nerdexam
EC-Council

312-50V11 · Question #772

You are monitoring the network of your organizations. You notice that: 1. There are huge outbound connections from your Internal Network to External IPs 2. On further investigation, you see that the e

The correct answer is D. Block the Blacklist IP's @ Firewall as well as Clean the Malware which are trying to Communicate. When CnC (Command and Control) communication is detected, both blocking malicious IPs at the firewall and removing the malware are required for complete remediation.

Malware Threats

Question

You are monitoring the network of your organizations. You notice that: 1. There are huge outbound connections from your Internal Network to External IPs 2. On further investigation, you see that the external IPs are blacklisted 3. Some connections are accepted, and some are dropped 4. You find that it is a CnC communication Which of the following solution will you suggest?

Options

  • ABlock the Blacklist IP's @ Firewall
  • BUpdate the Latest Signatures on your IDS/IPS
  • CClean the Malware which are trying to Communicate with the External Blacklist IP's
  • DBlock the Blacklist IP's @ Firewall as well as Clean the Malware which are trying to Communicate

How the community answered

(55 responses)
  • A
    24% (13)
  • B
    13% (7)
  • C
    7% (4)
  • D
    56% (31)

Why each option

When CnC (Command and Control) communication is detected, both blocking malicious IPs at the firewall and removing the malware are required for complete remediation.

ABlock the Blacklist IP's @ Firewall

Blocking IPs at the firewall only controls network-level communication but leaves the malware running on internal hosts, which can discover new C2 endpoints or cause further internal damage.

BUpdate the Latest Signatures on your IDS/IPS

Updating IDS/IPS signatures improves future detection capability but does not remove existing malware from infected systems or block current outbound connections to blacklisted IPs.

CClean the Malware which are trying to Communicate with the External Blacklist IP's

Cleaning the malware removes the threat from endpoints but does not immediately cut the network channel - and if cleanup fails or takes time, outbound connections continue without a firewall rule in place.

DBlock the Blacklist IP's @ Firewall as well as Clean the Malware which are trying to CommunicateCorrect

Blocking blacklisted IPs at the firewall stops ongoing outbound CnC communication at the network perimeter, but the malware remains active on internal hosts and can pivot to new C2 endpoints or cause additional damage. Cleaning the malware eliminates the root cause on the infected endpoints. Only combining both actions fully contains and remediates the incident.

Concept tested: CnC malware incident response and dual-layer remediation

Source: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-83r1.pdf

Topics

#command and control#botnet#malware remediation#firewall rules

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice