CompTIA SecurityX (CAS-005) — Question 98
A company recently experienced an incident in which an advanced threat actor was able to shim malicious code against the hardware stack of a domain controller. The forensic team cryptographically validated that neither the underlying firmware of the box nor the operating system had been compromised. However, the attacker was able to exfiltrate information from the server using a steganographic technique within LDAP. Which of the following is the best way to reduce the risk of recurrence?
Answer options
- A. Enforcing allow lists for authorized network ports and protocols
- B. Measuring and attesting to the entire boot chain
- C. Rolling the cryptographic keys used for hardware security modules
- D. Using code signing to verify the source of OS updates
Correct answer: A
Explanation
Implementing allow lists for authorized network ports and protocols is the best way to mitigate the risk of future incidents, because it restricts network traffic to only known, authorized communications. The other options, while useful, do not directly address the method of exfiltration used by the attacker, which was LDAP, a network protocol: firmware and the OS were already validated as uncompromised, so boot-chain attestation, HSM key rotation and code-signed OS updates would not have blocked this channel. Therefore, without controlling the allowed ports and protocols, the risk of similar attacks remains high.