Exercises: The Threat Landscape

These exercises move from naming the adversary to reasoning like one — so you can defend against the real thing rather than a cartoon. Difficulty is marked ⭐ (recall/application), ⭐⭐ (analysis), and ⭐⭐⭐ (synthesis/open-ended). A dagger (†) marks problems with a full worked solution in Appendix: Answers to Selected Exercises — attempt every problem before you read one.

Work in your own notebook or a private repository. Where an exercise asks you to map an attack or assign an actor, the reasoning matters more than landing on the single "right" label; defend your choice.

Part A — Actors, motivations, and capability ⭐

1.† Name the five threat-actor types from the taxonomy and give each one's primary motivation and a one-phrase description of its typical capability.

2. For each scenario, name the most likely threat-actor type and justify it in one sentence: (a) a foreign government quietly maintains access to an energy company's network for eighteen months; (b) a forum user runs a downloaded exploit against an unpatched server "to see if it works"; (c) a group leaks a corporation's internal documents to protest its environmental record; (d) a contractor copies a client list to a USB drive on their last day; (e) an organized crew phishes two hundred banks a week and sells the harvested credentials.

3. Distinguish motivation from capability in one sentence each, then explain why a high-motivation, low-capability actor and a high-motivation, high-capability actor demand different defensive postures.

4.† Explain why "we're more expensive to attack than our competitor" is a reasonable defense against most cybercriminals but a poor defense against a nation-state with a specific reason to want us.

5. A junior analyst writes "Threat: hackers" on a risk ticket. Rewrite the threat line for a specific asset (the online-banking portal) so it names a concrete actor, a motivation, and an attack vector.

6. Match each motivation (money, espionage, ideology, ego) to the behavior it most predicts: (a) moves slowly and quietly toward sensitive data over weeks; (b) defaces a site to prove it could be done; (c) deploys ransomware within hours of getting in; (d) targets an organization because of a controversial business decision.

Part B — The kill chain ⭐⭐

7.† List the seven stages of the cyber kill chain in order. For each, write one sentence describing what the attacker is doing and one naming a defensive opportunity.

8. An attacker phishes an employee (email clicked), runs malware that establishes persistence, but the malware's attempt to reach its command server is blocked by your DNS filtering. (a) Identify the kill-chain stage reached at each step. (b) At which stage did the chain break? (c) Explain why this is a defensive success even though code ran on the endpoint.

9. Explain the claim "the attacker must pass every stage, but the defender only has to break one link." How does this reframe the offense/defense asymmetry from Chapter 1, and how does it justify defense in depth?

10.† Why is Command and Control often one of the best stages at which to detect an intrusion? Name two network-level signals that betray C2 activity.

11. The kill chain is sometimes criticized as too "perimeter- and malware-centric." Give one example of a real attack pattern that does not fit the classic chain neatly (e.g., starts inside, or skips stages), and explain how you would still use the model as a thinking tool.

Part C — MITRE ATT&CK and the language of attacks ⭐⭐

12.† Define tactic, technique, and procedure, and give a one-line example of each for a ransomware intrusion. Then explain what "TTPs" abbreviates and why the term is useful.

13. A threat-intelligence report states a group "uses T1566 for initial access and T1071 for command and control." Without looking up the exact IDs, explain in plain English what general categories of behavior those identifiers communicate, and describe the first action your team should take on reading this.

14. Explain why a detection written against a technique (e.g., "credentials dumped from memory") tends to age more slowly than one written against a specific indicator (e.g., a malicious IP address). Relate your answer to why an attacker finds it cheaper to change one than the other.

15.† Your manager says, "I want a detection for every technique in ATT&CK by year-end, and a fully green coverage map." Critique this goal. What is the correct way to use ATT&CK for coverage, and why is a "green wall" potentially worse than an honest, partial map?

16. Define indicator of compromise (IoC) and threat intelligence, and explain the relationship between them with a concrete example involving a list of malicious domains.

Part D — Analyze this (telemetry & intrusions) ⭐⭐

17.† Analyze this log. You are handed this (illustrative) excerpt of outbound network connections from a single internal host. All times are UTC; the destination is in the documentation range 198.51.100.0/24.

02:14:00  src=10.20.4.17  dst=198.51.100.77:443  bytes=812   conn_id=1
02:15:00  src=10.20.4.17  dst=198.51.100.77:443  bytes=799   conn_id=2
02:16:00  src=10.20.4.17  dst=198.51.100.77:443  bytes=820   conn_id=3
02:17:00  src=10.20.4.17  dst=198.51.100.77:443  bytes=805   conn_id=4
02:18:00  src=10.20.4.17  dst=198.51.100.77:443  bytes=808   conn_id=5

(a) What kill-chain stage does this pattern most suggest, and what is the single most suspicious characteristic? (b) Name the term for this behavior. (c) Is this an IoC, a TTP, or both? (d) Name one detection and one prevention that apply.

18. Analyze this log. An authentication log shows a service account svc-backup — which normally authenticates only from one server at 01:00 nightly — logging in interactively from a workstation at 14:30, then accessing a file server it has never touched. (a) What is the most likely motivation of an attacker behind this, and why? (b) Which kill-chain stage(s) does this represent? (c) Why would a signature-based antivirus likely miss this, and what kind of detection would catch it?

