Over the last year, an organization's HR department has accessed data from its legal department on the last day of each month to create a monthly activity report.
An engineer is analyzing suspicious activity alerted by a threat intelligence platform that an authorized user in the HR department has accessed legal data daily for the last week.
The engineer pulled the network data from the legal department's shared folders and discovered above average-size data dumps.
Which threat actor is implied from these artifacts?
A. Privilege escalation
B. Internal user errors
C. Malicious insider
D. External exfiltration
Answer: C
Based on the given artifacts, the engineer is trying to determine the potential threat actor responsible for the suspicious activity. Let's break down the artifacts one by one:
1. HR has accessed the legal department's data on the last day of each month for the past year. This establishes a pattern of behavior in which the HR department has a legitimate reason to access the legal data, but only once a month. It is the baseline against which the engineer can judge whether the daily access is anomalous.
2. An authorized HR user has accessed the legal data daily for the last week. This is the first red flag. The user is authorized to access the legal data, but accessing it every day for a week is highly unusual given the established pattern of accessing it only once a month.
3. The data pulled from the legal department's shared folders shows above-average-size data dumps. This is the second red flag. Transfers larger than the baseline could indicate that someone is exfiltrating data from the legal department.
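The two red flags above are both deviations from a baseline: access frequency and transfer size. The following script is an added example (not part of the original question or answer) showing how an analyst could encode that comparison as a detection over file-share access records. The log records, the user name "hr_analyst", the share name "legal_share", the byte counts and the threshold factors are all constructed assumptions; it builds a year of last-day-of-month accesses followed by a week of daily, much larger accesses, and flags the pair whose recent week departs from its own baseline.

```python
"""Baseline-vs-recent access anomaly check for a shared folder (added example)."""
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean
import calendar


def build_sample_log():
    """Constructed access records (day, user, share, bytes_read), not real data.

    Mirrors the scenario: one access to the legal share on the last day of
    each month of 2023 (~45 MB each), then one access on every day of the
    most recent week (~300 MB each)."""
    rows = []
    for month in range(1, 13):
        last_day = calendar.monthrange(2023, month)[1]
        rows.append((date(2023, month, last_day), "hr_analyst", "legal_share",
                     45_000_000 + month * 100_000))
    week_start = date(2024, 1, 22)
    for i in range(7):
        rows.append((week_start + timedelta(days=i), "hr_analyst", "legal_share",
                     300_000_000 + i * 5_000_000))
    return rows


def summarize(rows, start, end):
    """Per (user, share): distinct access days and mean bytes read for
    records with start <= day < end."""
    days = defaultdict(set)
    sizes = defaultdict(list)
    for day, user, share, nbytes in rows:
        if start <= day < end:
            days[(user, share)].add(day)
            sizes[(user, share)].append(nbytes)
    return {key: (len(days[key]), mean(sizes[key])) for key in days}


def find_anomalies(rows, as_of, recent_days=7, baseline_days=365,
                   freq_factor=3.0, size_factor=2.0):
    """Compare the last `recent_days` (ending on `as_of`) with the preceding
    `baseline_days`.

    A (user, share) pair is flagged when its recent access days exceed
    freq_factor times the count the baseline rate predicts (floored at one
    day, so a rarely used pair cannot trigger on a single access), and/or
    when its recent mean transfer size exceeds size_factor times the
    baseline mean. The factors are illustrative assumptions, not tuned values."""
    recent_start = as_of - timedelta(days=recent_days - 1)
    baseline_start = recent_start - timedelta(days=baseline_days)
    baseline = summarize(rows, baseline_start, recent_start)
    recent = summarize(rows, recent_start, as_of + timedelta(days=1))
    findings = []
    for (user, share), (r_days, r_mean) in recent.items():
        b_days, b_mean = baseline.get((user, share), (0, 0.0))
        expected_days = max(b_days * recent_days / baseline_days, 1.0)
        frequency_anomaly = r_days > freq_factor * expected_days
        size_anomaly = b_mean > 0 and r_mean > size_factor * b_mean
        if frequency_anomaly or size_anomaly:
            findings.append({
                "user": user,
                "share": share,
                "baseline_access_days": b_days,
                "recent_access_days": r_days,
                "baseline_mean_bytes": b_mean,
                "recent_mean_bytes": r_mean,
                "frequency_anomaly": frequency_anomaly,
                "size_anomaly": size_anomaly,
            })
    return findings


def demo(as_of_iso="2024-01-28"):
    """Run the check over the constructed log as of the given date."""
    return find_anomalies(build_sample_log(), date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run as of the end of the suspicious week, the check reports one finding for `hr_analyst` on `legal_share` with both flags set: 7 access days against a baseline of 12 days in a year, and a mean transfer roughly seven times the baseline mean. Run as of a date mid-2023, where the recent window contains only the routine end-of-month access, it reports nothing, which is the point of comparing each user-share pair against its own history rather than a global threshold.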
Based on these artifacts, the engineer can narrow down the potential threat actors:
A. Privilege escalation: This is unlikely to be the cause of the suspicious activity, as there is no indication that the HR user has escalated their privileges to gain access to the legal data. They are authorized to access the data but only once a month.
B. Internal user errors: While this is a possibility, it is unlikely given the established pattern of behavior and the fact that the suspicious activity has been going on for a week.
C. Malicious insider: This is the most likely threat actor based on the given artifacts. An authorized user in the HR department is accessing legal data daily and dumping large amounts of data from the legal department's shared folders. This behavior is highly suspicious and could indicate that the user is exfiltrating data for malicious purposes.
D. External exfiltration: This is unlikely to be the cause of the suspicious activity, as there is no indication that an external actor has gained access to the network or the legal department's data.
In conclusion, based on the given artifacts, the most likely threat actor is a malicious insider.