate two different post-compromise actions: The Apache binary modification suggests the attacker replaced the legitimate web server binary with a trojanized version. This could hide malicious activity (rootkit behavior), add a backdoor, or exfiltrate data through web server channels. The team should compare the current binary hash against a trusted source, determine when the modification occurred, and analyze what the new binary does. The /etc/sudoers modification is more immediately concerning. This file controls who has sudo (administrator) privileges on the system. An attacker modifying sudoers is almost certainly attempting privilege escalation — adding their compromised user account to the sudoers list to gain root access. The team should immediately review what changes were made, identify which account now has elevated privileges, and revoke those privileges while preserving a forensic image for investigation.
Scenario B: A financial services company has three DLP challenges to address simultaneously: (1) employees working from home are copying customer account files to personal USB drives; (2) the network analysis team found SSNs leaving the corporate network in unencrypted HTTP traffic to an external server; (3) a compliance scan revealed that credit card numbers are stored in plain text in files on a development server in a public share. For each challenge, identify the data state, the appropriate DLP type to address it, and where that DLP would be deployed.
Answer: Challenge 1 — USB copying at home. Data state: data in use (the file is being actively copied to a USB device on the endpoint). DLP type: endpoint DLP (agent-based). Deployment: a DLP agent installed on every employee laptop, enforcing USB block or restrict policies locally. This works even when employees are at home because the agent runs on the OS independent of network connection. Network DLP cannot see this activity because no network traffic is involved in a USB transfer. Challenge 2 — SSNs leaving in network traffic. Data state: data in motion (information actively traversing the network toward an external destination). DLP type: network DLP. Deployment: an inline DLP appliance or NGFW-integrated DLP module positioned at the network perimeter, inspecting outbound traffic. The DLP applies a pattern match for SSN formats (###-##-####) to packet payloads; when the pattern is detected in outbound HTTP, the traffic is blocked and an alert is generated. Challenge 3 — Credit card numbers in files on a server. Data state: data at rest (information stored on a file server, not currently in motion or in use). DLP type: storage DLP (data-at-rest scanning). Deployment: a scanning agent on the development server or a storage DLP solution with network access to the share. The scanner reads files in the public share and searches for credit card number patterns (Luhn-algorithm-valid 16-digit numbers). When found, it flags the files and alerts the compliance team for remediation (encrypt, move, or delete).
Scenario C: A healthcare organization employs 5,000 staff across hospitals, clinics, and remote home-office workers. The security team needs to prevent transmission of patient Protected Health Information (PHI) through three vectors simultaneously: employees emailing PHI to personal addresses, employees uploading PHI to personal cloud storage while working remotely, and clinical staff copying patient records to USB drives at hospital workstations. The organization has budget for two DLP solutions. Which two DLP types cover all three scenarios, and how does each one address the specific vectors?
Answer: The two DLP solutions that cover all three vectors are endpoint DLP and cloud-based DLP (which includes email DLP as an integrated capability). Endpoint DLP addresses two of the three vectors directly. For USB copying at hospital workstations: the DLP agent installed on each clinical workstation enforces USB blocking or restriction policies at the OS level. When clinical staff attempt to copy patient records to USB drives, the agent detects the file type and content patterns for PHI and blocks the transfer. For remote employees uploading PHI to personal cloud storage when not connected via VPN: the endpoint DLP agent runs locally and can monitor and block file uploads from the device using browser extension integration or application-layer monitoring. Even without a network connection to the corporate infrastructure, the agent enforces policy. Cloud-based DLP (with integrated email DLP) addresses email exfiltration and provides a second layer of coverage for cloud uploads. For employees emailing PHI to personal addresses: the cloud DLP proxy or email gateway scans all outbound email — both body and attachments — for PHI patterns (patient names, dates of birth, medical record numbers, diagnosis codes). When detected, the email is blocked or quarantined before delivery. For remote employees uploading to personal cloud storage through a browser: cloud DLP sits between users and the internet and inspects upload traffic for PHI content, blocking uploads to unauthorized cloud services. Together, endpoint DLP (offline/local enforcement) and cloud DLP (network-layer enforcement for internet-bound traffic) provide comprehensive coverage for remote workers, hospital staff, and email channels without requiring a separate on-premises network DLP appliance at every site.