Quiz: The Threat Landscape

A 26-question self-check covering threat actors, motivations, the kill chain, MITRE ATT&CK, and threat modeling. Several questions are tagged with the certification domain they map to — [Sec+] for CompTIA Security+ and [CISSP] for the (ISC)² CISSP — so candidates can self-assess. Answers and one-line explanations are at the end; try the whole quiz before checking.


Section 1 — Multiple choice (1 pt each)

1. [Sec+] A patient, well-resourced, government-sponsored group that maintains long-term access to a target is best described as: A. script kiddie B. hacktivist C. advanced persistent threat (APT) D. insider

2. [Sec+] Which threat actor is most likely to attack a bank on any given day? A. nation-state B. hacktivist C. financially motivated cybercriminal D. script kiddie

3. The two axes used to categorize threat actors are: A. budget and location B. motivation and capability C. speed and stealth D. legality and ethics

4. [Sec+] An attacker uses only built-in administrative tools and scripting to avoid dropping malware. This approach is called: A. zero-day exploitation B. living off the land C. double extortion D. social engineering

5. The cyber kill chain stage in which malware "phones home" to receive instructions is: A. Delivery B. Installation C. Command and Control D. Reconnaissance

6. [Sec+] Which is the correct order of these kill-chain stages? A. Delivery → Reconnaissance → Exploitation B. Reconnaissance → Delivery → Exploitation C. Exploitation → Delivery → Reconnaissance D. Installation → Delivery → Exploitation

7. [CISSP] In MITRE ATT&CK, the attacker's goal in a phase (e.g., Persistence, Credential Access) is called a: A. technique B. procedure C. tactic D. payload

8. An identifier like T1566 (Phishing) in ATT&CK names a: A. tactic B. technique C. procedure D. threat actor

9. [Sec+] The path or means by which an attacker reaches and breaches a target (email, web, removable media, a vulnerable service) is the: A. payload B. attack vector C. indicator of compromise D. kill chain

10. A malicious file hash or a known-bad domain found in your environment is an example of a(n): A. tactic B. threat-actor profile C. indicator of compromise (IoC) D. payload

11. [CISSP] In STRIDE, gaining capabilities you should not have (e.g., from a normal user to domain admin) is: A. Spoofing B. Tampering C. Elevation of privilege D. Repudiation

12. What made the SolarWinds attack so dangerous from a defender's standpoint? A. it used a brand-new zero-day in every system B. the malware arrived signed and trusted via a software supply chain C. it only affected outdated systems D. antivirus vendors ignored it

13. [Sec+] The part of an attack that actually executes the attacker's intent once delivered (runs code, installs a backdoor, encrypts files) is the: A. attack vector B. payload C. tactic D. indicator

14. Modern ransomware that steals data before encrypting it, so backups alone do not remove the threat of a leak, is using: A. living off the land B. double extortion C. a watering-hole attack D. spoofing


Section 2 — True / False with justification (1 pt each)

For each, mark T or F and give a one-sentence reason.

15. "Because the attacker must complete every stage of the kill chain, a defender only needs to break one link to stop that attack."

16. [Sec+] "A script kiddie poses no real risk because their skill level is low."

17. "A detection written against a specific malicious IP address is more durable than one written against an attacker technique."

18. "Keeping software fully patched would have prevented the SolarWinds compromise."

19. [CISSP] "Threat intelligence and indicators of compromise are the same thing."

20. "An organization with no confidential data worth stealing has nothing to fear from ideologically motivated attackers."


Section 3 — Fill in the blank (1 pt each)

21. The three levels of the ATT&CK hierarchy, from goal to method to specific implementation, are ______, ______, and ______ (abbreviated together as TTPs).

22. Reading an attacker's likely behavior from their goal — money, espionage, ideology, or ego — is using the ______ lens.

23. [Sec+] A structured analysis of what could go wrong with a system — its assets, adversaries, attack paths, and defenses — is a ______ ______.


Section 4 — Short answer (2 pts each)

24. Explain why "detect behavior, not just indicators" is a central lesson of MITRE ATT&CK and of the SolarWinds case. Give one example of a behavioral detection and one reason it outlives an indicator-based one.

25. [CISSP] A financially motivated intruder and an espionage-motivated intruder both gain a foothold in your network. Describe how their subsequent behavior would likely differ, and how that difference shapes where you place detection.


