
SY0-501 Question #386: Real Exam Question with Answer & Explanation

The correct answer is D: Use a protocol analyzer to reconstruct the data and blacklist the IP on the firewall.

Submitted by katya_ua · Mar 4, 2026

Question

An organization identifies a number of hosts making outbound connections to a known malicious IP over port TCP 80. The organization wants to identify the data being transmitted and prevent future connections to this IP. Which of the following should the organization do to achieve this outcome?

Options

  • A. Use a protocol analyzer to reconstruct the data and implement a web-proxy.
  • B. Deploy a web-proxy and then blacklist the IP on the firewall.
  • C. Deploy a web-proxy and implement IPS at the network edge.
  • D. Use a protocol analyzer to reconstruct the data and blacklist the IP on the firewall.

Explanation

To identify past data transmitted to a malicious IP and prevent future connections, an organization should use a protocol analyzer for data reconstruction and blacklist the IP on a firewall.

Common mistakes.

  • A. While a protocol analyzer helps with data identification, a web-proxy primarily handles HTTP/HTTPS traffic and is not the most comprehensive or direct method to prevent all future connections to a known malicious IP at the network edge compared to a firewall blacklist.
  • B. Deploying a web-proxy primarily helps prevent future connections and logs some data, but it does not facilitate the reconstruction of previously transmitted data for forensic analysis in the same way a protocol analyzer does.
  • C. Neither a web-proxy nor an Intrusion Prevention System (IPS) is designed to reconstruct data from past connections for forensic analysis, which is a key requirement of the problem statement.

Concept tested. Network forensics and firewall threat containment

Reference. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
