312-50V10 · Question #772
You are monitoring the network of your organizations. You notice that: 1. There are huge outbound connections from your Internal Network to External IPs 2. On further investigation, you see that the e
The correct answer is D. Block the Blacklist IP's @ Firewall as well as Clean the Malware which are trying to Communicate. When C&C malware is detected communicating with blacklisted IPs, both network-level blocking and host-level remediation are required for complete incident response.
Question
Options
- ABlock the Blacklist IP's @ Firewall
- BUpdate the Latest Signatures on your IDS/IPS
- CClean the Malware which are trying to Communicate with the External Blacklist IP's
- DBlock the Blacklist IP's @ Firewall as well as Clean the Malware which are trying to Communicate
How the community answered
(42 responses)- A10% (4)
- B31% (13)
- C12% (5)
- D48% (20)
Why each option
When C&C malware is detected communicating with blacklisted IPs, both network-level blocking and host-level remediation are required for complete incident response.
Blocking IPs at the firewall only addresses network communication and does not remove the malware from infected hosts, leaving the root cause and potential for re-infection intact.
Updating IDS/IPS signatures improves detection capability for future traffic but does not actively block the ongoing C&C communication or remove the malware already present on hosts.
Cleaning the malware removes the infection on the endpoint but does not block the blacklisted IPs at the network level, leaving other potentially compromised hosts unprotected.
Blocking blacklisted IPs at the firewall stops active and future C&C communication at the network perimeter, preventing data exfiltration and command receipt. Cleaning the malware eliminates the root cause on infected hosts. Neither action alone is sufficient - without firewall blocking, other hosts remain at risk, and without malware removal, the threat persists on the endpoint and may seek new C&C channels.
Concept tested: C&C malware incident response - dual remediation
Source: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-83r1.pdf
Topics
Community Discussion
No community discussion yet for this question.