Section 5 — Applied scenario (5 pts)

26. Meridian's SOC observes: (1) a phishing email reported by staff; (2) one workstation establishing persistence via a new scheduled task; (3) that workstation beaconing to an unknown external domain every 60 seconds. (a) Map each observation to a kill-chain stage. (b) Identify the most likely actor type and motivation, with justification. (c) Name the single highest-value place to break the chain right now and the control you would use. (d) Name one earlier control that, had it been present, would have broken the chain before persistence.


Answer Key

1. **C** — APT: patient, well-resourced, persistent, often nation-state.
2. **C** — money is where the bank is; criminals are the constant threat.
3. **B** — motivation (why) and capability (how good).
4. **B** — living off the land uses legitimate built-in tools to avoid malware signatures.
5. **C** — Command and Control is the "phone home" stage.
6. **B** — Reconnaissance → Delivery → Exploitation is the correct relative order.
7. **C** — a tactic is the adversary's goal in a phase.
8. **B** — a `T####` ID names a technique.
9. **B** — attack vector is the path/means of reaching the target.
10. **C** — a hash/domain artifact is an indicator of compromise.
11. **C** — Elevation of privilege.
12. **B** — a signed, trusted supply-chain update delivered the backdoor, defeating antivirus and "stay patched."
13. **B** — the payload executes the attacker's intent.
14. **B** — double extortion adds data theft to encryption.
15. **T** — the attacker must traverse the whole chain, so breaking any one link stops that intrusion; this is the engine of defense in depth.
16. **F** — low skill is not low risk; a script kiddie with an automated tool and a public exploit can breach a weak system, though they cannot improvise past a closed door.
17. **F** — the reverse: an IP is cheap for the attacker to change (a new server), while a technique reflects how they fundamentally operate and is far costlier to abandon, so technique-based detections are more durable.
18. **F** — patching is what *delivered* the SolarWinds backdoor (the signed, trojanized update); supply-chain and pipeline defenses and behavioral detection were the relevant controls.
19. **F** — an IoC is a raw observable artifact; threat intelligence is the analyzed understanding that gives indicators meaning and context.
20. **F** — ideological attackers target by belief and events, not asset value; disruption, defacement, or embarrassment can be the goal even with nothing to steal.
21. tactic; technique; procedure.
22. motivation.
23. threat model.
24. Indicators (IPs, hashes, domains) are cheap for attackers to change, so indicator-based detections age in days; a *technique* (e.g., dumping credentials from memory, or beaconing to a C2 server) reflects how the attacker operates and is costly to re-engineer, so behavioral detections catch variants and last longer. SolarWinds was caught by behavioral anomaly detection (an odd second MFA enrollment, anomalous traffic), not by a signature, because the malware was signed and trusted.
25. The financially motivated intruder moves fast and loud toward monetizable targets — rapid credential dumping, lateral movement, and ransomware deployment — so detection should watch for sudden bursts of escalation/lateral movement toward financial systems; the espionage intruder moves slowly and quietly, using legitimate tools, minimizing noise, so detection should watch for *quiet anomalies* — off-hours access, admin tools on hosts that never run them, slow data egress, and unusual account behavior over sensitive systems.
26. (a) phishing email = Delivery; new scheduled task = Installation (persistence); beaconing = Command and Control. (b) Most likely a financially motivated cybercriminal (phishing initial access plus rapid persistence and C2 fits a fast, money-driven intrusion; could precede ransomware) — justification credited for naming actor + motivation coherently. (c) Break C2 *now*: block/sinkhole the beacon destination and isolate the host from the network, severing the attacker's control channel before Actions on Objectives. (d) Earlier control: email/URL filtering plus phishing-resistant MFA (Delivery/Exploitation) — or user-reporting acted on quickly — would have broken the chain before persistence. (Full IR process is Chapter 24.)

**Topics to review by question:** missed 1–4, 16 → §2.1–2.2; 5–6, 15 → §2.3; 7–8, 17, 21, 24 → §2.4; 9–10, 13, 19 → §2.4–2.5; 12, 18 → §2.5; 11, 23 → §2.6; 14 → §2.5 (ransomware); 25 → §2.2; 26 → §2.3–2.6.