Threat Actor Activity Analysis

What Triggered the Behavior Analytics Tool?

Question

A threat actor attacked an organization's Active Directory server from a remote location and, within a thirty-minute timeframe, stole the password for the administrator account and attempted to access three company servers.

The threat actor successfully accessed the first server that contained sales data, but no files were downloaded.

A second server was also accessed that contained marketing information and 11 files were downloaded.

When the threat actor accessed the third server, which contained corporate financial data, the session was disconnected and the administrator's account was disabled.

Which activity triggered the behavior analytics tool?

Answers

C.

Explanations

Based on the information provided, the behavior analytics tool triggered when the threat actor accessed the third server, the one containing corporate financial data. Here's why:

Behavior analytics tools (UEBA) are designed to identify activity that deviates from an established pattern of normal behavior for a user, host or peer group. They build a baseline of normal activity (which accounts log on from where, which servers and data classifications each account touches, how much data it normally moves, and how quickly) using statistical or machine-learning models, score each new event against that baseline, and raise an alert, often with an automated response, once the accumulated deviation crosses a threshold.

In this scenario, the threat actor first attacked the Active Directory server and stole the administrator's password. Credential theft is serious, but it is not by itself a deviation the tool scores: the stolen credential is a legitimate one, so the first logons look like the administrator, and the remote logon alone is only a weak signal. Nothing on the page indicates that the tool alerted at this stage.

The threat actor then accessed three company servers in a short window. The first two accesses, sales data with no downloads and marketing data with 11 downloads, each add to the account's deviation score (remote source, servers the account may not normally touch, download volume), but they did not cross the alert threshold, which is why they completed without incident.

The access to the third server is the event that crossed the threshold: an administrator account, operating from a remote location, reaching its third distinct server within thirty minutes and touching corporate financial data that the account has no history of accessing. That access attempt is the activity that triggered the tool. The session disconnection and the disabling of the administrator's account are not the trigger; they are the automated response actions the tool took once it had triggered. Reading the disconnection itself as the "anomaly" gets cause and effect backwards.

In conclusion, while all of the activities listed in the answer choices are suspicious, it was the attempt to access the server containing corporate financial data that triggered the behavior analytics tool, and the disconnection and account disablement were the tool's response to that trigger.
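To make the baseline-and-deviation logic concrete, here is an added example (not part of the original question or its explanation) that replays the scenario as a toy UEBA scoring loop in Python. The log format, server names, classification labels, scoring weights and the alert threshold are all assumptions made for the illustration; a real tool learns weights from peer groups and takes data classifications from an inventory. The point it shows is that the score accumulates on the access events themselves, crosses the threshold on the financial-data access, and only then produces the disconnect-and-disable response.

```python
"""Toy UEBA-style baseline/deviation replay of the exam scenario (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed policy values for this example; real tools learn these from peer groups.
SENSITIVE = {"financial"}   # data classifications treated as high-sensitivity
ALERT_THRESHOLD = 4         # accumulated deviation score that triggers a response
WINDOW = timedelta(minutes=30)


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    account: str
    source: str           # "internal" or "remote" (assumed log field)
    server: str
    classification: str   # "directory", "sales", "marketing", "financial"
    files_downloaded: int = 0


@dataclass
class Baseline:
    servers: set = field(default_factory=set)
    sources: set = field(default_factory=set)
    classifications: set = field(default_factory=set)
    max_downloads: int = 0


def build_baselines(history):
    """Learn a per-account baseline from historical, presumed-benign events."""
    baselines = defaultdict(Baseline)
    for e in history:
        b = baselines[e.account]
        b.servers.add(e.server)
        b.sources.add(e.source)
        b.classifications.add(e.classification)
        b.max_downloads = max(b.max_downloads, e.files_downloaded)
    return baselines


def score_event(event, baseline, seen):
    """Score one event against the account's baseline; returns (score, reasons)."""
    reasons = []
    if event.server not in baseline.servers:
        reasons.append(("server never accessed by this account", 1))
    if event.source not in baseline.sources:
        reasons.append(("logon source never seen for this account", 1))
    if event.files_downloaded > baseline.max_downloads:
        reasons.append(("download volume above baseline", 1))
    if event.classification in SENSITIVE and event.classification not in baseline.classifications:
        reasons.append(("first access to sensitive data classification", 2))
    # Lateral spread: distinct data servers this account touched inside the window.
    recent = [x for x in seen if x.account == event.account
              and event.ts - x.ts <= WINDOW and x.classification != "directory"]
    if len({x.server for x in recent}) >= 3:
        reasons.append(("three or more data servers within window", 1))
    return sum(w for _, w in reasons), reasons


def run_analytics(history, stream):
    """Replay events; returns [(event, score, action)], action set when alert fires."""
    baselines = build_baselines(history)
    seen, results, disabled = [], [], set()
    for e in stream:
        if e.account in disabled:
            results.append((e, None, "blocked: account disabled"))
            continue
        seen.append(e)
        score, _ = score_event(e, baselines[e.account], seen)
        action = None
        if score >= ALERT_THRESHOLD:
            action = "disconnect session; disable account"
            disabled.add(e.account)
        results.append((e, score, action))
    return results


T0 = datetime(2024, 3, 4, 10, 0)
# Constructed benign history: admin works from inside, touches AD and the sales server.
HISTORY = [
    AccessEvent(T0 - timedelta(days=7), "administrator", "internal", "dc01", "directory"),
    AccessEvent(T0 - timedelta(days=6), "administrator", "internal", "sales-srv", "sales", 2),
    AccessEvent(T0 - timedelta(days=3), "administrator", "internal", "sales-srv", "sales", 3),
]
# Constructed attack stream mirroring the question: AD, sales, marketing, financial.
STREAM = [
    AccessEvent(T0, "administrator", "remote", "dc01", "directory"),
    AccessEvent(T0 + timedelta(minutes=5), "administrator", "remote", "sales-srv", "sales", 0),
    AccessEvent(T0 + timedelta(minutes=12), "administrator", "remote", "mkt-srv", "marketing", 11),
    AccessEvent(T0 + timedelta(minutes=20), "administrator", "remote", "fin-srv", "financial", 0),
]


def run_scenario():
    return run_analytics(HISTORY, STREAM)


if __name__ == "__main__":
    for e, score, action in run_scenario():
        print(f"{e.ts:%H:%M} {e.server:10} {e.classification:10} score={score} action={action}")
```

Replaying the stream gives scores of 1, 1, 3 and 5: the AD logon and the sales access barely register, the marketing access with 11 downloads climbs but stays under the threshold, and the financial access crosses it, at which point the loop emits the disconnect-and-disable action. Swap the weights or the threshold and the alert moves, which is exactly the tuning problem a real deployment faces.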