Malicious Attack Investigation | CAS-003 Exam Answer

Possible Attack Scenarios

Prev Question Next Question

Question

A government contractor was the victim of a malicious attack that resulted in the theft of sensitive information.

An analyst's subsequent investigation of sensitive systems led to the following discoveries: -> There was no indication of the data owner's or user's accounts being compromised.

-> No database activity outside of previous baselines was discovered.

-> All workstations and servers were fully patched for all known vulnerabilities at the time of the attack.

-> It was likely not an insider threat, as all employees passed polygraph tests.

Given this scenario, which of the following is the MOST likely attack that occurred?

Answers

A. The attacker harvested the hashed credentials of an account within the database administrators group after dumping the memory of a compromised machine. With these credentials, the attacker was able to access the database containing sensitive information directly.

B. An account, which belongs to an administrator of virtualization infrastructure, was compromised with a successful phishing attack. The attacker used these credentials to access the virtual machine manager and made a copy of the target virtual machine image. The attacker later accessed the image offline to obtain sensitive information.

C. A shared workstation was physically accessible in a common area of the contractor`s office space and was compromised by an attacker using a USB exploit, which resulted in gaining a local administrator account. Using the local administrator credentials, the attacker was able to move laterally to the server hosting the database with sensitive information.

D. After successfully using a watering hole attack to deliver an exploit to a machine, which belongs to an employee of the contractor, an attacker gained access to a corporate laptop. With this access, the attacker then established a remote session over a VPN connection with the server hosting the database of sensitive information.

Show Answer

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D.

Based on the information provided, the most likely attack that occurred is C.

Option A is unlikely because there was no indication of any compromise of the data owner's or user's accounts. Although the attacker may have harvested the hashed credentials of an account within the database administrators group after dumping the memory of a compromised machine, this alone would not give the attacker direct access to the database containing sensitive information.

Option B is also unlikely because all workstations and servers were fully patched for all known vulnerabilities at the time of the attack, and there was no indication of any compromise of the data owner's or user's accounts. The attacker would have needed to compromise an administrator account of the virtualization infrastructure, which should have been well protected, and this would have likely shown up as anomalous activity.

Option D is also unlikely because there was no indication of any compromise of the data owner's or user's accounts. Although the attacker may have gained access to a corporate laptop using a watering hole attack, they would have still needed to establish a remote session over a VPN connection with the server hosting the database of sensitive information, which would have likely shown up as anomalous activity.

Option C is the most likely attack that occurred because a shared workstation was physically accessible in a common area of the contractor's office space, which makes it vulnerable to physical attacks such as a USB exploit. Once the attacker gained access to the workstation, they were able to compromise it and gain a local administrator account. With this account, the attacker was able to move laterally to the server hosting the database with sensitive information, which would not have shown up as anomalous activity as all workstations and servers were fully patched for all known vulnerabilities at the time of the attack.

It is important to note that polygraph tests are not always reliable in detecting insider threats, and it is possible that an insider threat may still be the cause of the attack even if all employees pass polygraph tests.

Prev Question Next Question