Which four mechanisms can be used in this strategy?

A customer is developing a strategy to deal with WannaCry ransomware as well as possible future variants that defeat sandboxing attempts and mask their presence if they determine that they are being analyzed. Which four mechanisms can be used in this strategy? (Choose 4)
A. Employ a DNS forwarder that responds to unknown domain names with a reachable IP (a honeypot that can mimic sandboxing containment responses and alert when a possible threat is detected).
B. Apply route maps at the access layer that prevent all RPC and SMB communication through the network.
C. Ensure that the standard desktop image used in the organization is an actively supported operating system to which security patches are promptly applied.
D. Run antimalware software on user endpoints and servers, and ensure regular signature updates.
E. Ensure that vulnerable services used for propagation of malware, such as SMB, are blocked on facing segments.
F. Employ URL/DNS inspection mechanisms that black hole the request. This action prevents malware from communicating with unknown domains and thus prevents the WannaCry malware from becoming active.
G. Apply ACLs at the access layer that prevent all RPC and SMB communication throughout the network.


3 thoughts on “Which four mechanisms can be used in this strategy?”

  1. A would be a cumbersome solution, as not many users/customers can deal with a honeypot server unless you are a security research lab.
    B is not a viable solution, as route maps are limited to strict and constant values. They cannot self-adapt to new changes; you will need to keep creating and adding more statements/conditions to the route maps. This solution will also degrade the CPU performance of your L3 switch or router.

    So I think D, F, G, H are the right answers.

    D. Run antimalware software on user endpoints and servers, and ensure regular signature updates.
    E. Ensure that vulnerable services used for propagation of malware, such as SMB, are blocked on facing segments.
    F. Employ URL/DNS inspection mechanisms that black hole the request. This action prevents malware from communicating with unknown domains and thus prevents the WannaCry malware from becoming active.
    G. Apply ACLs at the access layer that prevent all RPC and SMB communication throughout the network.

  2. ACDE

    https://blog.talosintelligence.com/2017/05/wannacry.html

    Mitigation and Prevention
    In accordance with known best practices, any organization that has SMB publicly accessible via the internet (ports 139, 445) should immediately block inbound traffic.
    Ensure your organization is running an actively supported operating system that receives security updates.
    Run anti-malware software on your system and ensure you regularly receive malware signature updates.
    Malware Analysis
    An initial file “mssecsvc.exe” drops and executes “tasksche.exe”; this exe tests the kill switch domains. The above subroutine attempts an HTTP GET to this domain, and if it fails, continues to carry out the infection. However, if it succeeds, the subroutine exits. The domain is registered to a well-known sinkhole, effectively causing this sample to terminate its malicious activity.
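The kill-switch behaviour quoted above is what separates option A from option F. The following simulation is an added example, not code from the question, the commenters or Talos: it models a resolver under three policies (normal Internet egress, option A's honeypot answering unknown names, option F's black hole) and runs two constructed sample behaviours against it, the WannaCry kill switch exactly as Talos describes it, and an assumed sandbox-aware variant that probes a random name and goes dormant if the name resolves. The domain, the IP addresses, the assumption that every resolved host answers HTTP, and the random-name evasion heuristic are all placeholders chosen for the example; no real traffic is sent.

```python
"""
Constructed simulation (added example, not the page's own material) of how
the DNS options in the question interact with a kill-switch check.

Two sample behaviours are modelled:
  - the WannaCry kill switch as the Talos write-up describes it: an HTTP GET
    to the kill-switch domain; GET fails -> infect, GET succeeds -> exit;
  - an ASSUMED "sandbox-aware" variant that looks up a random, non-existent
    name and goes dormant if it resolves, treating that as a sign of an
    analysis sandbox that answers every lookup.
No real network traffic is generated; domains and IPs are placeholders.
"""
from dataclasses import dataclass
import random
import string
from typing import Optional

KILL_SWITCH_DOMAIN = "killswitch.example"   # placeholder, not the real domain
PUBLIC_SINKHOLE_IP = "203.0.113.10"          # TEST-NET-3 documentation address
HONEYPOT_IP = "192.0.2.53"                   # TEST-NET-1 documentation address


@dataclass(frozen=True)
class Resolver:
    """What the enterprise DNS/URL layer does with a lookup.

    mode:
      "normal"    - names registered on the Internet resolve; others NXDOMAIN
      "honeypot"  - option A: unknown names get a reachable honeypot IP
      "blackhole" - option F: anything not explicitly allowlisted is dropped
    """
    label: str
    mode: str
    registered: frozenset = frozenset()   # names that exist on the public Internet
    allowlist: frozenset = frozenset()    # names option F lets through

    def resolve(self, name: str) -> Optional[str]:
        if self.mode == "blackhole":
            if name in self.allowlist and name in self.registered:
                return PUBLIC_SINKHOLE_IP
            return None                      # request black-holed
        if name in self.registered:
            return PUBLIC_SINKHOLE_IP
        return HONEYPOT_IP if self.mode == "honeypot" else None


def http_get_succeeds(resolver: Resolver, name: str) -> bool:
    """Assumption: every host a name resolves to answers HTTP, so the GET
    succeeds exactly when the lookup returns an address."""
    return resolver.resolve(name) is not None


def kill_switch_proceeds(resolver: Resolver) -> bool:
    """Talos description: GET fails -> continue infection; succeeds -> exit."""
    return not http_get_succeeds(resolver, KILL_SWITCH_DOMAIN)


def sandbox_probe_proceeds(resolver: Resolver, rng: random.Random) -> bool:
    """Assumed evasion heuristic: a random label that should never resolve.
    If it does, the sample assumes it is being analysed and stays dormant."""
    probe = "".join(rng.choices(string.ascii_lowercase, k=20)) + ".example"
    return not http_get_succeeds(resolver, probe)


def evaluate(resolver: Resolver, seed: int = 1) -> dict:
    """True means the sample goes on to infect under this resolver policy."""
    rng = random.Random(seed)
    return {
        "wannacry_active": kill_switch_proceeds(resolver),
        "sandbox_aware_variant_active": sandbox_probe_proceeds(resolver, rng),
    }


# Constructed scenarios covering the policies discussed in the question.
SCENARIOS = [
    Resolver("internet egress, kill-switch domain sinkholed", "normal",
             registered=frozenset({KILL_SWITCH_DOMAIN})),
    Resolver("isolated segment, no Internet egress", "normal"),
    Resolver("option A: honeypot answers unknown names", "honeypot",
             registered=frozenset({KILL_SWITCH_DOMAIN})),
    Resolver("option F: black-hole unknown names", "blackhole",
             registered=frozenset({KILL_SWITCH_DOMAIN}),
             allowlist=frozenset({"update.example"})),
]

if __name__ == "__main__":
    for r in SCENARIOS:
        print(f"{r.label:48s} {evaluate(r)}")
```

Run as a script, the table shows the point the second commenter's Talos quote makes: under option F the kill-switch GET fails, so the original sample proceeds to infect, and the black hole does nothing against the random-name probe either; under option A both the kill switch and the assumed sandbox probe get an answer, so both samples stand down, which is the "mimic sandboxing containment responses" behaviour option A describes.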
