Exam CS0-002
Question 32

Following a recent security breach, a company decides to investigate account usage to ensure privileged accounts are only being utilized during typical business hours. During the investigation, a security analyst determines an account was consistently utilized in the middle of the night. Which of the following actions should the analyst take NEXT?

    Correct Answer: B

    After discovering that a privileged account has been consistently used in the middle of the night, the most appropriate next step is to initiate the incident response plan. This is a critical security procedure designed to handle potential breaches and threats. Reviewing the activity with the user directly may alert a potential insider threat and can result in tampering with evidence or other adverse actions. Thus, involving the incident response team ensures a systematic approach to identifying the root cause and mitigating any risks effectively.
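As a worked example of the detection step the question describes (added here; not part of the exam or this thread), the following Python script flags privileged accounts whose successful logons fall outside business hours on several distinct nights, which is the "consistent" pattern the analyst noticed. The log format, the privileged-account list and the 08:00-18:00 window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed sample authentication events (not from the page):
# ISO timestamp, account name, event type.
SAMPLE_EVENTS = """\
2024-03-04T02:13:07 svc_backup_admin LOGON_SUCCESS
2024-03-04T09:02:11 alice LOGON_SUCCESS
2024-03-05T02:15:44 svc_backup_admin LOGON_SUCCESS
2024-03-05T23:40:02 bob_admin LOGON_SUCCESS
2024-03-06T02:14:09 svc_backup_admin LOGON_SUCCESS
2024-03-06T14:20:00 bob_admin LOGON_SUCCESS
2024-03-07T02:16:31 svc_backup_admin LOGON_SUCCESS
2024-03-07T10:05:18 alice LOGON_SUCCESS
"""

# Assumed privileged-account inventory; in practice this comes from the directory or PAM tool.
PRIVILEGED = {"svc_backup_admin", "bob_admin"}

# Assumed typical business hours (local time).
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+LOGON_SUCCESS$")


def parse_events(text):
    """Yield (timestamp, account) for each successful logon line; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2)


def is_off_hours(ts):
    """True when the timestamp falls outside the business-hours window."""
    t = ts.time()
    return t < BUSINESS_START or t >= BUSINESS_END


def find_consistent_off_hours_use(text, min_nights=3):
    """Return {account: sorted dates} for privileged accounts with off-hours logons
    on at least `min_nights` distinct dates. Counting distinct dates rather than raw
    events separates a one-off late login from a recurring pattern."""
    nights = defaultdict(set)
    for ts, account in parse_events(text):
        if account in PRIVILEGED and is_off_hours(ts):
            nights[account].add(ts.date().isoformat())
    return {a: sorted(d) for a, d in nights.items() if len(d) >= min_nights}


if __name__ == "__main__":
    for account, dates in find_consistent_off_hours_use(SAMPLE_EVENTS).items():
        print(f"{account}: off-hours logons on {len(dates)} nights ({', '.join(dates)})")
```

With the constructed data only svc_backup_admin is reported; bob_admin's single late logon stays below the threshold, which is the kind of finding that would then be handed to the incident response process rather than acted on by the analyst alone.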

Discussion
JayMus Option: B

I think initiating an IR plan will be the best, because the employee might be an insider threat or maybe he might be using it for other reasons. Approaching him without first knowing his intent will be a bad idea.

mmm55555

I'm going to have to agree with B - initiate IR plan. The threat of an insider makes me think answer D is not a good idea. Yes, the activity may be legitimate, but it can also be nefarious. Better to over-react than under-react and tip off an insider about an investigation.

mhop321

Totally agree that they might be an insider threat, so it wouldn't be D. However, it states there has been a security breach, so I assume the IR plan has already been initiated, as there is an ongoing investigation?

Joshey

So I'll go with B

2Fish

Agree. Following a breach, meaning post-breach, where that incident is likely over. Then the company decides to monitor off-hour logins. It discovers a pattern; what happens next? We initiate the IR plan, as this event has kicked off a new investigation. Through the IR process we will find out whether it is or is not related to the previous breach.

forklord72 Option: A

Read the question everyone. There’s been a security breach, there’s already an ongoing investigation, the only correct option is A. The activity is being conducted during non-business hours, that alone is a policy violation. Not D. Not B either because there’s already an ongoing investigation. The next step is to contain.

White_T_10

I agree. A it is

NickDrops

Midnight patches and upgrades are a thing. Hopefully, they have an incident response plan for such occasions. I'd hope that one of the 1st steps in that plan would be to check change controls that were planned.

NickDrops

Please disregard my last reply. The question said that it was consistent. No one is patching every night. Could be a service running under a user account instead of a service account, like it should.

Chilaqui1es Option: D

I spent too much time reviewing this question, but hear me out.... It sounds like D is the answer. It's a trickily worded question. "FOLLOWING a recent security breach (it doesn't say during) ...a company decides to INVESTIGATE account usage... " The IRP should not be implemented because there is no proof this is an actual breach; thus it should be investigated (as said in the question): "Review the activity with the user" to find out more information before going into the IRP. The account should not be disabled before investigating.

Kickuh06

Passed CS0-003 last week (757), this question was on it! 69 questions, 3 PBQ/SIMs. 25 questions that are in the first 200 questions of this board.

douglas_smith1

Kickuh06 which answer is it since you just took the exam?

Dree_Dogg

Congrats! I wonder where the CS0-002 questions will come from!

[Removed] Option: D

As someone who works in a SOC environment, the first thing you do after seeing user-related suspicious behavior is reach out to the user first. Answer is D.

Sebatian20

I think B is the correct answer. The IR plan MIGHT include reaching out to the user, but it will also contain a flow chart of what to do after.

[Removed]

I agree with what you are saying, but just because a user is working during off-hours, it doesn't automatically mean the user is doing something bad. You ask the user what they are doing, and based on that and the logs you determine the next step.

attesco Option: B

Read Below - An Incident Response Plan is a written document, formally approved by the senior leadership team, that helps your organization before, during, and after a confirmed or suspected security incident. Your IRP will clarify roles and responsibilities and will provide guidance on key activities. It should also include a cybersecurity list of key people who may be needed during a crisis.

attesco

In this case, the guy with the privileged account is suspected.

Nouuv Option: D

D - Disabling the privileged account or initiating the incident response plan without further investigation could be an overreaction and may cause unnecessary disruption to business processes. Reporting the discrepancy to human resources may be necessary at some point, but it should not be the first immediate action. The next step should be to review the activity with the user to determine if there is a legitimate reason for accessing the account during non-business hours. This conversation can provide further insight into the situation and help the security analyst determine if any malicious activity or policy violations have occurred. Based on the outcome of the conversation, the analyst can then take appropriate actions such as escalating the issue or disabling the account.

zecomeia_007 Option: B

B. Initiate the incident response plan.

dickchappy Option: B

FOLLOWING a recent security breach, meaning that breach has already been dealt with. They are investigating potential issues after already resolving the incident; finding a suspicious privileged account should initiate the incident response process. It's absolutely NOT D, since it could be an insider threat. A could also be a bad choice, since you would immediately alert the attacker.

AhmedSameer Option: D

Probably the answer will be disabling the account, but first I will review logs to get more info about this activity, then I will disable it.

Dree_Dogg

what sucks is that it doesn't say a PRIV account was consistently accessed in the middle of the night...

Big_Dre Option: B

Initiate incident response plan. It might include reviewing with the account user or disabling the account.

Big_Dre Option: B

Best option.

Dree_Dogg Option: B

B seems to be the best answer. Follow the IRP/SOP and get more eyes on this.

rg00 Option: D

I won't take any action without conducting further investigation.

MartinRB Option: B

Reviewing the activity with the user is part of the incident response; disabling the account is not a good option, as the activity might have been legitimate. HR is not an option at this point.

JoshuaXIV Option: A

I believe the answer is A because the company has had a recent security breach; it makes sense here that incident response is still ongoing. We tend to isolate or contain it first for checking.