312-50V10 · Question #52
You are monitoring the network of your organizations. You notice that: There are huge outbound connections from your Internal Network to External IPs On further investigation, you see that the externa
The correct answer is D. Both B and C. Effective CnC malware response requires both updating detection signatures and removing the malware to address the threat at network and host levels.
Question
You are monitoring the network of your organizations. You notice that:
There are huge outbound connections from your Internal Network to External IPs On further investigation, you see that the external IPs are blacklisted Some connections are accepted, and some are dropped You find that it is a CnC communication Which of the following solution will you suggest?
Options
- ABlock the Blacklist IP's @ Firewall
- BUpdate the Latest Signatures on your IDS/IPS
- CClean the Malware which are trying to Communicate with the External Blacklist IP's
- DBoth B and C
How the community answered
(47 responses)- A23% (11)
- B13% (6)
- C6% (3)
- D57% (27)
Why each option
Effective CnC malware response requires both updating detection signatures and removing the malware to address the threat at network and host levels.
Blocking blacklisted IPs at the firewall is insufficient on its own because CnC operators routinely rotate infrastructure IPs, and the underlying malware infection on endpoints remains active.
Updating IDS/IPS signatures improves network-level detection but does not remove the malware already executing on compromised hosts that is generating the CnC traffic.
Cleaning infected hosts removes the current malware but leaves the network without improved detection capabilities, making reinfection easier to miss.
Updating IDS/IPS signatures (B) closes the detection gap so that ongoing and future CnC traffic patterns are identified and can be blocked at the network perimeter. Cleaning the malware (C) eliminates the root cause from infected endpoints, stopping the outbound beaconing entirely. Both steps together are necessary because signatures alone do not remove existing infections, and malware removal alone does not prevent reinfection or improve detection of similar threats.
Concept tested: CnC malware incident response - layered host and network remediation
Source: https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-83r1.pdf
Topics
Community Discussion
No community discussion yet for this question.