nerdexam
EC-Council

312-50V10 · Question #772

You are monitoring the network of your organizations. You notice that: 1. There are huge outbound connections from your Internal Network to External IPs 2. On further investigation, you see that the e

The correct answer is D. Block the Blacklist IP's @ Firewall as well as Clean the Malware which are trying to Communicate. When C&C malware is detected communicating with blacklisted IPs, both network-level blocking and host-level remediation are required for complete incident response.

Malware Threats

Question

You are monitoring the network of your organizations. You notice that: 1. There are huge outbound connections from your Internal Network to External IPs 2. On further investigation, you see that the external IPs are blacklisted 3. Some connections are accepted, and some are dropped 4. You find that it is a CnC communication Which of the following solution will you suggest?

Options

  • ABlock the Blacklist IP's @ Firewall
  • BUpdate the Latest Signatures on your IDS/IPS
  • CClean the Malware which are trying to Communicate with the External Blacklist IP's
  • DBlock the Blacklist IP's @ Firewall as well as Clean the Malware which are trying to Communicate

How the community answered

(42 responses)
  • A
    10% (4)
  • B
    31% (13)
  • C
    12% (5)
  • D
    48% (20)

Why each option

When C&C malware is detected communicating with blacklisted IPs, both network-level blocking and host-level remediation are required for complete incident response.

ABlock the Blacklist IP's @ Firewall

Blocking IPs at the firewall only addresses network communication and does not remove the malware from infected hosts, leaving the root cause and potential for re-infection intact.

BUpdate the Latest Signatures on your IDS/IPS

Updating IDS/IPS signatures improves detection capability for future traffic but does not actively block the ongoing C&C communication or remove the malware already present on hosts.

CClean the Malware which are trying to Communicate with the External Blacklist IP's

Cleaning the malware removes the infection on the endpoint but does not block the blacklisted IPs at the network level, leaving other potentially compromised hosts unprotected.

DBlock the Blacklist IP's @ Firewall as well as Clean the Malware which are trying to CommunicateCorrect

Blocking blacklisted IPs at the firewall stops active and future C&C communication at the network perimeter, preventing data exfiltration and command receipt. Cleaning the malware eliminates the root cause on infected hosts. Neither action alone is sufficient - without firewall blocking, other hosts remain at risk, and without malware removal, the threat persists on the endpoint and may seek new C&C channels.

Concept tested: C&C malware incident response - dual remediation

Source: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-83r1.pdf

Topics

#command and control#malware remediation#blacklisted IPs#firewall response

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice