During an investigation, a security analyst determines suspicious activity occurred during the night shift over the weekend.
Further investigation reveals the activity was initiated from an internal IP going to an external website.
Which of the following would be the MOST appropriate recommendation to prevent the activity from happening in the future?
A. An IPS signature modification for the specific IP addresses
B. An IDS signature modification for the specific IP addresses
C. A firewall rule that will block port 80 traffic
D. A firewall rule that will block traffic from the specific IP addresses

Correct answer: D
In the scenario, the analyst has determined that suspicious activity occurred during the night shift over the weekend and that it was initiated from an internal IP address connecting to an external website. To prevent a recurrence, the most appropriate recommendation is a control that actually blocks that activity rather than one that only detects it.
Option A suggests an IPS (Intrusion Prevention System) signature modification for the specific IP addresses. An IPS uses known patterns of malicious behavior to identify and block potential threats. However, modifying IPS signatures for specific IP addresses is not the best solution, since the threat could use a different IP address, making the attack harder to identify.
Option B suggests an IDS (Intrusion Detection System) signature modification for the specific IP addresses. An IDS monitors network traffic for potential security breaches and alerts the security team when it detects malicious activity, but it does not block traffic on its own. As with Option A, modifying IDS signatures for specific IP addresses may not stop the attacker from using a different IP address in future attacks.
Option C suggests a firewall rule that will block port 80 traffic. Port 80 is commonly used for HTTP traffic, and blocking it would prevent users from accessing any website that uses this port. However, this may not be a viable option for all organizations, as some websites may need to be accessed for legitimate business purposes.
Option D suggests a firewall rule that will block traffic from the specific IP addresses. This option is the most appropriate recommendation as it will prevent the attacker from accessing external websites from the specific IP address. It is important to note that the IP address could change, so continuous monitoring is needed to ensure that the IP address is still being blocked.
In conclusion, the most appropriate recommendation to prevent the suspicious activity from happening in the future would be to implement a firewall rule that blocks traffic from the specific IP address.
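The following is an added example, not part of the original question or explanation: it scans constructed firewall log lines for internal hosts that reached external addresses during the weekend night shift and emits a per-source block rule (option D) instead of a blanket port-80 block (option C). The internal ranges, the 22:00 to 06:00 night-shift window and the log format are assumptions.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed private ranges used to classify "internal"; adjust to the organisation's address plan.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NIGHT_START, NIGHT_END = 22, 6  # assumed night-shift window, 22:00 to 06:00

# Constructed sample log in "date time src dst dport" form (not real data);
# 2024-03-16 is a Saturday, 2024-03-17 a Sunday, 2024-03-18 a Monday.
SAMPLE_LOG = """\
2024-03-16 02:14:07 10.10.5.23 203.0.113.45 443
2024-03-16 02:15:11 10.10.5.23 203.0.113.45 443
2024-03-18 10:30:00 10.10.5.40 203.0.113.9 80
2024-03-17 23:50:42 10.10.7.8 198.51.100.77 443
2024-03-16 03:00:00 203.0.113.45 10.10.5.23 443
"""

def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def is_weekend_night(ts):
    """True on Saturday or Sunday when the time falls inside the night-shift window."""
    weekend = ts.weekday() >= 5
    night = ts.hour >= NIGHT_START or ts.hour < NIGHT_END
    return weekend and night

def parse_log(text):
    records = []
    for line in text.splitlines():
        date, time, src, dst, dport = line.split()
        records.append({"ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
                        "src": src, "dst": dst, "dport": int(dport)})
    return records

def find_suspicious_sources(records):
    """Internal sources that connected to external addresses during the weekend night shift."""
    return {r["src"] for r in records
            if is_internal(r["src"]) and not is_internal(r["dst"]) and is_weekend_night(r["ts"])}

def block_rules(sources):
    """One DROP rule per flagged internal source (option D), leaving port 80 open for everyone else."""
    return [f"iptables -A FORWARD -s {ip} -j DROP" for ip in sorted(sources, key=ip_address)]

if __name__ == "__main__":
    for rule in block_rules(find_suspicious_sources(parse_log(SAMPLE_LOG))):
        print(rule)
```

Re-running the scan on new logs is the "continuous monitoring" the explanation calls for: a host that appears under a new address is flagged and blocked by the same logic.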