A security analyst observes a large amount of scanning activity coming from an IP address outside the organization's environment. Which of the following should the analyst do to block this activity?
A. Create an IPS rule to block the subnet.
B. Sinkhole the IP address.
C. Create a firewall rule to block the IP address.
What if the threat actor changed the IP one minute later? But true... you cannot block a subnet, since many of those are Microsoft, and threat actors love them, since MS takes ages to take down a malicious IP!
I choose A. IPS rule will detect and prevent any malicious activity, plus it blocks the subnet, which means every IP in that range coming from the source. But I'm not sure on this. A firewall block means attacker can change IP in same range and keep going.
Blocking the entire subnet without knowing for certain that the other addresses within that block are also involved in malicious activity is a bad way to go. It can even end up impacting the business itself, as there might be a chance that legitimate services they need also come from servers that also reside in that subnet.
So the safest and simplest way to go would be to block the individual address.
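The trade-off debated in the comments above (one address versus the whole subnet) can be measured against perimeter traffic before any rule is written. The following is an added example, not part of the original page or its comments; the flow records, the `KNOWN_GOOD` allowlist and the 20-port scanner threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (RFC 5737 documentation addresses, not from the page).
# Each record is (source IP, destination port) as seen at the perimeter.
FLOWS = (
    [("203.0.113.45", p) for p in range(20, 60)]      # wide port sweep
    + [("203.0.113.200", 443)] * 30                   # partner API, one port
    + [("203.0.113.17", 25), ("203.0.113.17", 25)]    # mail relay
    + [("198.51.100.9", 443)]                         # unrelated network
)
KNOWN_GOOD = {"203.0.113.200"}  # hypothetical allowlist of business services


def block_impact(flows, offender, prefix_len, port_threshold=20):
    """Compare blocking one address against blocking its enclosing subnet."""
    subnet = ipaddress.ip_network(f"{offender}/{prefix_len}", strict=False)
    ports = defaultdict(set)
    for src, dport in flows:
        if ipaddress.ip_address(src) in subnet:
            ports[src].add(dport)
    # A source counts as a scanner when it touched many distinct ports.
    scanners = sorted(s for s, p in ports.items() if len(p) >= port_threshold)
    # Every other active source in the range is collateral of a subnet block.
    collateral = sorted(s for s in ports if s not in scanners)
    return {
        "subnet": str(subnet),
        "scanners": scanners,
        "collateral": collateral,
        "known_good_hit": sorted(s for s in collateral if s in KNOWN_GOOD),
    }


def recommend(impact):
    """Pick the narrowest block that covers the observed scanning sources."""
    if not impact["scanners"]:
        return "no block: no source crossed the scan threshold"
    if len(impact["scanners"]) > 1 and not impact["collateral"]:
        return f"block subnet {impact['subnet']}"
    return "block hosts " + ", ".join(impact["scanners"])


if __name__ == "__main__":
    result = block_impact(FLOWS, "203.0.113.45", 24)
    print(result)
    print(recommend(result))
```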
CS0-002 Exam Questions
TheStudiousPeepz, 2 years, 6 months ago
2Fish, 2 years, 1 month ago
uday1985, 1 year, 7 months ago
marc4354345, 2 years, 7 months ago
Cizzla7049, 2 years, 7 months ago
Tag, 2 years, 7 months ago
Adrian831, 2 years, 7 months ago