Nina, an experienced network incident responder working for a financial services firm, receives a series of high-priority alerts from Splunk Enterprise Security. The alerts are triggered by anomalous HTTP traffic patterns coming from a workstation within the internal network. Specifically, the system flagged repeated attempts to access untrusted external URLs, followed by the download of executable (.exe) files during non-business hours. Suspecting malicious activity, Nina begins investigating the web proxy logs and correlates them with endpoint detection logs. Her analysis confirms that the downloaded executables were not digitally signed and were flagged as malware by the organization's endpoint protection system shortly after execution. She also finds evidence that the malware attempted to establish outbound communication, likely for command-and-control (C2) purposes.
Nina immediately initiates containment by isolating the affected endpoint from the network. She proceeds to perform a wider investigation using system-wide and firewall logs to assess if the malware spread laterally or exfiltrated any sensitive data. What is the most likely cause of this incident?
Submit