SPLK-5001 Exam Dumps : Splunk Certified Cybersecurity Defense Analyst

The scenario describes an attack where thousands of failed login attempts are made using various usernames and passwords, which is indicative of aCredential Stuffingattack. This type of attack involves using lists of stolen credentials (usernames and passwords) obtained from previous data breaches to attempt to gain unauthorized access to user accounts. Attackers take advantage of the fact that many users reuse passwords across multiple sites. UnlikePassword Spraying(which tries a few common passwords against many accounts) orPassword Cracking(which tries to guess or decrypt passwords), credential stuffing leverages large datasets of valid credentials obtained from other breaches.

Top of Form

Bottom of Form

Unusual Traffic Patterns:

The key observation here is that one of the servers is sending out a significantly large amount of data to a single external system, with no corresponding increase in incoming traffic.

Possible Threat Activities:

A. Data Exfiltration:

This scenario typically aligns with data exfiltration, where an attacker has successfully compromised a system and is sending out large volumes of stolen data to an external server.

Data exfiltration often involves consistent or large data transfers over time to an external IP address, which matches the description provided.

B. Network Reconnaissance:

While reconnaissance involves scanning and probing, it generally does not produce large outbound data flows but rather small, frequent connection attempts or queries.

C. Data Infiltration:

Infiltration would involve incoming data to the compromised server, which contradicts the scenario as there is no observed increase in incoming traffic.

D. Lateral Movement:

Lateral movement would involve traffic between internal systems rather than large amounts of data being sent to an external system.

Scenario Analysis:Conclusion:Given the evidence of large data transfers to a single external system without corresponding inbound traffic,data exfiltrationis the most likely scenario. This suggests that an adversary has compromised the server and is extracting valuable or sensitive data from the organization.

The correct order of the examples listed corresponds toTactic, Technique, Procedurein the TTP framework:

Tactic:The high-level goal or objective an adversary tries to accomplish. "Extend movement" (likely meant as "Lateral movement") or "Exploiting a remote service" are tactics that describewhatthe adversary wants to do.

Technique:The general method or approach used to achieve the tactic. "Exploiting a remote service" is a technique, detailing the type of action used in pursuit of the tactic.

Procedure:The specific implementation or instance of a technique. "Use EternalBlue to exploit a remote SMB server" is a concrete procedure, an exact exploit tool or method used.

This hierarchy is fundamental to frameworks likeMITRE ATT&CK, which guides how analysts categorize and investigate adversary behaviors.