
CS0-003 Question #111: Real Exam Question with Answer & Explanation

The correct answer is D: Remove rules 1, 2, and 5.

Submitted by anna_se · Mar 6, 2026 · Incident Response and Management

Question

A security analyst is investigating an incident related to an alert from the threat detection platform on a host (10.0.1.25) in a staging environment that could be running a cryptomining tool because it is sending traffic to an IP address that is related to Bitcoin. The network rules for the instance are the following: Which of the following is the BEST way to isolate and triage the host?

Options

  • A. Remove rules 1, 2, and 3.
  • B. Remove rules 1, 2, 4, and 5.
  • C. Remove rules 1, 2, 3, 4, and 5.
  • D. Remove rules 1, 2, and 5.
  • E. Remove rules 1, 4, and 5.
  • F. Remove rules 4 and 5.

Explanation

To best isolate a cryptomining host sending traffic to Bitcoin IPs, while potentially allowing for secure triage, key broad access and specific inbound rules should be removed.

Common mistakes.

  • A. Removing only rules 1, 2, and 3 would primarily affect inbound access and would not stop the outbound cryptomining traffic, since the outbound rule (Rule 4 or Rule 5) would remain in place.
  • B. Removing rules 1, 2, 4, and 5 would provide very strong isolation, but it may be overly aggressive if a specific, controlled channel (such as Rule 3) is desired for triage, which makes it less ideal for the "BEST way to isolate and triage" requirement.
  • C. Removing all rules (1, 2, 3, 4, and 5) would fully isolate the host, but it would also prevent any form of access for triage, which is part of the requirement.
  • E. Removing rules 1, 4, and 5 would leave HTTP (Rule 2) and HTTPS (Rule 3) inbound open, which does not achieve sufficient isolation.
  • F. Removing rules 4 and 5 (assuming they are outbound rules) would stop outbound traffic, but it leaves rules 1, 2, and 3 (inbound) open, which does not fully isolate the host.

Concept tested. Network firewall rules for incident response containment

Topics

#Incident containment · #Network isolation · #Firewall rules · #Cryptomining
