Exam SY0-601 topic 1 question 165 discussion

Answer is C: First, it is not an insider threat, since it occurred after an attack on the user, and then continues without the user's interaction. From All-in-one: An APT attack is characterized by using toolkits to achieve a presence on a target network and then, instead of just moving to steal information, focusing on the long game by maintaining a persistent presence on the target network. The tactics, tools, and procedures of APTs are focused on maintaining administrative access to the target network and avoiding detection. Then, over the long haul, the attacker can remove intellectual property and more from the organization, typically undetected.

Concur with KetReeb, this is cleary an APT

The scenario described suggests a sophisticated and persistent threat that was able to remain undetected over a long period while exfiltrating significant amounts of data. The fact that the abnormal activity was noticed when the employee was not working indicates that the threat actor had access to the company’s systems independently of the employee’s actions. Given these details, the most likely threat actor is: C. APT (Advanced Persistent Threat) APTs are typically state-sponsored or highly organized cyber criminals who conduct prolonged and targeted cyberattacks to steal data, disrupt operations, or spy on organizations. The level of sophistication and the persistence of the threat described aligns with the behavior of APTs. They are known for their ability to remain undetected within a network for extended periods.

"evolve and remain undetected" active "when the employee was not working" APT is the best answer IMO, however this can also be an Insider Threat (doesn't mean the employee was acting maliciously, just that they invoked the risk by clicking on an email

Some attackers are highly organized and dedicated. An advanced persistent threat (APT) is a group of organized threat actors that engage in targeted attacks against organizations. These APTs typically have both the capability and intent to launch sophisticated and targeted attacks over a long period of time.

abnormal amount of external connections when EMPLOYEE WAS NOT WORKING... inside threat. might be wrong though but this is making sense to me

D - "Employee clicked on a link", an APT would not leave a trace or even require trying phish an employee.

APT How can it be an insider threat when the employee was a victim of a malicious email and also was absent during periods of exfiltration.

The question is asking for the type of attack, asking for a threat actor, with only one possible answer; D : Inside threat Internal threat - agents are authorized individuals that carry out an attack by exploiting their inherent privileges.

it's not an insider if it was from a phishing email. APT

An advanced persistent threat (APT) is a stealthy threat actor, typically a state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period.

This is tough cause it is stating what was likely the threat actor. APT would be the threat. Insider threat would be the threat actor. Insider threat also doesn't have to mean someone acted with malicious intent. Threat actors can be both intentional and accidental.

External connections unbeknownst to the user that clicked the email link

APT makes sense, but the answer is Insider threat. The user could have sent a malicious email to themselves as a way to exploit the company. Also note that is says they notice the connections when the user isnt at work so they are probably connecting at home. Lastly, Dion's training he mentions that APTs are some of the highest level hackers and typically are used for high level threats like he used the example of rigging an election would most likely use an APT. I doubt APT would be used for a simple company exploit.

Answer is D https://www.professormesser.com/security-plus/sy0-601/sy0-601-video/threat-actors-2/ Many threat actors are looking to implement an APT whether it be Insider Threat actors, Nation State, Hacktivists, Script Kiddies, Organized Crime, Hackers, Shadow IT, Competitors etc

IMO this phrase even this employee not working there is abnormal amount of external connections. That means he might continuing the connections as APT. “until a security analyst noticed an abnormal amount of external connections when the employee was not working”

"abnormal amount of external connections when the employee was not working" If this does not give away INSIDER threat then I am not sure how else to explain it.