19.† Map the intrusion. Read this constructed incident summary and map each numbered step to a kill-chain stage:

(1) The attacker scraped employee names from the company's public site and LinkedIn. (2) They registered a look-alike domain and built a fake VPN login page. (3) An employee received a "password expiry" email and entered credentials on the fake page. (4) The attacker logged into the real VPN and installed a remote-access tool that survived reboot. (5) The tool beaconed to an external server every five minutes. (6) Over two days, the attacker copied a customer database out of the network.

20. Analyze this. A vulnerability scan reports an internet-facing server with a critical, publicly exploited flaw. Logs show repeated automated probes for that exact flaw from dozens of source IPs in different countries. Which threat-actor types are most and least consistent with this traffic, and what does the indiscriminate, multi-source pattern tell you about urgency?

Part E — Write it / build it ⭐⭐–⭐⭐⭐

21.† Write the rule (pseudo-detection). In plain pseudocode or prose, draft a detection for beaconing: given a stream of outbound connections per host, flag a host that makes connections to the same external destination at highly regular intervals over a window. State the parameters you would tune (interval tolerance, minimum count, window length) and one reason each could cause a false positive.

22. Write the profile. Draft a one-paragraph threat-actor profile for a small online retailer (not a bank): which actor types realistically target it, weighted high/medium/low, with a one-phrase justification each. Note how the profile differs from Meridian's.

23.† Build the threat model. Run a STRIDE-lite pass on Meridian's Active Directory / Entra ID (identity) asset. For each of the six STRIDE categories, write one concrete threat, the likely actor, the kill-chain stage, and one defense. (Compare your answer to the banking-platform model in §2.6.)

24. Design it. You are given three controls and a fixed budget that funds only two: (a) tested offline backups, (b) phishing-resistant MFA, (c) a next-generation antivirus product. For a bank facing primarily ransomware and credential threats, which two would you fund and why? Tie each choice to the kill-chain stage(s) it defends and the actor it counters.

25. ⭐⭐⭐ Design it. Sketch (in words or a simple diagram) where you would place detection for an espionage-motivated APT that uses living-off-the-land techniques and signed software. Given that antivirus and "keep patched" both failed against SolarWinds, name three behavioral detections and the kill-chain stage each targets.

26. Write the policy. Draft a three-to-five-sentence policy statement requiring that every new internet-facing service be threat-modeled and reviewed before exposure, justified in the language of the kill chain (which stage you are denying the attacker). Reference the Chapter 1 lesson about "temporary" exposures.

Part F — Respond to this incident ⭐⭐

27.† Tabletop. At 03:00, Meridian's SOC sees: a reported phishing email (delivered to 30 staff), one workstation beaconing to an unknown external domain every 60 seconds, and a service account logging in from that workstation. In three to five ordered steps, describe your immediate response, and for each step name the kill-chain stage you are trying to break or contain. (Detailed IR process is Chapter 24; here, reason from the chain.)

28. Respond. A threat-intel feed warns that a ransomware group targeting regional banks "uses valid remote-access credentials for initial access and deploys encryption within 24 hours." Using the kill chain, list the two highest-priority preventive actions and the one recovery control that most reduces this group's leverage, with one-sentence justifications.

Part G — CTF-style challenge ⭐⭐⭐

29.† The misattributed intrusion. A breach report claims: "This was an APT. The attacker used a sophisticated zero-day, moved with great patience over months, and exfiltrated data using advanced techniques." Investigation reveals: the "zero-day" was a year-old unpatched CVE with a public exploit; the "months" of patience were actually the time between the breach and its discovery (the attacker was in and out in two days); and the "advanced exfiltration" was a file copied to a cloud-storage account over HTTPS. Re-classify the actor with justification, identify every place the report misuses the vocabulary of this chapter (APT, motivation, capability, TTP, dwell time), and rewrite the one-paragraph summary correctly. (Part of the challenge is recognizing that dwell time and attacker sophistication are different things.)

Part H — Interleaved & forward-looking ⭐⭐

30. Interleaved with Chapter 1. Re-score Meridian's risk register row "Credential attack succeeds via password-only login" now that you can name the actor (financially motivated criminal, high-likelihood) and the kill-chain stage it targets (Delivery → Exploitation). Does naming the actor change your likelihood rating from Chapter 1, and what control breaks the chain earliest?

31. Interleaved. Chapter 1 said "compliance is the floor, not the ceiling." The SolarWinds victims were largely compliant organizations. In two or three sentences, explain how this chapter's account of SolarWinds supports that theme, and what beyond compliance actually surfaced the intrusion.

32. ⭐⭐⭐ Forward-looking. This chapter mentions that detection of behavioral anomalies — not signatures — caught SolarWinds, and that Chapter 22 builds detection and hunting. Predict two reasons "detect behavior, not indicators" will be a recurring discipline, and one situation where indicator-based detection is still worth doing.

33. Open reflection. The kill chain says you only need to break one link. Pick a non-computing domain that also defends against a multi-step attack (e.g., aviation security screening, disease containment, fraud detection in payments). Identify its "links," name where it most reliably breaks the chain, and state one idea cybersecurity could borrow.

Solutions to daggered (†) problems are in the Answers appendix. The remaining problems are deliberately open — bring them to a study group or your instructor.