312-50V11 · Question #772
You are monitoring the network of your organizations. You notice that: 1. There are huge outbound connections from your Internal Network to External IPs 2. On further investigation, you see that the e
The correct answer is D. Block the Blacklist IP's @ Firewall as well as Clean the Malware which are trying to Communicate. When CnC (Command and Control) communication is detected, both blocking malicious IPs at the firewall and removing the malware are required for complete remediation.
Question
Options
- ABlock the Blacklist IP's @ Firewall
- BUpdate the Latest Signatures on your IDS/IPS
- CClean the Malware which are trying to Communicate with the External Blacklist IP's
- DBlock the Blacklist IP's @ Firewall as well as Clean the Malware which are trying to Communicate
How the community answered
(55 responses)- A24% (13)
- B13% (7)
- C7% (4)
- D56% (31)
Why each option
When CnC (Command and Control) communication is detected, both blocking malicious IPs at the firewall and removing the malware are required for complete remediation.
Blocking IPs at the firewall only controls network-level communication but leaves the malware running on internal hosts, which can discover new C2 endpoints or cause further internal damage.
Updating IDS/IPS signatures improves future detection capability but does not remove existing malware from infected systems or block current outbound connections to blacklisted IPs.
Cleaning the malware removes the threat from endpoints but does not immediately cut the network channel - and if cleanup fails or takes time, outbound connections continue without a firewall rule in place.
Blocking blacklisted IPs at the firewall stops ongoing outbound CnC communication at the network perimeter, but the malware remains active on internal hosts and can pivot to new C2 endpoints or cause additional damage. Cleaning the malware eliminates the root cause on the infected endpoints. Only combining both actions fully contains and remediates the incident.
Concept tested: CnC malware incident response and dual-layer remediation
Source: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-83r1.pdf
Topics
Community Discussion
No community discussion yet for this question.