GCIH · Question #718
An attacker has penetrated a network and is moving into the stage of pivoting throughout the network. Which defense mitigates this stage of the attack?
The correct answer is B. Creating two network interfaces for machines that require access to internal and external. Network segmentation using dual-homed machines with controlled interfaces limits lateral movement by containing an attacker within a single network segment.
Question
An attacker has penetrated a network and is moving into the stage of pivoting throughout the network. Which defense mitigates this stage of the attack?
Options
- ASetting unique password for each computer's local administrator
- BCreating two network interfaces for machines that require access to internal and external
- CAlerting on Internet traffic sent to ports commonly used by attack tools
- DPrioritizing patching for public facing servers and web services
How the community answered
(24 responses)- A4% (1)
- B58% (14)
- C25% (6)
- D13% (3)
Why each option
Network segmentation using dual-homed machines with controlled interfaces limits lateral movement by containing an attacker within a single network segment.
Unique local administrator passwords (as implemented by LAPS) mitigate pass-the-hash and credential reuse attacks but do not create network-level barriers that block pivoting.
Placing machines that require both internal and external access on two separate network interfaces - with strict firewall rules governing inter-segment traffic - creates enforced boundaries that prevent an attacker from freely traversing the network. This segmentation means that compromising one segment does not automatically grant access to adjacent segments. It directly disrupts the pivoting phase by requiring the attacker to overcome additional controls at each network boundary.
Alerting on suspicious port traffic is a detection control that may trigger a response after pivoting has begun, not a preventive measure that stops the movement itself.
Prioritizing patches on public-facing servers reduces the initial attack surface but does nothing to impede lateral movement once an attacker is already inside the network.
Concept tested: Network segmentation preventing lateral movement and pivoting
Source: https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C.pdf
Topics
Community Discussion
No community discussion yet for this question.