CompTIA Security+ (SY0-501) — Question 592

During an incident, a company's CIRT determines it is necessary to observe the continued network-based transactions between a callback domain and the malware running on an enterprise PC. Which of the following techniques would be BEST to enable this activity while reducing the risk of lateral spread and the risk that the adversary would notice any changes?

Answer options

• A. Physically move the PC to a separate Internet point of presence.
• B. Create and apply microsegmentation rules.
• C. Emulate the malware in a heavily monitored DMZ segment.
• D. Apply network blacklisting rules for the adversary domain.

Correct answer: B, A

Explanation

The correct answer is B because microsegmentation allows for isolating parts of the network, which helps limit the risk of lateral movement and keeps the adversary unaware. Option A is less effective as physically moving the PC does not address the network monitoring requirement. Option C could be useful but does not provide the same level of protection against lateral spread. Option D focuses on blocking access, which does not facilitate necessary monitoring of the transactions.