CAS-005 Question #496: Real Exam Question with Answer & Explanation
The correct answer is B: Investigate whether the employee had access to the data that was leaked.
Question
Protected company data was recently exfiltrated. The SOC did not find any indication of a network or outside physical intrusion, and the DLP systems reported no unusual activity. The incident response team determined a text file was encrypted and reviews the following: Which of the following is the most appropriate action for the team to take?
Options
- A. Review the email security settings for proper configurations.
- B. Investigate whether the employee had access to the data that was leaked.
- C. Scan attachments with a third-party virus scan to independently confirm the results.
- D. Analyze the hardware for undetected supply chain vulnerabilities that may have been exploited.
Explanation
Since the exfiltration occurred via an encrypted text file sent by an internal account and no external intrusion or DLP alerts were found, the most appropriate next step is to investigate whether the employee legitimately had access to the leaked data. This helps determine if it was an insider threat or misuse of authorized access.