Certified SOC Analyst (CSA v2) — Question 9
You are a Threat Hunter in the SOC team of a prestigious law firm specializing in high-profile corporate cases. Your firm has recently suffered a data breach in which confidential client documents were leaked on a dark web forum. As part of your proactive threat-hunting initiative, you analyze security logs, network traffic, and endpoint activity to trace the attacker's steps using the Cyber Kill Chain framework. Your investigation reveals that the attacker initially bypassed the firm's multi-factor authentication (MFA) by masquerading as a legitimate user. Once inside, they moved laterally within the internal network, accessed sensitive client records from a shared file repository, and exfiltrated the data over an extended period. Your task is to identify the attack phase within the Cyber Kill Chain framework, so that defenses against similar attacks can be strengthened and proactive threat-hunting measures can be put in place to detect future intrusions before data exfiltration occurs. At which Cyber Kill Chain phase was the attack identified?
Answer options
- A. Actions on Objectives
- B. Delivery
- C. Command & Control (C2)
- D. Exploitation
Correct answer: A
Explanation
The correct answer is A: Actions on Objectives. In the Lockheed Martin Cyber Kill Chain this is the final phase, in which the attacker pursues the actual goal of the intrusion; the activities observed in this investigation (lateral movement across the internal network, access to client records on the shared repository, and the slow exfiltration of that data) all belong to it. The MFA bypass itself maps to an earlier phase, but the question asks at which phase the attack was identified, and it was identified through the exfiltration. The other options represent earlier stages: Delivery is the transfer of the malicious payload to the target, Command & Control (C2) is the attacker establishing a communication channel with compromised systems, and Exploitation is the abuse of a vulnerability (or, as here, of a legitimate but stolen identity) to gain access. Identifying an intrusion only at Actions on Objectives is the worst case for the defender, because the data has already left; a proactive hunt instead looks for the earlier indicators, such as an MFA-approved logon that does not fit the user's baseline or one account authenticating to many internal hosts within a short window, so the intrusion can be stopped before exfiltration.
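The following is an added example, not part of the exam question or its official explanation, showing what the proactive hunt described above can look like in code. It runs three kill-chain-oriented rules over a small set of constructed log events: an MFA-approved logon from a country outside the user's baseline (the masquerade), one account authenticating to several internal hosts inside a short window (lateral movement), and a low-and-slow outbound transfer whose individual flows stay under a per-flow alert threshold but whose total does not (staged exfiltration). The event fields, thresholds, IP ranges, user baselines and the phase labels attached to each rule are all assumptions made for the example.

```python
"""Kill-chain-oriented hunting rules over constructed log events.

Added example; the events, field names, thresholds and phase mapping are
assumptions for illustration, not data from the exam scenario or any incident.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: "auth" = logon, "net" = outbound flow summary (bytes).
EVENTS = [
    # Day 1: MFA push approved from a country the user has never logged in from
    {"ts": "2024-03-01T08:02:00", "type": "auth", "user": "jdoe", "host": "vpn01",
     "src": "203.0.113.9", "geo": "RO", "mfa": "push_approved"},
    # Day 1: the same account then touches three internal hosts in nine minutes
    {"ts": "2024-03-01T08:10:00", "type": "auth", "user": "jdoe", "host": "fs01",
     "src": "10.0.5.21", "geo": "US", "mfa": "none"},
    {"ts": "2024-03-01T08:14:00", "type": "auth", "user": "jdoe", "host": "fs02",
     "src": "10.0.5.21", "geo": "US", "mfa": "none"},
    {"ts": "2024-03-01T08:19:00", "type": "auth", "user": "jdoe", "host": "db01",
     "src": "10.0.5.21", "geo": "US", "mfa": "none"},
    # A normal user: known country, one file server
    {"ts": "2024-03-01T09:00:00", "type": "auth", "user": "asmith", "host": "vpn01",
     "src": "198.51.100.7", "geo": "US", "mfa": "push_approved"},
    {"ts": "2024-03-01T09:30:00", "type": "auth", "user": "asmith", "host": "fs01",
     "src": "10.0.7.4", "geo": "US", "mfa": "none"},
    # Days 1-5: nightly flows from fs01 to one external host, each under 300 MB
    {"ts": "2024-03-01T23:10:00", "type": "net", "host": "fs01", "dst": "192.0.2.44", "bytes": 250_000_000},
    {"ts": "2024-03-02T23:12:00", "type": "net", "host": "fs01", "dst": "192.0.2.44", "bytes": 240_000_000},
    {"ts": "2024-03-03T23:08:00", "type": "net", "host": "fs01", "dst": "192.0.2.44", "bytes": 260_000_000},
    {"ts": "2024-03-04T23:15:00", "type": "net", "host": "fs01", "dst": "192.0.2.44", "bytes": 255_000_000},
    {"ts": "2024-03-05T23:11:00", "type": "net", "host": "fs01", "dst": "192.0.2.44", "bytes": 245_000_000},
    # Benign: one large backup flow to an internal appliance (ignored by the exfil rule)
    {"ts": "2024-03-02T01:00:00", "type": "net", "host": "fs02", "dst": "10.0.9.9", "bytes": 900_000_000},
]

USER_BASELINE_GEO = {"jdoe": {"US"}, "asmith": {"US"}}  # assumed per-user history
GATEWAYS = {"vpn01"}                                    # entry points, not lateral targets
# Assumed mapping of each rule to the Cyber Kill Chain phase it gives evidence for.
KILL_CHAIN_PHASE = {
    "mfa_masquerade": "Exploitation",
    "lateral_movement": "Actions on Objectives",
    "slow_exfil": "Actions on Objectives",
}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _is_internal(ip):
    return ip.startswith("10.")  # assumed internal range for the example


def hunt_mfa_masquerade(events, baseline):
    """MFA-approved logons from a country outside the user's baseline.
    A passed MFA check only proves the factor was satisfied, not who satisfied it."""
    return [(e["user"], e["host"], e["geo"], e["ts"]) for e in events
            if e["type"] == "auth" and e["mfa"] == "push_approved"
            and e["geo"] not in baseline.get(e["user"], set())]


def hunt_lateral_movement(events, window=timedelta(minutes=30), min_hosts=3):
    """One account authenticating to >= min_hosts distinct internal hosts
    (gateways excluded) inside a sliding time window."""
    per_user = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["type"] == "auth" and e["host"] not in GATEWAYS:
            per_user[e["user"]].append(e)
    hits = []
    for user, evs in per_user.items():
        for i, first in enumerate(evs):
            hosts = {x["host"] for x in evs[i:] if _ts(x) - _ts(first) <= window}
            if len(hosts) >= min_hosts:
                hits.append((user, tuple(sorted(hosts)), first["ts"]))
                break  # one finding per account is enough for the hunt
    return hits


def hunt_slow_exfil(events, window=timedelta(days=7),
                    per_flow_max=300_000_000, total_min=1_000_000_000):
    """Outbound bytes per (host, external dst) summed over a window: every flow
    stays under the per-flow alert threshold, but the total crosses total_min."""
    flows = defaultdict(list)
    for e in events:
        if e["type"] == "net" and not _is_internal(e["dst"]):
            flows[(e["host"], e["dst"])].append(e)
    hits = []
    for (host, dst), evs in flows.items():
        evs.sort(key=_ts)
        for i, first in enumerate(evs):
            chunk = [x for x in evs[i:] if _ts(x) - _ts(first) <= window]
            total = sum(x["bytes"] for x in chunk)
            if all(x["bytes"] < per_flow_max for x in chunk) and total >= total_min:
                hits.append((host, dst, total, len(chunk)))
                break
    return hits


def run_hunt(events):
    """Run all rules and label each set of findings with its kill-chain phase."""
    findings = {
        "mfa_masquerade": hunt_mfa_masquerade(events, USER_BASELINE_GEO),
        "lateral_movement": hunt_lateral_movement(events),
        "slow_exfil": hunt_slow_exfil(events),
    }
    return {name: (KILL_CHAIN_PHASE[name], hits) for name, hits in findings.items()}


if __name__ == "__main__":
    for name, (phase, hits) in run_hunt(EVENTS).items():
        print(f"{name:17s} [{phase}] -> {hits}")
```

On this input the first two rules fire on day 1, within minutes of the compromised logon, while the exfiltration rule only fires once the nightly flows have accumulated; that is the gap between identifying the intrusion at Exploitation or early Actions on Objectives and identifying it, as in the scenario, only after the data is gone. The per-flow and total thresholds should be tuned against the environment's own baseline of outbound volume per host rather than copied from this example.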