Exam CS0-003 topic 1 question 173 discussion

I would go with C too as sandboxing is the only 'mitigating control' from the given options. The rest look to me as 'preventive controls'.

Updating the application blocklist can immediately block the ransomware binaries on the rest of systems, making it the best option to mitigate the effects of a materialized ransomware attack.

How would sandboxing mitigate the damage of an active threat that the AV missed? Updating the blocklist seems the most logical solution to me.

If it's already on the system and has bypassed the AV, putting it on the application blocklist would prevent the system from executing it.

From Study Guide page 195: Sandboxing for Malware Analysis The nature of modern malware means that signature-based tools are less likely to block execution automatically. Manual analysis of malware can provide intelligence that identifies wider IoCs, which can inform the development of custom signatures, IDS rules, and behavior-based rulesets for EDR solutions. Malware analysis must take place in a controlled environment to mitigate intrusion and data breach risks during the analysis process. The begining of the paragraph describes what happens in this question, and it is also mentioned at the end that sandboxing is used for mitigation.

If a ransomware attack has already made it past the company antivirus. Implementing vulnerability management during a ransomware attack or installing a firewall doesn't seem to be the best option. Sandboxing might stop some lateral movement but doesn't guarantee it will mitigate the programs ability to run on other machines. Finding the ransomware program and adding it to an application block list ensures the application can't run / move laterally. Which will mitigate an active attack, instead of hoping a sandbox will stop it. Which it won't.

This is one of those questions where all the answers seem not good enough. All of these measures are preventative when we're looking for corrective measures when the problem is already there.

So actually this question is rhetorical and wants to know what the company should have done to prevent a future event of a ransomware attack.

I’m thinking in term of prioritising isolation/containment first. Blocking the malware from running on other still clean systems would limit the damage. But I could argue that running a sandbox to better understand the malware to block it better is also reasonable. But that cost more time, so I’m going with D. Feeling almost 50/50 between them.

pdating the application blocklist directly addresses and contains the active ransomware, preventing its execution and reducing its impact.

I believe sandbox is strictly for testing

The best option to mitigate the effects of a new ransomware attack that was not properly stopped by the company's antivirus would be: C. Deploy sandboxing. Sandboxing allows you to run potentially malicious files or programs in an isolated environment where they cannot affect the rest of the system. This way, even if ransomware manages to get past the antivirus, its ability to cause harm would be limited to the sandboxed environment.

While options like installing a firewall (A), implementing vulnerability management (B), and updating the application blocklist (D) are important security measures, they may not directly address the immediate threat posed by the ransomware attack. Sandboxing provides a proactive defense mechanism specifically designed to detect and mitigate the effects of malware, including ransomware, by analyzing its behavior in a controlled environment.

B. Implement vulnerability management. This is because vulnerability management is a process of identifying, assessing, and remediating security weaknesses in systems and applications that could be exploited by malicious actors1. By implementing vulnerability management, an organization can reduce the attack surface and prevent ransomware from spreading or encrypting more data.

Sandboxing seems like the best answer here, it's the only post infection persciption from what I can see. We need to mitigate it after it already beat the firewall making the other options questionable.