A security analyst working in the SOC recently discovered instances in which hosts visited a specific set of domains and IPs and became infected with malware. Which of the following is the MOST appropriate action to take in this situation?
A. Implement an IPS signature for the malware and update the deny list for the associated domains and IPs
B. Implement an IPS signature for the malware and another signature request to block all the associated domains and IPs
C. Implement a change request to the firewall setting to not allow traffic to and from the IPs and domains
D. Implement an IPS signature for the malware and a change request to the firewall setting to not allow traffic to and from the origin IPs' subnets and second-level domains
D is wrong because you don't want to block a whole subnet.
C is wrong because it does nothing about the malware.
B is wrong, because is this English?
A is correct.
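As an added example (not from the question, the exam, or any commenter), the script below shows what the two halves of option A look like in practice: triaging proxy logs for the hosts that reached the known-bad domains and IPs, and emitting a per-indicator deny list. It also measures what the option D approach (blocking the origin /24s and second-level domains) would sweep up beyond the indicators, using the same log as the yardstick. All indicators, hostnames, and log lines are constructed for illustration; the log format, the "type value" deny-list form, and the naive two-label second-level-domain rule are assumptions, not any vendor's format.

```python
"""Triage of proxy logs against an IOC deny list, plus a check on how much a
subnet / second-level-domain block would over-block. All data is constructed."""
import ipaddress
from typing import Dict, Iterable, List, Set

# Constructed IOCs: the "specific set of domains and IPs" the analyst observed.
MALICIOUS_DOMAINS: Set[str] = {"update-check.example.net", "cdn-assets.example.org"}
MALICIOUS_IPS: Set[str] = {"198.51.100.23", "203.0.113.77"}

# Constructed proxy log (assumed format): "<timestamp> <src_host> <dst_host> <dst_ip> <action>"
SAMPLE_PROXY_LOG = """\
2024-05-01T09:12:03Z wks-0142 update-check.example.net 198.51.100.23 ALLOW
2024-05-01T09:12:09Z wks-0142 cdn-assets.example.org 203.0.113.77 ALLOW
2024-05-01T09:15:41Z wks-0077 www.example.com 93.184.216.34 ALLOW
2024-05-01T09:20:00Z wks-0310 203.0.113.77 203.0.113.77 ALLOW
2024-05-01T09:21:12Z wks-0077 mail.example.org 203.0.113.9 ALLOW
2024-05-01T09:22:30Z wks-0142 www.example.com 93.184.216.34 ALLOW
"""


def parse_proxy_log(text: str) -> List[Dict[str, str]]:
    """Parse whitespace-separated proxy lines; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst_host, dst_ip, action = parts
        records.append({"ts": ts, "src": src, "dst_host": dst_host,
                        "dst_ip": dst_ip, "action": action})
    return records


def host_matches(dst_host: str, domains: Iterable[str]) -> bool:
    """True if dst_host equals, or is a subdomain of, a listed domain."""
    h = dst_host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in domains)


def hosts_contacting_iocs(records, domains, ips) -> Dict[str, Set[str]]:
    """Map each internal host to the indicators it reached: these are the
    hosts to isolate and re-image, whatever blocking is put in place later."""
    hits: Dict[str, Set[str]] = {}
    for r in records:
        matched = set()
        if host_matches(r["dst_host"], domains):
            matched.add(r["dst_host"].lower())
        if r["dst_ip"] in ips:
            matched.add(r["dst_ip"])
        if matched:
            hits.setdefault(r["src"], set()).update(matched)
    return hits


def build_deny_list(domains, ips) -> List[str]:
    """Per-indicator entries (the option A deny list): one line per IP and
    per domain, in a neutral 'type value' form for a firewall/proxy importer."""
    entries = [f"ip {ip}" for ip in sorted(ips, key=ipaddress.ip_address)]
    entries += [f"domain {d}" for d in sorted(domains)]
    return entries


def second_level_domain(name: str) -> str:
    """Naive SLD: the last two labels (no public-suffix handling; assumption)."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def overblock_report(records, domains, ips, prefixlen: int = 24) -> Dict[str, int]:
    """Estimate what an option D style block (origin subnets plus second-level
    domains) would cover beyond the indicators, using the log as the yardstick."""
    nets = {ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False) for ip in ips}
    slds = {second_level_domain(d) for d in domains}
    collateral = {
        r["dst_host"] for r in records
        if not host_matches(r["dst_host"], domains) and r["dst_ip"] not in ips
        and (second_level_domain(r["dst_host"]) in slds
             or any(ipaddress.ip_address(r["dst_ip"]) in n for n in nets))
    }
    return {
        "indicator_ips": len(ips),
        "addresses_blocked_by_subnets": sum(n.num_addresses for n in nets),
        "collateral_destinations_in_log": len(collateral),
    }


if __name__ == "__main__":
    recs = parse_proxy_log(SAMPLE_PROXY_LOG)
    print("hosts to isolate:", hosts_contacting_iocs(recs, MALICIOUS_DOMAINS, MALICIOUS_IPS))
    print("deny list:", build_deny_list(MALICIOUS_DOMAINS, MALICIOUS_IPS))
    print("option D overblock:", overblock_report(recs, MALICIOUS_DOMAINS, MALICIOUS_IPS))
```

On the constructed log, two IOCs expand to 512 addresses once widened to /24s, and the second-level-domain rule would also cut off mail.example.org, which never appeared in the infection chain. That is the collateral the "don't block a whole subnet" objection is about; the deny list itself stays limited to the four observed indicators.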
IPS Signature for Malware: Implementing an IPS signature for the known malware allows the security infrastructure to detect and block the specific malware at the network level. This helps prevent the malware from entering the network or spreading further.
Firewall Rule Changes: Requesting a change to the firewall settings to block traffic to and from the origin IPs' subnets and second-level domains is a proactive measure to further protect the network. This action blocks potential communication with the malicious infrastructure associated with the malware, reducing the risk of future infections.
Option A is insufficient because it only blocks the specific IPs and domains already known to be malicious, but does not block the broader subnets/second-level domains that the threat actors likely control.
Option B adds blocking the domains/IPs but does not address blocking at a more general level.
Option C blocks the domains/IPs but does not implement malware detection.
Option D combines malware detection through IPS with proactive blocking of related infrastructure at the firewall, making it the most comprehensive approach.
So we all agree that D is the worst choice due to the blocking of an entire subnet. Let's break down the others for discussion now.
A. Would add the malware signature to the IPS and would be able to detect anomalies based on the signature to block future infections and access to malicious addresses tied to the signature. Adding the domains and IPs to the deny list will prevent users from accessing the site/address as well as preventing traffic from the site/address.
B. I don't know what in the world a signature request for an associated domain/IP is. The actual signature for the malware would tie the domain/IP in with it while it was actively using that domain. So, no B.
C. This one is here to throw everyone off, I think. You don’t need to submit a change request to block a known malicious domain/IP address. Change requests need to be completed when the requested change might affect production, cost, resources, all that good stuff in the BIA. Additionally, the firewall only prevents users from accessing the malicious site and traffic to and from the site. It completely ignores the malware side of the house in a sense. Yes, it prevents users from going to the hosting location, but you’re not just going to throw a nice shiny new malware signature away.
Here's a scenario just for fun as a reason why I wouldn't choose C.
Group of thieves dressed up as, let's say, locksmiths from JONES LOCKS Co who wear all blue uniforms. They enter the bank and say, hey, we are here to fix your vault door. They are granted access and the bank is robbed. Next day, the same group in the same outfit comes in and robs the place again. Happens again on the third day. Then the old security guard goes, hmmmm, you know what, every time those guys from Jones Lock Co in the blue uniforms come in, the place gets robbed. Let me fill out this paperwork to prevent the guys in the blue uniform from Jones Locks Co from coming into the bank. I'll submit it to senior management, so they and the other stakeholders can have a meeting and decide if they really want to prevent those guys from coming into the bank or not.
After two days the change is approved (and they were robbed two more times while waiting for the verdict), so now the guard no longer lets those guys from Jones Locks wearing blue into the bank, forever. So, standing outside, the thieves just kinda look at each other and decide to try something, so they head back to the van. Five minutes later, a group of guys wearing green uniforms with a weird hand-drawn B in the name that says BONES LOCKS Co comes in. The guard shrugs and lets 'em right on in because he only knows to keep the other bad group of locksmiths out, not these guys who resemble the old group. From this point on the cycle just goes over and over.
-The End -
Just a way I try to look at things to make them more fun and break up the monotony. Something a bit different from the ChatGPT copy-paste responses that we get. Be careful taking those as accurate is all I'll say. Sometimes the facts can be good, but the applied logic is in left field.
I'd go with A. It's accomplishing the same as C as far as blocking the IPs and domains go. But C does nothing to stop the malware that's already there. The only positive thing about C is the mention of a change request.
This is because by creating a signature for the malware, the IPS will be able to detect and prevent it from entering the network in the future. By also blocking traffic to and from the origin IPs' subnets and second-level domains, the organization can reduce the attack surface and reduce the likelihood of the malware reoccurring. This approach will provide a more comprehensive and thorough solution to the problem, while also reducing the risk of future infections.
D is wrong, it's too extreme and would block traffic to possibly legitimate sites. It goes a step further than B, which is a step further than A.
If you look carefully you'll see A, B and C are all suggesting blocking the same things (malware and domains / IPs) but at different points along the traffic flow. gng's answer works because it goes a step further than IPS.
The most appropriate action in this situation would be to implement a change request to the firewall setting to not allow traffic to and from the IPs and domains. By blocking traffic to and from the IPs and domains associated with the malware instances, the security analyst can effectively prevent hosts from visiting these sources and becoming infected with malware. This proactive approach is more effective than simply implementing an IPS signature for the malware, as it would only detect and prevent the malware after it has already been downloaded and executed on a host.
Community vote distribution: A (35%), C (25%), B (20%), Other