Exam CS0-002
Question 267

During an investigation, a security analyst determines suspicious activity occurred during the night shift over the weekend. Further investigation reveals the activity was initiated from an internal IP going to an external website. Which of the following would be the MOST appropriate recommendation to prevent similar activity from happening in the future?

Correct Answer: A

The most appropriate recommendation is an IPS signature modification for the specific IP addresses involved in the suspicious activity. An Intrusion Prevention System (IPS) can actively block traffic based on custom rules and signatures, effectively preventing malicious traffic from both entering and leaving the network. This solution directly addresses the issue by preventing known malicious IP addresses from initiating connections, without disrupting legitimate traffic, as blocking port 80 traffic would. A WAF is designed to protect web servers from incoming threats, not to prevent internal users from accessing external websites.
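The trade-off the answer explanation draws (an IP-scoped IPS block stops the flagged host without collateral damage, a blanket port 80 block breaks legitimate HTTP, an inbound-facing WAF never sees outbound flows) is easy to see on a handful of flow records. The block below is an added example written for this page; it is not from the question bank or from any commenter. Everything in it is constructed: the 10.0.0.0/8 internal range, the flagged external host 203.0.113.10 (a documentation address), the four sample flows, and the reading of "night shift over the weekend" as Saturday/Sunday 22:00 to 06:00. The rule string it emits follows Suricata's `drop ... (msg; sid; rev;)` syntax as an illustration of what an IPS signature scoped to one destination looks like.

```python
"""Toy model of the controls discussed for CS0-002 question 267.

Added example, not the page's own content. All hosts, times and flows
below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")                 # assumed internal range
FLAGGED_EXTERNAL = {ip_address("203.0.113.10")}     # assumed host from the investigation


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int


# Constructed flow records: two off-hours hits on the flagged host, one
# weekday business-hours visit to an ordinary site, one weekend job to a
# third host that is legitimate but also falls in the off-hours window.
FLOWS = [
    Flow(datetime(2024, 3, 2, 23, 15), "10.1.4.22", "203.0.113.10", 80),    # Sat night
    Flow(datetime(2024, 3, 3, 2, 40),  "10.1.4.22", "203.0.113.10", 443),   # Sun early
    Flow(datetime(2024, 3, 4, 10, 5),  "10.1.7.9",  "198.51.100.20", 80),   # Mon morning
    Flow(datetime(2024, 3, 2, 23, 30), "10.2.0.5",  "192.0.2.50", 443),     # Sat night
]


def is_off_hours(ts: datetime) -> bool:
    """Weekend (Sat=5, Sun=6) and between 22:00 and 06:00 (assumed window)."""
    return ts.weekday() >= 5 and (ts.hour >= 22 or ts.hour < 6)


def off_hours_outbound(flows=FLOWS):
    """Investigation step: internal -> external flows in the off-hours window.

    Returns candidates for the analyst to review; time-of-day alone is noisy
    (the weekend job to 192.0.2.50 is caught too), so the actual finding is
    narrowed to the destination host, not just the hour.
    """
    return [f for f in flows
            if ip_address(f.src) in INTERNAL
            and ip_address(f.dst) not in INTERNAL
            and is_off_hours(f.ts)]


# Each control returns True when it would drop the flow.

def ips_ip_block(flow: Flow) -> bool:
    """Option A: IPS signature scoped to the flagged external address."""
    return ip_address(flow.dst) in FLAGGED_EXTERNAL


def port80_block(flow: Flow) -> bool:
    """Option C: firewall rule dropping all outbound TCP/80."""
    return flow.dport == 80


def waf_inbound_only(flow: Flow) -> bool:
    """Option D as the answer explanation reads it: a WAF in front of our own
    web servers only inspects traffic destined to them, so outbound flows
    never pass through it."""
    return ip_address(flow.dst) in INTERNAL


def evaluate(control, flows=FLOWS):
    """Return (blocked_flagged, blocked_other): flows to the flagged host the
    control stops, and other flows it stops as collateral."""
    blocked_flagged = blocked_other = 0
    for f in flows:
        if not control(f):
            continue
        if ip_address(f.dst) in FLAGGED_EXTERNAL:
            blocked_flagged += 1
        else:
            blocked_other += 1
    return blocked_flagged, blocked_other


def suricata_drop_rule(dst_ip: str, sid: int = 1000001) -> str:
    """Illustrative Suricata-format drop rule for option A. The sid is in the
    conventional local range; the msg text is constructed."""
    return (f'drop ip $HOME_NET any -> {dst_ip} any '
            f'(msg:"Outbound to host flagged in weekend investigation"; '
            f'sid:{sid}; rev:1;)')


if __name__ == "__main__":
    for f in off_hours_outbound():
        print("candidate:", f.ts, f.src, "->", f.dst, f.dport)
    for name, ctl in [("A IPS ip-block", ips_ip_block),
                      ("C port-80 block", port80_block),
                      ("D inbound WAF", waf_inbound_only)]:
        print(name, "blocked flagged/other =", evaluate(ctl))
    print(suricata_drop_rule("203.0.113.10"))
```

Running it shows option A stopping both flows to the flagged host with no collateral, option C stopping only one of them (the HTTPS flow passes) while also breaking an unrelated port 80 session, and the inbound WAF stopping nothing. The detection function also makes the discussion's caveat concrete: an off-hours filter alone flags the legitimate weekend job, which is why the recommendation keys on the destination rather than on the time window.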

Discussion
rmwilsn (Option: B)

How can anyone say A? We have suspicious activity... no confirmed signature. What are we going to change in the IPS?

knister (Option: A)

The correct answer I am going with here is the IPS. A WAF does not protect you from users accessing content; that is rather what a web proxy does. By including the IP in the blocklist of an IPS, no user will be able to reach the external IP.

2Fish

Agree. IPS is the best answer here. I do not see how a WAF would protect a device making outbound web connections.

2Fish

More discussions and WAF not included here. https://www.examtopics.com/discussions/comptia/view/44263-exam-cs0-002-topic-1-question-17-discussion/

gnnggnnggnng (Option: D)

D. Implement a WAF to restrict malicious web content. A Web Application Firewall (WAF) can provide an additional layer of security for websites by analyzing incoming web traffic for potential threats and blocking malicious content before it reaches the website. By implementing a WAF, the security analyst can reduce the risk of similar activities from happening in the future by restricting malicious web content and helping to prevent data breaches.

talosDevbot

Can't be B; you use a WAF to protect your web server. A proxy is the best tool to restrict malicious web content. But since that's not an option in this question, the next best answer is an IPS.

talosDevbot

Can't be D*

2Fish

That is what I'm thinking. https://www.paloaltonetworks.com/cyberpedia/what-is-a-web-application-firewall. Example: Outbound protection is about preventing enterprise and customer data from leaking. Although accurate parsing of outbound data is challenging in the real world, proxy-based, inline WAFs can intercept outbound data and mask or block sensitive data from leaking either through accidental or malicious means.

kiduuu

Incoming, not outgoing... It says: Further investigation reveals the activity was initiated from an internal IP going to an external website.

skibby16 (Option: B)

To prevent similar activity from happening in the future, the most appropriate recommendation is to modify the IDS signature to specifically target the IP addresses involved in the suspicious activity. Modifying the IDS signature allows the security team to create custom rules that are tailored to the specific behavior or patterns observed in the incident. By doing so, the IDS can be configured to trigger alerts or block traffic from those IP addresses if similar activity is detected in the future.

justauser (Option: D)

GPT-4 calibrated to CS0-002 and community votes: Implementing a Web Application Firewall (WAF) to restrict malicious web content (D) would be the most appropriate recommendation to prevent similar activity in the future. A WAF can provide a tailored protection for web applications, blocking traffic based on specific criteria such as traffic patterns or IP reputation. [An IPS or IDS signature modification for specific IP addresses (A and B) could help, but these measures wouldn't necessarily prevent suspicious activity originating from other IPs. Blocking port 80 traffic (C) would disrupt all HTTP traffic, not just the suspicious activity.]

Dany_Suarez (Option: D)

CompTIA guide says: A web application firewall (WAF) is an application-layer security control that can apply a set of rules to HTTP traffic. Where a stateful packet filtering firewall can apply rules to IP and TCP/UDP layer information, a WAF can parse response and request headers and the HTML message body in HTTP packets and apply detection and filtering rules to the contents. These rules address web-based exploits and vulnerabilities, like SQL injection attacks and cross-site scripting (XSS) attacks. Traffic that matches a suspicious or unwanted signature will typically be logged with the source and destination addresses, why the traffic triggered an alert (what known suspicious behavior it matched), and what action was taken (based on the configured rule). The actual composition of the log will differ between WAF vendors. WAFs can be configured to record extensive log information, which can be tricky to handle in a standard log format such as W3C.

zecomeia_007 (Option: A)

A WAF is not a web proxy filter.

Sleezyglizzy (Option: D)

D. I would have chosen A, but D makes more sense in this one.

karpal (Option: A)

I choose A in this specific scenario. B (IDS) does only detection and not blocking/prevention. C (firewall rule on port 80) will block all HTTP traffic. D (WAF) is for protection of servers and NOT end stations or users; it makes no sense to use a WAF here. In https://www.examtopics.com/discussions/comptia/view/44263-exam-cs0-002-topic-1-question-17-discussion/ there is an option <<D. A firewall rule that will block traffic from the specific IP addresses>>. I would go with that if it were in the exam.

Sleezyglizzy

A was not right in the older discussion, and it would not be correct in this one either. Answer is D

kiduuu (Option: A)

An IPS will block it... It is not ideal, and may not be effective in preventing future attacks, as the attacker could change their tactics or use different IP addresses. In this context it is the only purely logical one. Implementing a WAF to restrict malicious web content is not applicable to this scenario, as the suspicious activity was initiated from an internal IP going to an external website, rather than from an external website going to an internal resource that can be protected by a WAF.

Rramstick (Option: C)

I think it's C. Traffic is outgoing. We have no control over the website's WAF, as it's the destination.

2Fish

However, we would not want to block port 80 traffic. This would most likely affect more than just that one device.

2Fish

After more research. D (WAF) can do this, even egress traffic.

db97 (Option: D)

Agree with D