A security analyst is responding to a malware incident at a company. The malware connects to a command-and-control server on the internet in order to function. Which of the following should the security analyst implement first?
In the context of responding to a malware incident, the first step should be containment. Network segmentation acts as a containment method by isolating affected parts of the network to prevent the malware from spreading further or communicating with its command-and-control server. This containment allows for better control and analysis of the affected systems before taking additional steps such as implementing IP-based firewall rules or other longer-term solutions.
The question explained that it is connecting to a command and control. If the question was asking how you would stop the spread on the network, it'd be A, but since the emphasis was on the command and control, it's B.
After an incident is identified, containment is the first step. CompTIA defines containment as either isolation-based or segmentation-based: Isolation-based containment is "making sure that there is no longer an interface between the affected component and your production network or the Internet." (Section 17C). Segmentation-based containment is specifically mentioned as being a tactic against an established C&C channel. "As opposed to completely isolating the hosts, you might configure the protected segment as a sinkhole or honeynet and allow the attacker to continue to receive filtered (and possibly modified) output over the C&C channel to deceive him or her into thinking the attack is progressing successfully." (Section 17C). I don't believe any of the answer choices besides Network Segmentation (A) allows for containment of the incident. IP-based firewall rules and content filters are undoubtedly configuration changes to be implemented to prevent future/ongoing communication, but they would not take priority over containment.
I have to agree with you. The incident response plan says preparation, identification, containment, eradication, lessons learned -- thus network segmentation is under containment and the IP firewall rules would fall after that -- in the eradication of future instances.
B - You can verify in Professor Messer's class on bots. The link is below along with the last sentence: "You can often identify an active infection by scanning an on-demand anti-malware scan and watching the network for any unusual traffic patterns. And if you know the type of network flows that will be used for the command and control, you can block that at the firewall or with an IPS or firewall at the workstation level." https://www.professormesser.com/security-plus/sy0-601/sy0-601-video/bots-and-botnets-2/
If we follow the Incident Response Process:
1) Preparation - hardening
2) Identification - detection
3) Containment :)
4) Eradication
5) Recovery
6) Lessons Learned
Performing containment involves isolating or segregating the affected servers and resources to prevent further unauthorized access or data exfiltration. This can be done by disconnecting the compromised systems from the network, disabling their access to sensitive data or critical resources, or implementing network segmentation to isolate the affected parts of the infrastructure.
Adding an IP-based firewall rule is a lot quicker than looking at the network structure to modify it. B: first you add a quick firewall rule to block the malicious command and control IP, then you make network segmentation changes for future proofing.
Network segmentation IS NOT the same as containment OR isolation. It isn't a defense tactic, it's a network architecture setup for a performance boost amongst other things, but it isn't isolation from the rest of the network.
B is better
Implementing IP-based firewall rules can immediately help block traffic to and from known malicious IP addresses associated with the command-and-control servers. This action effectively cuts off the malware's ability to receive commands or exfiltrate data, thus containing the infection.
The most effective and immediate action to take in this scenario is B. IP-based firewall rules. By quickly implementing firewall rules to block the known IP addresses of the C&C server, the security analyst can effectively stop the malware from communicating with its external controllers, thus mitigating the threat. This action directly addresses the most urgent need: stopping the malware's active threat to the network.
Containment comes first. Then you deal with blocking the IPs, etc.
Block malicious IP first
A. Network segmentation
In the context of CompTIA, "segment" and "containment" might refer to different concepts. "Segment" could relate to dividing networks for security or organizational purposes, while "containment" often refers to isolating threats within a network to prevent their spread. They're related but not necessarily synonymous. Yes, from ChatGPT.. but we're confusing segmentation and containment I think. Segmentation, containment and isolation all have different meanings when referring to CompTIA.. confusing I know.
Also see Q661 and 677. It takes more time to create new IP firewall rules that should be done after containment. Or eradication.
In order to stop the attack you first need to B, implement firewall rules. After that you can A, segment the network to make it even harder to access command and control.
what this guy said: Mizzcoors
Set up a DNS sinkhole by setting IP-based firewall rules to locate the infected machines.
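The two steps the thread keeps circling (block the known C2 address at the perimeter, then use the hits to find which internal hosts are beaconing and need containment) as a small worked example. This is added illustration, not code from any commenter or from CompTIA; the C2 address, the flow-record format and the flow lines are all constructed placeholders, and the emitted rules assume a Linux gateway using iptables on the FORWARD chain.

```python
import ipaddress
from collections import defaultdict

# Constructed placeholder C2 address (TEST-NET-3 documentation range).
# In a real incident this comes from malware analysis or threat intel.
KNOWN_C2 = {"203.0.113.45"}

# Constructed sample flow records: "<timestamp> <src_ip> <dst_ip> <dst_port> <proto>"
SAMPLE_FLOWS = """\
2024-01-01T10:00:01 10.0.5.17 203.0.113.45 443 tcp
2024-01-01T10:00:02 10.0.5.17 93.184.216.34 443 tcp
2024-01-01T10:00:05 10.0.7.3 203.0.113.45 8443 tcp
2024-01-01T10:00:09 10.0.5.22 198.51.100.8 53 udp
2024-01-01T10:01:30 10.0.7.3 203.0.113.45 8443 tcp
not a valid flow line
"""

def parse_flows(text):
    """Parse the constructed flow format; malformed lines are skipped, not fatal."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, proto = parts
        try:
            flows.append({"ts": ts, "src": ipaddress.ip_address(src),
                          "dst": ipaddress.ip_address(dst),
                          "port": int(port), "proto": proto})
        except ValueError:
            continue  # unparsable address or port
    return flows

def find_beaconing_hosts(flows, c2_ips):
    """Map each internal host that contacted a known C2 IP to its contact count.
    These hosts are the containment candidates (isolate / segment them)."""
    c2 = {ipaddress.ip_address(ip) for ip in c2_ips}
    hits = defaultdict(int)
    for f in flows:
        if f["dst"] in c2:
            hits[str(f["src"])] += 1
    return dict(hits)

def block_rules(c2_ips):
    """Emit a LOG rule followed by a DROP rule per C2 IP for a Linux gateway.
    Logging before dropping is what lets you keep locating infected hosts
    after the block is in place."""
    rules = []
    for ip in sorted(c2_ips):
        rules.append(f'iptables -A FORWARD -d {ip} -j LOG --log-prefix "C2-BLOCK "')
        rules.append(f"iptables -A FORWARD -d {ip} -j DROP")
    return rules
```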