nerdexam
EC-Council

312-50V10 · Question #52

You are monitoring the network of your organizations. You notice that: There are huge outbound connections from your Internal Network to External IPs On further investigation, you see that the externa

The correct answer is D. Both B and C. Effective CnC malware response requires both updating detection signatures and removing the malware to address the threat at network and host levels.

Malware Threats

Question

You are monitoring the network of your organizations. You notice that:

There are huge outbound connections from your Internal Network to External IPs On further investigation, you see that the external IPs are blacklisted Some connections are accepted, and some are dropped You find that it is a CnC communication Which of the following solution will you suggest?

Options

  • ABlock the Blacklist IP's @ Firewall
  • BUpdate the Latest Signatures on your IDS/IPS
  • CClean the Malware which are trying to Communicate with the External Blacklist IP's
  • DBoth B and C

How the community answered

(47 responses)
  • A
    23% (11)
  • B
    13% (6)
  • C
    6% (3)
  • D
    57% (27)

Why each option

Effective CnC malware response requires both updating detection signatures and removing the malware to address the threat at network and host levels.

ABlock the Blacklist IP's @ Firewall

Blocking blacklisted IPs at the firewall is insufficient on its own because CnC operators routinely rotate infrastructure IPs, and the underlying malware infection on endpoints remains active.

BUpdate the Latest Signatures on your IDS/IPS

Updating IDS/IPS signatures improves network-level detection but does not remove the malware already executing on compromised hosts that is generating the CnC traffic.

CClean the Malware which are trying to Communicate with the External Blacklist IP's

Cleaning infected hosts removes the current malware but leaves the network without improved detection capabilities, making reinfection easier to miss.

DBoth B and CCorrect

Updating IDS/IPS signatures (B) closes the detection gap so that ongoing and future CnC traffic patterns are identified and can be blocked at the network perimeter. Cleaning the malware (C) eliminates the root cause from infected endpoints, stopping the outbound beaconing entirely. Both steps together are necessary because signatures alone do not remove existing infections, and malware removal alone does not prevent reinfection or improve detection of similar threats.

Concept tested: CnC malware incident response - layered host and network remediation

Source: https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-83r1.pdf

Topics

#CnC communication#malware C2#IDS/IPS signatures#blacklist filtering

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice