Exam CS0-002 topic 1 question 41 discussion

I think people are confused because all of the steps are valid ones to take. The key is the question asks which step to take NEXT. That means you have to fit the steps into the IR process. We're past identification as we have a live worm spreading. Next step is containment. A) This needs to happen, but could take a long time fo results. This is a post-incident activity. B) Changes like this are part of remediation / recovery. But it only says it revealed the worm; not that it stopped it. C) This would make sense, but slowness is being reported for "all workstation segments". In other words, it's hit every VLAN already. D) Updating your IPS is the best chance you have at stopping it. You don't need much for IOC's, just anything that you're getting from the anti-malware. An EXE, a port, a signature...

A) This takes too long B) The question says all work stations are slow, implying all devices are infected. C) The malware hit all segments, so there's nothing to contain D) Again, the worm spread, so there's nothing to contain. All these options are terrible lol

C. Enable an ACL on all VLANs to contain each segment.

ChatGPT says it's C... Well, might be a point.

"Slowness across ALL network segments" Which means the worm has already spread across all work stations. You cannot halt what has already spread. I'm going with A also

D is correct one for NEXT action to be taken

I went several times on this question. days have passed. i looked at everyone. all answer make sense. The thing is they say all workstation segments. and while the word ALL is important, but also workstation. What about the rest that are NOT workstations ? servers , databases etc ? We want to contain it as it an WORM that spreads allone - think SQL Slammer https://en.wikipedia.org/wiki/SQL_Slammer . So I think the ACL - segmenting ALL segments is the best answer, closing the ports that the worm is using. It is fast and it contains it in the workstation segments that are already infected. the signature and the new anti malware could be done later the Remediation step.

Everyone keeps saying "this has hit every vlan already" as there reasoning for not choosing C. So let me ask you this.. Do servers also live on vlan segments ... that have not potentially been affected yet?

B is a more immediate response to the incident. Deploying the new anti-malware on all uninfected systems will help prevent further infections and reduce the spread of the worm. D is not an immediate response to the incident and may take some time to complete. Both options are important, but in this specific scenario, B is the more urgent and effective next step to take.

C looks appealing but, why would you use ACLs on all vlans, when the IOC/Incident was identified on just the workstation subnet...even sef such action could cause lots of service outages

D. I have to agree that we can contain the spread. Then Send a sample (hashs, etc) to the vendor. Perhaps this could be done in tandem if you have more than one Analyst working on the event.

Containment is key

This virus already in all workstation, so not C. A is post-incident activitiy. When you deploying new anti-malware, it takes so many time. not B. D is make sense, IPS is in your system already.

Question notes it has already spread to all network segments. At this stage to quote Princess Leia, "Help me Intrusion Prevention System, you're my only hope!"

C is a bad answer " Enable an ACL on all VLANs to contain each segment.". Its already on all segments. This won't do anything.

hard to choose, a or d is all fine. But more prefer A since slowness is already on all workstions.

Should be D