
GCIH · Question #333

GCIH Question #333: Real Exam Question with Answer & Explanation

The correct answer is D: Report this as a possible insider threat incident, since John has sent out confidential information. The email contains classic insider threat indicators - an employee transmitting confidential acquisition plans, budget data, and PII to an external party while arranging a financial payment in return.

Incident Response & Cyber Kill Chain

Question

You are an incident handler at a Fortune 500 oil and gas company. While reviewing the Data Loss Prevention (DLP) email software alerts, you find an email with Personally Identifiable Information (PII) in an attachment. The email is listed below.

  From: John Smith [email protected]
  To: Frank Esler [email protected]
  Sub: Stuff
  Frank, enclosed is the data you asked for. I will be sending you my bank details shortly for you to deposit the money that we discussed.
  Attachment: Stuff.doc

When analyzing the attachment, you discovered that the document contained detailed information on the budget, the companies that your corporation is going to acquire within the next quarter, and the personal information of the individuals involved in the purchase. You have determined that the DLP alert was triggered by a signature that matched a phone number typo formatted like a social security number in the document. How would you proceed with your analysis in this situation?

Options

  • A. Do not report this, since it was a false alarm by the DLP software and there was no PII enclosed
  • B. Do not report this, since I know Frank and he would not use this information even if emailed to
  • C. Report this as a probable malware incident, since the "stuff.doc" file looks suspicious
  • D. Report this as a possible insider threat incident, since John has sent out confidential information

Explanation

The email contains classic insider threat indicators - an employee transmitting confidential acquisition plans, budget data, and PII to an external party while arranging a financial payment in return.

Common mistakes.

  • A. The DLP alert was a true positive - the attachment contained verified PII and highly sensitive corporate data, so classifying it as a false alarm would be factually incorrect and would suppress a legitimate investigation.
  • B. Personal familiarity with a suspect does not override reporting obligations; incident handlers are required to escalate policy violations regardless of their relationship with the individuals involved.
  • C. There are no technical malware indicators in this scenario - the document is a deliberate act of data exfiltration by an authorized employee, not an unsolicited malicious attachment.

Concept tested. Insider threat identification and DLP incident classification

Reference. https://www.cisa.gov/topics/physical-security/insider-threat-mitigation

Topics

insider threat, PII exfiltration, DLP alert triage, incident classification
