A security analyst is responding to a malware incident at a company. The malware connects to a command-and-control server on the internet in order to function. Which of the following should the security analyst implement first?
Adding an IP-based firewall rule is a lot quicker than looking at the network structure to modify it. B: first you add a quick firewall rule to block the malicious command-and-control IP, then you make network segmentation changes for future-proofing.
Network segmentation IS NOT the same as containment OR isolation. It isn't a defense tactic; it's a network architecture setup for a performance boost, amongst other things, but it isn't isolation from the rest of the network.
In the context of CompTIA, "segment" and "containment" might refer to different concepts. "Segment" could relate to dividing networks for security or organizational purposes, while "containment" often refers to isolating threats within a network to prevent their spread. They're related but not necessarily synonymous.
Yes, from ChatGPT, but we're confusing segmentation and containment, I think. Segmentation, containment and isolation all have different meanings when referring to CompTIA. Confusing, I know.
In order to stop the attack, you first need to B, implement firewall rules. After that you can A, segment the network to make it even harder to access command and control.
Implementing IP-based firewall rules can immediately help block traffic to and from known malicious IP addresses associated with the command-and-control servers. This action effectively cuts off the malware's ability to receive commands or exfiltrate data, thus containing the infection.
The question explained that it is connecting to a command and control. If the question were asking how you would stop the spread on the network, it'd be A, but since the emphasis was on the command and control, it's B.
The most effective and immediate action to take in this scenario is B. IP-based firewall rules. By quickly implementing firewall rules to block the known IP addresses of the C&C server, the security analyst can effectively stop the malware from communicating with its external controllers, thus mitigating the threat. This action directly addresses the most urgent need: stopping the malware's active threat to the network.
B. You can verify in Professor Messer's class on bots. The link is below along with the last sentence:
"You can often identify an active infection by scanning an on-demand anti-malware scan and watching the network for any unusual traffic patterns. And if you know the type of network flows that will be used for the command and control, you can block that at the firewall or with an IPS or firewall at the workstation level."
https://www.professormesser.com/security-plus/sy0-601/sy0-601-video/bots-and-botnets-2/
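The Messer quote above boils down to two steps: spot the C2 flow in the network traffic, then block it at the perimeter firewall or on the workstation. The following is an added example that is not part of the forum thread or the Messer material. It works over constructed connection-log lines (the C2 address 203.0.113.45 and the hosts 10.0.0.7 and 198.51.100.10 are made up, from documentation address ranges), flags the flow whose connections recur at a near-constant interval (beaconing), and emits the IP-based block rules for Linux iptables and the Windows host firewall (netsh). The thresholds min_conns and max_jitter are assumptions, not values from the page.

```python
"""Beacon detection over constructed connection records, followed by
generation of IP-based block rules. Added example, not code from the
forum thread. The sample log and the C2 address 203.0.113.45 are
constructed (TEST-NET ranges); thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: "timestamp src dst dport" per line. 10.0.0.7 checks in
# with 203.0.113.45 exactly every 60 s; traffic to 198.51.100.10 is irregular.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.7 203.0.113.45 443
2024-05-01T10:00:01 10.0.0.7 198.51.100.10 443
2024-05-01T10:01:00 10.0.0.7 203.0.113.45 443
2024-05-01T10:02:00 10.0.0.7 203.0.113.45 443
2024-05-01T10:02:30 10.0.0.7 198.51.100.10 443
2024-05-01T10:03:00 10.0.0.7 203.0.113.45 443
2024-05-01T10:04:00 10.0.0.7 203.0.113.45 443
2024-05-01T10:04:17 10.0.0.7 198.51.100.10 443
2024-05-01T10:05:00 10.0.0.7 203.0.113.45 443
2024-05-01T10:05:45 10.0.0.7 198.51.100.10 443
"""


def parse_log(text):
    """Parse the constructed log into (datetime, src, dst, dport) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return records


def find_beacons(records, min_conns=5, max_jitter=0.2):
    """Return {(src, dst, dport): mean_interval_seconds} for flows whose
    inter-connection gaps are nearly constant. A flow with at least
    min_conns connections and a coefficient of variation (stdev / mean)
    of the gaps at or below max_jitter is treated as a C2 beacon."""
    flows = defaultdict(list)
    for ts, src, dst, dport in records:
        flows[(src, dst, dport)].append(ts)
    beacons = {}
    for key, times in flows.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = avg
    return beacons


def block_rules(c2_ips):
    """Perimeter (iptables FORWARD chain) and workstation (netsh) rules that
    block both directions for each C2 IP. The rules are inserted at the top
    of the chain so they win over any later ACCEPT, and a LOG rule sits in
    front of the outbound DROP so blocked attempts still reveal which
    internal hosts are infected."""
    rules = []
    for ip in sorted(c2_ips):
        rules += [
            f"iptables -I FORWARD -d {ip} -j LOG --log-prefix 'C2-BLOCK '",
            f"iptables -I FORWARD 2 -d {ip} -j DROP",
            f"iptables -I FORWARD -s {ip} -j DROP",
            f'netsh advfirewall firewall add rule name="C2 block {ip}" '
            f"dir=out action=block remoteip={ip}",
        ]
    return rules


if __name__ == "__main__":
    beacons = find_beacons(parse_log(SAMPLE_LOG))
    for (src, dst, dport), interval in beacons.items():
        print(f"beacon: {src} -> {dst}:{dport} every {interval:.0f}s")
    for rule in block_rules({dst for (_, dst, _) in beacons}):
        print(rule)
```

Run as written and the only flagged flow is 10.0.0.7 to 203.0.113.45:443 at a 60 s interval; the four printed rules are what the analyst would push to the firewall and the endpoint. The IP block is the quick containment step the thread is arguing for, and its limit is also visible here: it only covers the one address seen in the log, so malware that rotates C2 addresses needs the segmentation or sinkhole changes discussed further down to hold it long-term.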
If we follow the Incident Response Process:
1) Preparation - hardening
2) Identification - detection
3) Containment :)
4) Eradication
5) Recovery
6) Lessons Learned
Performing containment involves isolating or segregating the affected servers and resources to prevent further unauthorized access or data exfiltration.
This can be done by disconnecting the compromised systems from the network, disabling their access to sensitive data or critical resources, or implementing network segmentation to isolate the affected parts of the infrastructure.
After an incident is identified, containment is the first step. CompTIA defines containment as either isolation-based or segmentation-based:
Isolation-based containment is "making sure that there is no longer an interface between the affected component and your production network or the Internet." (Section 17C). Segmentation-based containment is specifically mentioned as being a tactic against an established C&C channel. "As opposed to completely isolating the hosts, you might configure the protected segment as a sinkhole or honeynet and allow the attacker to continue to receive filtered (and possibly modified) output over the C&C channel to deceive him or her into thinking the attack is progressing successfully." (Section 17C).
I don't believe any of the answer choices besides Network Segmentation (A) allows for containment of the incident. IP-based firewall rules and content filters are undoubtedly configuration changes to be implemented to prevent future/ongoing communication, but they would not take priority over containment.
I have to agree with you. The incident response plan says preparation, identification, containment, eradication, lessons learned; thus network segmentation is under containment, and the IP firewall rules would fall after that, in the eradication of future instances.
Community vote distribution: A (35%), C (25%), B (20%), Other