Malicious Attack Investigation | CAS-003 Exam Answer

Possible Attack Scenarios

Question

A government contractor was the victim of a malicious attack that resulted in the theft of sensitive information.

An analyst's subsequent investigation of sensitive systems led to the following discoveries:

-> There was no indication of the data owner's or user's accounts being compromised.

-> No database activity outside of previous baselines was discovered.

-> All workstations and servers were fully patched for all known vulnerabilities at the time of the attack.

-> It was likely not an insider threat, as all employees passed polygraph tests.

Given this scenario, which of the following is the MOST likely attack that occurred?

Answers

Explanations


A. B. C. D.

B.

Based on the information provided, the most likely attack that occurred is C.

Option A is unlikely because there was no indication of any compromise of the data owner's or user's accounts. Although the attacker may have harvested the hashed credentials of an account within the database administrators group after dumping the memory of a compromised machine, this alone would not give the attacker direct access to the database containing sensitive information.

Option B is also unlikely because all workstations and servers were fully patched for all known vulnerabilities at the time of the attack, and there was no indication of any compromise of the data owner's or user's accounts. The attacker would have needed to compromise an administrator account of the virtualization infrastructure, which should have been well protected, and this would have likely shown up as anomalous activity.

Option D is also unlikely because there was no indication of any compromise of the data owner's or user's accounts. Although the attacker may have gained access to a corporate laptop using a watering hole attack, they would have still needed to establish a remote session over a VPN connection with the server hosting the database of sensitive information, which would have likely shown up as anomalous activity.

Option C is the most likely attack that occurred because a shared workstation was physically accessible in a common area of the contractor's office space, which makes it vulnerable to physical attacks such as a USB exploit. Once the attacker had physical access to the workstation, they were able to compromise it and obtain a local administrator account. With this account, the attacker was able to move laterally to the server hosting the database of sensitive information. This would not have shown up as anomalous activity or as account compromise, and the fact that all workstations and servers were fully patched for all known vulnerabilities at the time of the attack is consistent with a physical, rather than a software-vulnerability, attack vector.

It is important to note that polygraph tests are not always reliable in detecting insider threats, and it is possible that an insider threat may still be the cause of the attack even if all employees pass polygraph tests.