
Exam CS0-002 topic 1 question 29 discussion

Actual exam question from CompTIA's CS0-002
Question #: 29
Topic #: 1

A company is experiencing a malware attack within its network. A security engineer notices many of the impacted assets are connecting outbound to a number of remote destinations and exfiltrating data. The security engineer also sees that deployed, up-to-date antivirus signatures are ineffective. Which of the following is the BEST approach to prevent any impact to the company from similar attacks in the future?

  • A. IDS signatures
  • B. Data loss prevention
  • C. Port security
  • D. Sinkholing
Suggested Answer: B

Comments

fuzzyguzzy
5 months ago
Selected Answer: B
Sinkholing is a reactive measure, not a preventative measure. The answer that is reactive and will detect exfiltrated data is B.
upvoted 1 times
...
sireyml
1 year, 1 month ago
I would go with DLP. No signature, so we may be looking at a zero-day exploit; the IP is probably not linked to any malicious group, so a sinkhole might fail if data exfiltration is not noticed by analysts, but DLP involves protecting data at rest and in transit.
upvoted 2 times
...
skibby16
1 year, 5 months ago
Selected Answer: D
Sinkholing can help prevent any impact to the company from similar attacks in the future by redirecting the malicious traffic from the compromised assets to a sinkhole server, where it can be monitored, analyzed, or blocked. Sinkholing can also prevent the compromised assets from communicating with their command and control servers or exfiltrating data to remote destinations.
upvoted 1 times
...
Sebatian20
1 year, 5 months ago
Selected Answer: D
Sinkhole. Stop the malware at its source and you won't need to worry about DLP.
upvoted 1 times
...
dickchappy
1 year, 5 months ago
Selected Answer: D
Straight from the official study guide: "Black holes and sinkholes can be configured using routing policies, but you can also use DNS-based sinkholing to capture malicious traffic trying to exit from your network." This is about malicious traffic exiting your network. DLP is more tailored toward dealing with insider threats, not malware attacks. Another source: https://www.egress.com/blog/data-loss-prevention/five-tips-prevent-exfiltration#:~:text=Sinkholing%20is%20a%20network%20engineering,exfiltration%20from%20doing%20any%20harm. "Sinkholing is a network engineering technique where you redirect traffic from a malicious program to an IP address of your choosing. This technique means you can see exactly what the malware program is attempting to exfiltrate while preventing the exfiltration from doing any harm. You can then study the malware at your leisure to understand how it got there and mitigate future attempts."
upvoted 1 times
...
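The DNS-based sinkholing that the study-guide passage above describes comes down to one resolver-side decision: a name on the blocklist gets an internal address the malware can reach but gain nothing from, and the lookup itself identifies the infected host. The following is an added example (not code from the thread, the study guide, or the linked blog); the blocklist, sinkhole address and queries are all constructed, and a plain dict stands in for the upstream forwarder.

```python
# Added example: resolver-side DNS sinkhole decision with analyst alerting.
# All names, addresses and the blocklist below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SINKHOLE_IP = "10.99.0.1"  # constructed: internal listener that accepts and logs, never relays

# Constructed blocklist of C2 / exfiltration zones; a real list comes from threat intel.
SINKHOLE_ZONES = {"evil-cdn.example", "beacon.example.net"}


@dataclass
class Answer:
    qname: str
    rdata: str            # address handed back to the client
    sinkholed: bool
    matched_zone: Optional[str]


def matched_zone(qname: str) -> Optional[str]:
    """Return the blocklisted zone that qname falls under, or None.
    Subdomains count ('x.y.evil-cdn.example' matches 'evil-cdn.example') because
    DNS tunnelling puts per-victim or per-chunk data in the leftmost labels."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in SINKHOLE_ZONES:
            return ".".join(labels[i:])
    return None


def resolve(client_ip: str, qname: str, upstream: Dict[str, str]) -> Tuple[Answer, Optional[str]]:
    """Answer qname for client_ip. Blocklisted names get SINKHOLE_IP plus an alert
    string naming the internal host; everything else is forwarded to `upstream`."""
    zone = matched_zone(qname)
    if zone is not None:
        alert = f"SINKHOLE client={client_ip} qname={qname} zone={zone}"
        return Answer(qname, SINKHOLE_IP, True, zone), alert
    return Answer(qname, upstream.get(qname, "NXDOMAIN"), False, None), None


def run_demo() -> List[str]:
    """Constructed traffic: one benign lookup, one beacon, one tunnelled exfil chunk."""
    upstream = {"www.example.com": "198.51.100.10"}           # constructed forwarder data
    queries = [("10.1.1.23", "www.example.com"),
               ("10.1.1.23", "beacon.example.net"),
               ("10.1.1.57", "a3f9c2.chunk7.evil-cdn.example")]
    alerts = []
    for client, name in queries:
        _, alert = resolve(client, name, upstream)
        if alert:
            alerts.append(alert)   # each alert names the host that needs cleanup
    return alerts
```

The two alerts from `run_demo()` are the "getting alerted" half of the argument in this thread: the sinkhole both denies the destination and tells the analyst which internal hosts tried to reach it.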
Chilaqui1es
1 year, 6 months ago
I'm going with DLP as the answer because, from a Google search "can dlp work against cyber attacks?", multiple sources say "Companies that use DLP have a security strategy to detect, prevent data loss, and cyber-attacks. DLP is also used to eliminate unwanted data that will harm the system's security." I looked into sinkholes and I just feel sketchy about it. Maybe or maybe not, but I think it's unlikely. A big reason too I am going with DLP is that a lot of people who passed the test went with this answer as well.
upvoted 2 times
...
chaddman
1 year, 6 months ago
The best approach to prevent any impact from similar attacks in the future is "D. Sinkholing." A sinkhole redirects traffic from the infected machines to a trusted server, effectively isolating them and preventing data exfiltration to malicious destinations. This can be especially useful when traditional antivirus measures are proving ineffective, as it can stop the communication between the malware and its command and control servers. (chatgpt)
upvoted 1 times
...
skibby16
1 year, 6 months ago
Selected Answer: D
Sinkholing is a technique for manipulating data flow in a network; you redirect traffic from its intended destination to the server of your choosing. It can be used maliciously, to steer legitimate traffic away from its intended recipient, but security professionals more commonly use sinkholing as a tool for research and reacting to attacks. Sinkholing can help prevent any impact to the company from similar attacks in the future by redirecting the malicious traffic from the compromised assets to a sinkhole server, where it can be monitored, analyzed, or blocked. Sinkholing can also prevent the compromised assets from communicating with their command and control servers or exfiltrating data to remote destinations.
upvoted 1 times
...
MiDirtyTip
1 year, 8 months ago
I'm choosing D, solely because it's saying it's sending resources to outbound sources, which is why I would use sinkholing to prevent loss of information, same as DLP, but in my opinion giving you more control on the sinkhole server.
upvoted 2 times
...
karpal
1 year, 10 months ago
Selected Answer: D
I went through all 405 questions. I am now reviewing the questions I got wrong and I am so puzzled by the comments and voting here. It's for SURE not DLP, man. DLP prevents human exfiltration, not exfil done by malware attacks (for example, exfiltration would mean DNS exfiltration; DLP has no way to detect this). I asked ChatGPT and it also said DLP. I told it: "DLP is useful to protect against exfiltration done by humans, not malware attacks. I think that IDS signatures is a method to do it (it will detect malware and then the analyst can stop it from happening), or sinkhole the malicious IPs or domain names used in the malware attack. I do not think DLP is the answer here." The answer came back: "You're correct, and I apologize for the incorrect response. In the context of preventing the impact of malware attacks and exfiltration, the more appropriate approach would be option D: Sinkholing." So the only active useful method from the options to really have an impact is the sinkhole for the remote destinations. I choose D.
upvoted 4 times
Aliyan
1 year, 8 months ago
I am also coming back to the questions and I was thinking why not sinkholing also, because that was the answer I picked when I didn't look at the comments and answer key, but after going back to my notes and talking to GPT a bit I think we are forgetting what the main reason for sinkholing is. Sinkholing primarily focuses on redirecting malicious traffic to a controlled server for analysis or monitoring. It doesn't inherently prevent data exfiltration or address the root cause of the attack. It can be more effective for understanding the scope and scale of an attack or for gathering threat intelligence but may not directly prevent sensitive data from leaving the network. Sinkholing does not necessarily prevent this data transfer from occurring; it merely redirects the communication to a different location. Sinkholing may not have full control over the malware or its actions. Sophisticated malware can adapt and change its behavior, potentially evading sinkholing measures.
upvoted 1 times
...
...
kiduuu
2 years, 1 month ago
Selected Answer: B
The best approach to prevent any impact to the company from similar attacks in the future is to implement data loss prevention (DLP).
upvoted 2 times
...
2Fish
2 years, 2 months ago
Selected Answer: B
B. This is DLP for sure.
upvoted 2 times
...
timhk
2 years, 3 months ago
It says "prevent any impact to the company from similar attacks in the future". That means the attack still exists in the future within the company. So to prevent any impact to the company is to use DLP.
upvoted 2 times
...
Kelz56
2 years, 6 months ago
Data loss prevention (DLP) is a set of technologies and processes that monitor and inspect data on a corporate network to prevent exfiltration of critical data as a result of cyberattacks, such as phishing or malicious insider threats.
upvoted 2 times
...
Study4America
2 years, 6 months ago
Selected Answer: B
Exfiltrating data is DLP, no doubt.
upvoted 3 times
...
TeyMe
2 years, 6 months ago
Selected Answer: D
Context: So devices are connecting to outbound remote destinations (C2), attack via malware. Since malware signatures couldn't be detected, this is Unknown Unknowns, so we can rule out A. However, malware analysis will reveal source info and get IPs from that, then we can sinkhole with the hope of getting alerted!
upvoted 1 times
TeyMe
2 years, 6 months ago
Also, notice the "Prevent ANY impact"; this means for both malware and DLP, not just DLP... contextually...
upvoted 1 times
...
...
MortG7
2 years, 6 months ago
Selected Answer: B
The little nugget here is "exfiltrating data": DLP.
upvoted 3 times
...