An employee receives an email from a "trusted" person containing a hyperlink that is malvertising.
The employee clicks the link and the malware downloads.
An information analyst observes an alert at the SIEM and engages the cybersecurity team to conduct an analysis of this incident in accordance with the incident response plan.
Which event detail should be included in this root cause analysis?
Click on the arrows to vote for the correct answer
A. B. C. D.B.
In this scenario, an employee received an email from a "trusted" person containing a malicious hyperlink that led to malware downloading on their system. An alert was triggered on the Security Information and Event Management (SIEM) system, and the cybersecurity team was engaged to conduct an analysis of the incident in accordance with the incident response plan.
The root cause analysis is a critical step in the incident response process, as it helps to identify the underlying cause of the incident and enables organizations to take appropriate measures to prevent similar incidents from occurring in the future.
Out of the given options, the event detail that should be included in the root cause analysis is the phishing email sent to the victim (Option A). This is because the email was the initial vector used by the attacker to gain access to the victim's system. The analysis should focus on how the attacker was able to craft the email to appear as if it was from a trusted source and how the victim was tricked into clicking on the malicious link.
While the alarm raised by the SIEM (Option B) and the alert identified by the cybersecurity team (Option D) are important event details that need to be investigated as part of the incident response process, they do not necessarily provide insight into the root cause of the incident.
Information from the email header (Option C) can also be useful in investigating the incident, particularly in determining the source of the email and any other identifying information that can help in tracing the attacker. However, it is not as critical to the root cause analysis as the phishing email itself.
In summary, the root cause analysis should focus on the phishing email sent to the victim as the initial vector used by the attacker to gain access to the victim's system, and how the attacker was able to trick the victim into clicking on the malicious link.