A SOC team is informed that a UK-based user will be traveling between three countries over the next 60 days.
Having the names of the 3 destination countries and the user's working hours, what must the analyst do next to detect abnormal behavior?
When a user is traveling across multiple countries, it may indicate an increased risk of abnormal behavior that can pose a security threat to an organization. Therefore, a SOC team needs to monitor the user's behavior and detect any suspicious activity.
Out of the provided answers, the most appropriate approach would be to create a rule triggered by multiple successful VPN connections from the destination countries (Answer C). This is because the user is expected to be working from those countries and to connect to the organization's network over VPN. By monitoring successful VPN connections from these countries, the SOC team can identify abnormal behavior, such as connections from other countries or multiple connections outside the user's working hours.
Answer A, creating a rule triggered by 3 failed VPN connection attempts in an 8-hour period, may be too strict and result in false positives. Failed attempts can have many causes, such as connectivity issues or the user mistyping credentials.
Answer B, creating a rule triggered by 1 successful VPN connection from any non-destination country, may be too broad and result in too many false positives. Many legitimate users may travel to other countries and access the VPN from there.
Answer D, analyzing the logs from all countries related to this user during the travel period, may be too time-consuming and resource-intensive. It may also be challenging to identify abnormal behavior without a specific rule to guide the analysis.
In summary, creating a rule triggered by multiple successful VPN connections from the destination countries would be the most appropriate approach to detect abnormal behavior by a user traveling between multiple countries.
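The rule described above, as an added example that is not part of the original page: successful VPN logins from the expected countries during working hours form the baseline, and anything else (another country, a login outside working hours, or a login from a destination country after the trip has ended) raises an alert. The user name, countries, working hours, travel window and log lines are all constructed, and timestamps and working hours are assumed to be in the same time zone (UTC); a real deployment would convert to the user's local zone.

```python
from datetime import datetime

# Constructed travel profile (the page names none of these values).
PROFILE = {
    "user": "alice",
    "home": "GB",
    "destinations": {"DE", "FR", "ES"},
    "work_hours": (8, 18),                    # 08:00-17:59, same zone as the log
    "window": ("2024-03-01", "2024-04-30"),   # the 60-day travel period
}

# Constructed VPN log: "<UTC timestamp> <user> <country> <result>" per line.
SAMPLE_LOG = """\
2024-03-04T09:15:00Z alice DE success
2024-03-04T21:40:00Z alice DE success
2024-03-05T10:02:00Z alice FR fail
2024-03-05T10:03:00Z alice FR success
2024-03-06T11:30:00Z alice BR success
2024-03-06T11:45:00Z bob GB success
2024-05-10T12:00:00Z alice DE success
"""

def parse(line):
    ts, user, country, result = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "country": country, "result": result}

def expected_countries(ts, profile):
    """Destination countries are only expected while the trip is under way."""
    start, end = (datetime.strptime(d, "%Y-%m-%d").date() for d in profile["window"])
    if start <= ts.date() <= end:
        return profile["destinations"] | {profile["home"]}
    return {profile["home"]}

def evaluate(log_text, profile):
    """Return (baseline_count, alerts) for the user's successful VPN logins."""
    lo, hi = profile["work_hours"]
    baseline, alerts = 0, []
    for ev in map(parse, log_text.splitlines()):
        if ev["user"] != profile["user"] or ev["result"] != "success":
            continue   # failed attempts belong to a different rule (see Answer A)
        if ev["country"] not in expected_countries(ev["ts"], profile):
            alerts.append(("unexpected_country", ev))
        elif not lo <= ev["ts"].hour < hi:
            alerts.append(("outside_working_hours", ev))
        else:
            baseline += 1    # expected country, expected hours
    return baseline, alerts

if __name__ == "__main__":
    count, found = evaluate(SAMPLE_LOG, PROFILE)
    print(f"baseline logins: {count}")
    for reason, ev in found:
        print(reason, ev["ts"].isoformat(), ev["country"])
```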