Just saw a video by Simply Cyber in which 3 levels of SOC analyst were asked an interview question about alert prioritization.

The question is:
Which one will be your priority?
a. Domain admin brute force
b. Suspicious PowerShell on a developer's account
c. 15 GB transfer to a cloud storage service
d. 5 phishing emails reported by users

What got me interested is that the senior-level analyst is picking the "15 GB data uploaded to something", because he views it as the end of the Cyber Kill Chain, which means that in terms of risk it is the highest...

Meanwhile, the beginner and mid-level analysts pick the domain admin brute force, because domain admin is a Pandora's box. If it is compromised, it is game over.

Initially, I was viewing the 15 GB upload as the first priority because it MIGHT mean exfiltration has already happened.

As the video goes on, I agree with the reviewer, because:
1. 15 GB uploads have more layers of confirmation than domain admin abuse
2. Domain admin brute force is MORE obviously suspicious
3. Domain admin brute force is easier to confirm
4. IT IS more dangerous and simpler to check.

But what is your view on this? Do you agree with what the reviewer said, or do you have your own take?

https://www.youtube.com/watch?v=t9LV5Hsew7c

#cybersecurity #infosec #security #socanalyst

3 SOC Analysts Answer an Alert Triage Question (Expert Breaks Down Who Gets Hired)