CompTIA CySA+ (CS0-002) — Question 170
A new variant of malware is spreading on the company network using TCP/443 to contact its command-and-control server. The domain name used for callback continues to change, and the analyst is unable to predict future domain name variance. Which of the following actions should the analyst take to stop malicious communications with the LEAST disruption to service?
Answer options
- A. Implement a sinkhole with a high entropy level.
- B. Disable TCP/53 at the perimeter firewall.
- C. Block TCP/443 at the edge router.
- D. Configure the DNS forwarders to use recursion.
Correct answer: A
Explanation
Implementing a sinkhole with a high entropy level allows the analyst to redirect malicious traffic without disrupting legitimate services: the constantly changing callback domains are algorithmically generated and therefore have unusually high entropy, so a sinkhole that resolves such domains to a controlled address intercepts the malware's command-and-control traffic while leaving normal name resolution and HTTPS traffic untouched. Disabling TCP/53 would hinder DNS resolution, affecting all domain name lookups, while blocking TCP/443 would disrupt all HTTPS traffic, including valid communications. Configuring DNS forwarders for recursion does not directly address the malware's callback mechanism.