Exam SY0-601 topic 1 question 298 discussion

Actual exam question from CompTIA's SY0-601
Question #: 298
Topic #: 1
A research company discovered that an unauthorized piece of software has been detected on a small number of machines in its lab. The researchers collaborate with other machines using port 445 and on the Internet using port 443. The unauthorized software is starting to be seen on additional machines outside of the lab and is making outbound communications using HTTPS and SMB. The security team has been instructed to resolve the problem as quickly as possible while causing minimal disruption to the researchers. Which of the following contains the BEST course of action in this scenario?

  • A. Update the host firewalls to block outbound SMB.
  • B. Place the machines with the unapproved software in containment.
  • C. Place the unauthorized application in a blocklist.
  • D. Implement a content filter to block the unauthorized software communication.
Suggested Answer: C
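The disagreement in the thread below is about what each option actually blocks. The following is an added example, not part of the exam question or of CompTIA's material: it models the three blocking strategies the options imply (a host-firewall port block, a path-keyed blocklist, and a hash-keyed application blocklist) over a handful of constructed connection records shaped like the scenario. Host names, paths and the hashed byte strings are placeholders chosen for illustration; the only real library call is SHA-256.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    """One outbound connection seen on a host (constructed record, not real telemetry)."""
    host: str
    process_path: str
    sha256: str        # hash of the executable that owns the socket
    remote_port: int


def sha256_of(data: bytes) -> str:
    """Hash an executable image; a blocklist keyed on this survives renames and moves."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the binaries involved; the bytes are placeholders, not real software.
SMB_CLIENT = sha256_of(b"explorer.exe (constructed)")
BROWSER = sha256_of(b"browser.exe (constructed)")
UNAPPROVED = sha256_of(b"unapproved.exe (constructed)")
BLOCKLIST = {UNAPPROVED}

# Constructed sample: researchers use SMB (445) and HTTPS (443) legitimately while the
# unapproved binary talks out on the same two ports, from the lab and from one host outside it.
CONNECTIONS = [
    Connection("lab-01", r"C:\Windows\explorer.exe", SMB_CLIENT, 445),
    Connection("lab-01", r"C:\Program Files\Browser\browser.exe", BROWSER, 443),
    Connection("lab-01", r"C:\Users\r1\AppData\Local\Temp\unapproved.exe", UNAPPROVED, 445),
    Connection("lab-01", r"C:\Users\r1\AppData\Local\Temp\unapproved.exe", UNAPPROVED, 443),
    Connection("lab-02", r"C:\Windows\explorer.exe", SMB_CLIENT, 445),
    # Same binary, renamed and dropped elsewhere on a machine outside the lab.
    Connection("office-07", r"C:\Users\r2\Downloads\updater.exe", UNAPPROVED, 443),
]


def block_by_port(conns, ports):
    """Option A style: a host firewall drops every connection to the listed ports, whoever owns it."""
    return {c for c in conns if c.remote_port in ports}


def block_by_path(conns, path_fragment):
    """Path-keyed blocklist: matches only while the binary still sits at the known path."""
    return {c for c in conns if path_fragment.lower() in c.process_path.lower()}


def block_by_hash(conns, blocklist):
    """Option C style: application blocklist keyed on the executable's hash."""
    return {c for c in conns if c.sha256 in blocklist}


def assess(conns, blocked, bad_hashes):
    """Return (unauthorized connections stopped, legitimate ones broken, unauthorized ones missed)."""
    stopped = sum(1 for c in blocked if c.sha256 in bad_hashes)
    collateral = len(blocked) - stopped
    total_bad = sum(1 for c in conns if c.sha256 in bad_hashes)
    return stopped, collateral, total_bad - stopped


if __name__ == "__main__":
    for label, blocked in [
        ("block port 445 (option A)", block_by_port(CONNECTIONS, {445})),
        ("block ports 443+445", block_by_port(CONNECTIONS, {443, 445})),
        ("blocklist by path", block_by_path(CONNECTIONS, r"\Temp\unapproved.exe")),
        ("blocklist by hash (option C)", block_by_hash(CONNECTIONS, BLOCKLIST)),
    ]:
        stopped, collateral, missed = assess(CONNECTIONS, blocked, BLOCKLIST)
        print(f"{label:32s} stopped={stopped} collateral={collateral} missed={missed}")
```

Read across the three columns: blocking port 445 breaks the researchers' SMB sessions and still leaves the HTTPS beacons running; blocking both ports stops everything, the researchers' work included; a path rule misses the renamed copy on office-07; only the hash-keyed blocklist stops every instance with zero collateral, which is the "minimal disruption" property the question is testing for. In a real deployment the hash rule would be an AppLocker/WDAC hash rule or an EDR blocklist entry rather than this script, and a content filter that only sees port or protocol behaves like the port rows here.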

Comments

HL2020
Highly Voted 2 years, 5 months ago
Selected Answer: C
I'm guessing C. A isn't correct since we're asked not to disrupt researchers who are using SMB. B would again disrupt, and D doesn't really make sense.
upvoted 20 times
osdoodsiosdio2
1 year, 4 months ago
What do you mean D doesn't make sense? How is it different from C?
upvoted 4 times
okay123
Highly Voted 2 years, 5 months ago
Selected Answer: C
C makes the most sense
upvoted 9 times
KelvinYau
Most Recent 6 months, 2 weeks ago
Selected Answer: B
Containment allows the security team to isolate the affected machines from the network while minimizing disruption to the researchers. This approach helps prevent the unauthorized software from spreading further and making outbound communications without affecting the overall research operations.
upvoted 1 times
KelvinYau
6 months, 2 weeks ago
C. Place the unauthorized application in a blocklist: This could prevent the application from running on new machines but may not immediately address the existing instances of the software.
upvoted 1 times
Alcpt
7 months, 3 weeks ago
Selected Answer: C
Fastest resolution
upvoted 1 times
MALEKMALAHI
10 months ago
Selected Answer: C
Blacklisting the unauthorized application is the most targeted approach that minimizes disruption. Researchers can continue using ports 445 and 443 for legitimate communications as long as the unauthorized software is blocked. Placing the machines in containment would completely halt work on those machines, causing significant disruption.
upvoted 1 times
jerseydude
11 months, 1 week ago
B for me: "seen on additional machines outside of the lab". You would need to contain first, then block links etc.
upvoted 2 times
AbdullahMohammad251
11 months, 3 weeks ago
Selected Answer: B
Option A is incorrect because the researchers are using SMB to communicate and we can't block it. Since the researchers are using the same ports used by the unauthorized software to communicate, the researchers are likely using the unauthorized software to communicate, making option C incorrect. Option D is also invalid and irrelevant to our scenario; content filters are used to block certain websites.
upvoted 1 times
Alcpt
7 months, 3 weeks ago
Come on dude, this will cause disruption.
upvoted 1 times
BD69
1 year, 1 month ago
Selected Answer: C
Placing machines in containment would be highly disruptive! If the software is unauthorized, the least disruptive thing to do is block it via a blocklist. The problem with a content filter is that it filters content, not ports; we don't know what that content is. There may be situations (though I can't think of any) where SMB may be required.
upvoted 2 times
memodrums
1 year, 2 months ago
Selected Answer: C
I would go with C. This is why: as you see more workstations with the unauthorized software, you would need to keep putting them into containment. By blocking the software altogether, you won't have that issue, making it more efficient.
upvoted 1 times
dsfdg
1 year, 2 months ago
According to incident response, the answer should be B.
upvoted 2 times
eddy72
1 year, 3 months ago
Selected Answer: B
B. Place the machines with the unapproved software in containment. In this scenario, the best course of action is to quickly contain the machines with the unauthorized software to prevent further spread and minimize disruption. Placing the affected machines in containment helps isolate them from the network, preventing the unauthorized software from making outbound communications and spreading to additional machines. While options such as updating host firewalls, implementing a content filter, or placing the unauthorized application in a blocklist may be part of a comprehensive security strategy, containment is the most immediate and targeted response to prevent the unauthorized software from causing further impact and spreading throughout the network.
upvoted 3 times
BD69
1 year, 1 month ago
a blocklist would work immediately and cause the least disruption. Containment would take time and cause the most disruption.
upvoted 2 times
johnabayot
1 year, 3 months ago
Selected Answer: B
B. Place the machines with the unapproved software in containment. This option would prevent the unauthorized software from spreading to other machines and communicating with external servers, while allowing the researchers to continue their work on unaffected machines.
upvoted 1 times
shaneo007
1 year, 3 months ago
Answer B. Place the machines with the unapproved software in containment. This would allow the investigation of the infected machine without disrupting the work of researchers.
upvoted 1 times
Cloudninja117
1 year, 5 months ago
Selected Answer: B
The correct answer is B; it's in the textbook by Jason Dion and it's a question that was previously on the last Security+ exam.
upvoted 2 times
Teleco0997
1 year, 5 months ago
Selected Answer: B
Reasons for C to be incorrect:
Outbound communications: Blocking the unauthorized application from running on the machine may not automatically prevent its outbound communications. If the application has already established connections or is designed to communicate over the network, those communications might still occur.
Preventing spread: Placing the application in a blocklist on one machine doesn't prevent it from spreading to other machines. If the unauthorized software is propagating through the network, merely blocking it on one machine may not stop its lateral movement.
Holistic solution: Security incidents often require a more comprehensive and holistic solution. Blocking the application is a reactive measure, but containment measures (such as isolating affected machines) and addressing the root cause are proactive steps to mitigate the impact and prevent further spread.
upvoted 1 times
Teleco0997
1 year, 5 months ago
Selected Answer: B
my 5c here: Option C suggests placing the unauthorized application in a blocklist, this approach might prevent the unauthorized application from running on the affected machines, but it might not be as effective in stopping its outbound communications or preventing its spread to other machines. In scenarios where the unauthorized software is making outbound communications using HTTPS and SMB and is spreading to other machines, a more comprehensive solution like containment (Option B) is necessary to quickly isolate and address the problem at its source.
upvoted 1 times
MuttleyB
1 year, 4 months ago
The keyword here is "minimal disruption." Device containment will disrupt affected user devices. Since we've got to work within the parameters of least downtime, C will have to do.
upvoted 1 times
DChilds
1 year, 6 months ago
Selected Answer: B
In line with the incident response process, the breach has been identified, the next step is containment. All other remedies require an emergency change to be logged but the first step should be containment.
upvoted 4 times
Community vote distribution: A (35%), C (25%), B (20%), Other