CompTIA Security+ (SY0-501) — Question 467
An organization identifies a number of hosts making outbound connections to a known malicious IP over port TCP 80. The organization wants to identify the data being transmitted and prevent future connections to this IP.
Which of the following should the organization do to achieve this outcome?
Answer options
- A. Use a protocol analyzer to reconstruct the data and implement a web-proxy.
- B. Deploy a web-proxy and then blacklist the IP on the firewall.
- C. Deploy a web-proxy and implement IPS at the network edge.
- D. Use a protocol analyzer to reconstruct the data and blacklist the IP on the firewall.
Correct answer: D
Explanation
The correct answer is D because using a protocol analyzer allows the organization to capture, reconstruct and examine the data being transmitted, while blacklisting the IP on the firewall prevents any future connections to it. Option A pairs the analysis with a web proxy rather than a firewall block, so it lacks the blocking action; B never examines the transmitted data; and C likewise does not address data reconstruction.