Performing CyberOps Using Cisco Security Technologies (CBRCOR) — Question 54

A threat actor attacked an organization's Active Directory server from a remote location, and in a thirty-minute timeframe, stole the password for the administrator account and attempted to access 3 company servers. The threat actor successfully accessed the first server that contained sales data, but no files were downloaded. A second server was also accessed that contained marketing information and 11 files were downloaded. When the threat actor accessed the third server that contained corporate financial data, the session was disconnected, and the administrator's account was disabled. Which activity triggered the behavior analytics tool?

Answer options

• A. accessing the Active Directory server
• B. accessing the server with financial data
• C. accessing multiple servers
• D. downloading more than 10 files

Correct answer: C

Explanation

The correct answer is C, as accessing multiple servers within a short timeframe is indicative of suspicious activity that behavior analytics tools are designed to detect. Options A and B do not demonstrate unusual patterns by themselves, while D, although it involves significant file downloads, is not the primary trigger in this scenario since the focus is on server access frequency.