A security analyst is reviewing alerts from the company's User and Entity Behavior Analytics (UEBA) system. An alert flags an 'impossible travel' scenario for the Chief Financial Officer's (CFO) account. The logs indicate a successful login from New York at 9:00 AM, followed by another successful login at 9:15 AM from an IP address geolocated to Eastern Europe. The analyst quickly confirms the CFO is currently in the New York office. Which of the following is the MOST likely explanation for the alert?
A session hijacking attack is in progress against the CFO's active session.
The IP geolocation database used by the UEBA system is outdated or inaccurate.
The CFO's credentials have been compromised.
The CFO is using a personal VPN that is routing traffic through Eastern Europe.
The most likely explanation is that the CFO's credentials have been compromised. An 'impossible travel' alert, where logins occur from geographically distant locations in an impossibly short time, is a strong indicator of unauthorized access. While VPN usage or geolocation errors can cause false positives, the high-value nature of a CFO's account makes credential compromise a critical and highly probable threat that must be investigated first. A legitimate user is unlikely to have a session active from two continents simultaneously. A VPN would typically route all traffic from a single session, not appear as a separate, concurrent login from a different region just 15 minutes later. Geolocation errors of this magnitude, while possible, are less probable than a targeted attack on a high-value account. Session hijacking is a valid threat, but stolen credentials are a more common root cause that enables such an attack.
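The detection logic behind this kind of alert can be made concrete. The following is an added example, not code from the page or from any UEBA product: it takes a list of login events (constructed sample data with assumed coordinates, RFC 5737 documentation IP addresses, and an assumed Eastern European city standing in for the geolocated IP), sorts them per user, computes the great-circle distance between consecutive logins with the haversine formula, and flags any pair whose implied travel speed exceeds a plausible ceiling. The speed ceiling and the minimum-distance filter (which suppresses geolocation jitter inside one metro area) are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 1000.0  # assumption: roughly a commercial flight
MIN_DISTANCE_KM = 100.0           # assumption: ignore geolocation jitter within a metro area


@dataclass(frozen=True)
class Login:
    """One successful authentication event with its geolocated source."""
    user: str
    when: datetime
    ip: str
    lat: float
    lon: float
    city: str


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(logins, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH,
                      min_distance_km=MIN_DISTANCE_KM):
    """Return one alert dict per consecutive login pair that implies
    travel faster than max_speed_kmh. Pairs closer than min_distance_km
    are skipped so small geolocation errors do not trigger alerts."""
    by_user = {}
    for ev in logins:
        by_user.setdefault(ev.user, []).append(ev)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e.when)
        for prev, cur in zip(events, events[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < min_distance_km:
                continue
            hours = (cur.when - prev.when).total_seconds() / 3600.0
            # Two logins at the same instant from distant places: infinite speed.
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                alerts.append({
                    "user": user,
                    "from": f"{prev.city} ({prev.ip})",
                    "to": f"{cur.city} ({cur.ip})",
                    "minutes_apart": round(hours * 60, 1),
                    "distance_km": round(dist, 1),
                    "speed_kmh": round(speed, 1),
                })
    return alerts


def _t(hh, mm):
    # Constructed timestamps on one arbitrary day, all in UTC.
    return datetime(2024, 5, 6, hh, mm, tzinfo=timezone.utc)


# Constructed sample data. Coordinates are approximate city centres;
# the Eastern European city is an assumed stand-in for the geolocated IP.
SAMPLE_LOGINS = [
    Login("cfo", _t(9, 0), "198.51.100.10", 40.7128, -74.0060, "New York"),
    Login("cfo", _t(9, 15), "203.0.113.77", 50.4501, 30.5234, "Kyiv"),
    # A benign pair: New York to Boston over five hours is ordinary travel.
    Login("analyst", _t(8, 0), "198.51.100.11", 40.7128, -74.0060, "New York"),
    Login("analyst", _t(13, 0), "198.51.100.12", 42.3601, -71.0589, "Boston"),
]


if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_LOGINS):
        print(alert)
```

Running the block prints a single alert for the `cfo` account: roughly 7,500 km covered in 15 minutes, an implied speed of tens of thousands of km/h, while the analyst's New York to Boston pair stays silent. In a real deployment the distance filter and speed ceiling would be tuned to the organisation's travel patterns, and known corporate VPN egress ranges would be excluded before the comparison, which is exactly the false-positive class the explanation above mentions.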