Exam SY0-601
Question 67

An organization has activated an incident response plan due to a malware outbreak on its network. The organization has brought in a forensics team that has identified an internet-facing Windows server as the likely point of initial compromise. The malware family that was detected is known to be distributed by manually logging on to servers and running the malicious code. Which of the following actions would be BEST to prevent reinfection from the infection vector?

    Correct Answer: D

    To prevent reinfection through the identified infection vector, blocking port 3389 inbound from untrusted networks is the key control. Port 3389 is the default port for Remote Desktop Protocol (RDP), which provides interactive remote logon to Windows servers. Since the malware was distributed by manually logging on to servers and executing malicious code, blocking RDP access from untrusted networks prevents unauthorized users from remotely logging on and compromising the server again. This action directly addresses the known method of infection, making it the most appropriate measure against a repeat of the same vector.
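As an added illustration of the control the answer describes (this is not code from the exam page or from any vendor), the following PowerShell scopes the built-in Windows Defender Firewall "Remote Desktop" rules to trusted management networks and then checks that no other enabled rule still opens TCP 3389 to any address. It assumes an elevated PowerShell session on a Windows server with the NetSecurity module (standard on Windows Server); the two address ranges are constructed placeholders for the organization's own trusted networks.

```powershell
# Added example, not from the exam page: restrict inbound RDP (TCP 3389) on a Windows
# server to trusted networks with the Windows Defender Firewall cmdlets.
# Assumptions: elevated PowerShell session on Windows Server; the two ranges below are
# constructed placeholders for the organization's own management networks.

$TrustedNetworks = @('10.20.0.0/16', '192.168.100.0/24')   # constructed placeholder ranges

# Weak setting: the built-in "Remote Desktop" rule group normally allows TCP 3389 from
# any remote address, which is what exposes an internet-facing server's logon surface.
# Show the current scope before changing anything.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Get-NetFirewallAddressFilter |
    Select-Object -Property RemoteAddress

# Hardened setting: keep RDP working for administrators, but only from the trusted
# ranges. Windows Firewall has no "everything except X" address match, so "block
# from untrusted networks" is an allow rule scoped to trusted ranges plus a
# default-deny inbound policy.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $TrustedNetworks

# The scoped allow rule only keeps untrusted sources out if unmatched inbound traffic
# is dropped, so make the default inbound action Block on every profile.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# Check: list every enabled inbound allow rule that opens TCP 3389 together with its
# remote-address scope. Any rule still reporting 'Any' reopens RDP to untrusted
# networks and needs the same scoping (or removal) as the built-in group.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 3389 } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
    ForEach-Object {
        $scope = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
        [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = $scope }
    } |
    Format-Table -AutoSize
```

The same "allow only from trusted ranges, deny by default" shape applies at a perimeter or cloud firewall in front of the server; the host firewall is used here only because it can be applied immediately during the incident. The final query is the part worth keeping as a recurring check, since a later rule that opens 3389 to any address silently undoes the control.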

Discussion
stoneface (Option: D)

The SMB protocol (in all its versions) doesn't provide functionality to execute files on remote systems. Its main objective is to support the sharing of file and print resources between machines. The only feasible option left is logging in through RDP and manually executing the file. Correct me if I am wrong.

varun0

I agree

banditring

you the best stoneface :)

J_Ark1

yeahh :)

Pele9

It cannot be D, since 3389 = RDP, which is not a manual way of logging in... C is a possible answer based on the elimination method.

rodwave (Option: D)

Answer: Block port 3389 inbound from untrusted networks. 3389 is the default port for RDP connections. RDP is the protocol used to connect to Windows desktops/servers remotely. In the scenario, the malware family is known to be distributed through manually logging on to servers, and RDP would require a manual login to access the machine and be able to easily run scripts on the server, especially through a GUI.

section8santa

love you rodwave!

gladtam

You are my hero!

LePecador

OUR hero

addcomptia

Thank you Rodwave

f70d3e0

love u

sujon_london (Option: C)

Following the clue given in the question: the malware family that was detected is known to be distributed by manually logging on to servers and running the malicious code, and reinfection from the initial vector is suspected. In this case the first step should focus on port 445; the reason is that port 445 is used for the Microsoft-DS (Directory Services) protocol, also known as Microsoft-DS SMB (Server Message Block). It facilitates file and printer sharing, as well as communication between Windows computers on a network. Here many of you have chosen RDP-based 3389. That's not the primary action. We should consider printers and other computers on the same network connected to the infected server/computer. That's why I will go for C. Correct me if I'm wrong.

Protract8593 (Option: D)

Blocking port 3389 inbound from untrusted networks is a security measure commonly recommended to protect against potential RDP-based attacks. Here's more information on why option D is the correct choice:

1. Malware Distribution: The question mentions that the malware is distributed by manually logging on to servers and running the malicious code. This indicates that the attackers are gaining access to the server through a legitimate remote access method like RDP.
2. Port 3389: RDP uses port 3389 by default to establish remote connections to Windows servers. By blocking inbound traffic on port 3389 from untrusted networks, you effectively limit the exposure of the server to potential attackers trying to use RDP as a means to gain unauthorized access.
3. Mitigating Unauthorized Access: By blocking inbound RDP traffic from untrusted networks, you are preventing potential attackers from attempting to brute-force or exploit RDP vulnerabilities to gain unauthorized access to the server.

Protract8593

4. Defense-in-Depth Strategy: Implementing network-level controls like blocking port 3389 is part of a defense-in-depth strategy, which involves using multiple layers of security measures to protect systems and data. In this case, it complements other security controls and helps mitigate risks associated with unauthorized remote access.
5. Least Privilege: Limiting access to RDP only from trusted networks or specific IP ranges aligns with the principle of least privilege, which reduces the attack surface and potential impact of security incidents.

In conclusion, blocking inbound traffic on port 3389 from untrusted networks is a recommended security practice to prevent unauthorized access to RDP services and help protect against potential malware infections that rely on manual logins to servers.

Jimbobilly (Option: C)

Curveball: the person was physically in front of the server and logged in.

babyzilla (Option: D)

D makes the most sense, as the best solution to prevent manually logging into a system would be to block RDP. SSH is for Linux. RDP is for Windows. C would probably be the next step.

yasuke (Option: D)

It had to be a Windows server :D Block RDP.

goodmate (Option: D)

Some harsh argument with ChatGPT; here is the answer. My prompt: port 22 is for Unix-based systems, but the question states a Windows Server in the DMZ, so reassess the answer again. ChatGPT: I understand the clarification regarding the Windows Server in the DMZ. Given this specific context, it's important to reassess the answer in light of the Windows environment. Port 22 (SSH) is typically associated with Unix-based systems, not Windows, and may not be the port of concern for manual logins in this case. My previous responses were based on the assumption of Unix-based systems. In a Windows environment, manual logins and remote access are commonly achieved through protocols like RDP (Remote Desktop Protocol) on port 3389. Given the situation with a Windows Server in the DMZ, it is more appropriate to focus on securing access via the RDP protocol and associated port. Therefore, blocking port 3389 inbound from untrusted networks (as mentioned in option D) is the more relevant and effective security measure in this specific scenario.

CyberMrT (Option: A)

I have seen this question in other places and the answer is listed as A. If you think about the question... "prevent reinfection from the initial infection vector"; I am interpreting this to mean the spread AFTER the Windows-facing server is compromised. If you look at it that way, they want to know how you would protect the internal network from further infection. Thoughts?

ronniehaang (Option: D)

D. Block port 3389 inbound from untrusted networks. Blocking port 3389, which is used for Remote Desktop Protocol (RDP), would prevent remote access to the server from untrusted networks, making it less likely for attackers to manually log on to the server and run the malicious code. This would be the best action to prevent reinfection from the initial infection vector.

BD69 (Option: D)

In my experience, no company would have RDP enabled on a web server. They would have port 22 (SSH) open, typically. Though Windows doesn't have SSH built in, it's often installed to allow management w/o a GUI. RDP isn't available in headless mode, either (you can install a GUI-less Windows Server from the installers). Be careful of the OS. Since Windows, by default, has no SSH and has a GUI, answer D is the only one here. The other two answers allow transfer of files, but not execution of them.

Yatoro (Option: C)

I don't get why people choose D as the correct answer. It said it was a malware outbreak on its network. The attacker intentionally ran the malicious code (could be a worm, since it said a malware outbreak) on the Windows server (file-sharing server). And at the end the question states "Which of the following actions would be BEST to prevent reinfection from the infection vector" (the Windows server which is already infected)? C should be the correct answer.

ApplebeesWaiter1122 (Option: C)

Disabling file sharing over port 445 helps to prevent the malware from being manually copied and executed on the server. By closing this file-sharing port, the organization can effectively block the specific method through which the malware was distributed.

Yawannawanka (Option: D)

Based on the information provided, the malware was likely manually installed on the internet-facing Windows server by logging in to the server and running the malicious code. Therefore, the best action to prevent reinfection from this infection vector is to prevent unauthorized access to the server. Option D, "Block port 3389 inbound from untrusted networks," is the best choice to prevent unauthorized access to the server. Port 3389 is used by the Remote Desktop Protocol (RDP), which allows users to log in to the server remotely. By blocking inbound traffic on this port from untrusted networks, the organization can prevent attackers from logging in to the server and manually installing the malware. This control is especially important for internet-facing servers, which are more likely to be targeted by attackers. The other options may be valid controls for other types of attacks or malware, but they do not directly address the infection vector described in this scenario. Therefore, option D is the BEST choice in this scenario.

T_dawg (Option: D)

3389 - RDP; port 22 - SSH, if it were Linux.

GMuney (Option: C)

Can't it be C? If we're looking to prevent reinfection then wouldn't we want to block file sharing so that the malicious code wouldn't end up on the server in the first place?

rindrasakti (Option: D)

Read carefully: "to be distributed by manually logging on to servers and running the malicious code" means using RDP. The simple way to prevent this is by blocking the RDP port.