Unauthorized Use of Credentials: Incident Response and Lessons Learned | Exam CAS-003: CompTIA CASP+ Study Guide

Unauthorized Use of Credentials

Question

A Chief Security Officer (CSO) is reviewing the organization's incident response report from a recent incident.

The details of the event indicate:

1. A user received a phishing email that appeared to be a report from the organization's CRM tool.

2. The user attempted to access the CRM tool via a fraudulent web page but was unable to access the tool.

3. The user, unaware of the compromised account, did not report the incident and continued to use the CRM tool with the original credentials.

4. Several weeks later, the user reported anomalous activity within the CRM tool.

5. Following an investigation, it was determined the account was compromised and an attacker in another country had gained access to the CRM tool.

6. Following identification of corrupted data and successful recovery from the incident, a lessons learned activity was to be led by the CSO.

Which of the following would MOST likely have allowed the user to more quickly identify the unauthorized use of credentials by the attacker?

Answers

Explanations


A.

The incident described in the question involves a user falling victim to a phishing attack and unknowingly disclosing their credentials to an attacker, who subsequently used these credentials to gain unauthorized access to the organization's CRM tool. The compromised account was not reported and continued to be used until anomalous activity was observed several weeks later, leading to the discovery of the incident and subsequent recovery efforts.

Given this scenario, the question asks which of the following measures would have most likely allowed the user to more quickly identify the unauthorized use of their credentials by the attacker. Let's take a closer look at each of the options provided:

A. Security awareness training - This measure involves educating users on best practices for identifying and responding to security threats, such as phishing attacks. While security awareness training can be effective in reducing the likelihood of successful phishing attacks, it may not have helped the user in this scenario since they had already fallen victim to the attack and disclosed their credentials. Furthermore, security awareness training typically focuses on prevention rather than detection, so it may not have directly contributed to a more timely identification of the incident.

B. Last login verification - This measure involves recording the date and time of the user's last login to a system or application, which can help identify unauthorized access. However, in this scenario, the attacker had obtained legitimate credentials from the user, so their access would not have triggered any alerts based on last login verification.

C. Log correlation - This measure involves analyzing log data from multiple sources to identify patterns or anomalies that may indicate a security incident. Log correlation could be an effective measure in detecting the anomalous activity within the CRM tool reported by the user, but it may not have directly helped the user identify the unauthorized use of their credentials.

D. Time-of-check controls - This measure involves verifying the validity of a user's credentials at specific points in time, such as when they attempt to access a system or application. Time-of-check controls can help prevent unauthorized access in some cases, but they may not have been effective in this scenario since the attacker had already obtained legitimate credentials from the user.

E. Time-of-use controls - This measure involves limiting the time window during which a user's credentials are valid for accessing a system or application. Time-of-use controls can help reduce the risk of credential misuse, but they may not have helped the user in this scenario since the attacker had obtained legitimate credentials and was using them during the valid time window.

F. WAYF-based authentication - This measure involves using a third-party identity provider to authenticate users, which can help reduce the risk of credential theft and misuse. However, it may not have been practical or feasible for the organization in this scenario, and it may not have directly helped the user identify the unauthorized use of their credentials.

Based on the above analysis, the option that would most likely have allowed the user to more quickly identify the unauthorized use of their credentials by the attacker is C. Log correlation. Analyzing log data from multiple sources could have helped identify patterns or anomalies that may have indicated the attacker's unauthorized access and use of the user's credentials. It's worth noting that effective log correlation requires comprehensive and centralized logging, as well as the ability to analyze and act on log data in a timely manner.
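The kind of log correlation the explanation describes, as an added example that is not part of the study guide: successful CRM logins for the same account are compared across sources, and a login from a different country within a short window of an earlier login (the "attacker in another country" pattern in the scenario) is flagged. The log format and sample lines are constructed for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CRM authentication log (not from any real system).
# Each line: ISO timestamp, event, user, source country, source IP.
SAMPLE_LOG = """\
2023-05-01T08:02:11Z LOGIN_OK user=jdoe country=US ip=203.0.113.10
2023-05-01T08:05:40Z LOGIN_OK user=asmith country=US ip=203.0.113.22
2023-05-01T09:14:03Z LOGIN_OK user=jdoe country=RO ip=198.51.100.7
2023-05-01T17:31:55Z LOGIN_OK user=jdoe country=US ip=203.0.113.10
2023-05-02T03:44:19Z LOGIN_OK user=jdoe country=RO ip=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) "
    r"country=(?P<country>\S+) ip=(?P<ip>\S+)$"
)

def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events

def correlate_logins(events, window=timedelta(hours=24)):
    """Flag successful logins where the same account authenticated from a
    different country within `window` of an earlier successful login.
    Returns (user, earlier_country, later_country, later_timestamp) tuples."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == "LOGIN_OK":
            by_user[e["user"]].append(e)
    alerts = []
    for user, logins in by_user.items():
        for i, cur in enumerate(logins):
            for prev in logins[:i]:
                if prev["country"] != cur["country"] and cur["ts"] - prev["ts"] <= window:
                    alerts.append((user, prev["country"], cur["country"], cur["ts"]))
                    break  # one alert per suspicious login is enough
    return alerts

def run_sample():
    return correlate_logins(parse_log(SAMPLE_LOG))

if __name__ == "__main__":
    for user, before, after, when in run_sample():
        print(f"ALERT {user}: login from {after} at {when.isoformat()} after {before}")
```

With centralized logging in place, the same comparison can be run across the CRM, VPN and identity-provider logs, which is where the correlation gains its value over a single application's own records.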